MODULE 8.3 Sniffing With TCPDUMP

Tcpdump is a command-line network analyzer tool or, more technically, a packet sniffer. It can be thought of as the command-line version of Wireshark (only to a certain extent, since Wireshark is much more powerful and capable).

As a command-line tool tcpdump is quite powerful for network analysis: filter expressions can be passed in and tcpdump will pick up only the matching packets and dump them.

In this tutorial we are going to learn to use tcpdump and how it can be used for network analysis. On Ubuntu for example it can be installed by typing the following in a terminal

$ sudo apt-get install tcpdump

Tcpdump depends on libpcap library for sniffing packets. It is documented here.

For windows use the alternative called windump. It is compatible with tcpdump (in terms of usage and options). Download from http://www.winpcap.org/windump/default.htm

Basic sniffing

Let's start using tcpdump. The first simple command to use is tcpdump -n

$ sudo tcpdump -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:34:57.266865 IP 173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 1176, length 64
16:34:57.267226 IP 192.168.1.101.21271 > 218.248.255.163.53: 23380+ PTR? 6.36.194.173.in-addr.arpa. (43)
16:34:57.274549 IP 218.248.255.163.53 > 192.168.1.101.21271: 23380 1/4/2 PTR bom04s01-in-f6.1e100.net. (195)
16:34:57.297874 IP 192.168.1.101.56295 > 186.105.77.150.38213: UDP, length 105

Why sudo? Because tcpdump needs root privileges to be able to capture packets on network interfaces. On Ubuntu prepending sudo to any command makes it run with superuser/root privileges. The -n parameter is given to stop tcpdump from resolving ip addresses to hostnames, which takes longer and is not required right now.

Let's take a line from the above output to analyse.

16:34:57.267226 IP 192.168.1.101.21271 > 218.248.255.163.53: 23380+ PTR? 6.36.194.173.in-addr.arpa. (43)

The first thing, “16:34:57.267226”, is the timestamp with microsecond precision. Next is the protocol of the packet, IP (which stands for Internet Protocol; most internet communication goes on under this protocol). Next is the source ip address joined with the source port. Following that is the destination ip address joined with the destination port, and then some information about the packet.

Now let's increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy. Here is a quick example

$ sudo tcpdump -v -n
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:43:13.058660 IP (tos 0x20, ttl 54, id 50249, offset 0, flags [DF], proto TCP (6), length 40)
    64.41.140.209.5222 > 192.168.1.101.35783: Flags [.], cksum 0x6d32 (correct), ack 1617156745, win 9648, length 0
16:43:13.214621 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > 173.194.36.6: ICMP echo request, id 19941, seq 1659, length 64
16:43:13.355334 IP (tos 0x20, ttl 54, id 48656, offset 0, flags [none], proto ICMP (1), length 84)
    173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 1659, length 64
16:43:13.355719 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.1.101.22181 > 218.248.255.163.53: 28650+ PTR? 6.36.194.173.in-addr.arpa. (43)
16:43:13.362941 IP (tos 0x0, ttl 251, id 63454, offset 0, flags [DF], proto UDP (17), length 223)
    218.248.255.163.53 > 192.168.1.101.22181: 28650 1/4/2 6.36.194.173.in-addr.arpa. PTR bom04s01-in-f6.1e100.net. (195)
16:43:13.880338 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.3 tell 192.168.1.101, length 28
16:43:14.215904 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.101 > 173.194.36.6: ICMP echo request, id 19941, seq 1660, length 64

Now with the verbose switch lots of additional details about the packet are also being displayed, including the ttl, id, tcp flags, packet length, etc.

Getting the ethernet header (link layer headers)

In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.

$ sudo tcpdump -vv -n -e
[sudo] password for enlightened: 
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:57:27.218531 00:25:5e:1a:3d:f1 > 00:1c:c0:f8:79:ee, ethertype IPv4 (0x0800), length 98: (tos 0x20, ttl 54, id 53046, offset 0, flags [none], proto ICMP (1), length 84)
    173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 6015, length 64
17:57:27.218823 00:1c:c0:f8:79:ee > 00:25:5e:1a:3d:f1, ethertype IPv4 (0x0800), length 85: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 71)
    192.168.1.101.53134 > 218.248.255.163.53: [bad udp cksum 0x9cee -> 0xe5f6!] 23855+ PTR? 6.36.194.173.in-addr.arpa. (43)
17:57:27.226352 00:25:5e:1a:3d:f1 > 00:1c:c0:f8:79:ee, ethertype IPv4 (0x0800), length 269: (tos 0x0, ttl 251, id 10513, offset 0, flags [DF], proto UDP (17), length 255)
    218.248.255.163.53 > 192.168.1.101.53134: [udp sum ok] 23855 q: PTR? 6.36.194.173.in-addr.arpa. 1/4/4 6.36.194.173.in-addr.arpa. PTR bom04s01-in-f6.1e100.net. ns: 194.173.in-addr.arpa. NS NS4.GOOGLE.COM., 194.173.in-addr.arpa. NS NS2.GOOGLE.COM., 194.173.in-addr.arpa. NS NS1.GOOGLE.COM., 194.173.in-addr.arpa. NS NS3.GOOGLE.COM. ar: NS1.GOOGLE.COM. A 216.239.32.10, NS2.GOOGLE.COM. A 216.239.34.10, NS3.GOOGLE.COM. A 216.239.36.10, NS4.GOOGLE.COM. A 216.239.38.10 (227)

Now the first thing after the timestamp is the source and destination mac address.

Sniffing a particular interface

In order to sniff a particular network interface we must specify it with the -i switch. First let's get the list of available interfaces using the -D switch.

$ sudo tcpdump -D
1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.any (Pseudo-device that captures on all interfaces)
5.lo

Next we can use the interface number or name with the -i switch to sniff that particular interface.

$ sudo tcpdump -i 1
$ sudo tcpdump -i eth0

Filtering packets using expressions

The next important feature of tcpdump as a network analysis tool is to allow the user to filter packets and select only those that match a certain rule or criteria. And like before this too is quite simple and can be learned easily. Let's take a few simple examples.

Selecting protocols

$ sudo tcpdump -n tcp

The above command will show only tcp packets. Similarly udp or icmp can be specified.

Particular host or port

Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101

$ sudo tcpdump -n 'src 192.168.1.101'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:04:04.856379 IP 192.168.1.101.47141 > 173.194.36.1.443: Flags [.], seq 2781603453:2781604873, ack 338206850, win 41850, length 1420
20:04:05.216372 IP 192.168.1.101.33885 > 193.219.128.49.6667: Flags [P.], seq 3980513010:3980513027, ack 2134949138, win 28400, length 17

The next example picks up dns request packets, that is, udp packets which originate from the local machine and go to port 53 of some other machine.

$ sudo tcpdump -n 'udp and dst port 53'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:06:48.015359 IP 192.168.1.101.33990 > 218.248.255.163.53: 41001+ A? s.gateway.messenger.live.com. (46)
20:06:50.842530 IP 192.168.1.101.32954 > 218.248.255.163.53: 12380+ A? DB3MSGR5010722.gateway.messenger.live.com. (59)

The above output shows the dns requests made by the local system to the dns server 218.248.255.163 on port 53. It's all very intuitive and simple. Note the “and” which is used to combine multiple conditions. This is where the creativity begins, in writing powerful expressions to analyse the network.

To display the FTP packets coming from 192.168.1.100 to 192.168.1.2

$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'

Note that the port number 21 has been specified by its name – ftp.

So similarly many different kinds of expressions can be developed to fit the needs of the network analyst and pick up matching packets.
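As an added example that is not part of this tutorial, here is a small Python parser for the one-line `tcpdump -n` output format described earlier (timestamp, IP, source ip.port > destination ip.port, decode), together with an offline analogue of the filter expressions shown above ('src 192.168.1.101', 'udp and dst port 53', 'port ftp'), run over lines copied from this tutorial's captures. It assumes IPv4 only, infers the transport protocol from the decode text (tcpdump does not name TCP/UDP explicitly in this mode), and uses a small hand-made port-name table.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample: `tcpdump -n` lines copied from the captures in this tutorial,
# plus one ARP line to show that non-IP lines are skipped.
SAMPLE_LINES = """\
16:34:57.266865 IP 173.194.36.6 > 192.168.1.101: ICMP echo reply, id 19941, seq 1176, length 64
16:34:57.267226 IP 192.168.1.101.21271 > 218.248.255.163.53: 23380+ PTR? 6.36.194.173.in-addr.arpa. (43)
16:34:57.274549 IP 218.248.255.163.53 > 192.168.1.101.21271: 23380 1/4/2 PTR bom04s01-in-f6.1e100.net. (195)
16:34:57.297874 IP 192.168.1.101.56295 > 186.105.77.150.38213: UDP, length 105
16:43:13.880338 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.3 tell 192.168.1.101, length 28
20:04:04.856379 IP 192.168.1.101.47141 > 173.194.36.1.443: Flags [.], seq 2781603453:2781604873, ack 338206850, win 41850, length 1420
20:06:48.015359 IP 192.168.1.101.33990 > 218.248.255.163.53: 41001+ A? s.gateway.messenger.live.com. (46)
"""

# One-line summary format: "<time> IP <src[.port]> > <dst[.port]>: <decode>"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{6}) IP (\S+) > (\S+): (.*)$")

# Service names accepted in place of numbers (assumed subset of /etc/services).
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}


@dataclass
class Packet:
    time: str
    proto: str            # inferred: "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    info: str


def split_endpoint(ep: str):
    """'192.168.1.101.21271' -> ('192.168.1.101', 21271); '173.194.36.6' -> (ip, None).
    IPv4 only: a fifth dotted field is the port."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return ep, None


def infer_proto(info: str) -> str:
    # Heuristic (assumption): the default decode does not name TCP/UDP explicitly.
    if info.startswith("ICMP"):
        return "icmp"
    if info.startswith("Flags ["):
        return "tcp"
    return "udp"          # "UDP, length N" or a DNS decode such as "23380+ PTR? ..."


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line)
    if not m:
        return None       # ARP, IP6 and other link-layer lines are not handled here
    t, s, d, info = m.groups()
    src, sport = split_endpoint(s)
    dst, dport = split_endpoint(d)
    return Packet(t, infer_proto(info), src, sport, dst, dport, info)


def parse_capture(text: str) -> List[Packet]:
    pkts = [parse_line(ln) for ln in text.splitlines()]
    return [p for p in pkts if p is not None]


def resolve_port(port):
    return PORT_NAMES[port] if isinstance(port, str) else port


def matches(p: Packet, proto=None, src=None, dst=None, port=None,
            src_port=None, dst_port=None) -> bool:
    """Offline analogue of a BPF expression: every given condition is ANDed,
    as in 'udp and dst port 53' or 'src A and dst B and port ftp'."""
    if proto and p.proto != proto:
        return False
    if src and p.src != src:
        return False
    if dst and p.dst != dst:
        return False
    if port is not None and resolve_port(port) not in (p.sport, p.dport):
        return False
    if src_port is not None and p.sport != resolve_port(src_port):
        return False
    if dst_port is not None and p.dport != resolve_port(dst_port):
        return False
    return True


def select(pkts, **expr):
    return [p for p in pkts if matches(p, **expr)]


def dns_queries_by_client(pkts):
    """Count DNS queries per source host: the defender's view of 'udp and dst port 53'."""
    counts = {}
    for p in select(pkts, proto="udp", dst_port="domain"):
        counts[p.src] = counts.get(p.src, 0) + 1
    return counts


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_LINES)
    print(len(pkts), "IPv4 packets parsed")
    for p in select(pkts, src="192.168.1.101"):
        print(p.time, p.proto, f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
    print(dns_queries_by_client(pkts))
```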

Search the network traffic using grep

Grep can be used along with tcpdump to search the network traffic. Here is a very simple example

$ sudo tcpdump -n -A | grep -e 'POST'
[sudo] password for enlightened: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
E...=.@.@......e@.H..'.P(.o%~...P.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E...c_@.@..=...e@.H..*.PfC<....wP.9.PN..POST /blog/wp-admin/admin-ajax.php HTTP/1.1
E.....@.@......e@.H...."g;.(.-,WP.9.Nj..POST /login/?login_only=1 HTTP/1.1

The above example detects packets with the string “POST” in them. It detects http post requests as shown.
The -A option displays the content of the packet in ascii text form, which is searchable using grep.

On windows the grep command is not available, but has an equivalent called find/findstr. Example usage

C:\tools>WinDump.exe -A | findstr "GET"
WinDump.exe: listening on \Device\NPF_{6019E682-FD40-4A54-BB75-9C2ACFA56CAA}
.....&....P..W.....P....k..GET /search?hl=en&sclient=psy-ab&q=asda&oq
.....&....P..[{..N.P...%-..GET /csi?v=3&s=web&action=&ei=LrmPUMrLNoHO
.P-%.}....P..$Ch..GET /subscribe?host_int=139535925&ns_map=2

So in the above example we used windump and searched the sniffed packets for the string “GET” (which mostly turns up the http get requests).

So what is the idea behind searching packets? Well, one good thing can be to sniff passwords.
Here is a quick example to sniff passwords using egrep

$ sudo tcpdump -l -A port http or port ftp or port smtp or port imap or port pop3 | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
MODULE 8.2 Sniffing Password with Wireshark
Wireshark is the world’s foremost network protocol analyzer. It lets you see what’s happening on your network at a microscopic level. It is the de facto (and often de jure) standard across many industries and educational institutions.
This tutorial can be an angel and also a devil at the same time; it depends on you who use this tutorial and for which purpose. Me, as the writer of this tutorial, I just hope that all of you can use it in the right way, because I believe that none of you want your password sniffed by someone out there, so don’t do that to others either.

Disclaimer – Our tutorials are designed to aid aspiring pen testers/security enthusiasts in learning new skills. We only recommend that you test this tutorial on a system that belongs to YOU. We do not accept responsibility for anyone who thinks it’s a good idea to try to use this to attempt to hack systems that do not belong to them.
Requirements :

1. Wireshark Network Analyzer (wireshark.org)
2. Network Card (Wi-Fi Card, LAN Card, etc.) FYI: for Wi-Fi it should support promiscuous mode

Step 1: Start Wireshark and capture traffic

In Kali Linux you can start Wireshark by going to

Application > Kali Linux > Top 10 Security Tools > Wireshark

In Wireshark go to Capture > Interface and tick the interface that applies to you. In my case, I am using a Wireless USB card, so I’ve selected wlan0.
Ideally you could just press the Start button here and Wireshark will start capturing traffic. In case you missed this, you can always capture traffic by going back to Capture > Interface > Start
Step 2: Filter captured traffic for POST data

At this point Wireshark is listening to all network traffic and capturing them. I opened a browser and signed in a website using my username and password. When the authentication process was complete and I was logged in, I went back and stopped the capture in Wireshark.

When we type in the username and password and press the Login button, it generates a POST method (in short – you’re sending data to the remote server).

To filter all traffic and locate POST data, type in the following in the filter section

http.request.method == “POST”

See screenshot below. It is showing 1 POST event.
Step 3: Analyze POST data for username and password

Now right click on that line and select Follow TCP Stream
This will open a new Window that contains something like this:
So in this case,

username: sampleuser
password: e4b7c855be6e3d4307b8d6ba4cd4ab91
But hold on, e4b7c855be6e3d4307b8d6ba4cd4ab91 can’t be a real password. It must be a hash value.

To crack this password is simple: just open a new terminal window and type this:
and it looks like this:

  1. username: sampleuser
  2. password: e4b7c855be6e3d4307b8d6ba4cd4ab91:simplepassword

Meet Apache Spot, a new open source project for cybersecurity

The effort taps big data analytics and machine learning for advanced threat detection

The Apache Spot project was announced at Strata+Hadoop World on Wednesday, Sept. 28, 2016.

Credit: Katherine Noyes

Hard on the heels of the discovery of the largest known data breach in history, Cloudera and Intel on Wednesday announced that they’ve donated a new open source project to the Apache Software Foundation with a focus on using big data analytics and machine learning for cybersecurity.

Originally created by Intel and launched as the Open Network Insight (ONI) project in February, the effort is now called Apache Spot and has been accepted into the ASF Incubator.

“The idea is, let’s create a common data model that any application developer can take advantage of to bring new analytic capabilities to bear on cybersecurity problems,” Mike Olson, Cloudera co-founder and chief strategy officer, told an audience at the Strata+Hadoop World show in New York. “This is a big deal, and could have a huge impact around the world.”

Based on Cloudera’s big data platform, Spot taps Apache Hadoop for infinite log management and data storage scale along with Apache Spark for machine learning and near real-time anomaly detection. The software can analyze billions of events in order to detect unknown and insider threats and provide new network visibility.

Essentially, it uses machine learning as a filter to separate bad traffic from benign and to characterize network traffic behavior. It also uses a process including context enrichment, noise filtering, whitelisting and heuristics to produce a shortlist of most likely security threats.

By providing common open data models for network, endpoint, and user, meanwhile, Spot makes it easier to integrate cross-application data for better enterprise visibility and new analytic functionality. Those open data models also make it easier for organizations to share analytics as new threats are discovered.

Other contributors to the project so far include eBay, Webroot, Jask, Cybraics, Cloudwick, and Endgame.

“The open source community is the perfect environment for Apache Spot to take a collective, peer-driven approach to fighting cybercrime,” said Ron Kasabian, vice president and general manager for Intel’s Analytics and Artificial Intelligence Solutions Group. “The combined expertise of contributors will help further Apache Spot’s open data model vision and provide the grounds for collaboration on the world’s toughest and constantly evolving challenges in cybersecurity analytics.”

FBI reports more attempts to hack voter registration system

There have also been ‘scanning activities,’ which could be preludes to attacks


The U.S. Federal Bureau of Investigation has found more attempts to hack the voter registration systems of states, ahead of national elections.

The agency had reportedly found evidence in August that foreign hackers had breached state election databases in Illinois and Arizona, but it appears that there have been other attempts as well, besides frequent scanning activities, which the FBI describes as preludes for possible hacking attempts.

“There have been a variety of scanning activities, which is a preamble for potential intrusion activities, as well as some attempted intrusions at voter registration databases beyond those we knew about in July and August,” FBI Director James Comey told the House Judiciary Committee on Wednesday.

Comey said that the systems that could be at risk were the voter registration systems that are connected to the Internet. The vote system in the U.S., in contrast, is hard to hack into “because it’s so clunky and dispersed,” he added. He advised states to get the best information they can get from the Department of Homeland Security and ensure their systems are tight as there is “no doubt that some bad actors have been poking around.”

“We are doing an awful lot of work through our counter-intelligence investigators to understand just what mischief is Russia up to in connection with our elections,” Comey said. U.S. officials have hinted that they believe Russia is behind recent attacks on servers of the Democratic National Committee, which led to the leak of embarrassing emails through the whistleblowing website WikiLeaks. But the U.S. government has not directly attributed the attacks to Russia.

Security experts and Democratic party president candidate Hillary Clinton have blamed Russia for the attack, but Republican party candidate Donald Trump said nobody knows it was the Russians, adding that the hack could have come from Russia, China or a 400-pound hacker working from his bed.

The U.S. government is not sure whether Russia, which is said to have interfered in U.S. elections since the 1960s, aims to influence the outcome of the election or try to sow seeds of doubt about the sanctity of the process, Director of National Intelligence James R. Clapper recently told The Washington Post in an interview.

Clapper said that “there’s a tradition in Russia of interfering with elections, their own and others.” To ensure that hackers don’t get to the electoral system, the DHS is working with state election officials on best practices on security, specially where there is any dependence on the Internet, Clapper said.

So far 18 states have requested the assistance of the DHS, said Secretary Jeh Johnson, in testimony this week before a Senate committee.

What is ransomware? 1 in 3 small businesses ‘clueless’ to the danger

A third of small to medium-sized businesses (SMBs) have no idea what ransomware is or how devastating the malware can be, highlighting a serious lack of understanding which could seriously harm today’s companies.

According to new research released by antivirus firm AVG on Tuesday, too many businesses are unaware of how dangerous ransomware can be — and how easy it is to become the latest victim of the malware strain.

Ransomware is a type of malicious code that once executed on your system — usually through a malicious link or phishing email — locks your PC, encrypts either your files or hard drive, and demands a ransom payment in return for a decryption key which claims to give you your system back.

One of the latest strains to be detected, MarsJoke, threatens to wipe data if a ransom is not paid within 96 hours. Time-sensitive threats are a common tactic used by ransomware campaign operators to put pressure on victims to pay up, and ransom payments can range from small amounts to hundreds — or thousands — of dollars.

As ransomware can be a very lucrative prospect for cybercriminals looking to cash in, unsurprisingly, infections are on the rise. Locky, Cerber and Virlock are only some of the ransomware variants which are being used in active campaigns against entities including hospitals, governments and gamers.

One UK university has reported 21 attacks in the past 12 months alone.

“The true scale of the problem is somewhat hard to define though because, understandably, many businesses and organisations are reluctant to reveal they’ve been held to ransom because of fears about being targeted again, or losing existing or new customers,” AVG notes.

In June, the security firm asked almost 400 SMB customers in the US and the UK whether they knew about ransomware. In total, 68 percent of respondents had heard of the term ‘ransomware,’ but it is the 32 percent — just over a third — that had no knowledge which is the concerning factor.

Considering the first recorded attack took place in 2005, which came in the now-common form factor of a fake antivirus message which required payment, 11 years on is a long time to not know about such a dangerous threat to business operations.

To make matters worse, out of the 68 percent of respondents which said they knew what ransomware was, 36 percent gave the wrong answer — and actually didn’t really know what the malware was, or its implications.

If you find yourself a victim of such malware, the first thing to do is research the infection to see if security companies have come up with free decryption tools, including AVG and Kaspersky.

While some tools are available, it takes time to crack updated versions and so you may be out of luck. If none are available, you may have to resort to backups of your data. You might be tempted to pay up; however — if you do so, you are funding the criminal enterprise, and there is no guarantee you will be given a working key to retrieve your files after paying the ransom.

Where ransomware goes next: Your phone, your TV, your servers

Cyber-cops list cryptoware as their ‘dominant concern’ and warn that it will target more devices and aim for higher-value targets.

Europol’s latest annual Internet Organised Crime Threat Assessment report paints a rather grim portrait of digital criminality loose on the internet.

It warns that the Crime-as-a-Service model continues to provide crooks, from the entry level to top-tier players, with the tools and services needed to conduct crime online.

The report also said that the boundaries between cybercriminals and state-sponsored hackers continue to blur, warning: “While the extent to which extremist groups currently use cyber techniques to conduct attacks appears to be limited, the availability of cybercrime tools and services, and illicit commodities such as firearms on the Darknet, provide ample opportunities for this situation to change.”

But Europol said that in terms of day-to-day online criminality, “ransomware continues to be the dominant concern for EU law enforcement”, as the number of variants of the malware have multiplied. Most use the same business model: encrypt a user’s files, demand a ransom in Bitcoin, and offer a free test file decryption to prove their capability.

More ransomware targets
But while traditional malware mostly targets desktop Windows users, Europol said there are many more potential targets for ransomware, from individual users’ devices, to networks within industry, healthcare, or even government.

“Cryptoware will also continue to expand its attack surface,” it said, adding: “The profile of ransomware as a threat on mobile devices will grow as developers hone their skills in attacking those operating systems and platforms.”

And while the same data-stealing malware largely appears year-on-year, ransomware is in greater flux and will take several more years before it reaches the same level of equilibrium, said the report.

Europol warned that ransomware will evolve to “routinely spread to other smart devices”, and that there were already some indications that ransomware is capable of infecting devices such as smart TVs.

“Following the pattern of data-stealing malware, cryptoware campaigns will likely become less scattergun and more targeted on victims of greater potential worth,” the report said, noting that a new strain of server-side ransomware called Samsam was targeting the healthcare industry. Samsam does not require a user to click on a link or open an attachment, but exploits the vulnerabilities of web servers and encrypts folders typically associated with website files, images and scripts.

As well as ransomware, the report warned that the overall quality and authenticity of phishing campaigns has increased, with targeted phishing — also known as spear-phishing — aimed at high-value targets, including CEOs for the purposes of fraud. It also said that DDoS attacks continue to grow in intensity and complexity, as do the ways in which criminals use the data they steal.

“Data remains a key commodity for cybercriminals, however data is no longer just procured for immediate financial gain. Increasingly it is acquired for the furtherance of more complex fraud, encrypted for ransom, or used directly for extortion,” said the report.

Majority of enterprises admit they are vulnerable to insider threats

The majority of enterprise players admit they are vulnerable to insider threats to their networks and a third have already become victims, according to new research.

Insider threats are not always due to malicious, unprincipled employees. While it is possible that such staff members could access corporate data for sale or trade illegally, it is often accidental insider threats which are the source of data breaches — such as in the case of Snapchat this year, when a cybercriminal posed as the firm’s CEO Evan Spiegel in order to dupe HR into handing over staff payroll data.

There are many reasons why insider threats can disrupt a business, including simple human error, falling for fraudulent emails, careless personal security of devices and data or failing to keep personal devices which access corporate networks secure.

According to Bitglass researchers, despite cybersecurity becoming more of a priority for today’s businesses, the threat of insiders is still very much a core problem.

On Thursday, the cybersecurity firm released a new report on insider threats in the enterprise. After surveying over 500 security professionals from enterprise companies, Bitglass said that one in three companies admitted to experiencing a data breach caused by an insider in the past year, and 74 percent still feel vulnerable to insider threats.

Over half of respondents — 56 percent — also said that they believe insider threats have become more frequent in the past 12 months.

In total, 71 percent of cybersecurity professionals said they were most concerned with accidents and inadvertent corporate leaks and breaches caused by “risky, unsanctioned” mobile app usage, accidental external sharing of corporate data and the use of mobile devices which are not fully up-to-date and patched — which can lead to malicious apps accessing corporate information, surveillance or spying.

Malicious insiders are also a source of worry for IT professionals, with 61 percent concerned about employees that have an axe to grind or are willing to trade corporate information for their own gain.

In addition, careless security policies implemented by the enterprise make matters worse. If network administrators give employees more access and privileges than they need, should their accounts be compromised, attackers can do so much more — and for 60 percent of organizations, it is these privileged users which demonstrate a real threat to security.

A number of respondents also said that cloud and mobile technologies are forcing a rethink of how best to tackle digital security. According to the survey, 62 percent of IT professionals blame a lack of employee training, and 57 percent say insufficient data protection solutions are a major cause of data breaches.

Too many devices have access to sensitive data say 54 percent of respondents, and 48 percent claim that more data than ever leaving corporate network perimeters is also a major cause of information leaks.

“Adoption of cloud and BYOD are positive developments, but organizations that have limited cross-app visibility will struggle to detect anomalous behavior and need to rethink their approach to data security,” said Nat Kausik, CEO of Bitglass. “The reality is that cloud apps have made data more readily accessible and insider threats more likely — it’s up to the enterprise to put adequate data controls and policies in place to secure vital data.”

In the majority of organizations, employee training, identity management solutions and data leakage prevention strategies were seen as effective tools to combat insider threats.

MANA Toolkit – Rogue Access Point (evilAP) And MiTM Attack Tool

MANA Toolkit is a set of tools for rogue access point (evilAP) attacks and wireless MiTM.
More specifically, it contains the improvements to KARMA attacks implemented into hostapd, as well as some useful configs for conducting MitM once you’ve managed to get a victim to connect.

Contents

MANA Toolkit contains:

  • kali/ubuntu-install.sh – simple installers for Kali 1.0.9 and Ubuntu 14.04 (trusty)
  • slides – an explanation of what we’re doing here
  • run-mana – the controller scripts
  • hostapd-mana – modified hostapd that implements our new mana attacks
  • crackapd – a tool for offloading the cracking of EAP creds to an external tool and re-adding them to the hostapd EAP config (auto crack ‘n add)
  • sslstrip-hsts – our modifications to LeonardoNVE’s & moxie’s cool tools
  • apache – the apache vhosts for the noupstream hacks; deploy to /etc/apache2/ and /var/www/ respectively

Installation

The simplest way to get up and running is to run “apt-get install mana-toolkit” on Kali. If you want to go manual to get the latest version, check below. Make sure to edit the start script to point to the right wifi device.
To get up and running, set up a Kali box (VM or otherwise), update it, then run kali-install.sh

To get up and running, set up an Ubuntu 14.04 box (VM or otherwise), update it, then run ubuntu-install.sh

If you’re installing from git, you can use the following commands after you have grabbed the necessary dependencies:

You can download MANA Toolkit here:

Source: mana-1.3.1.zip
Binary: mana-toolkit-1.3-1debian1_amd64.deb

Mousetrapping and Spreading Malware

Mousetrapping is a technique used by attackers to keep visitors from leaving their website, so that they can take advantage of that. Mousetrapping is done by launching numerous pop-ups endlessly or disabling the Back/Forward or even the Close button.

Different ways of Mousetrapping

Mousetrapping can be done in different ways :

  • numerous new pages may open up
  • the same page may open several times
  • browser buttons like Back/Forward or Close may become inaccessible, making the page harder to close
  • several pop-ups may open up that alert about something or ask to take some action
  • unwanted commercial ads, gambling requests, fake lottery requests or adult contents may start showing up again and again
Threats of Mousetrapping

Mousetrapping is normally associated with typosquatting and browser hijacking. When a user misspells a popular URL in the address bar, the malicious website opens and it starts Mousetrapping. Clearly, it takes time for the user to close the website, and by then, the attackers start a drive-by download of malware. They can even change the browser settings of the user, so that the attackers can infect the computer with even more malware or perform more attacks.
Countermeasures of Mousetrapping

There are a number of countermeasures that can be taken to prevent Mousetrapping :

  • If you ever run into Mousetrapping, press the keyboard shortcut to close the window, because most of the browser buttons become inaccessible at this time, and closing webpages like this also takes less time.
  • If that does not work, you can try disabling JavaScript in your browser, because Mousetrapping is normally implemented using JavaScript.
  • If that also does not work by any chance, you can reboot your computer (e.g. with Ctrl + Alt + Delete in Windows).
  • Never perform the actions suggested in the pop-ups, because that is exactly the intention of the attackers. If you perform those actions, your computer will very likely be infected with malware.
  • Keep the software you use updated with security patches, so that the attackers cannot take advantage of the security holes in that software.
  • Keep your computer protected with an up-to-date, trusted anti-malware program.
  • Please remember that educating oneself about recent threats and their countermeasures is always the best policy to go with.


This was an article to keep you informed about another recent threat and the countermeasures that can be taken. Hope it served its purpose.

New ransomware family takes aim at government targets

A new form of ransomware is targeting government agencies and educational institutions in the US, using emails claiming to be from airlines.

The MarsJoke ransomware has been unearthed by Proofpoint cybersecurity researchers, who note that a large-scale email campaign distributing the machine-locking malware began on 22 September, with the main targets being state and local government agencies.

MarsJoke is just the latest in a string of new ransomware attacks, which combined are set to cost organisations a total of $1 billion during 2016 alone.

Those behind MarsJoke are sending out malicious emails designed to look like they're from airlines: the method is similar to that used by a recent CryptFile 2 ransomware campaign, which attempted to lure government targets with the offer of cheap flights.

The recipient will receive an email with a subject about tracking a parcel and, when opened, this displays a spoofed email claiming to be from a carrier and inviting them to click on a link to track their delivery.

If the target's suspicions aren't raised by the spelling errors and bad English and they click on the link, they'll be taken to a URL hosting a file named "file_6.exe", which infects the targeted machine with MarsJoke.

This sort of approach is different to many other types of ransomware – including the widely distributed Locky – because it encourages users to click a link rather than download an infected document.

Researchers have chosen this name for the ransomware based on a string in the code which says “HelloWorldItsJokeFromMars”.

Once a machine is infected, MarsJoke encrypts files and also creates new files with names like "!!! For Decrypt !!!.bat", "!!! Readme For Decrypt !!!.txt", and "ReadMeFilesDecrypt!!!.txt" to inform the victim that their files have been encrypted and to provide instructions on how to pay a ransom of 0.7 Bitcoins ($320); the untraceable nature of Bitcoin makes it a popular payment method for cybercriminals.
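The ransom-note filenames and the "HelloWorldItsJokeFromMars" string quoted above are the kind of host-level indicators a responder can sweep for. The following is an added example, not Proofpoint's or the article's own code: it walks a directory tree, flags files whose names match the listed note names and files whose contents carry the marker string, and builds a constructed sample tree (with a placeholder "file_6.exe") so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note filenames and the in-code marker string reported for MarsJoke
# (taken from the article above).
RANSOM_NOTE_NAMES = {
    "!!! For Decrypt !!!.bat",
    "!!! Readme For Decrypt !!!.txt",
    "ReadMeFilesDecrypt!!!.txt",
}
MARKER_STRING = b"HelloWorldItsJokeFromMars"
MAX_SCAN_BYTES = 4 * 1024 * 1024  # only read the head of large files


def scan_tree(root):
    """Walk `root` and return a sorted list of (kind, path) findings.

    kind is "ransom_note" for a file whose name matches a known note name,
    or "marker_string" for a file whose first MAX_SCAN_BYTES contain the
    MarsJoke marker string.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTE_NAMES:
                findings.append(("ransom_note", path))
                continue
            try:
                with open(path, "rb") as fh:
                    if MARKER_STRING in fh.read(MAX_SCAN_BYTES):
                        findings.append(("marker_string", path))
            except OSError:
                # Unreadable or vanished file: skip it, don't abort the sweep.
                pass
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory tree mimicking an infected host (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="marsjoke_demo_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "report.docx").write_bytes(b"ordinary document contents")
    (root / "Documents" / "!!! Readme For Decrypt !!!.txt").write_text("your files are encrypted")
    (root / "Downloads").mkdir()
    # Placeholder binary: only the marker string is real, the rest is filler.
    (root / "Downloads" / "file_6.exe").write_bytes(b"MZ-filler-" + MARKER_STRING + b"-filler")
    return str(root)


if __name__ == "__main__":
    for kind, path in scan_tree(build_sample_tree()):
        print(f"{kind:14s} {path}")
```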

The victim's desktop background is also changed to tell them they've been infected, and it features a timer ticking down from 96 hours, warning the user that if they don't pay within that time, all of their files will be permanently encrypted by MarsJoke.

The criminals also warn that any action taken to remove the ransomware without paying will result in the computer’s files being lost forever. It’s worth noting that the visual style of the ransom demand is very similar to that of the CTB-Locker ransomware family.

[Image: The visual style of MarsJoke mimics CTB-Locker]
Image: Proofpoint

Like many schemes of this type, the criminals behind MarsJoke provide a "help" service to instruct victims how to acquire the Bitcoin required to pay the ransom, as well as offering to decrypt two files for free.

With MarsJoke representing a new strain of ransomware, there's currently no means of decrypting files without paying the ransom. Proofpoint researchers suggest this variant isn't "just another ransomware", with a highly sophisticated operation likely to be behind the scheme.

The vast majority of the MarsJoke emails target state and local government agencies, with schools also a major focus of the campaign. These sectors, particularly education, are likely to be hit because cybercriminals view them as an easy target, due to a lack of infrastructure and funding in place to protect users. The ransomware is also targeting the healthcare, telecoms and insurance sectors, although on a much smaller scale.