Facebook’s Account Kit is an easy authentication mechanism for third party apps

Facebook launched Account Kit at its F8 conference in April this year. Since it's release, Account Kit has been used by developers in over 26 countries to rapidly grow their apps using the easy phone number based sign up mechanism.

Account Kit is a sign up solution that is complementary to Facebook Login. The end user only needs to authenticate a phone number or an email address to sign up. Facebook allows for 100,000 authentication SMS messages per month per app for free. The process works even if users do not have a Facebook account. However, in case there are problems with the SMS authentication, there is an option to sign up through a Facebook account.

Account Kit is showing promising conversion rates of up to 90 per cent. This means that Account Kit is helping third party apps grow rapidly, with an easy to use authentication process. It also helps local applications with global growth.

Fynd is an Indian fashion shopping app that uses Account Kit. Fynd Co-founder Farooq Adam said "Account Kit is a great solution for any app developer looking to build mobile number-based authentication. Facebook's fast SMS delivery and seamless one-time password (OTP) ensures our customers get a flawless login experience. Account Kit's global reach allows us to serve customers worldwide; using it has significantly increased our number of sign-ups and improved successful sign-ups by over 25%."

Do Subscribe on YouTube!
Follow Me on Twitter>>> @iamBhavish
And like us on Facebook>>> The Gud1

[Hook Analyser 2.5] Application (and Malware) Analysis tool

Application (and Malware) Analysis tool. Hook Analyser is a hook tool which could be potentially helpful in reversing application and analysing malwares.

Changelog v2.5

This has now five (5) key functionalities:

1. Spawn and Hook to Application – This feature allows analyst to spawn an application, and hook into it. The module flow is as following -
1. PE validation (with XOR bruteforce)
2. Static malware analysis.
3. Other options (such as pattern search or dump all)
4. Type of hooking (Automatic, Smart or manual)
5. Spawn and hook

Currently, there are three types of hooking being supported –

• Automatic – The tool will parse the application import tables, and based upon that will hook into specified APIs
• Manual – On this, the tool will ask end-user for each API, if it needs to be hooked.
• Smart – This is essentially a subset of automatic hooking however, excludes uninteresting APIs.

2. Hook to a specific running process-The option allows analyst to hook to a running (active) process. The program flow is –

1. List all running process
2. Identify the running process executable path.
3. Perform static malware analysis on executable (fetched from process executable path)
4. Other options (such as pattern search or dump all)
5. Type of hooking (Automatic, Smart or manual)
6. Hook to a specific running process
7. Hook and continue the process

3. Static Malware Analysis – This module is one of the most interesting and useful module of Hook Analyser, which performs scanning on PE or Widows executables to identify potential malware traces. The sub-components have been mentioned below (and this is not the full list) -

1. PE file validation (with XOR bruteforce)
2. CRC and timestamps validation
3. PE properties such as Image Base, Entry point, sections, subsystem
4. TLS entry detection.
5. Entry point verification (if falls in suspicious section)
6. Suspicious entry point detection
7. Packer detection
8. Signature trace (extended from malware analyser project), such as Anti VM aware, debug aware, keyboard hook aware etc. This particular function searches for more than 20 unique malware behaviours (using 100’s of signature).
9. Import intel scanning.
10. Deep search (module)
    Online search of MD5 (of executable) on Threat Expert.
11. String dump (ASCII)
12. Executable file information
13. Hexdump
14. PEfile info dumping
15. …and more.

4. Application crash analysis – This module enables exploit researcher and/or application developer to analyse memory content when an application crashes.This module essentially displays data in different memory register (such as EIP).

• Application crash analysis video demonstration – http://www.youtube.com/watch?v=msYo7pPsu6A

5. Exe extractor – This module essentially extracts executables from running process/s, which could then be further analysed using Hook Analyser , Malware Analyser or other solutions. This module is potentially useful for incident responders

More Information:

• http://hookanalyser.blogspot.com

Download Hook Analyser v2.5

[REMnux] A Linux Distribution for Malware Analysis

REMnux incorporates a number of tools for analyzing malicious executables that run on Microsoft Windows, as well as browser-based malware, such as Flash programs and obfuscated JavaScript. This popular toolkit includes programs for analyzing malicious documents, such PDF files, and utilities for reverse-engineering malware through memory forensics.

