Mayara S2 Felipe: 05/16/20

sábado, 16 de maio de 2020

Remot3d - An Easy Way To Exploiting

Lockdoor-Framework: A PenTesting Framework With Cyber Security Resources

About Lockdoor-Framework
Author: SofianeHamlaoui

Tested on: Kali Linux, Ubuntu, Arch Linux, Fedora, OpenSuse and Windows (Cygwin)

LockDoor is a Framework aimed at helping penetration testers, bug bounty hunters And cyber security engineers. This tool is designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. But containing the favorite and the most used tools by Pentesters. As pentesters, most of us has his personal ' /pentest/ ' directory so this Framework is helping you to build a perfect one. With all of that ! It automates the Pentesting process to help you do the job more quickly and easily.

Lockdoor-Framework installation:
For now, Lockdoor-Framework supports Debian-based Linux distros (Kali Linux, ParrotSec, Ubuntu...), Arch Linux based distros (Manjaro, BlackArch, ArchStrike...), Fedora, OpenSuse, Cygwin on Windows.

Open your Terminal and enter these commands:

You can watch detail here:

Lockdoor Tools contents 🛠️:
* Information Gathering 🔎:

dirsearch: A Web path scanner
brut3k1t: security-oriented bruteforce framework
gobuster: DNS and VHost busting tool written in Go
Enyx: an SNMP IPv6 Enumeration Tool
Goohak: Launchs Google Hacking Queries Against A Target Domain
Nasnum: The NAS Enumerator
Sublist3r: Fast subdomains enumeration tool for penetration testers
wafw00f: identify and fingerprint Web Application Firewall
Photon: ncredibly fast crawler designed for OSINT.
Raccoon: offensive security tool for reconnaissance and vulnerability scanning
DnsRecon: DNS Enumeration Script
Nmap: The famous security Scanner, Port Scanner, & Network Exploration Tool
sherlock: Find usernames across social networks
snmpwn: An SNMPv3 User Enumerator and Attack tool
Striker: an offensive information and vulnerability scanner.
theHarvester: E-mails, subdomains and names Harvester
URLextractor: Information gathering & website reconnaissance
denumerator.py: Enumerates list of subdomains
other: other Information gathering,recon and Enumeration scripts I collected somewhere.
ReconDog: Reconnaissance Swiss Army Knife
RED_HAWK: All in one tool for Information Gathering, Vulnerability Scanning and Crawling
Dracnmap: Info Gathering Framework

* Web Hacking 🌐:

Spaghetti: Spaghetti - Web Application Security Scanner
CMSmap: CMS scanner
BruteXSS: BruteXSS is a tool to find XSS vulnerabilities in web application
J-dorker: Website List grabber from Bing
droopescan: scanner, identify, CMSs, Drupal, Silverstripe.
Optiva: Web Application Scanner
V3n0M: Pentesting scanner in Python3.6 for SQLi/XSS/LFI/RFI and other Vulns
AtScan: Advanced dork Search & Mass Exploit Scanner
WPSeku: Wordpress Security Scanner
WPScan: A simple Wordpress scanner written in python
XSStrike: Most advanced XSS scanner.
SQLMap: automatic SQL injection and database takeover tool
WhatWeb: the Next generation web scanner
joomscan: Joomla Vulnerability Scanner Project
Dzjecter: Server checking Tool

* Privilege Escalation ⚠️:

Linux 🐧:linux_checksec.sh
linux_enum.sh
linux_gather_files.sh
linux_kernel_exploiter.pl
linux_privesc.py
linux_privesc.sh
linux_security_test
Linux_exploits folder
Windows : windows-privesc-check.py
windows-privesc-check.exe
MySql:raptor_udf.c
raptor_udf2.c

* Reverse Engineering ⚡:

