Sandbox evasion: Identifying Blue Teams

12 de October de 2020 Por

Last March, Roberto Amado and I (Víctor Calvo) gave a talk at RootedCON 2020 titled Sandbox fingerprinting: Avoiding analysis environments. The talk consisted of two parts, the first of which dealt with classifying public sandbox environments for malware analysis, and the second with demonstrating whether it was possible to identify and even attack the person analyzing our samples. This second part is the one that will occupy this entry.

Introduction

During Red Team exercises it is always important to know who you are dealing with, their security measures and who is managing them. At this point we wondered if it would be feasible to reach the Blue Team and to know if our devices had been identified and if they were still useful in the exercise.

With this approach, we focused on malware analysis websites such as VirusTotal, Any.run, Hybrid Analysis… which are continually consulted by analysts to find information on samples or analyze them. The results are displayed on the web interface of these tools, showing useful information for the analysts such as IP addresses or domains to which they connect, commands executed, payloads introduced and a long list dedicated to making the life of the defenders easier.

With this information in mind, our approach was to find vulnerabilities in the web interface of these services in order to identify users. Cross-site scripting (XSS) was the perfect option for this task.

[Read more…]

Some vulnerability in ASUS routers

25 de January de 2018 Por

A few months ago, I changed my old TP-LINK router to an ASUS. Since it is the de facto manufacturer recommended by my ISP, in order to avoid any complications that could lead to delays in getting my Internet up and running I decided to go with it.

Then comes a lonely afternoon of boredom, or perhaps out of habit (I wanted to start writing a report:D), so I start by trying a little apostrophe here, a marquee as the Wi-Fi name, , command execution in one of the network diagnostic pages and a long list of etc. In the end, one thing leads to another (you know how that goes…), you get involved and when you’re conscious you have Burp or ZAP open, you’ve gone over halfway through OWASP and you’ve been looking for hours for something to play with, something interesting to see how safe your brand-new router is. [Read more…]