
16 October 2017

How to create a Backdoor for Android systems



There is plenty of documentation, how-tos and videos on the net today about creating a backdoor for Android devices. As a result, it’s increasingly easy to “develop” a backdoor or trojan to spy on someone, which makes this extremely dangerous in the wrong hands. Once again, if we don’t want to be the victim, security awareness is essential: it is what lets us detect social engineering attacks and block access to malicious websites or unknown mail.

Today I’m going to write an easy how-to on creating a backdoor for Android devices, although there are already many tutorials like this on the net. Of course, I’m not responsible for any illegal activity performed by the reader, because this is for educational purposes only.

Step 1: We are going to create a payload .apk file from Kali Linux with the MSFvenom tool. This tool is a combination of msfpayload and msfencode, which are no longer used.

MSFvenom payload

-p = payload to be used
LHOST = local IP address that receives the back connection. We used a private IP address for testing in the lab; if the victim is going to be on the Internet, LHOST should be a public IP address.
LPORT = local port on which the listener waits for the victim’s connection.
R = raw format (we select apk).
Location = where to save the file.

Step 2: Once the .apk file has been created successfully, we have to sign it, because Android devices don’t allow installing apps that aren’t signed with a certificate. Therefore, we are going to sign the .apk file manually.

First, if we don’t have a valid keystore, we have to create our own keystore.

Keytool making Keystore

Second, we are going to sign the .apk file with our own key.

Signing an apk file with JARsigner

Third, we are going to align the .apk file into a new file with zipalign. It’s important to highlight that the zipalign package isn’t installed by default in Kali Linux, so we’ll have to install it first with apt-get install zipalign.

Aligning the apk into new file using zipalign
 
Step 3: The backdoor app is finished and it’s time to start the listener with the multi/handler exploit in Metasploit.

Starting Metasploit
 
We’ll also have to set the parameters so that the reverse TCP meterpreter listens on the right IP address and TCP port number:

Setting up the exploit

Finally, we run the exploit and wait for victims:

Executing the exploit

Step 4: It’s time to share the android.apk file and install it on the victim’s mobile device. If we have configured a public IP address in the apk payload, the android.apk file can be used from anywhere, which is what attackers actually do. How to share the android.apk file is up to you; what attackers actually do is share it through social networks, mail, etc.

Installing the application on an Android device

Step 5: Once the app is installed on the victim’s mobile device, we can go back to Kali Linux and see that a meterpreter session has opened, which means we have access to the mobile device.

Successfully got the meterpreter session

From a meterpreter session we can get the contacts (dump_contacts), the call log (dump_calllog), upload and download files, record audio with the microphone (record_mic), and even take pictures or open the webcam.

Webcam Streaming
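As an added defender-side example (not code from the original post), here is the check that Step 2 implies: Android only requires that an APK be signed, not by whom, so a repackaged app is simply re-signed with a freshly generated key, and the way to spot it is to pull the signer certificate out of the v1 signature block (META-INF/CERT.RSA, a PKCS#7 blob) and compare its SHA-256 fingerprint with the publisher’s known one. The APK, certificate and PKCS#7 structure below are constructed inline and are not real; the DER walker assumes single-byte tags and X.509 v3 certificates, and it ignores the newer v2/v3 APK signing block.

```python
import hashlib
import io
import zipfile

SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")   # v1 signature blocks jarsigner writes under META-INF/

def _read_tlv(buf, pos):
    """Parse one DER TLV header at pos and return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _looks_like_certificate(buf, vs, ve):
    """Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] EXPLICIT version, ... }, ... }"""
    if vs >= ve or buf[vs] != 0x30:
        return False
    _, tvs, tve = _read_tlv(buf, vs)
    return tvs < tve and buf[tvs] == 0xA0  # the [0] version tag marks an X.509 v3 TBSCertificate

def extract_certificates(buf, start=0, end=None):
    """Walk a DER tree (here PKCS#7 SignedData) and return each embedded X.509 certificate."""
    end = len(buf) if end is None else end
    certs, pos = [], start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        if tag == 0x30 and _looks_like_certificate(buf, vs, ve):
            certs.append(bytes(buf[pos:ve]))  # whole TLV: this is what gets fingerprinted
        elif tag & 0x20:                      # constructed type: descend into it
            certs.extend(extract_certificates(buf, vs, ve))
        pos = ve
    return certs

def sha256_fingerprint(cert_der):
    """Same digest keytool -printcert shows for the signer, without the colons."""
    return hashlib.sha256(cert_der).hexdigest()

def triage_apk(apk_bytes, trusted_fingerprints):
    """Return the v1 signer fingerprint(s) of an APK and a verdict against an allowlist."""
    fingerprints = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_BLOCK_SUFFIXES):
                fingerprints += [sha256_fingerprint(c) for c in extract_certificates(zf.read(name))]
    if not fingerprints:
        verdict = "no v1 signature"        # unsigned, or signed only with the v2/v3 APK scheme
    elif all(fp in trusted_fingerprints for fp in fingerprints):
        verdict = "trusted signer"
    else:
        verdict = "unknown signer"         # re-signed with a key the publisher never used
    return {"fingerprints": fingerprints, "verdict": verdict}

# --- constructed sample data: not a real certificate, key or app ---------------------
def _der(tag, *children):
    """Encode a DER TLV from already-encoded children."""
    body = b"".join(children)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + body

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

# Minimal X.509 v3 shape: SEQUENCE { tbs SEQUENCE { [0]{2}, serial, ... }, sigAlg, signature }
FAKE_CERT = _der(0x30,
                 _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
                      _der(0x0C, b"CN=constructed test signer")),
                 _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b"))),  # sha256WithRSA
                 _der(0x03, b"\x00fake-signature"))

# PKCS#7 ContentInfo { signedData, [0] { SignedData { 1, {}, {data}, [0]{ cert }, {} } } }
FAKE_PKCS7 = _der(0x30, _der(0x06, OID_SIGNED_DATA),
                  _der(0xA0, _der(0x30, _der(0x02, b"\x01"), _der(0x31),
                                  _der(0x30, _der(0x06, OID_DATA)),
                                  _der(0xA0, FAKE_CERT), _der(0x31))))

def build_sample_apk(signed=True):
    """Build an in-memory zip with the layout of a v1-signed APK (classes.dex + META-INF/)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"placeholder dex")
        if signed:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", FAKE_PKCS7)
    return buf.getvalue()
```

On a real file, call triage_apk(open(path, "rb").read(), {publisher_fingerprint}); FAKE_CERT and build_sample_apk exist only so the block runs offline.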
 
As we can see, it’s easy to create a backdoor for Android mobile devices. From my point of view, it’s a cyberweapon for spying that, in the wrong hands and with a little creativity, could harm innocent people.

Regards my friends and be a good guy!

9 October 2017

Governance of Information Security



Six years ago I got my first certification in best practices for IT service management (ITSM), which was my first step into processes, procedures and tasks, and into aligning my daily work with business needs. Next, the company where I work, Ariadnex, decided to get ISO 20000 and ISO 27001 to implement service quality and information security. That was a hard time, because we were developing and writing many policies and procedures to define, measure and improve services while, at the same time, protecting the systems and information. After that, I got the CISA and CISM certifications, where I learnt about Information Systems Auditing and Information Security Management as well as about strategies, policies and procedures.

Today, after 8 years working in IT, I've come across many security frameworks, and IT service management frameworks as well. Everybody knows about ISO 27001 and ISO 20000, but when we speak about COSO for corporate governance; COBIT, Val IT or ISO 38500 for IT governance and management; or ISO 27014 for information security governance, it's difficult to understand the differences well enough. And there are many other frameworks besides, like SABSA, TOGAF, etc.

Topology of IT-related standards

Nevertheless, most of these frameworks are designed for big companies with a department for compliance, monitoring and control, but Spain is different: most companies are small and medium-sized, with no compliance, monitoring and control department and no security department either. I wonder how many companies in Extremadura have more than five people in the security department. One? Two?

I think the best-known security standard is ISO 27001 but, maybe, there should also be a light ISO 27001 for small and medium-sized companies, because 14 security domains and 114 controls is too much for companies with fewer than 25 employees. On the other hand, if we speak about governance of information security or ISO 27014, most small and medium-sized companies don’t know what I’m talking about, because their concern isn’t to establish organization-wide information security, adopt a risk-based approach, set the direction of investment decisions, ensure conformance with internal and external requirements, foster a security-positive environment or review performance in relation to business outcomes; they don’t have time to think about it, and they work without any alignment to business needs.

ISO/IEC 27014

This last week I read about a governance framework I didn’t know, called Val IT. I came across Val IT when I was reading about ISO 38500 and ISO 27014; it’s a framework for creating business value from IT investments and has three domains (Value Governance, Portfolio Management and Investment Management). It is an old framework, developed by ISACA in 2008, which was later merged with Risk IT and COBIT 4.1 into the new COBIT 5.

Governance of Enterprise IT

As I finish writing this post, I’ve just realised that I wrote about Information Security Governance two years ago, when I was studying for the CISA and CISM certifications, so this is a second look at Governance of Information Security.

Regards my friends and keep studying!

1 October 2017

Computer Forensics



Technology grows exponentially and this is good for our society, because we can live better, we can keep in touch easily with each other regardless of where we are, and there will even be more job opportunities in jobs nobody knows today because they still have to be invented. However, this growth is challenging, because there are more and more threats, and we also have to keep studying again and again to learn new things. Therefore, this time I'm going to write about computer forensics, a new field I’m studying these days; it’s unknown to many IT engineers, but it is very important when we have to analyse an attack.

The forensic process has four phases: collection, examination, analysis and reporting. The first one, collection, identifies, labels, records and collects the data related to a specific event. In the second one, examination, forensic tools and techniques are applied to identify and extract the relevant information from the collected data. The third one, analysis, analyses the results of the examination to obtain useful information. The last one, reporting, reports the result of the analysis, which may include describing the actions performed, determining what other actions need to be done, etc.

Forensic Process

The investigator’s role is very important in forensics, because if the investigator does something wrong with digital evidence, it can be modified or destroyed, and then the evidence would be useless. This is why there are usually two roles in an investigation: one called Digital Evidence First Responder (DEFR), for the identification, gathering, acquisition and preservation of the digital evidence, and another called Digital Evidence Specialist (DES), to help the DEFR with the expertise to analyse particular evidence.

Investigators should work in a laboratory where they can store evidence securely, because the integrity and security of the evidence are very important. On the other hand, investigators should have all kinds of operating systems and many hardware and software tools, like password recovery software, forensic analysis suites, virtualization software, project management software, antivirus, etc.

Forensic Analysis Suites

Investigators should also keep the chain of custody, which is a process where evidence is handled without any modification to assure the integrity, authenticity, traceability, preservation and location of the digital evidence. The chain of custody is maintained through documentation and hashing.

Chain of Custody
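As an added example, not from the original post, of how documentation and hashing together carry the chain of custody: the evidence is hashed once at acquisition, every handover is recorded with a fresh hash that must match the original, and an altered copy cannot be handed on. The handler names, timestamps and image bytes are constructed sample data.

```python
import hashlib
import json


class CustodyError(Exception):
    """Raised when an evidence item no longer matches the hash recorded at acquisition."""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log: every handover is documented and hash-checked."""

    def __init__(self):
        self.entries = []

    def _append(self, **entry):
        self.entries.append(entry)
        return entry

    def acquire(self, evidence_id, data, handler, when, location):
        """DEFR step: record the acquisition hash that every later handler must reproduce."""
        return self._append(evidence_id=evidence_id, action="acquired", handler=handler,
                            when=when, location=location, sha256=sha256_hex(data))

    def reference_hash(self, evidence_id):
        for entry in self.entries:
            if entry["evidence_id"] == evidence_id and entry["action"] == "acquired":
                return entry["sha256"]
        raise KeyError(f"{evidence_id} was never acquired")

    def verify(self, evidence_id, data):
        """True only if the item still hashes to the value documented at acquisition."""
        return sha256_hex(data) == self.reference_hash(evidence_id)

    def transfer(self, evidence_id, data, from_handler, to_handler, when, location):
        """Handover: hash the item again and refuse to document a transfer of altered evidence."""
        if not self.verify(evidence_id, data):
            self._append(evidence_id=evidence_id, action="integrity failure", handler=from_handler,
                         when=when, location=location, sha256=sha256_hex(data))
            raise CustodyError(f"{evidence_id}: hash mismatch at handover {from_handler} -> {to_handler}")
        return self._append(evidence_id=evidence_id, action="transferred", handler=to_handler,
                            previous_handler=from_handler, when=when, location=location,
                            sha256=sha256_hex(data))

    def export(self):
        """The documentation half of the chain: one JSON line per event for the case file."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


# Constructed sample: a disk image stub acquired by the first responder, then handed to a specialist.
EVIDENCE_ID = "CASE-0001/IMG-01"
IMAGE = b"constructed raw image bytes 0000"
TAMPERED = b"constructed raw image bytes 0001"   # one byte altered after acquisition


def run_scenario():
    """Acquire, hand over intact, then attempt to hand over an altered copy."""
    log = CustodyLog()
    log.acquire(EVIDENCE_ID, IMAGE, "DEFR A. Perez", "2017-10-01T09:00Z", "site, sealed bag #12")
    log.transfer(EVIDENCE_ID, IMAGE, "DEFR A. Perez", "DES B. Ruiz", "2017-10-01T14:30Z", "lab safe 3")
    try:
        log.transfer(EVIDENCE_ID, TAMPERED, "DES B. Ruiz", "court clerk", "2017-10-02T10:00Z", "lab safe 3")
        tamper_detected = False
    except CustodyError:
        tamper_detected = True
    return log, tamper_detected
```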

Finally, it’s important to highlight that anyone could be an investigator and perform forensic activities, because no certification is required, although it helps. What’s really mandatory is to always tell the truth, and we must be unbiased to show clearly and understandably to the judge those technical aspects that are difficult to understand in a court of law.

Regards my friends, extend your knowledge, keep studying!!

25 September 2017

Spy Files Russia



It’s time for Russia. After reading about Snowden and the NSA and writing about hacking tools and malware frameworks, it seems it’s time for the Russian government, because Spy Files Russia are coming from WikiLeaks. I’m also wondering how this information is going to be published, because Edward Snowden is living in Russia today and I don’t think he is the whistleblower this time; there must be another one, but who? Maybe the government of the USA? Who knows!

Documents from WikiLeaks speak about the System for Operative Investigative Activities (SORM) of the Russian government, which is a system for mass surveillance in Russia. There are three versions of SORM. The first one, SORM-1, was able to monitor users’ communications metadata and content like phone calls, email traffic and web browsing activity. The second one, SORM-2, was also able to track all credit card transactions and monitor social networks, chats and forums. The last version, SORM-3, also supports IPv6 and Deep Packet Inspection (DPI).

Internet backbone infrastructure in Russia

SORM has three main components. The Data Retention System (DRS) is a component that operators are required by law to have, and it stores all communication metadata locally for three years. The Traffic Data Mart (TDM) is an IP traffic analysis system that allows the creation of reports for a specified time range. Finally, the Service СП-ПУ is a data exchange interface based on HTTPS which receives search requests from state intelligence authorities and delivers the results back to the initiator.

Components of PETER-SERVICE software
 
According to WikiLeaks, the Russian mass surveillance system has been implemented with the help of the firm Peter-Service, a Russian company that works for government agencies. This firm has a product called DPI*GRID, a hardware solution for “Deep Packet Inspection” that can inspect and analyse traffic at up to 10 Gbps per unit, where the resulting metadata and extracted information are collected in a database for further investigation.

Национальный оператор (National operator)

Another company that may be working on SORM is an Israeli firm called Cellebrite, the one that had 900 GB of data stolen in a hack at the beginning of this year, which works with the Italian company Hacking Team and which has recently changed its name to Mobilogy. They sell products and services for data extraction, transfer and analysis of mobile devices, and according to the stolen data their phone hacking products and services have been sold to countries such as Russia and Turkey.

Cellebrite Touch
 
We’ll stay alert for the next Spy Files Russia but, once again, we see the Internet is not as free as it used to be, because terrorism is a real threat and espionage is everywhere, while our communications are intercepted.

Best regards my friends and keep alert!

18 September 2017

No Place to Hide: Snowden and the NSA



We no longer know who our friends are, because spying and distrust are growing between governments, allies and everybody else; maybe this is because technology is used more and more, and as a result it is easier to reach someone or something through the Internet. After reading the Steve Jobs biography and The Truth About Your Future, this week I’ve just finished another book, No Place to Hide by Glenn Greenwald, where the espionage and surveillance programs of the United States are the main topic of this interesting book.

This is a book about the whistleblower Edward Snowden, who decided to meet Glenn Greenwald and Laura Poitras to publish lots of secret documents about the NSA and the United States’ surveillance programs. Some of them are the well-known PRISM surveillance program, which collects internet communications from at least nine major US internet companies; the Bullrun decryption program, which cracks the encryption of online communications and data; and the XKeyscore secret computer system, which searches and analyses global internet data.

XKeyscore secret computer system
 
However, this book covers many other surveillance programs too, like the Egotistical Giraffe program to attack Tor users through vulnerable software on their computers, the MUSCULAR surveillance program to break into the main communications links that connect the data centers of Yahoo! and Google, the Boundless Informant system for big data analysis and data visualization, and the Olympia program to map the communications of Brazil’s Mines and Energy Ministry by targeting the metadata of phone calls and emails to and from the ministry.

MUSCULAR surveillance program

As we can see, there are many surveillance programs to break into the privacy of citizens in order to, as the United States says, fight against terrorism. But there are many more surveillance programs still, like ShellTrumpet to capture sensitive internet metadata; Blarney, Fairview, OAKSTAR and STORMBREW for collecting data at facilities in the United States as well as outside the US; the Tempora secret computer system to buffer most Internet communications extracted from fiber-optic cables; or the Thieving Magpie and Homing Pigeon programs to intercept data from passengers travelling on board commercial aircraft.

Thieving Magpie and the Homing Pigeon programs

Meanwhile, we see how governments ban foreign products and technologies in their countries for fear of espionage and surveillance, like the recent news that the Trump administration has banned Kaspersky software from US agencies, or when US lawmakers sought to block China’s Huawei and ZTE.

What’s more, this week we could also read in the press that the European Union wants to curb foreign takeovers of strategic assets. I think this is good news, because it is also aligned with the EU Cybersecurity Strategy, where we must protect strategic assets with EU technologies, and this is how we prevent tech companies that protect strategic assets from being bought by non-EU countries.

Best regards my friends!

11 September 2017

AWS Cloud – firewalls, load balancers, WAF …



I’ve worked with firewalls, load balancers, WAFs, SIEM products, etc, and I've installed them both as physical and as virtual appliances. I’ve also worked with cloud providers like OVH, Arsys, Bluehost, etc, but none of them is like AWS Cloud, because Amazon has changed the way we see this IT world, with many services and easy pay-as-you-use billing. However, installing network or security appliances in the Amazon Cloud is not an easy task at first, because we have to change our mindset to the Amazon World where, for instance, all traffic is unicast and the ARP protocol is gone.

The first time I took the plunge and used AWS Cloud was to install a firewall with VPN and IDS/IPS services on three simple networks. Although it seems easy and simple, this needs lots of hours of reading and understanding the Amazon World because, first, they already have VPN services like AWS Direct Connect or AWS VPN CloudHub; second, they also have security services like EC2 Security Groups and Network ACLs; third, there are no SPAN or mirror ports for an IDS; fourth, there are no VLANs but Virtual Private Clouds (VPC) and subnets. As you can see, we have to adapt our infrastructure and knowledge to the Amazon World if we want to use AWS Cloud.

EC2 Security Group
 
Another common task is to install a load balancer for better performance and availability of web services. Again, AWS Cloud has its own load balancers, the Application Load Balancer (ALB) and the Classic Load Balancer (CLB), within the Elastic Load Balancing (ELB) service. This is an “easy” way to balance our traffic between virtual machines, also called EC2 instances, and even to configure SSL offloading with AWS Certificate Manager (ACM) and AWS Identity and Access Management (IAM). Auto Scaling configuration is also a must for quick and easy growth. What’s more, GSLB is also an option thanks to Amazon Route 53, where we can have high availability between different AWS regions.

Cross-Zone Load Balancing
 
If we want to protect our web services against layer 7 attacks like SQLi, XSS or CSRF, we’ll need to install a WAF as well. Once again, Amazon has its own AWS WAF, which is useful for mitigating the OWASP Top 10 web application vulnerabilities and integrates perfectly with ELB (Elastic Load Balancing) and Amazon CloudFront to deliver highly available and secure web services through Amazon’s Content Delivery Network (CDN). In addition, we can also protect our services against layer 3/4 attacks with AWS Shield to mitigate, for example, DDoS attacks.

Web site with Amazon CloudFront and AWS WAF
 
As we can see, there are many Amazon services, and there are many more like AWS Directory Service, Amazon EBS, Amazon S3, AWS KMS, Amazon RDS, AWS CloudTrail, etc. However, we can also install commercial solutions from Fortinet, Check Point, F5 Networks, Radware, AlienVault, etc in the AWS Cloud: we can search the AWS Marketplace for Amazon Machine Images (AMI) to install commercial products in the Amazon Cloud.

AWS Marketplace
 
Today AWS Cloud has many services, many customers and lots of guides and docs to deliver our services in a reliable way; meanwhile, we’ll see how Google and Microsoft do their homework to eat a piece of this cake.

Best regards my friends!

4 September 2017

Galicia & Porto



This summer has been totally different, because I haven’t been in a workcamp like in previous years in Turkey, Russia or the Czech Republic; instead, I’ve been reading a lot, studying French, and travelling around the north of Spain, and Portugal too. In fact, I’ve also done the “Camino de Santiago” from Santiago de Compostela to Muxia, which meant walking a lot, visiting beautiful towns and beaches, eating delicious food and talking a lot with people.

Santiago de Compostela

Many friends always tell me I do things the other way around, and I don’t know, but this time it’s true, because I started from Santiago de Compostela instead of ending there. So the first thing I did was visit the Obradoiro square, next to the cathedral, and eat octopus. After sightseeing ... walking, walking and more walking to the first town, Negreira (22 km in 5 hours); it was fun, without fatigue and with good weather. Next, I went to the small town of Olveiroa (36 km in 8 hours); as a result I was tired, even sunburnt, so I stayed in my room all day.

Negreira

The first two days were easy, whereas the third, to Cee (18 km in 4 hours), was wet but fun: it rained with fog all day. The following day was prettier and quieter, because I walked along the coast to Finisterre (20 km in 5 hours), where the KM 0 is located. The last stage was along the coast as well, to Muxia (28 km in 6 hours); it was beautiful and amazing, with clean beaches, although the Prestige oil tanker spilled oil there in 2002. From my point of view, Muxia was the most beautiful town I saw during the Camino de Santiago.

Muxia

After walking and walking, it was time for tourism. First, I went to A Coruña and visited the Tower of Hercules, the Military Museum, squares, cathedrals, etc, which was, from my point of view, prettier than Santiago de Compostela; I liked this city. I also went to Poio, where I saw a long mosaic in the monastery, and to Combarro too, to visit the small fishermen’s houses near the sea. O Grove was another town I visited, where I could see astonishing views from the A Siradella balcony, as well as a chapel made of scallop shells.

O Grove

I couldn’t go back home without going to the Cíes Islands. First, I hiked to the top of the island to see beautiful views; after that, I went to the beach to rest and swim in the cold sea. Baiona was another mandatory stop, to visit the caravel La Pinta, the Virgin of the Rock, Groba mountain, the museum of the sea, etc. My last stop in Spain was A Guarda, to visit the Celtic fields and the mouth of the Miño river at the Atlantic Ocean.

Baiona

To finish my trip, I went to Porto, in Portugal. At the beginning I didn’t know which language to speak, English or Spanish, but later on I realized they understand Spanish well enough. I arrived at night and the city was dirty and smelly, but the morning was much better when I visited the Clérigos Church, the Lello Bookstore, the Dom Luís I Bridge, the cathedral, etc.

Porto - Lello Bookstore

This is an overview of my holidays; as you can see, no tech things, just resting and enjoying the summer to be ready for the next season.

Regards my friends!!

31 July 2017

Five years ago …



Five years ago I opened this blog to write about networking and security, because I wanted to improve my writing skills and because it was a good way to stay up to date on technologies, standards, protocols, attacks, etc. In addition, I’ve been writing in English for two years and I want to keep writing in English because I don’t want to forget the language. Who knows if I’ll be writing in French in the future, because I really love languages and I've started to learn French as well.

What have I done in the last year? I’ve done many things, as always, and I like it. I’ve been reading, studying, testing and teaching new datacenter technologies like Shortest Path Bridging (SPB), Virtual Extensible LAN (VXLAN) and Software-Defined WAN (SD-WAN). On the other hand, I’ve also installed, configured and/or supported load balancer appliances, SIEM appliances and firewall appliances, and I’ve even been at the FortiXpert (again) and ForoCiber conferences. Everybody has heard about WannaCry, which was just another cyberattack, and the Apache Struts vulnerability; I analysed and read about both to know how they work. Troubleshooting network performance issues and improving SSL VPN performance with DTLS are two more things that have improved my knowledge of networking, as has studying the DTLS protocol for configuring SSL VPN over UDP. In addition, I’ve also been reading a lot about the CIA hacking tools, the Security Directives for the EU, the cyber rights in the new GDPR, and books like the Steve Jobs biography and The Truth About Your Future. So much reading and studying that I achieved the level of F5 Certified BIG-IP Administrator. What’s more, once again, I’ve been abroad in a workcamp for two weeks, working for free, in a small town in the Czech Republic where I met interesting and kind people. Finally, I would also like to highlight the talk at CUM University, where I returned to speak about security.

Here is an overview of the most widely read posts of the last five years:


As for where the blog is visited from, here are the statistics:


Last but not least, I would like to thank everybody who reads this blog and supports me, because they are the main reason why I have already written 244 posts with almost 180000 views. If anyone has something to say to improve this blog, it is welcome.

Regards my friends and I hope to see you again back in September after a great holiday.

24 July 2017

Throw away your firewalls!!



I usually install firewall appliances with UTM (Unified Threat Management) features to protect our customers’ networks and information against viruses, malicious websites, spam, attacks, etc. Most of these firewalls are installed at the perimeter of the network and most of them have VPN capabilities as well. Therefore, SSL VPN or IPSec VPN are used to connect to the organization from untrusted networks like coffee shops, airports, hotels, etc. Actually, this is a good way to give remote users access to internal services.

However, Google wants to break the schemas, architecture and design that we are used to seeing with a new concept called BeyondCorp. They are working on a new approach to enterprise security where everything is untrusted, also called Zero Trust, and where access control is shifted from the perimeter to individual devices and users, allowing employees to work securely from any location without the need for a traditional VPN. As a result, employees don’t have to install any VPN client, which is a great benefit, and internal services are no longer internal services but are accessible from any location, even from the Internet.

BeyondCorp components and access flow
 
As we can see, this new approach has many components. As it trusts individual devices and users instead of networks, there are two important databases, the device inventory database and the user/group database, where trustworthy users and devices are stored. However, the trust of a user or device can change over time: for example, if the device doesn’t have the latest OS patch applied, doesn’t have the latest antivirus signatures or its certificate is in the blacklist, that device is not trustworthy and it’s moved to the untrusted network. All of these tasks are done by the trust inference component, the certificate issuer and the pipeline. On the other hand, the access control engine, along with the access proxy, provides service-level authorization to enterprise applications on a per-request basis. This new security model also has a RADIUS component to move users and devices from one VLAN to another inside Google buildings, and a Single Sign-On component for user authentication to all applications.

This new approach of protecting our corporate security perimeter without firewalls means publishing all our internal services to the Internet. As we can see, Google has resources like the codereview.corp.google.com domain name registered in public DNS with a CNAME pointing to the access proxy:

DNS Intranet resources

Moma is the Intranet of Google employees, and lots of resources are accessible from the Internet through the access proxy with BeyondCorp:

MOMA Single Sign-On
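An added example (not Google’s code) that models the per-request decision described above: the trust tier of a device is inferred from the inventory on every request (OS patch level, antivirus signatures, certificate blacklist), and the access control engine combines it with the user directory and the service’s policy before the access proxy lets the request through. The baseline values, devices, users and service names are assumed sample data.

```python
from dataclasses import dataclass

# Constructed policy baselines (assumed values, not Google's): what "current" means today.
REQUIRED_OS_PATCH = "2017-07"
REQUIRED_AV_SIGNATURES = 1300
CERT_BLACKLIST = {"serial-0042"}          # device certificates revoked by the certificate issuer


@dataclass
class Device:
    cert_serial: str                      # the client certificate presented to the access proxy
    os_patch: str                         # "YYYY-MM", so lexical comparison orders it correctly
    av_signatures: int
    in_inventory: bool = True


@dataclass
class User:
    name: str
    groups: set


@dataclass
class AccessRequest:
    user: str
    cert_serial: str
    service: str
    sso_token_valid: bool


# Service catalogue published through the access proxy: minimum trust tier and allowed groups.
SERVICE_POLICY = {
    "codereview": {"min_tier": "trusted", "groups": {"engineering"}},
    "wiki":       {"min_tier": "basic",   "groups": {"engineering", "sales"}},
}
TIER_RANK = {"untrusted": 0, "basic": 1, "trusted": 2}


def infer_trust(device):
    """Trust inference: the tier is recomputed from the inventory on every request, never cached."""
    if device is None or not device.in_inventory:
        return "untrusted", "device not in inventory"
    if device.cert_serial in CERT_BLACKLIST:
        return "untrusted", "certificate blacklisted"
    if device.os_patch < REQUIRED_OS_PATCH:
        return "basic", "OS patch level out of date"
    if device.av_signatures < REQUIRED_AV_SIGNATURES:
        return "basic", "antivirus signatures out of date"
    return "trusted", "device compliant"


def access_control_engine(request, users, inventory):
    """Per-request decision for the access proxy; returns (allowed, reason)."""
    if not request.sso_token_valid:
        return False, "SSO authentication failed"
    user = users.get(request.user)
    if user is None:
        return False, "unknown user"
    tier, why = infer_trust(inventory.get(request.cert_serial))
    policy = SERVICE_POLICY.get(request.service)
    if policy is None:
        return False, "service not published"
    if TIER_RANK[tier] < TIER_RANK[policy["min_tier"]]:
        return False, f"device tier {tier} below {policy['min_tier']}: {why}"
    if not user.groups & policy["groups"]:
        return False, f"{user.name} not in an allowed group for {request.service}"
    return True, f"{user.name} on {tier} device: {why}"


# Constructed inventory and user directory (assumed sample data).
INVENTORY = {
    "serial-0001": Device("serial-0001", "2017-07", 1305),
    "serial-0002": Device("serial-0002", "2017-03", 1305),   # missed the latest OS patch
    "serial-0042": Device("serial-0042", "2017-07", 1305),   # certificate since revoked
}
USERS = {"alice": User("alice", {"engineering"}), "bob": User("bob", {"sales"})}


def decide(user, cert_serial, service, sso_ok=True):
    """Convenience wrapper: one request evaluated against the sample directory and inventory."""
    return access_control_engine(AccessRequest(user, cert_serial, service, sso_ok), USERS, INVENTORY)
```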

From my point of view, firewalls aren’t going to disappear yet, but we’ll move to a 4th generation of firewalls where we’ll configure firewall policies by users and devices easily, instead of by networks, because any location and network will be untrusted. In addition, we’ll have better integration between all IT devices (servers, desktops, databases, WiFi, switches, mail, web, firewall, etc) for better security protection, such as Fortinet is doing with its Fortinet Security Fabric.

Regards my friends and remember, the world is changing very fast and the IT security as well.

17 July 2017

Reverse Engineering Malware



I’m used to working with network devices and security systems to improve network performance and protect information. It seems I’m specialized in the networking and security fields but, in fact, there are lots of subfields inside networking and security, like forensics, reverse engineering, law, pentesting, auditing, etc. Therefore, I’m not specialized in any field yet, but I would like to write about reverse engineering this week, which is an amazing and very technical field that only a few people know how to do really well. Of course, I’m not one of them. I’m a newbie in this field.

Reverse engineering is a field mainly for researchers and antivirus companies who are interested in finding exploitation techniques, discovering new encryption methods or finding encryption keys. They are also interested in finding new de-obfuscation techniques and investigating C&C communications. Therefore, they know how to do complete reverse engineering with techniques such as static analysis, dynamic analysis, automated analysis and even manual analysis. Thus, knowing and picking the right tools is very important for reverse engineering.

There are many reverse engineering tools, some free and others commercial. For instance, the most popular static analysis tool for reverse engineering is IDA Pro, which is useful for decompiling with Hex-Rays, but if we are newbies we can use Radare2 for free and Linux commands like strings, file or otool. However, there are many more static analysis tools like PEiD, PEStudio, PE32, etc. On the other hand, there are many dynamic analysis tools like Immunity Debugger, OllyDbg, Sysmon, Regshot or the popular Wireshark/TCPdump.

IDA PRO
 
Sandboxing is another kind of dynamic analysis tool, very popular and useful today. There are free online sandboxes like Malwr, Hybrid Analysis, DeepViz or VirusTotal, and there are also commercial sandboxes like FortiSandbox, in the cloud or as an on-site appliance. Of course, local, or on-premise, sandboxes are better than online sandboxes, because uploading the file to the sandbox is faster and, as a result, we’ll have the results faster too. In addition, local sandboxes are more customizable than online sandboxes, because we can choose the language of the operating system and other variables for better analysis.

FortiSandbox

If we don’t have deep knowledge of malware analysis and we don’t have enough resources either, we can use Cuckoo Sandbox for reverse engineering malware. It is an automated malware analysis system which is able to analyse any malicious file under Windows, OS X, Linux and Android. Cuckoo is a free, 100% open source sandbox that easily integrates with our existing frameworks and storage, with the data we want, in the way we want, in the format we want. Therefore, it’s highly recommended to have a sandbox in our infrastructure, and Cuckoo Sandbox is better than nothing. It’s another barrier for better security.

Cuckoo Sandbox

There are many other tools which help us to know what is happening in our infrastructure, like OTX, which is the Collective Intelligence Framework of AlienVault, where we can subscribe to Pulses to exchange indicators of compromise with our USM or OSSIM. On the other hand, we can also check IP or domain reputation in online services like FortiGuard.

OTX

Regards my friends and remember, reverse engineering malware is a subfield of security which should be taken into account to protect our information.
