Warning: fopen(/home/seclistu/public_html/wp-content/iosec_admin/banlisttemp): failed to open stream: Permission denied in /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php on line 273

Warning: fopen(/home/seclistu/public_html/wp-content/iosec_admin/banlist): failed to open stream: Permission denied in /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php on line 277

Warning: fopen(/home/seclistu/public_html/wp-content/iosec_admin/ips): failed to open stream: Permission denied in /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php on line 281

Warning: Cannot modify header information - headers already sent by (output started at /home/seclistu/public_html/wp-content/plugins/iosec-anti-flood-security-gateway-module/iosec.php:273) in /home/seclistu/public_html/wp-includes/feed-rss2.php on line 8
anti-forensic – Security List Network™ http://seclist.us Wed, 25 Apr 2018 22:10:46 +0000 en-US hourly 1 PEframe is a open source tool to perform static analysis on (portable executable) malware. http://seclist.us/peframe-is-a-open-source-tool-to-perform-static-analysis-on-portable-executable-malware.html Thu, 09 Nov 2017 14:59:03 +0000 http://seclist.us/?p=15907 PEframe is a open source tool to perform static analysis on Portable Executable malware and generic suspicious file. It can help malware researchers to detect packer, xor, digital signature, mutex, anti debug, anti virtual machine, suspicious sections and functions, and much more information about the suspicious files.

peframe v5.0.1

Dependencies:

+ Python 2.7.x

Usage:

git clone https://github.com/guelfoweb/peframe && cd peframe
pip install simplejson

python setup.py install
peframe example.exe

Source: https://github.com/guelfoweb

]]>
AntiFor – an Anti-Forensics Script In the Makings. http://seclist.us/antifor-an-anti-forensics-script-in-the-makings.html Wed, 27 Sep 2017 06:50:28 +0000 http://seclist.us/?p=15567 Disclaimer:
This script allows you to destroy data which could potentially be data you should not be destroying. This script is for educational purposes only and I am not responsible for any user stupidity that is brought about using the script.

AntiFor is An anti-forensic multitool written in bash
Dependencies
– bleachbit
– mat (Metadata Anonymization Toolkit)
– exiftool
– python
– shred

AntiFor

Usage:

apt install libimage-exiftool-perl bleachbit mat
git clone https://github.com/irrecoverable/AntiFor && cd AntiFor
chmod +x *.sh
sudo ./anti.sh

Source: https://github.com/irrecoverable

]]>
vlany is a LD_PRELOAD rootkit for x86_64, i686 and ARM architectures. http://seclist.us/vlany-is-a-ld_preload-rootkit-for-x86_64-i686-and-arm-architectures.html Mon, 07 Nov 2016 14:01:39 +0000 http://seclist.us/?p=12390 NOTICE: THIS POST JUST FOR EDUCATION & RESEARCH PURPOSE ONLY! YOU CAN LEARN HOW TO rootkit takes control of the system.
vlany is a LD_PRELOAD rootkit for x86_64, i686 and ARM architectures complete with gid based process hiding, xattr based file hiding, network port hiding, anti-detection, anti-debug, persistent installation, execve commands, PAM (ssh/sftp) backdoor, accept() SSL/plaintext backdoor, easy-to-use installation script, incredibly robust configuration.

vlany installation

vlany installation

Features:
* Process hiding
* User hiding
* Network hiding
* LXC container
* Anti-Debug
* Anti-Forensics
* Persistent (re)installation & Anti-Detection
* Dynamic linker modifications
* Backdoors
*** accept() backdoor (derived from Jynx2)
*** PAM backdoor
**** PAM auth logger
* vlany-exclusive commands

Vlany rootkit library

Vlany rootkit library

Latest Change 7/11/2016:
* Update patch_ld.py
* Update config.py

Use and download:

wget https://github.com/mempodippy/vlany/archive/master.tar.gz && tar -xf master.tar.gz
./install.sh

Source: https://github.com/mempodippy

]]>
usbdeath ~ anti-forensic tool that writes udev rules for known usb devices. http://seclist.us/usbdeath-anti-forensic-tool-that-writes-udev-rules-for-known-usb-devices.html Wed, 24 Aug 2016 19:46:39 +0000 http://seclist.us/?p=11792 usbdeath is a small script inspired by usbkill( https://github.com/hephaest0s/usbkill), “an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer”. The main differences are:
+ it is written in bash, so literally anyone with basic programming skills could read through the code and audit it
+ it is not a daemon, just a rule file manipulation script, all monitoring stuff are done by existing udev daemon
+ it uses more identification values for usb devices (if usb device has these values) such as name and serial number

usbdeath

usbdeath

Dependencies:
* bash
* modern linux os with udev and probably systemd

Usage and download from git:

git clone https://github.com/trpt/usbdeath && cd usbdeath
or wget https://github.com/trpt/usbdeath/blob/master/usbdeath
chmod a+x usbdeath
./usbdeath

