Wednesday, May 31, 2023

Hacking Windows 95, Part 1

During a CTF game, we came across very-very old systems. Turns out, it is not that easy to hack those dinosaur old systems, because modern tools like Metasploit do not have sploits for those old boxes and of course our "133t h4cking skillz" are useless without Metasploit... :)

But I had an idea: This can be a pretty good small research for fun.

The rules for the hack are the following:
  1. Only publicly available tools can be used for this hack, so no tool development. This is a CTF for script bunniez, and we can't haz code!
  2. Only hacks without user interaction are allowed (IE based sploits are out of scope).
  3. I need instant remote code execution. For example, if I can drop a malware to the c: drive, and change autoexec.bat, I'm still not done, because no one will reboot the CTF machine in a real CTF for me. If I can reboot the machine, that's OK.
  4. I don't have physical access.
I have chosen Windows 95 for this task. First, I had to get a genuine Windows 95 installer, so I visited the Microsoft online shop and downloaded it from their official site.

I installed it in a virtualized environment (remember, you need a boot floppy to install from the CD), and it hit me with a serious nostalgia bomb after watching the installer screens. "Easier to use", "faster and more efficient", "high-powered performance", "friendly", "intuitive interface". Who does not want that? :)

Now that I have a working Windows 95 box, setting up the TCP/IP is easy, let's try to hack it!

My first tool is always nmap. Let's scan the box! Below I'm showing the interesting parts from the result:

PORT      STATE           SERVICE       VERSION
139/tcp   open            netbios-ssn
137/udp   open|filtered   netbios-ns
138/udp   open|filtered   netbios-dgm
Running: Microsoft Windows 3.X|95
OS details: Microsoft Windows for Workgroups 3.11 or Windows 95
TCP Sequence Prediction: Difficulty=25 (Good luck!)
IP ID Sequence Generation: Broken little-endian incremental

The first exciting thing to note is that there is no port 445! Port 445 is only since NT 4.0. If you check all the famous windows sploits (e.g., MS03-026, MS08-067), all of them use port 445 and named pipes. But there are no named pipes on Windows 95!

Because I'm a Nessus monkey, let's run a free Nessus scan on it!

Only one critical vulnerability found:
Microsoft Windows NT 4.0 Unsupported Installation Detection

Thanks for nothing, Nessus! But at least it was for free.

Next, I tried GFI Languard: nothing. It detected the machine as Win95, the open TCP port, and some UDP ports as open (false positives), and that's all...

Let's try another free vulnerability scanner tool, Nexpose. The results are much better:
  • CIFS NULL Session Permitted
  • Weak LAN Manager hashing permitted
  • SMB signing not required
  • Windows 95/98/ME Share Level Password Bypass
  • TCP Sequence Number Approximation Vulnerability
  • ICMP netmask response
  • CIFS Share Readable By Everyone
I think the following vulnerabilities are useless for me at the moment:
  • Weak LAN Manager hashing permitted - without user interaction or services looking at the network, useless (I might be wrong here, will check this later)
  • TCP Sequence Number Approximation Vulnerability - not interesting
  • ICMP netmask response - not interesting
  • CIFS Share Readable By Everyone - unless there is a password in a text file, useless
But we have two interesting vulns:
  • CIFS NULL Session Permitted - this could be interesting, I will check this later ...
  • Windows 95/98/ME Share Level Password Bypass - BINGO!
Let me quote Nexpose here:

"3.2.3 Windows 95/98/ME Share Level Password Bypass (CIFS-win9x-onebyte-password)

A flaw in the Windows 95/98/ME File and Print Sharing service allows unauthorized users to access file and print shares by sending the first character of the password. Due to the limited number of attempts required to guess the password, brute force attacks can be performed in just a few seconds.

Established connection to share TEST with password P."

The vulnerability description on the Microsoft side:

For example, if the password is "Password" (without quotes) and the client sends the password "P" (without quotes) with a length of 1, the client is authenticated. To find the rest of the password, the attacker increments the length to 2 and starts guessing the second letter until he reaches "PA" and gets authenticated again. As share passwords in Windows 95 are not case sensitive, "Pa" and "PA" will also be accepted. The attacker can continue to increment the length and guess the next letter one by one until he gets the full "PASSWORD" (the maximum length is 8 characters).

I believe all characters between ALT+033 and ALT+255 can be used in a share password in Windows 95, but as it is case insensitive, we have 196 characters to use, and a maximum length of 8 characters. In the worst case this means that we can guess the full password in 1568 requests. The funny thing is that the share password is not connected (by default) to any username/account, and it cannot be locked out by brute forcing.
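The following simulation is an added example (not Microsoft's code and not the tool used below): a checker that compares only as many characters as the client sent, case-insensitively, next to a corrected full-length check, and a guess-by-guess recovery run against each. The alphabet is a constructed, reduced one (printable ASCII without lowercase), and worst_case_guesses uses the 196-character, 8-length figures from the text.

```python
"""Model of the Win9x share-level password flaw described above.

Constructed simulation, not Microsoft's implementation: the vulnerable
checker accepts any case-insensitive prefix of the stored password.
"""
import hmac
import string

# Constructed, reduced alphabet: printable ASCII minus lowercase letters
# (the check is case-insensitive) and minus whitespace -> 68 characters.
ALPHABET = [c for c in string.printable
            if not c.islower() and not c.isspace()]


def vulnerable_check(stored: str, supplied: str) -> bool:
    """Win9x-style check: compares only over the length the client sent,
    so every case-insensitive prefix of the stored password passes."""
    n = len(supplied)
    return 0 < n <= len(stored) and stored[:n].upper() == supplied.upper()


def fixed_check(stored: str, supplied: str) -> bool:
    """Corrected check: full length, constant time. A prefix never passes."""
    return hmac.compare_digest(stored.upper().encode(), supplied.upper().encode())


def recover_with_oracle(check, max_len: int = 8):
    """Extend the accepted prefix one character at a time, the pattern the
    Wireshark dump shows. Returns (recovered_prefix, guesses_sent)."""
    found, guesses = "", 0
    while len(found) < max_len:
        for ch in ALPHABET:
            guesses += 1
            if check(found + ch):
                found += ch
                break
        else:
            break  # no single character extends the prefix: stop
    return found, guesses


def simulate(stored: str, checker):
    """Run the recovery against one checker with a given stored password."""
    return recover_with_oracle(lambda guess: checker(stored, guess))


def worst_case_guesses(alphabet_size: int = 196, max_len: int = 8):
    """Worst-case guess counts with the post's figures: per-character
    confirmation (alphabet * length) versus a correct check (alphabet ** length)."""
    return alphabet_size * max_len, alphabet_size ** max_len


if __name__ == "__main__":
    print(simulate("PASSWORD", vulnerable_check))  # ('PASSWORD', 195)
    print(simulate("PASSWORD", fixed_check))       # ('', 68)
    print(worst_case_guesses())                    # (1568, 196 ** 8)
```

With the prefix comparison the search is linear in the password length; with the full-length comparison no prefix is ever confirmed, so the same loop stops after one pass over the alphabet with nothing recovered.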

Luckily there is a great tool which can exploit this vulnerability:

Let's check this tool in action:


W00t w00t, it brute forced the password in less than 2 seconds!

Looking at a wireshark dump we can see how it is done:


In the middle of the dump you can see that it has already guessed the part "PASS" and is brute-forcing the fifth character; it finds that "W" is the correct fifth character and starts brute-forcing the sixth character.

If we are lucky with the CTF, the whole C:\ drive is shared with full read-write access, and we can write our team identifier into the c:\flag.txt. But what if we want remote code execution? Stay tuned, this is going to be the topic of the next part of this post.

How To Hack Facebook By Social Engineering Attack

This video is specially for educational purpose only. I'm not responsible for your any illegal activity. Thanks!

Social Engineering Attack

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. The purpose of this video tutorial is to show you how hackers hack things with social engineering attacks.

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

Kali Linux has many tools for doing social engineering attacks. Setoolkit is the most powerful tool in Kali Linux for doing social engineering attacks over the same and different networks.

Social engineering over the same network requires the local IP address of your system, for example 192.168.1.2. So how do you get your local IP address? To find it, just open a terminal in your Linux distribution:

Type: ifconfig wlan0 (if you are using WiFi)
Type: ifconfig eth0 (if you are using wired Ethernet)
Type: ifconfig (it displays all information about your network)

The other thing you have to do is clone the web page you want, such as Facebook, Gmail, Twitter etc. For example, if you want to clone a Facebook page, you just have to type www.facebook.com in your system's terminal to clone the login page for the social engineering attack. If you still don't know how to do that, don't worry, I did the whole process practically in the video below; just scroll down and watch it!


How hackers do social engineering attacks. In this video you'll see how to hack Facebook with a phishing attack.

American Heart Association: Improving emergency, critical and operative care in low and middle-income countries

Hello HCIS,

Thank you for your interest in news from the American Heart Association. Click below to see the latest updates:

May 19, 2023
Improving emergency, critical and operative care in low and middle-income countries

https://newsroom.heart.org/news/improving-emergency-critical-and-operative-care-in-low-and-middle-income-countries



Spanish-Language Resources From NCCIH

Did you know that some of our most popular fact sheets are available in Spanish?


U.S. Department of Health & Human Services  /  National Institutes of Health

Did you know that some of our most popular fact sheets—including those on cancer, diabetes, stress, and weight control—are available in Spanish? We also have a Spanish version of our Know the Science health literacy toolkit.  

Click on the link below to see all the information that is available in Spanish. 



Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; they don't specify whether it is an authentication backdoor, a special command or something else.

I started looking for something weird in the authentication routines, but I didn't find anything significant in a brief period of time, so I decided to do a bindiff, and that was the key to locating the backdoor quickly. I did a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing ELFs, not needed for an FTP service, and the unmodified compiled binary doesn't have that symbol.

Looking at the xrefs of "execl" in IDA I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr onto the socket and calls execl:

There is one xref to this function; the function that decides when to trigger it is this kind of system-of-equations decision:


The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use the z3 equation solver because it is a simple one, and I solved it by hand.

The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor
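The chained constraints above can be solved mechanically, since each pairwise sum fixes the next byte from the previous one. The following is an added example, not the Amn3S1A team's code: a solver for the chain and a re-implementation of the decision function that can be used to verify a candidate command (or, on the defensive side, to flag the trigger in captured FTP commands). The writeup's constraint list shows cmd[1] = 78 while its solution uses cmd[1] = 75, and only 75 yields the published flag, so 75 is assumed here.

```python
"""Solver and verifier for the pairwise-sum trigger check in the writeup.

Added example, not the team's code. Constants are the sums listed above;
cmd[1] = 75 is taken from the writeup's solution (see lead-in).
"""

# cmd[i] + cmd[i+1] for i = 1 .. 16, as listed in the writeup.
PAIR_SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
             195, 195, 201, 207, 203, 215, 235, 242]
FIRST, SECOND = 69, 75


def solve_chain(first: int, second: int, pair_sums: list[int]) -> bytes:
    """Each sum fixes the next byte: cmd[i+1] = sum_i - cmd[i]. No SMT solver needed."""
    cmd = [first, second]
    for s in pair_sums:
        nxt = s - cmd[-1]
        if not 0 <= nxt <= 255:
            raise ValueError(f"no byte satisfies {s} - {cmd[-1]}")
        cmd.append(nxt)
    return bytes(cmd)


def is_trigger(cmd: bytes, first: int = FIRST, second: int = SECOND,
               pair_sums: list[int] = PAIR_SUMS) -> bool:
    """Re-implementation of the decision function: True only for the one
    command of the right length that satisfies every constraint."""
    if len(cmd) != len(pair_sums) + 2 or cmd[0] != first or cmd[1] != second:
        return False
    return all(cmd[i] + cmd[i + 1] == s for i, s in enumerate(pair_sums, start=1))


if __name__ == "__main__":
    flag = solve_chain(FIRST, SECOND, PAIR_SUMS)
    print(flag.decode())     # EKO{vsftpd_dejavu}
    print(is_trigger(flag))  # True
```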



American Heart Association: Heart health is sub-optimal among American Indian/Alaska Native women, supports needed

Hello HCIS,

Thank you for your interest in news from the American Heart Association. Click below to see the latest updates:

May 31, 2023
Heart health is sub-optimal among American Indian/Alaska Native women, supports needed

https://newsroom.heart.org/news/heart-health-is-sub-optimal-among-american-indianalaska-native-women-supports-needed



American Heart Association: 1 in 3 adults with Type 2 diabetes may have undetected cardiovascular disease

Hello HCIS,

Thank you for your interest in news from the American Heart Association. Click below to see the latest updates:

May 31, 2023
1 in 3 adults with Type 2 diabetes may have undetected cardiovascular disease

https://newsroom.heart.org/news/1-in-3-adults-with-type-2-diabetes-may-have-undetected-cardiovascular-disease



Tuesday, May 30, 2023

DOWNLOAD SENTRY MBA V1.4.1 – AUTOMATED ACCOUNT CRACKING TOOL

Sentry MBA is an automated account cracking tool and one of the most popular cracking tools. It is used by cybercriminals to take over user accounts on major websites. With Sentry MBA, criminals can rapidly test millions of usernames and passwords to see which ones are valid on a targeted website. The tool has become incredibly popular — the Shape Security research team sees Sentry MBA attack attempts on nearly every website we protect. Download Sentry MBA v1.4.1 latest version.

FEATURES

Sentry MBA has a point-and-click graphical user interface, online help forums, and vibrant underground marketplaces to enable large numbers of individuals to become cybercriminals. These individuals no longer need advanced technical skills, specialized equipment, or insider knowledge to successfully attack major websites.
A Sentry MBA attack has three phases:
  • Targeting and attack refinement
  • Automated account check
  • Monetization
