झाल्या तिन्हीसांझा

"BeEF is the browser exploitation framework. A professional tool to demonstrate the real-time impact of XSS browser vulnerabilities. Development has focused on creating a modular structure making new module development a trivial process with the intelligence residing within BeEF. Current modules include the first public Inter-protocol Exploit, a traditional browser overflow exploit, port scanning, keylogging, clipboard theft and more." read more...

Website: http://www.bindshell.net/tools/beef

Ever wanted to turn your AV console into an Incident Response & Threat Hunting machine? Rastrea2r (pronounced "rastreador" - hunter- in Spanish) is a multi-platform open source tool that allows incident responders and SOC analysts to triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes. To parse and collect artifacts of interest from remote systems (including memory dumps), rastrea2r can execute sysinternal, system commands and other 3rd party tools across multiples endpoints, saving the output to a centralized share for automated or manual analysis. By using a client/server RESTful API, rastrea2r can also hunt for IOCs on disk and memory across multiple systems using YARA rules. As a command line tool, rastrea2r can be easily integrated within McAfee ePO, as well as other AV consoles and orchestration tools, allowing incident responders and SOC analysts to collect forensic evidence and hunt for IOCs without the need for an additional agent, with 'gusto' and style!

Dependencies

Python 2.7.x
git
bottle
requests
yara-python

Quickstart

Clone the project to your local directory (or download the zip file of the project)

$git clone https://github.com/rastrea2r/rastrea2r.git
$cd rastrea2r

All the dependencies necessary for the tool to run can be installed within a virtual environment via the provided makefile.

$make help
help                           - display this makefile's help information
venv                           - create a virtual environment for development
clean                          - clean all files using .gitignore rules
scrub                          - clean all files, even untracked files
test                           - run tests
test-verbose                   - run tests [verbosely]
check-coverage                 - perform test coverage checks
check-style                    - perform pep8 check
fix-style                      - perform check with autopep8 fixes
docs                           - generate project documentation
check-docs                     - quick check docs consistency
serve-docs                     - serve project html documentation
dist                           - create a wheel distribution package
dist-test                      - test a wheel distribution package
dist-upload                    - upload a wheel distribution package

Create a virtual environment with all dependencies

$make venv
//Upon successful creation of the virtualenvironment, enter the virtualenvironment as instructed, for ex:
$source /Users/ssbhat/.venvs/rastrea2r/bin/activate

Start the rastrea2r server by going to $PROJECT_HOME/src/rastrea2r/server folder

$cd src/rastrea2r/server/
$python rastrea2r_server_v0.3.py
Bottle v0.12.13 server starting up (using WSGIRefServer())...
Listening on http://0.0.0.0:8080/

Now execute the client program, depending on which platform you are trying to scan choose the target python script appropriately. Currently Windows, Linux and Mac platforms are supported.

$python rastrea2r_osx_v0.3.py -h
usage: rastrea2r_osx_v0.3.py [-h] [-v] {yara-disk,yara-mem,triage} ...

Rastrea2r RESTful remote Yara/Triage tool for Incident Responders

positional arguments:  {yara-disk,yara-mem,triage}

modes of operation
 yara-disk           Yara scan for file/directory objects on disk
 yara-mem            Yara scan for running processes in memory
 triage              Collect triage information from endpoint

optional arguments:
 -h, --help            show this help message and exit
 -v, --version         show program's version number and exit


Further more, the available options under each command can be viewed by executing the help option. i,e

$python rastrea2r_osx_v0.3.py yara-disk -h
usage: rastrea2r_osx_v0.3.py yara-disk [-h] [-s] path server rule

positional arguments:
path          File or directory path to scan
server        rastrea2r REST server
rule          Yara rule on REST server

optional arguments:
-h, --help    show this help message and exit
-s, --silent  Suppresses standard output

For ex, on a Mac or Unix system you would do:

