Monday, June 24, 2013

Hash Detector Tool

Since 2009 when I wrote: "The string Decoding Process" (published by hakin9 magazine) I use crafted tools to automatically decode strings (some of them have been published on this blog). Decoding strings results pretty hard especially nowadays where many encoding algorithms are commonly used over planty "daily life tools". Understanding what encoding we are facing becomes really important if we are analyzing Hashing. Let's assume we 've just got a file including hundreds of different hash strings, how to identify what kind of hashing algorithm have been used ? Having a list o hashes, that potentially could "hide" passwords or important data, having  the power of a bruteforce machine and the right tools to attack the hash list without knowing what algorithm have been used could be pretty nesty for attackers. Indeed attackers might have difficult time in attacking hashes without knowing what is the generation algorithm. 

Surfing on this "painful wave" I decided to share a pretty python code that helped me out in solving this specific problem. The script can be downloaded here (pastebin). The following image shows how simple the script is, and how could be really easy to update it within new hashing algorithms. If you are planning to add new features to the script, please give me the diff file, so that we can create a more generic tool able to detect as many different hashing algorithms as possible.

HashFinder.py (click to enlarge)

The script is quite modular and easy to update. What you need to to is to add your new hashing function within its own identifier into the "algorithms" array (lets see the following image).

Algorithms array list: easy to expand (click to enlarge)

After having filled up the "algorithms" array, you need to add the new function which finds out if the string you are processing might be generated (or not) from the hash algorithm you 've just "declared" in the "algorithms" array. The following image shows to you some examples already implemented.

Function that perform the detection (click to enlarge)

Finally, in a very quick'n dirty way you want to process the input string by adding the generated function to the main flow. 

Adding functions to control flow (click to enlarge)

Hope it could be useful to everybody, enjoy your new hash detector tool !

Sunday, June 16, 2013

ZeuS Evolution: it's time for P2P and RSA.

Today another "Hack Note" on my blog to point you out to a great analysis of ZeuS evolutions. I definitely suggest the reading titled "ZeuS-P2P" by Cert Polska because, in my personal opinion, it describes one of the most important evolutions of a "bot kit" happened so far: the distribution of the Command aNd Control (CNC) module. As you might remember the CNC modules evolved from single access point (such as IRC, Twitter, FaceBook, and so on) to multiple access points (often by implementing a Domain Generation Algorithm, DGA), in where attackers had a bounch (~1000)  of domains to generate and/or to compromise in order to spread commands to the infected hosts. The last ZeuS versions have been using a nice alternative: the P2P protocol. Specifically ZeuS bot-kit has been using a P2P protocol very close (in term of code) to Kademlia (xor map based). The following image taken from the aforementioned document written by Cert Polska, nicely illustrates the flow between the attacker and the attacked user.
The paper follows on describing interesting detatils about the new "ZeuS generation malware" including (decompiled) source code and highlighting interesting sections such as:PROXY_SERVER_HOST string replacement, DDoS module, HTTP DDoS variant module, DhTUdp DDos, Digital Signature verification (another great improvements respect to the "OLD versions"), and so on. Aditionally fully reversed-engineered P2P protocol can be found on a dedicated chapter. Have a nice reading !