HackHound Tutorials

Using Pastebin for Malicious Sample Collection

Wed, 22 Feb 2012 05:14:09 +0000

Quote

Services like Malware Domain List, Virus Watch and MalC0de are great for finding URLs of malicious content that may be interesting to collect and they provide us with a great deal of information that we use for further analysis. There are times when I am looking for specific samples and these services can't be used, that's when I turn to Pastebin.

Pastebin is a great service that allows for easy sharing and collaboration of data. Recently it has been used by various groups for posting personal information, breach data, or statements. I’ve also found it to be a great source for collecting malicious samples and discovering new attack techniques.

Source:

http://dvlabs.tippingpoint.com/blog/2011/12/14/pastebin-malicious-samples-collection

Manually Add Bytes to a File

Sat, 18 Feb 2012 22:49:13 +0000

This is a quick example of how to manually add bytes to a file.

Things you will need:

1. LordPE v1.41
2. Hex Workshop (or other hex editor)

Open LordPE, click on “PE Editor”, then open the executable you want to add bytes to. Next click on “Sections”. You will use the last “Section Table” to add bytes to.

Example:

.rsrc

Take the “Rawsize” value of that section and add how many bytes you need to it.

Example:

Rsize: 00008A00 + 64 bytes (100 bytes in Decimal) = 00008A64 in Hex.

Right-click on the “.rsrc” section then click on “edit section header”. Now add your new value to both the “VirtualSize” and “RawSize” section.

Example:

VirtualSize: 00008A64
RawSize: 00008A64

Now click on the “...” button next to “Flags:” and tick “Executable as code”, “Readable”, and “Writable”. Click “OK” and save all of your changes then exit out of LordPE.

Open up your file in Hex Workshop (or any other hex editor) and scroll down to the very last line of the hex dump. Right-click then click on “Insert”. Tick on “Hex” and place “100” in the text field. Keep “Fill with the following hex byte:” at zero. Now save your changes and exit your hex editor. Open your executable to see if it runs. If it does and the size is now 100 bytes bigger, you have been successful.

Finding the Hidden Web with Nmap

Fri, 17 Feb 2012 17:47:44 +0000

In this short tutorial I will be teaching you one way of how to find webpages and anonymous FTP's that are hidden in the "Deepweb". The first thing you will need is a list of IP ranges by country. I have supplied that with this tutorial. Your next step is to pick a country, an IP range, and then do a simple ping sweep through that range to get a list of live hosts. I use a simple Batch script that does this for me since for some reason Nmap misses a lot of these hosts that a simple ping doesn't.

So here is my Batch script for the ping sweep:

@echo off
set a=0
set /p b=IP Range:
:c
set /a a=%a%+1
cls
echo. & echo %b%.%a% & echo.
ping -n 1 -w 2000 %b%.%a% >nul
if %errorlevel%==0 echo %b%.%a% >> IP's.txt
if %a%==255 goto :eof
goto c

To use this, save it as a .bat file, run it, then place ONLY the the first 3 octets of the IP (127.0.0) you want to scan. It will then scan 127.0.0.0 through 127.0.0.255 as an example. Then it will dump all of the live hosts to IP's.txt.

Once you have your list of IP's, it's now time to scan one of them for any webpages or anonymous FTP's with Nmap:

nmap -sC -sV -p 21,80,8080 -n -Pn --unprivileged --version-all --script=banner 127.0.0.90 --script=http-headers --script=ftp-anon

That will scan ports 21,80,8080 for webpages and anonymous FTP's. This also tells Nmap not to use a reverse DNS (-n) or ping the host before the scan (-Pn). That will make things go much quicker. We are also using Nmap's built in scripts for banner grabbing so we know exactly what we are getting on those ports.

If you are feeling really adventurous and want to scan the entire port range of the host incase they are using other ports for a webserver and FTP other then the normal ports, you can do this:

nmap -sC -sV -p 0-65535 -n -Pn --unprivileged --version-all --script=banner 127.0.0.90 --script=http-headers --script=ftp-anon

This will scan ports 0 through 65535. That may take about 10 hours to complete but you will know if there are any webservers or FTP's on any of those ports. Hope you will find some uses for this.

Manual Code Injection

Fri, 17 Feb 2012 03:43:30 +0000

I know I have given some of this information out before, but this is a personal example of how I do it. I hope this is usefull to someone.