REMnux can also be used for emulating network services within an isolated lab environment when performing behavioral malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and redirects the connections to the REMnux system listening on the appropriate ports.

You can learn the malware analysis techniques that make use of the tools installed and pre-configured on REMnux by taking the Reverse-Engineering Malware course that my colleagues and I teach at SANS Institute.

REMnux focuses on the most practical freely-available malware analysis tools that run on Linux. If you are looking for a more full-featured distribution that incorporates a broader range of digital forensic analysis utilities, take a look at SANS Investigative Forensic Toolkit (SIFT) Workstation.

Originally released in 2010, REMnux has been updated to version 4 in April 2013.

What’s New in REMnux v4

REMnux is now available as a Open Virtualization Format (OVF/OVA) file for improved compatibility with virtualization software, including VMware and VirtualBox. (Here’s how to easily install the REMnux virtual appliance.) A proprietary VMware file is also available. You can also get REMnux as an ISO image of a Live CD.

Key updates to existing tools and components:

• Core system: Upgraded the underlying Ubuntu OS components and packages; increased default RAM of the virtual appliance to 512MB; replaced OpenJDK with Oracle Java 7 runtime.
• Memory analysis: Updated Volatility to version 2.2.
• PDF analysis: Updated pdfid and pdf-parser, Origami, peepdf
• Web analysis: Updated SWFTools, V8, libemu, NetworkMiner, Burp Proxy, Wireshark, Firefox and its add-ons.
• Other changes: Updated xorsearch, DensityScout, Pyew, passive-dns, ClamAV, capabilities.yara; replaced FreeMind with XMind

New tools added to REMnux:

• Windows tools: Installed Wine; added OfficeMalScanner, Malzilla
• XOR analysis: Added NoMoreXOR, brutexor, XORBruteForcer
• PE file analysis: Added pev, dism-this, ExeScan, udis86 (udcli), autorule (/usr/local/autorule), distool
• Other file analysis: Added extract_swf.py, ExifTool, MASTIFF
• Other additions: Added hack-functions (/usr/local/hack-functions), bulk_extractor, ProcDot

Getting Started With REMnux

The one-page REMnux Usage Tips cheat sheet outlines some of the more popular tools installed on REMnux. Feel free to customize it to incorporate your own tips and tricks.

The recorded Malware Analysis Essentials Using REMnux webcast provides a good overview and examples of some of the tools for performing static malware analysis.

If you find REMnux useful, take a look at the reverse-engineering malware course. It makes use of REMnux and various other tools.

Download REMnux

[Binwalk v1.2] Firmware Analysis Tool

Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility.

Binwalk also includes a custom magic signature file which contains improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, Linux kernels, bootloaders, filesystems, etc.

Changelog v1.2

• Recursive File Scanning and Extraction: Often files extracted by binwalk need to be further scanned / analyzed.
• Entropy and Strings Analysis: Binwalk’s signature analysis is great, but how do you know it didn’t miss something? What do you do if binwalk doesn’t find anything at all? Examining a file’s entropy can reveal a lot about its contents
• Plugin Support: In addition to a scriptable API, binwalk now supports plugins that are afforded considerable control over binwalk’s scan process. Plugins are particularly useful for extending or modifying binwalk’s analysis where custom signatures fall short.

Plugins are easy to write; check out some of the examples on the wiki!

Full Changelog: here

Download Binwalk v1.2

[360-FAAR v0.4.1] Firewall Analysis Audit And Repair

360-FAAR (Firewall Analysis Audit and Repair) is an offline, command line, Perl firewall policy manipulation tool to filter, compare to logs, merge, translate and output firewall commands for new policies, in Checkpoint dbedit, Cisco ASA or ScreenOS commands, and its one file!

