Wednesday 31 May 2023

BurpSuite Introduction & Installation



What is BurpSuite?
Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.

In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.











Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.

BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.

Requirements and assumptions:

Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.

on for Firefox from   https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/


If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.


Video for setup and installation.




You need to install compatible version of java , So that you can run BurpSuite.

Related posts


  1. Hacking Tools Name
  2. Hacking Tools Free Download
  3. Hacker Tools Apk Download
  4. Hack Tools For Ubuntu
  5. Hacker Tools For Mac
  6. Hacking Tools For Windows
  7. Hack And Tools
  8. Pentest Tools For Windows
  9. Game Hacking
  10. How To Install Pentest Tools In Ubuntu
  11. Hacker Tool Kit
  12. Hack Tools Online
  13. Pentest Tools For Mac
  14. Pentest Tools Website
  15. Hacker Tools
  16. Hacker Security Tools
  17. Growth Hacker Tools
  18. Hack App
  19. Pentest Tools Port Scanner
  20. Pentest Tools Apk
  21. Hack Tools Pc
  22. How To Hack
  23. Hacker Tools 2019
  24. Ethical Hacker Tools
  25. Hacking Tools Free Download
  26. Hacking Tools For Beginners
  27. Hacker Tools Github
  28. Hacker Tools 2020
  29. Hack Tools
  30. Pentest Reporting Tools
  31. Pentest Tools Subdomain
  32. Pentest Tools Port Scanner
  33. Hackrf Tools
  34. Hacker Tools Apk
  35. How To Hack
  36. Hack Tools Mac
  37. Physical Pentest Tools
  38. Pentest Reporting Tools
  39. Hacking Tools 2020
  40. Hack Tool Apk No Root
  41. Tools Used For Hacking
  42. Pentest Tools Subdomain
  43. Pentest Box Tools Download
  44. Wifi Hacker Tools For Windows
  45. World No 1 Hacker Software
  46. Best Hacking Tools 2020
  47. Hack Website Online Tool
  48. Top Pentest Tools
  49. Hack And Tools
  50. Hacker Tools For Windows
  51. Underground Hacker Sites
  52. Pentest Tools Online
  53. Pentest Tools List
  54. Pentest Tools Windows
  55. Hack Tools Download
Posted by at No comments:

APT Calypso RAT, Flying Dutchman Samples




Attackers exploit Windows SMB vulnerability CVE-2017-0143 or use stolen credentials to gain access, deploy the custom Calypso RAT and use it to upload other tools such as Mimikatz, EternalBlue and EternalRomance. They move laterally and steal data.