Things you will need:

1. OllyDbg v1.10
2. Notepad.exe

Open Notepad.exe with OllyDbg. Once it is loaded, highlight all the code up to the first “Call” Procedure you see. Right-click then copy the highlighted lines to a text editor for later. Remember that the first line is the original entry point (OEP).

Example:

0100739D > $ 6A 70		 PUSH 70 (OEP)
0100739F   . 68 98180001	PUSH notepad.01001898
010073A4   . E8 BF010000	CALL notepad.01007568

Scroll down until you see the end of all the code and the beginning of your code caves (DB 00). Then select as many empty lines as you need then right-click, click on “Binary” then “Edit”. Place your function(s) in the “ASCII” box then click “OK”. Once that is done, Ctrl+A to assemble the code. Make note of the first address ( 01008748 ) that starts your function(s).

Example:

01008748 ASCII “cmd /c start calc.exe”

Now under your function, select empty line(s) to place your API with your function address. Click “a” then place your code in and then click on “Assemble”.

Example:

0100877D PUSH 0
0100877E PUSH 01008748 (function address)
0100877F Call WinExec

In the CPU window right-click then select “Go to” then “Origin”. That will take you back to the original entry point again. Double click on the entry point and replace it with a jump to the line of your first function then click on “Assemble” again.

Example:

JMP 0100877D

Now look at the code you copied down in your text editor and the new code you just replaced the OEP with. You will see that two lines of code have been changed.

Example:

PUSH 70
PUSH notepad.01001898

Highlight the new jump entry point you made then click on “Enter”. This will take you to the function you created. Right Under your API Call (don't skip a DB 00) highlight three empty lines then click “a”. Now place all the code that had changed, back in with the first call procedure you also copied down. Make “CALL notepad.01007568” procedure a jump.

Example:

PUSH 70
PUSH 01001898
JMP  010073A4

Now right-click in the CPU window and select “Copy to executable” then “All modifications”. Click on “Copy all”. A new window will then pop up, close it. It will ask you if you want to save these new changes, click “Yes” and save the new executable. Run the new executable and it should run your injected code. This will run calculator.

64bit syscall document/tutorial.

Sat, 04 Feb 2012 11:46:35 +0000

x86_64 syscalls document/tutorial.
Version 1.0
By Pawn.

0x0 - Intro,
-------------------------------------------------
Well when writing this, I tried to keep it as simple as possible and REALLY tried to stick to specific facts and stay on topic. Truth be told, there's A LOT of things that are varied when comparing x86 to x64 calling conventions, like how a target pointer must be within a 2GB range of the instruction that uses it and the removal of SEH from Windows just to name a few.

The deeper I get into this, the more I'm probably going to document and write about. Then again, maybe not. lol. I'm kinda impulsive that way.

0.1 What this document isn't.
-------------------------------------------------
Before we get started here, I'd like to point out. This is NOT a assembly tutorial, I'll probably breifly touch on the new registers, the new calling convention and a few other little things. But aside from that, I'm going to assume you at least know x86 assembly.

Get it? Got it? GOOD. :]

1.0 RIP EAX.
-------------------------------------------------
So the first thing I think I should at least breifly cover is the registers, changes have come people! I know change is scary but fear not. Our old beloved EAX, AX, AL, AH etc still exist in the x86-64 arch. Well I could rant on and on about this and that, but I'll probably do that later so.. Straight to business!

The new registers names(and 8 new registers!) are as follows.

Rename general purpose registers
RAX, RBX, RCX, RDX, RSI, RDI, RSP, RBP, RIP(LOL I love how EIP got renamed to this.)

NEW general purpose registers
R8, R9, R10, R11, R12, R13, R14, R15

Ontop of that, there's also 16 128-bit SSE2 registers, which are named XMM0 through XMM15(Used to pass floating point params is a generalized usage, but I wont be doing that in this doc, so screw 'em! ;D).

Another key point to mention about this is that, PUSHAD and POPAD are gone. Now you can't be lazy when trying to preserve all the registers. D:
Also, Segments are non-existant. So no more CS, DS, ES, SS, FS and GS. But who really cares, right?