Radare2: unix-like reverse engineering framework
VirtusTotal: VirusTotal tools
Miasm: Reverse engineering framework
Mirror: reverses the bytes of a file
DnSpy: .NET debugger and assembly
AngrIo: A python framework for analyzing binaries (Suggested by @Hamz-a)
DLLRunner: a smart DLL execution script for malware analysis in sandbox systems.
Fuzzy Server: a Program That Uses Pre-Made Spike Scripts to Attack VulnServer.
yara: a tool aimed at helping malware researchers toidentify and classify malware samples
Spike: a protocol fuzzer creation kit + audits
other: other scripts collected somewhere

* Exploitation ❗:

Findsploit: Find exploits in local and online databases instantly
Pompem: Exploit and Vulnerability Finder
rfix: Python tool that helps RFI exploitation.
InUrlBr: Advanced search in search engines
Burpsuite: Burp Suite for security testing & scanning.
linux-exploit-suggester2: Next-Generation Linux Kernel Exploit Suggester
other: other scripts I collected somewhere.

* Shells 🐚:

WebShells: BlackArch's Webshells Collection

ShellSum: A defense tool - detect web shells in local directories

Weevely: Weaponized web shell

python-pty-shells: Python PTY backdoors

* Password Attacks ✳️:

crunch : a wordlist generator

CeWL : a Custom Word List Generator

patator : a multi-purpose brute-forcer, with a modular design and a flexible usage

* Encryption - Decryption 🛡️:

Codetective: a tool to determine the crypto/encoding algorithm used
findmyhash: Python script to crack hashes using online services

* Social Engineering 🎭:

scythe: an accounts enumerator

Contributing:

Fork Lockdoor-Framework:
git clone https://github.com/SofianeHamlaoui/Lockdoor-Framework.git

Create your feature branch

Commit your changes

Push to the branch

Create a new Pull Request

Features 📙:

Pentesting Tools Selection 📙:

Tools ?: Lockdoor doesn't contain all pentesting tools (Added value) , let's be honest ! Who ever used all the Tools you find on all those Penetration Testing distributions ? Lockdoor contains only the favorite (Added value) and the most used toolsby Pentesters (Added value).
what Tools ?: the tools contains Lockdoor are a collection from the best tools (Added value) on Kali Linux, ParrotSec and BlackArch. Also some private tools (Added value) from some other hacking teams (Added value) like InurlBr, iran-cyber. Without forgeting some cool and amazing tools I found on Github made by some perfect human beigns (Added value).
Easy customization: Easily add/remove tools. (Added value)
Installation: You can install the tool automatically using the install.sh. Manually or on Docker [COMING SOON]

Resources and cheatsheets 📙 (Added value):

Resources: That's what makes Lockdoor Added value, Lockdoor Doesn't contain only tools! Pentesing and Security Assessment Findings Reports templates (Added value), Pentesting walkthrough examples and tempales (Added value) and more.
Cheatsheets: Everyone can forget something on processing or a tool use, or even some trciks. Here comes the Cheatsheets (Added value) role! there are cheatsheets about everything, every tool on the framework and any enumeration,exploitation and post-exploitation techniques.

Check the Wiki Pages to know more about the tool 📙:

Lockdoor Wiki page Home

Lockdoor Demos

Lockdoor Screenshots

Lockdoor-Framework's screenshots:

First Step

Lockdoor update

ROOT Menu

Information Gathering

Web Hacking

Exploitation

Reverse Engineering

Enc/Dec

Password Attacks

Shells

PrivEsc

Social Engineering

PSAFRT

Walkthroughs

About

Support the author:

On Paypal: Sofiane Hamlaoui

BTC Address:

Download Lockdoor-Framework

Ufonet - Dos And Ddos Attack Tool | How To Install Bot

More information

System Hacking: Password Cracking Techniques And Types Of Passwords

This blog based on two major concepts:

Understand password-cracking techniques
Understand different types of passwords

The simplest way to crack the passwords

The first step is to access the system is that you should know how to crack the password of the target system. Passwords are the key element of information require to access the system, and users also selects passwords that are easy to guess such as mostly people has a passwords of their pet's name or room number etc to help them remember it. Because of this human factor, most password guessing is successful if some information is known about the target. Information gathering and reconnaissance can help give away information that will help a hacker guess a user's password.

