Jump to content

Leaderboard

Popular Content

Showing content with the highest reputation on 12/22/12 in all areas

  1. Retardatule, te-ai gasit sa comentezi ? marsh in pula mea, fa-ti temele ..
    1 point
  2. Vulnerabilitatea a fost reparata de catre facebook. Summary As a part of our study of various security critical Javascript SDKs we did an analysis of the Facebook Connect JS SDK. Since they use HTML5 based PostMessage API we were specifically interested in the way the origins were validated. We managed to bypass the origin validation by exploiting 3 different bugs in their SDK. These bugs in the Facebook's JavaScript SDK (specifically in the code loaded from xd_arbiter.php) allows a malicious website (M) that a user visits to obtain the user's access tokens for any other website (W) that she has previously authorized. All M needs to know is W's (public) client_id. The attacker M may subsequently use the access token to: (1) log in to W if it enables "login with Facebook" (2) read the user's Facebook profile offline (3) write to the user's Facebook profile feed (if W has this permission). Notably, using (3), M could post a link to itself on the user's profile feed, and thus spread the attack (like a worm) through the user's social network. The attack is widely applicable; it works whether or not W uses the JavaScript SDK. If W is one of Facebook's instant personalization partners like Bing, Yelp, and TripAdvisor, user does not even have to have previously authorize it, and M immediately gets the user's basic profile details. Background Websites such as Facebook, Google, and Live, protect API access to user data through the OAuth 2.0 authorization protocol. To access user data from any of these websites, a web application must first obtain an access token from an authorization server. The token is issued only if the user explicitly gives her permission. A typical use for such tokens is to authenticate a user, by retrieving her email address. This is the basis of single sign-on solutions provided by various social networks (e.g. Login with Facebook). More generally, the token may be used to retrieve user data for personalization, or to post a comment on a user's social profile (e.g. Like buttons). In its strongest server-side configuration (authorization code grant), the OAuth protocol requires each application to authenticate its token request with its identifier and secret key (obtained during registration), and requires that the authorization server only returns the token to a preregistered application URI. However, when returning tokens to JavaScript clients in the Implicit grant flow, authorization servers are more lax. They do not require application authentication, because storing or using long term secret keys in JavaScript is considered dangerous. They require only that the destination web page be on the same origin as the application's registered URI, because browsers do not offer a reliable way to distinguish one page on an origin from another. If a user authorizes a website to access her Facebook profile, she is authorizing every script on every page that will ever be loaded in that website's origin. Facebook JS SDK uses iFrames for Cross domain communication. It creates a proxy iFrame on initialization which basically serves as a communication channel between the 3rd party Client Website and Facebook.com. When a website uses the Facebook JavaScript SDK ("http://connect.facebook.net/en_US/all.js") to ask for an access token which is required to fetch the user's profile data (e.g. by calling FB.login), the SDK creates two iframes, the first "Proxy" iframe communicates with the current website, and the second "OAuth" frame communicates with Facebook. If the OAuth iframe gets an access token back from Facebook, it sends the token to the "Proxy" iframe, which then releases the token to the page. The goal of the whole exchange is that the access token should be given to the current website only if the user has authorized it. We show how this goal is broken. The Proxy iframe is sourced at: https://static.ak.facebook.com/connect/xd_arbiter.php ?version=11 #channel=...