Links updated: Jan 19, 2023

Download

             Other malware




Hashes




MD5SHA256SHA1FilenameFile TyeeStage
aa1cf5791a60d56f7ae6da9bb1e7f01ed5afa3bfd423ba060207ad025467feaa56ac53d13616ac8782a7f63c9fc0fdb4bdd8b9115d1ae536d0ea1e62052485e5ad10761fMPSSVC.dllpe dllCalypso RAT Payload
1e765fed294a7ad082169819c95d2c85f6a09372156a8aef96576627a1ed9e57f194b008bb77e32ca29ac89505f933f060dda7ccd9ae00701046923b619a1b9c33c8e2acWscntfy.exepe exeCalypso RAT Dropper
17e05041730dcd0732e5b296db16d757b6c21c26aef75ad709f6c9cfa84bfa15b7ee709588382ce4bc3544a04bceb661f3301405d8ad5b160747241d6b2a8d88bf6292e8pe exeCalypso RAT Dropper
1ed72c14c4aab3b66e830e16ef90b37beebff21def49af4e85c26523af2ad659125a07a09db50ac06bd3746483c89f9ddc0d0a34f107d140d9e47582e17a7fec945403eacoal.exepe exeCalypso RAT Dropper
e24a62d9826869bc4817366800a8805cc407c3dde18c9b56ed24492ca257d77a570616074356b8c7854a080823f7ee1753791c9e7c41931a6becb999fee4eb7daf9b1a11data01.binpe dllCalypso RAT Dropper
c9c39045fa14e94618dd631044053824ab39301d45045172ad41c9a89210fdc6f0d3f9dccb567fd733b0dbffbfcfbcc31cda28bc307c09508dbb1f3495a967bbcc29326epe exeCalypso RAT Dropper
69322703b8ef9d490a20033684c28493e6a3b43acdaa824f3280095b10798ea341839f7d43f0460df8989f13c98fa6e0f203680d97705d99f92fe9797691be6177f5fd41RasCon.dllpe dllCalypso RAT Dropper
85ce60b365edf4beebbdd85cc971e84d5dfdee5dd680948d19ab4d16df534cf10aca5fa0b157c59659d6517fe897c62fd9c14f7b6de8e26ae33e41a72ae8e35bb1af4434pe exeCalypso RAT Dropper
6347e42f49a86aff2dea7c8bf455a52a281583aca23f8fd8745dd88a600cbfc578d819859a13957ec022b86c3c1c99f48b2a81af85590e0e36efc1c05aa4f0600ea21545HIDMgr.dllpe dllCalypso RAT Dropper
cb914fc73c67b325f948dd1bf97f57330031c7b63c1e1cd36d55f585d97e2b21a13a19858d5a1aa5455e5cc64b41e6e937ce4d0a3168e3b2f80b3fae38082e68a454aee0pe exeCalypso RAT Dropper
c84df4b2cd0d3e7729210f15112da7ac4e8351ddaff18f7df6fcc27a3c75598e0c56d3b406818d45effb4e78616092c241a0c5a1aad36f405c8755613c732591e3300f97mscorsvw.dllpe dllCalypso RAT Dropper
5199ef9d086c97732d97eddef56591ec511683c8ee62478c2b45be1f782ce678bbe03c4349a1778651414803010b3ee9d19a786adc09dff84642f2c2e0386193fa2a914bdnscache.dllpe dllFlyingDutchman
06c1d7bf234ce99bb14639c194b3b318a9a82099aa812d0c4025bee2b34f3b34c1d102773e36f1d50648815913dbe03d464ab9e11d371bf24de46c98c295d4afe7e957c1fromResource.exepedllFlyingDutchman
617d588eccd942f243ffa8cb13679d9c0664b09a86ec2df7dfe01a93e184a1fa23df66ea82cab39000944e418ec1f7b21b043fdcb582ed13cbf7dabcef6527762b5be93cpe dllHussar
2807236c2d905a0675878e530ed8b1f8314e438198f8cc2ee393c75f8e9f2ebd2b5133fd6f2b7deb1178f82782fc63302f6fe857632a67e87f4f3631bfa93713ccdf168aAeLookupMgr.dllpe dllCalypso RAT Payload
cce8c8ee42feaed68e9623185c3f7fe438cc404437b936660066b71cc87a28af1995248d6d4c471706eb1dd347129b4b9d2235c911b86bb6ad55d953a2f56ea78c5478e5AppCert.dll.crtCalypso RAT Payload
e1a578a069b1910a25c95e2d9450c710413622ded5d344a5a78de4fea22cfdabdeb4cdccf69e9a1f58f668096c32473836087a5b0809dc3f9dc5a77355a88e99af491a88RasCfgMan.dll.crtCalypso RAT Payload
0d532484193b8b098d7eb14319cefcd3f8043d6bfc3e63d8561f7f74e65cb7ff1731577ecf6c7559795d9de21298f0fc31f4c6dc6ce78b4e0439b30c830dfd5d9a3fc4feRasCfgMan.dllpe dllCalypso RAT Payload
974298eb7e2adfa019cae4d1a927ab070461710e681fd6dc9f1c83b57f94a88cd6df9e6432174cbfdd70dfd24577a0f841bc37679ce3caeecc176d10b4f8259918e25807VirtualUMP.dll.crtCalypso RAT Payload
05f472a9d926f4c8a0a372e1a71939988017923cd8169bf951106f053408b425f1eb310a9421685638ead55bb3823db38d909bd3450ebe0cffd0cb17b91bc28d23ef5083EFSProvider.dll.crtCalypso RAT Payload
d1a1166bec950c75b65fdc7361dcdc63f3f38c097b0cc5337b7d2dbec098bf6d0a3bb4a3e0336e7b1c8af75268a0a49d5731350f68a74fb4762c4ea878ecff635588a825RasCon.dllpe dll 64bits assemblyCalypso RAT Payload
e3e61f30f8a39cd7aa25149d0f8af5efc4dc7519bccc24c53794bf9178e4a4d0823875c34479d01cedbb3e9b10f5c7301b75ea494c3ac171c5177bdcc263b89a3f24f207MPSSVC.dllpe dllCalypso RAT Payload

Related posts


Posted by at No comments:

Hackerhubb.blogspot.com

Hackerhubb.blogspot.comContinue reading
Posted by at No comments:

Tuesday 30 May 2023

Reversing Pascal String Object

There are many goodware and malware developed in pascal, and we will see that the binary generated by the pascal compilers is fascinating, not only because the small and clean generated binaries, or the  clarity of the pascal code, but also the good performance. In Linux we have Lazarus which is a good free IDE like Delphi and Kylix the free pascal IDE for windows.

The program:

program strtest;

 var
  cstr:  array[0..10] of char;
  s, s2:  ShortString;

 begin
  cstr := 'hello world';
  s  := cstr;
  s2 := 'test';
  
  WriteLn(cstr + ' ' + s + ' ' + s2);
end.


We are going to compile it with freepascal and lazarus, and just the binary size differs a lot:

lazarus          242,176 btytes  845 functions
freepascal       32,256 bytes   233 functions
turbopascal      2,928 bytes     80 functions  (wow)

And surprisingly turbopascal binaries are extremely light.
Lets start with lazarus:




Logically it imports from user32.dll some display functions, it also import the kernel32.dll functions and suspiciously the string operations of oleaut32.dll 


And our starting point is a function called entry that calls the console initialization and retrieve some console configurations, and then start a labyrinth of function calls.