Once a password is guessed or cracked, it can be the launching point for escalating privileges, executing applications, hiding files, and covering tracks. If guessing a password fails, then passwords may be cracked manually or with automated tools such as a dictionary or brute-force method.

Types of Passwords

Only numbers
Only letters
Only special characters
Letters and numbers
Only letters and special characters
Numbers, letters and special characters

A strong password is less susceptible to attack by a hacker. The following rules, proposed by the EC-Council, should be applied when you're creating a password, to protect it against attacks:

Must not contain any part of the user's account name
Must have a minimum of eight characters
Must contain characters from at least three of the following categories:
- Non alphanumeric symbols ($,:"%@!#)
- Numbers
- Uppercase letters
- Lowercase letters

A hacker may use different types of attacks in order to identify a password and gain further access to a system. The types of password attacks are as follows:

Passive Online

Eavesdropping on network password exchanges. Passive online attacks
include sniffing, man-in-the-middle, and replay attacks. Moreover, a passive online attack is also known as sniffing the password on a wired or wireless network. A passive attack is not detectable to the end user. The password is captured during the authentication process and can then be compared against a dictionary file or word list. User account passwords are commonly hashed or encrypted when sent on the network to prevent unauthorized access and use. If the password is protected by encryption or hashing, special tools in the hacker's toolkit can be used to break the algorithm.

Another passive online attack is known as man-in-the-middle (MITM). In a MITM attack, the hacker intercepts the authentication request and forwards it to the server. By inserting a sniffer between the client and the server, the hacker is able to sniff both connections and capture passwords in the process.

A replay attack is also a passive online attack; it occurs when the hacker intercepts the password en route to the authentication server and then captures and resend the authentication packets for later authentication. In this manner, the hacker doesn't have to break the password or learn the password through MITM but rather captures the password and reuses the password-authentication packets later to authenticate as the client.

Active Online

Guessing the Administrator password. Active online attacks include auto-
mated password guessing. Moreover, The easiest way to gain administrator-level access to a system is to guess a simple password assuming the administrator used a simple password. Password guessing is an active online attack. It relies on the human factor involved in password creation and only works on weak
passwords.

Assuming that the NetBIOS TCP 139 port is open, the most effective method of breaking into a Windows NT or Windows 2000 system is password guessing. This is done by attempting to connect to an enumerated share ( IPC$ or C$ ) and trying a username and password combination. The most commonly used Administrator account and password combinations are words like Admin, Administrator, Sysadmin, or Password, or a null password.
A hacker may first try to connect to a default Admin$ , C$ , or C:\Windows share. To connect to the hidden C: drive share, for example, type the following command in the Run field (Start ➪ Run):

\\ip_address\c$

Automated programs can quickly generate dictionary files, word lists, or every possible combination of letters, numbers, and special characters and then attempt to log on using those credentials. Most systems prevent this type of attack by setting a maximum number of login attempts on a system before the account is locked.

In the following sections, we'll discuss how hackers can perform automated password guessing more closely, as well as countermeasures to such attacks.

Performing Automated Password Guessing

To speed up the guessing of a password, hackers use automated tools. An easy process for automating password guessing is to use the Windows shell commands based on the standard NET USE syntax. To create a simple automated password-guessing script, perform the following steps:

Create a simple username and password file using Windows Notepad. Automated tools such as the Dictionary Generator are available to create this word list. Save the file on the C: drive as credentials.txt.
Pipe this file using the FOR command: C:\> FOR /F "token=1, 2*" %i in (credentials.txt)
Type net use \\targetIP\IPC$ %i /u: %j to use the credentials.txt file to attempt to log on to the target system's hidden share.

Offline Attacks

Offline attacks are performed from a location other than the actual computer where the passwords reside or were used. Offline attacks usually require physical access to the computer and copying the password file from the system onto removable media. The hacker then takes the file to another computer to perform the cracking. Several types of offline password attacks exist.