& origin=& channel_path=..." Note the parameter "origin", it contains the origin for the current website. The code downloaded from "xd_arbiter.php" exports a function "proxyMessage"; when this function is called with an access token, it sends it to its parent frame as a postMessage with targetOrigin set to the "origin" parameter. Hence, only a website with this "origin" will get access to the token. The OAuth iframe is sourced at: https://www.facebook.com/dialog/oauth ?client_id=& response_type=token code& domain=& redirect_uri=https://static.ak.facebook.com/connect/xd_arbiter.php ?version=11 &cb=... &origin= &relation=parent Here, the "domain" parameter is unimportant, it seems to be optional and typically ignored by all parties. However, the "origin" parameter in the "redirect_uri" must match the "client_id" for which the access token is requested. If they match, and the user has previously authorized an app with this "origin", the Facebook OAuth server will issue an access token and redirect this frame to the location: https://static.ak.facebook.com/connect/xd_arbiter.php ?version=11 &cb=... &origin= &relation=parent #access_token=AAABBBCCC...& code=XXYYZZ Now, the JavaScript code downloaded from "xd_arbiter.php" looks for the Proxy iframe in the parent page and calls its "proxyMessage" function with the access token. (Since both frames are now on the same origin, they can directly call each other's functions.) We found three different ways of confusing the Proxy iframe into releasing its access token to an unauthorized website: Attack 1 Important Dates November 1, 2012: date of report November 2-3, 2012: old bugfix pushed out to CDN Details The first attack relies on the fact that although the OAuth iframe only obtains access tokens for an authorized origin W and the Proxy iframe only releases access tokens to the origin in its fragment identifier, there is no check guaranteeing that these origins are the same. The main flaw in the above flow is that the "origin" parameters passed to the two frames are never compared with each other. By using different origin parameters for the two, a malicious website may steal an authorized website's access token. The attack proceeds as follows: U logs into Facebook and has previously authorized W U visits an attacker-owned website M M starts a Proxy iframe with "origin=M" and an OAuth iframe with "origin=W" The OAuth iframe successfully gets a token for W and passes it to the Proxy iframe The Proxy iframe sends the token to M Attack 2 Important Dates November 5, 2012: date of report November 6, 2012: bug fixed Details This attack was due to a bug in the function called to compare the origins of the two iframes before the Proxy iframe released the access token to the hosting page: function q(z, aa) { if (!z || z.length === 0) return true; if (typeof z === 'string' && z === aa) return true; /* ADDED by the BUGFIX on November 3, 2012 */ var ba = '.' + (/https?:\/\/(.*)$/).exec(aa)[1], ca = z.length; while (ca--) { var da = '.' + z[ca]; if (da == ba.substring(ba.length - da.length)) return true; } i.error('Failed proxying to %s, expected %s', ba, z.toString()); return false; } If (typeof z === 'string' && z !== aa), the code above continues, treating z as an array. Hence, in this case it will take each character c of z and check whether "."+c is a suffix of aa The correct fix would have been: if (typeof z === 'string') if (z === aa) return true; else return false; else {...} The suffix-matching code starting from the third line of q assumes that both z and aa are origins, that is, that they do not have any query params or fragment identifiers. This is a mistaken assumption. Since the value aa is set by the home page, it can have the form "http://whatever.com/?q=.yahoo.com" . This URL should not match the origin "yahoo.com" but it will. Function q is happy to return true for q("yahoo.com","http://whatever.com/?q=.m") Attack 3 Important Dates November 9, 2012: date of report November 10, 2012: bug fixed Details The third attack was a parameter pollution attack where you pass two values of a parameter and different values are processed on the clientside and the server side. We exploit this bug by passing two values of origin in the redirect uri to the OAuth endpoint as given below: https://www.facebook.com/dialog/oauth?client_id[...]origin=1&redirect_uri=http[...]xd_arbiter.php%3Fversion%3D15%[...] origin%3D [ORIGIN 1] %26 origin%3D [ORIGIN 2] %26 relation%3Dparent&sdk=joey While the PHP code on the server validates the second value of the Origin and ignores the first one and redirects to the Redirect URI with both the origins in the query string, JS SDK parses the returned query string in such a way so that the first value is validated. Impact All Facebook users were vulnerable to privacy breaches; a malicious website can get the same information about them as Facebook's instant personalization partners.All Facebook users who have ever authorized "Login with Facebook" on a website were vulnerable to impersonation attacks on that website. All Facebook users who have ever authorized "Facebook Sharing" on a website were vulnerable to privacy breaches and profile spamming; a malicious website can read their profile and write any message on their wall. Notably it could have propagated the attack through Facebook as a worm by posting a link to itself. Sursa
    1 point
  3. Beginning Python: From Novice to Professional, Second Edition (Beginning from Novice to Professional) [2008] Beginning Python: Using Python 2.6 and Python 3.1 [2010] Building Skills in Python - Release 2.6.5 [2010] Core Python Programming (2nd Edition) [2006] Dive Into Python 3 [2009] Expert Python Programming [2008] Exploring Python [2009] Foundations of Agile Python Development (Expert's Voice in Open Source) [2008] Fundamentals of Python: From First Programs through Data Structures [2009] Head First Python [2010] Learning Python, 4th Edition [2009] Learn Python the hard way [2010] Making Use of Python [2002] Practical Programming - An Introduction to Computer Science Using Python [2009] Programming in Python 3: A Complete Introduction to the Python Language (2nd Edition) [2010] Programming Python, 4th Edition [2010] Pro Python (Pro Series) [2010] Python 3 for Absolute Beginners [2009] Python 3 Object Oriented Programming: Harness the power of Python 3 objects [2010] Python Algorithms: Mastering Basic Algorithms in the Python Language [2010] Python Cookbook [2005] Python: Create - Modify - Reuse [2008] Python Essential Reference (3rd Edition) Python for Software Design: How to Think Like a Computer Scientist [2009] Python Phrasebook (Developer's Library) [2006] Python Power!: The Comprehensive Guide [2007] Python Programming for the Absolute Beginner (Absolute Beginner) [2003] Python Standard Library (Nutshell Handbooks) [2001] Python Testing: Beginner's Guide [2010] Python Testing Cookbook [2011] The Quick Python Book, 2nd Edition [2010] Thinking in Python - Design Patterns and Problem-Solving Techniques (draft) [2001 Think Python: An Introduction to Software Design: How To Think Like A Computer Scientist [2009] Tutorial Python (versiune 2.2) request download ticket | ifile.it --- Beginning Game Development with Python and Pygame: From Novice to Professional (Beginning from Novice to Professional) [2007] Invent Your Own Computer Games with Python [2010] Python and Tkinter Programming [2000] Rapid GUI Programming with Python and Qt (Prentice Hall Open Source Software Development) [2007] wxPython 2.8 Application Development Cookbook [2010] wxPython in Action [2006] Beginning Python Visualization Crafting Visual Transformation Scripts [2009] Financial Modelling in Python (The Wiley Finance Series) [2009] Foundations of Python Network Programming, Second Edition [2010] Gray Hat Python [2009] Matplotlib for Python Developers [2009] Mercurial: The Definitive Guide [2009] Mobile Python: Rapid prototyping of applications on the mobile platform (Symbian Press) [2007] Real World Instrumentation with Python: Automated Data Acquisition and Control Systems [2010] Python & XML [2001] Python 2.6 Text Processing Beginners Guide [2010] Python Geospatial Development [2010] Text Processing in Python [2003] Twisted Network Programming Essentials [2005] request download ticket | ifile.it --- IronPython in Action [2009] Professional IronPython [2010] Pro IronPython [2009] Introduction to Media Computation: A Multimedia Cookbook in Python [2002] Python 2.6 Graphics Cookbook [2010] Python Multimedia: Beginner's Guide [2010] A Primer on Scientific Programming with Python (Texts in Computational Science and Engineering) [2009] Bioinformatics Programming Using Python (Animal Guide) [2009] Natural Language Processing with Python [2009] Numerical Methods in Engineering with Python [2010] Python for Bioinformatics (Chapman & Hall/CRC Mathematical & Computational Biology) [2009] Python Scripting for Computational Science, 3rd Edition [2008] Python Text Processing with NLTK 2.0 Cookbook [2010] Scientific Data Analysis using Jython Scripting and Java (Advanced Information and Knowledge Processing) [2010] Pro Python System Administration [2010] Python for Unix and Linux System Administration [2008] request download ticket | ifile.it --- CherryPy Essentials: Rapid Python Web Application Development: Design, develop, test, and deploy your Python web applications easily [2007] Django 1.0 Template Development [2008] Django 1.0 Website Development [2009] Django 1.1 Testing and Debugging [2010] Django 1.2 e-commerce: Build powerful e-commerce applications using Django, a leading Python web framework [2010] Django JavaScript Integration: AJAX and JQuery [2011] Essential SQLAlchemy [2008] Grok 1.0 Web Development [2010] Learning Website Development with Django [2008] Mining the Social Web Analyzing Data from Facebook, Twitter, LinkedIn, and Other Social Media Sites [2011] MySQL for Python [2010] Next-Generation Web Frameworks in Python [2007] Practical Django Projects, Second Edition [2009] Pro Django (The Expert's Voice in Web Development) [2008] Professional Python Frameworks: Web 2.0 Programming with Django and Turbogears (Programmer to Programmer) [2007] Programming Collective Intelligence Building Smart Web 2.0 Applications [2007] Python 3 Web Development Beginner's Guide [2011] Rapid Web Applications with TurboGears: Using Python to Create Ajax-Powered Sites [2006] Sams Teach Yourself Django in 24 Hours (Sams Teach Yourself) [2008] The Book of Zope [2001] The Definitive Guide to Django: Web Development Done Right [2007] The Definitive Guide to Plone [2004] The Definitive Guide to Pylons (Expert's Voice in Web Development) [2008] request download ticket | ifile.it
    -1 points
  4. Cred ca reportajul realizat de digi, in mare, poate da cateva idei in contextul actual. Ignorati latura tehnica pentru ca subiectul e facut sa fie inteles de toata lumea, nu de noi. http://www.digi24.ro/stire/DIN-INTERIOR-In-lumea-hackerilor-Noi-nu-facem-fraude-cu-carduri_65491
    -1 points
  5. Introduction GGGooglescan is a Google scraper which performs automated searches and returns results of search queries in the form of URLs or hostnames. Datamining Google’s search index is useful for many applications. Despite this, Google makes it difficult for researchers to perform automatic search queries. The aim of GGGooglescan is to make automated searches possible by avoiding the search activity that is detected as bot behaviour. Please note that using this software may be in violation of Google’s terms of service. Antibot Avoidance Features * To appear more like a human, it does not search beyond a page with the text: “In order to show you the most relevant results, we have omitted some entries very similar” * When Google detects bot-type activity, it redirects to this page which contains a captcha: http://sorry.google.com/sorry/?continue=. gggooglescan will detect this and wait for 60 minutes before re-attempting the search query. * Horizontal searching is a technique to harvest a large number of search results without appearing like a bot. Deep query searching is requesting high numbers of search result pages, eg. requesting result pages 1 through 50 which is detected as bot activity by Google. Horizontal searching allows you to query a large search result space without deep query searching. It works by combining your search query with each word in a word list to create a large quantity of shallow depth search queries. For example, if you wanted to gather a list of forums powered by the myBB software you could use the following search query, “MyBB Group. Copyright”. Google reports there are 79,500 results however it is not easy to obtain those results. Let’s try the following command which searches 200 pages of 10 results which will hopefully net 2000 results. ./gggooglescan -l mybb-forum.log -d 200 ‘”powered by mybb”‘ After just 46 pages and 464 results Google does not display a link to the next page and reports “In order to show you the most relevant results, we have omitted some entries very similar to the 457 already displayed.”