Changes: This release adds the 'mergelog' mode to merge binary log entries from one config with another and significantly updates the user interface. All configs can be loaded from the 'load' menu instead of specifying them on the command line. Added 'verbose' switches to 'print' and 'rr' modes so that screen output can be switched off, and all 'end.' key words have been changed to simply '.' to reduce the number of keystrokes needed. Entering '0' now adds all options and '.' chooses the default if available. The Netscreen output stage now uses a default zone if none are specified.

Read Policy and Logs for:

Checkpoint FW1 (in odumper.csv / logexport format),

Netscreen ScreenOS (in get config / syslog format),

Cisco ASA (show run / syslog format),

360-FAAR uses both inclusive and exclusive CIDR and text filters, permitting you to split large policies into smaller ones for virutalisation at the same time as removing unused connectivity.

360-FAAR supports, policy to log association, object translation, rulebase reordering and simplification, rule moves and duplicate matching automatically. Allowing you to seamlessly move rules to where you need them.

Download 360-FAAR Firewall Analysis Audit And Repair 0.4.1

[Capsa packet Sniffer] Herramienta Portable para Análisis de Red

Capsa es una Herramienta Portable para Análisis de Red gratuito para que los administradores de red puedan supervisar, diagnosticar y solucionar sus problemas en network. La versión gratuita del analizador viene con toneladas de características, y es lo suficientemente buena para se uso doméstico, así como su uso en la pequeña empresa.

Con Capsa Sniffer puedes monitorear y capturar los datos de red de 50 direcciones IP.

Características de Capsa :

• Detalle de tráfico de todos los equipos.
• Control de ancho de banda (para encontrar los equipos que están viendo vídeos en línea).
• Diagnóstico de Red para identificar problemas en la red.
• La registro de actividad del Netwok (para la grabación de mensajería instantánea y correo web).
• Red de monitoreo del comportamiento.

Download Capsa packet Sniffer

[HoneyProxy] A man-in-the-middle SSL Proxy & Traffic Analyzer

HoneyProxy is a lightweight tool that allows live HTTP(S) traffic inspection and analysis.

It focuses on features that are useful for malware analysis and network forensics.

Features

• Analyze HTTP(S) traffic on the fly
• Filter and highlight traffic, regex support included.
• Report Generation for saved flows, including a live JS editor.
• Save HTTP conversations for later analysis
• Make scripted changes with Python, e.g. remove Cache Header.
• based on and compatible to mitmproxy.
• cross-platform (Windows, OSX and Linux)
• SSL interception certs generated on the fly

Looking for more? Check out our GitHub wiki!

 

Quick Start

Download the latest release or pick a development snapshot.

Install all dependencies: pip install pyOpenSSL pyasn1 Twisted Autobahn
Windows users: Install the binaries for pyOpenSSL and Twisted manually (or compile yourself).
Ubuntu / Debian users: Install twisted as a package (sudo apt-get install python-twisted). If you get errors, check this page.

Start HoneyProxy with python honeyproxy.py or python honeyproxy.py --help.
If you don't use a modern browser, a kitten will die. We support both Firefox and Chrome!
Most command line parameters are documented in the mitmproxy docs.

[Dexter] A Free Tool for Mobile (Android) Malware Analysis

Bluebox Labs just released Dexter, a free tool which wants to help information security professionals and malware analysts to analyze Android mobile applications in order to find malware and vulnerabilities.

Dexter combines manual and automatic static program analysis to provide a better understanding of an Android application. Since the original application source code is not required, Dexter is useful during third party binary application analyses and malware reverse engineering.

The following core features are provided to the analyst:

• App statistics and direct access to all program entry points
• Package graph visualization
• Class and inheritance diagrams
• Class decompilation
• Method bytecode graph visualization
• A relational query language and text search feature
• APK file browser
• Coloring, tagging and commenting on package, class, method and even basic block layer
• String listing including code cross reference resolution
• Automated semantic annotation of program elements
• Integrated multi-user support for collaboration

More info Here.

