#hacking tutorials

What is Static Malware Analysis?

Static malware analysis is when you attempt to learn about a malicious program without letting it run. This could be to gain some insight as to how it runs to be used in dynamic analysis later.

Handling Malware Safely:

When analysing malware, the most important thing (in my opinion at least) is to keep your network safe. If you detect malware on your network and manage to isolate it, the last thing you want is to re-release it.

I would recommend having a separate machine used just for malware analysis to avoid data theft on your main device. You could use a physical computer for this, but that could be expensive. A dedicated virtual machine is perfectly sufficient for this (If you don’t know how to set up a VM, you can read my guides on using VirtualBox and VMware).

When dealing with malware it is a good idea to isolate the machine. This stops the malware from spreading to other devices. This could be done by either disconnecting the machine from the network (via disabling the network adapter) or, if the machine requires some form of network access, putting it on a virtual LAN segment.

To conclude: Have a dedicated device (preferably a VM) and disable the network adapter to isolate the machine when you start handling the malware. Once you have safely set up your machine you can download a sample from my GitHub, which can be unzipped with the password “infected”.

Detecting a Malware:

We know that what we just downloaded is malicious, but let’s pretend we don’t. An antivirus program is a good indicator of if a file is malicious or not, but they have their limitations: namely that they can’t detect malware with 100% efficiently. To get a more accurate idea of if a file is malware or not we will need multiple antivirus programs. Enter VirusTotal. This website runs any file you upload to it through multiple different antivirus and reports if they find the software suspicious.

When I run the sample through VirusTotal, I get output like so:

Not every AV detected the sample, however over half of them did. This is enough to decide fairly conclusively that the file is malicious.

VirusTotal also has a feature where you can search with a hash of a file. You can use either MD5 (which can be found with the command ‘md5sum [filename]’) or SHA256 (‘sha256sum [filename]’)

After getting the hash of the file, you can search for it in VirusTotal. Since the hash and the file you uploaded mean the same thing, the results will be identical.

When you search on VirusTotal, the website automatically converts the search to a SHA256 hash. This is why you can upload a file or different types of hashes.

Static Analysis

VirusTotal also gives you more information than whether a file is malicious. In the ‘Behaviour’ tab you can see information on the malware such as what domains/IP addresses it tried to reach, as well as any files it modifies. As a Blue-Teamer you can block the domains that it talks to from being accessed on your network, and also look for files that it leaves behind to tell if the malware has run.

We can see that the trickbot sample downloads a file from soberlifeco[dot]com. We can also see that it makes a TCP request to an IP address (This corresponds to the domain found, but it may be useful to know both). Needless to say, you probably shouldn’t go to this domain unless you know what you are doing and can do so safely.

Up to recently we’ve been relying on another service for our analysis, but what if we want to do some ourselves? Maybe we’ve found a file which isn’t on VirusTotal, or maybe we want to verify the findings for ourselves. A simple tool I found for reverse engineering is the ‘strings’ command. This command searches through the file you pass to it and outputs what it thinks might be human-readable text. When we run ‘strings’ on trickbot.xls, we get output like this:

It is important to remember that what is readable for a human is not for a computer and vice versa, so most output from a ‘string’ command isn’t useful however if we look through, we can see the URL we found on VirusTotal:

It’s been broken up by another bit of text, but on one line you can see “http://” indicating the protocol to use, and then two lines later is the rest of the domain (“soberlifeco[dot]com”) and the path to the file that our sample downloads.

Conclusion:

By no means is this an exhaustive wealth of knowledge on static malware analysis, but I hope it will be a useful introduction. Recently I’ve been doing some Capture the Flag competitions and I’ve found that this has been enough to get me started on the subject.

When discussing privacy online a common suggestion is to use a VPN or a proxy with the assertion that it will protect your privacy, but if you are like me you may not know how either works or even that there is a difference between the two. In this post I will teach you what they are, and how they are different to each other.

What is a Proxy?

You can think of a proxy as a ‘go-between’ that sits between your machine and the server you want to connect to (I’m going to use a webserver for this example, but it could be anything). When you want to interact with the website, you send the requests through the proxy server which sends them to the website. The proxy server then receives the result from the webserver and sends it back to you.  This hides your IP address, as the webserver only sees the IP address of the proxy server, not of your machine.

How is a VPN Different to a Proxy?

A VPN is also a ‘go-between’, but this time the data you send between the VPN and the proxy is encrypted (data sent between the VPN server and the webserver are not necessarily encrypted). A VPN also hides your IP address, as well as hiding your browsing from people on the same network using packet sniffers, which a proxy does not.

Creating a Strong Password:

When creating a password, it is important that it meets three criteria. A good password must:

Be at least eight characters in length, but preferably more. I have heard of people using passwords of 64 characters.

Include a mix of uppercase and lowercase numbers.

Contain numbers and special characters.

Each of these intends to increase the complexity of the password, and increase the amount of time it will taker for a cyber-criminal to guess the password through a method called a brute-force attack. Brute-forcing is when a hacker tries every possible combination until they find the correct one, and by increasing the complexity of the password you increase the amount of guesses needed until it becomes infeasible.