. This query returned 374 unique hostnames. After this search completed, the IP address used was restricted from further searching due to bot detection. Using the horizontal search technique we can gain a larger list of mybb forums. ./gggooglescan -l mybb-forum-horizontal.log -d 1 -e ./wordlist ‘”powered by mybb”‘ This search was detected as bot activity after 47 combined dictionary words (a,aachen,aachen’s,aaliyah,…) and obtained 8236 results and 1231 unique hostnames. ./gggooglescan -l mybb-forum-horizontal2.log -d 4 -e ./wordlist ‘”powered by mybb”‘ This search got as far as ‘abbreviates’, the 62nd word in the list and yielded 2389 results, 721 unique hostnames Here are some results I got, your mileage may vary: ./gggooglescan -l mybb-forum-horizontal.log -d 1 -e ./wordlist ‘”powered by mybb”‘ Detected as a bot. Got 8236 results ./gggooglescan -l mybb-forum-horizontal2.log -d 4 -e ./wordlist ‘”powered by mybb”‘ Detected as a bot. Got 2389 results ./gggooglescan -s 2 -l mybb-forum-horizontal3.log -d 1 -e ./wordlist ” ” Avoided detection. Got over 10,000 results before i stopped it. ./gggooglescan -s 2 -l mybb-forum-horizontal4.log -d 1 -e ./wordlist ” ” Avoided detection. Got over 100,000 results before i stopped it ./gggooglescan -s 2 -l mybb-forum-horizontal5.log -d 1 -e ./wordlist ‘”powered by mybb”‘ Detected as a bot. Got 4612 results. ./gggooglescan -s 2 -l phpbb-forums2.log -d 1 -e ./wordlist “memberlist goto page” Avoided detection. Got over 6279 results. Search within a country Are you only interested in results in Australia? You can restrict your searches to a country with the -c parameter ./gggooglescan -c au hello Perhaps you want a large set of Australian hostnames. Try the following: ./gggooglescan -c au -d 5 -v -l aussie.log -e ./wordlist a Using Proxies Use the -x option to pass curl command line parameters. The following curl options control proxy usage: -x/–proxy Use HTTP proxy on given port –proxy-anyauth Pick “any” proxy authentication method (H) –proxy-basic Use Basic authentication on the proxy (H) –proxy-digest Use Digest authentication on the proxy (H) –proxy-negotiate Use Negotiate authentication on the proxy (H) –proxy-ntlm Use NTLM authentication on the proxy (H) -U/–proxy-user Set proxy user and password –socks4 SOCKS4 proxy on given host + port –socks4a SOCKS4a proxy on given host + port –socks5 SOCKS5 proxy on given host + port –socks5-hostname SOCKS5 proxy, pass host name to proxy –socks5-gssapi-service SOCKS5 proxy service name for gssapi –socks5-gssapi-nec Compatibility with NEC SOCKS5 server For example: gggooglescan -x “–socks5 localhost:1234? hax0r gggooglescan -x “–proxy localhost:8080 –proxy-user bob:12345? hax0r You can also specify proxy settings with environment variables which will be used by curl, for example: export ALL_PROXY=http://localhost:8118/ ./gggooglescan foo Making a Wordlist You can make a wordlist on a Unix system with a command such as: cat /usr/share/dict/words| tr ‘[:upper:]‘ ‘[:lower:]‘ | egrep “[a-z']” | sort -u > wordlist There are more wordlists at openwall.com Download gggooglescan-0.4.tar.gz Latest Version o.4, 18th April 2011 License GPLv3 Author urbanadventurer aka Andrew Horton gggooglescan
    -1 points
  6. Pai trebuie sa-ti iei o cagula, mai ales daca ai webcam la PC. Dupa iti iei Havij si scrii pe google : "inurl:index.php?id=1" dai pe siteuri si pui la sfarsit "'" daca apare o eroare baga-l in Havij, congrats you're a true "haker"
    -1 points
