|Time Attack (1/2)|

The Shizo is in touch
Preface.

So, I'm sitting quietly, writing shit code, reading boring work and a lot of routine, when suddenly I get a message to the toad with a question about "time attacks" and an article from a person whose category I have already described: "ananimity" is not achieved in any way, again they write about 100% and bubu. So it is clear to everyone that it is not possible to achieve such anonymity of the USER, anonymity itself with close to 100% can be modeled when the actual moron departs from the device (I also mean myself). Stop shaking around this thesis already. As many people write that the special services will "click" your device in an instant, because they have a rubber budget (we do not take into account the FSB)  and supposedly there is a strong interest in your personality and they think that they will use the software and hardware of digital forensics, with strong enthusiasm they will pull out EDS (electronic digital traces), and send the hardware to the SEU (forensic institutions). Yeah, it's funny. I repeat once again: it all depends on how much they inherited, to whom they shat, to what extent the damage was caused, interest from state bodies or rarely - private offices and many more factors. I think it became clear, at least a little.

Now let's move on to the actual question. 
What is a "time attack"?  
This is one of the vectors of attacks aimed at deanonymizing someone, associated with weak control over the IB time synchronization policy (leakage of the present time spent by it on access to the resource), during which information about the time on the user's device is obtained (it is the present, and not which is spoofed /changed in the system settings). So there are a lot of Time Attack vectors: 

🗝Application-level Traffic
🗝Denial of Service
🗝Locating Onion Services
🗝Remote Code Execution
🗝Remote Device Fingerprinting
🗝Replay Attacks

There are also vectors of clock leaks (Clock Leak Attack):

🔑ICMP Timestamps
🔑NTP Clients
🔑TCP Initial Sequence Numbers (ISNs)
🔑TCP Timestamps
There is material about time synchronization mechanisms in detail at whonix.

|Time Attack (2/2)|

The most interesting thing is that there is protection from it, it will be discussed further.

For the most part , sdwdate(github) is used

 to fight in conjunction with software that moves the clock a few seconds and nanoseconds into the past or future during boot (boot time) randomly (not infrequently pseudorandom) or in another way is called Boot Clock Randomization, although sdwdate performs a similar function (to some extent). In this way, you can confidently protect yourself from removing the time-base fingerprint and just from setting the connection time, which I wrote about above. The main thing is to use sdwdate (which, as it were, also randomizes the system clock), by the way, it will be much safer than using programs to synchronize and set the 

system time:rdate and ntpdate

But, as practice has shown, sdwdate can incorrectly randomize the clock, so it is better to use it in conjunction with the aforementioned 

bootclockrandomization

As a counter-measure to the attack on obtaining TCP ISN CPU information, tirdad was developed . Also better yet:

🔧disable TCP timestamps (TCP timestamp) using kernel sysctl
🔧Don't forget to work with iptables to restrict (block) incoming ICMP messages and traffic.
🔧remove the timer output function from the Linux TCP ISN code (tirdad cited above, but you can also use handles)
So, in principle, it is possible to protect yourself from Time Attack, and successfully, only a lot will depend on your vigilance, the desire to dig into the technical documentation of the tools above, to dig in general into the abyss associated with time synchronization, attacks and counter-measures. And in the end, it will already be considered one of the last arrays of attack vectors that will be used to establish identity after the events in which you will be accused (attacking and causing any losses, in the case of an attempt to commit a crime, this is rarely used).
All these tools and add-ons are already in 

whonix and QubeOs.

The post will be updated over time, subsequently testing attacks and protecting against them in his small computer lab.

#shizo #privacy #timeAttack

Никуда не пропал, просто отдыхал.
Сейчас скину интересный репозиторий для пользователей chromium-based браузеров и продолжаю писать новые материалы.
I didn't disappear anywhere, I was just resting.
Now I will throw off an interesting repository for users of chromium-based browsers and continue to write new materials.

|Dump Chrome cookies on a remote host|

🛡Только в образовательных целях!
На примере этого репозитория можно посмотреть, как расширение в chrome-based браузерах модифицировать и дампить с его помощью кукисы на удалённую машину(хост). Автор приводит в пример видоизменённое расширение Cookiebro , которое будет вам отправлять кукисы жертвы. А вот каким образом вы заставите жертву установить его - думайте сами, подкину не самый список тактик с описанием от MITRE ATT&CK, хотя простейший способ описан итак в репе(но не подробно, дальше - ищите и включайте голову), так же и описано, как работает.
Повторюсь для новых подписчиков, зачем скидываю такие материалы. А затем, чтобы знали, как на вас могут напасть, а дальше начали размышлять о контр-мерах различным видам атак.

