Category: NT DEV

Big news appeared on 15 Feb 2011: the famous www.rootkit.com (run by HBGary) had been attacked, and the contents of its MySQL database and its e-mail were stolen and posted online. Being a huge fan of the book Rootkits: Subverting the Windows Kernel by Hoglund and Butler, I was an active member of the community there.
It is believed that the site http://dazzlepod.com/rootkit/ had published the user names and passwords of all accounts in clear text (and yes, mine too!). Since many users are in the habit of using the same password for every account, including their mail or Facebook, this posed a great risk.
The good thing is that the site has now removed the cleartext passwords, stating that they had the potential to compromise people's social-networking or mail accounts. But the backup of the MySQL db is still available for download at http://stfu.cc/rootkit_com_mysqlbackup_02_06_11.gz, and the password field in that database is only hashed.
So, can you see your password (clear text) in there? Yes, but it is now a DIY thing.
You will have to use JTR (the John the Ripper password cracker). The hashes are plain, unsalted MD5: MD5 is fast to compute and there is no salt, so a dictionary attack succeeds as soon as JTR is given a wordlist that contains the password (http://dazzlepod.com/site_media/txt/passwords.txt is one such list).
JTR is available at http://www.openwall.com/john/
  • Step 1: Download the backup, JTR and the dictionary (Ubuntu users will find john in Synaptic).
  • Step 2: Extract the .gz file and open the extracted file as text. Search for your login name and take your password's hash, which is the field next to the login name (I used nano to open the file and searched for my login name). Use only the first occurrence of your user name; the later ones are usually entries for comments and other data.
  • Step 3: Create a text file test.txt containing
    mypassword:<hash>
    without quotes, replacing <hash> with the hash you found in step 2. The text before the colon is only a label that JTR prints next to the cracked password; it does not need to be the password or the login name.
  • Step 4: Open a terminal and ask JTR to do its magic with the following command:

      john --wordlist=passwords.txt --format=raw-MD5 test.txt

    The raw-MD5 format comes with the community-enhanced ("jumbo") build of JTR; if john complains about an unknown format, get that build. Once it has finished, john --show test.txt prints the cracked password again.
That was easy.. the funny part is that it took 0.00 seconds to crack my password. I am thinking of increasing my password strength….
Now what???
If you or someone you know is a rootkit.com user, you must immediately change your password on every site where you used the same password. Go go go!!!
With all that being said and done, I feel that it is really unethical of someone to post such stuff online, posing a threat to other sites. However, it is our duty to stay vigilant and act on it as soon as possible. I am also the kind of person who likes to keep one password for all accounts (I know it is not recommended, but it is just easier this way) and hence had to go through a lot of settings and change-password pages. Thankfully, none of my accounts were compromised before I changed my password. Hope it is the same for you. :)

NT DEV

There are often cases where some unwanted program (mostly spyware and worms) tries to hide its activity by concealing itself with kernel-level techniques.
So, to uncover such processes, modules and threads, we have a driver, compiled with the Microsoft Windows DDK, that enumerates them from inside the kernel, where user-mode hiding tricks do not apply. The driver is compatible with Windows XP SP2 and SP3.

Downloads Section
The Driver(Zip File)

So what we have to do is just run InstDrv.exe (bundled in the zip file). As with all drivers, we first have to install my driver (TheOne.sys); this needs an administrator account, and like any third-party kernel driver it is best tried on a test machine or VM first.

To do this, start InstDrv by double-clicking on it, type in the path to TheOne.sys and click Install.

When it says "Operation Successful", click Start to start our driver.
OK, so we have our driver up and running.

To interface with the driver we also have a user-mode program (Enlist.exe, bundled in the zip), written in Microsoft Visual C++.
Run it to get the results from our driver. [screenshot of the message it prints]

The output on the console is not very readable, so enlist.exe writes the results to a LISTING.txt file created in the working directory.


Let's see what we have got in our LISTING.txt:

[screenshot of LISTING.txt]

As you can see, this also gives you the base address of each loaded module, so if you are viewing memory it is easy to locate them. The entries worth attention are the ones that appear here but not in Task Manager or any other user-mode listing: that difference is what the hiding technique was concealing.
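The check one actually does with such a listing, as an added example (my own code, not the page's Enlist.exe or driver): parse the kernel-side listing and diff it against the process IDs a user-mode view showed at the same moment. The line format parsed here ("<pid> <name> <hex base>") is my assumption, not the real LISTING.txt layout, and both inputs are constructed sample data.

```c
/* Added example, not the page's Enlist.exe or driver: the cross-view check done on the
 * driver's output. A process hidden from user mode still shows up in the kernel-side
 * listing, so whatever is in that listing but not in the user-mode view is the hidden set.
 * ASSUMPTION: listing lines look like "<pid> <name> <hex base>"; the real LISTING.txt
 * format is not given on the page. The sample data below is constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 64
typedef struct { unsigned pid; char name[32]; unsigned long base; } proc_rec;

/* Parse one "<pid> <name> <hex base>" line; returns 1 only if all three fields are present. */
int parse_listing_line(const char *line, proc_rec *out) {
    proc_rec r;
    if (sscanf(line, "%u %31s %lx", &r.pid, r.name, &r.base) != 3) return 0;
    *out = r;
    return 1;
}

/* Parse a newline-separated listing into recs; blank or malformed lines are skipped. */
int parse_listing(const char *text, proc_rec *recs, int max) {
    int n = 0;
    while (*text && n < max) {
        const char *nl = strchr(text, '\n');
        size_t full = nl ? (size_t)(nl - text) : strlen(text);
        char line[128];
        size_t len = full < sizeof line ? full : sizeof line - 1;   /* clamp over-long lines */
        memcpy(line, text, len);
        line[len] = '\0';
        if (parse_listing_line(line, &recs[n])) n++;
        text += full + (nl ? 1 : 0);
    }
    return n;
}

/* Cross-view diff: every kernel-side record whose pid is absent from the user-mode view is
 * copied to hidden[] (needs room for nk entries); returns how many there were. */
int find_hidden(const proc_rec *kern, int nk, const unsigned *visible, int nv, proc_rec *hidden) {
    int nh = 0;
    for (int i = 0; i < nk; i++) {
        int seen = 0;
        for (int j = 0; j < nv && !seen; j++) seen = (visible[j] == kern[i].pid);
        if (!seen) hidden[nh++] = kern[i];
    }
    return nh;
}

/* Constructed sample: what the driver reported (kernel view)... */
const char *SAMPLE_KERNEL_LISTING =
    "4 System 0x804d7000\n"
    "612 csrss.exe 0x4a680000\n"
    "1208 svchost.exe 0x01000000\n"
    "1776 hidden.exe 0x00400000\n";
/* ...and the pids Task Manager showed at the same moment (user-mode view). */
const unsigned SAMPLE_USER_PIDS[] = { 4, 612, 1208 };

/* Run the check on the sample; hidden[] (room for MAX_PROCS) receives the kernel-only entries.
 * Returns their count. */
int run_sample(proc_rec *hidden) {
    proc_rec kern[MAX_PROCS];
    int nk = parse_listing(SAMPLE_KERNEL_LISTING, kern, MAX_PROCS);
    return find_hidden(kern, nk, SAMPLE_USER_PIDS, 3, hidden);
}

int main(void) {
    proc_rec hidden[MAX_PROCS];
    int nh = run_sample(hidden);
    for (int i = 0; i < nh; i++)
        printf("hidden from user mode: pid %u %s base 0x%08lx\n",
               hidden[i].pid, hidden[i].name, hidden[i].base);
    return 0;
}
```

For modules the same diff works on the base address instead of the pid, since that is the field the listing gives you for locating them in memory.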

HOPE THIS HELPS….

NT DEV

These are tools written in C. Packer can be used to tail multiple files onto a Windows executable: the files are simply appended to the exe and a new executable is created.

Usage : pack (desired_exe) (file_1) (file_2)…

(desired_exe) - the name of the executable to generate, with the .exe extension.
(file_x) - the files to be tailed onto the exe. E.g.
pack theone.exe load.exe theone.sys
This copies the extractor (extract.exe), names the copy theone.exe and tails load.exe and theone.sys onto it. NOTE:
1) load.exe and extract.exe must be in the same folder.
2) The exe thus created, when executed, will try to run a tailed exe if there is one. With the above example, the generated theone.exe will:
a) extract the tailed files, and
b) execute load.exe, passing it whatever command-line arguments theone.exe itself was given. So we would call:
c:\>theone.exe theone.sys
which makes load.exe load theone.sys.
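How the append-and-extract container can work, as an added example in portable C. This is my own code, not the page's packer or extractor source; the trailer layout (an entry table followed by an 8-byte footer with a magic value) is an assumption, since the page does not give the original tool's on-disk format, and the step where the stub then runs the extracted load.exe is left out.

```c
/* Added example, not the page's packer or extractor source: the "append files to a stub
 * executable and pull them back out at run time" scheme the post describes, in portable C.
 * ASSUMPTION: the trailer layout below is my own; the page gives no on-disk format.
 * Running the extracted load.exe afterwards is left out, only the container is shown. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PK_MAGIC    0x4B434150u   /* assumed marker in the last 4 bytes, spells "PACK" */
#define PK_NAME_MAX 64
typedef struct { char name[PK_NAME_MAX]; uint32_t size; } pk_entry;  /* one per appended file */
typedef struct { uint32_t count; uint32_t magic; } pk_footer;         /* last 8 bytes of the exe */

/* Copy len bytes (to EOF if len < 0) from in to out; returns bytes copied or -1 on write error. */
static long copy_bytes(FILE *in, FILE *out, long len) {
    char buf[4096]; long done = 0;
    while (len < 0 || done < len) {
        size_t want = (len >= 0 && len - done < (long)sizeof buf) ? (size_t)(len - done) : sizeof buf;
        size_t got = fread(buf, 1, want, in);
        if (got == 0) break;
        if (fwrite(buf, 1, got, out) != got) return -1;
        done += (long)got;
    }
    return done;
}

/* Strip any directory part so a name read back from the trailer (e.g. "..\..\x.exe") cannot
 * make the extractor write outside its working directory. */
static const char *base_name(const char *p) {
    const char *s = strrchr(p, '/'), *b = strrchr(p, '\\');
    if (b > s) s = b;
    return s ? s + 1 : p;
}

/* Write [stub][file 1]...[file n][pk_entry x n][pk_footer] to out. Returns n, or -1 on error. */
int pk_pack(const char *stub, const char *out, const char **files, int n) {
    FILE *in = fopen(stub, "rb"), *o = fopen(out, "wb");
    pk_entry *tab = calloc((size_t)n + 1, sizeof *tab);
    int ok = in && o && tab && copy_bytes(in, o, -1) >= 0;
    for (int i = 0; ok && i < n; i++) {
        FILE *p = fopen(files[i], "rb");
        long sz = p ? copy_bytes(p, o, -1) : -1;
        if (p) fclose(p);
        ok = sz >= 0;
        snprintf(tab[i].name, PK_NAME_MAX, "%s", base_name(files[i]));
        tab[i].size = (uint32_t)sz;
    }
    pk_footer ft = { (uint32_t)n, PK_MAGIC };
    if (ok) ok = fwrite(tab, sizeof *tab, (size_t)n, o) == (size_t)n && fwrite(&ft, sizeof ft, 1, o) == 1;
    if (in) fclose(in);
    if (o) fclose(o);
    free(tab);
    return ok ? n : -1;
}

/* Read footer and table from the end of exe, write every payload as prefix+name.
 * Returns the number of files written, or -1 if there is no valid trailer. */
int pk_extract(const char *exe, const char *prefix) {
    FILE *f = fopen(exe, "rb");
    pk_footer ft;
    if (!f) return -1;
    if (fseek(f, -(long)sizeof ft, SEEK_END) != 0 || fread(&ft, sizeof ft, 1, f) != 1 ||
        ft.magic != PK_MAGIC) { fclose(f); return -1; }
    long table_off = ftell(f) - (long)sizeof ft - (long)(ft.count * sizeof(pk_entry));
    if (table_off < 0) { fclose(f); return -1; }       /* count claims more than the file holds */
    pk_entry *tab = calloc((size_t)ft.count + 1, sizeof *tab);
    if (!tab || fseek(f, table_off, SEEK_SET) != 0 || fread(tab, sizeof *tab, ft.count, f) != ft.count) {
        free(tab); fclose(f); return -1;
    }
    long data_off = table_off;                         /* payloads sit just before the table */
    for (uint32_t i = 0; i < ft.count; i++) data_off -= (long)tab[i].size;
    int written = 0;
    for (uint32_t i = 0; i < ft.count && data_off >= 0; i++) {
        char path[PK_NAME_MAX + 256];
        tab[i].name[PK_NAME_MAX - 1] = '\0';           /* never trust the trailer to terminate it */
        snprintf(path, sizeof path, "%s%s", prefix, base_name(tab[i].name));
        FILE *o = fopen(path, "wb");
        if (o && fseek(f, data_off, SEEK_SET) == 0 && copy_bytes(f, o, (long)tab[i].size) == (long)tab[i].size)
            written++;
        if (o) fclose(o);
        data_off += (long)tab[i].size;
    }
    free(tab);
    fclose(f);
    return written;
}

/* Round trip on constructed stand-ins for extract.exe, load.exe and theone.sys.
 * Returns how many payloads came back byte-for-byte intact: 2 on success. */
int pk_demo(void) {
    const char *names[] = { "pk_load.exe", "pk_theone.sys" };
    const char *bodies[] = { "loader stand-in", "driver stand-in bytes" };
    FILE *f = fopen("pk_extract.exe", "wb");
    if (!f) return -1;
    fputs("MZ stub: pretend this is the extractor executable", f); fclose(f);
    for (int i = 0; i < 2; i++) {
        if (!(f = fopen(names[i], "wb"))) return -1;
        fputs(bodies[i], f); fclose(f);
    }
    if (pk_pack("pk_extract.exe", "pk_theone.exe", names, 2) != 2) return -1;
    if (pk_extract("pk_theone.exe", "out_") != 2) return -1;
    int intact = 0;
    for (int i = 0; i < 2; i++) {                      /* compare what came back with what went in */
        char path[64], buf[64] = { 0 };
        snprintf(path, sizeof path, "out_%s", names[i]);
        if ((f = fopen(path, "rb")) && fread(buf, 1, sizeof buf - 1, f) == strlen(bodies[i]) &&
            strcmp(buf, bodies[i]) == 0) intact++;
        if (f) fclose(f);
    }
    return intact;
}

int main(void) {
    printf("round trip: %d of 2 payloads recovered intact\n", pk_demo());
    return 0;
}
```

Two details matter for anything that unpacks itself this way: the names stored in the trailer are attacker-controllable data once the file leaves your hands, so they are reduced to a bare file name before use, and the counts and sizes from the trailer are bounds-checked against the real file length before any seek.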
Since my driver is only for Windows XP and its sys file reports its results with DbgPrint, download DbgView (DebugView) from the link to see all processes, including hidden ones; the same output also appears in the WinDbg console if a kernel debugger is attached.

Screenshots :



download:
Executables (contains Packer and Extractor with a sample theone.exe)
Source Code (source for Packer and Extractor)

NT DEV

This is a tool I wrote in C. It can be used to load a driver (sys file) and start it. E.g.

load xyz.sys
This loads the sys file and starts a service named THEONE; after that it stops the service automatically. Stopping does not delete the service entry, which is why the next option exists. (The equivalent by hand is sc create THEONE type= kernel binPath= <full path to xyz.sys>, sc start THEONE, sc stop THEONE and finally sc delete THEONE.)

It can also be used with the -r option to remove a named service. E.g.
load -r THEONE
This removes the service named THEONE.

An exe with the source code can be found here.

NT DEV