Types of Attack	Characteristics	Password Example
Dictionary attack	Attempts to use passwords from a list of dictionary words	Administrator
Hybrid attack	Substitutes numbers of symbols for password characters	Adm1n1strator
Brute-force attack	Tries all possible combinations of letters, numbers, and special characters	Ms!tr245@F5a

A dictionary attack is the simplest and quickest type of attack. It's used to identify a password that is an actual word, which can be found in a dictionary. Most commonly, the attack uses a dictionary file of possible words, which is hashed using the same algorithm used by the authentication process. Then, the hashed dictionary words are compared with hashed passwords as the user logs on, or with passwords stored in a file on the server. The dictionary attack works only if the password is an actual dictionary word; therefore, this type of attack has some limitations. It can't be used against strong passwords containing numbers or other symbols.

A hybrid attack is the next level of attack a hacker attempts if the password can't be found using a dictionary attack. The hybrid attack starts with a dictionary file and substitutes numbers and symbols for characters in the password. For example, many users add the number 1 to the end of their password to meet strong password requirements. A hybrid attack is designed to find those types of anomalies in passwords.

The most time-consuming type of attack is a brute-force attack, which tries every possible combination of uppercase and lowercase letters, numbers, and symbols. A brute-force attack is the slowest of the three types of attacks because of the many possible combinations of characters in the password. However, brute force is effective; given enough time and processing power, all passwords can eventually be identified.

Hacking All The Cars - Part 1

A step by step lab based mini course on analyzing your car network

I wanted to learn about hacking cars. As usual I searched around the internet and didn't find any comprehensive resources on how to do this, just bits and pieces of the same info over and over which is frustrating. I am not a car hacking expert, I just like to hack stuff. This mini course will run in a fully simulated lab environment available from open garages, which means in 5 minutes from now you can follow along and hack cars without ever bricking your girlfriends car. Since you obviously wouldn't attack your own Lambo, totally use your girlfriends Prius.

Below are the topics covered in this blog series so you can decide if you want to read further:

Whats covered in this car hacking mini course:

Setting up Virtual Environments for testing

Sniffing CAN Traffic

Parsing CAN Traffic

Reverse Engineering CAN IDs

Denial of service attacks

Replaying/Injecting Traffic

Coding your own CAN Socket Tools in python

Targeted attacks against your cars components

Transitioning this to attacking a real car with hardware

The first thing we are going to do before we get into any car hacking specifics such as "WTF is CAN?", is get your lab up and running. We are going to run a simple simulated CAN Bus network which controls various features of your simulated car. Its better to learn by doing then sit here and recite a bunch of car network lingo at you and hope you remember it.

I also don't want you to buy a bunch of hardware and jack into your real car right away. Instead there are options that can get you started hacking cars RIGHT NOW by following along with this tutorial. This will also serve to take away the fear of hacking your actual car by understanding what your doing first.

Video Playlist:

Setting up your Lab:

First things first, set yourself up with an Ubuntu VMware install, and load it up. Optionally you could use a Kali Iinux VM, however, that thing drives me nuts with copy paste issues and I think Kayak was giving me install problems. So support is on you if you would like to use Kali. However, I do know Kali will work fine with OpenGarages virtual car.. So feel free to use it for that if you have it handy and want to get started right away.

Install PreReq Libraries:

Once you load this up you are going to want to install CAN utilities and pre-requisite libraries. This is really easy to do with the following Apt-get commands:

sudo apt-get update

sudo apt-get install libsdl2-dev libsdl2-image-dev can-utils

Then we are going to pull down the ICSimulator repo:

git clone https://github.com/zombieCraig/ICSim.git

Starting the simulator:

Once this is done we can startup the simulator by changing directories to the downloaded repo and running the following 2 commands, which will setup a virtual CAN interface and a simulator GUI Cluster:

Run the setup Script to get the vcan0 interface up:

root@kali:~/ICSim# ./setup_vcan.sh

root@kali:~/ICSim# ./icsim vcan0

On a new terminal tab we will open up our simulators controller with the following command,

root@kali:~/ICSim#./controls vcan0

Note: that the controller must be the in-focus GUI screen to send keyboard commands to the simulator.

