Tag Archives: defcon

EQGRP tools are post-exploitation

Post Syndicated from Robert Graham original http://blog.erratasec.com/2016/08/eqgrp-tools-are-post-exploitation.html

A recent leak exposed hacking tools from the “Equation Group”, a group likely related to the NSA TAO (the NSA/DoD hacking group). I thought I’d write up some comments.

Despite the existence of 0days, these tools seem to be overwhelmingly post-exploitation. They aren’t the sorts of tools you use to break into a network — but the sorts of tools you use afterwards.

The focus of the tools appears to be hacking into network equipment, installing implants, achieving permanence, and using the equipment to sniff network traffic.

Different pentesters have different ways of doing things once they’ve gotten inside a network, and this is reflected in their toolkits. Some focus on Windows and getting domain admin control, and have tools like mimikatz. Others focus on webapps, and how to install hostile PHP scripts. In this case, these tools reflect a methodology that goes after network equipment.

It’s a good strategy. Finding equipment is easy and undetectable: just do a traceroute. As long as network equipment isn’t causing problems, sysadmins ignore it, so your implants are unlikely to be detected. Internal network equipment is rarely patched, so old exploits are still likely to work. Some tools appear to target bugs in equipment that are likely older than Equation Group itself.

In particular, because network equipment is at the network center instead of the edges, you can reach out and sniff packets through the equipment. Half the time it’s a feature of the network equipment, so no special implant is needed. Conversely, when on the edge of the network, switches often prevent you from sniffing packets, and even if you exploit the switch (e.g. ARP flood), all you get are nearby machines. Getting critical machines from across the network requires remotely hacking network devices.

So you see a group of pentest-type people (TAO hackers) with a consistent methodology, and toolmakers who develop and refine tools for them. Tool development is a rare thing among pentesters — they use tools, they don’t develop them. Having programmers on staff dramatically changes the nature of pentesting.

Consider the program xml2pcap. I don’t know what it does, but it looks like similar tools I’ve written in my own pentests. Various network devices will allow you to sniff packets, but produce output in custom formats. Therefore, you need to write a quick-and-dirty tool that converts from that weird format back into the standard pcap format for use with tools like Wireshark. More than once I’ve had to convert HTML/XML output to pcap. Setting port filters for FTP (21) and Telnet (23) produces low-bandwidth traffic with high return (admin passwords) within networks — all you need is a script that can convert the packets into standard format to exploit this.
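The conversion described above, as an added example (not the leaked xml2pcap, whose behaviour is unknown): a device’s XML packet dump, in a hypothetical format constructed here, is rewritten as a standard pcap file that Wireshark or tcpdump can open for review.

```python
import struct
import xml.etree.ElementTree as ET

# Constructed sample of the XML a device's monitor session might emit (hypothetical
# element and attribute names; each real device has its own format). Packet 1 is an
# ARP request captured at 42 of its 60 on-wire bytes, packet 2 a TCP SYN to port 23.
SAMPLE_XML = """<capture>
  <packet ts="1471500000.000100" len="60">
    ffffffffffff00112233445508060001080006040001001122334455
    c0a80001000000000000c0a80002
  </packet>
  <packet ts="1471500000.000350" len="54">
    00112233445566778899aabb0800450000280001400040060000
    c0a80002c0a80001c350001700000001000000005002200000000000
  </packet>
</capture>"""

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap; written little-endian below
LINKTYPE_ETHERNET = 1

def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)

def split_timestamp(ts_text):
    # Parse "sec.frac" as text so no float rounding creeps into the microseconds.
    sec, _, frac = ts_text.partition(".")
    return int(sec), int((frac + "000000")[:6])

def pcap_record(ts_text, data, orig_len):
    # Per-packet header: ts_sec, ts_usec, captured length, original length on the wire
    sec, usec = split_timestamp(ts_text)
    return struct.pack("<IIII", sec, usec, len(data), orig_len) + data

def xml_to_pcap(xml_text):
    """Return (pcap_bytes, packet_count) for the capture in xml_text."""
    root = ET.fromstring(xml_text)
    out = bytearray(pcap_global_header())
    count = 0
    for pkt in root.iter("packet"):
        data = bytes.fromhex("".join((pkt.text or "").split()))   # whitespace-tolerant hex
        orig_len = int(pkt.get("len", len(data)))
        out += pcap_record(pkt.get("ts", "0"), data, orig_len)
        count += 1
    return bytes(out), count

if __name__ == "__main__":
    pcap, n = xml_to_pcap(SAMPLE_XML)
    with open("converted.pcap", "wb") as fh:      # open this file in Wireshark
        fh.write(pcap)
    print(f"wrote {n} packets, {len(pcap)} bytes")
```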

Also consider the tftpd tool in the dump. Many network devices support that protocol for updating firmware and configuration. That’s pretty much all it’s used for. This points to a defensive security strategy for your organization: log all TFTP traffic.

Same applies to SNMP. By the way, SNMP vulnerabilities in network equipment are still low-hanging fruit. SNMP stores thousands of configuration parameters and statistics in a big tree, meaning that it has an enormous attack surface. Any value that is settable and variable-length (OCTET STRING, OBJECT IDENTIFIER) is something you can play with for buffer overflows and format string bugs. The Cisco 0day in the toolkit was one example.
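The defensive strategy suggested for the tftpd tool and the SNMP paragraph above, as an added example (not part of the original post): flow records are scanned for TFTP and for SNMP from hosts outside a management allowlist. The flow records, the host roles and the allowlist are all constructed for the example; the one detail worth showing is that TFTP only uses port 69 for the initial request, so the transfer itself has to be correlated by address and port rather than matched on port 69.

```python
# Constructed UDP flow records ("ts proto src:sport dst:dport bytes"); real NetFlow
# or IPFIX exports carry the same fields. Hypothetical hosts: 10.1.0.1 is a switch,
# 10.1.5.23 a workstation, 10.1.0.50 the only sanctioned SNMP management host.
FLOWS = """\
1471500001 UDP 10.1.5.23:50123 10.1.0.1:69 24
1471500001 UDP 10.1.0.1:3456 10.1.5.23:50123 1048576
1471500002 UDP 10.1.5.23:50123 10.1.0.1:3456 4096
1471500003 UDP 10.1.9.9:40000 10.1.0.1:161 90
1471500004 UDP 10.1.0.50:40001 10.1.0.1:161 90
"""

MGMT_HOSTS = {"10.1.0.50"}   # assumption: the hosts allowed to send SNMP to devices

def parse_flow(line):
    ts, proto, src, dst, nbytes = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return dict(ts=int(ts), proto=proto, sip=sip, sport=int(sport),
                dip=dip, dport=int(dport), nbytes=int(nbytes))

def tftp_session_for(flow, sessions):
    # After the request to port 69, TFTP moves to ephemeral ports on both sides:
    # the server answers the client's original port from a fresh port of its own,
    # and the client replies to that port. Match either direction.
    for client, cport, server in sessions:
        if (flow["sip"], flow["dip"], flow["dport"]) == (server, client, cport):
            return client, cport, server
        if (flow["sip"], flow["sport"], flow["dip"]) == (client, cport, server):
            return client, cport, server
    return None

def analyze(text):
    """Return ({(client, port, server): bytes_moved}, [alerts]) for the records."""
    sessions, alerts = {}, []
    for line in text.splitlines():
        f = parse_flow(line)
        if f["proto"] != "UDP":
            continue
        key = tftp_session_for(f, sessions)
        if f["dport"] == 69:                        # TFTP read/write request
            sessions[(f["sip"], f["sport"], f["dip"])] = f["nbytes"]
            alerts.append(("tftp-request", f["sip"], f["dip"]))
        elif key is not None:
            sessions[key] += f["nbytes"]            # the transfer itself, on other ports
        elif f["dport"] == 161 and f["sip"] not in MGMT_HOSTS:
            alerts.append(("snmp-from-unexpected-host", f["sip"], f["dip"]))
    return sessions, alerts
```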

Some have pointed out that the code in the tools is crappy, and they make obvious crypto errors (such as using the same initialization vectors). This is nonsense. It’s largely pentesters, not software developers, creating these tools. And they have limited threat models — encryption is to avoid easy detection that they are exfiltrating data, not to prevent somebody from looking at the data.

From that perspective, then, this is fine code, with some effort spent at quality for tools that don’t particularly need it. I’m a professional coder, and my little scripts often suck worse than the code I see here.

Lastly, I don’t think it’s a hack of the NSA themselves. Those people are over-the-top paranoid about opsec. But 95% of the US cyber-industrial-complex is made up of companies, who are much more lax about security than the NSA itself. It’s probably one of those companies that got popped — such as an employee who went to DEFCON and accidentally left his notebook computer open on the hotel WiFi.

Despite the 0days, these appear to be post-exploitation tools. They look like the sort of tools pentesters might develop over years, where each time they pop a target, they do a little development based on the devices they find inside that new network in order to compromise more machines/data.

Kim Dotcom & John McAfee “At War” Over Megaupload 2.0 Revelations

Post Syndicated from Andy original https://torrentfreak.com/kim-dotcom-john-mcafee-at-war-over-megaupload-2-0-revelations-160818/

To celebrate the five year anniversary of the Megaupload raids, in January 2017 Kim Dotcom hopes to deliver a brand new file-sharing system to the masses.

Provisionally titled Megaupload 2.0, Dotcom says the system will take decentralization, anonymity & encryption “to the next level” by connecting file transfers to bitcoin transactions.

Importantly, the new iteration of Megaupload will launch with the original Megaupload’s user database, which could potentially mean 100 million users checking in shortly after launch. Unsurprisingly then, news of the project has been generating a lot of interest online, even before any hard technical details have been made public.

While Dotcom is yet to reveal any of his investment partners, he has just made a surprise announcement concerning who he won’t be doing business with. It began with a tweet in which Dotcom claimed he’d been offered cash to participate in what he saw as a “pump and dump” deal.

The MGT to which Dotcom refers is MGT Capital Investments, a company which advertises itself as dealing with cyber threats “through advanced protection technologies for mobile and personal tech devices.” Early May, security expert John McAfee was confirmed as the company’s new CEO and a chaotic period of stock trading ensued.

So why was MGT trying to get involved with Megaupload 2.0? TorrentFreak spoke with Dotcom to find out more and it transpires some big numbers were involved.

“[MGT’s approach] was connected to the new businesses I’m working on. They offered to invest $30m in cash and $MGT stock. But after some due diligence it became clear that their offer was unrealistic,” Dotcom informs TF.

“They didn’t have the substance to make such an offer. When I questioned that they responded that the substance can be created by the partnership announcement. Meaning an increase in stock value which would make the stock component of the deal more valuable”

While $30m plus stock might sound like a lot, Dotcom said he poured cold water on the idea.

“I told them I’m not interested in pumping up $MGT stock and that they need to raise the money first before we can enter into any kind of agreement,” he explains.

Undeterred, MGT had another proposal for the Megaupload founder.

“Then they offered $500k for signing a Letter of Intent to be announced at a big press conference during Defcon. The whole thing was designed to drive up the $MGT stock price with no substance. We declined,” Dotcom says.

We asked Dotcom if John McAfee himself was aware of the deal being put on the table.

“John knows about this,” he told us. “In my opinion it was all about pump and dump. All they always talked about was the effect of previous announcements on the stock price. That’s not how you create value or run a business.”

But while Dotcom may not have liked the offer made by MGT, behind the scenes it appears that he had also irritated McAfee.

Eric J. Anderson (Eijah) is a former Rockstar games developer and the founder of anonymous information sharing app DemonSaw, a product endorsed by McAfee. Dotcom says he offered Anderson, McAfee’s friend and the CTO of MGT, an important job.

“I offered Eijah [the] CTO role at Megaupload 2.0 – he agreed. Mcafee goes mental, scares Eijah, making serious threats,” Dotcom reveals.

“I decided to come forward about $MGT when I witnessed how Mcafee abused Eijah. I’m not concerned about the fallout. I stand up for friends.”

And now it appears the touchpaper has been lit. In a message from McAfee last evening, the security expert warned Dotcom that things might get a little bumpy today.

Early reaction to Dotcom’s decision to go public about the MGT offer has been largely positive, with people praising the businessman for coming clean. However, Dotcom says his decision to go public could have its downsides.

“I had to say something. I know I’m exposing myself to attacks by $MGT but I had to go public. Based on everything I have learned about $MGT there is no substance, yet,” he says.

“They might create substance in the future. They might come up with real products that create real value. But at the moment they are focusing on making announcements to drive up the $MGT stock price instead of creating real value for investors. It’s unethical and that’s why we declined the money and I went public.”

TorrentFreak contacted MGT but the company did not respond to our request for comment.


Defcon 24: Blinded By The Light

Post Syndicated from Craig original http://www.devttys0.com/2016/08/defcon-24-blinded-by-the-light/

I won’t be at Defcon this year in body, but I’ll be there in spirit! I got to design the hardware used in @tb69rr’s and @bjt2n3904’s Defcon talk, Blinded By The Light.

A walk-through of the hardware design is given in the video below; if you’re interested in how the collected infrared data can be used to identify and track your phone, be sure to check out their talk at the wireless village!

Security Vulnerabilities in Wireless Keyboards

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/08/security_vulner_7.html

Most of them are unencrypted, which makes them vulnerable to all sorts of attacks:

On Tuesday Bastille’s research team revealed a new set of wireless keyboard attacks they’re calling Keysniffer. The technique, which they’re planning to detail at the Defcon hacker conference in two weeks, allows any hacker with a $12 radio device to intercept the connection between any of eight wireless keyboards and a computer from 250 feet away. What’s more, it gives the hacker the ability to both type keystrokes on the victim machine and silently record the target’s typing.

This is a continuation of their previous work.

More news articles. Here are lists of affected devices.

Researchers Discover Tor Nodes Designed to Spy on Hidden Services

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/07/researchers_dis.html

Two researchers have discovered over 100 Tor nodes that are spying on hidden services. Cory Doctorow explains:

These nodes — ordinary nodes, not exit nodes — sorted through all the traffic that passed through them, looking for anything bound for a hidden service, which allowed them to discover hidden services that had not been advertised. These nodes then attacked the hidden services by making connections to them and trying common exploits against the server-software running on them, seeking to compromise and take them over.

The researchers used “honeypot” .onion servers to find the spying computers: these honeypots were .onion sites that the researchers set up in their own lab and then connected to repeatedly over the Tor network, thus seeding many Tor nodes with the information of the honions’ existence. They didn’t advertise the honions’ existence in any other way and there was nothing of interest at these sites, and so when the sites logged new connections, the researchers could infer that they were being contacted by a system that had spied on one of their Tor network circuits.

This attack was already understood as a theoretical problem for the Tor project, which had recently undertaken a rearchitecting of the hidden service system that would prevent it from taking place.

No one knows who is running the spying nodes: they could be run by criminals, governments, private suppliers of “infowar” weapons to governments, independent researchers, or other scholars (though scholarly research would not normally include attempts to hack the servers once they were discovered).

The Tor project is working on redesigning its system to block this attack.

Vice Motherboard article. Defcon talk announcement.

Unicorn – PowerShell Downgrade Attack

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/ZyaTsabV8ew/

Magic Unicorn is a simple tool for using a PowerShell downgrade attack to inject shellcode straight into memory. Based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. Usage is simple, just run Magic Unicorn (ensure Metasploit is installed and in the…

Read the full post at darknet.org.uk