@bsmartt13
Android Malware Clicker.G!Gen Found on Google Play
Getting started with AlienVault OTX 2.0
First, sign up for an account. Use your existing Twitter or Google account, or fill out the form. Your username will be displayed throughout the site, but your email address will remain private.
Fundamentals
Every new account gets subscribed to the AlienVault account. The AlienVault account is how we post Indicators of Compromise (IOCs) to all AlienVault USM and OSSIM appliances, as well as to whoever makes use of the API. If you’d prefer a fresh start*, you can unsubscribe from AlienVault. The easiest way to do this at the moment is to visit AlienVault’s profile page and click Unsubscribe.
*Because the AlienVault account is managed by the AV Labs threat intelligence team, we strongly encourage you to remain subscribed; in most cases AlienVault IOCs will be of the highest integrity. Only if you plan to use OTX solely to supply yourself with your own exclusive IOCs and nothing else should you unsubscribe from AlienVault.
We use the term ‘pulse’ to mean a single threat, which may contain many IOCs. Each pulse (or threat) on OTX contains its own IOCs, description, tags, comments, and so on.
Follow vs. Subscribe
You’ll notice there are two actions on user profile pages:
Subscribe to the users whom you trust the most. Pulses by users you subscribe to will be automatically included in your threat intelligence. For example, if AlienVault posts a pulse in the middle of the night, you’ll receive these indicators without having to take action on the website.
Follow users you’re interested in, but not yet ready to blindly accept IOCs from. You’ll be notified about new pulses by users you follow, and you’ll see these pulses in your activity feed (discussed below), but you’ll need to click the subscribe button on each of their pulses for them to be included in your threat intelligence.
Subscribe to a single pulse from the list view:
Or, to examine the IOCs in detail before subscribing, you can click the list item title, and use the subscribe button in the detailed pulse view:
We now know about two sources of threat intelligence: pulses we subscribe to directly, and pulses by users we subscribe to. With this knowledge, you’re ready to start consuming threat intelligence from OTX. The third and final source of threat intelligence on OTX is the pulses you create yourself!
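As an added example (not part of the original post and not OTX’s own tooling), here is how the subscribed-pulse feed described above, which merges pulses you subscribed to directly and pulses by users you subscribe to, could be flattened into a deduplicated indicator list in Python. The endpoint URL, the X-OTX-API-KEY header and the pulse JSON shape are assumptions based on the OTX DirectConnect API; the feed below is constructed.

```python
import json
import urllib.request
from collections import defaultdict

# Assumed OTX DirectConnect endpoint returning the pulses you are subscribed
# to, directly or through subscribed users; check the current OTX API docs.
OTX_SUBSCRIBED_URL = "https://otx.alienvault.com/api/v1/pulses/subscribed"

# Constructed sample in the feed shape this example assumes: a list of pulses,
# each with its author and its indicator records. Addresses are documentation
# ranges, not real IOCs.
SAMPLE_FEED = json.dumps({"results": [
    {"name": "Pulse A (AlienVault)", "author_name": "AlienVault",
     "indicators": [{"indicator": "203.0.113.10", "type": "IPv4"},
                    {"indicator": "bad-example.test", "type": "domain"}]},
    {"name": "Pulse B (followed user)", "author_name": "someuser",
     "indicators": [{"indicator": "203.0.113.10", "type": "IPv4"},
                    {"indicator": "login-example.test", "type": "hostname"}]},
]})


def fetch_subscribed(api_key: str) -> dict:
    """Pull the subscribed-pulse feed; the key goes in the X-OTX-API-KEY header."""
    req = urllib.request.Request(OTX_SUBSCRIBED_URL,
                                 headers={"X-OTX-API-KEY": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def indicators_by_type(feed: dict) -> dict:
    """Flatten pulses into {type: {indicator: set(pulse names)}}: an IOC seen
    in several pulses is kept once but stays traceable to each of them."""
    table = defaultdict(lambda: defaultdict(set))
    for pulse in feed.get("results", []):
        for ioc in pulse.get("indicators", []):
            table[ioc["type"]][ioc["indicator"]].add(pulse["name"])
    return {t: dict(v) for t, v in table.items()}


def blocklist(feed: dict, types=("IPv4", "domain", "hostname")) -> list:
    """Deduplicated, sorted network indicators ready for a blocklist feed."""
    table = indicators_by_type(feed)
    return sorted({i for t in types for i in table.get(t, {})})


if __name__ == "__main__":
    # Offline demo on the constructed feed; swap in fetch_subscribed(key) live.
    for ioc in blocklist(json.loads(SAMPLE_FEED)):
        print(ioc)
```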
SSLStrip tutorial (for fun and profit)
SSLStrip is a tool for executing Man-In-The-Middle attacks. It allows you to steal HTTPS/SSL traffic, including usernames and passwords. The only information you need to know about your victim in order to attack is their internal IP address, and the gateway address of the network you are on (which means you need to be on the same network as the victim to do this).
I will be using BackTrack Linux as the attacker and Windows XP as the victim. Both are virtual machines.
First, run ifconfig and take note of what network interface you are currently using.
Now let's make sure that IP forwarding is enabled (you need to be root).
echo 1 > /proc/sys/net/ipv4/ip_forward
and now verify that it worked.
cat /proc/sys/net/ipv4/ip_forward
should return 1.
Next, run arpspoof. As the name suggests, it is an ARP spoofing tool. Use "-i <network interface>", followed by "-t <target>" (your victim's internal IP), and finally specify the internet gateway. You will see ARP network traffic start to stream in the terminal window.
arpspoof -i eth2 -t 192.168.194.130 192.168.194.2
Now, in a new terminal window (don't close arpspoof!), issue an iptables command. iptables is the Linux IPv4 packet-filtering and NAT tool; this rule redirects incoming port-80 traffic to port 10000, the port SSLStrip listens on by default. I won't go into any more detail for now.
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
And finally, run SSLStrip. We will use "-w <output file>" to specify somewhere to dump the data we are redirecting.
python sslstrip.py -w output.dmp
Everything is now set up, and any HTTPS/SSL web browsing that the victim does will be dumped to the output file we specified when we started sslstrip.py. That's about all you need to know! Now go out there and get hacking!
Here's some sample output from SSLStrip; notice the username and password in plaintext at the end of the string. (SNAP!!!)
Now on the victim, I went to gmail.com before executing sslstrip. Once I started it, I signed in. Very few people would notice this, or be wary if they noticed it, but traffic will now appear to the victim as HTTP. SSLStrip will encrypt the packets before sending them to the gateway, as servers like Gmail and PayPal don't allow HTTP.
Here's a visual representation of before and during an attack.
Illustrated in the picture below is one sign that you are being MITM'd. While connecting to Gmail, your browser will show that you are using HTTP. It attempted HTTPS/SSL but was unable to make the connection, so insecure HTTP is forced. Only a conscious and educated victim will identify this as suspicious, and of those people only the bored will care to investigate it.
Another way to tell that you are being MITM'd is that the gateway's entry in your ARP table will change to match the hacker's machine. Here's a screenshot of the "arp -a" command being issued on the victim before and then during the attack.
One of the arts of SSLStrip attacks is the social engineering aspect. You must gather recon on a potential victim and try to discern when they might be using their computer and which networks they will be on.
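As an added example (not from the original post), here is a small Python check that compares the "arp -a" output mentioned above against a baseline and flags the two signs of ARP poisoning it shows: the gateway's hardware address changing, and two IP addresses sharing one MAC. The arp output, addresses and MACs below are constructed, and the regex covers both Windows and Linux output formats.

```python
import re

# Constructed "arp -a" output (Windows XP style) captured on the victim before
# the attack: the gateway 192.168.194.2 maps to its own hardware address.
ARP_BEFORE = """
Interface: 192.168.194.130 --- 0x2
  Internet Address      Physical Address      Type
  192.168.194.2         00-50-56-aa-bb-cc     dynamic
  192.168.194.131       00-0c-29-11-22-33     dynamic
"""

# Constructed output during the attack: the gateway entry now carries the same
# hardware address as 192.168.194.131, taken here as the attacking host.
ARP_DURING = """
Interface: 192.168.194.130 --- 0x2
  Internet Address      Physical Address      Type
  192.168.194.2         00-0c-29-11-22-33     dynamic
  192.168.194.131       00-0c-29-11-22-33     dynamic
"""

# An IPv4 address followed (somewhere on the line) by a MAC in either
# 00-11-22-33-44-55 or 00:11:22:33:44:55 form; matches Windows and Linux output.
ARP_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})")


def parse_arp(text: str) -> dict:
    """Map IP -> lowercase, colon-separated MAC from 'arp -a' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ENTRY.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def arp_findings(baseline: dict, current: dict, gateway_ip: str) -> list:
    """Return findings that point at ARP poisoning of this host."""
    findings = []
    before, now = baseline.get(gateway_ip), current.get(gateway_ip)
    if before and now and before != now:
        findings.append(f"gateway {gateway_ip} MAC changed {before} -> {now}")
    # Two IPs resolving to one MAC is the footprint arpspoof leaves behind.
    owners = {}
    for ip, mac in current.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by {', '.join(sorted(ips))}")
    return findings
```

Run it periodically against a baseline captured on a known-clean network; an empty findings list means the gateway entry is stable and no MAC is shared.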
Have fun!
Thanks for reading!
Sorry the images from this post have been lost to the sands of time. :(