1.1 Passing params through registers?
-------------------------------------------------
Under the 64bit calling convention things have changed.

let's look at a standard C call

int x= socket(AF_INET, SOCK_STREAM, 0);

Okay, so. On the x86 arch to call the C socket function..

push 0
push SOCK_STREAM
push AF_INET
call socket
add 4*3

However, under the new calling convention. Things are a bit different..

xor rax, rax
mov rdx, 0
mov rsi, dword SOCK_STREAM
mov rdi, dword AF_INET
call socket

Yup, it's exactly as it looks like.. BAM! Goodbye stack! Well that's half true. Under the new calling convention 6 params can be passed through registers, the list for FUNCTION calls(like libc functions..) RDI, RSI, RDX, RCX, R8, R9 respectively.

Personally, when making calls under Assembly on this calling convention. I find it easy to think like this.
RDI=Param1
RSI=Param2
RDX=Param3
RCX=Param4
... and so on.

Infact, you can even think of it like a C function if it's easier that way.

/*int socket(int domain, int type, int protocol); */
int socket(RDI,RSI,RDX);

Windows is a bit different(Of course it is.. -.-). In the case of windows, the initial 4 params are passed through registers, if anymore are required they are pushed on the stack. So something like this..
RCX=Param1
RDX=Param2
R8=Param3
R9=Param4
.. The rest of the args are on the stack.
But, kernel syscalls can't get params off the stack, and we don't have "syscall numbers" under windows... so it isn't really relevent to this document. lol.

An important point to make when calling functions is that, There are registers that MUST be perserved accross all functions calls. they are, RBX, RSP, RBP, R12, R13, R14, R15 respectively.

For more information on any of this crap above, See the reference section at [3.0].

2.0 HELLO, Kernel!
-------------------------------------------------
Finally! the good stuff. >;]

2.1 syscall and it's params
-------------------------------------------------
Much like passing params to a function imported from C(As I explained earilier), syscall works in the same way. Though, the registers do change a little bit. RDI, RSI, RDX, R10, R8, R9 are the registers used, As you can see.. Only R10(param4) is different from the function list(it's RCX when calling functions from say libc).

So, how do we make a syscall? Well that's easy.. the structure is pretty much the same as calling a libc function.

mov rdx, 0
mov rsi, dword SOCK_STREAM
mov rdi, dword AF_INET
mov rax, sys_socket
syscall

Infact, It's pretty much EXACTLY the same in mosts cases(At least as far as I can tell from trial and error, of course I haven't tried doing sys_ptrace or anything like that yet so.. lol.).. But just to clarify.. the param order for the registers is like this..
RDI=Param1
RSI=Param2
RDX=Param3
R10=Param4
and so on..

Just as with the x86 syscalls, the syscall number is placed in RAX(EAX on x86 based systems) as you've probably already figured out.

2.2 - syscall numbers? where?!
-------------------------------------------------
You can find a list of syscall numbers here..

/usr/include/asm-x86_64/unistd_64.h

or on the web here
http://www.acsu.buff...alls_64bit.html

2.3 - The forgone conclusion.
-------------------------------------------------
So, that's basically all there is to x86_64 syscalling under linux, Although, there's probably more that I have yet to figure out. For example passing more than 6 arguments.. lol. But with so little information around about OS specific Assembly programming on the x86_64 arch, I figured ANY information was better than none at all.

3.0 - References.
-------------------------------------------------
[3.1.1] - http://msdn.microsof...e/cc300794.aspx
[3.1.2] - http://www.vikaskuma...x86-64 tutorial
[3.1.3] - http://www.nasm.us/doc/nasmdoc0.html
[3.1.4] - http://www.nasm.us/doc/nasmdo11.htm
[3.1.5] - http://www.nasm.us/doc/nasmdoc7.html

[TUT]#Isert Manifest - #Set Privilegies Admin to APP VB6

Sun, 29 Jan 2012 04:16:10 +0000

Hello,in this tutorial created by me to teach them how to insert a manifest file for a app made in vb to run with privileges
manager and this method not only what we take for such a thing, also serves to make our
applications have "style XP" that means that the buttons, bars, other controls, will be the style of
windows we have. You just need a tool called "mt.exe" included in the SDK tools, notepad.exe and VB6.

