mimikittenz is a post-exploitation PowerShell tool that uses the Windows function ReadProcessMemory() to extract plain-text passwords from the memory of various target processes.
The aim of mimikittenz is to provide user-level (non-admin privileged) sensitive data extraction in order to maximise post exploitation efforts and increase value of information gathered per target.
NOTE: This tool targets the memory address space of running processes. Once a process is killed, its memory ‘should’ be cleaned up and become inaccessible; however, there are some edge cases in which this does not happen.
Currently mimikittenz is able to extract the following credentials from memory:
- Outlook Web
- Juniper SSL-VPN
- Citrix NetScaler
- Remote Desktop Web Access 2012
- Microsoft OneDrive
- AWS Web Services
So if you are a Yahoo user (as most of us probably have been at some point) you will be aware of the Yahoo hack: with 200 million e-mail addresses up for sale on the black market, it seems up to 500 million accounts have been compromised in one of the biggest hacks yet.
It seems likely it was some kind of nation-state attack, and the break-in actually occurred in late 2014. So if for some reason you signed up for a new Yahoo webmail account since then, you’ll be safe.
Hackers strongly believed to be state-sponsored swiped account records for 500 million or more Yahoo! webmail users. And who knew there were that many people using its email?
The troubled online giant said on Thursday that the break-in occurred in late 2014, and that names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers, were lifted.
This comes after a miscreant calling themselves Peace was touting copies of the Yahoo! account database on the dark web. At the time, in early August, Yahoo! said it was aware of claims that sensitive information was being sold online – and then today, nearly two months later, it alerted the world to the embarrassing security breach.
“We have confirmed that a copy of certain user account information was stolen from the company’s network in late 2014 by what it believes is a state-sponsored actor,” said Yahoo!’s chief information security officer Bob Lord on Tumblr today.
“The ongoing investigation suggests that stolen information did not include unprotected passwords, payment card data, or bank account information; payment card data and bank account information are not stored in the system that the investigation has found to be affected.
I’m surprised Yahoo is even still around to be honest, it’s a relic from an era gone by. The only significant impact they’ve had on my Internet in the past decade was to completely screw up Flickr (which I loved).
The passwords are hashed (mostly with bcrypt) and no really sensitive data was leaked (payment details, SSNs etc.), but it’s still a pretty bad compromise.
“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen and the investigation has found no evidence that the state-sponsored actor is currently in Yahoo’s network. Yahoo is working closely with law enforcement on this matter.”
Yahoo! has said it will email all those thought to be affected by the theft and is advising everyone who hasn’t changed their passwords in the last two years to do so. If you’ve forgotten your password however, you could be out of luck – security questions that Yahoo! was storing in unencrypted format have been deleted from the system.
Unlike others, Yahoo! doesn’t appear to be offering any kind of credit monitoring service for affected customers, but helpfully includes a link for users to check their own credit records. It also advises users to be on their guard against unsolicited emails.
The statement leaves many questions unanswered. For example – how many of these email accounts are actually active for a start. It’s difficult to imagine that Yahoo! actually has half a billion active email users and a quick poll around the office shows just over half of Vulture West staff have a Yahoo! account but that none of us have used it in the last year.
Yahoo! also fails to point out that the chief benefit to the hackers isn’t going to be their email accounts, but other online identities. People foolishly tend to reuse passwords and security question answers and that’s where the main value of the data comes from.
Unfortunately for you, if you forgot your password and haven’t changed it in the past 2 years, you may be out of luck, as the security questions were stored in plain text and have since been deleted.
There’s also a very interesting article about how Yahoo hired some of the best people in the infosec industry and then proceeded to pretty much ignore them:
I’m also guessing it’s likely that this will take a toll on the Verizon deal, or at least slow it down.
Source: The Register
The Volatility Framework is an advanced, completely open collection of tools for memory forensics, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
Volatility does not provide memory sample acquisition capabilities. For acquisition, there are both free and commercial solutions available.
- A single, cohesive framework analyzes RAM dumps from 32- and 64-bit Windows, Linux, Mac, and Android systems.
- It’s Open Source GPLv2, which means you can read it, learn from it, and extend it.
- It’s written in Python, an established forensic and reverse engineering language with loads of libraries that can easily integrate into Volatility.
- Runs on Windows, Linux, or Mac analysis systems (anywhere Python runs), a refreshing break from other memory analysis tools that only run on Windows and require .NET installations and admin privileges just to open.
- Extensible and scriptable API gives you the power to go beyond and continue innovating.
- Unparalleled feature sets based on reverse engineering and specialized research.
- Comprehensive coverage of file formats: Volatility can analyze raw dumps, crash dumps, hibernation files, VMware .vmem, VMware saved state and suspended files (.vmss/.vmsn), VirtualBox core dumps, LiME (Linux Memory Extractor), Expert Witness Format (EWF), and direct physical memory over FireWire.
- Fast and efficient algorithms let you analyze RAM dumps from large systems without unnecessary overhead or memory consumption.
- Serious and powerful community of practitioners and researchers who work in the forensics, IR, and malware analysis fields. It brings together contributors from commercial companies, law enforcement, and academic institutions around the world.
- Forensics/IR/malware focus: Volatility was designed by forensics, incident response, and malware experts to focus on the types of tasks these analysts typically perform.
File Format Support
Volatility supports a variety of sample file formats and the ability to convert between these formats:
- Raw linear sample (dd)
- Hibernation file (from Windows 7 and earlier)
- Crash dump file
- VirtualBox ELF64 core dump
- VMware saved state and snapshot files
- EWF format (E01)
- LiME (Linux Memory Extractor) format
- Mach-O file format
- QEMU virtual machine dumps
- HPAK (FDPro)
The most basic Volatility commands are constructed as shown below. Replace plugin with the name of the plugin to use, image with the file path to your memory image, and profile with the name of the profile matching the operating system the image was taken from (such as Win7SP1x64).
$ python vol.py [plugin] -f [image] --profile=[profile]
Here is an example:
$ python vol.py pslist -f /path/to/memory.img --profile=Win7SP1x64
For everything beyond this example, such as controlling the output format, listing the available plugins and profiles, or supplying plugin-specific options, see the full documentation.
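A common analysis step built on commands like the one above is to run two process plugins and compare them: pslist walks the kernel's linked list of processes, while psscan carves process structures out of physical memory, so anything psscan reports that pslist does not may be an unlinked (hidden) or recently exited process. The script below is an added example, not part of Volatility or this page; the two sample outputs are constructed to approximate the column layout of `vol.py pslist` and `vol.py psscan`, and the parser assumes that the Name and PID columns precede any header containing spaces.

```python
"""Cross-reference pslist and psscan output to surface processes that psscan
finds in physical memory but pslist (kernel linked list) does not.

Added example.  The sample tables are constructed to resemble Volatility 2
text output; they are not a real capture."""
from typing import Dict, List, Tuple

# Constructed sample shaped like `vol.py pslist` output (columns trimmed).
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c9e040 System                    4      0     84      511 ------      0 2016-09-21 10:00:01 UTC+0000
0xfffffa8001a2f060 smss.exe                264      4      2       29 ------      0 2016-09-21 10:00:01 UTC+0000
0xfffffa8001f5ab30 explorer.exe           1648   1612     31      902      1      0 2016-09-21 10:00:35 UTC+0000
"""

# Constructed sample shaped like `vol.py psscan` output; note the extra row.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000007d0c9040 System                4      0 0x0000000000187000 2016-09-21 10:00:01 UTC+0000
0x000000007e62f060 smss.exe            264      4 0x000000007dd4f000 2016-09-21 10:00:01 UTC+0000
0x000000007e95ab30 explorer.exe       1648   1612 0x000000007cd3a000 2016-09-21 10:00:35 UTC+0000
0x000000007ea11b30 svchost.exe        2012    544 0x000000007c1a2000 2016-09-21 10:05:12 UTC+0000
"""


def parse_process_table(output: str) -> Dict[int, str]:
    """Map PID -> process name from a Volatility-style text table.

    Column positions are read from the header row, so the same parser handles
    pslist and psscan as long as Name and PID come before any header that
    contains a space (true for the layouts above; an assumption otherwise).
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines:
        return {}
    header = lines[0].split()
    name_idx, pid_idx = header.index("Name"), header.index("PID")
    procs: Dict[int, str] = {}
    for line in lines[1:]:
        if line.startswith("-"):  # dashed separator row under the header
            continue
        fields = line.split()
        if len(fields) <= max(name_idx, pid_idx):
            continue  # truncated or malformed row
        try:
            procs[int(fields[pid_idx])] = fields[name_idx]
        except ValueError:
            continue  # PID column did not hold an integer
    return procs


def hidden_processes(pslist_out: str, psscan_out: str) -> List[Tuple[int, str]]:
    """Return (pid, name) pairs reported by psscan but missing from pslist.

    Each hit is a lead, not a verdict: a legitimately exited process whose
    structure is still in memory shows up here too, so follow up on the PID
    with further plugins before drawing conclusions.
    """
    listed = parse_process_table(pslist_out)
    scanned = parse_process_table(psscan_out)
    return sorted((pid, scanned[pid]) for pid in scanned.keys() - listed.keys())


if __name__ == "__main__":
    for pid, name in hidden_processes(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print(f"psscan-only process: PID {pid} ({name})")
```

In practice the two strings would come from running `python vol.py pslist -f image --profile=...` and `python vol.py psscan -f image --profile=...` and capturing stdout; the comparison logic stays the same.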
Here is what you need for the core functionality:
- A Windows, Linux, or Mac OS X machine
- Python version 2.6 or greater (but not 3.x)
Some plugins require third party libraries which you can get here:
- Distorm3 (Malware Plugins, Volshell)
- Yara (Malware Plugins)
- PyCrypto (Core)
- OpenPyxl (xlsx rendering for all plugins)
- PIL (Screenshot plugin)
OWASP Offensive Web Testing Framework (OWTF) is a project focused on penetration testing efficiency and alignment of security tests to security standards such as the OWASP Testing Guide (v3 and v4), the OWASP Top 10, PTES and NIST.
The purpose of this tool is to automate the manual and uncreative parts of pen testing. For example, figuring out how to call “tool X”, then manually parsing the results of “tool X” to feed “tool Y”, and so on, is time consuming.
By reducing this burden we hope pen testers will have more time to:
- See the big picture and think out of the box,
- Find, verify and combine vulnerabilities efficiently,
- Have time to investigate complex vulnerabilities like business logic, architectural flaws, virtual hosting sessions, etc.
- Perform more tactical/targeted fuzzing on seemingly risky areas
- Demonstrate true impact despite the short time-frames we are typically given to test.
This tool is however not a silver bullet and will only be as good as the person using it. Understanding and experience will be required to correctly interpret the tool output and decide what to investigate further in order to demonstrate the impact.
- Web UI. Now configure and monitor OWTF via a responsive and powerful interface accessible via your browser.
- Exposes RESTful APIs to all core OWTF capabilities.
- Instead of implementing yet another spider (a hard job), OWTF will scrub the output of all tools/plugins run to gather as many URLs as possible.
- Scan by various aggression levels: OWTF supports scans which are based on the aggressiveness of the plugins/tools invoked.
- Extensible: OWTF manages tools through ‘plugins’, making it trivial to add new tools.
- OWTF has been developed keeping Kali Linux in mind, but it also supports other pentesting distros such as Samurai-WTF, etc.
- Tool paths and configuration can be easily modified in the web interface.
- Fastest Python MiTM proxy yet!
- Crash reporting directly to Github issue tracker
- Comprehensive interactive report at end of each scan
- Easy plugin-based system; currently 100+ plugins!
- CLI and web interface
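The “scrub the output of all tools rather than write another spider” idea above boils down to pulling URLs out of arbitrary text and keeping only those inside the agreed scope, so that nothing collected from one tool is fed to another against hosts the engagement does not cover. The following is an added example of that harvesting step, not OWTF's own code; the tool output is constructed, and the host-matching rule (exact host or subdomain of a scope entry) is an assumption.

```python
"""Scope-filtered URL harvesting from other tools' output.

Added example, not taken from OWTF.  SAMPLE_TOOL_OUTPUT is constructed to look
like lines several tools might print; the scope rule is an assumption."""
import re
from typing import Iterable, List
from urllib.parse import urlparse

# Candidate URLs stop at whitespace, quotes and brackets so that surrounding
# log decoration is not swallowed into the URL.
URL_RE = re.compile(r"https?://[^\s\"'<>()\[\]]+", re.IGNORECASE)
TRAILING_PUNCT = ".,;:!?"

# Constructed lines resembling mixed tool output (not real output).
SAMPLE_TOOL_OUTPUT = """\
[+] 200 OK https://app.example.test/login (1.2 KB)
[+] 302 -> https://app.example.test/account/settings?tab=security.
Found link: https://static.example.test/js/app.min.js
Found link: https://cdn.thirdparty.invalid/lib.js
DEBUG fetched 'https://app.example.test/login' again
"""


def in_scope(url: str, scope_hosts: Iterable[str]) -> bool:
    """True if the URL's host equals a scope entry or is a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in scope_hosts)


def harvest_urls(text: str, scope_hosts: Iterable[str]) -> List[str]:
    """Extract unique, in-scope URLs from arbitrary tool output.

    Sentence punctuation glued to the end of a URL is removed; out-of-scope
    hosts (third-party CDNs, tracking domains) are dropped rather than queued
    for further testing.
    """
    scope = [s.lower() for s in scope_hosts]
    found = set()
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(TRAILING_PUNCT)
        if in_scope(url, scope):
            found.add(url)
    return sorted(found)


if __name__ == "__main__":
    for url in harvest_urls(SAMPLE_TOOL_OUTPUT, ["example.test"]):
        print(url)
```

With `example.test` as the only scope entry, the third-party CDN URL is discarded and the login URL, which appears twice in different decorations, is reported once.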
You can download OWASP OWTF here:
wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; bash bootstrap.sh
The big buzz on my Twitter this week was about the Tesla Hack carried out by a Chinese crew called Keen Security Lab. It’s no big surprise even though Tesla is known for being fairly security conscious and proactive about it. With it being a connected car, it’s pretty important that any remote control capabilities […]
MANA Toolkit is a set of tools for rogue access point (evilAP) attacks and wireless MiTM. More specifically, it contains the improvements to KARMA attacks implemented into hostapd, as well as some useful configs for conducting MitM once you’ve managed to get a victim to connect. Contents MANA Toolkit contains: kali/ubuntu-install.sh – simple installers for […]
BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has […]
DDoS or Booter services have been around for a while, but VDoS-s.com was a particularly slick (and shameless) one with a content marketing strategy and active social media accounts. Two Israeli men were arrested for running the service after ironically being hacked by a security researcher. They called their service a ‘Stresser’ and claimed to […]
PunkSPIDER is a global-reaching web vulnerability search engine aimed at web applications. The goal is to allow the user to determine vulnerabilities in websites across the Internet quickly, easily, and intuitively. Please use PunkSPIDER responsibly. In simple terms, that means the authors have created a security scanner and the required architecture that can execute a […]
DET is a proof of concept Data Exfiltration Toolkit using either single or multiple channel(s) at the same time. The idea behind DET was to create a generic tool-kit to plug any kind of protocol/service to test implemented Network Monitoring and Data Leakage Prevention (DLP) solutions configurations, against different data exfiltration techniques. Features DET already […]