Code Execution from WinRAR

In this post we look at a serious set of security flaws in WinRAR, one of the most widely used file-compression applications on Windows, which were patched last month. The flaws can only be exploited by tricking a WinRAR user into extracting a malicious archive. They were identified by Check Point Research (research.checkpoint.com) and affect every WinRAR release of the past 19 years.

More About Evil Winrar

CVE-ID: CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, and CVE-2018-20253

Patched Version: WinRAR 5.70 Beta 1

The vulnerability lies in UNACEV2.DLL, a third-party library shipped with every version of WinRAR. WinRAR itself cannot create ACE archives, but it uses this DLL to unpack them, and the library had not been updated since 2006.

In WinRAR versions up to and including 5.61 there is a path traversal vulnerability in the handling of the filename field of the ACE format (in UNACEV2.dll). When that field is crafted with specific patterns, the destination (extraction) folder is ignored and the filename is treated as an absolute path, so the archive's contents are written wherever the attacker chose rather than where the user chose. The root cause is that the DLL's validation of the filename could be bypassed; WinRAR's fix in 5.70 Beta 1 was to drop UNACEV2.dll, and with it ACE support, altogether.
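The check that UNACEV2.DLL got wrong, written out as an added example (this is not WinRAR's, Check Point's or the Evil-WinRAR-Gen script's code): given the extraction directory the user chose and an entry name taken from an archive's filename field, decide whether the entry may be written there at all. It uses Python's ntpath so that Windows path rules apply on any host. The extraction directory, the entry names and the Startup-folder target are constructed for the example; the drive-prefixed name is shaped like the crafted filenames the Check Point write-up describes.

```python
import ntpath

# Extraction directory chosen by the user (constructed for this example).
DEST_DIR = r"C:\Users\alice\Downloads\evil"


def safe_extract_path(dest_dir, entry_name):
    """Return the path an archive entry may be written to, or None when the
    entry name would place it outside dest_dir.

    ntpath is used deliberately so Windows path rules (drive letters, UNC
    prefixes, backslashes) apply no matter where this check runs."""
    # Names come from the untrusted archive header: refuse empty or NUL-bearing ones.
    if not entry_name or "\x00" in entry_name:
        return None
    name = entry_name.replace("/", "\\")
    # A drive letter ("C:..."), a UNC prefix ("\\host\share") or a leading
    # backslash means the name is not relative to dest_dir and must not be honoured.
    drive, tail = ntpath.splitdrive(name)
    if drive or tail.startswith("\\"):
        return None
    # Reject '..' components before normalising; normpath would quietly fold
    # "a\..\..\b" into "..\b" and hide the traversal.
    if any(part == ".." for part in name.split("\\")):
        return None
    base = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(base, name))
    # Defence in depth: whatever survived the checks above must still
    # normalise to a location under base.
    if ntpath.commonpath([base, target]) != base:
        return None
    return target


def triage(dest_dir, entry_names):
    """Map each entry name to a verdict, as an extractor's pre-flight check."""
    return {name: ("ok" if safe_extract_path(dest_dir, name) else "BLOCKED")
            for name in entry_names}


# Constructed entry names: two honest ones, then the kinds of crafted names
# aimed at the user's Startup folder (and other places outside dest_dir).
SAMPLE_ENTRIES = [
    "readme.txt",
    "docs/notes.txt",
    r"C:\C:C:../AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winrar.exe",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winrar.exe",
    r"\\attacker\share\winrar.exe",
    r"\Windows\System32\winrar.exe",
]

if __name__ == "__main__":
    for name, verdict in triage(DEST_DIR, SAMPLE_ENTRIES).items():
        print(f"{verdict:8} {name}")
```

The order of the checks matters: the `..` test runs on the raw components before `normpath`, because normalising first would collapse the evidence, and the final `commonpath` test is there to catch anything the component checks did not anticipate.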

Start by downloading a Python script that generates a malicious archive. The archive it produces is actually in ACE format but is saved with a .rar extension, which WinRAR happily opens. Once you have downloaded the script, install the dependencies it requires.

Next, make the Python script inside the Evil-Winrar-Gen folder executable, generate a malicious executable with msfvenom and name it "winrar.exe" as shown, and start a multi/handler listener in Metasploit.

Now create a harmless text file that will be displayed to the victim on extraction, so that nothing looks out of place. Run the evilWinrar Python script with the malicious executable and the text file as inputs; it produces the malicious archive that you then send to the target.

As explained above, the vulnerability lets us write a file to an arbitrary path. The script uses this to drop the payload into the user's Startup folder, so it runs at the next logon. Deliver the archive to the victim by social engineering and wait for the victim to restart (more precisely, to log in again) to receive the reverse connection.

There is currently nothing in the target's Startup folder, as shown below. Once the victim extracts the malicious archive "evil.rar", our winrar.exe backdoor is written into the Startup folder instead of the folder the victim chose.

To confirm that winrar.exe landed in the Startup folder, type shell:startup in the Run prompt.

As soon as the victim restarts the machine and logs in, you get a reverse connection, as shown.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, and a Social Media and Gadgets lover. Contact here

Why should an organization hire an Information Security professional?

Every business organization seeks the safety and security of its internal information. It is essential to ensure that data is protected from malicious attackers, who breach networks by any unfair means available. Maintaining a sound information security policy and hiring the right set of qualified professionals is of prime importance to any organization that intends to prevent its internal servers and systems from being compromised. Such professionals ensure that software installations are up to date and build security layers that make it difficult for attackers to intrude into the network.

What is CISSP?

The full form of CISSP is Certified Information Systems Security Professional. This certification is conferred by the International Information Systems Security Certification Consortium, (ISC)², a global non-profit organization specializing in IT security. (ISC)² is regarded as one of the world's largest information security organizations and offers a variety of security certifications such as CISSP, CSSLP and CAP.

As an information security aspirant, there are multiple benefits of obtaining a CISSP certification that you simply cannot ignore. Let's discuss some of the top reasons to earn the certification and see how a CISSP is integral to any business organization and a key component in the selection process for managerial-level information security positions.

  • Global Recognition

Obtaining a CISSP certification is a good move for a flourishing IT career. CISSP provides industry-wide recognition and was named "Best Professional Certification Program" by SC Magazine. The certification is highly endorsed and recognized by well-known global companies such as Google and IBM. There is also said to be a projected requirement for about 56% more cyber experts in the current job market.

  • (ISC)² Membership

You become eligible for (ISC)² membership once you complete the CISSP certification. The membership offers a wide array of resources and advantages that help you improve your knowledge and your network; you only need to pay an annual maintenance fee to retain it. As a member you also stand a chance to earn discounts on industry seminars and conferences and get free access to certain online events, and your credentials are available online through digital badges. The benefits of membership are considerable and keep you connected with the latest findings and resources.

  • Job Competency

The core content of CISSP gives information security professionals a broad understanding of the security field and creates awareness of the latest security threats. The certification covers the controls and network architecture needed to maintain the integrity and confidentiality of public and private networks. The course content is designed to involve the application of security concepts and best practices for software development and for enterprise computing solutions in production and operational environments.

  • Increased Earning Potential

Getting a CISSP certification under your belt not only assures you of advanced knowledge and skill sets but also commands higher remuneration. In 2017 there were around 1 million job openings in cybersecurity, a figure likely to exceed 1.5 million by 2019. Organizations are continuously competing to hire the best security talent in the market and are ready to pay handsome salaries to prospective candidates. On average, a CISSP earns 25% more than non-certified counterparts.

  • High Demand for Security Experts

On a global scale, companies are investing more in hiring CISSP-certified experts. With the ever-increasing intensity of hacker activity across the world, organizations are struggling to keep at bay the security breaches that damage their internal security fabric. For this reason, employers recruit certified cybersecurity experts to prevent network intrusions by building stronger security layers, thereby protecting their internal servers and systems from malicious attacks.

Takeaway

Considering all the factors discussed in this article, we can safely say that obtaining a CISSP certification can propel your IT career a great deal. CISSP is thus a very well-performing certification, and once you are through it, it provides a rewarding, lucrative and satisfying career path in the long run.

Author Bio: I am Maria Thomas, Content Marketing Manager and Product Specialist at GreyCampus, with eight years' experience in professional certification courses such as PMI Project Management Professional, PMI-ACP, Prince2, ITIL (Information Technology Infrastructure Library), Big Data, Cloud and Six Sigma.

Why you should know about SSL certificates: CertDB.com Case

An SSL certificate is often thought of as just a small collection of data files that digitally binds a cryptographic key to a business's details. Everyone supposedly knows that without an SSL certificate the sensitive data exchanged with a website can be intercepted and used for blackmail, identity theft and so on. The certificate is equally important as a means of establishing trust in a website and attracting commercial customers. All of the benefits listed below can be obtained by using a service called CertDB, or by working each of them out manually. Thanks to the service's user-friendly interface, however, I think it is a worthwhile option for anyone just starting to wonder whether SSL certificates can change the way we see the things around us.

CertDB is an SSL certificate search engine that can be used for various purposes. First, it lets companies that specialise in security breaches find problematic certificates and so reduce the opportunities for attack. The service is also a useful tool during penetration tests: certificate analysis reveals the domains and subdomains of a target, some of which may turn out to be vulnerable. Such information can be used not only for security but also commercially; an SSL-selling company, for example, could boost its sales by warning those whose certificates show "holes". There is no need to think of CertDB as some advanced mechanism of no use to non-experts; on the contrary, the service is genuinely practical, even though its creators position it primarily for research.

Have you ever wondered how an ordinary internet user can work out the plans of an entire company? Despite organizations' enormous efforts to avoid leaks of private information, and the strict non-disclosure agreements meant to keep secrets for as long as desired, things leak quite easily. Using CertDB's search, one can find newly issued SSL certificates and from them gather information such as a company's domains, subdomains and IP addresses. This data can be interpreted in a variety of ways. For instance, a company may have just registered a domain indicating an upcoming initial coin offering (ico.xxx.com). That small piece of evidence may be crucial for competitive analysis and other business analytics. Sometimes the company in focus issues a certificate that also covers the domains of other companies, which may mean a collaboration or the purchase of one company by another. Such data can clearly benefit its owner, whether as insight that generates profit or as the trigger for an investigation (if there are hints of unfair business practices). The flip side is that the same data exposes your own attack surface, so it is worth watching which certificates are issued for your domains. I personally find this appealing: CertDB has the potential to shape entire industries with its search engine.
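The reconnaissance described in the paragraph above, as an added example that is not part of the original article and not CertDB's or SPYSE's code: take two snapshots of certificate records for an organisation, extract every hostname the certificates cover, report the hosts that appeared between the snapshots (the ico.xxx.com case) and flag certificates whose names span more than one registrable domain (the collaboration-or-acquisition case). The record layout and every hostname, organisation and date in it are constructed for the example; the registrable-domain rule is a deliberate simplification noted in the code.

```python
from collections import defaultdict

# Constructed sample records in the shape a certificate search engine returns
# (organisation, subject CN, SAN entries, issue date).  None of these are real
# certificates; the hostnames are invented for this example.
SNAPSHOT_OLD = [
    {"org": "Example Corp", "cn": "www.example.com",
     "san": ["DNS:www.example.com", "DNS:example.com"], "not_before": "2018-01-10"},
    {"org": "Example Corp", "cn": "mail.example.com",
     "san": ["DNS:mail.example.com"], "not_before": "2018-02-01"},
]
SNAPSHOT_NEW = SNAPSHOT_OLD + [
    # a freshly issued certificate announcing a project before any press release
    {"org": "Example Corp", "cn": "ico.example.com",
     "san": ["DNS:ico.example.com", "DNS:*.ico.example.com"], "not_before": "2018-05-02"},
    # one certificate covering two organisations' domains: partnership or acquisition?
    {"org": "Example Corp", "cn": "portal.other-co.net",
     "san": ["DNS:portal.other-co.net", "DNS:sso.example.com"], "not_before": "2018-05-03"},
]


def hostnames(cert):
    """All DNS names a certificate is valid for (CN plus SAN dNSName entries), lower-cased."""
    names = {cert["cn"].lower().rstrip(".")}
    for entry in cert["san"]:
        if entry.startswith("DNS:"):
            names.add(entry[4:].lower().rstrip("."))
    return names


def registrable(host):
    """Registrable domain, approximated as the last two labels.  A real tool
    should consult the Public Suffix List so that e.g. 'a.co.uk' is handled."""
    return ".".join(host.lstrip("*.").split(".")[-2:])


def inventory(certs):
    """registrable domain -> set of hostnames seen in the certificates."""
    inv = defaultdict(set)
    for cert in certs:
        for host in hostnames(cert):
            inv[registrable(host)].add(host)
    return inv


def new_hosts(old_certs, new_certs):
    """Hostnames present in the newer snapshot only, grouped by domain."""
    old, new = inventory(old_certs), inventory(new_certs)
    diff = {}
    for domain, hosts in new.items():
        added = hosts - old.get(domain, set())
        if added:
            diff[domain] = sorted(added)
    return diff


def cross_domain_certs(certs):
    """Certificates whose names span more than one registrable domain: a hint
    of collaboration, shared infrastructure, or an acquisition."""
    hits = []
    for cert in certs:
        domains = sorted({registrable(h) for h in hostnames(cert)})
        if len(domains) > 1:
            hits.append((cert["org"], cert["cn"], domains))
    return hits


if __name__ == "__main__":
    for domain, hosts in new_hosts(SNAPSHOT_OLD, SNAPSHOT_NEW).items():
        print(f"{domain}: new hosts {', '.join(hosts)}")
    for org, cn, domains in cross_domain_certs(SNAPSHOT_NEW):
        print(f"{org} certificate {cn} spans {', '.join(domains)}")
```

Run periodically against your own organisation's records, the same diff is an early warning that someone obtained a certificate for a name you do not recognise.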

CertDB is clearly an unparalleled project, and the people working behind it deserve a mention. The SSL certificate search engine is only possible thanks to the SPYSE team of highly skilled security specialists and IT experts, who constantly work on IT projects all across the globe. The innovation is continuous, which personally fascinates me: as I was writing this article, the SPYSE team released a subdomain search tool (findsubdomains.com) that looks promising after a first-hand look. I will try to review the new service fully in the near future, but one thing worth mentioning already is that it is free to use. It seems to me that the entire SPYSE team works with waves of enthusiasm, and the capabilities of the CertDB website show clear professionalism.

More should be said about the project's mission and why it came to exist through the effort of the SPYSE team mentioned above. The creators of CertDB believe that the internet is developing at an incredibly rapid pace, which only increases the data security and privacy issues that can arise in any web project. To that end, and with the purpose of bringing hidden information into the open, CertDB serves the ordinary users who want to know more about various companies and conglomerates. As an internet-wide SSL search engine, CertDB lets one browse both "outdated" data and newly published certificates. Frankly, this could change the way I look at the use of data, which is not something I say often.

Every time I want to stick my nose where it does not belong, I realise that CertDB is the best option to use. It is free of charge, has a very accurate database of SSL certificates and is easy to use even for those inexperienced with the web. I will personally continue to use CertDB and exploit all of its benefits, and I hope you have been able to reconsider your position on the importance of SSL certificates.

DOS Attack Penetration Testing (Part 1)

Hello friends! Today we are going to describe DoS/DDoS attacks: what a DoS attack is, how one can launch a DoS attack against a target network, what its effect is, and how the victim can detect a DoS attack against his network.

Requirement

Attacker machine: Kali Linux

Victim machine: Ubuntu

Optional: Wireshark (we use it in this tutorial so that we can clearly confirm all incoming and outgoing packets on the network)

What is DOS/DDOS Attack

From Wikipedia

A denial-of-service attack (DoS attack) is a cyber-attack where the attacker seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting the services of a host connected to the Internet. Denial of service is usually accomplished by flooding the targeted machine or resource with excessive requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. A DoS or DDoS attack is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations.

Basically, the attacker either sends an endless stream of request packets to the target himself, without waiting for the replies, or uses bots (compromised host machines) to send them. Let's study this with the image below: it shows three tiers, with the attacker's machine at the top, the host machines the attacker controls in the middle, and the target machine at the bottom.

In the image you can see that the attacker wants to send ICMP echo request packets to the target with the help of bots. This multiplies the number of senders and the number of request packets arriving at the target network, causing a traffic flood. The target network becomes overloaded, some services go down, and some or all legitimate requests can no longer be served.

DOS/DDOS Categories

  • Volume-based attack: the objective is to saturate the bandwidth of the target network with ICMP, UDP or TCP traffic; the attack's size is measured in bits per second.
  • Protocol-based attack: targets the resources of the server itself (or of intermediate equipment such as firewalls and load balancers) with packets such as a TCP SYN flood, Ping of Death or fragmented packets; measured in packets per second, its aim is to exhaust the target and make it unresponsive to legitimate requests.
  • Application-layer attack: rather than taking down the whole server, the attacker floods a running application with requests, measured in requests per second; for example, hammering Apache serving WordPress or Joomla with endless requests until it can no longer answer legitimate ones.

 

How to Perform a DOS Attack?

If you are familiar with the seven-layer OSI model, you know that whenever we send a request to a server for a particular service, for example browsing Google.com, the request passes through the seven layers of the OSI model before we finally see Google.com in the browser.

Now suppose port 80 is open on the target (192.168.1.107) for its HTTP service, so that you can open its website in your browser and read the information on its web pages. The attacker's plan is to slow down the HTTP service for the other users who want to talk to the target on port 80, so that the server can no longer answer legitimate requests. Because this exhausts the server's connection handling rather than raw bandwidth, it counts as a protocol-based DoS attack.

An attacker can use any tool for a DoS attack; we are using hping3 to generate a traffic flood against the target's network and slow down its HTTP service for other users.

The command above sends request packets to port 80 of the target as fast as hping3 can generate them, without waiting for replies (that is what its flood mode does).

What will the Effect of Dos Attack?

As described above, any kind of DoS attack affects the server's ability to serve its users and clients. Here, too, once we have sent an endless stream of request packets to port 80 of the target, the HTTP service should become unavailable to legitimate users.

So if you now browse to the target IP as a legitimate user, you can see that the browser is unable to connect to the server's HTTP service, as shown in the image below.

How to Predict DOS Attack in Our Network?

Configure an IDS in your network that monitors incoming traffic and raises alerts for suspicious traffic to the system administrators. We have installed Snort on the Ubuntu system (192.168.1.107) as a NIDS (Network Intrusion Detection System); please read our two previous articles on Snort installation (manually or from the apt repository) and on rule configuration to set it up as an IDS for your network.

TCP SYN Flood

Execute the command below in Ubuntu's terminal to open Snort's local rules file in a text editor.

sudo gedit /etc/snort/rules/local.rules

The rule above monitors incoming TCP SYN packets to 192.168.1.107 and raises an alert labelled "SYN Flood Dos" for them. Now turn on Snort's IDS mode by executing the command below in the terminal:

Now test the rule by sending endless SYN packets from the attacker's machine. Open a terminal, enter msfconsole to start the Metasploit framework, and run the SYN flood module (auxiliary/dos/tcp/synflood, an auxiliary module rather than an exploit) with the command shown below.

This module sends countless SYN packets to the target's network to exhaust its services.

We set SHOST (the spoofed source address) to the attacker's own IP only for this tutorial, so that the traffic is easy to follow; the option is optional and could be any random address on the network, which is exactly what makes source-based blocking unreliable against a real SYN flood. The module targets port 80 by default, and the flood is a protocol-based DoS attack as described above.

As mentioned above, we include Wireshark in this tutorial so that you can clearly see the packets sent from the attacker's network to the target. In the image below you can see endless SYN packets sent to port 80 on the target.

Back on the target machine you will see that Snort is capturing the same incoming traffic and generating alerts for "SYN Flood Dos". You can then block the attacker's IP (192.168.1.105) to discard all further packets from it. Bear in mind that a SYN flood's source address is trivially spoofed, as the SHOST option shows, so blocking by source is only a first response; SYN cookies and connection rate limiting on the server are the durable defence.

UDP Flood 

Now open the local rules file again, enter the rule below to generate alerts for a UDP flood DoS attack, and save the file.

The rule above monitors incoming UDP packets to 192.168.1.107 and raises an alert labelled "UDP Flood Dos" for them. Now turn on Snort's IDS mode by executing the command below in the terminal:

We are again using hping3 to generate a traffic flood against the target's network and slow down its services for other users; a UDP flood is a volume-based DoS attack as described above.

The command above sends UDP datagrams to port 80 of the target as fast as possible. Nothing listens on UDP port 80, so the target's kernel answers each datagram with an ICMP port-unreachable message, which is part of what makes UDP floods costly for the victim.

In the image below you can see that Wireshark has captured UDP packets from 192.168.1.105 to 192.168.1.107.

Back on the target machine you will see that Snort is capturing all incoming traffic and generating alerts for the UDP flood DoS attack. You can then block the attacker's IP to protect your network from further flooding.

SYN FIN Flood

Snort's stock rule set already flags packets that have both SYN and FIN set, a combination no legitimate TCP stack sends, so no custom rule is needed here. Turn on IDS mode using the command below.

Again we use hping3 to generate a traffic flood against the target's network and slow down its network services for other users.

The command above sends SYN+FIN packets to port 80 of the target as fast as possible.

In the image below you can see endless SYN-FIN packets sent from 192.168.1.105 to 192.168.1.107 on port 80.

Back on the target machine you will see that Snort is capturing the incoming traffic in the same way and generating alerts for "SYN-FIN Flood Dos". You can then block the attacker's IP (192.168.1.105) to discard all further packets from it.

PUSH ACK Flood

Now open the local rules file again, enter the rule below to generate alerts for a particular flag combination, PSH-ACK packets, and save the file.

The rule above monitors incoming TCP packets with the PSH and ACK flags set, destined for 192.168.1.107, and raises an alert labelled "PUSH-ACK Flood Dos" for them. Since PSH/ACK packets are perfectly normal inside an established connection, such a rule needs a rate threshold in practice or it will alert on legitimate traffic. Now turn on Snort's IDS mode by executing the command below in the terminal:

Again we use hping3 to generate a traffic flood against the target's network and slow down its network services for other users.

The command above sends PSH+ACK packets to port 80 of the target as fast as possible.

In the image below you can see endless PSH-ACK packets sent from 192.168.1.105 to 192.168.1.107 on port 80.

Back on the target machine you will see that Snort is capturing the incoming traffic in the same way and generating alerts for "PUSH-ACK Flood Dos". You can then block the attacker's IP (192.168.1.105) to discard all further packets from it.

Reset Flood

Now open the local rules file again, enter the rule below to generate alerts for packets with the Reset flag, and save the file.

The rule above monitors incoming TCP RST packets to 192.168.1.107 and raises an alert labelled "Reset Dos" for them. Now turn on Snort's IDS mode by executing the command below in the terminal:

Again we use hping3 to generate a traffic flood against the target's network and slow down its network services for other users.

The command above sends RST packets to port 80 of the target as fast as possible.

In the image below you can see endless RST (Reset) packets sent from 192.168.1.105 to 192.168.1.107 on port 80.

Back on the target machine you will see that Snort is capturing the incoming traffic in the same way and generating alerts for "Reset Dos". You can then block the attacker's IP (192.168.1.105) to discard all further packets from it.

FIN Flood

Now open the local rules file again, enter the rule below to generate alerts for packets with the FIN flag, and save the file.

The rule above monitors incoming TCP FIN packets to 192.168.1.107 and raises an alert labelled "FIN Dos" for them. Now turn on Snort's IDS mode by executing the command below in the terminal:

Again we use hping3 to generate a traffic flood against the target's network and slow down its network services for other users.

The command above sends FIN packets to port 80 of the target as fast as possible.

In the image below you can see endless FIN (Finish) packets sent from 192.168.1.105 to 192.168.1.107 on port 80.

Back on the target machine you will see that Snort is capturing the incoming traffic in the same way and generating alerts for "FIN Dos". You can then block the attacker's IP (192.168.1.105) to discard all further packets from it.

Smurf Attack

A smurf attack is a DDoS attack in which large numbers of ICMP echo request packets (ICMP type 8) are sent with a spoofed source IP, namely the address of the target, to the broadcast address of a network. Every host on that network that answers sends its ICMP echo reply to the spoofed source, i.e. to the target, so one request from the attacker becomes many replies at the victim. The target is flooded with traffic, which slows it down and makes it unusable for other users. Note that modern operating systems ignore echo requests sent to a broadcast address by default, and routers drop directed broadcasts, so the attack only works on networks where these protections have been relaxed.

Now open the local rules file again, enter the rule below to generate alerts for ICMP packets, and save the file.

The rule above monitors ICMP packets involving 192.168.1.103 and raises an alert labelled "Smurf Dos Attack" for them. Now turn on Snort's IDS mode by executing the command below in the terminal:

Again we use hping3, this time to generate an ICMP flood against the target's network and slow down its services for other users.

The command above generates ICMP echo request packets with a spoofed source IP of 192.168.1.103, which is our victim's address, and sends them to the network's broadcast address, 192.168.1.255. Every host that answers sends its echo reply to the spoofed source, that is, to our victim running Snort in IDS mode.

In the image below, Wireshark shows 192.168.1.103 apparently sending ICMP echo requests to 192.168.1.255, although as we know the attacker is the real culprit behind this scenario.

Back on the target machine you will see that Snort captures the traffic flowing from 192.168.1.103 to 192.168.1.255 and generates alerts for "Smurf Dos Attack": the victim's own address appears as the source of echo requests to the broadcast address that the victim never sent. The network administrator should therefore be alert to this kind of traffic and check system activity and the legitimate ICMP requests on his network.
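The detection logic of the flood sections above (SYN, UDP, SYN-FIN, PUSH-ACK, Reset, FIN and Smurf), written out as an added example that is not part of the original post and not Snort's own code: a small matcher that applies rules to constructed packet records, tracks matches per source over a sliding window, and raises the post's alert names once a burst crosses a threshold, so that the single SYN or PSH/ACK of a legitimate client stays quiet. The rule table, the count/seconds thresholds and the sample capture are assumptions made for the example; 192.168.1.107 (Snort host) and 192.168.1.105 (attacker) are the post's addresses, and the Smurf victim is taken to be the same Snort host for simplicity.

```python
from collections import defaultdict, deque

HOME = "192.168.1.107"          # the Snort host from the post
BROADCAST = "192.168.1.255"

# Rules in the spirit of the post's local.rules entries, rewritten here as data
# (constructed for this example, not the post's rule text).  'flags' is the
# exact TCP flag set that must be present, as Snort's flags: keyword behaves
# without a modifier; 'count'/'seconds' play the role of a detection_filter so
# that one SYN from a real client does not alert.
RULES = [
    {"msg": "SYN Flood Dos",      "proto": "tcp",  "dst": HOME, "flags": "S",  "count": 50, "seconds": 1.0},
    {"msg": "SYN-FIN Flood Dos",  "proto": "tcp",  "dst": HOME, "flags": "SF", "count": 1,  "seconds": 1.0},
    {"msg": "PUSH-ACK Flood Dos", "proto": "tcp",  "dst": HOME, "flags": "PA", "count": 50, "seconds": 1.0},
    {"msg": "Reset Dos",          "proto": "tcp",  "dst": HOME, "flags": "R",  "count": 50, "seconds": 1.0},
    {"msg": "FIN Dos",            "proto": "tcp",  "dst": HOME, "flags": "F",  "count": 50, "seconds": 1.0},
    {"msg": "UDP Flood Dos",      "proto": "udp",  "dst": HOME, "count": 50, "seconds": 1.0},
    # Smurf: an echo request aimed at the broadcast address.  The victim sees
    # these because hping3 spoofed the source to be the victim's own address.
    {"msg": "Smurf Dos Attack",   "proto": "icmp", "dst": BROADCAST, "icmp_type": 8, "count": 1, "seconds": 1.0},
]


def pkt(ts, src, dst, proto, flags="", icmp_type=None):
    """Minimal packet record: the fields a capture tool would hand us."""
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "flags": "".join(sorted(flags)), "icmp_type": icmp_type}


class FloodDetector:
    def __init__(self, rules):
        self.rules = rules
        # (rule msg, source ip) -> timestamps of matching packets in the window
        self.windows = defaultdict(deque)

    @staticmethod
    def _matches(rule, p):
        if p["proto"] != rule["proto"] or p["dst"] != rule["dst"]:
            return False
        if "flags" in rule and p["flags"] != "".join(sorted(rule["flags"])):
            return False
        if "icmp_type" in rule and p["icmp_type"] != rule["icmp_type"]:
            return False
        return True

    def feed(self, p):
        """Process one packet; return the (msg, src) alerts it triggered."""
        alerts = []
        for rule in self.rules:
            if not self._matches(rule, p):
                continue
            win = self.windows[(rule["msg"], p["src"])]
            win.append(p["ts"])
            # slide the window: forget matches older than 'seconds'
            while win and p["ts"] - win[0] > rule["seconds"]:
                win.popleft()
            if len(win) >= rule["count"]:
                alerts.append((rule["msg"], p["src"]))
                win.clear()   # re-arm: the next alert needs another full burst
        return alerts


def sample_capture():
    """Constructed traffic: one honest client, then the floods from the post."""
    atk, client = "192.168.1.105", "192.168.1.50"
    pkts = [pkt(0.00, client, HOME, "tcp", "S"),       # normal handshake
            pkt(0.01, client, HOME, "tcp", "A"),
            pkt(0.02, client, HOME, "tcp", "PA")]      # one small request
    pkts += [pkt(1.0 + i * 0.005, atk, HOME, "tcp", "S") for i in range(60)]   # SYN flood
    pkts += [pkt(2.0 + i * 0.005, atk, HOME, "udp") for i in range(60)]        # UDP flood
    pkts += [pkt(3.0, atk, HOME, "tcp", "SF")]                                 # SYN+FIN: never legitimate
    pkts += [pkt(4.0, HOME, BROADCAST, "icmp", icmp_type=8)]                   # smurf trigger, source spoofed as us
    return pkts


def run(pkts, rules=RULES):
    """Feed a capture through the detector and collect every alert in order."""
    det = FloodDetector(rules)
    alerts = []
    for p in pkts:
        alerts.extend(det.feed(p))
    return alerts


if __name__ == "__main__":
    for msg, src in run(sample_capture()):
        print(f"[**] {msg} from {src}")
```

A rule written as a bare flags match fires for every legitimate handshake or data segment, which is why the per-source thresholds matter; in a real Snort rule the detection_filter keyword (track by_src, count, seconds) does the same job. SYN+FIN and the spoofed broadcast echo request keep a threshold of one because a single such packet is already abnormal.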

Author: Rahul Virmani is a Certified Ethical Hacker and a researcher in the field of network penetration testing (cyber security). Contact Here