How To Open Backdoor in Android Devices

TEAM

Editor-in-Chief: Joanna Kretowicz
Editors: Marta Sienicka, Marta Strzelec, Anna Kondzierska
Proofreader: Lee McKenzie
Senior Consultant/Publisher: Paweł Marciniak
CEO: Joanna Kretowicz
Marketing Director: Joanna Kretowicz
DTP: Marta Sienicka
Cover Design: Hiep Nguyen Duc

Proofreaders & Betatesters: Lee McKenzie, Avi Benchimol, Bernhard Waldecker, Hammad Arshed, Ivan Gutierrez Agramont, John Webb, David von Vistauxx, Tom Updegrove, K S Abhiraj, greg mckoy, Ayo Tayo balogun, Jonus Gerrits, Michal Jáchim, Mitch Impey, Wayne Kearns, Robert Fling, Francesco Mura, Paul Mellen, Matthew Sabin

Publisher: Hakin9 Media Sp. z o.o.
ul. Postępu 17D
02-676 Warszawa
Phone: 1 917 338 3631
www.hakin9.org

All trademarks, trade names, or logos mentioned or used are the property of their respective owners.

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
Dear Readers!

We would like to present to you our newest issue, the first one in 2018. We hope you will find the articles interesting and will have time to read them all.

We will start with learning about the PortSpoof tool and the active defense technique, where you initiate a counter attack targeting the attackers. Then we will dive into SCADA security and find out how it influences the cybersecurity field. And for Python users we have a special article, in which you will learn how to make your own botnet and have fun with the MQTT protocol.

Make sure to read our main article: How to open a backdoor in Android devices. Together with the author we will follow simple steps to infect an Android application with a payload, which allows remote access to the victim's device. We will do all of that using the Metasploit Framework!

With Mark Bishop's article you will have a chance to see how to encrypt a password list. Jacob Bell will present the most important aspects of DDoS attacks, and Peter Anderson Lopes will demonstrate the main steps of a penetration test in his article about exploiting SMB and Kerberos to obtain administrator access. All of this and more can be found inside this issue.

We would also like to thank you for all your support. We appreciate it a lot. If you like this publication, you can share it and tell your friends about it! Every comment means a lot to us.

Enjoy your reading,

Hakin9 Magazine
Editorial Team
7    PortSpoof - Active Defense Tool, by Osama Alaa

16   SCADA - Security in the Wild, by Prasenjit Kanti Paul

37   Python for IOT: Make your own botnet and have fun with the MQTT protocol, by Adrian Rodriguez Garcia

71   How To Open a Backdoor in Android Devices Through the Insertion of a Payload in a Legitimate APK, by Lucas García

83   "I want it to be a good tool that I can be proud of": Interview with Daniel Araujo, creator of Proctal

96   Distributed Denial of Service Attacks: Recent Incidents and how Organizations can Mitigate Impacts, by Jacob Bell

108  Exploiting SMB and Kerberos to obtain Administrator access, by Petter Anderson Lopes

120  Implementing a One-Time-Pad-Based Password Vault: A Poor Person's Solution, by Mark Bishop

135  Correlation of Log SOC, by Seifallah Karaa

140  Cloud Beyond the Hacking, by Andrea Cavallini
PYTHON FOR IOT: MAKE YOUR OWN BOTNET AND HAVE FUN WITH THE MQTT PROTOCOL
by Adrian Rodriguez Garcia

ABOUT THE AUTHOR

Adrian Rodriguez Garcia

Adrian Rodriguez Garcia, graduate in telecommunication engineering in the specialty of telematics, and graduate of the Master in information and communications security at the University of Seville.

Currently, I work in Telefonica's cybersecurity unit (ElevenPaths), in the innovation and laboratory area, where I work on researching and developing security-related solutions.

I'm a fan of cybersecurity, especially topics related to the fight against malware, which is why I design all kinds of solutions to prevent and mitigate any incident that can occur in network systems. In addition, I'm a curious person who likes to study and test new technologies to the extreme, to take full advantage of their features or to learn their limitations and improve them.

In short, I enjoy the world of cybersecurity and new technologies, where I feel happy and want to learn something new every day.

Contact: www.linkedin.com/in/adrian-rodriguez-garcia-64257698
Python for IOT: Make your own botnet and have fun with the MQTT protocol

'Control any type of device connected to the network' has become one of the main objectives of cybercriminals. Controlling many devices allows them to attack big network infrastructures to achieve their goal, or simply to cause a denial of service.

What will you learn?

In this article, we will introduce the world of the Internet Of Things using Python, specifically, the control of devices running Microsoft Windows and Android systems. Additionally, we will learn the MQTT protocol to control devices related to automation. The topics addressed are as follows:

• Main attacks of 2017.

• Build a botnet by indirect attack.

• Build a botnet by direct attack.

• MQTT Protocol.

What should you know?

No prior knowledge is required about programming, systems or cybersecurity, because all necessary knowledge will be explained in this article. You just need to have fun reading, learning and researching.
Introduction

First, we're going to talk about the main attacks that have occurred during this year. The objective is to show the big security problem that exists today due to the knowledge of cybercriminals and the lack of knowledge or awareness of people.

Then, we will use the Python language and the enormous power of its libraries to demonstrate how to create a basic botnet by indirect attack. That is, no attack will be made on any system, because it will be the people themselves who install the malicious software made by us.

Next, we will make a direct attack on Android systems with the objective of obtaining a botnet. For this, we will use a search engine for devices, like Shodan.


Finally, we will talk about the MQTT protocol, very frequently used in the IOT world and, as will be seen, very dangerous if it's not secured correctly.

Main attacks of 2017

Throughout this year, different security incidents have occurred related to the security of Internet-connected devices. Next, we will talk about some of the most important ones to understand the different methods used, how their botnets work and what objectives they pursue.

IOT_reaper

It was seen for the first time in September. This botnet caused vast Internet outages by launching massive DDoS attacks, and its main feature is its rapid growth. The malware infected two million devices and had a growth rate of 10,000 new devices per day. IOT_reaper no longer depends on cracking weak passwords; instead, it exploits vulnerabilities in various IoT devices and enslaves them into a botnet network.

Persirai

It's a botnet that targeted more than 1,000 models of IP cameras. Nobody knows the exact number of devices in the botnet, but we know, thanks to Trend Micro, that there are more than 120,000 vulnerable cameras that can be found in Shodan. Many of these vulnerable users do not know that their IP cameras are exposed to the Internet. This makes it much easier to gain access to the web interface of the IP camera through TCP port 81.

Amnesia

Amnesia is an IoT botnet targeting digital video recorders (DVRs). The malware exploits a vulnerability disclosed more than a year ago involving remote code execution in DVRs' Linux-based firmware. This Linux-based malware is the first of its kind and is considered advanced, due to its virtual machine evasion techniques. The malware detects if it's running in a VirtualBox, VMware or QEMU VM, typical sandboxes or honeypots. Amnesia can turn more than 200,000 vulnerable devices worldwide into a botnet. The malware communicates with the Command and Control (C&C) servers via the IRC protocol, downloads its payload via HTTP requests and uses TCP and UDP flooding techniques.

BrickerBot

BrickerBot's attack vector is similar to the Mirai botnet; for example, it employed dictionary attacks to gain unauthorized access to the device. But it's different because it executes a chain of malicious Linux commands that result in permanent damage to the device instead of denial of service.

This malware takes advantage of security flaws in BSNL and MTNL devices that allow remote code execution. BSNL and MTNL allowed anyone from the Internet to connect through port 7547 to routers and modems in their internal network. Thanks to this fact, BrickerBot caused damage at the two Indian ISPs for a week.

BlueBorne

It's not a botnet or malware; it is a vulnerability in Bluetooth technology. The attack does not require the victim to interact with the attacking device. This means that attackers can take control of a device without the user having to interact with it. There are two ways attackers can use BlueBorne. The first is to connect to a target device and execute remote code on it. Also, it can create a Bluetooth Pineapple to sniff traffic, hijack the connection, and redirect traffic. It's estimated that there are around 5 billion vulnerable devices. This means that it's the most serious Bluetooth vulnerability identified to date.
Build a botnet by indirect attack

As seen in the previous section, cybercriminals have cameras, DVRs or routers, among many other devices, as targets. Each attack is different from the previous one, both in form and in objectives, but all share a common philosophy to achieve the goals set. This way of thinking is summarized in one word, "IOT" (Internet Of Things). That is, any device that's connected to the Internet serves their purpose.

In this section, the same philosophy will be followed. It should be clear that each device has an operating system to work with (iOS, Android, Windows, Linux, ...). In this case, a botnet of devices with the Windows operating system (laptops, tablets or desktops) will be created, due to my personal predilection for this kind of system. It has been called "indirect" because it is not intended to directly attack any particular device; we will wait until, through phishing or other methods, people "give us" a session on their devices. To achieve the goal, we will use the following programming language and libraries:

• Python 2.7

• Ctypes Python library

• Sockets Python library

• Json Python library

• Subprocess Python library

• WMI Python library

WMI is the infrastructure for data management and operations on Windows. The WMI Python library provides an interface for interacting with Windows WMI, so we can manage Windows services, which interests us to make our botnet persistent.

To build the botnet, clients are needed on the one hand and the server on the other. So, in the first place, the server will be made. In this case, the sockets Python library will be used, which will allow us to connect devices through a port. Therefore, it's necessary to create a socket that's listening and accepting connections continuously.

Listing 1:

import socket

newsocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
newsocket.bind((<IP>, <PORT>))   # replace <IP> and <PORT> with the server's address and port
newsocket.listen(1000)

try:
    while True:
        # Block until the next client connects; each accepted connection is a new client
        connection, address = newsocket.accept()
except Exception:
    pass                          # stop accepting if the listening socket fails
finally:
    newsocket.close()             # release the listening socket only after the loop ends

Once we have a basic server, we introduce features such as the following:

• Run remote commands

• Download files from clients

• Upload files to clients

IMPLEMENTING A ONE-TIME-PAD-BASED PASSWORD VAULT: A POOR PERSON'S SOLUTION
by Mark Bishop

ABOUT THE AUTHOR

Mark Bishop

Mark Bishop is an analytical/computational chemist at New England Testing Laboratory, Inc. in West Warwick, RI. His work focuses on chemical informatics and laboratory information management systems (LIMS) administration. He is actively involved in open-source software development and has several tutorials hosted at CodeProject. For further background, see: http://www.mark-bishop.net/contact.php

Introduction:

Simple password managers that unlock many passwords with a single password are disturbing because all passwords are just one brute-forced password away. Integration of any encryption solution with vulnerable system components, such as flawed hardware or compromised software-integrated password managers, further dilutes our confidence. We ask, what flaws, perhaps intentional weaknesses, are lurking in these solutions? There are too many examples of poor design, understandable mistakes, misguided objectives, and deliberate malevolence to dismiss these concerns.

This article presents one way of encrypting personal password lists, an alternative where we can know all of the details of the very simple implementation. It relies on a powerful, intrinsically simple encryption method: the Vernam Cipher or one-time pad (OTP). I have used the solution discussed here, implemented on a Linux platform, to protect my personal password lists. The author provides no warranty for the approach, not even any implied warranty of merchantability or fitness for a particular purpose.

I hope readers will not infer a sinister promotion of fear, uncertainty, and doubt. I find this topic interesting and fun, and part of my enjoyment is an imaginary conflict with a hypothetical adversary, a mind experiment familiar to all information security enthusiasts. All will agree that keeping passwords safe is a good practice and that having a list of them available in a couple of mouse clicks is convenient and conducive to the use of multiple, strong passwords.

General:

Implemented carefully, OTP encryption cannot be defeated with any certainty in the result without the unique encryption key. There is no undiscovered algorithm, no coming quantum platform, and no future advance in parallel processing that can computationally defeat it given only the encrypted form. Why? Because the ciphered text will decrypt to every possible signal of equal length, including gibberish [1].

The most important words in the preceding paragraph are the first two: implemented carefully. Unacceptable weaknesses of the method occur when the key is not random, or the key is used to encrypt multiple messages, or the key is compromised. Additionally, we do not want any circumstantial evidence, like the length of the ciphered text, to provide clues. For example, an OTP ciphered text containing two bytes and known to be an answer to a yes/no question probably decrypts to "no", if English is assumed.

There will always be weaknesses in the implementation of any cryptographic method. For example, to decrypt OTP ciphered text, the key must come into contact with it and, to be useful, the plain text must be observable, if only for a moment. We can't prevent this, but simplicity, transparency, and user understanding of the implementation can reduce exposure.

Conventions: In this article, text surrounded with "<" and ">" means: replace the expression, including the "<" and ">", with user-specific information. Shell commands are blue and file content is green.

The One-Time Pad: an XOR Operation

One-time pad encryption is based on a bitwise Exclusive OR (XOR) operation of a plain text message (plaintext) with a cipher (key) to form an encrypted message (ciphertext). The process is reversed by performing a bitwise XOR of the ciphertext with the key (it is a symmetric encryption).

An XOR is a logical operation that has the following truth table:

A   B   A XOR B
0   0   0
0   1   1
1   0   1
1   1   0

Note that (A XOR B) XOR B produces A. As the truth table illustrates, given (A XOR B), it is impossible to deduce A without having B (not just difficult or undiscovered, but intrinsically impossible). If A is plaintext and B is a key, then (A XOR B) is a ciphered text that is uniquely decryptable only when the key is known: plaintext = (ciphertext) XOR (key).

Characters may be mapped to binary encodings, e.g., D = 01000100, o = 01101111, g = 01100111.

On a computer, they are necessarily encoded this way using standardized mappings. The word Dog, on a computer or a scribbled note, could have the following binary transformation: 010001000110111101100111 (length = 24). If Dog's binary transformation is bit-by-bit XOR'd with, say, 110011001100110011001101, the result is 100010001010001110101010.

A list of passwords, usernames, email addresses, secret questions, etc., can be recorded in plaintext and optionally padded with useless information. The ciphertext is now, and forever shall be, utter and useless nonsense without the key, provided the key is never used to encrypt another file and the key is cryptographically random.
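The XOR scheme above, carried through in Python as an added example (this is not the article's own vault implementation, which the author built on a Linux platform with shell tools). It reproduces the "Dog" walk-through with the article's sample key, draws real keys from the OS random generator, pads a plaintext to a fixed length so the ciphertext size does not reveal the true message length, and shows concretely why a pad must never be reused: XORing two ciphertexts made with the same key cancels the key and leaves the XOR of the two plaintexts. Function names and the padding format (a NUL separator followed by random filler, which assumes the plaintext itself contains no NUL byte) are this example's own choices.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings; the core OTP operation."""
    if len(a) != len(b):
        raise ValueError("one-time pad requires key length == message length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_key(length: int) -> bytes:
    """Key material from the OS CSPRNG; a predictable key breaks the scheme."""
    return os.urandom(length)


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    return xor_bytes(plaintext, key)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    # Same operation in reverse, because (A XOR B) XOR B == A.
    return xor_bytes(ciphertext, key)


def to_bits(data: bytes) -> str:
    """Render bytes as the 8-bit-per-character string the article uses."""
    return "".join(f"{byte:08b}" for byte in data)


def from_bits(bits: str) -> bytes:
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def pad_to_length(plaintext: bytes, total: int) -> bytes:
    """Constructed padding format: plaintext, a NUL separator, then random filler.
    The ciphertext then reveals only the chosen block size, not the message length.
    Assumes the plaintext contains no NUL byte."""
    if len(plaintext) + 1 > total:
        raise ValueError("message too long for the chosen padded length")
    return plaintext + b"\x00" + os.urandom(total - len(plaintext) - 1)


def strip_padding(padded: bytes) -> bytes:
    return padded.split(b"\x00", 1)[0]


def key_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """Why a pad is used once: c1 XOR c2 == (p1 XOR k) XOR (p2 XOR k) == p1 XOR p2.
    The key cancels, and the relationship between the two plaintexts is exposed."""
    return xor_bytes(ciphertext1, ciphertext2)


def dog_example() -> dict:
    """Reproduce the article's 'Dog' walk-through with its sample 24-bit key."""
    plaintext = b"Dog"
    key = from_bits("110011001100110011001101")
    ciphertext = encrypt(plaintext, key)
    return {
        "plaintext_bits": to_bits(plaintext),
        "ciphertext_bits": to_bits(ciphertext),
        "roundtrip": decrypt(ciphertext, key),
    }


if __name__ == "__main__":
    print(dog_example())
    # Constructed sample entry for a password list, padded to a fixed 64 bytes.
    entry = b"site.example.test user:alice pass:correct-horse"
    key = generate_key(64)
    ciphertext = encrypt(pad_to_length(entry, 64), key)
    print(strip_padding(decrypt(ciphertext, key)) == entry)
```

The padding helper is the "useless information" the article mentions; the vault file is then a sequence of fixed-size records, so an observer learns the number of entries and the block size but not how long any individual secret is.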

PORTSPOOF - ACTIVE DEFENSE TOOL
by Osama Alaa

ABOUT THE AUTHOR

Osama Alaa

Cyber security consultant, works at the security-meter company, loves pentesting and CTFs.

Introduction

Every day, we hear about campaigns targeting organizations worldwide. Is it right that organizations are hacked due to a lack of defensive layers? I don't think so; in fact, everyone focuses on securing the environment by different methods, such as hardening, patching and blocking suspicious Indicators of Compromise (IOCs); others may do regular assessments, etc., and we can say they are PROACTIVE. But meanwhile, attackers' techniques nowadays are more sophisticated than before, so some of these methods may not be effective against specific types of threats.

That's why, in our article, we will discuss an interesting approach, "Active Defense", where we will defend ourselves in addition to initiating counter attacks targeting the attackers themselves.

Active Defense Definition

Active Defense is a deliberately planned and continuously executed campaign to identify and help eradicate hidden attackers and defeat likely threat scenarios targeting your most critical assets. Active Defense can enhance organizational effectiveness by employing a deliberate operational cycle to plan, execute, and review intelligence-driven activities to help implement targeted countermeasures, fortify defenses and hunt intruders.

Active Defense Stages

Active defense can be broken down into three main groups: annoyance, attribution, and attack.

• Annoyance: This is where we try to increase the amount of work effort an attacker needs to put forth to attack a network. This can be achieved through honeypots and bogus DNS entries.

• Attribution: This is where we are trying to unmask the attackers. This can be done via Word web bugs, applets, ActiveX controls, and macros to identify the IP location and geolocation of attackers. This phase is great for incident response.

• Attack: This is where most people think active defense takes place. It is hacking back using pentest tricks like fake websites with malware embedded, or macros for remote access to an attacker's system.

We will go through one of the tools for active defense to illustrate the idea behind it further: portspoof is an effective tool which is sometimes used as a honeypot module.


PortScan

We all know port scanning is the process used to find open ports on systems and hence learn which services run on those ports. This is always the first step used by attackers to get to know their victims and start the reconnaissance phase. There are a lot of port scanning tools, like nmap, masscan and amap, and today we will focus on nmap in our scenario.

PortSpoof

Description

As officially defined, Portspoof is a tool that can cause complications and confusion for the attacker. Portspoof answers any attempted port scan with various signatures and payloads, so it can answer on all 65535 ports with fake signatures and fake vulnerable services, which results in consuming the time of the attacker's scan and also the time the attacker spends trying to exploit these fake vulnerable services.

Portspoof presents various service signatures on some or all available ports, making it very difficult to discover which services are actually running on the computer. The application can simulate more than 8,000 signatures and has the ability to throw a couple of exploits back at the scanning computer.
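To make the annoyance and attribution stages concrete, here is a small deception listener written for this article as an added example; it is not Portspoof's code and does not use its signature database. It answers every connection with a plausible but fake service banner, cycling through a handful of constructed banners, and logs the source address of each connection so the defender has an attribution record. The banner strings, class and function names, and the use of an ephemeral localhost port for the demonstration are all this example's own assumptions; Portspoof itself is a C++ daemon that serves thousands of signatures across a whole port range.

```python
import socket
import socketserver
import threading

# Constructed sample banners (hypothetical versions, not Portspoof's signatures).
FAKE_BANNERS = [
    b"220 mail.example.test ESMTP Postfix\r\n",
    b"SSH-2.0-OpenSSH_5.3\r\n",
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.3 (CentOS)\r\nContent-Length: 0\r\n\r\n",
    b"+OK Dovecot ready.\r\n",
]


class SpoofHandler(socketserver.BaseRequestHandler):
    """Answer one connection with the next fake banner and record who connected."""

    def handle(self):
        banner = self.server.next_banner()
        # Attribution: log the source address before answering.
        self.server.record(self.client_address[0], banner)
        try:
            self.request.sendall(banner)
        except OSError:
            pass  # scanner may close early; nothing else to do


class SpoofServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, SpoofHandler)
        self._lock = threading.Lock()
        self._counter = 0
        self.hits = []  # (source_ip, banner) tuples, oldest first

    def next_banner(self) -> bytes:
        # Deterministic rotation so every probe of the same host looks different.
        with self._lock:
            banner = FAKE_BANNERS[self._counter % len(FAKE_BANNERS)]
            self._counter += 1
        return banner

    def record(self, source_ip: str, banner: bytes) -> None:
        with self._lock:
            self.hits.append((source_ip, banner))


def start_spoofer(host: str = "127.0.0.1", port: int = 0) -> SpoofServer:
    """Start the listener in a background thread; port 0 picks a free port."""
    server = SpoofServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host: str, port: int, timeout: float = 2.0) -> bytes:
    """What a banner-grabbing scanner sees: connect and read the greeting."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(4096)


def scanner_view(server: SpoofServer, probes: int) -> list:
    """Probe the running listener several times and return the banners observed."""
    host, port = server.server_address[:2]
    return [probe(host, port) for _ in range(probes)]


if __name__ == "__main__":
    srv = start_spoofer()
    for banner in scanner_view(srv, 4):
        print(banner.splitlines()[0])
    print(srv.hits)
    srv.shutdown()
    srv.server_close()
```

Run against a version-detection scan, a listener like this makes each probed port look like a different live service, which is the time-wasting effect described above; the hits list is the raw material for the attribution stage, since every banner grab leaves a source address behind.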

Installation:

Download the package from GitHub:

git clone https://github.com/drk1wi/portspoof.git

Install the package:

• cd portspoof && ./configure && make && make install