Definitions
Anti-Debugging: Techniques to compromise debuggers and/or the debugging process
Anti-Disassembly: Techniques to compromise disassemblers and/or the disassembling process
Obfuscation: Techniques to make signature creation more difficult and the disassembled code harder for a professional to analyze
Anti-VM: Techniques to detect and/or compromise virtual machines
Anti-disassembly techniques
API obfuscation
API obfuscation changes the names of identifiers (class names, method names, field names) to random names so that the reader of the code doesn't know what the code is doing.
Simple Sample Code

#include <stdio.h>
#include <stdlib.h>

/* Never called from main; it can only be reached by redirecting the
 * instruction pointer (EIP) to it from inside the debugger. */
void unreachableFunction(void)
{
    printf("\nI'm hacked! I'm a hidden function! :-)\n");
    exit(0);
}

int main(void)
{
    printf("Hello World!");
    printf("01234567890 ...");
    return 0;
}

Compile with debug info, 32-bit and 64-bit
gcc -m32 -ggdb -o eipExample_32 eipExample.c
gcc -ggdb -o eipExample_64 eipExample.c

Run
gdb eipExample_32

Intel syntax
(gdb) set disassembly-flavor intel

Run program
(gdb) r
Starting program: /home/hacker/test_gdb/eipExample_32
Hello World!01234567890 ...[Inferior 1 (process 4775) exited normally]

Set breakpoint at main
(gdb) b main
Breakpoint 1 at 0x1205: file eipExample.
Binary Stuff
4 Bit -> Nibble
8 Bit = 1 Byte
16 Bit = 2 Byte -> Word
32 Bit = 4 Byte -> Double Word
64 Bit = 8 Byte -> Quad Word
Hex 0xffffd040 is 4 bytes and is a double word

CPU: 4 Parts
1) Control Unit: retrieves and decodes instructions from the CPU, then stores and retrieves them to and from memory
2) Execution Unit: where the execution of fetched and retrieved instructions occurs
3) Registers: internal CPU memory locations used as temporary data storage
4) Flags: indicate events when execution occurs

Registers
EIP: Instruction Pointer; contains the address of the next instruction to be fetched from memory and then executed
General-purpose Registers
EAX: Main register used in arithmetic calculations.
Webhacking 1/2
XSS Attacks
Stored XSS: the injected script is permanently stored on the target server
Reflected XSS: the attacker needs to construct a malicious URL
DOM-based XSS: the vulnerability is in the client-side code rather than the server-side code
Stored XSS: the attacker sends JS code to the server. It is stored there, in a DB, a file, whatever. A victim later visits the website and the JS code is injected. This scales well: all clients are infected and the JS code is executed on the client side / in the victim's browser.
Disk & Network Forensics
6 W-Questions
Who did it?
What happened?
When did it happen?
Where did it happen?
Why was it done?
How did it happen?

Linux file ID, full time
ls -lih --full-time
total 113M
1226 -rw-r--r-- 1 root root 113M 2022-01-27 09:40:41.000000000 +0100 checkmk.deb
1442 drwx------ 2 root root 4.0K 2022-02-11 11:21:35.821224899 +0100 ssh-TfT7oxzck4
786 drwx------ 3 root root 4.
URL
https://www.nasm.us/
https://en.wikipedia.org/wiki/Executable_and_Linkable_Format
https://github.com/diogovk/c2nasm
https://en.wikipedia.org/wiki/Processor_register
https://en.wikipedia.org/wiki/X86
https://filippo.io/linux-syscall-table/
https://en.wikipedia.org/wiki/Stack-based_memory_allocation
https://en.wikipedia.org/wiki/Word_(computer_architecture)
https://en.wikipedia.org/wiki/Endianness
https://en.wikipedia.org/wiki/FLAGS_register
https://en.wikipedia.org/wiki/Branch_table
https://en.wikipedia.org/wiki/X86_instruction_listings

Notes to Assembly
https://www4.cs.fau.de/Lehre/WS20/V_BS/Uebungen/seminar-asm.pdf
https://www.tutorialspoint.com/assembly_programming/assembly_basic_syntax.htm
https://www4.cs.fau.de/Lehre/WS09/V_BS/Uebungen/oostubs/assembler.shtml
Sections: data, bss, text
Data: for declaring initialized data or constants
BSS: for declaring variables
Text: contains the actual code
CPU Registers
RAX: Accumulator
RBX: Base Register
RCX: Counter
RDX: Data Register
RSI: Source Index
RDI: Destination Index
RBP: Base Pointer        # Don't touch
RSP: Stack Pointer       # Don't touch
RIP: Instruction Pointer -> contains the address of the instruction to be loaded next
RFLAGS: Status Register -> contains the PSW (Processor Status Word)

Move
mov rax, 43            -> constant to register
mov rax, rcx           -> register to register
mov rax, [0xb8000]     -> memory to register
mov [0xb8000 + 4], rax -> register to memory

Stack
pop rax                -> stack -> register, equivalent to:
    mov rax, [rsp]
    add rsp, 8
push rax               -> register -> stack, equivalent to:
    sub rsp, 8
    mov [rsp], rax

Check Args
section .
Gaining Access: Thomas and 3 guest speakers, was really cool and ranged from TLP:WHITE to TLP:AMBER.
https://de.wikipedia.org/wiki/Traffic_Light_Protocol
sha256: 282a248093ba223dd37dbfcdb23670d17b378db83ae1e656ffb1e19be2281628
Little XmaSS Challenge provided by Compass Security. Why not take the chance and learn some XSS stuff ;)
https://xmass.compass-demo.com/
Level1: https://xmass.compass-demo.com/level1
<script>alert("alert(1)")</script> sha256: 3fe9f4ba6acdcae794b6dd201f8a159b223438d736ffc46c9b07a260e0b5e915
JavaScript Guide https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide
Comments
// a one line comment
/* this is a longer,
 * multi-line comment
 */

Declarations
// Declares a variable, optionally initializing it to a value
var a = 1;
// Declares a block-scoped, local variable, optionally initializing it to a value.
let b = 2;
// Declares a block-scoped, read-only named constant.
const c = 3;

A JavaScript identifier must start with a letter, underscore (_), or dollar sign ($).
Learning JSON: taking some failed SSH password attempts from a honeypot and learning some JSON along the way :)
RAW Data
cat <<EOF > data.json
{"_etime":"2021-03-31T15:10:03+02:00","_host":"139.217.129.158:46882","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"external","username":"external","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:17:14+02:00","_host":"152.136.11.211:48528","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"support","username":"support","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:17:51+02:00","_host":"139.217.129.158:54804","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"ambilogger","username":"ambilogger","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:07+02:00","_host":"68.183.84.215:40716","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"passwd1234","username":"root","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:16+02:00","_host":"104.131.231.109:43296","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"guest","username":"Guest","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:32+02:00","_host":"91.217.83.61:45994","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"qwertyu","username":"test","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:36+02:00","_host":"181.143.81.52:37964","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"sh123456","username":"root","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:44+02:00","_host":"52.178.155.67:1024","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"Root12345!","username":"root","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:55+02:00","_host":"103.94.6.69:48871","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"wq","username":"wq","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:19:24+02:00","_host":"177.67.203.135:27752","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"daemon","username":"daemon","version":"SSH-2.0-libssh-0.6.3"}
EOF

Questions
I take a bigger file with 1000 entries.
What SSH agents are in use? How many?
$ cat data1000.json | jq -r .version | sort | uniq -c | sort -rn | head -10
445 SSH-2.0-libssh-0.6.3
 43 SSH-2.0-libssh2_1.4.3
 30 SSH-2.
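The same counting that the jq pipeline does can be done in a few lines of Python, which is handy once you want more than one field at a time (version, username, source address with the ephemeral port stripped). This is an added example, not code from the original notes; the sample records embedded in it are the ten lines from the data.json heredoc above, and the function names are my own.

```python
import json
from collections import Counter

# The ten honeypot records shown above, one JSON object per line (NDJSON).
RAW = r'''
{"_etime":"2021-03-31T15:10:03+02:00","_host":"139.217.129.158:46882","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"external","username":"external","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:17:14+02:00","_host":"152.136.11.211:48528","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"support","username":"support","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:17:51+02:00","_host":"139.217.129.158:54804","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"ambilogger","username":"ambilogger","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:07+02:00","_host":"68.183.84.215:40716","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"passwd1234","username":"root","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:16+02:00","_host":"104.131.231.109:43296","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"guest","username":"Guest","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:32+02:00","_host":"91.217.83.61:45994","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"qwertyu","username":"test","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:36+02:00","_host":"181.143.81.52:37964","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"sh123456","username":"root","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:44+02:00","_host":"52.178.155.67:1024","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"Root12345!","username":"root","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:18:55+02:00","_host":"103.94.6.69:48871","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"wq","username":"wq","version":"SSH-2.0-libssh-0.6.3"}
{"_etime":"2021-03-31T15:19:24+02:00","_host":"177.67.203.135:27752","_proto":"ssh","_server":"[::]:222","_type":"credential","method":"password","password":"daemon","username":"daemon","version":"SSH-2.0-libssh-0.6.3"}
'''


def parse_records(text):
    """Parse newline-delimited JSON. A single corrupt line (truncated log
    rotation, partial write) is skipped instead of aborting the whole run."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            print(f"skipping malformed line {lineno}")
    return records


def top_counts(records, field, n=10):
    """Equivalent of: jq -r .<field> | sort | uniq -c | sort -rn | head -n"""
    return Counter(r.get(field, "<missing>") for r in records).most_common(n)


def top_source_ips(records, n=10):
    """_host is 'ip:port'. Drop the client port so that repeated attempts
    from one address are counted together (139.217.129.158 appears twice)."""
    return Counter(r["_host"].rsplit(":", 1)[0] for r in records).most_common(n)


def passwords_tried_for(records, username):
    """Which passwords were tried against a given account, in arrival order."""
    return [r["password"] for r in records if r["username"] == username]


if __name__ == "__main__":
    recs = parse_records(RAW)
    print(len(recs), "records")
    print("versions:", top_counts(recs, "version"))
    print("usernames:", top_counts(recs, "username"))
    print("sources:", top_source_ips(recs, 3))
    print("root guesses:", passwords_tried_for(recs, "root"))
```

To run it against the real file, replace RAW with `open("data1000.json").read()`; the jq output for `.version` and `top_counts(recs, "version")` should then agree line for line.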
https://www.digitalocean.com/community/tutorials/an-introduction-to-json
https://www.json.org/json-en.html
https://jquery.com/
https://shancarter.github.io/mr-data-converter/
https://www.utilities-online.info/xmltojson
https://stackoverflow.com/questions/35876490/how-to-remove-an-array-element-with-jq
https://gnulinux.ch/json-query
https://www.predic8.de/jq-json-kommandozeile.htm
https://jsfiddle.net/
sha256: 082211b482c5b0c5ad0c74415126620e89b6489a070899ddb566bc255defde32
Cross-Origin Resource Sharing (CORS)
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

What requests use CORS?
This cross-origin sharing standard can enable cross-site HTTP requests for:
Web Fonts (for cross-domain font usage in @font-face within CSS), so that servers can deploy TrueType fonts that can only be loaded cross-site and used by web sites that are permitted to do so.
WebGL textures.
Images/video frames drawn to a canvas using drawImage().
CSS Shapes from images.

Simple Requests
Some requests don't trigger a CORS preflight.
Intro
SOP restricts how a document or script loaded from one origin can interact with resources from another origin (cross-domain traffic)
Implemented in the browser
Policies are applied in the background, no user interaction required

Restricts access to:
DOM
Cookies
WebStorage: Local Storage, Session Storage, IndexedDB

Restricted components:
JavaScript APIs: XMLHttpRequest (XHR), Fetch API
Flash (t 2020) …
Applets, Silverlight, XDomainRequest

How it works
SOP = Protocol = https = Hostname = www.
What is a HTTP Cookie? https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with later requests to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.
Takeaway from HTTP basics
Always send sensitive data over POST (and not a GET request!)
Always send a redirect after successful login (so the data gets flushed out of the client memory)
Always create a new session after successful login (session fixation)
sha256: b98a2764ae1ac790fee3451f8e70f147420578c159d179332b8b29cbd7239e75
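The three takeaways fit into one small login handler, shown here as an added example (not code from the notes). The session store, the `USERS` table and the `handle_login` signature are my own constructions standing in for whatever framework you use; the point is where each rule lands in the code: GET is refused, the pre-login session id is discarded and a fresh one issued, and the response is a redirect rather than a page.

```python
import secrets


class SessionStore:
    """Hypothetical in-memory session store (constructed for this example)."""

    def __init__(self):
        self._sessions = {}                 # session id -> attributes

    def create(self, user=None):
        sid = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def rotate(self, old_sid, user):
        """Invalidate the pre-authentication id and bind a brand-new one to
        the user. An id the client already had (or was handed by someone
        else) is therefore never promoted to an authenticated session."""
        self._sessions.pop(old_sid, None)
        return self.create(user)


# Constructed credential table; a real one stores salted password hashes.
USERS = {"alice": "correct horse battery staple"}


def handle_login(store, method, params, cookie_sid):
    """Return (status, headers) for the login endpoint.

    method     : 'GET' or 'POST'
    params     : dict of submitted form (or query) fields
    cookie_sid : value of the session cookie the browser sent, or None
    """
    if method != "POST":
        # Rule 1: credentials never travel in a URL, where they end up in
        # server logs, browser history and Referer headers. Refuse GET.
        return 405, {"Allow": "POST"}

    user = params.get("username")
    supplied = params.get("password", "").encode()
    if user not in USERS or not secrets.compare_digest(supplied, USERS[user].encode()):
        return 401, {}

    # Rule 3: new session after a successful login (session fixation defence).
    sid = store.rotate(cookie_sid, user)

    # Rule 2: answer the POST with a redirect, so the browser moves on to a
    # GET and does not keep (or re-submit on reload) the credential form.
    return 303, {
        "Location": "/home",
        "Set-Cookie": f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax",
    }


def cookie_value(headers, name="session"):
    """Pull the session id back out of a Set-Cookie header (test helper)."""
    first = headers["Set-Cookie"].split(";", 1)[0]
    key, _, value = first.partition("=")
    return value if key == name else None


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()                   # id the browser had before login
    status, hdrs = handle_login(store, "POST",
                                {"username": "alice",
                                 "password": "correct horse battery staple"}, anon)
    print(status, hdrs)
    print("old id still valid?", store.get(anon) is not None)
```

Checking that the old id is dead after login (`store.get(anon) is None`) is the test worth keeping in a real suite; it fails silently in frameworks where session regeneration has to be called explicitly.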