Wednesday, April 29, 2009

Antivirus bypass

Main source site: UPX Packer


Presentation of how to bypass win32/nix Antivirus


This article is a "how to" related to a situation I ran into during a technical audit by a third-party company.
Let's say that I am a nice pentest consultant with plenty of experience, but maybe my soul is not that of a hacker, or I am not specialised in all the matters I am auditing. Sure, that's most of the time the case.
As for frequency, I should admit that I am a bit late; that's why I'll pay my dues with several articles this month to fill the gap.


I- Tools or not tools


There are different possible approaches to that kind of problem. Sometimes there won't be a best solution; it will mainly depend on your capabilities.
Should I use tools or not? If I don't use dedicated tools, how can I work around the problem with my own skills?

Let's say that a good technical approach would be to analyze the target and thus assess the techniques the antivirus uses to detect malware/hackware/viruses/trojans, etc. (file hashes, byte-pattern signatures, heuristics, behaviour monitoring).

For that you can check the comparisons published regularly, which specify whether one antivirus or another is able to detect a given behaviour or a given piece of code. Comparison matrix sample.

Some tests go deeper and help you understand where an antivirus is efficient and where it's not.
In conclusion, you can decide to use a targeted workaround (scripts, a shell to hide your tools, 0day exploits...), but in most cases, especially for auditors, what matters is that you are able to choose a method that works broadly, against whatever product the target happens to run.

a- Compiler

Compiler: an easy, simple word for developers. But not everyone dealing with IT is a developer. Assuming you are not afraid of such an approach, if you can find the source code of the tools you want to make stealthy, just try to compile them on your own, with your own tools and compiler, perhaps adding a few comments while respecting the author's copyright. A fresh build with another compiler, other options and small source edits yields a different binary, so the hash and byte-pattern signatures written for the published build no longer match.

For example, I recently met a nasty antivirus that tried to prevent me from using the Pass-the-Hash toolkit. Bad boy!
I just downloaded the source code, installed Microsoft Visual Studio 9.0 free edition (Visual C++ 9.0 Express) and recompiled the tool on my own. Of course, to recompile the tool, I had to make some modifications such as replacing deprecated functions, converting some variables for Unicode compatibility, etc.

After that, I was able to use the tools like a charm with my antivirus running at the same time.


b- Packer

Hey guy, I am not a coder, you will say! OK, I understand, and in that case there is a simple method which lets a "clicker" achieve the same goal.
This approach is the packer one. What's a packer?
A packer will most of the time compress your executable while trying not to add execution time, and it unpacks the program back into memory when it runs. One famous packer is UPX, which compresses, and thus modifies, an exe while keeping it executable as is. Because the bytes on disk change, a signature written for the original build no longer matches. The caveat: the original code is restored in memory at run time, UPX output is easy to recognise (UPX0/UPX1 section names) and reversible with upx -d, so a scanner that unpacks before matching, or scans memory, is not fooled.

This way of getting around antivirus works only part of the time, depending on how the exe is packed or compiled. For example, it doesn't work for PsTools with most antiviruses.
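To see why packing changes the hash yet rarely hides a well-known tool, here is an added example (my code, not the author's and not part of UPX): a small PE section-table walker that reports whether an executable carries the UPX0/UPX1 section names UPX leaves behind, next to the on-disk hash. The sample inputs are constructed, header-only PE-shaped blobs built by build_fake_pe(), not real executables; the section-name marker is one of the simplest fingerprints, real scanners use several more.

```python
"""Spot UPX-packed Win32 executables from their section names and compare hashes.
Added example for this post; not the author's code and not part of UPX."""
import hashlib
import struct


def sha256_hex(data: bytes) -> str:
    """Hash of the file as stored on disk: what a plain hash blacklist matches on."""
    return hashlib.sha256(data).hexdigest()


def pe_section_names(data: bytes) -> list[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the (NUL-padded, 8-byte) section names as strings."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, nsections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + size_opt                              # section table start
    names = []
    for i in range(nsections):
        entry = data[table + 40 * i: table + 40 * i + 40]    # 40-byte section header
        if len(entry) < 40:
            raise ValueError("truncated section table")
        names.append(entry[:8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """UPX names the sections it writes UPX0/UPX1 (plus an optional .rsrc or UPX2).
    Scanners key on such markers, unpack statically and then apply their normal
    signatures to the original code, which is why packing alone rarely hides a tool."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def build_fake_pe(section_names: list[str], payload: bytes = b"") -> bytes:
    """Constructed, minimal PE-shaped blob (headers only, no real code) so the
    check can be exercised offline. It is not a runnable executable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0                                           # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)   # PE32 magic, rest zero
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff + optional + sections + payload


def compare(original: bytes, packed: bytes) -> dict:
    """Summarise what packing changed: the hash (so a hash signature misses)
    but also whether the packer left its own fingerprint behind."""
    return {
        "hash_changed": sha256_hex(original) != sha256_hex(packed),
        "original_upx": is_upx_packed(original),
        "packed_upx": is_upx_packed(packed),
    }


if __name__ == "__main__":
    import sys
    # Usage: python upxcheck.py tool.exe tool_packed.exe
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        verdict = "UPX-packed" if is_upx_packed(blob) else "no UPX marker"
        print(path, sha256_hex(blob)[:16], pe_section_names(blob), verdict)
```

Run it on a tool before and after "upx -9 tool.exe": the hash line differs, the section list switches to UPX0/UPX1, and "upx -d" brings the original bytes back, which is exactly what an engine with an unpacker does before matching.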


II- Conclusion


Even if you build your own version of a program, for the VB trojan/virus GUI generators it won't work once their output is known to the antivirus vendors.
For other programs, you will have to customize your tools as much as possible to make them stealthy.

An example of what happens if you only use common tools: my nice auditor, who had managed to launch an exploit against one of our servers and had gained command access, was stuck with his tools since they were all detected by the server antivirus, whereas a nice script with modified tools would have sufficed.

Thursday, February 19, 2009

Pstools alternative - Sysadmins toolkit

Main source site: Nir Sofer Utilities Web Site


Presentation of a useful Freeware site


This article won't be technical; it will only describe some of the most useful tools maintained by Nir Sofer on his NirSoft website. If you know and appreciate the Sysinternals tools, now part of Microsoft's product line, you will love the ones from NirSoft.


I- Tools selection


Some tools are even more convenient for certain tasks. Here is a list of some of these applications with their descriptions taken from the original site. For more details, follow the links:

a- CurrPorts
CurrPorts displays the list of all currently open TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time the process was created, and the user that created it. In addition, CurrPorts allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP port information to an HTML file, XML file, or tab-delimited text file. CurrPorts also automatically marks in pink suspicious TCP/UDP ports owned by unidentified applications (applications without version information and icons).

b- CurrProcess
The CurrProcess utility displays the list of all processes currently running on your system. For each process, you can view the list of all modules (DLL files) that the process loads into memory. For all processes and modules, additional useful information is also displayed: product name, version, company name, description of the file, the size of the file, and more. In addition, CurrProcess allows you to do the following actions: kill a process, dump the memory of a process into a text file, create an HTML report containing information about a process with the list of all modules it loads into memory, save the list of all running processes into a text or HTML file, and more.

d- NetworkPassword Sniffer

e- IE PassView
IE PassView is a small utility that reveals the passwords stored by the Internet Explorer browser. It supports the new Internet Explorer 7.0/8.0, as well as older versions of Internet Explorer, v4.0 - v6.0.

f- PstPassword
PstPassword is a small utility that recovers the lost password of an Outlook .PST (Personal Folders) file.

g- LSASecretsDump
http://www.nirsoft.net/utils/lsa_secrets_dump.html
LSASecretsDump is a small console application that extracts the LSA secrets from the Registry, decrypts them, and dumps them into the console window. The LSA secrets key is located under HKEY_LOCAL_MACHINE\Security\Policy\Secrets and may contain your RAS/VPN passwords, Autologon password, and other system passwords/keys. This utility is the console version of LSASecretsView.
Note that reading that key requires administrative rights on the machine, so run it from an elevated account.


II- Conclusion


This is only a summary of the tools available on this site; just go there and check what is available. There is, for example, a cmd tool, an "at" command rewrite, and all sorts of tools to dump memory and analyze caches, processes, calls, DLLs, passwords, etc.
Enjoy exploring this site. Cheers.


Wednesday, January 7, 2009

Oracle Instant Client 10 / VBS Oracle access

Main source files: Instant client repository
Version detailed 10.2.0.4


PART I - Instant Oracle client 10.2.0.4 for Win32
ODBC installation guide


I decided to write a detailed installation guide for this version, which will help you save some time and use Instant Oracle easily. It avoids installing the full Oracle client on every computer or server, which is not totally seamless.

I- Download the proper files

First create a directory C:\Instant_oracle on the C:\ drive and put all the files in it. Take mfc71.dll (a Microsoft runtime DLL the Oracle ODBC driver depends on) from a Microsoft redistributable or the Oracle download, not from a random DLL download site. You should normally have the following files:
  • instantclient-basic-win32-10.2.0.4.zip
  • instantclient-odbc-win32-10.2.0.4.zip
  • mfc71.dll
  • Reg_tns.reg
  • tnsnames.ora
II- Installation steps
  • Unzip all the files into the same directory*
*It can work with the basic-lite version of the archive, but you first need to follow this procedure carefully with the files mentioned above, keeping only the lite archive content at the end.
  • Apply the Reg_tns.reg file by double-clicking on it and accepting to load it into the registry. (Open it in Notepad first and review what it writes before merging it.)
  • Update the Path environment variable with "C:\Instant_oracle".
Go to System Properties > Advanced > Environment Variables > System Variables > Path
and add ";C:\Instant_oracle" at the end of this variable, without the quotes.
  • Launch a command window with Start > Run > cmd and go to the C:\Instant_oracle folder.
  • Execute odbc_install.exe. If everything works properly, you should get a success message.

PART II - ODBC System DSN creation and
VBS Oracle sample code


III- Creation of the ODBC link to an Oracle database

  • Go first to :
Start > Control Panel > Administrative Tools > Data Sources (ODBC)
  • Go to the System DSN tab and click Add...

  • Select the "Oracle in instantclient10_2" driver; a configuration window then appears.
  • In this configuration window, you mainly have to fill in:
*the Data Source Name, a Description, the TNS Service Name and a User ID.
*Note: the TNS service name must match an alias defined in the TNSNAMES.ORA file. Don't expect the drop-down list to offer all the TNS service names: type it manually and ignore the junk in the choices.
  • You can simply reproduce what is shown below:

  • At the end of the configuration, use the Test Connection option. If everything works well, you should get a successful connection message.
Everything is now ready for the software part and for using your database.
To illustrate this connection, I have added a simple VBS sample showing how to use this configuration.

IV- Sample VBS usage of this ODBC link


  • Here is a sample VBS script: just copy it to a text file, save it as test.vbs, then double-click on it.

Source Code

'*******************************************
'Script illustrating a simple Oracle query
' DdTf: 12/08
'*******************************************
Option Explicit
Dim connection, connectionString, myCommand, commandString, rst
Dim myDSN, myUID, myPWD

'Command type - 1 (adCmdText) is for a standard SQL text query
Const cnstCommand = 1

'*******************************************
'Modification section
'*******************************************
'Data Source Name (the System DSN created above)
myDSN = "orat2"
'User ID and Password
'Note: the password sits in clear text in this file; restrict who can read
'the script (NTFS permissions) and use a low-privilege, read-only account.
myUID = "TEST"
myPWD = "TEST"
'*******************************************

'Connection to the database through the ODBC DSN
connectionString = "Data Source=" & myDSN & ";UID=" & myUID & ";PWD=" & myPWD & ";"
Set connection = CreateObject("ADODB.Connection")
Set myCommand = CreateObject("ADODB.Command")
connection.Open connectionString

'Query part. No trailing semicolon: the Oracle driver rejects it (ORA-00911)
commandString = "select sysdate from dual"
myCommand.CommandText = commandString
myCommand.CommandType = cnstCommand
myCommand.ActiveConnection = connection
Set rst = myCommand.Execute

'Result display (one message box per row when started with wscript)
While Not rst.EOF
    WScript.Echo rst("sysdate")
    rst.MoveNext
Wend

'Clean-up: release the recordset and the connection
rst.Close
connection.Close
Set rst = Nothing
Set myCommand = Nothing
Set connection = Nothing

WScript.Quit


  • If everything works, you should get the date in a message box (WScript.Echo shows a message box when the script is started from Explorer; run it with "cscript test.vbs" to print to the console instead).
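The same query from Python, as an added example that is not part of the original post and not Oracle's code. It covers the two places where this setup usually goes wrong or gets sloppy: tns_aliases() lists the aliases actually defined in a tnsnames.ora (what the TNS Service Name field must be set to, since the drop-down is unreliable), and build_connection_string() brace-quotes ODBC values so a password or user name containing ';' is neither broken nor able to smuggle extra attributes into the string, which plain concatenation as in the VBS allows. Assumptions: the pyodbc module is installed, the DSN keyword is used instead of "Data Source" (both reach the same ODBC DSN), the tnsnames.ora text is a constructed sample, and the password comes from the ORA_PWD environment variable or a prompt rather than the script.

```python
"""SYSDATE through the Instant Client ODBC DSN from Python, with a tnsnames.ora
alias check and safely quoted connection-string values.
Added example; not code from the original post or from Oracle. Assumes pyodbc."""
import getpass
import os


def tns_aliases(text: str) -> list[str]:
    """Return the aliases defined at nesting depth 0 of a tnsnames.ora file,
    upper-cased (the driver treats them case-insensitively)."""
    aliases, depth, buf = [], 0, []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # '#' starts a comment
        for ch in line:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif depth == 0:
                if ch == "=":                 # 'ALIAS =' outside any parenthesis
                    name = "".join(buf).strip()
                    if name:
                        aliases.append(name.upper())
                    buf = []
                elif not ch.isspace():
                    buf.append(ch)
    return aliases


def odbc_value(value: str) -> str:
    """Quote one ODBC connection-string value. The ODBC convention is to wrap a
    value containing ';' (or leading/trailing blanks) in braces; otherwise a
    password like 'a;UID=SYS' would be parsed as additional attributes. A value
    containing '}' cannot be expressed unambiguously, so it is rejected."""
    if "}" in value:
        raise ValueError("ODBC connection-string value cannot contain '}'")
    if ";" in value or value != value.strip():
        return "{" + value + "}"
    return value


def build_connection_string(dsn: str, uid: str, pwd: str) -> str:
    """Equivalent of the VBS concatenation, with every value quoted."""
    return f"DSN={odbc_value(dsn)};UID={odbc_value(uid)};PWD={odbc_value(pwd)};"


def query_sysdate(connection_string: str):
    """Run the post's query and return SYSDATE. Needs pyodbc and the Instant
    Client ODBC driver, so this part is only run against a real database."""
    import pyodbc  # imported here so the rest of the module works without it
    conn = pyodbc.connect(connection_string)
    try:
        return conn.execute("select sysdate from dual").fetchone()[0]  # no trailing ';'
    finally:
        conn.close()


# Constructed sample tnsnames.ora (not the file shipped with the post)
SAMPLE_TNSNAMES = """# constructed sample
ORAT2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orat2))
  )
ORAT3.WORLD = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db02)(PORT = 1521))(CONNECT_DATA = (SID = orat3)))
"""


if __name__ == "__main__":
    print("TNS aliases you can type into the DSN dialog:", tns_aliases(SAMPLE_TNSNAMES))
    password = os.environ.get("ORA_PWD") or getpass.getpass("Oracle password: ")
    print(query_sysdate(build_connection_string("orat2", "TEST", password)))
```

Point the alias check at the real file (for this setup, C:\Instant_oracle\tnsnames.ora) before creating the DSN; if the name you intend to type is not in the list, the Test Connection button will fail with a TNS resolution error whatever the rest of the configuration looks like.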


Well done !