Social Engineering Toolkit: Credential Harvesting

Overview
The Social Engineering Toolkit (SET) is specifically designed to perform advanced attacks against the human element.[1]


Requirements
For this blog post I used the Kali Linux operating system which comes with SET pre-installed.



Instructions
Launch SET

• Applications > Exploitation Tools > Social Engineering ToolKit

A. Loading Credential Harvesting

1. Select: "1) Social-Engineering Attacks" by typing the number 1
2. Select: "2) Website Attack Vectors" by typing the number 2
3. Select: "3) Credential Harvester Attack Method" by typing the number 3
4. Select: "3) Custom Import"  by typing the number 3

 B. Cloning A Website

1. Open a browser (Any browser will work)
2. Navigate to the Website Login page you wish to clone. 
3. Navigate to the File option in your browser.
4. Change the Name field to index.html (the name is case sensitive)
5. Change the Save Location to /var/www/html
6. Change Type to Web Page, Complete
7. Save

C. Arming the Website

1. Open a Terminal and type ifconfig
2. Copy the inet addr: xxx.xxx.xxx.xxx
3. Paste the inet addr into the terminal running SET
• set: webattack > IP address for the POST back in Harvester/Tabnabbing: xxx.xxx.xxx.xxx
4. Type the following file path:
• /var/www/html
5. Type the URL of the website you clone.
6. Type "y" for yes you want to start Apache server. 

D. Testing the Website
If everything was done correctly you'll see an exact clone of the website you cloned. 

1. Open a browser (on the same machine you used SET on)
2. Type in your inet addr: xxx.xxx.xxx.xxx into the URL bar.
3. Hit Enter key

Reference
1. Social Engineering Toolkit

Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

OSINT Tool: Recon-ng

How to Use Open Source Intelligence Tool RECON-NG

Overview
"Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly." [1]

Recon-ng is a tool used to perform open source intelligence on Domains and IP addresses. It allows you to find sub domains, their relative IP addresses, and perform geographical tagging, etc.


Download
Recon-ng


Syntax
[recon-ng][default] command



Help
To access the help menu type the following command:

• help
• example: 
• [recon-ng][default] help 

Database
Everything this script does is to populate a database which the user creates. This script's database query, creation, and deletion syntax is similar to MySQL.

1. Creating a Database

• To create a database type the following command:
• workspaces add
• example: workspaces add TableName

• Once you create your table you'll see the following prompt:
• [recon-ng][TableName]
• This means your table is ready for use with any of the modules.

2.  Defining Domains

• After you create a table you have to define a domain for all of the modules to take action on.
• To add a domain type the following:
• add domain 
• [recon-ng][TableName] add domain DomainName

3. Deleting a Table

• To delete a database type the following command:
• workspaces delete
• example: [recon-ng][default] workspaces delete TableName

Modules
To search for Modules follow these steps:
1. Select your table

• [recon-ng][default] workspaces select TableName

2. Search for Modules

• Search Syntax:
• [recon-ng][TableName] load SearchTerm
• Key search terms: domain, location, reports

3.  Loading a Modular

• From the list of option you are presented with copy & paste the whole line which contains the FilePath and the ModularName.
• example: [recon-ng][TableName] load Path&ModularName

Recommended Videos

• How To Kali 2.0 Recon-ng
• OSINT - recon-ng information gathering example tutorial
• Recon-ng Framework: Automated & Advanced Information Gathering

Reference(s)
1. Tools Kali

Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Cyber Security Analyst (Part 2 of 3)

PCAP Data Analysis

This series will cover analyzing the common data types found in cyber security incidents; Netflow,  Domain(s) & IP address(es), PCAP. The format of the posts will be as follows Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos.



The information in this blog is design to help people analyzing PCAP data. There are many programs which can automate the manipulation and organization of PCAP data for the end user. I believe it is always a good idea to know how to perform these task manually because every environment will be different. For the purpose of this blog post we'll be covering the use of open source PCAP analysis tool Wireshark.


Tools
The list tool is a free open source tool for Linux and Windows:

• Wireshark

Background
Having a working understanding of the PCAP filters are essential to being able to read PCAP data.

