Thursday, January 26, 2017

Malware Reverse Engineering tools and techniques

I just found a virus sample, but I do not know
  • what it is
  • where the virus came from
  • how the system was infected
  • what the functionality of the virus is
  • what type of damage it did to the system
so I decided to analyze it using malware analysis / reverse engineering tools and techniques.
There are two types of analysis:
  1. Static analysis = analyze the malware based on its binary/code and understand its functionality
  2. Behavioral analysis = analyze the malware based on its behavior.
If you do not understand anything while reading, that is natural :D.
Just follow all the steps one by one and finally you will realize what you did.

Let's Start from Behavioral Analysis. :D

Step 1 = download OS

  • I used a Windows 7 machine to plant the virus and analyze it.
  • I used a REMnux Linux virtual machine for network resolving (fake DNS resolve, Wireshark analysis, that kind of thing).

Step 2 = Setting up the Windows 7 OS

1. First of all, switch off the firewall. :P
   (screenshot: firewall disable)
2. Then configure the VM network to "Host only" network.
3. Windows 7 network configuration
   (screenshot: Windows 7 network configuration)
4. Download and install some tools by Google searching => I will describe them while using them. (name and icon on the screenshot)
5. Additionally you have to download strings2.exe and upx.exe and copy them to the c:\windows\system32 directory. (just google for the latest version)
6. Take a snapshot of the configured environment (optional).



Step 3 = Setting up the REMnux OS

1. Set up the REMnux IP address.
   (screenshot: REMnux IP address configuration)
2. Ping from REMnux to the Windows 7 machine (in the terminal, use the command below):
   ping 172.16.124.150

   Ping from Windows 7 to REMnux (using the Windows 7 cmd):
   ping 172.16.124.10

3. Start Wireshark on the REMnux OS.
4. If you feel the virus will communicate over web or IRC, or requires DNS resolution, it is better to start these services. The commands are:
   ircd start
   httpd start
   fakedns
   (screenshot: service start)
   (If you cannot even guess, don't worry :) I will explain how to guess later.)
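As an added example (not part of the original post, and not the REMnux fakedns code), here is a minimal stand-in for the fakedns service in Python: it answers every A query with the REMnux address, so whatever host name the sample looks up, its connection attempts land on the analysis box where Wireshark is running. The sink address 172.16.124.10 is the lab address used above; the bind address and port are assumptions.

```python
import socket
import struct

SINK_IP = "172.16.124.10"   # REMnux address from the lab above (assumed sink)

def parse_qname(data, offset):
    """Decode the uncompressed name at data[offset:]; return (name, next offset)."""
    labels = []
    while data[offset] != 0:
        length = data[offset]
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_fake_response(query, sink_ip=SINK_IP, ttl=60):
    """Answer an A query with sink_ip so the sample's traffic lands on REMnux.
    Other record types get an authoritative empty answer. Returns (name, qtype, reply)."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = parse_qname(query, 12)               # question starts after the 12-byte header
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    resp_flags = 0x8480 | (flags & 0x0100)           # QR=1, AA=1, RA=1, RD copied from query
    answer, ancount = b"", 0
    if qtype == 1 and qclass == 1:                   # A record, class IN
        answer = (b"\xc0\x0c"                        # compression pointer to the question name
                  + struct.pack("!HHIH", 1, 1, ttl, 4)  # TYPE A, CLASS IN, TTL, RDLENGTH
                  + socket.inet_aton(sink_ip))
        ancount = 1
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0)
    return name, qtype, header + question + answer

def serve(bind_ip="0.0.0.0", port=53):
    """Log every query the sample makes and reply with the fake answer (port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, qtype, reply = build_fake_response(data)
        except (ValueError, struct.error, IndexError, UnicodeDecodeError):
            continue                                  # malformed packet, ignore it
        print(f"{peer[0]} asked for {name} (qtype {qtype}) -> {SINK_IP}")
        sock.sendto(reply, peer)

if __name__ == "__main__":
    serve()
```

Point the Windows 7 machine's DNS server at the REMnux address and every lookup the sample makes shows up in the log and in Wireshark.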

Friday, February 7, 2014

Describe and compare IPv4 and IPv6 addressing schemes.
IPv4
IPv4 stands for Internet Protocol version 4. It is the underlying technology that makes it possible for us to connect our devices to the web. Whenever a device accesses the Internet (whether it is a PC, Mac, smartphone or other device), it is assigned a unique numerical IP address such as 99.48.227.227. To send data from one computer to another through the web, a data packet must be transferred across the network containing the IP addresses of both devices.
IPv4 uses 32-bit addresses for Ethernet communication in five classes, named A, B, C, D and E. Classes A, B and C use different bit lengths for the network and host parts of the address. Class D addresses are reserved for multicasting, while class E addresses are reserved for future use.
Class A has subnet mask 255.0.0.0 or /8, class B has subnet mask 255.255.0.0 or /16 and class C has subnet mask 255.255.255.0 or /24. For example, with a /16 subnet mask, the network 192.168.0.0 may use the address range 192.168.0.0 to 192.168.255.255. Network hosts can take any address from this range; however, the address 192.168.255.255 is reserved for broadcast within the network.
IPv6
IPv6 is the next-generation protocol for Internet networking. IPv6 expands on the current Internet Protocol standard known as IPv4. Compared to IPv4, IPv6 offers better addressing, security and other features to support large worldwide networks.
In IPv6, IP addresses change from the current 32-bit standard with dotted decimal notation to a new 128-bit address system. IPv6 addresses remain backward compatible with IPv4 addresses. For example, the IPv4 address "192.168.100.32" may appear in IPv6 notation as "0000:0000:0000:0000:0000:0000:C0A8:6420" or "::C0A8:6420".
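As an added example (not from the original post), the following Python works through the two points above with the standard ipaddress module: the classful view of an IPv4 address (class letter, default mask, broadcast address) and the two ways an IPv4 address can be written inside an IPv6 address. It goes one step beyond the post by also showing the IPv4-mapped form (::ffff:a.b.c.d), which is what dual-stack sockets actually use, next to the IPv4-compatible form (::a.b.c.d) quoted in the post; the function names are my own.

```python
import ipaddress

def classful_info(addr):
    """Classful view of an IPv4 address: class letter, default mask, network and broadcast.
    Classes D and E have no host part, so only the class is reported for them."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:
        cls, prefix = "A", 8
    elif first_octet < 192:
        cls, prefix = "B", 16
    elif first_octet < 224:
        cls, prefix = "C", 24
    elif first_octet < 240:
        cls, prefix = "D", None          # multicast
    else:
        cls, prefix = "E", None          # reserved for future use
    if prefix is None:
        return {"class": cls, "mask": None, "network": None, "broadcast": None}
    net = ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)
    return {"class": cls, "mask": str(net.netmask),
            "network": str(net.network_address), "broadcast": str(net.broadcast_address)}

def address_range(network, prefix):
    """First and last (broadcast) address of a network for a given mask length, e.g. /16."""
    net = ipaddress.IPv4Network(f"{network}/{prefix}", strict=False)
    return str(net.network_address), str(net.broadcast_address)

def ipv6_forms(addr):
    """Two ways an IPv4 address can be embedded in IPv6: the IPv4-compatible form
    (::a.b.c.d, the notation used in the post, deprecated by RFC 4291) and the
    IPv4-mapped form (::ffff:a.b.c.d) that dual-stack sockets actually use."""
    v4 = int(ipaddress.IPv4Address(addr))
    compatible = ipaddress.IPv6Address(v4)
    mapped = ipaddress.IPv6Address((0xffff << 32) | v4)
    return {"compatible": str(compatible), "compatible_exploded": compatible.exploded,
            "mapped_exploded": mapped.exploded}
```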
Main reasons for running out of IPv4 addresses
The IPv4 protocol was created in 1981 as a technology expected to last for a very long time, with an address space of 4000 million addresses, but the enormous growth of the Internet and the way the addresses were assigned (classes A, B and C) resulted in a serious shortage of addresses. There are several methods that delay the total exhaustion of addresses: PPP/DHCP (address sharing), CIDR (classless inter-domain routing) and NAT (network address translation), but they do not seem to be enough for more than a few years, especially taking into account the growing number of devices that need a permanent allocation of an IP address (UMTS, DSL, etc.) and the applications that are end-to-end and not compatible with NAT (IPsec, VoIP, etc.).
Another problem is that, because it was designed many years ago, the functionality for security, mobility and quality of service is handled by additional protocols, since it is not integrated in the protocol itself.
These two problems, plus the great growth in the number of entries in the routing tables, made a new version of the protocol necessary, so a new working group of the Internet Engineering Task Force (IETF) was created with the name "IP next generation" (IPng). Some time later the name was changed to IPv6. The main characteristics of this protocol had to be the following:
·         Larger addressing space, structured addresses and no address classes.
·         Automatic configuration.
·         Simplified routing.
·         Better structuring options for the networks.
·         Improved security features.
·         Support for real-time and multimedia services.

IPv4/IPv6 Differences
Here are some of the major differences between IPv4 and IPv6. Both standards are extensive, and many features are less obvious and important only for some environments.

Address
  IPv4: 32 bits (4 bytes), e.g. 12:34:56:78
  IPv6: 128 bits (16 bytes), e.g. 1234:5678:9abc:def0:1234:5678:9abc:def0
Packet size
  IPv4: 576 bytes required, fragmentation optional
  IPv6: 1280 bytes required without fragmentation
Packet fragmentation
  IPv4: Routers and sending hosts
  IPv6: Sending hosts only
Packet header
  IPv4: Does not identify packet flow for QoS (Quality of Service) handling; includes a checksum; includes options (up to 40 bytes)
  IPv6: Contains a Flow Label field that specifies the packet flow for QoS handling; does not include a checksum; extension headers are used for optional data
DNS records
  IPv4: Address (A) records map host names; Pointer (PTR) records in the IN-ADDR.ARPA DNS domain
  IPv6: Address (AAAA) records map host names; Pointer (PTR) records in the IP6.ARPA DNS domain
Address configuration
  IPv4: Manual or via DHCP
  IPv6: Stateless address autoconfiguration (SLAAC) using Internet Control Message Protocol version 6 (ICMPv6), or DHCPv6
IP to MAC resolution
  IPv4: Broadcast ARP
  IPv6: Multicast Neighbor Solicitation
Local subnet group management
  IPv4: Internet Group Management Protocol (IGMP)
  IPv6: Multicast Listener Discovery (MLD)
Broadcast
  IPv4: Yes
  IPv6: No
Multicast
  IPv4: Yes
  IPv6: Yes
IPsec
  IPv4: optional, external
  IPv6: required


Wednesday, January 1, 2014

ISO-OSI Layer Model + TCP/IP Model

ISO OSI and TCP/IP Model Comparison

1.    OSI Model (Open Systems Interconnection)
This is a reference model; with it we can describe a network from an architectural perspective.
It describes how messages should be transmitted between any two points in a telecommunication network. (The OSI model makes it easier to learn and understand the concepts involved.) This model has seven layers. They are:
·         Application Layer – Layer 7
·         Presentation Layer – Layer 6          (layers 5, 6, 7: user support layers)
·         Session Layer – Layer 5
·         Transport Layer – Layer 4
·         Network Layer – Layer 3
·         Data Link Layer – Layer 2             (layers 1, 2, 3: network support layers)
·         Physical Layer – Layer 1

Application Layer – Layer 7
This layer provides a user interface by interacting with the running application. E-mail, FTP and web browsers are network applications that run on this layer. It provides services and protocols to applications.

Presentation Layer – Layer 6
Data conversion takes place at this layer. The data it receives from the application layer is converted into a suitable format that is recognized by the computer. For example, the conversion of a file from .wav to .mp3 takes place at this layer. It is also concerned with the syntax and semantics of the information transmitted, and with the encapsulation of data for transmission through the network.

Session Layer – Layer 5
This layer is responsible for establishing and terminating connections between two communicating machines. This connection is known as a session, hence the name. It establishes full-duplex, half-duplex and simplex connections for communication. Sessions are also used to keep track of the connections to the web server. Session services include:
·         dialog control (who transmits next)
·         token management (who is allowed to attempt a critical action next)
·         synchronization (checkpointing long transactions so they can continue after a crash)

Transport Layer – Layer 4
This layer provides end-to-end delivery of data between two nodes; in other words, the transport layer is responsible for the delivery of a message from one process to another. It divides data into segments before transmitting it. On receipt of these segments, the data is reassembled and forwarded to the next layer. If data is lost in transmission or has errors, this layer recovers the lost data and retransmits it. It provides reliable, transparent transfer of data between end points by means of
·         service port addressing
·         connection control
·         flow control
·         error control

Network Layer – Layer 3
The main function of this layer is to translate the network address into a physical MAC address; put differently, the network layer is concerned with controlling the operation of the subnet. The data has to be routed to its intended destination on the network. This layer is also responsible for determining the efficient route for transmitting packets to their destination, i.e. how packets are routed from source to destination. While doing so, it has to manage problems like network congestion, switching problems, etc. The protocols used here are IP, ICMP, IGMP, IPX, etc.

Data Link Layer – Layer 2
The data link layer is responsible for moving frames from one hop (node) to the next, and provides reliable transfer of information across the physical link. The main function of this layer is to convert the data packets received from the upper layer into frames and pass them to the physical layer. Error detection and correction is done at this layer, thus making it a reliable layer in the model. It establishes a logical link between the nodes and transmits frames sequentially.

Physical Layer – Layer 1
The physical layer coordinates the functions required to transmit a bit stream over a physical medium. It defines a number of network functions, not just hardware cables and cards. As the name suggests, this is the layer where the physical connection between two computers takes place. The data is transmitted via this physical medium to the destination's physical layer. Popular protocols at this layer are Fast Ethernet, ATM, RS232, etc.


2.    TCP/IP (Transmission Control Protocol/Internet Protocol)
This is an implementation of the OSI model. TCP/IP is a set of protocols developed to allow cooperating computers to share resources across a network. The TCP/IP reference model is the network model used in the current Internet architecture. The two main protocols in this model are the Transmission Control Protocol and the Internet Protocol, and there are many other protocols as well. TCP/IP services can be divided into two groups:
·         services provided to other protocols – IP, TCP and UDP
·         services provided to end users directly – HTTP
This model has four layers:
·         Application Layer – Layer 4
·         Transport Layer – Layer 3
·         Internetwork Layer – Layer 2
·         Network Interface Layer – Layer 1

Application Layer
In the TCP/IP model, the session and presentation layers are not present. The application layer sits on top of the transport layer. It includes all the higher-level protocols such as TELNET, FTP, DNS, SMTP, SSH…
Transport Layer
This layer is responsible for providing datagram services to the application layer. It allows the host and the destination devices to communicate with each other to exchange messages, irrespective of the underlying network type. Error control, congestion control, flow control, etc. are handled by the transport layer. The protocols this layer uses are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP gives reliable, end-to-end, connection-oriented data transfer, while UDP provides unreliable, connectionless data transfer between two computers.
Internet Layer
This layer is also known as the network layer. The main function of this layer is to route the data to its destination. The data that is received by the link layer is made into data packets (IP datagrams). The data packets contain the source and destination IP address (logical address). These packets are sent over any network and are delivered independently. This means the data may not arrive in the same order it was sent. The protocols at this layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), etc.

Network Interface Layer
This layer corresponds to the OSI physical and data link layers. It describes how the data is transmitted from the host through the network. Physical connectors like coaxial cables, twisted pair wires, optical fiber, interface cards, etc. are part of this layer. This layer can be used to connect different network types like ATM, Token Ring, Ethernet, LAN, etc.

3.     Comparison Between OSI and TCP/IP Model

(figure: OSI and TCP/IP layer comparison)

3.1           Main Similarities between OSI and TCP/IP Model
·         They share similar architecture
          Both of the models share a similar architecture. This can be illustrated by the fact that both of them are constructed with layers.
·         They share a common application layer
          Both of the models share a common "application layer". However, in practice this layer includes different services depending on the model.
·         Both models have comparable transport and network layers
          This can be illustrated by the fact that similar functions to those performed between the presentation and network layers of the OSI model are performed at the transport layer of the TCP/IP model.
·         Knowledge of both models is required by networking professionals
          According to an article obtained from the Internet, networking professionals "need to know both models".
·         Both models assume that packets are switched
          Basically this means that individual packets may take differing paths in order to reach the same destination.
           
3.2           Main Differences Between OSI and TCP/IP Models

·         The OSI model consists of 7 architectural layers whereas TCP/IP only has 4 layers.
·         TCP/IP appears to be a simpler model as it has fewer layers.
·         TCP/IP combines the presentation and session layer issues into its application layer.
·         TCP/IP combines the OSI data link and physical layers into the network access layer.
·         The OSI model supports connection-oriented communication in the transport layer, whereas in the network layer it supports both connectionless and connection-oriented communication.
·         The TCP/IP model has only one mode in the network layer but supports both modes in the transport layer.
·         Both the OSI and TCP/IP models are based on the concept of a stack of independent protocols.
·         The functions of the layers are more or less similar.
·         Three concepts are central to the OSI model: services, interfaces and protocols.
          Services: this definition tells what the layer does. It defines the layer's semantics.
          Interface: it tells the process above it how to access it.
          Peer protocols: the protocols used in a layer are the layer's own business.
·         The TCP/IP model did not clearly distinguish between service, interface and protocol.
·         The protocols in the OSI model are better hidden than in the TCP/IP model and can be replaced relatively easily as the technology changes.
·         The OSI model was devised before the protocols were invented.
          This ordering means that the model was not biased toward one particular set of protocols.
          The downside of this ordering is that the designers did not have much experience with the subject and did not have a good idea of which functionality to put in which layer.
·         With TCP/IP, the protocols came first and the model was really just a description of the existing protocols.
          The protocols fit the model perfectly.
          But the model did not fit any other protocol stacks.
·         TCP/IP protocols are considered to be the standards around which the Internet has developed.
·         The OSI model, however, is a generic, protocol-independent standard.




3.3           Protocol port comparison

(figure: protocol port comparison table)

Other related details.

(figures: additional OSI / TCP/IP comparison images)

These pictures also help you.