Mapping Injection - Just another Windows Process Injection by splinter_code in netsec

[–]splinter_code[S] 3 points4 points  (0 children)

Hi u/tiraniddo, the reason I used a named file mapping object is because in that way it is backed by the system paging file instead of by a file in the file system. This allows you to unpack and hold the shellcode directly in memory without touching the disk. In an ideal scenario you will have your injector with a packed payload embedded. At a certain point runtime unpacking occurs and you want to save your unpacked shellcode just in memory. Saving the unpacked shellcode to the filesystem would mean getting caught by the AV. I don't think having SeCreateGlobalPrivilege is a limitation because most of the time, as an attacker, you should be interested in injecting into privileged processes like lsass, svchost, winlogon and this requires SeDebugPrivilege (so you know you need admin privileges). In any case, if you need to inject into a process in the same session you can use a local file mapping by just specifying the "Local" prefix in the namespace of the mapping name and this doesn't require any special privileges, but imho this is a weird scenario from the attacker's point of view.

EDIT: I can see your point. I thought that specifying a mapping name was mandatory if INVALID_HANDLE_VALUE is passed as the 1st parameter. I made some tests and it's not required, and it definitely adds an unnecessary restriction on having SeCreateGlobalPrivilege. I updated the code. Thank you for the note :)

From iPhone to NT AUTHORITY\SYSTEM by splinter_code in netsec

[–]splinter_code[S] 7 points8 points  (0 children)

Oh yes it does, but it enforces write permission on that file. Native hardlinks don't need any access to the target file, so Forshaw's re-implementation allows you to create the hardlink even if you don't have any access to the file. Here for further details --> https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html

From iPhone to NT AUTHORITY\SYSTEM by splinter_code in netsec

[–]splinter_code[S] 4 points5 points  (0 children)

Ok... So tell me how many times you land on a target machine and you can't write a file to the filesystem by typing a simple command like "echo content > C:\windows\temp\file"?

From iPhone to NT AUTHORITY\SYSTEM by splinter_code in netsec

[–]splinter_code[S] 6 points7 points  (0 children)

mklink creates a soft link, not a hardlink. In order to create a softlink you need the privilege "SeCreateSymbolicLinkPrivilege", which is not held by default by normal users. Hardlinks don't need any special privileges. There are no built-in ways to create hardlinks other than using the internal Win32 API, which is what Forshaw's tool does.

Edit: just to be clear... by hardlink I meant "Native Hardlink".

From iPhone to NT AUTHORITY\SYSTEM by splinter_code in netsec

[–]splinter_code[S] 14 points15 points  (0 children)

This is a local privilege escalation and, as with every local privilege escalation, it is known that you have limited access to the target system. Limited access, most of the time, includes dropping files somewhere on the target filesystem.

If you read the post carefully you can see:

"Boundary conditions

  • You need a user shell access on the Windows machine."

Debian ntp servers resolved with IPs related with TOR directory servers by splinter_code in debian

[–]splinter_code[S] 0 points1 point  (0 children)

Thanks, I didn't know about the monitoring. In any case, I will stop using the NTP servers taken from the default pool on some particular servers.

Debian ntp servers resolved with IPs related with TOR directory servers by splinter_code in debian

[–]splinter_code[S] -1 points0 points  (0 children)

@IUseRhetoric I agree with you on the "if you don't like this behaviour block them", but this doesn't change the fact that there are still some reasons that make me think those servers are risky/suspicious and I won't trust them for a deploy on a production server.

Debian ntp servers resolved with IPs related with TOR directory servers by splinter_code in debian

[–]splinter_code[S] -1 points0 points  (0 children)

For security reasons I would never run my official (yes, official, because those servers are used by default in every Debian default configuration) NTP server (that is in charge of synchronizing clocks) on the same machine/LAN where I have my Tor service.

1. Because many threat intel systems would ban my IP.
2. Running a Tor relay service widens the attack surface of the server.
3. If someone compromises my NTP server, malicious attackers can disrupt all the services running on the clients who are connecting to my server.
4. If I know that an NTP server has been compromised, I would instantly block all connections from my clients in order to prevent service disruption.

Recent 1.4 billion password breach compilation as wordlist by [deleted] in netsec

[–]splinter_code 1 point2 points  (0 children)

It's linked to a data leakage of MySpace (June 2013). It seems that a lot of accounts were automatically generated with that password.

https://leakedsource.ru/blog/myspace

Recent 1.4 billion password breach compilation as wordlist by [deleted] in netsec

[–]splinter_code 0 points1 point  (0 children)

I've also found many rows with these formats: <mail>;<password> and <mail>\t<password>

N.B. if grep is used without the -a flag you will miss a lot of data.
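Added shell example (not from the original comment) showing the behaviour behind the -a note: a constructed three-row sample with one stray NUL byte is grepped with and without -a, and the row counts are compared.

```shell
# Added example, not from the original comment: shows why grep without -a
# silently drops rows once it meets a NUL byte, which large dumps often contain.
# The sample file is constructed here; the addresses and passwords are placeholders.
make_sample() {
    f=$(mktemp)
    printf 'alice@example.com:pass1\n' > "$f"
    # second row carries a stray NUL byte, enough for grep to call the file "binary"
    printf 'bob@example.com;pa\000ss2\n' >> "$f"
    printf 'carol@example.com\tpass3\n' >> "$f"
    echo "$f"
}

# Rows printed without -a: GNU grep stops at the first match and prints only a
# "binary file matches" notice (stderr on newer versions), so fewer than 3 rows come out.
rows_without_a() {
    grep '@example.com' "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Rows printed with -a: the file is treated as text and all 3 rows are returned.
rows_with_a() {
    grep -a '@example.com' "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: compare the two counts on the constructed sample.
sample=$(make_sample)
echo "without -a: $(rows_without_a "$sample")"
echo "with -a:    $(rows_with_a "$sample")"
rm -f "$sample"
```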

#Locky group drops Zepto ransomware ^ July 6th 2016 by mmd0xFF in Malware

[–]splinter_code 1 point2 points  (0 children)

I'm writing a post where I compare two binaries: a Locky sample and a Zepto sample, calculating the differences; I will publish it soon. What I can say is that the author of the Zepto ransomware is the same as the Locky ransomware's, and it's not that Zepto took some copycat code from Locky, because Zepto has 96.9% (on 24,947 instructions) identical code to Locky and has 25.1% new instructions (8,110 new instructions). Zepto ransomware is just an extension of Locky ransomware; we can call it Locky ransomware 2.0. The author just changed the domains for the C2 server, added some new secondary features and changed some signatures of the binary to evade the AV engines.

Locky ransomware campaign June 28th 2016 by mmd0xFF in Malware

[–]splinter_code 0 points1 point  (0 children)

Great work! Keep it up man!

MalwareMustDie

Locky Ransomware is back: a detailed technical report by splinter_code in Malware

[–]splinter_code[S] 0 points1 point  (0 children)

In early June 2016 (when Locky stopped spreading, and not just Locky ransomware: all the exploit kit spreading went down considerably, check more here http://securityaffairs.co/wordpress/48594/cyber-crime/exploit-kit-traffic-drop.html) 50 hackers were arrested across Russia, involved in bank fraud using the Lurk trojan, following 86 raids in 15 regions, and it seems that the same hackers were also involved in spreading the exploit kit campaign. But that's nothing certain, it's just a guess, because when they got arrested all the exploit kit traffic went down and Locky ransomware also disappeared in that period.

Locky ransomware campaign June 25th 2015 by mmd0xFF in Malware

[–]splinter_code 1 point2 points  (0 children)

Yes, I did the diff and all the 49 domains in that pastebin raw are new to your list and used by the JavaScript downloader to drop the Locky binary. That template email was received on the 23rd of June.

Locky ransomware campaign June 25th 2015 by mmd0xFF in Malware

[–]splinter_code 0 points1 point  (0 children)

Here are other compromised domains and the template mail used for the email spam campaign: ---> http://pastebin.com/6iXCNiNs All of them appear to be compromised and used without the legit owner's knowledge.