Posted on

Malware analysis with PEframe

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about malware analysis and difference between static analysis and dynamic analysis of malware. In this article, you will learn about peframe, a malware analysis tool.

PEframe is an open source tool to perform static analysis on portable executable malware and malicious MS Office documents. Let’s see how to perform analysis of portable executable files using this tool. For this, we will be using Kali Linux.

In static analysis, the malware sample is analyzed without executing it whereas in dynamic analysis the sample is executed in a controlled environment. Static analysis is performed on the source code of the sample portable executable. PEframe reveals information about suspicious files like packers, xor, digital signature, mutex, anti debug, anti virtual machine, suspicious sections and functions and much more. PEframe can be installed in Kali Linux as shown below.

Open a terminal and type the command as shown below to clone PEFrame from Github.

After PEFrame is cloned successfully, a new directory is formed with name peframe. You are automatically taken into this directory. This tool requires simplejson (a subset of JavaScript). So install it using pip command. Next, we need to run the setup.py file from the directory. Since it is a python file, we need to run the command “python3 setup.py” install to install PEframe.

Once the installation is finished, type command “peframe -h” to see its simple usage

Before we analyze the portable executables, let us analyze some files we created for tutorials of our magazine. The first one is msf.pdf we created using Metasploit.

As you can see in the above image, we found not only an IP address but also an url hosting some executable file. It can be assumed that as we open this pdf file, another executable will be downloaded from the IP address and executed in our system. Let us now analyze a hta file created with Metasploit next. This file is analyzed as a HTML document with IP address and it has a library called kernel32.dll. This file probably opens a payload when clicked upon. Given below is another similar file in visual basic format.

Given below is a macro file. You can see all these files have an IP address where probably a listener is running.

Now let us analyze a portable executable file. Kali Linux has some exe files already stored in its windows-binaries folder. We will analyze the plink.exe file.

Plink.exe is a command line utility file similar to UNIX ssh. It is mostly used for automated operations. As you can see in the image given above, the program is giving more detailed information to us than the other files. The plink.exe has four sections and none of them appears to be suspicious. But the file has a packer, mutex and antidbg. The packer it used is Microsoft Visual C++ which is normally used for genuine programs.

Given above is its Antidbg and Mutex information. The dynamic link libraries it imports is also given. Given below are the apis (application programming interfaces) used by the file.

The filenames found in the portable executable are given in the image below. As you can see it has a big list of filenames.

Metadata is data about the data. Metadata reveals a lot of information about a file. Given below is the metadata of our portable executable. We can see that it is a part of Putty Suite.

Even the description of the file is given. Normally malware does not contain so much information about itself like this Plink file. Only genuine files contain so much information because they have no use to hide themselves. Now let us analyze another file. This file is also present in Kali Linux and it is a keylogger. It is klogger.exe present in the same windows-binaries folder.

As you can see in the above image, the file which has five sections has two suspicious sections and the packer it uses is ASPack v2.11. Let us have a look at its suspicious sections once.

Given below in the image are its api alerts and filenames. As you have observed, this file reveals very less information than the previous analyzed file. This in itself does not mean that the file is malicious but it gives a general idea about it. That’s all about Forensics using static analyzer PEFrame. We will be back with a new tool in our next howto.

Next, learn about Ollydbg, a debugger.

Posted on

Beginners guide to Hercules Framework

Hello, aspiring ethical hackers. In our previous blogpost, you learnt what are payload generators. In this blogpost, you will learn about a payload generator that enables you bypass Antivirus on the target system. This is Hercules framework. HERCULES is a customizable payload generator that can bypass antivirus software. Let’s see how it works.

Let’s start by cloning Hercules framework from github as shown below.

After cloning, a new directory with name HERCULES will be created. Move into that directory and do a “ls”. We should see a file named “Setup”. First change the permissions of this file using chmod as shown below. Once we get execute permissions on the Setup file, execute the file using command “./Setup“.

The setup automatically installs Hercules as shown below and

successfully ends as shown below. You have successfully installed Hercules framework in Kali Linux.

Type command “HERCULES” to start the framework. It’s interface looks like below. In this part, let’s generate a payload. Enter option “1”.

Image explaining about the usage of Hercules Framework for Windows exploitation

Select what type of payload you want to create. There are four payloads as shown below. I am choosing the first one. You can choose appropriately.

After we select the type of payload we want to create, we need to enter some options. Let us see the options it provides. LHOST and LPORT are self explanatory.  Choosing Persistence function adds our running binary to Windows startup registry so that we can have persistent access to the target.  Since we have already know how to create a persistent backdoor we will not enable it here.

