One group I follow quite closely, because they love taking part in CTFs, is the folks from Amnesia Team, a team from whose every WriteUp shared on their Telegram channel I learn a little more each time; this solution to the DragonJar 2016 CTF was done by @NoxOner, @javierprtd, @alguien_tw and @MaranonD.



I am sure that for all of us who are starting out in CTF participation, reading a document like this will help us see everything in a different light, even more so with the step-by-step detail of this document; I also remind you of the post where we shared material to prepare for a CTF.

It remains for me to congratulate the members of Amnesia for sharing their knowledge once again; if you don't know the team, you can follow them on Telegram, where they have their official channel. Amn3s1a.

Regards,
Snifer
Read More
When one thinks of digital forensics, what always comes to mind is the process or procedures to carry out, as well as using some tool that automates things, the "big button" kind as they say, and sometimes we even need a specific one per task, such as RAM acquisition, registry analysis, steganographic analysis and more; as you know this is a never-ending subject given the number of branches and points to analyze.



The link I share points to a fairly extensive repository of forensic tools, with which you have what is needed to keep learning by putting it into practice in tests and challenges on this subject, or in the workplace should you need to resort to one of these tools; they are centralized by dfir-training.

I write on the blog less and less, but between work and enjoying my birthday plus a brief vacation, so to speak, I disconnected from everything; we are back with the blog, patience!!! Besides, the INTERNET service is a pity.


Regards,
Snifer
Read More
Hello everyone, and thanks again to Snifer for letting me write on his blog.

In this short post we will get to know a website I discovered recently, which is really useful for practicing code analysis with a view to a future code audit we might come across, or simply for the sake of having more knowledge, which is what we are always after.


The site is Gameofhacks and it works like a quiz, based on multiple-choice questions. On the main page there is a nice blue and black interface that from the start invites you to stay on the page, but what matters is the content of the quiz questions. We have three options on this main page:

  • Single player: it asks for your level (Beginner, Intermediate or Advanced) to start an individual quiz, with rounds of 5 questions and at most one minute to answer each one. The questions are always based on a piece of code shown on the right, and on the left you are given four options to choose from about which vulnerability exists in that code. Among these we can find Buffer Overflow, SQL Injection, Reflected XSS…
  • Challenge your friend: it asks you to enter the name you choose and your e-mail address, and likewise the opponent's name and e-mail address. I have not been able to test this option (if it really works) because every time I select it and enter the details, after entering my level I get a nice “Application Error” page and it goes no further.
  • Add your own code to the game: it opens a form in which you enter name, e-mail, the language the submitted code is written in, how you want to phrase the question, the code containing the vulnerability, and the four available answer options (plus a nice captcha to verify we are not some great question-sending bot).

We look forward to your comments about your experience on that platform, and hope it serves as training to keep learning.


Best regards and until next time.


Read More
I regularly review and look for checklists for the different pentesting tasks, like this Check List - Web Application Testing, and a couple of months ago we came with a similar one, Check List - Mobile Application Testing; hence this is a version II, and surely you wonder how it differs from the previous one.

 


This checklist was put together in a completely different way, though still based on the OWASP Mobile Top 10; as you will see in the button after the download link, it comes with its own list of tools for each stage.

The Mobile App Pentest cheat sheet was created to provide a concise collection of high value information on specific mobile application penetration testing topics.

All-in-One Mobile Security Frameworks

  • Mobile Security Framework - MobSF - Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis.
    • python manage.py runserver 127.0.0.1:1337

Android Application Penetration Testing

Android Testing Distributions

  • Appie - A portable software package for Android Pentesting and an awesome alternative to existing Virtual machines.
  • Android Tamer - Android Tamer is a Virtual / Live Platform for Android Security professionals.
  • AppUse - AppUse is a VM (Virtual Machine) developed by AppSec Labs.
  • Mobisec - Mobile security testing live environment.
  • Santoku - Santoku is an OS and can be run outside a VM as a standalone operating system.

Reverse Engineering and Static Analysis

  • APKInspector - APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
  • APKTool - A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications.
    • Disassembling Android apk file
      • apktool d [apk file]
    • Rebuilding decoded resources back to binary APK/JAR with certificate signing (the keystore below is a throwaway test key; for anything beyond a lab re-sign prefer RSA 2048 with SHA256withRSA, and note that apps targeting Android 11 (API 30) or later must carry a v2 or newer APK signature, which jarsigner cannot produce but apksigner from the SDK build-tools can; zipalign the result afterwards)
      • apktool b [modified folder]
      • keytool -genkey -v -keystore keys/test.keystore -alias Test -keyalg RSA -keysize 1024 -sigalg SHA1withRSA -validity 10000
      • jarsigner -keystore keys/test.keystore dist/test.apk -sigalg SHA1withRSA -digestalg SHA1 Test
  • Dex2jar - A tool for converting .dex file to .class files (zipped as jar).
    • Converting an apk file into a jar file
      • dex2jar [apk file]
  • Oat2dex - A tool for converting .oat file to .dex files.
    • Deoptimize boot classes (The output will be in "odex" and "dex" folders)
      • java -jar oat2dex.jar boot [boot.oat file]
    • Deoptimize application
      • java -jar oat2dex.jar [app.odex] [boot-class-folder output from above]
    • Get odex from oat
      • java -jar oat2dex.jar odex [oat file]
    • Get odex smali (with optimized opcode) from oat/odex
      • java -jar oat2dex.jar smali [oat/odex file]
  • JD-Gui - A tool for decompiling and analyzing Java code.
  • FindBugs + FindSecurityBugs - FindSecurityBugs is an extension for FindBugs which includes security rules for Java applications.
  • Qark - This tool is designed to look for several security related Android application vulnerabilities, either in source code or packaged APKs.
  • AndroBugs - AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.
  • Simplify - A tool for de-obfuscating an Android package into a classes.dex that can then be fed to Dex2jar and JD-GUI to extract the contents of the dex file.
    • java -jar simplify.jar -i [input smali files or folder] -o [output dex file]
  • ClassNameDeobfuscator - Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.

Dynamic and Runtime Analysis

  • Introspy-Android - Blackbox tool to help understand what an Android application is doing at runtime and assist in the identification of potential security issues.
  • Cydia Substrate - Cydia Substrate for Android enables developers to make changes to existing software with Substrate extensions that are injected into the target process's memory.
  • Xposed Framework - Xposed framework enables you to modify the system or application aspect and behaviour at runtime, without modifying any Android application package(APK) or re-flashing.
  • CatLog - Graphical log reader for Android.
  • Droidbox - DroidBox is developed to offer dynamic analysis of Android applications.
  • Frida - The toolkit works using a client-server model and lets you inject into running processes not just on Android, but also on iOS, Windows and Mac.
  • Drozer - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
    • Starting a session
      • adb forward tcp:31415 tcp:31415
      • drozer console connect
    • Retrieving package information
      • run app.package.list -f [app name]
      • run app.package.info -a [package name]
    • Identifying the attack surface
      • run app.package.attacksurface [package name]
    • Exploiting Activities
      • run app.activity.info -a [package name] -u
      • run app.activity.start --component [package name] [component name]
    • Exploiting Content Provider
      • run app.provider.info -a [package name]
      • run scanner.provider.finduris -a [package name]
      • run app.provider.query [uri]
      • run app.provider.update [uri] --selection [conditions] [selection arg] [column] [data]
      • run scanner.provider.sqltables -a [package name]
      • run scanner.provider.injection -a [package name]
      • run scanner.provider.traversal -a [package name]
    • Exploiting Broadcast Receivers
      • run app.broadcast.info -a [package name]
      • run app.broadcast.send --component [package name] [component name] --extra [type] [key] [value]
      • run app.broadcast.sniff --action [action]
    • Exploiting Service
      • run app.service.info -a [package name]
      • run app.service.start --action [action] --component [package name] [component name]
      • run app.service.send [package name] [component name] --msg [what] [arg1] [arg2] --extra [type] [key] [value] --bundle-as-obj
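The static counterpart of drozer's `app.package.attacksurface` module, added here as an example (it is not part of the cheat sheet or of drozer): it reads the AndroidManifest.xml that `apktool d` writes into the decoded folder and applies the platform's export rules to every activity, service, receiver and provider. The manifest embedded below is constructed for the example, with an invented package and component names.

```python
# Added example: enumerate exported components from a decoded AndroidManifest.xml.
# Mirrors what drozer's app.package.attacksurface reports, but works offline
# on the output of `apktool d`. The sample manifest is constructed for this
# example; package and component names are invented.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application android:debuggable="true" android:allowBackup="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".DataProvider"
              android:authorities="com.example.demo.provider"
              android:exported="true"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Apply the platform's export rules to one component element.

    An explicit android:exported wins. Otherwise a component that declares an
    <intent-filter> is implicitly exported (apps targeting API 31+ must state
    it explicitly, so there an absent attribute with a filter is a build
    error, not a hidden export). Providers on targets below API 17 defaulted
    to exported even without a filter; that legacy case is not modelled here.
    """
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def attack_surface(manifest_xml):
    """Return exported components per kind, plus the app-level flags.

    Each component entry is (name, permission-or-None): a component that
    requires a permission is exported but not freely reachable from any app.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    result = {tag: [] for tag in COMPONENT_TAGS}
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if is_exported(comp):
                result[tag].append((attr(comp, "name"), attr(comp, "permission")))
    result["debuggable"] = (attr(app, "debuggable") or "false").lower() == "true"
    result["allowBackup"] = (attr(app, "allowBackup") or "true").lower() == "true"
    return result


if __name__ == "__main__":
    import sys
    # Usage: python attack_surface.py [decoded-folder]/AndroidManifest.xml
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    surface = attack_surface(xml_text)
    for tag in COMPONENT_TAGS:
        for name, perm in surface[tag]:
            print("%-14s %s%s" % (tag, name, "  (permission: %s)" % perm if perm else ""))
    print("debuggable:", surface["debuggable"], " allowBackup:", surface["allowBackup"])
```

Run it against the decoded manifest before opening a drozer session: every component it lists is a candidate for the `app.activity.start`, `app.provider.query`, `app.broadcast.send` and `app.service.start` commands above, and the `permission` column tells you which of them drozer's agent will be refused access to unless it holds that permission.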

Network Analysis and Server Side Testing

  • Tcpdump - A command line packet capture utility.
  • Wireshark - An open-source packet analyzer.
    • Live packet captures in real time (needs a rooted device with tcpdump and nc binaries)
      • adb shell "tcpdump -s 0 -w - | nc -l -p 4444"
      • adb forward tcp:4444 tcp:4444
      • nc localhost 4444 | sudo wireshark -k -S -i -
  • Canape - A network testing tool for arbitrary protocols.
  • Mallory - A Man in The Middle (MiTM) tool used to monitor and manipulate traffic on mobile devices and applications.
  • Burp Suite - Burp Suite is an integrated platform for performing security testing of applications.
  • Proxydroid - Global Proxy App for Android System.

Bypassing Root Detection and SSL Pinning

  • Android SSL Trust Killer - Blackbox tool to bypass SSL certificate pinning for most applications running on a device.
  • Android-ssl-bypass - an Android debugging tool that can be used for bypassing SSL, even when certificate pinning is implemented, as well as other debugging tasks. The tool runs as an interactive console.
  • RootCoak Plus - Patch root checking for commonly known indications of root.

Security Libraries

  • PublicKey Pinning - Pinning in Android can be accomplished through a custom X509TrustManager. X509TrustManager should perform the customary X509 checks in addition to performing the pinning configuration.
  • Android Pinning - A standalone library project for certificate pinning on Android.
  • Java AES Crypto - A simple Android class for encrypting & decrypting strings, aiming to avoid the classic mistakes that most such classes suffer from.
  • Proguard - ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes.
  • SQL Cipher - SQLCipher is an open source extension to SQLite that provides transparent 256-bit AES encryption of database files.
  • Secure Preferences - Android Shared preference wrapper than encrypts the keys and values of Shared Preferences.
  • Trusted Intents - Library for flexible trusted interactions between Android apps.

iOS Application Penetration Testing

Access Filesystem on iDevice

  • FileZilla - It supports FTP, SFTP, and FTPS (FTP over SSL/TLS).
  • Cyberduck - Libre FTP, SFTP, WebDAV, S3, Azure & OpenStack Swift browser for Mac and Windows.
  • itunnel - Used to forward SSH over USB.
  • iFunbox - The File and App Management Tool for iPhone, iPad & iPod Touch.

Reverse Engineering and Static Analysis

  • otool - The otool command displays specified parts of object files or libraries.
  • Clutch - Decrypts the application and dumps the specified bundleID into a binary or .ipa file.
  • Dumpdecrypted - Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of the App Store encryption.
    • iPod:~ root# DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/Scan.app/Scan
  • class-dump - A command-line utility for examining the Objective-C runtime information stored in Mach-O files.
  • Weak Classdump - A Cycript script that generates a header file for the class passed to the function. Most useful when you cannot use class-dump or dumpdecrypted, e.g. when binaries are encrypted.
    • iPod:~ root# cycript -p Skype weak_classdump.cy; cycript -p Skype
    • #cy weak_classdump_bundle([NSBundle mainBundle],"/tmp/Skype")
  • IDA Pro - IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.
  • HopperApp - Hopper is a reverse engineering tool for OS X and Linux that lets you disassemble, decompile and debug your 32/64-bit Intel Mac, Linux, Windows and iOS executables.
  • iRET - The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing.

Dynamic and Runtime Analysis

  • cycript - Cycript allows developers to explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and tab completion.
    • Show current view
      • cy# UIApp.keyWindow.rootViewController.topViewController.visibleViewController
    • Get an array of existing objects of a certain class
      • cy# choose(UIViewController)
    • List method at runtime
      • cy# [classname].messages or
      • cy# function printMethods(className) { var count = new new Type("I"); var methods = class_copyMethodList(objc_getClass(className), count); var methodsArray = []; for(var i = 0; i < *count; i++) { var method = methods[i]; methodsArray.push({selector:method_getName(method), implementation:method_getImplementation(method)}); } free(methods); free(count); return methodsArray; }
      • cy# printMethods("[classname]")
    • Prints out all the instance variables
      • cy# function tryPrintIvars(a){ var x={}; for(i in a){ try{ x[i] = (a)[i]; } catch(e){} } return x; }
      • cy# a=#0x15d0db80
      • cy# tryPrintIvars(a)
    • Manipulating through property
      • cy# [a pinCode]
      • cy# [a setPinCode: @"1234"]
      • cy# [a isValidPin]
      • cy# a->isa.messages['isValidPin'] = function(){return 1;}
  • iNalyzer - AppSec Labs iNalyzer is a framework for manipulating iOS applications, tampering with parameters and method.
  • idb - idb is a tool to simplify some common tasks for iOS pentesting and research.
  • snoop-it - A tool to assist security assessments and dynamic analysis of iOS Apps.
  • Introspy-iOS - Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues.
  • gdb - A tool to perform runtime analysis of iOS applications.
  • keychaindumper - A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken.
  • BinaryCookieReader - A tool to dump all the cookies from the binary Cookies.binarycookies file.

Network Analysis and Server Side Testing

  • Canape - A network testing tool for arbitrary protocols.
  • Mallory - A Man in The Middle (MiTM) tool used to monitor and manipulate traffic on mobile devices and applications.
  • Burp Suite - Burp Suite is an integrated platform for performing security testing of applications.
  • Charles Proxy - HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet.

Bypassing Root Detection and SSL Pinning

  • SSL Kill Switch 2 - Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps.
  • iOS TrustMe - Disable certificate trust checks on iOS devices.
  • Xcon - A tool for bypassing Jailbreak detection.
  • tsProtector - Another tool for bypassing Jailbreak detection.

Security Libraries

  • PublicKey Pinning - iOS pinning is performed through a NSURLConnectionDelegate. The delegate must implement connection:canAuthenticateAgainstProtectionSpace: and connection:didReceiveAuthenticationChallenge:. Within connection:didReceiveAuthenticationChallenge:, the delegate must call SecTrustEvaluate to perform the customary X509 checks and then compare the server's public key against the pinned copy before accepting the challenge.
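Both the Android entry (custom X509TrustManager / Android Pinning) and the iOS entry above compare the server's public key against a pinned value, and the value practitioners usually pin is base64(SHA-256(DER of subjectPublicKeyInfo)), the form OkHttp and HPKP use. The script below, added here as an example and not taken from the cheat sheet or from any of those libraries, walks just enough of the X.509 DER to reach the SPKI and computes that pin. The certificate it builds is a constructed stand-in with a dummy key (only the structure is real), so the parser can be exercised offline; for a real pin feed it the DER of the leaf certificate.

```python
# Added example: compute the SPKI pin (base64 of SHA-256 over the DER
# subjectPublicKeyInfo) that Android X509TrustManager pinning and iOS
# SecTrustEvaluate-based pinning compare against. Only the DER walk needed to
# reach the SPKI is implemented. The sample certificate below is constructed
# and not verifiable; it carries a dummy key and empty name/validity fields.
import base64
import hashlib


def der(tag, payload):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def read_tlv(data, pos):
    """Decode the single-byte-tag TLV at `pos`; return (tag, value, end)."""
    tag = data[pos]
    first = data[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(data):
        raise ValueError("truncated DER")
    return tag, data[pos:end], end


def children(payload):
    """Split a SEQUENCE payload into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(payload):
        tag, value, pos = read_tlv(payload, pos)
        out.append((tag, value))
    return out


def extract_spki(cert_der):
    """Return the DER of subjectPublicKeyInfo from an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs_body = children(cert_body)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = children(tbs_body)
    if fields and fields[0][0] == 0xA0:   # explicit [0] version, absent in v1 certs
        fields = fields[1:]
    spki_tag, spki_body = fields[5]       # serial, sigAlg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return der(0x30, spki_body)


def spki_pin(spki_der):
    """HPKP / OkHttp style pin: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def cert_pin(cert_der):
    return spki_pin(extract_spki(cert_der))


# Constructed sample SPKI: rsaEncryption OID with NULL parameters and a dummy
# BIT STRING instead of a real RSAPublicKey.
RSA_OID = bytes.fromhex("2a864886f70d010101")
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
                  + der(0x03, b"\x00\xff\xee"))


def build_sample_cert(with_version):
    """Wrap SAMPLE_SPKI in a minimal (unsigned, dummy) certificate skeleton."""
    empty_seq = der(0x30, b"")
    tbs = b""
    if with_version:
        tbs += der(0xA0, der(0x02, b"\x02"))   # [0] EXPLICIT version v3
    tbs += der(0x02, b"\x01")                  # serialNumber
    tbs += empty_seq                            # signature algorithm (dummy)
    tbs += empty_seq                            # issuer (dummy)
    tbs += empty_seq                            # validity (dummy)
    tbs += empty_seq                            # subject (dummy)
    tbs += SAMPLE_SPKI
    return der(0x30, der(0x30, tbs) + empty_seq + der(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    # Usage: python spki_pin.py leaf.der   (openssl x509 -in leaf.pem -outform DER)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cert(True)
    print("pin-sha256/" + cert_pin(data))
```

Pinning the SPKI rather than the whole certificate is what lets a renewal that keeps the same key pair pass the check; whichever form you choose, ship a backup pin for a key you hold offline, or the first forced rotation locks every installed client out.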

Contribution

Your contributions and suggestions are welcome.

License

This work is licensed under a Creative Commons Attribution 4.0 International License

You will see the checklist is quite complete; for my part, when I get the chance to use it in the field I will keep it in mind and comment on its use with everything it covers. Below I leave you the source on GITHUB.
Regards,
Snifer
Read More
Reference material for malware analysis, containing what is needed to work with these critters; as you will see below it is a reference list, from downloading samples to online tools such as domain analysis, sandboxes and a long etcetera.


Below is the list mentioned above.

The corresponding link follows.

Regards,
Snifer
Read More