A. Wireshark  Filters [1]
1. HTTP header information

• Description: used to analyze the packet HTTP header information
• Syntax:
• http."option"
• Commonly used "option(s)"
• http.user_agent
• http.response
• http.connection

  2. TCP session information

• Description: used to analyze the packet TCP session information
• Syntax:
• tcp."option(s)"
• Commonly used "option(s)"
• tcp.analysis.flags
• tcp.flags
• tcp.srcport

3. SSL connection

• Description: used to determine if an SSL connection was established.
• Syntax
•  
• Commonly used "option(s)"
• ssl.handshake

4.  System communications

• Description: used to determine who the system is trying to communicate with and how often.
• Syntax:
• dns."option(s)"."option(s)"
• Commonly used "option(s)"
• dns.qry.name
• dns.resp.addr
• dns.resp.name

5. Text search

• Description: used to search for specific text inside of a packet.
• Syntax:
• frame contains "text"
• Common text to search for
• "Dos"
• ".exe"

Concepts & Techniques
Two things to look for in PCAP when looking for signs of potential malicious activity are magic numbers and Base64.

A. Magic Numbers [2]
Common in programs across many operating systems. Magic numbers implement strongly typed data and are a form of in-band signaling to the controlling program that reads the data type(s) at program run-times. Detecting such constraints in files is a simple and effective way of distinguishing between many file formats and can yield further run-time information.

• GIF image file:
• ASCII cod 
• "GIF89a" (47 49 46 38 39 61) 
• "GIF87a" (47 49 46 38 37 61)

• JPEG image file:
• Begins with "FF D8" and ends with "FF D9"

• Postscript file:
• start with "%!" (25 21)

• MS-DOS exe file:
• start with 
• "MZ" (4D 5A)
• "ZM" (5A 4D) - is NOT as common

B. Base64 [3]
A group of similar encoding schemes that represent binary data in an ASCII string format by translating it into a Radix-64 representation. Base64 encoding schemes are commonly used when there is a need to encode binary that needs to be stored and transferred over media that are designed to deal with textual data. This is done to ensure that the data remains intact without modification during transport.

• Characters [A-Z], [a-z],[0-9],[+],[/]
• Padding: 
• "==" indicates last group contained only 1 bytes. 
• "=" indicates that it contained 2 bytes.

References 

1. Wireshark Filters
2. Magic Numbers
3. Base64
   

Recommended Reading and/or Videos

• Real Digital Forensics: Computer Security and Incident Response by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose.
• ISBN-13: 978-0321240699
   
• Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich, foreword by Marcus Ranum.
• ISBN-13: 978-0321349965

 
Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Cyber Security Analyst (Part 1 of 3)

Netflow Data Analysis
This series will cover analyzing the common data types found in cyber security incidents; Netflow,  Domain(s) & IP address(es), PCAP. The format of the posts will be as follows Background information, Concepts & Techniques, Tools, and Recommended reading and/or videos. 



The information in this blog is design to help people analyzing Netflow data. There are many programs which can automate the manipulation and organization of Netflow data for the end user. I believe it is always a good idea to know how to perform these task manually because every environment will be different.



Background
Having a working understanding of the Threeway Handshake, Session Flags, Port Numbers, and Domain Name System (DNS) are essential to being able to read Netflow data.

A. Threeway Handshake

• Threeway Handshake is used to establish a connection between a client and a server. 
• Client is a device which request services. 
• Server is a provider of services to clients. 
• Threeway Handshake Process: 
1. Client sends a "SYN" flag to the server  
2. Server responses with "SYN-ACK"   
3. Client sends a "ACK" flag  
4. The connection is now complete. 

B. Session Flags [1]

• URG (1 bit)  indicates that the Urgent pointer field is significant 
• ACK (1 bit)  indicates that the Acknowledgment field is significant. All packets after the initial SYN packet sent by the client should have this flag set. 
• PSH (1 bit)  Push function. Asks to push the buffered data to the receiving application. 
• RST (1 bit)  Reset the connection SYN (1 bit)  Synchronize sequence numbers. Only the first packet sent from each end should have this flag set. Some other flags change meaning based on this flag, and some are only valid for when it is set, and others when it is clear. 
• FIN (1 bit)  No more data from sender

C. Port Numbers [2]

• Port Numbers can be linked to certain applications and services to give one a better idea of the type of activity which is occurring during the communication they are observing. 
• Port number: 1 - 1023 well know server services. 
• Port numbers 1024 - 5000 ephemeral port numbers. 
• An ephemeral port is a short-lived transport protocol port for Internet Protocol (IP) communications allocated automatically from a predefined range by the TCP/IP software.

D.  Domain Naming System (DNS)

• DNS interactions are required for all internet activity.
• DNS Process:
1. Client issues a DNS query.
2. A DNS Server accepts the query.
3. If the first DNS server does not know the answer to the query request, then it will ask additional DNS servers.
4. When the DNS server receives the answer to the DNS query, it returns the Domain to the client.