Migration function triggers a loop that tries to migrate to a remote process. UPX ( Ultimate Packer for executables ) is an open source executable packer. To those newbies who have no idea what packers are, they are used to compress the executables. Software vendors also use them to obfuscate the code. We will see more about packers in our future howtos.

Concerning this howto, remember that enabling migration, persistence and UPX functions may increase the chances of your payload being detected by Antivirus.

Here I have only enabled the UPX function so the packing process begins as shown below.

Once the packing process is over, your final binary file is stored with the name you have given to it. I named it as “res”.

Next start the listener on Metasploit as shown below and send the  binary file to our target. Once he clicks on our executable file, we will get the meterpreter session as shown below.

That’s how we use Hercules for generating Fully UnDetectable (FUD) payloads. Learn how to create FUD payloads using Veil Framework.

Posted on 3 Comments

Beginners guide to Arcanus Framework

Hello aspiring ethical hackers. In our previous blogpost, you learnt what is a payload and about what is a payload generator. In this blogpost, you will learn about one of the payload generators, Arcanus Framework. Arcanus is a customized payload generator that can generate payloads which are undetectable by almost all of the antiviruses (till date ). This could be very useful in penetration testing.

Let’s see how to use Arcanus Framework. To install this tool on Kali Linux, we need to install golang. Install Golang and then clone the Arcanus repository from Github as shown below.

Navigate to the ARCANUS directory created and view its contents. We should see a file ARCANUS_x86. Let’s first generate a Windows payload. We will generate a x_86 payload. First change its permissions as shown below.

Next run this file. You should see an ARCANUS logo as shown below.

You will see five options as shown below. Since we are generating a Windows payload, we will choose option 2.

Image explaining Windows hacking with Arcanus framework

It will prompt you to set the attacker system’s IP address ( in our case the address of Kali Linux ) and a port on which you want to start a listener for the reverse shell. Enter the values and hit “Enter”.

It will generate the payload and automatically start a listener as shown below.

The payload will be generated with the name “payload.exe” as shown below in the ARCANUS directory.

Next we need to send this payload to the victim using Social engineering. When the target user clicks on the payload we sent, we will get a shell on the target system as shown below. 

That’ s all in Windows hacking with Arcanus. Now let’s see how to generate a payload for Linux target. Select the option 3 since we are generating a Linux payload.

The rest of the steps are same as generating a Windows payload. Enter your IP address (Kali Linux in this case) and the listening port as shown below.

It will generate the payload in the same directory start to automatically listen for a reverse shell as shown below.

Send the generated payload to our victim. When he executes it, we should get a shell on his system as shown below.

Posted on

WAPT with HPWebinspect : Part 2

Good evening friends. Today we will see the second part of WAPT with HPWebinspect. If you didn’t go through the first part, we ended it by scanning a website for vulnerabilities. The results have given us vulnerabilities categorized as critical, high, medium and low. That was the easiest part. Now we will go through analysis of these vulnerabilities.

Wait, but why do we need this analysis? Just because we have used an automated tool doesn’t mean it is cent percent effective. There may be lot of false positives and in the worst case false negatives. The threat it shows as critical may not be really that dangerous or a threat it shows as medium may be critical depending on the situation.

The analysis part is very important part of the WAPT. Let us see how to perform this analysis . We will take our previous scan report.

Before we do the analysis, let us have a look at the interface of HPWebinspect.  To the down left, we have view options of the scan ( site and sequence ). The “site view” shows us the hierarchical structure of website we just scanned with vulnerabilities found highlighted as shown below to the left. We can see that in account part of the website there is a critical vulnerability.

Image explaining about hpwebinspect

The sequence view shows us the order in which WebInspect scanned the URLs. It is shown below.

Occupying large area of the interface is the Scan dashboard with a pictorial representation of vulnerabilities. It also has vulnerabilities classified into its attack types ( how exactly these vulnerabilities will be used ).To its left, we have sections called scan info, session info and host info. The scan info has four options : dashboard, traffic monitor, attachments and false positives. We have already seen dashboard and others are self explanatory.

Below scan info we have have session info. It is empty because we didn’t include any sessions in our scan.

Below session info, we have the host info which is obviously information about the host we scanned. It will provide us info like P3P info ( protocol allowing websites to declare their intended use of information they collect about users) , AJAX, certificates etc, etc, etc. Let us look at the cookies collected by the scan.

It also shows us the emails we found during scan.

Also the forms.

Now we come to the most important part of the interface which is right down below. These are the vulnerabilities found during the scan. As already said, these are classified according to the dangers posed by them but there may be false positives. We need to analyze each vulnerability for this exact reason.