Почитал ещё тут про этот способ, проверил сам и хочу дополнить:
данный метод не требует удалённый отладчик, а также DPAPI или Keychain, что облегчает написание кода и процесс заражения для дампа кукисов. Поэтому при запуске chromium-based браузеров советую следить за родительскими процессами, которые порождает браузер и искать подозрительные, либо как вариант попроще - смотреть, чтобы chromium-based браузер запускался без аргумента --load-extension.

🛡For educational purposes only!
Using the example of this repository, you can see how an extension in chrome-based browsers can be modified and used to dump cookies to a remote machine (host). The author gives an example of a modified Cookiebro extension , which will send you the victim's cookies. But how you will force the victim to install it - think for yourself, I will throw up not the most list of tactics with a description from MITRE ATT&CK , although the simplest method is described in repo (but not in detail, then look for and turn on the head), it is also described how it works.
I repeat for new subscribers, why do I throw off such materials. And then, so that they know how you can be attacked, and then they began to think about countermeasures to various types of attacks.

I read more here about this method, checked it myself and I want to add:
this method does not require a remote debugger, as well as a DPAPI or Keychain, which makes it easier to write code and the infection process for the cookie dump.Therefore, when launching chromium-based browsers, I advise you to monitor the parent processes that the browser generates and look for suspicious ones, or, as an easier option, make sure that the chromium-based browser starts without the --load-extension argument.

#chromium #dump

|Configuring IPsec Virtual Private Networks|

В 2020 году в начале пандемии, АНБ опубликовало руководство по конфигурированию IPsec VPN сетям, в котором
уделяется не мало внимания криптографии для обеспечения защиты информации, передаваемой в сети.
Вообще, изначальная концепция VPN - предоставление удалённого доступа, а также что не мало важно - безопасность этого подключения и если мы будем использовать дефолтные конфиги, то ничем хорошим это не закончится, как и глупое выполнение первых попавшихся руководств в интернете, а также халатное отношение к обновлению ПО и мониторингу за актуальными уязвимостями и патчами к ним. Также кайф в том, что тут не просто рекомендации, а ещё и примеры реализации и приведены рабочие настройки IPsec VPN. Приложу скрин из руководства с Q&A, он на последней странице(в аппендиксе), так что советую прочитать до конца.

In 2020, at the beginning of the pandemic, the NSA published a guide on configuring IPsec VPN networks, which
pays a lot of attention to cryptography to ensure the protection of information transmitted on the network.
In general, the initial concept of VPN is the provision of remote access, and also, not least, the security of this connection, and if we use default configs, it will not end well, as well as the stupid execution of the first manuals on the Internet, as well as negligent attitude to software updates and monitoring of current vulnerabilities and patches to him. Also, the buzz is that there are not just recommendations, but also implementation examples and working IPsec VPN settings. I will attach a screenshot from the Q&A manual, it is on the last page (in the appendix), so I advise you to read to the end.

#vpn

|Vulnerability in Linux Kernel Can Be Used To Root Android|

Думаю и без меня уже читали/слышали/пробовали проэксплуатировать уязвимость в ядре Linux 5.8(cve.mitre), было опубликовано много материалов про "Dirty Pipe"(количество репозиториев с уязвимостью на гите просто зашкаливает ). Теперь же наткнулся на статью про получение рут прав на андроиде с помощью этой уязвимости, а как мы знаем многие андроиды редко получают патчи безопасности, что даёт возможность атакующим рутовать устройство. А дальше сами знаете, что в дальнейшем может сделать нападающий с таким девайсом. Хотя есть плюс в таком способе рутования по собственному желанию - отключения root в любое время.
DirtyPipeAndroid(PoC)

I think they have already read/heard/tried to exploit the vulnerability without me in Linux kernel 5.8 "Dirty Pipe"(cve.mitre), a lot of materials have been published (the number of repositories with vulnerability on github just rolls over). Now I came across an article about getting root rights on android using this vulnerability, and as we know, many androids rarely get security patches, which makes it possible for attackers to root the device. And then you know yourself what an attacker can do with such a device in the future. Although there is a plus in this method of rooting at will - disabling root at any time.
DirtyPipeAndroid(PoC)

