Pcap of Wannacry Spreading Using EthernalBlue

Saw that a lot of people were looking for a pcap with WannaCry spreading Using EthernalBlue.I have put together a little "petri dish" test environment and started looking for a sample that has the exploit. Some samples out there simply do not have the exploit code, and even tough they will encrypt the files locally, sometimes the mounted shares too, they would not spread.Luckily, I have found this nice blog post from McAfee Labs: https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/ with the reference to the sample SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c (they keep referring to samples with MD5, which is still a very-very bad practice, but the hash is MD5: DB349B97C37D22F5EA1D1841E3C89EB4)Once I got the sample from the VxStream Sandbox site, dropped it in the test environment, and monitored it with Security Onion. I was super happy to see it spreading, despite the fact that for the first run my Windows 7 x64 VM went to BSOD as the EthernalBlue exploit failed.But the second run was a full success, all my Windows 7 VMs got infected. Brad was so kind and made a guest blog post at one of my favorite sites, www.malware-traffic-analysis.net so you can find the pcap, description of the test environment and some...
Read more

Workshop and Presentation Slides from 2016 Q4 and 2017 Q1

Many of you were asking for the slides of presentations and workshops I gave recently and I know that for certain cases it took waaay longer than it should have, but hey! Better late than never, right? Right? :)Anyways, here is the Google Drive folder with all the presentations.And the breakdown of the folders:2016_Hack.lu : workshop slides and VM image2016_Hacktivity : workshop slides, the VM image is the same as 2016 Hack.lu2017_BSidesBUD : workshop slides and USB content2017_BSidesLjubljana_0x7E1 : workshop slides, the USB content is the same as 2017 BSidesBUD2017_SANS_Munich_Winter_@Night_Talk : presentation slides and videos
Read more

CSRF Referer header strip

IntroMost of the web applications I see are kinda binary when it comes to CSRF protection; either they have one implemented using CSRF tokens (and more-or-less covering the different functions of the web application) or there is no protection at all. Usually, it is the latter case. However, from time to time I see application checking the Referer HTTP header.A couple months ago I had to deal with an application that was checking the Referer as a CSRF prevention mechanism, but when this header was stripped from the request, the CSRF PoC worked. BTW it is common practice to accept empty Referer, mainly to avoid breaking functionality.The OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet tells us that this defense approach is a baaad omen, but finding a universal and simple solution on the Internetz to strip the Referer header took somewhat more time than I expected, so I decided that the stuff that I found might be useful for others too.Solutions for Referer header stripMost of the techniques I have found were way too complicated for my taste. For example, when I start reading a blog post from Egor Homakov to find a solution to a problem, I know that...
Read more