[Converter v0.7] Analyzing and Deobfuscating Malicious Scripts

Malicious Java applets have been making news for awhile so I thought I would update Converter to include some new features to help with deobfuscating them.

This is a list of changes made to this version:

+ Replaced Binary-to/from-Text with Binary-to/from-Hex to make it more useful

+ Added Filter > “Keep Hex” to only keep hex characters

+ Added Format > “Mixed Octal to Hex” to convert a mixture of text and octal to hex

+ Added Format > “Sort Text” to sort a string

+ Added Format > “Hex Format – CSV” separates hex values with a comma

+ Added Tools > “String Builder” to keep values between quotes

+ Modified “Dec-to-Hex” and “Dec-to-Octal” to handle negative integers

+ Added “copy output to input” option to Secret Decoder Ring

+ Added ability to import first KB (or all) of data to Key Search/Convert

+ Eliminated extra fields in Key Search/Convert screen

+ Made expression capability in Key Search/Convert and Convert Binary File a little more robust (added Extra > “Expressions Help”)

Here’s a look at some of the features in action…

This applet used binary strings to hide its actions:

Just paste it in and the Binary-to-Hex feature will split on every eight characters and convert them to hex. You can choose the Output Format using the dropdown at the bottom.

Here we see an applet concatenating several variables together before it deobfuscates it:

Using the “String Builder” feature…

Just paste the section in and Converter will concatenate everything between the quotes together. Make sure the beginning and ending quotes are present.

This applet is using a mix of text and octal characters:

The “Mixed Octal to Hex” feature…

Will convert the string (including escaped characters) to hex.

This applet is using an array of positive and negative integers:

Converter now converts decimal to hex properly.

This particular applet takes this concatenated string and deobfuscates it by running through a decoder routine three times:

The Secret Decoder Ring now allows you to copy the output to the input field so you can decode it any number of times without having to manually copy/paste each time.

Finally, you can see the changes made to the Key Search/Convert screen. I tried to make the expressions as flexible as possible.


Download Converter v0.7
Official website: http://www.kahusecurity.com/

[Hook Analyser v2.4] Application (and Malware) Analysis tool

Application (and Malware) Analysis tool. Hook Analyser is a hook tool which could be potentially helpful in reversing application and analysing malwares.

Changelog v2.4

• Hook Analyser can now analyse DLLs. (Part of the Static Malware Analysis Module)
• The deep trace functionality has been improved significantly, and now it supports searching (and logging) for traces such as Shellcodes, Filenames, WinSockets, Compiler Traces etc.(Part of the Static Malware Analysis Module)
• Exe extractor – This is one of the feature which is useful for incident handlers, essentially allows dumping of executables from process/s, which could then be analysed using Hook Analyser, Malware Analyser or other tools for anomalies check. (New module added)
• The static malware analysis has been further improved, and new features have been added. I will let you explore this.(Part of the Static Malware Analysis Module)
• Minor bug fixes.

More Information:

• http://hookanalyser.blogspot.com

Download Hook Analyser v2.4

[Automater 1.2] IP and URL Analysis Tool

Automater is a IP and URL Analysis tool we created to help automate the analysis process. You can see a video of Automater in action in TekTip episode 15.

Download Automater 1.2

[Zeus] Registry Analysis Using Volatility Framework

How to analysis a registry from the memory using Volatility Framework.

In this video I’m using Zeus Memory for registry analysis, and l will show F-secure top10 malware registry launchpoints. Not all but some of them

Download Zeus Memory : http://malwarecookbook.googlecode.com/svn-history/r26/trunk/17/1/zeus.vmem.zip

Most trojans, worms, backdoors, and such make sure they will be run after a reboot by introducing autorun keys and values into the Windows registry. Some of these registry locations are better documented than others and some are more commonly used than others. One of the first steps to take when doing forensic analysis is to check the most obvious places in the registry for modifications.