#cve #poc

|CVE-2022-22954 PoC|

🛡Только в образовательных целях!
А вот и подъехал PoC для уязвимости CVE-2022-22954, предполагающее rce при внедрении шаблонов на стороне сервера, влияющая на VMware Workspace ONE Access и Identity Manager.
Недавно выходил патч безопасности от VMware.
Интересно то, что при успешной атаке, rce может произойти для неаутентифицированного пользователя.
PoC
CVE-2022-22954

🛡For educational purposes only!
And here comes the PoC for the vulnerability CVE-2022-22954, suggesting rce when implementing server-side templates, affecting VMware Workspace ONE Access and Identity Manager.
A security patch from VMware was recently released.
Interestingly, with a successful attack, rce can occur for an unauthenticated user.
PoC
CVE-2022-22954

#cve #poc #rce #VMware

|List of ransomware decryptors|

🔐Продолжаю тему с обнаружением и борьбой с зловредами(для обывателя, а не вирусного аналитика, хотя некоторые тулзы могут быть интересны и им).
Подготовил список с декрипторами рансомвари(трояны-вымогатели), с этим в принципе может каждый столкнуть и лучше иметь набор инструментов для борьбы с ними.
Ниже привожу, как онлайн инструменты, так и требующие установки(перед инсталляцией проверяйте сами тулзы на содержание зловредов, ведь всякое бывает)
Список будет пополняться.

🔐I continue the topic with detection and the fight against malware (for the layman, not the virus analyst, although some tools may be interesting to them).
I have prepared a list with ransomware decryptors (ransomware Trojans), in principle, anyone can face this and it is better to have a set of tools to deal with them.
Below I cite both online tools and those requiring installation (before installation, check the tools yourself for the content of malware, because anything happens)
The list will be updated.

🗝Ransomware Decryption Tools
🗝identifies ransomware
🗝PrometheusDecryptor
🗝MaMoCrypt Decryption
🗝Ransomware Decryptors
🗝Ransomware Decryptors(kaspersky)
🗝Ransomware Decryption
🗝nomoreransom
🗝DarksideDecryption
🗝87 Ransomware Decryptors

#shizo #ransomware #decrypt

|Nginx 18.1 zero-day|

🔥А вот и подъехала новость о зеродеи разработанном BrazenEagle, связанный с ldap-auth Nginx и позволяющая проводить LDAP- инъекции
Nginx 0-day

🔥And here came the news about the zerodei developed by BrazenEagle, associated with ldap-auth Nginx and allowing LDAP injections
Nginx 0-day

#zer0day

|CVE-2022-21907|
HTTP Protocol Stack RCE Vulnerability
CVSS score:3.1 9.8

🛡Только в образовательных целях!
Это уязвимость, которая сама может заражать другие уязвимые устройства самостоятельно, по-другому такой тип ещё называется wormable и связана с стеком протоколов HTTP(http.sys). Атакующий, который не был аутентифицирован, может отправить созданный для атаки пакет на атакуемый сервак. Также, хочу отметить, что атака может осуществляться на уровне протокола через один или несколько сетевых переходов. Что не мало важно уязвимая система может быть проэксплуатирована без вмешательства и взаимодействия самой жертвы. Список затронутых версий windows большой, на скрине, который приложил выше, можете посмотреть.

Приведу несколько репозиториев с PoC данной уязвимости:
📎тык1
📎тык2
Наткнулся ещё на DoS эксплоит на основе этой уязвимости. Пользоваться очень просто:
./cve-2022-21907.py -t 184.50.9.56 -p 80 -v 4 - думаю, что прикол с ip - поняли

🛡For educational purposes only!
This is a vulnerability that can infect other vulnerable devices on its own, in another way, this type is also called wormable and is associated with the HTTP protocol stack(http.sys ). An attacker who has not been authenticated can send a packet created for the attack to the attacked server. Also, I want to note that the attack can be carried out at the protocol level through one or more network transitions. What is not a little important, a vulnerable system can be exploited without the intervention and interaction of the victim himself. The list of affected versions of windows is large, you can look at the screenshot attached above.

Here are a few repositories with the PoC of this vulnerability:
📎 click1
📎 click2
I came across another DoS exploit based on this vulnerability. It is very simple to use:
./cve-2022-21907.py -t 184.50.9.56 -p 80 -v 4 - I think that the joke with the ip is understood

#shizo #rce #cve #poc