
Leaderboard

Popular Content

Showing content with the highest reputation on 11/07/11 in all areas

  1. Ok, what is this "Uid Web Authentification"? It is an authentication system based on a uid (Unique Identification Number), in our case the MAC address. The diagram below tries to explain roughly how this system works:

     In short, an executable is run from the administrator's computer; the executable sends the MAC address to the mysql server and starts a session valid for one minute, during which the MAC address must be verified from the web interface. If the MAC address and the IPs match, the administration area should open.

     Ok, what do we need? Well, I chose to write the exe in php and compile it with bamcompile, a pretty cool php=>exe compiler; the bad part is that it compiles php 4.4.4. The bamcompile site is Bambalam PHP EXE Compiler/Embedder 1.21 - Free php to exe converter!. The next step would be to create a database, or use one that already exists, because all we need is a table like this:

     The next step would be to write the web interface, so:

     <?php
     // Because bamcompile only compiles PHP 4 code and we do not have the date_time_set function available,
     // we have to standardise the time between client and server.
     // The function below converts hours and minutes into seconds, for an easier comparison of time intervals.
     function time_in_seconds($string){
         $string = explode(':', $string);
         $string[0] = $string[0] * 3600;
         $string[1] = $string[1] * 60;
         $time_in_seconds = $string[0] + $string[1] + $string[2];
         $time_in_seconds = (int)$time_in_seconds;
         return $time_in_seconds;
     }

     // The executable asks for the server time first; answer with the 24-hour clock and stop,
     // so the response holds nothing but the time string.
     if(isset($_GET['servertime'])){
         print date('H:i:s');
         exit;
     }

     // mysql connection
     $sql_con = mysql_connect("localhost", "root", "");
     if(!$sql_con){
         die('Could not connect: ' . mysql_error());
     }
     mysql_select_db("test1234", $sql_con);

     // This section receives data from the executable and inserts it into mysql.
     if(isset($_GET['insert'])){
         $ip   = $_SERVER['REMOTE_ADDR'];
         $date = date('m.d.y');
         // Both GET values arrive straight from the network, so escape them before they reach the query.
         $time = mysql_real_escape_string($_GET['time'], $sql_con);
         $key  = mysql_real_escape_string($_GET['key'], $sql_con);
         $sql = mysql_query("INSERT INTO uid_log (ip, date, time, mac) VALUES ('$ip', '$date', '$time', '$key')");
     }

     // This section compares the mac address sent by the user with the one stored in the database.
     if(isset($_POST['extract'])){
         // Load the last entry in the table (by id, so gaps left by deleted rows do not matter).
         $sql_query = mysql_query("SELECT * FROM uid_log ORDER BY id DESC LIMIT 1");
         while($row = mysql_fetch_array($sql_query)){
             if($row['mac'] == '00-1D-6A-96-5F-FC' && $row['ip'] == $_SERVER['REMOTE_ADDR'] // check that the mac addresses and the ips match
                && time_in_seconds($row['time']) + 60 > time_in_seconds(date('H:i:s'))){ // and that a minute has not passed since the row was inserted
                 echo '<center>Welcome!</center><br/>';
             }
             else{
                 print '<center>Go away!</center>';
             }
         }
     }

     print '
     <center>
     <form action="' . $_SERVER["PHP_SELF"] . '" method="post">
     <input type="radio" name="extract" style="visibility:hidden" checked="checked" />
     <input type="submit" value="Login">
     </form>
     </center>';
     ?>

     Then the code that is to be compiled:

     <?php
     // First of all, we have to finish the time standardisation process: ask the server for its clock.
     $string = file_get_contents('http://localhost/hid/simple.php?servertime=a');
     $pattern = '/[0-9]+:[0-9]+:[0-9]+/'; // hours:minutes:seconds, all digits of the seconds included
     preg_match($pattern, $string, $match);

     // Get the mac address.
     exec("getmac", $output);
     $output = implode(" ", $output);
     // Six hex pairs separated by hyphens, with a bit of help from a regex.
     preg_match_all('/[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}/', $output, $macmatch);
     $macs = $macmatch[0];

     if(count($macs) > 1){
         print 'you have more than one network adapter and I have no idea which one is the right one';
     }
     elseif(count($macs) == 0){
         print 'no mac address found in the getmac output';
     }
     else{
         $url = 'http://localhost/hid/simple.php?insert=true&time=' . $match[0] . '&key=' . $macs[0];
         file_get_contents($url); // and pass the data to mysql
         print 'Data submitted';
     }
     ?>

     In this example I took the MAC address, but an even safer method would be to take the hardware ids, only that needs work with the windows APIs or with a dll like this one: Unique hardware ID extractor|Extract real hard drive/disk and CPU serial number. Volume Partition Serial Number, Partition Serial Number, Hardware serial number|Extracts unique serial numbers from your computer's hardware. The problem would be working with ole/com in php on windows, which is a real pain.

     To compile the code above, go to the dir where bamcompile is located and use the command:

     bamcompile numele_la_php.php numele_la_exe.exe

     For more compile options, read readme.txt. I should mention that the authentication system is presented as a concept, and that before implementing a system like this you should also consider sending the data via post, perhaps encrypted; likewise, the data in the table should be stored encrypted, and as an extra security measure an auxiliary/primary system based on user:pass would be recommended. I hope you understood something.
    1 point
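The one-minute window, the mac/ip comparison and the client-side MAC extraction described in the post above, as an added example that is not part of the original post or its code. It is written in Python rather than PHP so it can be run stand-alone; the shared secret, the sample getmac output and the record fields (ts, sig) are constructed for the example. The post suggests sending the data encrypted; here a keyed hash (HMAC) over the submitted fields is used instead, my substitution, so the web interface can tell a row written by the executable from one inserted by anyone who requests the insert URL. The post's clock-string comparison is kept alongside the epoch version to show the two ways date('h:i:s') lets a stale entry through: the 12-hour 'h' restarts at 01 after 12:59:59, and any clock format restarts at midnight.

```python
# Added example, not from the original post: the 'Uid Web Authentication'
# checks rewritten in Python so they can be run and tested stand-alone.
import hashlib
import hmac
import re

# Assumption: a secret baked into the compiled executable and known to the web
# interface. Constructed value for the example only.
SECRET = b"constructed-shared-secret-for-the-example"

# --- the post's time handling, as written -----------------------------------

def time_in_seconds(hms):
    """Port of the post's PHP helper: 'HH:MM:SS' -> seconds since midnight."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s

def window_open_clock(logged, now, window=60):
    """The post's check: logged clock time plus 60 s must still be ahead of 'now'.

    Both strings come from PHP date(). With 'h:i:s' the hour restarts at 01
    after 12:59:59; with 'H:i:s' it restarts at 00 at midnight. After either
    wrap 'now' looks smaller than 'logged' and a stale entry is accepted.
    """
    return time_in_seconds(logged) + window > time_in_seconds(now)

# --- the same check on absolute timestamps ----------------------------------

def window_open_epoch(logged_ts, now_ts, window=60):
    """Accept only if the entry lies in the past and is under `window` seconds old."""
    return 0 <= now_ts - logged_ts < window

# --- making the submitted record tamper-evident -----------------------------

def sign_entry(mac, ip, ts, secret=SECRET):
    """HMAC-SHA256 over the fields the executable submits (my substitution for
    the post's 'perhaps encrypted' transmission)."""
    msg = "%s|%s|%d" % (mac, ip, ts)
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()

def check_login(entry, expected_mac, remote_ip, now_ts, secret=SECRET, window=60):
    """Server-side decision for the newest uid_log row.

    entry is a dict with the columns the post's table holds (mac, ip) plus the
    epoch timestamp and signature assumed here (ts, sig).
    """
    expected_sig = sign_entry(entry["mac"], entry["ip"], entry["ts"], secret)
    if not hmac.compare_digest(expected_sig, entry["sig"]):
        return False  # row was not produced by a holder of the secret
    if entry["mac"] != expected_mac or entry["ip"] != remote_ip:
        return False  # the post's mac/ip comparison
    return window_open_epoch(entry["ts"], now_ts, window)

# --- client side: picking the MAC out of getmac output ----------------------

# Exactly six hex pairs joined by hyphens, not embedded in a longer hex/hyphen run.
MAC_RE = re.compile(r"(?<![0-9A-Fa-f-])[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}(?![0-9A-Fa-f-])")

def extract_macs(getmac_output):
    """Return every XX-XX-XX-XX-XX-XX address in the text; the caller decides
    what to do when there is not exactly one (the post refuses to submit)."""
    return MAC_RE.findall(getmac_output)

# Constructed sample of what `getmac` prints on Windows (layout only; GUIDs made up).
SAMPLE_GETMAC = """
Physical Address    Transport Name
=================== ==========================================================
00-1D-6A-96-5F-FC   \\Device\\Tcpip_{8A3C2B1D-1111-2222-3333-444455556666}
AA-BB-CC-DD-EE-01   Media disconnected
"""

if __name__ == "__main__":
    print("MACs found:", extract_macs(SAMPLE_GETMAC))
    print("12-hour clock, entry from 12:00:00 checked at 01:00:10:",
          window_open_clock("12:00:00", "01:00:10"))
    record = {"mac": "00-1D-6A-96-5F-FC", "ip": "192.0.2.10", "ts": 1_000_000}
    record["sig"] = sign_entry(record["mac"], record["ip"], record["ts"])
    print("login 30 s later:", check_login(record, record["mac"], record["ip"], 1_000_030))
    print("login 61 s later:", check_login(record, record["mac"], record["ip"], 1_000_061))
```

The MAC is still self-reported by the client, so the signature proves possession of the secret inside the executable, not the hardware; the post's closing advice to pair this with a user:pass login stands.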
  2. THN Magazine is a free monthly magazine designed to spread awareness and knowledge about cyber security. Our goal is to provide the most up-to-date information on a wide variety of topics that relate to hackers and security experts worldwide. We welcome contributions from readers and hackers like YOU! Simply submit your idea or article to thehackernews@gmail.com and your submission could be featured in our next edition.

     Some topics of interest include, but are not limited to:
     * New attack and defense techniques
     * Vulnerability discovery
     * Small tactics and techniques; Big attacks and impact
     * Mobile hacking
     * Professional exploit development
     * Security and hacking events around the world
     * Technical book reviews
     * Security and hacking threats
     * Security tools
     * Expert interviews

     Issue 06 | November 2011 | Anniversary Edition - Download - RAR Format | PDF Format
     Issue 05 | October 2011 | Linux - Means Freedom - Download - RAR Format | PDF Format
     Issue 04 | September 2011 | No One is Secure Edition - Download - RAR Format | PDF Format
     Issue 03 | June 2011 | Total Exposure Edition - Download - RAR Format | PDF Format
     Issue 02 | May 2011 | Social Engineering Edition - Download - RAR Format | PDF Format
     Issue 01 | April 2011 | Anonymous Hackers Edition - Download - RAR Format | PDF Format
    1 point
  3. It seems that every time the topic of password cracking comes up, there is a question that quickly follows: "do you have a dictionary?" There are a number of websites that maintain lists of default passwords for equipment. Two that seem to receive a bit of attention are SearchLores and Liquid Matrix. However, Skull Security took things a bit further and provided links to various leaked databases that have appeared in the last year. These are real passwords used at live sites. I decided to take all three and combine them into a single master list. I have also included the leaked account names from the recent #OpDarknet. While not passwords, these account names are descriptive for a particular niche, lending to the possibility that they may also be passwords. Either way, they are included. If someone believes there is a better way to distribute this, please comment. The original files are separated, but were consolidated for this post. The file WholeLottaPasswords.7z weighs in at 36.6 MB compressed and 150 MB uncompressed. It contains 14,504,798 unique lines. Enjoy.

     As a counter-point to this article, if you find yourself using the same password at multiple sites, weak passwords, or you find your password in this list ... you may want to read Password Management.

     Download: WholeLottaPasswords.7z
     CRC32: BA824EDF
     MD5: ABC5C4999D35DAEE6457E76E6CAFBBB9
     SHA-1: 42796B41B8A801C3AAAAD25F5917299E943D0004

     SOURCE

     You don't really find something like this for bruteforce... and these guys were kind enough to share it with us too.
    1 point