Tuesday, June 27, 2017

TOOLS: Hide your WHID!

Installing the WHID Injector directly to the motherboard:

This quick how-to will help you get your WHID-Injector installed directly on a motherboard of your choosing...allowing for the stealthy deployment of WIRELESS RUBBER DUCKIES for red-teaming (and some fun). This will require some preparation and a few items...

1. Get yourself a WHID Injector:
https://github.com/whid-injector/WHID
-----

2. Salvage some unused USB attachment cables from an old computer:

-----

3. SNIP & attach the female USB connector to the female MOTHERBOARD connector (solder, tape, bubblegum):
-----

4. Plug WHID-Injector into female USB connector:
-----

5. Identify an available USB connection on the TARGET MOTHERBOARD (YES...THIS REQUIRES OPENING THE TARGET'S COMPUTER CASE):
-----

6. Plug WHID-Injector into USB CONNECTION & CLOSE COMPUTER CASE:
-----

7. Connect to WHID-Injector (over WiFi network), run payload...
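An implant wired to an internal header still enumerates as a USB device, so the defender-side check for the procedure above is a plain device inventory diff. The Python below is an added example, not the WHID project's code: it parses `lsusb`-style output, compares every VID:PID against a baseline recorded when the machine was built, and reports anything that was not there before. The baseline set, the sample `lsusb` lines and the `dead:beef` id are constructed; the WHID Injector's real VID:PID is not given on this page and is not assumed here.

```python
from __future__ import annotations
import re
import subprocess
from dataclasses import dataclass

# Matches the one-line-per-device format printed by `lsusb` on Linux:
#   Bus 001 Device 004: ID 1a2b:3c4d Vendor Product
LSUSB_LINE = re.compile(
    r"^Bus\s+(?P<bus>\d{3})\s+Device\s+(?P<dev>\d{3}):\s+ID\s+"
    r"(?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4})\s*(?P<desc>.*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class UsbDevice:
    bus: str
    dev: str
    vid: str
    pid: str
    desc: str

    @property
    def vidpid(self) -> str:
        return f"{self.vid}:{self.pid}"


def parse_lsusb(text: str) -> list[UsbDevice]:
    """Turn lsusb output into UsbDevice records; lines that do not match are ignored."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices.append(UsbDevice(m["bus"], m["dev"], m["vid"].lower(),
                                     m["pid"].lower(), m["desc"].strip()))
    return devices


def unexpected_devices(current: list[UsbDevice], baseline: set[str]) -> list[UsbDevice]:
    """Every device whose VID:PID was not recorded in the approved baseline."""
    return [d for d in current if d.vidpid not in baseline]


def snapshot_live() -> list[UsbDevice]:
    """Read the real device list on a Linux host with usbutils installed."""
    out = subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    return parse_lsusb(out)


# Constructed baseline: VID:PIDs captured at build time (root hubs plus a Logitech receiver).
BASELINE = {"1d6b:0002", "1d6b:0003", "046d:c52b"}

# Constructed sample output. "dead:beef" is a placeholder standing in for an unrecorded
# keyboard-class device; it is NOT the WHID Injector's real VID:PID.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 005: ID dead:beef Placeholder composite keyboard + serial device
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
"""

if __name__ == "__main__":
    for d in unexpected_devices(parse_lsusb(SAMPLE_LSUSB), BASELINE):
        print(f"UNEXPECTED: bus {d.bus} dev {d.dev} {d.vidpid} {d.desc}")
```

Run it from a boot-time job or an endpoint agent and alert on the unexpected list. USBGuard can turn the same allowlist into enforcement instead of detection, and a keyboard-class device showing up on a box that should have no keyboard attached (a server, a kiosk) is the cue to look inside the case.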


http://www.eeggs.com/items/48580.html

Sunday, June 18, 2017

BLACKLIST: McPhishin' Detected!

The Case of the Dirty Ron's Dirty Domain:


So there I was...testing out an OSINT/NextPivot tool & performing info gathering around 'mcdonalds.com' when I came across a BLACKLISTED domain in their digital asset pool:

                      mcencasa.com

(Screenshot from kryio.com)
Why does McDonald's have a domain that is currently blacklisted?!?!

BLACKLISTED BY:
Google Safe Browsing
McAfee Site Advisor
Virus Total

Taking a closer look at the domain reveals that a previous owner may have used it for PHISHING and then lost it in a dispute.

Excerpt below from 'http://www.wipo.int/amc/en/domains/decisions/text/2015/d2015-0956.html':
The Respondent registered the disputed domain name and then redirected it to a Web site ("www.mcencasa.com") in which it created an appearance that consisted of appearing before the Internet user as if it were an official site of the Claimant. Indeed, it reproduced the distinctive signs of the Complainant which, in the Expert's view, implies a clear violation of the Policy. That is, knowing the existence of trademark rights, the Respondent proceeded to register.

More info...
http://www.wipo.int/amc/en/domains/search/case.jsp?case=D2015-0956
https://www.dndisputes.com/case/d2015-0956/

I'm not investing any more time on this McRabbithole but wanted to leave a nibblet here in case anyone else is curious. I personally believe BLACKLISTING can work, but it relies on having accurate, clean, real-time data. If this domain is not a threat...then it shouldn't be on the current lists...


However...the sites below tell us to WATCH OUT...for McPhishin'!


https://www.google.com/transparencyreport/safebrowsing/diagnostic/?hl=en#url=mcencasa.com


https://www.virustotal.com/en/url/635588d4160e7f43a2ab1935efb5f217b339adb92ed16d8c471ceaf40bc5fca4/analysis/

https://www.siteadvisor.com/sites/mcencasa.com
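The point about blacklists above is really one about data freshness: a listing that was last verified before a domain changed hands describes the previous registrant, not the current one. The Python below is an added triage heuristic, not anything from the blacklist operators or from the OSINT tool mentioned in the post: it takes one listing per reputation source with a `last_verified` date plus the date the domain was transferred, and decides block / review / allow. The `last_verified` field, the 180-day window, the transfer date and all per-source dates are constructed placeholders (the real transfer date would come from the WIPO decision linked above).

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Listing:
    source: str          # reputation feed that reports the domain
    verdict: str         # "phishing", "malware", "clean", ...
    last_verified: date  # assumed field: when that feed last re-checked the domain


MAX_AGE = timedelta(days=180)  # assumed re-verification window; tune per feed


def classify_listing(listing: Listing, transfer_date: Optional[date], today: date) -> str:
    """Decide whether one feed's verdict still describes the current owner of the domain."""
    if listing.verdict == "clean":
        return "clean"
    if transfer_date is not None and listing.last_verified < transfer_date:
        return "stale-predates-transfer"   # verdict is about the previous registrant
    if today - listing.last_verified > MAX_AGE:
        return "stale-aged"                # nobody has re-checked it recently
    return "current"


def triage(domain: str, listings: list[Listing],
           transfer_date: Optional[date], today: date) -> dict:
    """Merge per-source states into one decision: block on any current hit,
    review when every hit is stale, allow when nothing bad is listed."""
    states = {l.source: classify_listing(l, transfer_date, today) for l in listings}
    if any(s == "current" for s in states.values()):
        decision = "block"
    elif any(s.startswith("stale") for s in states.values()):
        decision = "review"
    else:
        decision = "allow"
    return {"domain": domain, "decision": decision, "sources": states}


# Constructed inputs. TRANSFER_DATE is a placeholder for the date in WIPO D2015-0956;
# the per-source dates are invented for illustration only.
TRANSFER_DATE = date(2015, 8, 1)
TODAY = date(2017, 6, 18)
LISTINGS = [
    Listing("Google Safe Browsing", "phishing", date(2017, 6, 10)),
    Listing("McAfee SiteAdvisor", "phishing", date(2015, 3, 1)),
    Listing("VirusTotal", "phishing", date(2017, 6, 1)),
]

if __name__ == "__main__":
    print(triage("mcencasa.com", LISTINGS, TRANSFER_DATE, TODAY))
```

With the constructed data the verdict is still "block", because two feeds re-verified after the transfer; the SiteAdvisor hit is tagged as predating the transfer and is the one a clean-up request should quote.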

IN THE WILD: XSS over Whois

When your carrots try to fight you!


Was doing a bit of rabbitholin' when I came across an interesting looking domain: n0rb3r7.com. The domain was registered with Cross-Site Scripting (XSS) payloads placed in some of the WHOIS contact fields. This creates a nice WATERING HOLE type attack vector: when users query public WHOIS LOOKUP websites, the unsanitized fields come back as rendered JAVASCRIPT packed with goodies. Below are some of the sites we observed not validating/sanitizing output for their users (excluding ICANN, which is safe for now). Doh!

NIBBLET: Appears to be the work of a 'Chase Miller'. Well played sir...
https://hackerone.com/n0rb3r7?sort_type=latest_disclosable_activity_at&filter=type%3Aall%20from%3An0rb3r7&page=1&range=forever
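The lookup sites listed below make the classic mistake of concatenating registrant fields straight into their HTML. The Python below is an added example, not code from any of those sites: it parses a constructed WHOIS reply (two contact fields carry markup, the same class of abuse as the n0rb3r7.com record), shows the vulnerable rendering next to the escaped one, and flags fields that look like markup so a lookup service can log them. The WHOIS text and the `MARKUP-IN-WHOIS.TEST` name are constructed.

```python
from __future__ import annotations
import html
import re

# Constructed WHOIS reply (not the real n0rb3r7.com record): two contact fields carry markup.
RAW_WHOIS = (
    "Domain Name: MARKUP-IN-WHOIS.TEST\n"
    "Registrant Name: <script>alert('whois-xss')</script>\n"
    "Registrant Organization: \"><img src=x onerror=alert(1)>\n"
    "Registrant Street: 123 Carrot Lane\n"
    "Name Server: NS1.MARKUP-IN-WHOIS.TEST\n"
    "Name Server: NS2.MARKUP-IN-WHOIS.TEST\n"
)

# Anything that could open a tag, start a script: URL or attach an event handler.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript\s*:|\bon[a-zA-Z]+\s*=", re.IGNORECASE)


def parse_whois(text: str) -> list[tuple[str, str]]:
    """Split 'Key: Value' lines into ordered pairs; repeated keys (Name Server) are kept."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def flag_markup(pairs: list[tuple[str, str]]) -> list[str]:
    """Keys whose values look like HTML/JS. For logging and alerting only; escaping is the fix."""
    return [k for k, v in pairs if MARKUP_RE.search(v)]


def render_unsafe(pairs: list[tuple[str, str]]) -> str:
    """The pattern the vulnerable lookup sites use: raw WHOIS values dropped into HTML."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in pairs)
    return f"<table>{rows}</table>"


def render_safe(pairs: list[tuple[str, str]]) -> str:
    """Hardened: every untrusted string is HTML-escaped (quotes included) at the point of output."""
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td><td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in pairs
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    pairs = parse_whois(RAW_WHOIS)
    print("fields carrying markup:", flag_markup(pairs))
    print("unsafe:", render_unsafe(pairs))
    print("safe:  ", render_safe(pairs))
```

WHOIS data is attacker-controlled input and has to be escaped for the context it lands in: `html.escape` covers text nodes and quoted attributes, while URL and JavaScript contexts need their own encoders. A Content-Security-Policy without `unsafe-inline` limits the damage when one field is missed; the detector above is telemetry, not a substitute for the escaping.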


ICANN Whois Lookup for 'n0rb3r7.com':
(NOTE: Safe to View / NO XSS rendered!)

https://whois.icann.org/en/lookup?name=n0rb3r7.com

UNSAFE WHOIS RESULTS FOR 'n0rb3r7.com':

(NOTE: XSS IS LIVE! THESE CARROTS WILL ATTACK!)


1. WHOIS.COM -  hXXps://www[.]whois[.]com/whois/n0rb3r7.com

-----------------------------------------------------------------------------

2. WA-COM.COM -   hXXp://wa-com[.]com/n0rb3r7.com

-----------------------------------------------------------------------------

3. TUCOWS -  hXXp://www[.]tucowsdomains[.]com/whois

-----------------------------------------------------------------------------

4. WHOISOLOGY -  hXXps://whoisology[.]com/n0rb3r7.com

-----------------------------------------------------------------------------

5. DNSSTUFF --

hXXp://www[.]dnsstuff[.]com/tools#whois|type=domain&&value=n0rb3r7.com

-----------------------------------------------------------------------------

6. PUREWHOIS -  hXXps://www[.]purewhois[.]com/index.php

-----------------------------------------------------------------------------

7. WHOISXMLAPI -- 

hXXps://www[.]whoisxmlapi[.]com/?domainName=n0rb3r7.com&outputFormat=xml

Saturday, June 17, 2017

Lost Rabbit Labs

Welcome to 'Lost Rabbit Labs':

Here you will find information & tools to assist you with all your rabbit-holin' adventures.

No Rabbit Left Behind!
Our mission is to ensure the safe return of all rabbits along with their rewards...the carrots. We will be sharing custom tools and offering a sandbox for all rabbits to collaborate & share ideas and information. More info below and over there ---------->

  • OSINT techniques
  • DARKNET Research
  • REDTEAM tools
  • NEXT-PIVOTing
  • SECURITY Research
  • THREAT Intel
  • INFO Sharing

"I knew I shoulda taken that left turn at Albuquerque!"