Each of your accounts should use a secure password, as detailed above, but they should also use a unique one. You shouldn’t use the same password for different accounts.

Using a Unique Password:

It is an unfortunate truth that websites get hacked, and quite often data is stolen. This data can contain personal data like names, but can also contain login details. Cyber criminals often try to use this leaked data, together with peoples habit to use the same password for multiple accounts, to try and gain access to other accounts than the one that got leaked.

Using different passwords for each account minimises this risk. If your password for facebook gets leaked for example, they can’t use that password to access your emails.

Using a Password Manager:

If you are following good password practices, it will be impossible to remember all of your passwords. You could write them all down on a piece of paper, but using a password manager is much more convenient.

A password manager allows you to store all your passwords in a secure manner. There are many different password managers to choose from, each with pros and cons, so you should do some research into which is best for you. Personally I use KeePass, but there are many other good options such as 1Password and Dashlane (This post is not sponsored by anyone, these are just highly rated services) .

A password manager with auto-fill can also help to protect you against phishing (which you can read my guide on here), because if it doesn’t automatically fill in your password then that is a clue that the website you are on might not be legitimate.

Conclusion:

If you’ve been reading my blog, you may have noticed me mention the site TryHackMe (In my post on nmap). I use this site often, and in my experience it has been a brilliant resource in learning not only hacking, but also using the Linux terminal and other more broad subjects. In this post I will teach how to make an account, connect to the TryHackMe network, and start hacking.

Creating an Account:

The first step is to create an account at tryhackme.com/signup. Here you can choose a username, an an experience level to describe your level of experience with hacking (This isn’t displayed, so don’t feel bad if your experience level is low)

After signing up, you’ll be taken to a ‘room’. Rooms are a series of activities to help you learn an aspect of cyber security. Each task has at least one ‘question’ (although there don’t always require an answer, sometime you just need to read or do something). This is what the room looks like for me, but I think it’s different depending on your experience level:

On completing all the tasks of a room, you will be congratulated. You can use this to share your achievement on social media, or just click the cross if you want to keep your success to yourself.

You can now go to the Dashboard. This is the home screen, from which you can navigate the website as well as see statistics on your learning. I’m going to let you discover most of what the website has to offer, but I’ll walk you through a few things.

‘Pathways’ are groups of rooms with a similar subject, designed as more structured learning than doing the rooms on their own. Some of these rooms require a paid VIP account, but all pathways have at least one free room for you to do. A ‘series’ is a similar thing, but giving fun challenges to test your knowledge. These two groups don’t come close to including everything TryHackMe has to offer, for that there are individual rooms you can access from the ‘Learn’ tab

If you feel like giving yourself an extra challenge try the ‘Compete’ tab to either check the leaderboard and see where you place, or compete against other hackers in a King of the Hill.

Before you get into doing activities however, there’s one important thing to know. Many rooms include a virtual machine to hack against, but in order to connect to it you have to connect to the TryHackMe VPN (Virtual Private Network). I’ll explain what a VPN is in a later guide, but for now just know that it connects you to TryHackMe’s network, which has the VMs to hack on it.

Connecting to the VPN:

To connect to the VPN, the first thing you need to do is download the configuration file. this can be done by clicking your profile in the top right, then ‘connect’, or by going to tryhackme.com/access. A download will start for a [your username].ovpn file - click ‘Save File’ and the download should be finished very quickly.

Open a terminal and cd to your Downloads directory. You should see your .ovpn file there.

You should have openVPN installed by default on Kali, so you simply start the VPN connection with the command “sudo openvpn [username].ovpn”, after running the command you should see a lot of output. You can now open a new terminal window or tab with CTRL+SHIFT+T, and get to hacking.

(I had to switch machines and TryHackMe accounts because I had an error. If you have problems connecting, please send me a DM on twitter, or a message here on tumblr)

You can then check  you are connected, by going back to the ‘access’ page. You should see this:

This panel also tells you your Internal IP address, which is useful for executing some exploits/shells, in case you forgot how to find that from the terminal. Your VPN server name may differ, depending on your geographic region.

Conclusion:

Go forth and hack things! As I mentioned before, TryHackMe is a great resource for hands-on learning. There are rooms about all manner of things, from cyber security to python programming and general Linux use.

About ProtonMail:

ProtonMail is a free and private email provider. Emails sent between ProtonMail users are encrypted end-to-end, and ProtonMail cannot access any emails sent. This end-to-end encryption also protects you against Meddler in the Middle attacks (MitM), so hackers can’t easily intercept and snoop your emails

Things to Know About ProtonMail:

Although emails are encrypted end-to-end, metadata about the emails (such as subject lines, and sender & recipient) is stored by ProtonMail.

Emails sent between ProtonMail users are encrypted, but users sent between ProtonMail and non-ProtonMail users are not encrypted in transit. This means that if the (non-ProtonMail) recipient’s inbox gets breached, all of the emails will be visible by default. This can be remedied by using the encryption features, or PGP.