How to Use the Simulator:

The simulator has a speedometer with Right and Left turn signals, doors etc. Below are the list of commands to control the simulator when the Control panel is in focus. Give them each a try and note the changes to the simulator.

Up and Down keys control the gauges clusters speedometer

Left and Right keys Control the Blinkers

Right Shift + X, A or B open doors

Left Shift + X, A or be Close doors

Try a few of the above commands for example Right Shift +X and you will see the interface change like so, notice the open door graphic:

Awesome, thanks to OpenGarages you now you have your very own car to hack

Notice in the setup commands above we used a VCan0 interface. Run Ifconfig and you will now see that you indeed have a new network interface that speaks to the CAN network over VCan0.

ficti0n@ubuntu:~/Desktop/ICSim$ ifconfig vcan0

vcan0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

UP RUNNING NOARP MTU:16 Metric:1

RX packets:558904 errors:0 dropped:0 overruns:0 frame:0

TX packets:558904 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1

RX bytes:3663935 (3.6 MB) TX bytes:3663935 (3.6 MB)

Car networks run on a variety of protocols most prevalent being CAN. You can think of a CAN Bus like an old school networking hub where everyone can see everyone elses traffic. This is true to some extent although you may not see all of the cars traffic if its not connected to that particular bus your plugged into. You can think of CAN traffic kind of like UDP in that its send and forget, the main difference being parts of the CAN bus network don't actually have addresses and everything runs off arbitration IDs and priorities. Thats enough background to get you doing rather then reading.

With a little knowledge out of the way lets check if we can see our CAN traffic from our virtual car via the CanDump utility, which you installed as part of CanUtils package above. Using the following command on the vcan0 interface our simulator uses you can view a stream of traffic:

ficti0n@ubuntu:~/Desktop/ICSim$ candump vcan0

Above we can see a bunch of CAN frames, and if we perform actions on the vehicle we will see changes to data values in the CanDump output. However this may happen very fast, and we may not be able to see if for example we unlocked our simulators door. This is because things are changing constantly in the cars IDLE state. One single value changing may not stand out enough for us to take notice or may scroll so fast we cant see it.

Capture and Replay CAN Actions:

One option would be to perform an action and replay it, we should see the actions happen again in the replay if the traffic for the action we recorded is on the same bus network our device is plugged into. There are loads of networks within a car and its not guaranteed our network tap for example an OBD2 port plugin is connected to the same network as door we opened. Or the door may not be connected to the network at all depending on your car and its age or how its configured.

Replaying dumps with CanPlayer:

Another useful tool included with CanUtils package is CanPlayer for replaying traffic. If the functionality we are trying to capture is on the same Bus as the adaptor plugged into the car, or in this case our Virtual CAN interface, we can use CanDump to save traffic to a file. We then use CanPlayer to replay the traffic on the network. For example lets run CanDump and open a door and then replay the functionality with CanPlayer.

Lab 1 Steps:

Run CanDump
Right Shift + X to open a door
Cancel CanDump (ctrl+c)
Left Shift + X to close the door
Run can player with the saved dump and it will replay the traffic and open the door

Recording the door opening: (-l for logging)

ficti0n@ubuntu:~/Desktop/ICSim$ candump -l vcan0

Replaying the CanDump file: (use the file your can dump created)

ficti0n@ubuntu:~/Desktop/ICSim$ canplayer -I candump-2018-04-06_154441.log

Nice, so if all went well you should see that your door is now open again. If this did not happen when attacking a real car, just try to replay it again. CAN networks are not like TCP/IP, they are more like UDP in that you send out your request and its not expecting a response. So if it gets lost then it gets lost and you have to resend. Perhaps something with higher priority on the network was sending at the time of your replay and your traffic was overshadowed by it.

Interacting with the Can Bus and Reversing Traffic:

So thats cool, but what about actually understanding what is going on with this traffic, CanDump is not very useful for this, is scrolls by to quickly for us to learn much from. Instead we can use CanSniffer with colorized output to show us the bytes within packets that change. Below is an example of CanSniffer Traffic:

To startup can sniffer run the following:

ficti0n@ubuntu:~/Desktop/ICSim$ cansniffer -c vcan0

You will see 3 fields, Time, ID and Data. Its pretty easy to figure out what these are based on thier name. The most important part for our usage in this blog are the ID and the Data fields.