In this howto, we will cover analysis of one or two vulnerabilities. Expand the “critical” section of vulnerabilities. We can see that there is a XSS vulnerability in the search page. We will analyze this vulnerability.

Click on the vulnerability. The dashboard of HPWebinspect will show information about the particular vulnerability ( in our case XSS ) and how hackers might exploit this.

Scroll down the dashboard to get more info about the vulnerability. We can see the exact query used by the tool to get the result. In this case, our target is using tag removal to prevent XSS but we can bypass using the query given below. ( We will learn more about XSS and its evasion filters in a separate howto)

Now right click on the vulnerability we are analyzing. In the menu that opens, click on “View in Browser” to see this exploit practically in the browser.

We can see the browser result below. In this case, it is displaying a messagebox with a number but hackers can use it to display cookies and session ids. Hence this is definitely a critical vulnerability.

Right click on the vulnerability and select the option “Review vulnerability”. This is helpful in knowing more precisely about the vulnerability.

Another window will open as shown below. It will automatically show you the browser view.

We can click on “Request tab”to see the request sent by our tool.

Similarly the response tab shows us the response given by the target.

We already saw this before in the dashboard. The “vulnerability tab” give us information about the vulnerability and how hackers might exploit it. There are also options like “Retest” and “Mark as”. The Retest option allows us to test the vulnerability again. We shall see the “mark as” option below.

Close the window. Once again right click on the vulnerability. You can see the option “change severity”.

For instance, the vulnerability detected is not that critical, we can change its severity suitably to high or medium or low.

Now what if the vulnerability detected  is not an actual vulnerability. This is known as false positive. For example, we have this send feedback page of the target website. Let us assume it is just a false positive. In that scenario, just below the “review vulnerability” option we have “Mark as” option.

We can also access this option from the “review vulnerability” window as already shown above.

When we click on that option, we get two sub-options to mark it either as false positive as shown below

or to completely ignore the vulnerability. We can only ignore the vulnerability if it doesn’t pose any valid threat. We can also provide some description about why we are marking it as false positive or ignoring.

When we have successfully finished reviewing each vulnerability, it’s time to write the penetration testing report. To automatically generate a report, click on “Reports” tab. Select the scan for which you want to generate the report and click on “Next”.

Select whatever you want to include in your report as shown below and click on Finish.

The report generation takes some time depending on the options you selected. The report generated would be in the format as shown below. That’s all for now and in our next howto, we will see more about the tool.

That’s how we do WAPT with HPwebinspect. Want to learn Ethical Hacking with Real World Scenarios.? Subscribe to our digital magazine.

Posted on 1 Comment

Hp WebInspect: Beginners guide

Hello, aspiring ethical hackers. In our previous blogpost on web application hacking, you learnt about various vulnerabilities a web app or website may contain. It would be good if these vulnerabilities are detected and patched before they are exploited by hackers in real-world. The vulnerabilities can be detected either manually or by using automated scanners. HP WebInspect is one such automated tool.

Hp WebInspect is an automated web application security scanning tool from HP. It helps the security professionals to assess the potential vulnerabilities in the web application. It is basically an automated dynamic application security testing (DAST) tool that mimics real-world hacking techniques and attacks, and provides comprehensive dynamic analysis of complex web applications and services. It can be downloaded from here.

Let’s see how to perform website vulnerability assessment with HP WebInspect. Open the program and click on basic scan. We will see other scan options in the following parts of this tutorial. As its name implies, this option performs a basic security scan on a website.

As we select the basic scan option, the “scan wizard” opens as shown below. As I am using a trial version of HPWebinspect I am only allowed to scan the website deliberately provided by HP for this purpose. This website simulates a bank ( named zero bank ) and this will be our target from now on.

I allot the given name. Below the scan name option, we have features with radio buttons. Let’s see these options.

crawl:- This process makes a list of all the pages  on the entire website and builds its structure.

auditing:- Auditing is the process in which HPwebinspect will attack the website to find out the vulnerabilities.

I have selected the “crawling and auditing” option. HP Webinspect provides four types of scans.

Standard scan:- Normal scan.
List Driven scan:- You can specify the list of urls for the tool to scan. It will only scan those urls.
Workflow Driven scan:- Similar to list driven scan. You can scan a port of your website by specifying a macro.
Manual scan:- You can specify each link you want to scan. step by step.

Next specify the website you want to scan and click on “Next”.

wapt

In the next window, you will be prompted for authentication. If your website or network requires authentication, provide them . Choose if you want network proxy or not and click on “Next“.

The profiler automatically samples the website and recommends best configuration for the scan. You can select the option. We will see more about profiler later. There are some other settings. Leave them to their default settings and click on “Next”.