$cd src/rastrea2r/osx/

$python rastrea2r_osx_v0.3.py yara-disk /opt http://127.0.0.1:8080/ test.yar

Executing rastrea2r on Windows

Apart from the libraries specified in requirements.txt, we need to install the following libraries
- PSutil for win64: https://github.com/giampaolo/psutil
- WMI for win32: https://pypi.python.org/pypi/WMI/
- Requests: pip install requests
Compiling rastrea2r
Make sure you have all the dependencies installed for the binary you are going to build on your Windows box. Then install:
- Pywin32: http://sourceforge.net/projects/pywin32/files/ ** Windows only
- Pyinstaller: https://github.com/pyinstaller/pyinstaller/wiki

Currently Supported functionality

yara-disk: Yara scan for file/directory objects on disk
yara-mem: Yara scan for running processes in memory
memdump: Acquires a memory dump from the endpoint ** Windows only
triage: Collects triage information from the endpoint ** Windows only

Notes
For memdump and triage modules, SMB shares must be set up in this specific way:

Binaries (sysinternals, batch files and others) must be located in a shared folder called TOOLS (read only)

\path-to-share-foldertools
Output is sent to a shared folder called DATA (write only)

\path-to-share-folderdata
For yara-mem and yara-disk scans, the yara rules must be in the same directory where the server is executed from.
The RESTful API server stores data received in a file called results.txt in the same directory.

Contributing to rastrea2r project
The Developer Documentation provides complete information on how to contribute to rastrea2r project

Demo videos on Youtube

Video 1: Incident Response / Triage with rastrea2r on the command line - https://youtu.be/uFIZxqWeSyQ
Video 2: Remote Yara scans with rastrea2r on the command line - https://youtu.be/cnY1yEslirw
Video 3: Using rastrea2r with McAfee ePO - Client Tasks & Execution - https://youtu.be/jB17uLtu45Y

Presentations

rastrea2r at BlackHat Arsenal 2016 (check PDF for documentation on usage and examples) https://www.blackhat.com/us-16/arsenal.html#rastrea2r
https://github.com/aboutsecurity/Talks-and-Presentations/blob/master/Ismael_Valenzuela-Hunting_for_IOCs_rastrea2r-BH_Arsenal_2016.pdf
Recording of talk on rastrea2r at the SANS Threat Hunting Summit 2016
https://www.youtube.com/watch?v=0PvBsL6KKfA&feature=youtu.be&a

Credits & References

To Robert Gresham Jr. (@rwgresham) and Ryan O'Connor (@_remixed) for their contributions to the Triage module. Thanks folks!
To Ricardo Dias for the idea of using a REST server and his great paper on how to use Python and Yara with McAfee ePO: http://www.sans.org/reading-room/whitepapers/forensics/intelligence-driven-incident-response-yara-35542

Download Rastrea2R

Related word

In this post we will show why Gridcoin is insecure and probably will never achieve better security. Therefore, we are going to explain two critical implementation vulnerabilities and our experience with the core developer in the process of the responsible disclosure.

In our last blog post we described the Gridcoin architecture and the design vulnerability we found and fixed (the good). Now we come to the process of responsibly disclosing our findings and try to fix the two implementation vulnerabilities (the bad).

Update (15.08.2017):
After the talk at WOOT'17 serveral other developers of Gridcoin quickly reached out to us and told us that there was a change in responsibility internally in the Gridcoin-Dev team. Thus, we are going to wait for their response and then change this blog post accordingly. So stay tuned :)

Update (16.08.2017):
We are currently in touch with the whole dev team of Gridcoin and it seems that they are going to fix the vulnerabilities with the next release.

TL;DR
The whole Gridcoin currency is seriously insecure against attacks and should not be trusted anymore; unless some developers are in place, which have a profound background in protocol and application security.

What is Gridcoin?

Gridcoin is an altcoin, which is in active development since 2013. It claims to provide a high sustainability, as it has very low energy requirements in comparison to Bitcoin. It rewards users for contributing computation power to scientific projects, published on the BOINC project platform. Although Gridcoin is not as widespread as Bitcoin, its draft is very appealing as it attempts to eliminate Bitcoin's core problems. It possesses a market capitalization of $13,530,738 as of August the 4th 2017 and its users contributed approximately 5% of the total scientific BOINC work done before October 2016.