The ID field is the frame ID which is loosely associated with the device on the network which is effected by the frame being sent. The ID to also determines the priority of the frame on the network. The lower the number of the CAN-ID the higher priority it has on the network and more likely it will be handled first. The data field is the data being sent to change some parameter like unlocking a door or updating output. You will notice that some of the bytes are highlighted RED. The values in red are the values that are changing during the idle state you are currently in.

Determine which ID and Byte controls the throttle:

So with the terminal sniffing window open put the simulator and the controller into the foreground, with the controller being the window you have clicked and selected. Pay attention to the CanSniffer output while hitting the UP ARROW and look for a value that was white but is now Red and increasing in value as the throttle goes up. This might take you a few minutes of paying attention to whats going on to see.

The following 2 pictures show ID 244 in the IDLE state followed by pressing the up button to increase the speed. You will notice a byte has turned red and is increasing in value through a range of HEX values 0-F. It will continue to enumerate through values till it reaches its max speed.

The byte in ID 244 which is changing is the value while the throttle is engaged, so 244 associated in some way with the increasing speed. The throttle speed is a good value to start with as it keeps increasing its value when pressed making it easier to spot while viewing the CanSniffer output.

Singling out Values with Filters:

If you would like to single out the throttle value then click the terminal window and press -000000 followed by the Enter key which will clear out all of the values scrolling. Then press +244 followed by the Enter key which will add back the throttle ID. You can now click the controller again and increase the speed with your Up arrow button without all the noise clouding your view. You will instead as shown below only have ID 244 in your output:

To get back all of the IDs again click the terminal window and input +000000 followed by the Enter key. Now you should see all of the output as before. Essentially 000000 means include everything. But when you put a minus in front of it then it negates everything and clears your terminal window filtering out all values.

Determine Blinker ID:

Now lets figure out another ID for the blinkers. If you hit the left or right arrow with the controls window selected you will notice a whole new ID appears in the list, ID 188 shown in the picture below which is associated with the blinker.

This ID was not listed before as it was not in use within the data output until you pressed the blinker control. Lets single this value out by pressing -000000 followed by +188. Just like in the throttle example your terminal should only show ID 188, initially it will show with 00 byte values.

As you press the left and the right blinker you will see the first Byte change from 00 to 01 or 02. If neither is pressed as in the screenshot above it will be 00. Its kind of hard to have the controller in focus and get a screenshot at the same time but the ID will remain visible as 00 until it times out and disappears from the list when not active. However with it filtered out as above you can get a better view of things and it wont disappear.

Time for YOU to do some Protocol Reversing:

This lab will give you a good idea how to reverse all of the functionality of the car and associate each action with the proper ID and BYTE. This way you can create a map of intended functionality changes you wish to make. Above we have done a few walk throughs with you on how to determine which byte and ID is associated with an action. Now its time to map everything out yourself with all the remaining functionality before moving on to attacking individual components.

Lab Work Suggestion:

Take out a piece of paper and a pencil
Try unlocking and locking doors and write down the ID which controls this action (remember your filters)
Try unlocking each door and write down the BYTES needed for each door to open
Try locking each doors and what Bytes change and what are their values, write them down
Do the same thing for the blinkers left and right (Might be different then what I did above)
What ID is the speedometer using? What byte changes the speed?

Attacking Functionality Directly:

With all of the functionality mapped out we can now try to target various devices in the network directly without interacting with the controllers GUI. Maybe we broke into the car via cellular OnStar connection or the center console units BLE connection which was connected to the CAN network in some way.
After an exploit we have direct access to the CAN network and we would like to perform actions. Or maybe you have installed a wireless device into an OBD2 port under the dashboard you have remote access to the automobile.

Using the data from the CAN network reversing lab above we can call these actions directly with the proper CAN-ID and Byte. Since we are remote to the target we can't just reach over and grab the steering wheel or hit the throttle we will instead send your CAN frame to make the change.