Respect to the tool that inserts the manifest (mt.exe) to our applications can download the SDK
here:
http://www.microsoft...lang=en&id=6510
if you want the file and upload it here Mt.exe:
http://www.mediafire...qw2f5w0xrr4d2fq

the file based manifest is the followring:



  
  Example get privilegies

The word "NAME" is the name of project
"Description" as the name indicated, write a description of file
The word "PRIVILEGE" is the privilegie type, I can be following

"asInvoker": The Aplication so executed with privilegies in father process... is the user

"highestAvailable": Tje aplication so executed with privilegies of user account...

"requiereAdministrator": The privilegie highing, a application be executed as administrator

modified the manifest file save it with the name format: NAME.exe.manifest

The name must have the same name as the executable I'll take the default project1:
Project1.exe.manifest

well now we will open the Shell, going to path, where must be the three files (mt.exe, Project1.exe, proyecto1.exe.manifest)

The following executed command from the shell:

mt.exe -manifest proyecto1.exe.manifest -outputresource:proyecto1.exe;#1

Regards!

Become a Programmer, Motherfucker

Sun, 15 Jan 2012 15:02:36 +0000

Quote

We are a community of motherfucking programmers who have been humiliated by software development methodologies for years.
We are tired of XP, Scrum, Kanban, Waterfall, Software Craftsmanship(aka XP-Lite) and anything else getting in the way of...Programming, Motherfucker.
We are tired of being told we're autistic idiots who need to be manipulated to work in a Forced Pair Programming chain gang without any time to be creative because none of the 10 managers on the project can do... Programming, Motherfucker.
We must destroy these methodologies that get in the way of...Programming, Motherfucker.

If you don't know how to code, then you can learn even if you think you can't. Thousands of people have learned programming from these fine books:
http://learnpythonthehardway.org/
http://ruby.learncodethehardway.org/

I'm also working on a whole series of programming education books at learncodethehardway.org. These are works in progress, and feedback is welcome.

http://programming-m...com/become.html

Configuring a router with Satellite Internet Connection to allow for Reverse Connection!

Mon, 09 Jan 2012 15:21:13 +0000

I had a problem with cybergate not connecting,So DugidOx tried TEAMVIEWER with me for over 2 hours(thanks bro).We couldnt find the problem,So I started Looking into it deeper and this is what I found..I have a Satellite Internet Connection So I had to Correctly configure my Router to allow for incoming connections..This tutorial is only for Satellite Internet Users .....It's all good in the Neighborhood now..I just wanted to Share!

Symptoms:
Running the Setup Wizard from the router configuration causes the screen to freeze.
Cause:
The IP Address of the router and the modem are the same.
Procedure/Solution:
Change the router's IP, as follows:

Disconnect the modem from the router.
Connect the computer to a router LAN port, as shown.
Turn on the router.
Open a browser and type http://192.168.0.1
Type the "admin" for User Name and "password" for Password.
Click OK.
Click Advanced > LAN IP Setup.
Change IP address to 192.168.10.1
Change Starting IP Address to 192.168.10.2
Change Ending IP Address to 192.168.10.51 (Do not use the value shown in the screenshot.)
Click Apply. An error "Page cannot be displayed" or "Action Cancelled" message appears.
Close the browser.
Power off the router.
Connect the modem to the router's Internet port.
Turn on the router.
Restart your computer.
Open a browser and type http://192.168.10.1
Type "admin" for User Name, and "password" for Password (unless you changed the password from the default). Older routers have a default password of 1234.
Click OK.
Click the Setup Wizard under the left of the router settings page.
Check Yes, then Next.
Click Next in the Dynamic IP Detected screen.
Click Apply.
Click Logout on the router settings screen.

XSS Keylogger

Sun, 08 Jan 2012 22:28:23 +0000

Hello,

I recently created a tutorial about XSS keylogger.
It expalains how to use a xss vulnerability to grab user keystrokes on the vulnerable page.

There are js and php files, I also created a vulnerable page if you want to try to exploit it fo trainning.

Tutorial : XSS Keylogger
Article : XSS Keylogger

This article will be updated to know when follow me on twitter @wiremask.

Thanks.

Basic Steganography

Sun, 08 Jan 2012 00:14:28 +0000

This is a very basic tutorial on steganography.
Project Files: http://dl.dropbox.co...41/StegoTut.zip