A detailed description of the Gridcoin architecture and technical terms used in this blog post are explained in our last blog post.

The Issues

Currently there are 2 implementation vulnerabilities in the source code, and we can mount the following attacks against Gridcoin:

We can steal the block creation reward from many Gridcoin minters
We can efficiently prevent many Gridcoin minters from claiming their block creation reward (DoS attack)

So why do we not just open up an issue online explaining the problems?

Because we already fixed a critical design issue in Gridcoin last year and tried to help them to fix the new issues. Unfortunately, they do not seem to have an interest in securing Gridcoin and thus leave us no other choice than fully disclosing the findings.

In order to explain the vulnerabilities we will take a look at the current Gridcoin source code (version 3.5.9.8).

WARNING: Due to the high number of source code lines in the source files, it can take a while until your browser shows the right line.

Stealing the BOINC block reward

The developer implemented our countermeasures in order to prevent our attack from the last blog post. Unfortunately, they did not look at their implementation from an attacker's perspective. Otherwise, they would have found out that they conduct not check, if the signature over the last block hash really is done over the last block hash. But we come to that in a minute. First lets take a look at the code flow:

In the figure the called-by-graph can be seen for the function VerifyCPIDSignature.

CheckBlock → DeserializeBoincBlock [Source]

Here we deserialize the BOINC data structure from the first transaction

CheckBlock → IsCPIDValidv2 [Source]

Then we call a function to verify the CPID used in the block. Due to the massive changes over the last years, there are 3 possible verify functions. We are interested in the last one (VerifyCPIDSignature), for the reason that it is the current verification function.

IsCPIDValidv2 → VerifyCPIDSignature [Source]
VerifyCPIDSignature → CheckMessageSignature [Source, Source]

In the last function the real signature verification is conducted [Source]. When we closely take a look at the function parameter, we see the message (std::string sMsg) and the signature (std::string sSig) variables, which are checked. But where does this values come from?

If we go backwards in the function call graph we see that in VerifyCPIDSignature the sMsg is the string sConcatMessage, which is a concatenation of the sCPID and the sBlockHash.
We are interested where the sBlockHash value comes from, due to the fact that this one is the only changing value in the signature generation.
When we go backwards, we see that the value originate from the deserialization of the BOINC structure (MiningCPID& mc) and is the variable mc.lastblockhash [Source, Source]. But wait a second, is this value ever checked whether it contains the real last block hash?

No, it is not....

So they just look if the stored values there end up in a valid signature.

Thus, we just need to wait for one valid block from a researcher and copy the signature, the last block hash value, the CPID and adjust every other dynamic value, like the RAC. Consequently, we are able to claim the reward of other BOINC users. This simple bug allows us again to steal the reward of every Gridcoin researcher, like there was never a countermeasure.

Lock out Gridcoin researcher
The following vulnerability allows an attacker under specific circumstances to register a key pair for a CPID, even if the CPID was previously tied to another key pair. Thus, the attacker locks out a legit researcher and prevent him from claiming BOINC reward in his minted blocks.

Reminder: A beacon is valid for 5 months, afterwards a new beacon must be sent with the same public key and CPID.

Therefore, we need to take a look at the functions, which process the beacon information. Every time there is a block, which contains beacon information, it is processed the following way (click image for higher resolution):

In the figure the called-by-graph can be seen for the function GetBeaconPublicKey.

We now show the source code path:

ProcessBlock → CheckBlock [Source]
CheckBlock → LoadAdminMessages [Source]
LoadAdminMessages → MemorizeMessages [Source]
MemorizeMessages → GetBeaconPublicKey [Source]

In the last function GetBeaconPublicKey there are different paths to process a beacon depending on the public key, the CPID, and the time since both were associated to each other.
For the following explanation we assume that we have an existing association (bound) between a CPID A and a public key pubK_A for 4 months.

