Friday 31 March 2017

Discover open ports without any tools.

During a pen-testing assignment, not every client will be comfortable letting you connect your own hardened laptop to their network. At such times you have to improvise a port scanner on whatever Windows host you are given, to discover at least the open TCP ports. PowerShell makes this easy:

1) To scan ports 1 to 1024 on a single system:

1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.1",$_)) "Port $_ is open!"} 2>$null

Understanding the input:

1..1024 - Creates the range of integers from 1 to 1024
| - The pipe operator passes the objects into the loop, one at a time
% - The % operator in PowerShell is an alias for ForEach-Object and starts a loop. The loop executes the content between {} once for each object it receives
echo - Prints the following output to the screen (echo is an alias for Write-Output)
new-object Net.Sockets.TcpClient - Instantiates an instance of the .NET TcpClient class, allowing us to make socket connections to TCP ports
Connect("10.10.10.1",$_) - Calls the Connect method on the TcpClient object with the arguments 10.10.10.1 and port $_. $_ is the current object, here the number (1..1024) the loop is currently on. Connect returns nothing on success and throws an exception when the port is closed or filtered, so echo only gets as far as printing the message for an open port
"Port $_ is open!" - Prints "Port # is open!" when the loop finds an open port
2>$null - Tells PowerShell not to display the errors raised for the ports that are not open. Two caveats a practitioner should keep in mind: Connect has no timeout of its own, so a port that a firewall silently drops holds the loop until the OS gives up on the connection (about 21 seconds on Windows), and a full 1..1024 sweep of a well-firewalled host can therefore take hours. Each successful connect is also a complete TCP handshake, so this is a noisy connect scan, not a SYN scan, and it will show up in the target's logs


2) To scan for a single port on a range of systems

foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 10.0.0.$ip}

Understanding the input

foreach ($ip in 1..20) {} - Loop through numbers 1 to 20
Test-NetConnection - A cmdlet (available on Windows 8 / Server 2012 and later) for testing different types of network connectivity. It also pings the target, so it is slower than a raw TcpClient connect
Port 80 - Check the availability of port 80
InformationLevel "Detailed" - Provide detailed output. Use "Quiet" instead to get back just $true or $false, which is easier to filter in a loop
10.0.0.$ip - Attempt to connect to port 80 on the listed IP address. The $ip variable loops from 1 to 20 in this example, so 10.0.0.1 through 10.0.0.20 are tested

3) To scan for all ports on a range of systems

1..20 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.$a",$_)) "Port $_ is open!"} 2>$null}

Here $a saves the outer loop's current object (the host number) before the inner loop reassigns $_ to the port number. The timeout caveat above applies to every host-port pair, so expect this to be slow against filtered hosts.


4) To test open ports to evaluate egress traffic controls

1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("allports.exposed",$_)) "Port $_ is open!" } 2>$null

allports.exposed is a host on the Internet that accepts TCP connections on every port, so when this is run from inside the client's network each "open" line is a port that the egress firewall lets out. Ports the firewall silently drops cost the full connect timeout each, exactly as in the host scan.
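The one-liners above work, but they block for the full OS connect timeout on every filtered port. The following function is an added example and not part of the original post: it uses the same TcpClient class but starts the connect asynchronously and gives up after a configurable number of milliseconds, so it can tell open, closed (reset) and filtered (no answer) ports apart. The function name Test-TcpPort and the default timeout are my own choices; the addresses and the allports.exposed egress check are the ones used above.

```powershell
# Added example (not from the original post): TCP connect scan with a per-port timeout.
function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int[]]$Port,
        [int]$TimeoutMs = 500          # plenty on a LAN; raise it for Internet targets
    )
    foreach ($p in $Port) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Start the handshake without blocking, then wait at most $TimeoutMs for it to finish.
            $ar = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                # The connect completed: EndConnect returns on SYN/ACK and throws on RST.
                try   { $client.EndConnect($ar); $state = 'Open' }
                catch { $state = 'Closed' }
            } else {
                # Neither SYN/ACK nor RST within the timeout: dropped by a firewall.
                $state = 'Filtered'
            }
        } catch {
            # BeginConnect itself failed, e.g. the name did not resolve.
            $state = 'Error'
        } finally {
            $client.Close()           # also abandons a connect that is still pending
        }
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $p; State = $state }
    }
}

# 1) Ports 1-1024 on one host, showing only the open ones
Test-TcpPort -ComputerName '10.10.10.1' -Port (1..1024) | Where-Object { $_.State -eq 'Open' }

# 2) Port 80 on a range of hosts
1..20 | ForEach-Object { Test-TcpPort -ComputerName "10.0.0.$_" -Port 80 }

# 3) All ports on a range of hosts; each filtered port costs at most $TimeoutMs
1..20 | ForEach-Object { Test-TcpPort -ComputerName "10.0.0.$_" -Port (1..1024) } |
    Where-Object { $_.State -eq 'Open' }

# 4) Egress test: allports.exposed answers on every TCP port, so each 'Open' result is a
#    port the egress filter allows. The target is on the Internet, so allow more time.
Test-TcpPort -ComputerName 'allports.exposed' -Port (1..1024) -TimeoutMs 2000 |
    Where-Object { $_.State -eq 'Open' }
```

Because the function emits objects rather than strings, the results can be piped to Export-Csv or Group-Object State to hand the client a tidy summary, and a 'Filtered' verdict on the egress test is itself useful evidence that the outbound rule set is doing its job.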

How can hackers use your own antivirus as malware?

Your antivirus software might come with some annoyances: it might slow your computer down, or pop up so many alerts that you cannot tell when something is actually wrong. Worse, a well-intentioned debugging tool found in every version of Microsoft Windows since XP can be used maliciously to hijack a vulnerable antivirus program and weaponize it.

A zero-day attack called DoubleAgent can take over antivirus software on Windows machines and turn it into malware that encrypts files for ransom, exfiltrates data or formats the hard drive. The code-injection technique works on all versions of Microsoft Windows, from Windows XP to the latest release of Windows 10.


What's worse? 

DoubleAgent abuses a 15-year-old legitimate feature of Windows, present from XP through Windows 10, called "Application Verifier". Because the feature behaves exactly as designed, there is no bug in Windows to patch. The attack was effective against all 14 antivirus products tested by security vendor Cybellum, and would also be effective against pretty much every other process running on the machine. One caveat the headlines tend to omit: registering a verifier provider means writing to the machine-wide Image File Execution Options key under HKLM, which requires administrator rights, so DoubleAgent is a post-compromise persistence and evasion technique rather than a way in.

The sad but plain fact is that the weakness has yet to be addressed by most antivirus vendors and could be used in the wild against almost any organization that runs an antivirus. Once the attacker has gained control of the antivirus, they can command it to perform malicious operations on their behalf. Because the antivirus is a trusted entity, any malicious operation done by it would be considered legitimate, giving the attacker the ability to bypass all the security products in the organization.

What makes DoubleAgent worse than other attacks is that in most hacks the attacker has to work hard to avoid the antivirus. An attack like this instead gives them the freedom to do as they please without fear of interference; in essence, there would be no obstacle to stop them from compromising the system. The attack has been tested and proven on all the major antiviruses and on all versions of Microsoft Windows. It was reported to all the major vendors, which acknowledged the vulnerability and are currently working on a solution and a patch.


Application Verifier (AppVerif.exe) is a dynamic verification tool for user-mode applications. This tool monitors application actions while the application runs, subjects the application to a variety of stresses and tests, and generates a report about potential errors in application execution or design. Application Verifier can detect errors in any user-mode application that is not based on managed code, including user-mode drivers. It finds subtle programming errors that might be difficult to detect during standard application testing or driver testing. It works by registering a verifier provider DLL for the target executable under the Image File Execution Options registry key; the Windows loader then loads that DLL into every new instance of the process before the process's own code runs. That loader hook is exactly what DoubleAgent abuses to get an arbitrary DLL into the antivirus, and it survives reboots and product updates because it is registered against the executable name, not a particular version.
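Since the registration lives in the registry, it is also easy to hunt for. The function below is an added example, not code from Cybellum or from the original post: it walks the Image File Execution Options keys that Application Verifier reads (the HKLM key, plus the WOW6432Node copy used for 32-bit images), reports every image that has VerifierDlls set, and checks whether the referenced DLL exists in the system directory and who signed it. The function name and the output layout are my own.

```powershell
# Added example (not from the original post): list Application Verifier provider
# registrations, the hook DoubleAgent uses to load its DLL into the antivirus.
function Get-VerifierProviderRegistration {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Verifier DLLs are loaded from the system directory matching the image's bitness.
        $sysDir = if ($root -like '*WOW6432Node*') { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            if (-not $props.PSObject.Properties['VerifierDlls']) { continue }
            # FLG_APPLICATION_VERIFIER (0x100) in GlobalFlag is what makes the loader honour VerifierDlls.
            $flag = 0
            if ($props.PSObject.Properties['GlobalFlag']) { $flag = [int]$props.GlobalFlag }
            # VerifierDlls is a space-separated list of DLL names.
            foreach ($dll in ($props.VerifierDlls -split '\s+' | Where-Object { $_ })) {
                $path = Join-Path $sysDir $dll
                $signer = 'FileMissing'
                if (Test-Path -LiteralPath $path) {
                    $sig = Get-AuthenticodeSignature -FilePath $path
                    $signer = if ($sig.SignerCertificate) { "$($sig.Status): $($sig.SignerCertificate.Subject)" } else { "$($sig.Status)" }
                }
                [pscustomobject]@{
                    Image       = $key.PSChildName
                    VerifierOn  = (($flag -band 0x100) -ne 0)
                    VerifierDll = $dll
                    Path        = $path
                    Signer      = $signer
                }
            }
        }
    }
}

# Usage: on a workstation where nobody runs Application Verifier this should return nothing.
Get-VerifierProviderRegistration | Format-Table -AutoSize
```

Any hit against an antivirus, EDR or other security product image deserves an immediate look; a provider DLL whose signer is not Microsoft, or that has no signature at all, is the DoubleAgent pattern. Microsoft's own providers may show as NotSigned when they are catalog-signed, so compare against a known-good baseline rather than treating the signature status alone as a verdict. Running this on a schedule, or alerting on writes to these keys, closes the gap the article describes while vendors work on their fixes.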

Mitigation:

Microsoft has provided a design for antivirus vendors called Protected Processes (more precisely, Protected Process Light, introduced with Windows 8.1). It is specifically intended for antimalware services: an antivirus process created as a protected process can only load trusted, signed code, and the protected process infrastructure has built-in defences against code injection. This means that even if an attacker found a new zero-day technique for injecting code, it could not be used against the antivirus, because the attacker's code is not signed by an authority the protected process trusts. Even though Microsoft made this design available more than three years ago, currently no antivirus except Windows Defender has implemented it. It is important to note that even when the antivirus vendors block the registration attempts, the code injection technique and the persistence technique will live on, since they are a legitimate part of the OS.

Detailed information : 
https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx

Summary
Attackers are always evolving and finding new zero-day attacks. We need to put more effort into detecting and preventing these attacks, and stop blindly trusting traditional security solutions: as shown here, they are not only ineffective against zero-days but can also open new opportunities for an attacker to mount complicated and destructive attacks.

Thursday 30 March 2017

Microsoft's Docs.com: Users unwittingly shared sensitive information


Security researchers found that users of Microsoft's searchable Docs.com service have exposed a lot of their information, including passwords and other private data, on the Internet.

Microsoft description reads that “Docs.com is an online showroom where you can collect and publish Word documents, Excel workbooks, PowerPoint and Office Mix presentations, OneNote notebooks, PDF files, Sway stories, and Minecraft worlds. With Docs.com, it’s easy for you to share with others what interests you, and your content looks great on any device.”

So Docs.com not only lets people easily exchange documents; it also provides a useful search engine that lets anyone search the published content for keywords.

Microsoft further describes that - “Anything you publish with Public visibility will appear in worldwide search engine results and can be shared by you and others on social media sites. This option is a great way to get your work noticed. On the other hand, anything you publish with Limited visibility does not appear in search engine results and can be viewed only by people with whom a direct link to your content has been shared. Similarly, anything you publish with Organization visibility does not appear in search engine results and can be viewed only by those who sign in with a school or work account from your school or organization.”

Information security experts examined the service for exactly this kind of highly sensitive private information. Their study concentrated on files and documents matching search terms such as "password" and "confidential".

They found that users were inadvertently sharing personal and sensitive data via Docs.com: bank account details, password lists, medical records, social security numbers and even a divorce settlement or two.

This kind of information, needless to say, is a boon to attackers for illegal purposes such as financial scams and identity thefts.


The experts found that thousands of Office 365 subscribers with Microsoft single sign-on accounts had published sensitive documents this way. Following the discovery, Microsoft temporarily shut down the search engine and alerted the affected subscribers.

A spokesperson of Microsoft told that “As part of our commitment to protect customers, we’re taking steps to help those who may have inadvertently published documents with sensitive information.”

The lesson for users: check the visibility setting before you publish anything, and review the security and privacy settings of the services you use regularly. As Microsoft's own description says, anything published as Public is indexed by search engines and visible to anyone, and a search engine does not distinguish between a presentation you meant to share and a password list you did not.

Thursday 23 March 2017

Did you hear about the musical virus? Your phone could be hacked with sound waves.

There’s an old chant in the security world that anything can be hacked. And the more complex our devices become, the more methods hackers dream up to break into them.

But what if you were told that it is possible to hack someone's smartphone using sound waves? Aren't you concerned?

As for your smartphone, scientists have discovered a crafty new method for attacking it. A team of researchers can use sound waves to feed false readings to anything built around a common motion sensor, from a smartphone or a piece of medical apparatus to cars and aeroplanes.

Precisely tuned sound waves can already make small objects float in mid-air; it turns out they can also fool the chips that sense motion. Inside pretty much every smartphone is an accelerometer, used to detect motion in three dimensions. A certain type of accelerometer, the capacitive MEMS accelerometer (the chip that lets smartphones and Fitbits know when they are in motion, where they are going and how quickly), can be manipulated with sound waves.

The output signal spells "WALNUT". Can you see it?
A University of Michigan researcher points a speaker at an accelerometer, which then sends false readings to a phone, fitness tracker or other device. Using a $5 speaker, the team used their music files to add thousands of fictitious steps to Fitbits, and they manipulated a smartphone's accelerometer into thinking it was moving in order to pilot a connected remote-control car. The sound waves were emitted both from separate devices and from the phones themselves, using sound files concealed within emails and text messages. They used a different malicious music file to make a Samsung Galaxy S5's accelerometer spell out the word "WALNUT" in a graph of its readings.

So how does this work?
The sensing element of a MEMS accelerometer is a tiny mass suspended on springs, and like any such mass it has a resonant frequency. A tone played at that frequency, from a cheap speaker or the device's own, sets the mass vibrating, and the chip reports the vibration as acceleration that never happened; with the right waveform the researchers could shape those readings into whatever pattern they wanted. The flaw, which the researchers found in more than half of the 20 commercial accelerometer models from five chip makers they tested, illustrates the security challenges that have emerged as robots and other kinds of digital appliances have begun to move around in the world.

In the case of the toy car, the researchers did not compromise the car's microprocessor at all; they controlled the car by forcing the phone's accelerometer to produce false readings, exploiting the fact that the smartphone application relies on the accelerometer to steer the car.

While toy cars might seem like a minor example, there are darker possibilities. If an accelerometer were used to control the automated dosing of insulin for a diabetic patient, for example, the same trick could tamper with the system that determines the correct dose.

Monday 6 March 2017

Dridex Trojan - First to integrate Atom-Bombing

Dridex, one of the most nefarious banking Trojans actively targeting the financial sector, has received an upgrade that equips the malware with a sophisticated new injection and evasion technique known as "Atom-Bombing".

On Tuesday, Magal Baz, a security researcher at IBM Trusteer, published new research exposing Dridex version 4, the latest version of the infamous financial Trojan, and its new capabilities.


Dridex is one of the best-known banking Trojans. It typically infiltrates victim PCs through macros embedded in Microsoft Office documents, then monitors the victim's traffic to banking sites and uses web injection attacks to steal online banking credentials and financial data.

One of the lesser-known things about malware is that it is very similar to normal software, often going through the same development cycles and receiving constant updates. While most malware operators strive to keep their source code and operational details hidden, the Dridex crew has always embedded the malware's version number in its binaries, which has let researchers easily track its evolution.

By adopting Atom-Bombing, Dridex becomes the first malware family seen in the wild to use this code injection technique to evade detection. As with previous campaigns, Dridex monitors a victim's traffic to bank sites and steals login and account information; the biggest change in Dridex v4 is its code injection method.



Know more about "Atom-Bombing" Technique:


The code injection techniques used by previous versions of the Dridex Trojan had become too common and too easy for antivirus and other security products to spot.

Atom-Bombing takes a different approach to code injection that does not rely on the easy-to-detect API calls (the classic WriteProcessMemory and CreateRemoteThread pattern) used by older Dridex versions, so adopting it made the latest Dridex much harder for antivirus products to detect.

First described in October 2016 by enSilo researchers, Atom-Bombing is a code injection technique that works on every version of Microsoft Windows, including Windows 10, and that anti-malware tools of the time did not detect. It does not exploit any vulnerability; it abuses the system-level atom tables, a Windows feature that lets applications store strings they need to access regularly in a table that is shared across the processes of a session.

An attacker can write malicious code into the global atom table as a string and trick a legitimate application into copying it out of the table (the lookup runs inside the target process, so the data lands in the target's memory) and executing it, on nearly any Windows version released in the past 16 years.

What makes Dridex v4 different from other Atom-Bombing attacks is that the attackers only use "the technique for writing the payload, then use a different method to achieve execution permissions, and for the execution itself," according to the co-authors of the X-Force report, Magal Baz and Or Safran.


"Atom-Bombing makes use of Windows’ atom tables and the native API NtQueueApcThread to copy a payload into a read-write memory space in the target process. It then uses NtSetContextThread to invoke a simple return-oriented programming chain that allocates read/write/execute memory, copies the payload into it and executes it. Finally, it restores the original context of the hijacked thread.

Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written to read/write/execute. That sets Dridex up to use a Windows asynchronous procedure call (APC) to call GlobalGetAtomA, which executes the payload.

The last stage is the execution of the payload. To avoid calling CreateRemoteThread, Dridex again uses APC. Using an APC call to the payload itself would be very suspicious. Alternatively, Dridex v4 uses "the same GlobalGetAtomW method to patch GlobalGetAtomA, hooking it to execute the payload," said the researchers.
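Because the payload has to sit in the global atom table as strings before GlobalGetAtomW copies it into the target, the table itself is a place to look. The script below is an added example, not code from the X-Force or enSilo write-ups: it dumps the global atom table as seen from the current session by probing every string-atom index, and flags entries that look like staged data rather than the short names that window classes and clipboard formats legitimately register. The Suspicious heuristic and the function name are my own; the Win32 API used (GlobalGetAtomNameW) is the documented one.

```powershell
# Added example (not from the original post): enumerate the global atom table and flag
# entries that look like Atom-Bombing payload chunks rather than ordinary identifiers.
Add-Type -Namespace Win32 -Name AtomTable -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GlobalGetAtomNameW(ushort nAtom, System.Text.StringBuilder lpBuffer, int nSize);
'@

function Get-GlobalAtomTable {
    # String atoms occupy indices 0xC000-0xFFFF; lower values are integer atoms and hold no data.
    $buf = New-Object System.Text.StringBuilder 256   # atom names are at most 255 characters
    for ($atom = 0xC000; $atom -le 0xFFFF; $atom++) {
        $buf.Length = 0
        $len = [Win32.AtomTable]::GlobalGetAtomNameW([uint16]$atom, $buf, $buf.Capacity)
        if ($len -eq 0) { continue }                       # no atom at this index
        $name = $buf.ToString()
        # Legitimate atoms are readable identifiers. Payload chunks are long and, since they are
        # raw code stored as UTF-16, full of characters outside the printable ASCII range.
        $nonPrintable = @($name.ToCharArray() | Where-Object { [int]$_ -lt 0x20 -or [int]$_ -gt 0x7E }).Count
        [pscustomobject]@{
            Atom         = '0x{0:X4}' -f $atom
            Length       = $len
            NonPrintable = $nonPrintable
            Suspicious   = ($len -ge 128) -or ($nonPrintable -gt ($len / 4))
            Name         = $name
        }
    }
}

# Usage: look at the whole table once to learn what is normal on this host, then alert on outliers.
Get-GlobalAtomTable | Format-Table Atom, Length, NonPrintable, Suspicious -AutoSize
Get-GlobalAtomTable | Where-Object { $_.Suspicious }
```

This is a point-in-time check: the injecting process can delete its atoms as soon as the target has copied them, so the dump is most useful when taken while a suspect process is running, or alongside the other half of the technique, a thread in a trusted process whose APC queue receives calls to GlobalGetAtomW from another process.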

Over the years, the cybercriminals behind the various versions of Dridex have been extremely persistent. While campaign volumes have fluctuated, innovation in the malware has been constant. In January, researchers at Flashpoint reported a new Dridex variant with a technique that bypasses Windows User Account Control (UAC). In 2015, an older version of Dridex started using a detection-evasion technique called AutoClose, in which the macro in a phishing attachment did not execute until the malicious document was closed.