Source : - http://www.f-secure.com/weblog/archives/00001207.html

[SAMHAIN 3.0.9] File Integrity Checker / Host-Based Intrusion Detection System

The Samhain host-based intrusion detection system (HIDS) provides file integrity checking and log file monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.

Samhain been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as standalone application on a single host.

Samhain is an open-source multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).

Samhain is a file system integrity checker that can be used as a client/server application for centralized monitoring of networked hosts. Databases and configuration files can be stored on the server. Databases, logs, and config files can be signed for tamper resistance. In addition to forwarding reports to the log server via authenticated TCP/IP connections, several other logging facilities (e-mail, console, and syslog) are available. Tested on Linux, AIX, HP-UX, Unixware, Sun and Solaris.

Changes: Some build errors have been fixed, as well as the 'probe' command for the server (clients could be erroneously omitted under certain conditions). An option has been added to the Windows registry check to ignore changes if only the timestamp has changed, and full scans requested by the inotify module will now only run at times configured for regular full scans. 

Download SAMHAIN 3.0.9

[NetSleuth] Open source Network Forensics And Analysis Tools

NetSleuth identifies and fingerprints network devices by silent network monitoring or by processing data from PCAP files.

NetSleuth is an opensource network forensics and analysis tool, designed for triage in incident response situations. It can identify and fingerprint network hosts and devices from pcap files captured from Ethernet or WiFi data (from tools like Kismet).

It also includes a live mode, silently identifying hosts and devices without needing to send any packets or put the network adapters into promiscuous mode ("silent portscanning").

NetSleuth is a free network monitoring, cyber security and network forensics analysis (NFAT) tool that provides the following features:

• An easy realtime overview of what devices and what people are connected to any WiFi or Ethernet network.
• Free. The tool can be downloaded for free, and the source code is available under the GPL.
• Simple and cost effective. No requirement for hardware or reconfiguration of networks.
• “Silent portscanning” and undetectable network monitoring on WiFi and wired networks.
• Automatic identification of a vast array of device types, including smartphones, tablets, gaming consoles, printers, routers, desktops and more.
• Offline analysis of pcap files, from tools like Kismet or tcpdump, to aid in intrusion response and network forensics.

Download Here

[Diviner] OWASP Zed Attack Proxy Extension

 Diviner is a unique platform that attempts to predict the structure of the server-side memory, source code and processes,by executing scenarios aimed to fingerprint behaviors that derive from specific lines of code, processes or memory allocations,by employing the use of a variety of coverage processes, content differentiation tests and entry point execution scenarios,and by using deduction algorithms that convert this information into a visual map of the application.

 

Diviner analyzes and reuses the requests found in ZAP's history at at the moment of its activation, activates the application entry points under different extreme conditions, generates and isolates specific application behaviors,and uses the information obtained to predict the structure of the server side memory,source code, and processes.These aspects are then presented in the form of a visual map,which includes leads, tasks and payload recommendations.

 Diviner also attempts to analyze this information in order to locate potential leads for vulnerabilities,both simple and complex, and provides recommendations for detecting and exploiting them.
 
Video Demo:  

Using the Clairvoyance Feature to Gain Insight into the Server Memory, Code and Processes
Using the Advisor Feature to Detect SQL Injection via Session Attributes
Using the Advisor Feature to Detect XSS via Session Attributes  

More info:http://sectooladdict.blogspot.com

Download: http://code.google.com

[360-FAAR] Firewall Analysis Audit And Repair 0.3.6

360-FAAR (Firewall Analysis Audit and Repair) is an offline, command line, Perl firewall policy manipulation tool to filter, compare to logs, merge, translate and output firewall commands for new policies, in Checkpoint dbedit, Cisco ASA or ScreenOS commands, and its one file!