  7. Pentru cei care nu stiu, sa aducem cateva lamuriri. Ce s-a intamplat? Totul a inceput asa: http://webtv.realitatea.net/gruparea-de-hackeri-rst-center-anihilata_904638.html Mai multe persoane au fost arestate pentru carding si vina a picat pe RST. De ce? Unele dintre persoanele arestate aveau cont aici. Aveti aici si videoclipul baietilor veseli: http://www.diicot.ro/images/videos/articles/28.11.2012.mp4 Ce e important: "efectuarea de opera?iuni frauduloase cu instrumente de plat? electronic?". Mai multe detalii in comunicatul lor de presa: http://www.diicot.ro/index.php/arhiva/782-comunicat-de-presa-27-11-2012 Screenshot: http://defcamp.ro/wp-content/uploads/2012/11/rst_poc.png Dupa cum puteti vedea si in comunicatul celor de la DIICOT, RST nu are nicio legatura directa cu acest sir de arestari. RST nu e un grup criminalistic (informational) organizat ci o comunitate publica destinata tinerilor pasionati de securitate IT. Tot ce are legatura cu frauda informationala, furtul cardurilor de credit, scam/phishing, skimming, licitatii false si multe altele, este STRICT INTERZIS pe RST. Problema a aparut deoarece printre persoanele arestate a fost si o victima colaterala, care hosta atat RST, cat si multe alte site-uri importante, printre care si zoso: http://defcamp.ro/wp-content/uploads/2012/11/zoso.ro_.png . Este penibil sa arestezi o persoana care gazduieste niste servere, nu avea cum sa stie ce se intampla pe fiecare server in parte, dar la cum functioneaza "justitita" in Romania ne putem astepta la orice. De ce un alt domeniu? Singura persoana care avea acces la vechiul domeniu, www.rstcenter.com, era tex, administrator RST si persoana care isi pierdea timpul hostand RST. Fiind arestat preventiv pentru 29 de zile, nu puteam avea acces la vechiul domeniu si am fost nevoiti sa alegem unul nou. Aceasta este o modificare temporara, speram ca tex sa fie eliberat, apoi vom vedea ce este de facut in continuare. Am revenit Era pacat ca o intreaga comunitate sa sufere din cauza unor "carderi", asadar am revenit. Vreau insa sa va atrag atentia asupra unor aspecte mai putin cunoscute de voi, mai exact asupra legilor din Romania. Stiu, nu sunt bine definite, se pot interpreta, dar e important ca exista, si mai important este ca din cauza lor puteti avea probleme si incercam sa evitam acest lucru. Legea 161/2003, "Prevenirea si combaterea criminalitatii informatice": http://www.legi-internet.ro/legislatie-itc/criminalitate-informatica/prevederi-legislative-privind-prevenirea-si-combaterea-criminalitatii-informatice.html , printre altele, spune si: CAPITOLUL III Infrac?iuni ?i contraven?ii SEC?IUNEA 1 Infrac?iuni contra confiden?ialit??ii ?i integrit??ii datelor ?i sistemelor informatice Art. 42. - (1) Accesul, f?r? drept, la un sistem informatic constituie infrac?iune ?i se pedepse?te cu închisoare de la 3 luni la 3 ani sau cu amend?. (2) Fapta prev?zut? la alin. (1), s?vâr?it? în scopul ob?inerii de date informatice, se pedepse?te cu închisoare de la 6 luni la 5 ani. (3) Dac? fapta prev?zut? la alin. (1) sau (2) este s?vâr?it? prin înc?lcarea m?surilor de securitate, pedeapsa este închisoarea de la 3 la 12 ani. Art. 43. - (1) Interceptarea, f?r? drept, a unei transmisii de date informatice care nu este public? ?i care este destinat? unui sistem informatic, provine dintr-un asemenea sistem sau se efectueaz? în cadrul unui sistem informatic constituie infrac?iune ?i se pedepse?te cu închisoare de la 2 la 7 ani. (2) Cu aceea?i pedeaps? se sanc?ioneaz? ?i interceptarea, f?r? drept, a unei emisii electromagnetice provenite dintr-un sistem informatic ce con?ine date informatice care nu sunt publice. Art. 44. - (1) Fapta de a modifica, ?terge sau deteriora date informatice ori de a restric?iona accesul la aceste date, f?r? drept, constituie infrac?iune ?i de pedepse?te cu închisoare de la 2 la 7 ani. (2) Transferul neautorizat de date dintr-un sistem informatic se pedepse?te cu închisoare de la 3 la 12 ani. (3) Cu pedeapsa prev?zut? la alin. (2) se sanc?ioneaz? ?i transferul neautorizat de date dintr-un mijloc de stocare a datelor informatice. Art. 45. - Fapta de a perturba grav, f?r? drept, func?ionarea unui sistem informatic, prin introducerea, transmiterea, modificarea, ?tergerea sau deteriorarea datelor informatice sau prin restric?ionarea accesului la aceste date constituie infrac?iune ?i se pedepse?te cu închisoare de la 3 la 15 ani. Art. 46. - (1) Constituie infrac?iune ?i se pedepse?te cu închisoare de la 1 la 6 ani: a) fapta de a produce, vinde, de a importa, distribui sau de a pune la dispozi?ie, sub orice alt? form?, f?r? drept, a unui