Passivedns network sniffer to log DNS queries

Domain name servers may contain several types of security vulnerabilities that allow a malicious user to redirect website visitors to a third-party website. The attack can be cache poisoning or ARP spoofing, and it succeeds where the DNS server is not patched or hardened.

Passivedns is an open source tool that you can use to investigate an incident related to a DNS attack. The tool allows a security analyst to collect DNS traffic passively and read it in the form of pcap files or log files. This helps to identify the answers the DNS server gave and to find where the redirection, or the issue with the server, lies.

Passivedns can be used as a standard DNS packet sniffer to monitor network traffic and search its history, providing a list of what each URL resolves to: it displays the first time a URL was seen, together with the query and the IP address answered by the DNS server.

Screenshot: Passivedns while sniffing DNS packets

Logs are stored in passivedns.log. This is useful for the security analyst and can be used when creating a report about the incident. You can download the tool from the following link: https://github.com/gamelinux/passivedns
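The core of what a passive DNS sensor such as the one described above does is to parse DNS responses off the wire and remember the first time each query/answer pair was seen, so that a change of answer for a known name stands out. The following is an added example, written for this post and not code from the passivedns project: it decodes the DNS wire format (including name compression), keeps a first-seen table, and renders it in a simple pipe-separated line format chosen here for illustration. The sample responses and addresses (192.0.2.10, 198.51.100.20, the timestamps) are constructed for the example.

```python
import struct

# Record types we decode in answers; everything else is skipped.
RR_NAMES = {1: "A", 5: "CNAME"}


def _read_name(data, offset):
    """Decode a DNS name at `offset`, following compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels = []
    end = None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer into the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name ends after the first pointer we hit
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_dns_answers(message):
    """Parse a DNS message (UDP payload only) and return its answer records as
    (owner name, rr type, rdata) tuples. Queries yield an empty list; only A
    and CNAME answers are decoded."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", message[:12])
    if not flags & 0x8000:  # QR bit clear: this is a query, nothing to log
        return []
    offset = 12
    for _ in range(qdcount):  # skip the question section
        _, offset = _read_name(message, offset)
        offset += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = _read_name(message, offset)
        rrtype, _rrclass, _ttl, rdlen = struct.unpack("!HHIH", message[offset:offset + 10])
        offset += 10
        rdata_start = offset
        offset += rdlen
        if rrtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in message[rdata_start:offset])
        elif rrtype == 5:
            value, _ = _read_name(message, rdata_start)
        else:
            continue
        records.append((name, RR_NAMES[rrtype], value))
    return records


class PassiveDnsLog:
    """Keeps the first time each (name, type, answer) tuple was observed."""

    def __init__(self):
        self.first_seen = {}

    def record(self, message, timestamp):
        """Feed one DNS message; return the records that were not seen before."""
        new = []
        for rec in parse_dns_answers(message):
            if rec not in self.first_seen:
                self.first_seen[rec] = timestamp
                new.append(rec)
        return new

    def lines(self):
        """Render the table as 'timestamp||name||type||answer' lines, oldest first
        (a format chosen for this example, not passivedns's own)."""
        ordered = sorted(self.first_seen.items(), key=lambda kv: kv[1])
        return ["%s||%s||%s||%s" % (ts, n, t, a) for (n, t, a), ts in ordered]


def encode_name(name):
    """Encode a dotted name into DNS label format."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_a_response(qname, ipv4, txid=0x1234):
    """Construct a minimal DNS response (one question, one A answer) as sample input.
    The answer's owner name is a compression pointer back to the question at offset 12."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + question + answer


if __name__ == "__main__":
    # Constructed sample: the same name first answers 192.0.2.10, later 198.51.100.20.
    log = PassiveDnsLog()
    print(log.record(build_a_response("www.example.com", "192.0.2.10"), "2014-03-25T09:00:00Z"))
    print(log.record(build_a_response("www.example.com", "192.0.2.10"), "2014-03-25T09:05:00Z"))   # nothing new
    print(log.record(build_a_response("www.example.com", "198.51.100.20"), "2014-03-25T09:10:00Z"))  # new answer
    print("\n".join(log.lines()))
```

The third call returns a new record for a name that already had an answer: that is exactly the event an analyst looks for when a redirection is suspected, because a legitimate name suddenly resolving to an unfamiliar address is what cache poisoning or a spoofed resolver produces.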


Smbexec rapid post-exploitation tool

Smbexec is a tool that you can use for penetration testing domain controllers; the program allows running post-exploitation against domain accounts and expanding access to the targeted network. This gives the pentester full access without any privilege requirement.

The latest release includes improvements so it runs faster, more configuration options, and a module that supports file search. Using smbexec allows you to easily go through all machines on the network and collect the necessary information, such as the UAC configuration or other system settings, as well as where the domain administrator credentials are in use.

Screenshot: smbexec options

To install smbexec, do the following:

  1. git clone https://github.com/pentestgeek/smbexec.git
  2. Run the install.sh script, select your operating system, and supply any required information
  3. Run the install.sh script and compile the binaries
  4. Type smbexec

You can find more information in the release notes: https://github.com/pentestgeek/smbexec


IE PassView 1.31

There are several tools for recovering passwords stored in web browsers. IE PassView can be used for Internet Explorer in case you have forgotten the passwords you use to log in to different systems. The tool has a graphical interface and is simple to use.

“IE PassView is a small password management utility that reveals the passwords stored by Internet Explorer Web browser, and allows you to delete passwords that you don’t need anymore. It supports all versions of Internet Explorer, from version 4.0 and up to 10.0. For each password that is stored by Internet Explorer, the following information is displayed: Web address, Password Type (AutoComplete, Password-Protected Web Site, or FTP), Storage Location (Registry, Credentials File, or Protected Storage), and the user name/password pair. You can select one or more items from the passwords list and export them into text/html/csv/xml file.”


Screenshot: IE PassView

You can download the program from the following link: http://www.nirsoft.net/utils/internet_explorer_password.html#DownloadLinks


MS Office files used to spread malware

New malware has been observed by Trend Micro that targets Microsoft Office files. The virus uses a Windows PowerShell script, which is allowed in many environments by system administrators to customize OS configuration.

The malware is named CRIGENT and it embeds itself in a Word or Excel document. When the victim opens the malicious file, it executes and downloads two components hosted on cloud providers, using Tor and Polipo. The cyber-criminals mask the URLs in DNS records.

Opening the URL runs a PowerShell script that collects user information including IP address, country code, OS version, domain, OS language, Office application version and victim location, and the script keeps collecting this information at each system start-up.

Screenshot: the PowerShell script modifying registry keys

On a local network it is important to monitor the traffic; if we detect connections over non-standard protocols, further investigation is required to identify the root cause. We can also block this at the firewall level, because such traffic indicates a risk of infected systems.

Trend Micro already has the appropriate signature to protect users against this malware, so keep your security software updated.
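The monitoring advice above (watch egress traffic, investigate connections over non-standard protocols, block at the firewall) can be turned into a small triage script. The following is an added example written for this post, not a Trend Micro or CRIGENT artifact: it parses firewall log lines, compares each allowed outbound connection against an egress allowlist, and additionally labels hits on the default ports of Tor (9001 ORPort, 9030 DirPort, 9050 SOCKS) and Polipo (8123), the two tools the post says the malware uses. The log format, hosts and addresses are constructed for the example; the allowlist is an assumption a real deployment would replace with its own.

```python
import re
from collections import Counter

# Constructed sample of egress firewall log lines (not real traffic).
SAMPLE_LOG = """\
2014-03-25T09:01:12Z src=10.0.0.15 dst=203.0.113.5 proto=tcp dport=443 action=allow
2014-03-25T09:01:20Z src=10.0.0.15 dst=198.51.100.7 proto=tcp dport=9001 action=allow
2014-03-25T09:01:21Z src=10.0.0.15 dst=198.51.100.7 proto=tcp dport=8123 action=allow
2014-03-25T09:02:03Z src=10.0.0.22 dst=203.0.113.9 proto=udp dport=53 action=allow
2014-03-25T09:02:10Z src=10.0.0.15 dst=198.51.100.8 proto=tcp dport=9050 action=allow
2014-03-25T09:02:44Z src=10.0.0.31 dst=203.0.113.5 proto=tcp dport=80 action=allow
"""

# Egress allowlist (assumed): what a workstation is expected to reach directly.
ALLOWED = {("tcp", 80), ("tcp", 443), ("udp", 53)}

# Default ports of the two tools the post names; a workstation using them is worth a look.
KNOWN_PROXY_PORTS = {
    9001: "Tor ORPort default",
    9030: "Tor DirPort default",
    9050: "Tor SOCKS default",
    8123: "Polipo HTTP proxy default",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["dport"] = int(entry["dport"])
    return entry


def classify(entry):
    """Return None for expected traffic, otherwise a short reason string."""
    if entry["action"] != "allow":
        return None  # the firewall already stopped it; nothing left the network
    if (entry["proto"], entry["dport"]) in ALLOWED:
        return None
    hint = KNOWN_PROXY_PORTS.get(entry["dport"])
    if hint:
        return "outbound %s/%d (%s)" % (entry["proto"], entry["dport"], hint)
    return "outbound %s/%d not in egress allowlist" % (entry["proto"], entry["dport"])


def find_suspicious(lines):
    """Return (timestamp, src, dst, reason) for every line that needs a look."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["ts"], entry["src"], entry["dst"], reason))
    return hits


def hosts_to_investigate(hits):
    """Count hits per internal source so the noisiest host is triaged first."""
    return Counter(src for _, src, _, _ in hits)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(hit)
    print(hosts_to_investigate(hits))
```

In the sample, one workstation produces all three hits (Tor ORPort, Polipo, Tor SOCKS) within a minute, which is the pattern to escalate; the same allowlist is also the starting point for the firewall deny rule the post recommends, so that anything outside it is logged as a block rather than an allow.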


Download Google Play applications without an account

Installing applications on your smartphone or tablet may carry a security risk. Because there are several sources for applications, an attacker can create fake packages that can be used to infect victims' devices.

Google Play can be used to download the required application, but you need to create an account in order to install what you need. A good alternative is APK Downloader, which acts as a proxy and gives you the direct link to the APK file. All you need to do is enter the URL of the application and you get the direct link to the APK.

Screenshot: APK Downloader

This can be a good alternative if you want to install an APK application without a Google Play account. You can also use the Chrome extension to download the files and install them on any device.


Mobius Forensic Toolkit 0.5.16

Forensic frameworks are important for running an investigation and finding the root cause of any incident. Open source programs are widely used for creating cases and gathering evidence. One such open source framework is Mobius Forensic Toolkit; the toolkit is extensible and can investigate data from several sources, such as Skype and the Windows operating system registry.

Screenshot: Mobius Forensic Toolkit

After installing the framework you start by creating a case; this takes the name of what you need to investigate and will contain the evidence for the incident. Next you add items related to the incident, such as the hard disk or floppies; you need to add details and information about the category.

In the following step you can use the Hive extension to browse the operating system registry, and you can directly drag and drop suspected registry entries and the ones you need to investigate. You can also browse Skype logs using the Skype Agent extension; all logs for the application are stored in ApplicationData/Skype. This gives the forensic analyst access to calls, chats, contacts, file transfers, profile data, SMS and voicemails.

You can download the framework from this link: http://freecode.com/projects/mobiusft


Threatglass service to uncover the web threat landscape

Threatglass by Barracuda is a new platform created by security researchers to automatically analyze millions of websites. The framework monitors malicious activity and includes charts and information that help detect and alert on new malicious code hosted on websites.

Screenshot: Threatglass

Any user has the opportunity to add or analyze websites that they feel may contain malicious threats. The information can be displayed in several categories, with DNS, HTTP and netflow data in both graphical and textual formats. You can even get the pcap files, which provide the end user with evidence about the attack.

The information also includes the links that are opened when the victim opens the malicious page, screenshots recorded in the sandbox, and even the Internet Explorer crash report. Threatglass has an automatic analysis that is based on approximately 10 thousand malware samples accumulated at Barracuda Networks. It is really an amazing project that you can find at this link: http://www.threatglass.com/
