Deobfuscating the PowerShell Code to get IOCs

Malicious actors often obfuscate their code to bypass antivirus or to make reverse engineering harder. Here I got a sample from Hybrid Analysis and will show you how to deobfuscate it. I’ve been enjoying these a lot and hope you will love it as well.
The sample I got is a document with the hash 7cb3fa5500d7ddbfa9631df5d3dff5.
You can get the sample from here. I’ll be using Notepadqq on my Ubuntu, but you can use Notepad++ if you are on Windows.

  1. Get the base64 of the code from here and decode it using https://www.base64decode.org/
  2. I copied the decoded base64 stream to my notepad, but it doesn’t look much clearer yet.
  3. Now delete some of those redundant characters to deobfuscate the stream. Here I replace the letters in ‘’ with a single space, using “Replace all”.
  4. Not readable yet! But at least we can see a clear decimal format. So, I’ll be using rapidtables.com to convert this piece into readable format.
  5. Now you have those malicious links from where the payload will be downloaded.
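The five manual steps above (base64 decode, replace the filler letters with spaces, convert the decimal character codes back to text, pull out the URLs) can be scripted so the same layering is handled in one pass. The following is an added example and is not code from the original post; it builds its own constructed sample rather than using the Hybrid Analysis document, the filler letters `kQz`, the placeholder URLs under `.invalid`, and the function names are all assumptions, and it additionally handles the UTF-16LE encoding that PowerShell encoded commands use, which the post does not mention.

```python
import base64
import re

# Filler letters that sit between the decimal character codes in the
# constructed sample (the write-up replaces such letters with a single space
# using "Replace all"). Assumed for this example only.
FILLER = "kQz"

# Constructed second stage with two placeholder URLs (not real IoCs).
# Only used to build the sample blob below.
PLAINTEXT = ("$a='http://example.invalid/payload.bin';"
             "$b='https://test.invalid/drop/stage2.ps1';"
             "Invoke-Stage $a $b")


def encode_like_sample(text: str) -> str:
    """Build the obfuscated blob for the demo: every character becomes its
    decimal code, codes are separated by cycling filler letters, the result is
    wrapped in a small PowerShell-style stub and base64-encoded as UTF-16LE
    (the encoding PowerShell's -EncodedCommand expects). Constructed sample."""
    parts = []
    for i, ch in enumerate(text):
        parts.append(str(ord(ch)))
        parts.append(FILLER[i % len(FILLER)])
    stage = "$p='" + "".join(parts) + "';"
    return base64.b64encode(stage.encode("utf-16le")).decode("ascii")


def decode_base64_stage(b64: str) -> str:
    """Step 1: base64-decode. PowerShell encoded commands are UTF-16LE, so fall
    back to that decoding when the raw bytes contain NUL bytes."""
    raw = base64.b64decode(b64)
    if b"\x00" in raw:
        return raw.decode("utf-16le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def strip_filler(stage: str, filler: str = FILLER) -> str:
    """Step 3: replace each filler letter with one space (the editor's
    'Replace all'), leaving the decimal codes separated by whitespace."""
    return re.sub("[" + re.escape(filler) + "]", " ", stage)


def decimal_codes_to_text(cleaned: str) -> str:
    """Step 4: turn every run of decimal digits into its character (what the
    rapidtables converter does by hand). Non-printable codes are dropped."""
    out = []
    for tok in re.findall(r"\d+", cleaned):
        n = int(tok)
        if 32 <= n <= 126:
            out.append(chr(n))
    return "".join(out)


# Quotes are deliberately excluded so a URL inside '...' stops at the quote.
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")


def extract_iocs(b64_blob: str) -> list[str]:
    """Whole pipeline, step 1 through step 5: returns the unique URLs found."""
    stage = decode_base64_stage(b64_blob)
    cleaned = strip_filler(stage)
    text = decimal_codes_to_text(cleaned)
    return sorted(set(URL_RE.findall(text)))


# The constructed blob that stands in for the base64 taken from the document.
SAMPLE_B64 = encode_like_sample(PLAINTEXT)

if __name__ == "__main__":
    print("decoded stage starts with:", decode_base64_stage(SAMPLE_B64)[:60])
    for url in extract_iocs(SAMPLE_B64):
        print("IOC:", url)
```

Running the script prints the two placeholder URLs. For a real sample, paste the base64 from the document into `SAMPLE_B64` and set `FILLER` to whatever letters the author sprinkled between the numbers; if the decoded stage still is not readable, look for a further layer (for example a second base64 string or a character-code scheme in hex rather than decimal) and add a matching step.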

This is just one way to deobfuscate malware code; you can do the same for other samples as well, or you can use the available tools!!
Enjoy the fun stuff!! 🙂

Phishing with KALI – Social Engineering Toolkit

“There is no need to penetrate a network when you can breach the people who run it” – Unknown

Whoever said that is so right, isn’t it? And phishing has become so common these days. Anyway, here I am going to show you another wonderful tool from my favorite Kali.

To launch this tool you can just type “setoolkit” in a terminal, or you can go to Applications -> Social Engineering Toolkit, which will take you to the tool [as in screenshot 2].


Select 1 (Social-Engineering Attacks) from the options.
And after selecting “Website Attack Vectors”, choose “Credential Harvester Attack Method”.


So, here you have an option: Web Template or Site Cloner. If you are planning to clone one of the built-in templates (Facebook, Gmail or Yahoo), you can go with the first; if you want to clone a different site, choose the second option.

Before going any further, open another terminal and check the IP of your machine.


Enter your IP when asked and remember not to close your terminal.


Go to a browser and enter your IP; you can also make the IP look like a URL by using any of the TinyURL services available.


Wow! Now it’s time to harvest those credentials. 🙂 Go to the directory /var/www/html
Now, enter a command to list all the files in the directory.


Copy the one that you want to see and enter the command below to display the contents of the file, and here we go:


So, this was one of the things you can do with this tool. To make it work over the internet, you need to use your public IP and port forward it over port 80. Enjoy your hack and make sure not to use it for wrong purposes or you will be in trouble. 🙂