suspicious network activity

  1. #21
    netstat African Astronaut
    edited for privacy
  2. #22
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Originally posted by netstat any large/important site/service will be behind a ddos protection service like cloudflare nowadays, loic was fun 15 years ago but you would struggle to take down even a self-hosted blog with it in current year

    Nope. The attack is still partially effective. No 100% remedy had been devised to defeat the LOIC. And even just to mitigate the attack, they have to filter out all UDP and ICMP traffic in their firewalls, which is quite an inconvenience for both large and small service providers.
  3. #23
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL And when you find out who they are, you use the Low Orbit Ion Cannon on them, to teach them a good lesson.

    Instead we should reverse engineer the program responsible, and make our own version that uploads malware instead of telemetry.
  4. #24
    -SpectraL coward [the spuriously bluish-lilac bushman]
    I've found that the vast majority of systems already have a backdoor or two cleverly planted in them. All you have to do is find it, identify it, and then use author passwords and such to access it. Just port scan it, find out what ports are active, and then go from there.
  5. #25
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL I've found that the vast majority of systems already have a backdoor or two cleverly planted in them. All you have to do is find it, identify it, and then use author passwords and such to access it. Just port scan it, find out what ports are active, and then go from there.

    I already ran a port scan, and requested an intel report to follow up, it's in my reply a page back. Besides, there's no challenge in using a backdoor and designing the malware is half the fun.
  6. #26
    -SpectraL coward [the spuriously bluish-lilac bushman]
    I used to like to take well-known, powerful, sneaky, tiny rats and edit the code in them in such a way as to make them FUD again, convert them to HEX code, obfuscate the HEX, and then inject them from temporary FTP servers using driveby scripts. With many of them, all you have to do is move the breakpoint in the executable code, or just remove the parts of the code you don't really need in order to still open up a communications port, and the scanners no longer pick them up.
  7. #27
    aldra JIDF Controlled Opposition
    ok boomer
  8. #28
    aldra JIDF Controlled Opposition
    https://samy.pl/slipstream/

    really deserves its own thread but whatever

    something I've been interested in a while, tracing paths through nat, accessing internal services from the other side of the firewall by sending naughty NAT/ALG requests
  9. #29
    -SpectraL coward [the spuriously bluish-lilac bushman]
    ok genx'er
  10. #30
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL I used to like to take well-known, powerful, sneaky, tiny rats and edit the code in them in such a way as to make them FUD again, convert them to HEX code, obfuscate the HEX, and then inject them from temporary FTP servers using driveby scripts. With many of them, all you have to do is move the breakpoint in the executable code, or just remove the parts of the code you don't really need in order to still open up a communications port, and the scanners no longer pick them up.

    Setting or moving a breakpoint is what you do in the debugger, it adds an instruction that raises an exception or interrupt that the debugger can recognize and hook. Don't you mean an entry point in the case of code injection and ex post facto executable modification? You're conflating exceptions/interrupts that are already present in your executable, with debugger breakpoints and the concept/meaning of an entry point.

    Proper nomenclature is important. I'm just making sure we're all on the same page.

    Also, got a drive-by script, you'd be willing to paste in a code block?
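The breakpoint/entry-point distinction made in the post above, as an added illustration that is not code from the thread or from any participant: the entry point is a header field (AddressOfEntryPoint) that the loader reads, while a software breakpoint is an int3 byte (0xCC) a debugger writes over an instruction and restores later. The PE image here is constructed in memory and deliberately minimal (one .text section, a seven-byte stub instead of real code); the function names are the author's own and not from any library.

```python
import hashlib
import struct

INT3 = 0xCC  # x86 one-byte software breakpoint instruction a debugger writes


def build_sample_pe(entry_rva=0x1000, code=b"\x55\x89\xE5\x31\xC0\x5D\xC3"):
    """Construct a tiny PE32 image (constructed sample, not a real program):
    DOS header -> PE signature -> COFF header -> optional header -> one .text section."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint (RVA)
    sec = bytearray(40)
    sec[0:5] = b".text"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", sec, 8, len(code), 0x1000, 0x200, 0x200)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec)
    image = bytearray(0x200)
    image[:len(header)] = header
    image += code.ljust(0x200, b"\0")                    # .text raw data at file offset 0x200
    return bytes(image)


def entry_point(pe):
    """Read AddressOfEntryPoint from the headers and map the RVA to a file offset."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff_off + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff_off + 16)[0]
    opt_off = coff_off + 20
    entry_rva = struct.unpack_from("<I", pe, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    for i in range(num_sections):
        s = sec_off + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, s + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            return entry_rva, rawptr + (entry_rva - vaddr)
    raise ValueError("entry point RVA is not inside any section")


def set_software_breakpoint(image, file_offset):
    """What a debugger does: remember the original byte, overwrite it with int3."""
    patched = bytearray(image)
    saved = patched[file_offset]
    patched[file_offset] = INT3
    return bytes(patched), saved


def find_int3(image, start, length):
    """Offsets of int3 bytes inside a code range (a naive scan, ignores multi-byte opcodes)."""
    return [start + i for i, b in enumerate(image[start:start + length]) if b == INT3]


def demo():
    pe = build_sample_pe()
    rva, off = entry_point(pe)
    bp_image, saved = set_software_breakpoint(pe, off)
    return {
        "entry_rva": rva,
        "entry_file_offset": off,
        # The header field is untouched: a breakpoint does not move the entry point.
        "entry_unchanged_after_breakpoint": entry_point(bp_image) == (rva, off),
        "int3_positions": find_int3(bp_image, off, 7),
        "saved_byte": saved,
        # The file content did change, so any whole-file hash changes with it.
        "hash_changed": hashlib.sha256(pe).hexdigest() != hashlib.sha256(bp_image).hexdigest(),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for anyone reading disassembly or forensic output: a 0xCC found at the entry point is a patched instruction, not a changed entry point; the two live in different places in the file and are changed by different tools.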
  11. #31
    Sophie Pedophile Tech Support
    Originally posted by aldra https://samy.pl/slipstream/

    really deserves its own thread but whatever

    something I've been interested in a while, tracing paths through nat, accessing internal services from the other side of the firewall by sending naughty NAT/ALG requests

    Samy Kamkar's work is always interesting and innovative, i've been following him for a while now. Although i missed this particular project, i did try to recreate PoisonTap with my rPi Zero. I'll give the info a read, if you want to make a thread about the concept and/or execution i'd be interested in reading about it.
  12. #32
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Originally posted by Sophie Setting or moving a breakpoint is what you do in the debugger, it adds an instruction that raises an exception or interrupt that the debugger can recognize and hook. Don't you mean an entry point in the case of code injection and ex post facto executable modification? You're conflating exceptions/interrupts that are already present in your executable, with debugger breakpoints and the concept/meaning of an entry point.

    Proper nomenclature is important. I'm just making sure we're all on the same page.

    Also, got a drive-by script, you'd be willing to paste in a code block?

    Because of the way many virus definitions are put together, simply moving the breakpoint in the executable code to another place in the code causes the scanner to not get a string match, basically rendering the whole of the code FUD.
  13. #33
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL Because of the way many virus definitions are put together, simply moving the breakpoint in the executable code to another place in the code causes the scanner to not get a string match, basically rendering the whole of the code FUD.

    Yeah i know how checksums work. And FUD for static detection, isn't really FUD at all. The point is i don't know of any tool that will add a breakpoint somewhere just to change the checksum. It only has utility in a debugging scenario, if you're going through the trouble of adding/modifying instructions you're not just going to add a breakpoint and call it a day, generally you perform some manner of encoding like polymorphic XOR.
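The detection side of the disagreement in the two posts above, as an added example that is not code from the thread: a rule keyed on a whole-buffer hash fires only on the exact bytes, while a byte-pattern rule with wildcards over the bytes most likely to be touched (in the style of a YARA hex string) keeps matching when one instruction changes. Both byte sequences are constructed for the illustration and are not malware; the rule names and helper functions are the author's own.

```python
import hashlib
import re

# Constructed sample byte sequences (not real code from anywhere): a "known"
# sequence, and a variant in which the single 0xCC byte is replaced by a NOP.
KNOWN = bytes.fromhex("5589e583ec10c745fc00000000cc8b45fc83c00189c6c9c3")
VARIANT = KNOWN[:13] + b"\x90" + KNOWN[14:]


def hex_signature_to_regex(sig):
    """Compile a YARA-style hex string ("55 89 ?? e5") into a bytes regex; ?? matches any byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in sig.split()]
    return re.compile(b"".join(parts), re.DOTALL)


RULES = {
    # Whole-buffer hash: exact-content match only.
    "hash_known_sample": ("sha256", hashlib.sha256(KNOWN).hexdigest()),
    # Byte pattern anchored on the stable prologue and the later load, with
    # wildcards over the immediate and the byte that the variant changes.
    "pattern_prologue_store": ("hex", "55 89 e5 83 ec 10 c7 45 fc ?? ?? ?? ?? ?? 8b 45 fc"),
}


def scan(buf):
    """Return {rule_name: match_offset} for every rule that fires on buf."""
    hits = {}
    for name, (kind, value) in RULES.items():
        if kind == "sha256":
            if hashlib.sha256(buf).hexdigest() == value:
                hits[name] = 0
        elif kind == "hex":
            m = hex_signature_to_regex(value).search(buf)
            if m:
                hits[name] = m.start()
    return hits


if __name__ == "__main__":
    print("known  :", scan(KNOWN))    # both rules fire
    print("variant:", scan(VARIANT))  # only the wildcard pattern fires
```

For a detection engineer the point is the brittleness ranking, not the single-byte trick: hash rules are the first to stop firing, literal byte strings next, and wildcarded patterns on invariant code survive small edits; none of them survive encoding of the whole body, which is why the thread later turns to emulation.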
  14. #34
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Originally posted by Sophie Yeah i know how checksums work. And FUD for static detection, isn't really FUD at all. The point is i don't know of any tool that will add a breakpoint somewhere just to change the checksum. It only has utility in a debugging scenario, if you're going through the trouble of adding/modifying instructions you're not just going to add a breakpoint and call it a day, generally you perform some manner of encoding like polymorphic XOR.

    You can use any Exe editor to do it.

    http://www.angusj.com/resourcehacker/
  15. #35
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL You can use any Exe editor to do it.

    http://www.angusj.com/resourcehacker/

    I'm not trying to be annoying but you're still missing the point my dude.
  16. #36
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Originally posted by Sophie I'm not trying to be annoying but you're still missing the point my dude.

    No, you don't understand. What I'm saying is, just the act of moving the breakpoint location in the code is enough to evade most virus definitions.
  17. #37
    Sophie Pedophile Tech Support
    Originally posted by -SpectraL No, you don't understand. What I'm saying is, just the act of moving the breakpoint location in the code is enough to evade most virus definitions.

    If you had properly read the rest of what i was saying in my replies to you, you would have noticed that i do actually understand. However for some reason you don't want to engage with some of the deeper technical stuff i brought up. I'm sure you'd agree that polymorphic XOR encoding is better than simply changing a single instruction.
  18. #38
    aldra JIDF Controlled Opposition
    Originally posted by Sophie Samy Kamkar's work is always interesting and innovative, i've been following him for a while now. Although i missed this particular project, i did try to recreate PoisonTap with my rPi Zero. I'll give the info a read, if you want to make a thread about the concept and/or execution i'd be interested in reading about it.

    honestly it appears to exploit the handling of fragmented packets in old hardware more than anything else so it's not really a major thing, but I've been trying to get my head around how NAT works/can be exploited conceptually for a while now
  19. #39
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Anti-virus software uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in hopes of reliably detecting such malware.

    Emulation may be used to defeat polymorphic obfuscation by letting the malware demangle itself in a virtual environment before utilizing other methods, such as traditional signature scanning. Such a virtual environment is sometimes called a sandbox. Polymorphism does not protect the virus against such emulation if the decrypted payload remains the same regardless of variation in the decryption algorithm. Metamorphic code techniques may be used to complicate detection further, as the virus may execute without ever having identifiable code blocks in memory that remain constant from infection to infection.