One way we can do this is via the CanSend utility. Lets take our information from our lab above and make the left turn signal flash with the following ID 188 for the turn signal by changing the first byte to 01 indicating the left signal is pressed. CanSend uses the format ID#Data. You will see this below when sending the turn signal via CanSend.

ficti0n@ubuntu:~/Desktop/ICSim$ cansend vcan0 188#01000000

You should have noticed that the left signal flashed. If not pay more attention and give it another try or make sure you used the correct ID and changed the correct byte. So lets do the same thing with the throttle and try to set the speed to something with ID 244 that we determined was the throttle.

ficti0n@ubuntu:~/Desktop/ICSim$ cansend vcan0 244#00000011F6

My guess is that nothing happened because its so fast the needle is not going to jump to that value. So instead lets try repeating this over and over again with a bash loop which simply says that while True keep sending the throttle value of 11 which equates to about 30mph:

ficti0n@ubuntu:~/Desktop/ICSim$ while true; do cansend vcan0 244#00000011F6; done

Yes thats much better, you may notice the needle jumping back and forth a bit. The reason the needle is bouncing back and forth is because the normal CAN traffic is sent telling the car its actually set to 00 in between your frames saying its 30mph. But it worked and you have now changed the speed the car sees and you have flashed the blinker without using the cars normal blinker controls. Pretty cool right?

Monitor the CAN Bus and react to it:

Another way to handle this issue is to monitor the CAN network and when it sees an ID sent it will automatically send the corresponding ID with a different value.. Lets give that a try to modify our speed output by monitoring for changes. Below we are simply running CanDump and parsing for ID 244 in the log output which is the throttle value that tells the car the speed. When a device in the car reports ID 244 and its value we will immediately resend our own value saying the speed is 30mph with the value 11. See below command and try this out.

ficti0n@ubuntu:~/Desktop/ICSim$ candump vcan0 | grep " 244 " | while read line; do cansend vcan0 244#00000011F6; done

With this running after a few seconds you will see the speed adjust to around 30MPH once it captures a legitimate CAN-ID 244 from the network traffic and sends its own value right after.

Ok cool, so now while the above command is still running click the controller window and start holding down the Up arrow with the controller in focus.. After a few seconds or so when the speed gets above 30MPH you will see the needle fighting for the real higher value and adjusting back to 30MPH as your command keeps sending its on value as a replacement to the real speed.

So thats one way of monitoring the network and reacting to what you see in a very crude manner. Maybe someone stole your car and you want to monitor for an open door and if they try to open the door it immediately locks them in.

Conclusion and whats next:

I am not an expert car hacker but I hope you enjoyed this. Thats about as far as I want to go into this subject today, in the next blog we will get into how to code python to perform actions on the CAN network to manipulate things in a similar way. With your own code you are not limited to the functionality of the tools you are provided and can do whatever you want. This is much more powerful then just using the CanUtils pre defined tools. Later on I will also get into the hardware side of things if you would like to try this on a real car where things are more complicated and things can go wrong.

More info

Thousand Ways To Backdoor A Windows Domain (Forest)

When the Kerberos elevation of privilege (CVE-2014-6324 / MS14-068) vulnerability has been made public, the remediation paragraph of the following blog post made some waves:
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain."

Personally, I agree with this, but .... But whether this is the real solution, I'm not sure. And the same applies to compromised computers. When it has been identified that malware was able to run on the computer (e.g. scheduled scan found the malware), there is no easy way to determine with 100% certainty that there is no rootkit on the computer. Thus rebuilding the computer might be a good thing to consider. For paranoids, use new hardware ;)

But rebuilding a single workstation and rebuilding a whole domain is not on the same complexity level. Rebuilding a domain can take weeks or months (or years, which will never happen, as the business will close before that).

There are countless documented methods to backdoor a computer, but I have never seen a post where someone collects all the methods to backdoor a domain. In the following, I will refer to domain admin, but in reality, I mean Domain Admins, Enterprise Admins, and Schema Admins.