Read Policy and Logs for:

Checkpoint FW1 (in odumper.csv / logexport format),
Netscreen ScreenOS (in get config / syslog format),
Cisco ASA (show run / syslog format),

360-FAAR uses both inclusive and exclusive CIDR and text filters, permitting you to split large policies into smaller ones for virutalisation at the same time as removing unused connectivity.

360-FAAR supports, policy to log association, object translation, rulebase reordering and simplification, rule moves and duplicate matching automatically. Allowing you to seamlessly move rules to where you need them.

TRY: 'print' mode. One command, and spreadsheet for your audit needs!

Features

• WRITTEN IN SIMPLE Perl - NEEDS ONLY STANDARD MODULES - IS ONE FILE
• .
• Easy to Edit Menu Driven Text Interface
• Capable of manipulating tens of thousands of rules, objects and groups
• Handles infinitely deep groups
• Capable of CIDR filtering connectivity in/out of policy rulebases.
• Capable of merging rulebases.
• Identifies existing connectivity in rulebases and policies
• Automatically performs cleanup if a log file is provided.
• Keeps DR connecitvity via any text or IP tag
• Encryption rules can be added during policy moves to remove the "merge from" rules for traffic that would be encrypted by the time it reached the firewall on which the "merge to" policy is to be installed - sounds complicated but its not in practice - apropriate ike and esp rules should be added manually
• Runs consistency checks on its own objects and rule definitions
• Extendable via a simple elsif in the user interaction loop section.
• .
• EASY TO EXECUTE:
• ./360-faar.pl <FW CONFIG TYPE> <log> <config> <nats> <FW CONFIG TYPE> <log> <config> <nats> <FW CONFIG TYPE> <log> <config> <nats>
• .
• CONFIG TYPES: - cisco soon!
• od = logexported logs, object dumper format config, fwdoc format nat rules csv
• ns = syslog format logs, screenos6 format config, nats are included in policy but not processed fuly yet, fwdoc format nats can be used though
• cs = cisco asa syslog file, cisco ASA format config, - not ready yet
• .
• OUTPUT TYPES:
• od = output an odumper/ofiller format config to file, and print the dbedit for the rulebase creation to screen
• ns = outputs netscreen screenos6 objects and policies (requires a netscreen config or zone info)
• cs = cisco asa format config - not ready yet
• .
• By default 360-FAAR accepts exactly 3 configs on the command line.
• Make an empty file called "fake" and and use this as the file name, for log config and nats if you want to process less than 3 configs at once.
• Log file headders in fw1 logexported logs are found automatically so many files can be cated together
• .
• FUTHER PROCESSING AND MANUAL EDITING:
• Output odumper/ofiller format files and make them more readable (watchout for spaces in names) using the numberrules helper script
• Edit these csv's in Openoffice or Excell using any of the object or group definitions from the three loaded configs.
• You can then use this file as a template to translate to many different firewalls using the 'bldobjs' mode

DOWNLOAD 360-FAAR Firewall Analysis Audit And Repair 0.3.6

Screens

[WebSploit] Framework 2.0.3 with Wifi Jammer

WebSploit Is An Open Source Project For Scan And Analysis Remote System From Vulnerability.

WebSploit Is An Open Source Project For :
[>]Social Engineering Works
[>]Scan,Crawler & Analysis Web
[>]Automatic Exploiter
[>]Support Network Attacks
[+]Autopwn - Used From Metasploit For Scan and Exploit Target Service
[+]wmap - Scan,Crawler Target Used From Metasploit wmap plugin
[+]format infector - inject reverse & bind payload into file format
[+]phpmyadmin Scanner
[+]LFI Bypasser
[+]Apache Users Scanner
[+]Dir Bruter
[+]admin finder
[+]MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
[+]MITM - Man In The Middle Attack
[+]Java Applet Attack
[+]MFOD Attack Vector
[+]USB Infection Attack
[+]ARP Dos Attack
[+]Web Killer Attack
[+]Fake Update Attack
[+]Fake Access point Attack

Download WebSploit Framework 2.0.3