dispozitiv sau program informatic conceput sau adaptat în scopul s?vâr?irii uneia dintre infrac?iunile prev?zute la art. 42-45; fapta de a produce, vinde, de a importa, distribui sau de a pune la dispozi?ie, sub orice alt? form?, f?r? drept, a unei parole, cod de acces sau alte asemenea date informatice care permit accesul total sau par?ial la un sistem informatic în scopul s?vâr?irii uneia dintre infrac?iunile prev?zute la art. 42-45. (2) Cu aceea?i pedeaps? se sanc?ioneaz? ?i de?inerea, f?r? drept, a unui dispozitiv, program informatic, parol?, cod de acces sau dat? informatic? dintre cele prev?zute la alin. (1) în scopul s?vâr?irii uneia dintre infrac?iunile prev?zute la art. 42-45. Art. 47. - Tentativa infrac?iunilor prev?zute la art. 42-46 se pedepse?te. SEC?IUNEA a 2-a Infrac?iuni informatice Art. 48. - Fapta de a introduce, modifica sau ?terge, f?r? drept, date informatice ori de a restric?iona, f?r? drept, accesul la aceste date, rezultând date necorespunz?toare adev?rului, în scopul de a fi utilizate în vederea producerii unei consecin?e juridice, constituie infrac?iune ?i se pedepse?te cu închisoare de la 2 la 7 ani. Art. 49. - Fapta de a cauza un prejudiciu patrimonial unei persoane prin introducerea, modificarea sau ?tergerea de date informatice, prin restric?ionarea accesului la aceste date ori prin împiedicarea în orice mod a func?ion?rii unui sistem informatic, în scopul de a ob?ine un beneficiu material pentru sine sau pentru altul, constituie infrac?iune ?i se pedepse?te cu închisoare de la 3 la 12 ani. Art. 50. - Tentativa infrac?iunilor prev?zute la art. 48 ?i 49 se pedepse?te. Ce inseamna asta? Folositi in pula mea Tor, VPN sau orice altceva pentru a va ascunde IP-ul cand faceti ceva. De asemenea aveti grija de "privacy", nu faceti publice date personale, invatati sa va "ascundeti". In urmatoarele zile vom lua cateva decizii legate de acest aspect aici. Diseara vom pune si certificatul SSL, nu va faceti griji pentru asta. Si in acest post incercati sa va abtineti de la comentarii idioate. Postati aici eventuale probleme ale forumului, ca si "nu merge sa postezi imagini". Stay safe!
    -1 points
  8. Tutorialul este destinat celor care au internet prin pppoe. Solutia asta nu este nici cea mai buna si nici cea mai usoara, dar totusi este o solutie avand in vedere ca au fost destul de multe persoane care s-au plans ca nu le merge nmap ... Ce aveti nevoie: Virtual Box O imagine a windows xp sau linux dupa bunul plac. Pentru un plus de siguranta -> proxifier + tor. Ce avem de facut. Instalam in virtual box ce dorim windows/linux In windows nmap nu vine gata instalat, in schimb in majoritatea distributiilor linux pe care le-am incercat eu nmap era deja instalat. In cazul in care nu il aveti instalat instalati conform sistemului ales de voi. Instalati proxifier si tor in host(sistemul de instalare pe care il aveti instalat pe calculatorul vostru, nu in virtual box) Proxyfier il gasiti pe internet dar varianta gratuita este trial de 30 de zile. Tor il gasiti de asemenea gratuit. Dupa ce ati instalat proxyfier si tor deschideti proxyfier, mergeti la options, proxy settings. Apasati pe add, selectati socks version 5, la ip puneti 127.0.0.1 iar la port 9050, si dati ok. Proxyfier poate fi descarcat de aici Tor il puteti descarca de aici Virtual Box il puteti descarca de aici Acest tutorial este doar cu scop informational. Nu sunt responsabil pentru ce faceti cu aceste cunostiinte. Daca aveti de adaugat ceva va astept. Le: revin cu o adaugire, dupa inca ceva documentare se pare ca exista o modalitate pentru a putea utiliza nmap si pe pppoe si anume adaugarea "--unprivileged" dupa nmap inaintea celorlalte comenzi. Aviz, exista unele argumente care nu sunt compatibile cu "--unprivileged" unul dintre ele este "-A", experimentati si voi si vedeti care cum merg. De asemenea pentru ca multi s-au plans in acest topic de faptul ca nu merge, atunci editati blah.bat si adaugati argumentul "--unprivileged" acolo in bat si o sa mearga. adica in acel bat in loc de start "rdp" /HIGH nmap -n -Pn -p T:3389 -T5 --script rdp.nse -iR 0 adaugati start "rdp" /HIGH nmap --unprivileged -n -Pn -p T:3389 -T5 --script rdp.nse -iR 0
    -1 points
×
×
  • Create New...