Concepts & Techniques
The Netflow data is used to confirm activity through correlation of information across different mediums. For example correlating network traffic with system logs to determine what the system was doing at the specific point in time. When analyzing Netflow data keep the following in mind:

• Netflow data can be queried like a database.
• Organize the data according to the "Time" field preferably the start time option. 
• You may not be able to see the complete session due to network a lack of network coverage.
• Go back a week or a month from the initial date of the suspicious traffic in order to try and establish a normal behavioral pattern to compare the infected system to. 
• A few common attacks that can be observed in Netflow:
• Beaconing
• DDoS
• TCP Reset attack

 

Tools
The list tools are free open source tools for Linux and Windows respectively:

• tcpdump
• WinPCAP

These tools will allow you to capture Netflow data from the network interface of your PC. I recommend practicing observing the Netflow data from your PC while it is idle in order to see which services are continuously communicating with the internet and browsing the web.


Recommended Reading and/or Videos

• Real Digital Forensics: Computer Security and Incident Response by Keith J. Jones, Richard Bejtlich, and Curtis W. Rose.
• ISBN-13: 978-0321240699
   
• Extrusion Detection: Security Monitoring for Internal Intrusions by Richard Bejtlich, foreword by Marcus Ranum.
• ISBN-13: 978-0321349965

References 

1. Transmission Control Protocol
2. Ephemeral Port

Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Cuckoo Sandbox Installation (Part 4 of 4)

This is 4 of a 4 part series on the installation of Cuckoo Sandbox. Part 4 will focus on preparing the guess Operating System of the Virtual Machine for use with the Cuckoo Sandbox.

Patch Management
One of the keys to using Cuckoo successfully is to track the applied patches/updates to your guess Operating System (OS) and application(s) also known as a baseline. The baseline eliminates specific vulnerabilities in certain software based on the applied patch/update level. A baseline allows one to rule out malware which effects vulnerabilities covered by your baseline. My recommendation is to have your baseline patched/updated between 1 - 3 months behind the current month. This is because every environment handles patches/updates differently which can lead to delays in rolling out patches/updates. 


Guess Operating System
Cuckoo supports Linux, Unix, and Windows operating systems. While Linux and Unix Operating systems are targets for malware, Windows is the most used Operating System in the business sector and therefore will be the Operating Systems of focus for this post. My recommendations are to test malware samples on Windows 7 (32-bit/64-bit) or Windows 10 (32-bit/64-bit). 


Steps

1. Guess Operating System Configurations

• Disable the Windows Firewall
• Disable the Windows Defender
• Reason for disabling the above is that organizations use third party vendors to manage those functions (i.e. Norton anti-virus, Sonic wall, etc)

• If possible, set automatic updates to "notify when updates are available and let me chose which ones to download and install."

2. Cuckoo Dependencies [1]

• Download and install Python 2.7
• (Optional) Download and install Python Image Library 1.1.7 for Python 2.7 
• Transfer the Cuckoo Agent via a temporary shared folder between the host and guess operating system.

3. Additional Software

• Install the following commonly used programs: Microsoft Office (2007, 2010, 2013), Adobe Flash player, Adobe Reader, and Java.

4. Plugins

• Add commonly used browser plugins  

5. Paranoid Fish (Pafish)

• Purpose is to help one determine if their Sandbox is detectable by malware.
• Some malware has the capability to detects the presents of a sandbox. If it detects one it will fail to execute preventing one from obtaining any analytical information from it.  
• Installation:
• Download the executable file Paranoid Fish to your Virtual Machine.
• Install the executable.
• Run it.

References
1. Cuckoo Sandbox Documentation.


Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec

Cuckoo Sandbox Installation (Part 3 of 4)

This is 3 of a 4 part series on the installation of Cuckoo Sandbox. Part 3 will focus on editing the configuration files for the Cuckoo Sandbox. 

Video Instructions
Cuckoo Sandbox Installation Part 3


Steps

To edit the configuration files:

• Open a terminal
• Navigate to the directory of the configuration files 
• /home/YourUserName/Downloads/cuckoo/conf
• Open a specific file using nano editor
• nano FileName
• Replace the value on the right side of the equal sign with a corresponding value (i.e replace "yes" with "no", or change a numerical value). 
• Note: The items in "[ ]" are the section heads within the specific configuration file.  