On functions 10000e8e0 there is the function that calls the main function.

I named execute_param2 because the second param is a function pointer that is gonna be executed without parameters, it sounds like main calling typical strategy.
And here we are, it's clearly the user code pascal main function.


What it seems is that function 100001800 returns an string object, then is called its constructor to initialize the string, then the string is passed to other functions that prints it to the screen.

This function executes the method 0x1c0 of the object until the byte 0x89 is a null byte.
What the hell is doing here?
First of all let's create the function main:


Simply right button create function:

After a bit of work on Ghidra here we have the main:


Note that the struct member so high like 0x1b0 are not created by default, we should import a .h file with an struct or class definition, and locate the constructor just on that position.

The mysterious function was printing byte a byte until null byte, the algorithm the compiler implemented in asm is not as optimized as turbopascal's.

In Windbg we can see the string object in eax after being created but before being initialized:












Just before executing the print function, the RCX parameter is the string object and it still identical:


Let's see the constructor code.
The constructor address can be guessed on static walking the reverse-cross-references to main, but I located it in debugging it in dynamic analysis.


The constructor reads only a pointer stored on the string object on the position 0x98.

And we have that the pointer at 0x98 is compared with the address of the literal, so now we know that this pointer points to the string.
The sentence *string_x98 = literal confirms it, and there is not memory copy, it only points reusing the literal.



Freepascal

The starting labyrinth is bigger than Lazarus so I had to begin the maze from the end, searching the string "hello world" and then finding the string references:


There are two ways to follow the references in Ghidra, one is [ctrl] + [shift] + F  but there is other trick which is simply clicking the green references texts on the disassembly.

At the beginning I doubted and put the name possible_main, but it's clearly the pascal user code main function.




The char array initialization Is converted by freepascal compiler to an runtime initialization using mov instructions.

Reducing the coverage on dynamic we arrive to the writeln function:


EAX helds  a pointer to a struct, and the member 0x24 performs the printing. In this cases the function can be tracked easily in dynamic executing the sample.

And lands at 0x004059b0 where we see the WriteFile, the stdout descriptor, the text and the size supplied by parameter.


there is an interesting logic of what happens if WriteFile() couldn't write all the bytes, but this is other scope.
Lets see how this functions is called  and how text and size are supplied to figure out the string object.



EBX helds the string object and there are two pointers, a pointer to the string on 0x18 and the length in 0x18, lets verify it on windbg.


And here we have the string object, 0x0000001e is the length, and 0x001de8a68 is the pointer.


Thanks @capi_x for the pascal samples.

Related links


  1. Hacking App
  2. Pentest Tools Url Fuzzer
  3. Tools 4 Hack
  4. How To Hack
  5. Pentest Tools Windows
  6. How To Install Pentest Tools In Ubuntu
  7. Tools Used For Hacking
  8. Nsa Hack Tools Download
  9. Pentest Tools Github
  10. Hackrf Tools
  11. Hacking Tools For Windows 7
  12. Top Pentest Tools
  13. Nsa Hack Tools Download
  14. Usb Pentest Tools
  15. Hack Tools Download
  16. Top Pentest Tools
  17. Hacker Tools Hardware
  18. Hack Tools For Ubuntu
  19. Hak5 Tools
  20. Hacker Tools Linux
  21. Pentest Tools For Windows
  22. Pentest Tools For Android
  23. Usb Pentest Tools
  24. Pentest Tools Website
  25. Best Pentesting Tools 2018
  26. Hacking Tools For Games
  27. Pentest Tools For Mac
  28. Ethical Hacker Tools
  29. What Are Hacking Tools
  30. Pentest Tools For Mac
  31. Hack Tools For Mac
  32. Hack And Tools
  33. Black Hat Hacker Tools
  34. Pentest Box Tools Download
  35. Free Pentest Tools For Windows
  36. Hack Tools For Mac
  37. Hacking Tools Kit
  38. Hacker Tools
  39. Pentest Tools List
  40. How To Make Hacking Tools
  41. Hack Tools Pc
  42. Hacking Tools Download
  43. Hack Tools Mac
  44. Hak5 Tools
  45. Hacking Tools For Pc
  46. Pentest Tools Apk
  47. Pentest Tools Github
  48. What Is Hacking Tools
  49. Hacking Tools Kit
  50. Pentest Tools Review
  51. Hacker Tools List
  52. Hacker Tools Software
  53. Hacker Tools List
  54. Pentest Tools
  55. Hack Tools Pc
  56. Hack Tools For Windows
  57. Hack Website Online Tool
  58. Hack Tools For Games
Posted by at No comments:
Subscribe to: Posts (Atom)