You will get a congrats message telling about the successful configuration of scan settings. It’s time to start the scan. Click on “scan”.

The scan will start as shown below. It will take some time dependent on the size of the website you are scanning.

After the scan is finished, it will show the results as shown below. This tool classifies vulnerabilities into critical, high, medium, low and info. That was about basic scanning of website with HPWebinspect.

That’s all in WAPT with HP WebInspect. Now, we will see analyzing these vulnerabilities. Wait, but why do we need this analysis? Just because we have used an automated tool doesn’t mean it is cent percent effective. There may be lot of false positives and in the worst case false negatives. The threat it shows as critical may not be really that dangerous or a threat it shows as medium may be critical depending on the situation. The analysis part is very important part of the WAPT. Let us see how to perform this analysis . We will take our previous scan report.

Before we do the analysis, let us have a look at the interface of HPWebinspect.  To the down left, we have view options of the scan ( site and sequence ). The “site view” shows us the hierarchical structure of website we just scanned with vulnerabilities found highlighted as shown below to the left. We can see that in account part of the website there is a critical vulnerability.

The sequence view shows us the order in which WebInspect scanned the URLs. It is shown below.

Occupying large area of the interface is the Scan dashboard with a pictorial representation of vulnerabilities. It also has vulnerabilities classified into its attack types ( how exactly these vulnerabilities will be used ).To its left, we have sections called scan info, session info and host info. The scan info has four options : dashboard, traffic monitor, attachments and false positives. We have already seen dashboard and others are self explanatory.

Below scan info we have have session info. It is empty because we didn’t include any sessions in our scan.

Below session info, we have the host info which is obviously information about the host we scanned. It will provide us info like P3P info ( protocol allowing websites to declare their intended use of information they collect about users) , AJAX, certificates etc, etc, etc. Let us look at the cookies collected by the scan.

It also shows us the emails we found during scan.

Also the forms.

Now we come to the most important part of the interface which is right down below. These are the vulnerabilities found during the scan. As already said, these are classified according to the dangers posed by them but there may be false positives. We need to analyze each vulnerability for this exact reason.

In this howto, we will cover analysis of one or two vulnerabilities. Expand the “critical” section of vulnerabilities. We can see that there is a XSS vulnerability in the search page. We will analyze this vulnerability.

Click on the vulnerability. The dashboard of HPWebinspect will show information about the particular vulnerability ( in our case XSS ) and how hackers might exploit this.

Scroll down the dashboard to get more info about the vulnerability. We can see the exact query used by the tool to get the result. In this case, our target is using tag removal to prevent XSS but we can bypass using the query given below. ( We will learn more about XSS and its evasion filters in a separate howto)

Now right click on the vulnerability we are analyzing. In the menu that opens, click on “View in Browser” to see this exploit practically in the browser.

We can see the browser result below. In this case, it is displaying a messagebox with a number but hackers can use it to display cookies and session ids. Hence this is definitely a critical vulnerability.

Right click on the vulnerability and select the option “Review vulnerability”. This is helpful in knowing more precisely about the vulnerability.

Another window will open as shown below. It will automatically show you the browser view.

We can click on “Request tab”to see the request sent by our tool.

Similarly the response tab shows us the response given by the target.

We already saw this before in the dashboard. The “vulnerability tab” give us information about the vulnerability and how hackers might exploit it. There are also options like “Retest” and “Mark as”. The Retest option allows us to test the vulnerability again. We shall see the “mark as” option below.

Close the window. Once again right click on the vulnerability. You can see the option “change severity”.

For instance, the vulnerability detected is not that critical, we can change its severity suitably to high or medium or low.

Now what if the vulnerability detected  is not an actual vulnerability. This is known as false positive. For example, we have this send feedback page of the target website. Let us assume it is just a false positive. In that scenario, just below the “review vulnerability” option we have “Mark as” option.

We can also access this option from the “review vulnerability” window as already shown above.

When we click on that option, we get two sub-options to mark it either as false positive as shown below

or to completely ignore the vulnerability. We can only ignore the vulnerability if it doesn’t pose any valid threat. We can also provide some description about why we are marking it as false positive or ignoring.

When we have successfully finished reviewing each vulnerability, it’s time to write the penetration testing report. To automatically generate a report, click on “Reports” tab. Select the scan for which you want to generate the report and click on “Next”.

Select whatever you want to include in your report as shown below and click on Finish.

The report generation takes some time depending on the options you selected. The report generated would be in the format as shown below. That’s all for now and in our next howto, we will see more about the tool.

That’s how we can find vulnerabilities in website with HP WebInspect.