Ways to backdoor a domain

So here you go, an incomplete list to backdoor a domain:

Create a new domain admin user. Easy to do, easy to detect, easy to remediate
Dump password hashes. The attacker can either crack those or just pass-the-hash. Since KB2871997, pass-the-hash might be trickier (https://technet.microsoft.com/library/security/2871997), but not impossible. Easy to do, hard to detect, hard to remediate - just think about service user passwords. And during remediation, consider all passwords compromised, even strong ones.
Logon scripts - modify the logon scripts and add something malicious in it. Almost anything detailed in this post can be added :D
Use an already available account, and add domain admin privileges to that. Reset its password. Mess with current group memberships - e.g. http://www.exploit-db.com/papers/17167/
Backdoor any workstation where domain admins login. While remediating workstations, don't forget to clean the roaming profile. The type of backdoor can use different forms: malware, local admin, password (hidden admin with 500 RID), sticky keys, etc.
Backdoor any domain controller server. For advanced attacks, see Skeleton keys
Backdoor files on network shares which are commonly used by domain admins by adding malware to commonly used executables - Backdoor factory
Change ownership/permissions on AD partitions - if you have particular details on how to do this specifically, please comment
Create a new domain user. Hide admin privileges with SID history. Easy to do, hard to detect, easy to remediate - check Mimikatz experimental for addsid
Golden tickets - easy to do, hard to detect, medium remediation
Silver tickets - easy to do, hard to detect, medium/hard remediation
Backdoor workstations/servers via group policy

HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows\ CurrentVersion\ RunOnce,
scheduled tasks (run task 2 years later),
sticky-keys with debug

Backdoor patch management tool, see slides here

[Update 2017.01.10]

Other tricks

The following list does not fit in the previous "instant admin" tips, but still, it can make the attackers life easier if their primary foothold has been disabled:

Backdoor recent backups - and when the backdoor is needed, destroy the files, so the files will be restored from the backdoored backup
Backdoor the Exchange server - get a copy of emails
Backdoor workstation/server golden image
Change permission of logon scripts to allow modification later
Place malicious symlinks to file shares, collect hashes via SMB auth tries on specified IP address, grab password hashes later
Backdoor remote admin management e.g. HP iLO - e.g. create new user or steal current password
Backdoor files e.g. on shares to use in SMB relay
Backdoor source code of in-house-developed software
Use any type of sniffed or reused passwords in new attacks, e.g. network admin, firewall admin, VPN admin, AV admin, etc.
Change the content of the proxy pac file (change browser configuration if necessary), including special exception(s) for a chosen domain(s) to use proxy on malicious IP. Redirect the traffic, enforce authentication, grab password hashes, ???, profit.
Create high privileged users in applications running with high privileges, e.g. MSSQL, Tomcat, and own the machine, impersonate users, grab their credentials, etc. The typical pentest path made easy.
Remove patches from servers, change patch policy not to install those patches.
Steal Windows root/intermediate CA keys
Weaken AD security by changing group policy (e.g. re-enabling LM-hashes)

Update [2015-09-27]: I found this great presentation from Jakob Heidelberg. It mentions (at least) the following techniques, it is worth to check these:

Microsoft Local Administrator Password Solution
Enroll virtual smart card certificates for domain admins

Forensics

If you have been chosen to remediate a network where attackers gained domain admin privileges, well, you have a lot of things to look for :)

I can recommend two tools which can help you during your investigation:

Lessons learned

But guess what, not all of these problems are solved by rebuilding the AD. One has to rebuild all the computers from scratch as well. Which seems quite impossible. When someone is creating a new AD, it is impossible not to migrate some configuration/data/files from the old domain. And whenever this happens, there is a risk that the new AD will be backdoored as well.

Ok, we are doomed, but what can we do? I recommend proper log analysis, analyze trends, and detect strange patterns in your network. Better spend money on these, than on the domain rebuild. And when you find something, do a proper incident response. And good luck!

Ps: Thanks to Andrew, EQ, and Tileo for adding new ideas to this post.

Check out the host backdooring post as well! :)