Source: https://github.com/trpt

]]>
Postex is a Linux post exploitation tool for discovery, backdooring, and lateral movement. http://seclist.us/postex-is-a-linux-post-exploitation-tool-for-discovery-backdooring-and-lateral-movement.html Tue, 26 Jul 2016 07:37:07 +0000 http://seclist.us/?p=11502 Postex is a Linux post exploitation tool for discovery, backdooring, and lateral movement.

goals
+ run independently of the host environment (no dependence on existing executable utilities, e.g. python, ruby, find)
+ run with minimal liklihood of detection (no execution of potentially detectable commands, e.g. netstat, lsof, who)
+ run fast (parallelized native code)

discovery
+ grab a snapshot of host activity like processes, net connections, arp cache, logged in users, more
+ … do the above over a period of time to get a sense of how the machine is used and by whom
+ detect security controls: A/V & auditd rules
+ grab ssh keys
+ serialize discovery data as JSON for easy consumption laterpostex

backdoor
+ modify user’s ssh config to force user to enable connection sharing (ControlMaster) when ssh’ing to remote hosts
features
– add user to the system
– add ssh pubkey to the root user
– execute userspace commands
– extensible…

antiforensics
+ encrypted payload functions
— when the backdoor is at rest (not performing an operation), the interesting pieces of payload are encrypted in memory. This is accomplished by receiving a command -> decryption -> execution -> re-encryption. The control channel supports OTP– each command sent to the backdoor has the option of providing a new key. The need to re-encrypt with a new key goes away when diffie-hellmann is implemented for key exchange.
— this feature isn’t useful for an opensource backdoor….um ok. did I mention extensibility?
+ userspace command execution isn’t picked up by auditd or traditional kprobing
I’m debating whether to write a LiME memory dump modifier to tamper with accurate memory dumps. Maybe too devious.

howtodetect
+ you’ll have a tainted kernel if you “allow signed modules, but don’t require them”
+ all legitimate kernel modules will need to be signed for an unsigned module to be noticed
— you still need to safely get the fact that the kernel is tainted off the system somehow
— the kernel can be tainted for reasons other than unsigned driver loading, so pay attention to the taint code
+ volatility can show you there’s a netfilter hook in place. you probably aren’t expecting any, so this is usually high signal.
— you can then reverse this piece of the module, but shouldn’t be able to analyze the payload without the key
— unless something like diffie-hellmann is used for key exchange, you can capture the key over the network to decrypt payload
+ so it still means you need memory dump & pcap to analyze the payloa

lateral movement
+ piggy back on forwarded ssh credentials (ssh-agent reuse)
+ piggy back on existing ssh connections that have connection sharing enabled (ssh connection reuse)

use and download:

git clone https://github.com/unixist/postex && cd postex
cd discovery
go build
cd cmd
go run snappy.go --av | jq '.[] | select(.Name == "Antivirus")|.Values[].Name'
"OSSEC"
"Sophos"
"Tripwire"
"Samhain"


for Backdoor
cd persistence
make
Add a public key to the root user's /root/.ssh/authorized_keys file.
$ echo 'key:0124812401:1111111111:2' | nc -u $host 8001
and run all ko module

Source: https://github.com/unixist

]]>
« usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer. http://seclist.us/usbkill-is-an-anti-forensic-kill-switch-that-waits-for-a-change-on-your-usb-ports-and-then-immediately-shuts-down-your-computer.html Thu, 07 May 2015 05:32:34 +0000 http://seclist.us/?p=7342 USBKillBanner

The project is still under development but it does work and is effective. Expect improvements to come. Custom commands for when a USB change is observed will be implemented.

« usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.
Why?
There are 3 reasons (maybe more?) to use this tool:
– In case the police or other thugs come busting in (or steal your laptop from you when you are at a public library as happened to Ross). The police commonly uses a « mouse jiggler » to keep the screensaver and sleep mode from activating.
– You don’t want someone to install backdoors or malware on your computer or to retrieve documents from your computer via USB.
– You want to improve the security of your (Full Disk Encrypted) home or corporate server (e.g. Your Raspberry).
[!] Important: Make sure to use full disk encryption! Otherwise they will get in anyway.
Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill. If they steal your computer, the USB will be removed and the computer shuts down immediately.

Additional requirement for OS X users
In order to make usbkill work on OS X, you have to install python3 by using brew:

Download : Master.zip  | Clone Url
Source : https://github.com/hephaest0s

]]>