• Nano editor Basics
• To save the edited file hold the "Ctrl" button on your keyboard and press the "x" button on your keyboard.
• Type "Y"

• How to Find the IP Address of your Windows virtual machine:
• 1. Power on the VM.
• 2. Open a command prompt and type the command:
• ipconfig  

• How to Find the Network Interface of your virtual machine:
• 1. Open a terminal
• 2. Type the command:
• ifconfig
• Look the IP Address range which your VM's IP Address falls within. To the left of the IP Address range will be the name of the Network Interface associated with it. Below is a picture containing an example:
•   
  

• How to Find the vmx_path:
• Type the following command:
•  find / -name "*.vmx"

• How to Find the IP Address of your host machine:
• 1. Open a terminal
• 2. Type the command:
• ifconfig

Configuration Files[1]

• cuckoo.conf 
• nano cuckoo.conf
• [cuckoo]
• memory_dump = on
• machinery = virtualbox or vmware

• [resultserver]
• ip = ip address of the host system not the virtual machine.

• auxiliary.conf
• nano auxiliary.conf
• [mitm]
• enable = yes

• [sniffer]
• interface = the network interface of your virtual machine

• vmware.conf
• nano vmware.conf 
• [vmware]
• machines = name of virtual machine
• interface = name of the network interface for the virtual machine
• [Name_of_the_Virtual_Machine]
• vmx_path = ../name_of_virtual_machine/ name_of_virtual_machine.vmx
• ip = ip address of the virtual machine

• processing.conf
• nano processing.conf
•  [memory]
• enable = yes

• memory.conf
• nano memory.conf
• [basic]
• guest_profile = volatility's profile name for your guest operating system
• Here are a list of profile names for the various Windows operating systems
•  
  

• reporting.conf
• nano reporting.conf 
• [reporthtml]
• enable = yes

• [mongodb]
• enable = yes

References  
1. Cuckoo Sandbox Configuration Files

Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec 

Cuckoo Sandbox Installation (Part 2 of 4)

This is 2 of a 4 part series on the installation of Cuckoo Sandbox. Part 2 will focus on installing additional functionality to the Host Operating System for the Cuckoo Sandbox. 

Video Instructions
Cuckoo Sandbox Installation Part 2


Steps
All  commands are Italicize. To install the software open a terminal and copy & paste the commands. During the installation of the various software you will be prompted with the options of "Yes/No" type "Yes or Y" to all prompts.

1. Install Django-based web interface [1]

• sudo apt-get install mongodb

2. Install TCPdump [1]

• sudo apt-get install tcpdump
• sudo apt-get install libcap2-bin
• sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
• getcap /usr/sbin/tcpdump

3. Install Volatility [2]

• sudo apt install git
• git clone https://github.com/volatilityfoundation/volatility.git
• Navigate to the volatility folder 
• cd /home/YourUserName/volatility
• sudo python setup.py install

4. Install Volatility Plug-ins

• Distorm3
• Download Distorm3  
• Navigate to the Downloads folder
• tar -xvzf distorm-3.4.0.tar.gz
• Navigate to the distorm-3.4.0 folder
• cd /home/YourUserName/Downloads/distorm-3.4.0
• sudo python setup.py install

•  Yara [3]
•  Install autoreconf
• sudo apt-get install autoconf
• Install libtool-bin
• sudo apt-get install libtool-bin
• Download Yara
• Navigate to the Downloads folder
• tar -xvzf yara-3.5.0.tar.gz
• Navigate to the yara-3.5.0 folder
• cd /home/YourUserName/Downloads/yara-3.5.0
• ./bootstrap.sh
• ./configure --with-crypto --enable-magic --enable-cuckoo
• make
• sudo make install 
• sudo -H pip install yara-python

• PyCrypto [4]
• Download PyCrypto
• Navigate to the Downloads folder
• tar -xvzf pycrypto-2.6.1.tar.gz
• Navigate to the pycrypto-2.6.1 folder
• cd /home/YourUserName/Downloads/pycrypto-2.6.1
•  python setup.py build
• sudo python setup.py install

• Openpyxl [5]
• sudo -H pip install openpyxl

• UJSON [6]
• sudo -H pip install ujson

•  IPython [7]
• sudo -H pip install jupyter

5. Install Mitmproxy

• sudo apt-get install python3-pip python3-dev libssl-dev libtiff5-dev libjpeg8-dev zlib1g-dev libwebp-dev
• sudo pip3 install mitmproxy
• mitmproxy
• cd ~/.mitmproxy
• cp mitmproxy-ca-cert.p12 /home/YourUserName/Downloads/cuckoo/analyzer/windows/bin/cert.p12 
•  mitmdump = /usr/local/bin/mitmdump

References
1. Cuckoo Sandbox Documentation
2. Volatility Documentation
3. Yara Documentation
4. PyCrypto Documentation
5. OpenPyxl Documentation
6. UJSON Documentation
7. IPython Documentation


Social Media
Facebook:
https://www.facebook.com/BDavisCS/

Twitter:
@BDavis_CyberSec