First public key for a CPID received [Source]

The initial situation, when pubK_A was sent and bind to CPID A (4 months ago)

Existing public key for a CPID was sent [Source]

The case that pubK_A was resent for a CPID A, before the 5 months are passed by

Other public key for a CPID was sent [Source]

The case, if a different public key pubK_B for the CPID A was sent via beacon.

The existing public key for the CPID is expired

After 5 months a refresh for the association between A and pubK_A is required.

When an incoming beacon is processed, a look up is made, if there already exists a public key for the CPID used in the beacon. If yes, it is compared to the public key used in the beacon (case 2 and 3).
If no public key exists (case 1) the new public key is bound to the CPID.

If a public key exists, but it was not refreshed directly 12.960.000 seconds (5 months [Source]) after the last beacon advertisement of the public key and CPID, it is handled as no public key would exist [Source].

Thus, case 1 and 4 are treated identical, if the public key is expired, allowing an attacker to register his public key for an arbitrary CPID with expired public key. In practice this allows an attacker to lock out a Gridcoin user from the minting process of new blocks and further allows the attacker to claim reward for BOINC work he never did.

There is a countermeasure, which allows a user to delete his last beacon (identified by the CPID) . Therefore, the user sends 1 GRC to a special address (SAuJGrxn724SVmpYNxb8gsi3tDgnFhTES9) from an GRC address associated to this CPID [Source]. We did not look into this mechanism in more detail, because it only can be used to remove our attack beacon, but does not prevent the attack.

The responsible disclosure process

As part of our work as researchers we all have had the pleasure to responsible disclose the findings to developer or companies.

For the reasons that we wanted to give the developer some time to fix the design vulnerabilities, described in the last blog post, we did not issue a ticket at the Gridcoin Github project. Instead we contacted the developer at September the 14th 2016 via email and got a response one day later (2016/09/15). They proposed a variation of our countermeasure and dropped the signature in the advertising beacon, which would result in further security issues. We sent another email (2016/09/15) explained to them, why it is not wise to change our countermeasures and drop the signature in the advertising beacon.
Unfortunately, we did not receive a response. We tried it again on October the 31th 2016. They again did not respond, but we saw in the source code that they made some promising changes. Due to some other projects we did not look into the code until May 2017. At this point we found the two implementation vulnerabilities. We contacted the developer twice via email (5th and 16th of May 2017) again, but never received a response. Thus, we decided to wait for the WOOT notification to pass by and then fully disclose the findings. We thus have no other choice then to say that:

The whole Gridcoin cryptocurrency is seriously insecure against attacks and should not be trusted anymore; unless some developers are in place, which have a profound background in protocol and application security.

Further Reading

A more detailed description of the Gridcoin architecture, the old design issue and the fix will be presented at WOOT'17. Some days after the conference the paper will be available online.

Pages

झाल्या तिन्हीसांझा

Monday 31 August 2020

BeEF: Browser Exploitation Framework

Related articles

Sunday 30 August 2020

Rastrea2R - Collecting & Hunting For IOCs With Gusto And Style

Related word

Gridcoin - The Bad

What is Gridcoin?

The Issues

Stealing the BOINC block reward

The responsible disclosure process

More articles

Blog Archive

Followers

About Me

My Blog List

My Blog List

Total Pageviews

Popular Posts

Search This Blog

Pages

झाल्या तिन्हीसांझा

Monday 31 August 2020

BeEF: Browser Exploitation Framework

Related articles

Sunday 30 August 2020

Rastrea2R - Collecting & Hunting For IOCs With Gusto And Style

Related word

Gridcoin - The Bad

What is Gridcoin?

The Issues

Stealing the BOINC block reward

The responsible disclosure process

More articles

Blog Archive

Followers

About Me

My Blog List

My Blog List

Total Pageviews

Popular Posts

Search This Blog

Subscribe To