Although ProtonMail is more private than mainstream email providers (gmail, hotmail etc.), and safer against hackers, it will not protect you against government agencies. ProtonMail will help you regain some privacy online, but won’t help you hide your firearm smuggling/money laundering business. Sorry

Setting up a ProtonMail Account:

To create a ProtonMail account, go to protonmail.com/signup, where you can select what tier of membership you want. The more expensive tiers have their advantages, but for most people the free account is more than plenty. After selecting the tier, you’ll be taken to the following page:

You can then choose a username, as well as the domain you want. You can choose between a .com or .ch email address. You’ll see this while it sets up your account:

Once it’s finished creating your account, you’ll be able to set a screen name to be displayed to others when they receive an email from you.

And with that, your account is set up!

How to Use ProtonMail:

Despite sounding technical with encryption and all that, it really seems like any other email client. The inbox is very similar to something like gmail.

I think the only thing I really need to explain is the encryption. As mentioned before, emails sent between ProtonMail users are encrypted end-to-end, but anything sent between a ProtonMail and non-ProtonMail user will not be encrypted by default. Luckily you have an option to encrypt messages sent over ProtonMail. Clicking ‘Compose’ will show a pop-up like this:

brb while I write an email.

Ok, I’m back

Now, to encrypt it I click the padlock button on the bottom left. This will lock the email, and require a password to open, as well as scrambling it so hackers can’t read it.

I’ve encrypted this with a password of “UncrackablePassword”(Note: This is not a very secure password. For any sensitive emails, please use a more secure password). I click ‘Set’, then I send my first encrypted password!

Now the spy logs into their email address. This is what they see:

In order to view the email, they need to click the link and enter their password. Doing so reveals the email:

Conclusion:

Hopefully you know know how to create and use a ProtonMail account. Remember to bear in mind the things I told you before. ProtonMail may be good, but it isn’t unbreakable

 A few days before Christmas, employees of the web-hosting company GoDaddy received an email containing a link to claim a $650 bonus. Unfortunately for the employees, the email was fraudulent and there was no bonus. GoDaddy sent out this fake email which pretended to be real to test how it’s employees respond to a type of attack called “phishing”.

Phishing is a type of “social engineering” attack, meaning that it targets humans instead of machines. A phish email or text seems legitimate and usually contains either a link to a malicious website, or a malware file for the target to download. Luckily there are often telltale signs that an attempt is not legitimate.

Impersonal Greeting: Attackers often send these emails in bulk, and do not greet every person individually. A typical phish will start with “dear sir/madam” instead of “dear <name>”

Spelling mistakes: Phishing messages often contain multiple spelling/punctuation/grammatical mistakes, as well as formatting mistakes.

Incorrect URL: A common method of phishing includes sending the target a link to a spoofed login page. At first the link may look legitimate, but on further inspection you may find it is not. Look for spelling mistakes or incorrectly formatted URLs (www.example.realbank.com belongs to realbank.com, whereas www.realbank.example.com belongs to example.com)

Carrot or Stick: The attacker knows you have to have a reason to click the link. This can either be a good reward (such as a large amount of money) or a stick (punishment if you do not click the link)

Pressure: The attacker will normally give a deadline to click the link. The short deadline tries to make you panic, which will reduce your critical thinking skills and increase the chance of you missing the red flags.

Phishing Breakdowns:

Here is an example of a not very convincing phishing attempt I received.

Right off the bat, we can tick off numbers 1 & 2 from the list. Instead of being greeted personally, I just got “Dear Sir/Ma”, with an error spelling “Ma’am”. There isn’t a link for us to click, but a curious thing is that the address of the sender is different to the address I’m meant to contact.  We can also see no. 4, being an unclaimed fund (presumably money), there is no no. 5 besides the chance of not receiving the money.

Not all phish attacks are emails, here’s an SMS one I received a while ago:

1 can be ticked off, as there is no greeting at all. Everything seems to be spelled correctly so number 2 doesn’t apply. The carrot here is the tax return, but on inspection the URL does not belong to the actual HMRC (UK government domains end in .gov.uk) which gives us an example of number 3.

Conclusion:

Phishing attacks rely on people’s ignorance of the warning signs, and pressuring people into responding before thinking. If you’re not sure, the best thing to do is to be cautious and think carefully.

Python:

Introduction to Variables

User Input and Selection

An Introduction to While Loops

Putting it Together

Introduction to Lists

Website:

Into to HTML

Binary:

Decimal to Binary and Vice Versa

Basic Logic Gates

Hacking:

Securing Kali Against Hacking

Finding Open Ports With Nmap

Finding Exploits

Hacking Metasploitable

Staying Safe Online:

Spotting Phishing Attacks

HTTP vs HTTPS

Good Password Etiquette

Proxies and VPNs

MultiFactor Authentication

Virtual Machines:

Kali for VMWare

Kali for VirtualBox

Creating a Live USB

Linux:

Directory Traversal and File Creation/Deletion

Basic Networking Commands

Remote Access

Finding Files

Blue Team:

Static Malware Analysis 101

General Programming: