
Leaderboard

Popular Content

Showing content with the highest reputation on 12/14/14 in all areas

  1. As an addition to https://rstforums.com/forum/74965-colectie-linkuri-utile.rst, I will also contribute a list.
     Malware auto-analysis: PeStudio, MASTIFF, Comodo, VirusTotal, THREATANALYZR, VIRSCAN, EUREKA, XECSCAN, MALWAREVIZ, XANDORA, VICHECK, METASCAN
     Document analysis tools: OFFICE MAL SCANNER, OFFVIS, CRYPTAM, PDF EXAMINER, PDF TOOLS, PDF X-RAY, PDF X-RAY LITE, PEEPDF, ORIGAMI, PDF STREAMDUMPER
     JavaScript analysis tools: FIREBUG, JSUNPACK-N, JS BEAUTIFY, JS BEAUTIFIER, JavaScript Beautifier, JS DEOBFUSCATOR, RHINO, SPIDERMONKEY 24, MALZILLA
     System & file monitoring: SYSINTERNALS, REGSHOT, CAPTUREBAT, SYSANALYZER, PROCESS HACKER, PROCDOT (Windows & Linux), RADIOGRAPHY, RUNSCANNER, NORIBEN, API MONITOR
     SWF analysis tools: SWFTOOLS (Windows & Linux), SWF INVESTIGATOR (OSX & Windows), SWF DECOMPILER (OSX & Windows), SWFRETOOLS, FLASM (Linux & OSX & Windows), FLARE (Linux & OSX & Windows), XXXSWF
     PE tools: PE INSIDER, CFF EXPLORER, LORDPE, PEVIEW, PE EXPLORER, CHIMPREC, MALCODE ANALYSIS PACK (MAP)
     Shellcode analysis tools: SHELLDETECT, LIBEMU, SHELLCODE2EXE, CONVERTSHELLCODE, SHELLCODE (MALWARE-TRACKER), JMP2IT (source & download)
     Packer analysis & detection: RDG PACKER DETECTOR, PEiD, PACKERID, WINDOWS PACKER DETECTOR, LANGUAGE 2000, EXESCAN, Q-UNPACK
     Hex editors: HEXPLORER, 010 EDITOR (trial for Windows, purchase, trial for Linux, trial for OSX), BINTEXT, HACKMAN HEX EDITOR, HXD
     Network analysis tools: WIRESHARK (OSX & Windows), FAKENET, INETSIM, NCAT (OSX & Windows), APT PROTOCOL DECODERS (Custom Base64, Comment Crew DES, Joy Trojan, Binanen, Mini ASP Trojan), FAKE DNS, APATE DNS, FAKE SMTP, HONEYD, TCPDUMP, FIDDLER, BURP SUITE, NETWORK MINER, NGREP, NETWITNESS
     Memory forensics tools: VOLATILITY, VOLATILITUX, LINUX MEMORY EXTRACTOR (LIME), MEMORYANALYSIS, BULK EXTRACTOR, MEMORYZE, REDLINE
     Debuggers: OLLYDBG (custom builds & OLLYDBG 2.0), IMMUNITY DEBUGGER, WINDBG, GDB, EDB
     URL analysis tools: Rex Swain's HTTP Viewer, URLQUERY, UNMASK CONTENT, URL VOID, URL VOID Mask, BRIGHTCLOUD, NORTON SAFE WEB, VURL, SPONDULAS, PHISHTANK, SOURCE-CODE-VIEWER, NETRENDERER
     DNS & IP lookup tools: CYBER-INTELLIGENCE, MXTOOLBOX, DOMAIN TOOLS, ROBTEX, NETWORK-TOOLS, DOMAIN DOSSIER, DOMAIN QUERIES, myDNStools, ULTRA TOOLS
     Disassemblers: IDA PRO 6.3 Demo & IDA 5.0, HOPPER (Fedora & Ubuntu & OSX), CAPSTONE, PROFILER (Linux & OSX & Windows), Malware-Analyzer
    2 points
  2. This tutorial shows a way to limit a user's privileges to their own folder only. If we have a server with a very large number of users who use sftp/ssh for access, it would be good to use an ssh jail. [In case a user has Internet authentication problems, copy /etc/resolv.conf for the jailed users or add netbasics to jk_init.]

     1) Install and compile

         wget http://olivier.sessink.nl/jailkit/jailkit-2.17.tar.gz
         tar -xzf jailkit-2.17.tar.gz
         cd jailkit-2.17
         ./configure
         make
         sudo make install

     Note: make sure you have the development tools installed.

     2) Configure

         cd /mnt/jailuseri                      # /mnt/jailuseri must be owned by root:root
         mkdir -p jail/sleed
         jk_init -v -j /mnt/jailuseri/jail/sleed basicshell
         adduser sleed
         passwd sleed                           # the author's example password: salam
         jk_jailuser -m -s /bin/bash -j /mnt/jailuseri/jail/sleed sleed
         mkdir jail/sleed/tmp
         chmod a+rwx jail/sleed/tmp

     To add other users, proceed as in step 2.

     Help:

         jk_init --help
         jk_jailuser --help
         jk_cp --help
    2 points
  3. https://creativemarket.com/bundle/12days
     Download link (size: 2.24 GB), base64-encoded: DQpodHRwczovL21lZ2EuY28ubnovI0YhN1IxQ2tLalIhaGZGYWN6d0NaRjY5OU1MeTFMWjJMdw==
    1 point
  4. It is not clear to me whether you are looking in Bucharest or not.
    1 point
  5. CACTI = a graphical environment for network monitoring. Cacti is a complete solution for graphing the network using RRDTool. More details are on the official site: Cacti® - The Complete RRDTool-based Graphing Solution. Tested on Debian Wheezy.

     1) Make sure we have root privileges! [su ...] [whoami = root, otherwise not ok]

     2) Do an update: apt-get update

         root@sld:~# apt-get update
         Hit http://dl.google.com stable Release.gpg
         .....
         Reading package lists... Done

     3) Install cacti:

         root@sld:~# apt-get install cacti
         Reading package lists... Done
         Building dependency tree
         Reading state information... Done
         The following extra packages will be installed:
           dbconfig-common libdbi1 libjs-jquery-cookie libphp-adodb librrd4 php5-snmp rrdtool
         Suggested packages:
           php5-ldap moreutils php5-adodb librrds-perl
         The following NEW packages will be installed:
           cacti dbconfig-common libdbi1 libjs-jquery-cookie libphp-adodb librrd4 php5-snmp rrdtool
         0 upgraded, 8 newly installed, 0 to remove and 13 not upgraded.
         Need to get 4,046 kB of archives.
         After this operation, 10.2 MB of additional disk space will be used.
         Do you want to continue [Y/n]? Y

     It asks us to select a web server; in my case: apache2. Then we get to the database step and it shows:

         -> Configure database for cacti with dbconfig-common?   Click YES
         -> Password of the database's administrative user:       whatever you want; as a test I put: mataigrasa
         -> MySQL application password for cacti:                 whatever you want; as a test I put: mataigrasa
         -> Password confirmation:                                mataigrasa [or your chosen password]
         verifying access for cacti@localhost: success.
         creating database cacti: success.
         verifying database cacti exists: success.
         populating database via sql..

     If everything is in order and mysql & apache work correctly, we go to: http://localhost/cacti/install/
     -> Click Next.
     -> For type of installation select New Install, then Next.
     -> I RECOMMEND LEAVING THE CONFIGURATION AS IT IS HERE (EVERYTHING SHOULD BE FOUND).
     -> CLICK FINISH.

     4) Login: user: admin, password: admin
     *** Forced Password Change ***
     We will have to set another password; my example: mataigrasa

     FOR OTHER DETAILS: R.T.F.M. http://www.cacti.net/downloads/docs/pdf/manual.pdf
     Other info: Cacti® - The Complete RRDTool-based Graphing Solution
    1 point
  6. Another 7 days of ban, from the big godfather.
    1 point
  7. When reversing embedded code, it is often the case that completely different devices are built around a common code base, either due to code re-use by the vendor, or through the use of third-party software; this is especially true of devices running the same Real Time Operating System. For example, I have two different routers, manufactured by two different vendors, and released about four years apart. Both devices run VxWorks, but the firmware for the older device included a symbol table, making it trivial to identify most of the original function names:

     [Figure: symbol table recovered from the older firmware]

     The older device with the symbol table is running VxWorks 5.5, while the newer device (with no symbol table) runs VxWorks 5.5.1, so they are pretty close in terms of their OS version. However, even simple functions contain a very different sequence of instructions when compared between the two firmwares:

     [Figure: strcpy from the VxWorks 5.5 firmware]
     [Figure: strcpy from the VxWorks 5.5.1 firmware]

     Of course, binary variations can be the result of any number of things, including differences in the compiler version and changes to the build options. Despite this, it would still be quite useful to take the known symbol names from the older device, particularly those of standard and common subroutines, and apply them to the newer device in order to facilitate the reversing of higher level functionality.

     Existing Solutions

     The IDB_2_PAT plugin will generate FLIRT signatures from the IDB with a symbol table; IDA’s FLIRT analysis can then be used to identify functions in the newer, symbol-less IDB:

     [Figure: Functions identified by IDA FLIRT analysis]

     With the FLIRT signatures, IDA was able to identify 164 functions, some of which, like os_memcpy and udp_cksum, are quite useful. Of course, FLIRT signatures will only identify functions that start with the same sequence of instructions, and many of the standard POSIX functions, such as printf and strcmp, were not found.

     Because FLIRT signatures only examine the first 32 bytes of a function, there are also many signature collisions between similar functions, which can be problematic:

         ;--------- (delete these lines to allow sigmake to read this file)
         ; add '+' at the start of a line to select a module
         ; add '-' if you are not sure about the selection
         ; do nothing if you want to exclude all modules
         div_r          54 B8C8 00000000000000000085001A0000081214A00002002010210007000D2401FFFF
         ldiv_r         54 B8C8 00000000000000000085001A0000081214A00002002010210007000D2401FFFF
         proc_sname     00 0000 0000102127BDFEF803E0000827BD0108................................
         proc_file      00 0000 0000102127BDFEF803E0000827BD0108................................
         atoi           00 0000 000028250809F52A2406000A........................................
         atol           00 0000 000028250809F52A2406000A........................................
         PinChecksum    FF 5EB5 00044080010440213C046B5F000840403484CA6B010400193C0ECCCC35CECCCD
         wps_checksum1  FF 5EB5 00044080010440213C046B5F000840403484CA6B010400193C0ECCCC35CECCCD
         wps_checksum2  FF 5EB5 00044080010440213C046B5F000840403484CA6B010400193C0ECCCC35CECCCD
         _d_cmp         FC 1FAF 0004CD02333907FF240F07FF172F000A0006CD023C18000F3718FFFF2419FFFF
         _d_cmpe        FC 1FAF 0004CD02333907FF240F07FF172F000A0006CD023C18000F3718FFFF2419FFFF
         _f_cmp         A0 C947 0004CDC2333900FF241800FF173800070005CDC23C19007F3739FFFF0099C824
         _f_cmpe        A0 C947 0004CDC2333900FF241800FF173800070005CDC23C19007F3739FFFF0099C824
         m_get          00 0000 00803021000610423C04803D8C8494F0................................
         m_gethdr       00 0000 00803021000610423C04803D8C8494F0................................
         m_getclr       00 0000 00803021000610423C04803D8C8494F0................................
         ...

     Alternative Signature Approaches

     Examining the functions between the two VxWorks firmwares shows that there is a small fraction (about 3%) of unique subroutines that are identical between both firmware images:

     [Figure: bcopy from the VxWorks 5.5 firmware]
     [Figure: bcopy from the VxWorks 5.5.1 firmware]

     Signatures can be created over the entirety of these functions in order to generate more accurate fingerprints, without the possibility of collisions due to similar or identical function prologues in unrelated subroutines. Still other functions are very nearly identical, as exemplified by the following functions which only differ by a couple of instructions:

     [Figure: a function from the VxWorks 5.5 firmware]
     [Figure: the same function, from the VxWorks 5.5.1 firmware]

     A simple way to identify these similar, but not identical, functions in an architecture independent manner is to generate “fuzzy” signatures based only on easily identifiable actions, such as memory accesses, references to constant values, and function calls. In the above function for example, we can see that there are six code blocks, one which references the immediate value 0xFFFFFFFF, one which has a single function call, and one which contains two function calls. As long as no other functions match this “fuzzy” signature, we can use these unique metrics to identify this same function in other IDBs.

     Although this type of matching can catch functions that would otherwise go unidentified, it also has a higher propensity for false positives. A bit more reliable metric is unique string references, such as this one in gethostbyname:

     [Figure: gethostbyname string xref]

     Likewise, unique constants can also be used for function identification, particularly subroutines related to crypto or hashing:

     [Figure: constant 0x41C64E6D used by rand]

     Even identifying functions whose names we don’t know can be useful. Consider the following code snippet in sub_801A50E0, from the VxWorks 5.5 firmware:

     [Figure: function calls from sub_801A50E0]

     This unidentified function calls memset, strcpy, atoi, and sprintf; hence, if we can find this same function in other VxWorks firmware, we can identify these standard functions by association.

     Alternative Signatures in Practice

     I wrote an IDA plugin to automate these signature techniques and apply them to the VxWorks 5.5.1 firmware:

     [Figure: output from the Rizzo plugin]

     This identified nearly 1,300 functions, and although some of those are probably incorrect, it was quite successful in locating many standard POSIX functions:

     [Figure: functions identified by Rizzo]

     Like any such automated process, this is sure to produce some false positives/negatives, but having used it successfully against several RTOS firmwares now, I’m quite happy with it (read: “it works for me”!).

     Source
    1 point
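As an added example (not the Rizzo plugin's code, and not taken from the post): a toy version of the exact and "fuzzy" signature matching described above, with the identification-by-association step at the end. NAMED and UNNAMED are constructed pseudo-MIPS stand-ins for the VxWorks 5.5 and 5.5.1 IDBs; apart from the names the post itself mentions (bcopy, rand, gethostbyname, atoi/atol, sub_801A50E0 and its callees), everything in them is made up.

```python
from collections import Counter

# Constructed listings: a function is a list of basic blocks, a block a list of (mnemonic, operand...) tuples.
NAMED = {   # the IDB with a symbol table
    "bcopy": [[("lw", "t0"), ("sw", "t0"), ("bne", "loop")], [("ret",)]],
    "rand": [[("li", 0x41C64E6D), ("mul", "t0"), ("addiu", 0x3039), ("ret",)]],
    "gethostbyname": [[("la", '"gethostbyname"'), ("call", "errnoSet")], [("ret",)]],
    "atoi": [[("li", 10), ("call", "strtol")]],
    "atol": [[("li", 10), ("call", "strtol")]],   # same body as atoi: a collision
    "sub_801A50E0": [[("call", "memset")], [("call", "strcpy"), ("call", "atoi")],
                     [("call", "sprintf")], [("ret",)]],
}
UNNAMED = {   # the IDB without symbols
    "sub_100": [[("lw", "t0"), ("sw", "t0"), ("bne", "loop")], [("ret",)]],   # identical to bcopy
    "sub_200": [[("nop",), ("li", 0x41C64E6D), ("mul", "t0"), ("addiu", 0x3039), ("ret",)]],
    "sub_300": [[("la", '"gethostbyname"'), ("call", "sub_999")], [("ret",)]],
    "sub_400": [[("li", 10), ("call", "sub_888")]],   # atoi or atol? ambiguous, so left alone
    "sub_500": [[("call", "sub_1")], [("call", "sub_2"), ("call", "sub_3")],
                [("call", "sub_4")], [("ret",)]],
}

def block_features(block):
    """Architecture-independent view of one block: its call count and the
    immediates / string literals it references (call targets are not used)."""
    calls = sum(1 for ins in block if ins[0] == "call")
    consts = [op for ins in block for op in ins[1:]
              if isinstance(op, int) or (isinstance(op, str) and op.startswith('"'))]
    return (calls, tuple(sorted(consts, key=str)))

def fuzzy_signature(func):
    """Block count plus the block features; tolerant of a few changed instructions."""
    return (len(func), tuple(sorted((block_features(b) for b in func), key=repr)))

def exact_signature(func):
    """Whole-function instruction sequence: catches the ~3% identical subroutines."""
    return tuple(ins for b in func for ins in b)

def match(named, unnamed):
    """Map unnamed -> known names, exact matches first. A signature is only used
    when it is unique on both sides, so atoi/atol-style collisions never match."""
    result = {}
    for sig_fn in (exact_signature, fuzzy_signature):
        n_sigs = {n: sig_fn(f) for n, f in named.items()}
        u_sigs = {u: sig_fn(f) for u, f in unnamed.items()}
        n_count, u_count = Counter(n_sigs.values()), Counter(u_sigs.values())
        index = {s: n for n, s in n_sigs.items() if n_count[s] == 1}
        for u, s in u_sigs.items():
            if u not in result and s in index and u_count[s] == 1:
                result[u] = index[s]
    return result

def propagate_by_association(named, unnamed, matches):
    """Name the call targets of an identified function after those of its known twin."""
    extra = {}
    for u, k in matches.items():
        u_calls = [ins[1] for b in unnamed[u] for ins in b if ins[0] == "call"]
        k_calls = [ins[1] for b in named[k] for ins in b if ins[0] == "call"]
        if len(u_calls) == len(k_calls):
            extra.update({a: b for a, b in zip(u_calls, k_calls)
                          if a.startswith("sub_") and a not in matches})
    return extra
```

The fuzzy pass is where false positives creep in, which is why it runs only after the exact pass and why both uniqueness checks are kept.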
  8. Hi, you have probably used sqlmap by now. I made a PHP script (vulnerable to SQL injection) which I attacked with sqlmap, to see how sqlmap works when you drive it; I leave the results here: http://sprunge.us/PFXI

     The PHP script:

         <?php
         // Deliberately vulnerable: the id parameter is concatenated straight into the query.
         mysql_connect("localhost", "root", "");
         mysql_select_db("information_schema");
         $query = mysql_query("SELECT * FROM CHARACTER_SETS where maxlen = '" . $_GET['id'] . "'");
         while ($rez = mysql_fetch_array($query)) {
             echo $rez[0];
         }
         // Every id value received is appended to results.txt, so the payloads sqlmap sent can be read back.
         $file = fopen("results.txt", "a+");
         $content = $_GET['id'] . "\n";
         fwrite($file, $content);
         fclose($file);
         ?>
    1 point
  9. API hooking is a technique by which we can instrument and modify the behavior and flow of API calls. API hooking can be done using various methods on Windows. Techniques include memory break point and .DEP and JMP instruction insertion. We will briefly discuss the trampoline insertion techniques. Hooking can be used to introspect calls in a Windows application or can be used to capture some information related to the API calls. Let us consider the following application making some basic Win32 API calls.

         /*************************************************
          Simple WIN32 APP making some API calls
         *************************************************/
         #define WIN32_LEAN_AND_MEAN
         #include <windows.h>
         #include <stdio.h>
         #include <stdlib.h>   /* EXIT_SUCCESS */

         int main(int argc, char **argv)
         {
             MessageBox(NULL, "Hello world", "Hello World!", MB_OK);
             return EXIT_SUCCESS;
         }

     Running this program will lead us to this message box:

     [Figure: the "Hello World!" message box]

     Now let us consider the situation that we want to monitor the call to the message box. The following diagram illustrates the procedure.

     [Figure: diagram of the hooking procedure]

     The code which is responsible for the jump to the hooked DLL is known as a trampoline. So the basic idea is to redirect the call at the base of the API function. For injection related purposes, we will create an injector. Following is the code for the injector exe that will be used to create a process in suspended mode or will try to inject into a running process.

         #define WIN32_LEAN_AND_MEAN
         #include <windows.h>
         #include <stdio.h>
         #include <stdlib.h>
         #include <string.h>

         void EnableDebugPriv(void);   /* defined below */

         /* Built as an ANSI (non-UNICODE) project, so the A variants are used explicitly. */
         int main(int argc, char **argv)
         {
             char *pName = 0;
             unsigned int type = 0, PID;
             char psDLLname[MAX_PATH] = {0};
             LPVOID pvMem = NULL;
             DWORD rc;
             PROCESS_INFORMATION ProcessInfo;
             STARTUPINFOA StartupInfo;
             HANDLE hProcess, hThread;

             if (argc < 3) {
                 printf("...[] Usage %s <ProcessName> / <process ID> <type = 1 for injection, 2 for creation>...", argv[0]);
                 exit(0);
             }
             type = atoi(argv[2]);
             EnableDebugPriv();
             printf("\n [].......... Type = %d, Process Name = %s\n", type, argv[1]);

             ZeroMemory(&StartupInfo, sizeof(StartupInfo));
             StartupInfo.cb = sizeof StartupInfo;   // Only compulsory field

             if (type == 1) {   // Injection into a running process
                 PID = atoi(argv[1]);
                 hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, PID);
                 if (!hProcess) {
                     printf("Open Process Failed..");
                     return 1;
                 }
             } else {           // Creation: start the target suspended
                 pName = argv[1];
                 CreateProcessA(pName, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &StartupInfo, &ProcessInfo);
                 hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, ProcessInfo.dwProcessId);
             }

             // The hook DLL is expected next to the injector, named <injector path>.dll
             GetModuleFileNameA(NULL, psDLLname, MAX_PATH);
             strncat(psDLLname, ".dll", MAX_PATH - strlen(psDLLname) - 1);
             // Copy the DLL path into the target and have a remote thread call LoadLibraryA on it
             pvMem = VirtualAllocEx(hProcess, 0, MAX_PATH, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
             WriteProcessMemory(hProcess, pvMem, psDLLname, MAX_PATH, NULL);
             hThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, pvMem, 0, &rc);
             WaitForSingleObject(hThread, INFINITE);   // let LoadLibrary finish before the target runs
             if (type != 1)
                 ResumeThread(ProcessInfo.hThread);    // the process was created suspended
             return 0;
         }

     In order to give the application SE_DEBUG privileges, we have to elevate the privileges of its token to SE_DEBUG. For that purpose we can use the following API calls.

         /* The article's _debug() helper is not shown; a minimal stand-in: */
         #define _debug() printf("error %lu at line %d\n", GetLastError(), __LINE__)

         void EnableDebugPriv(void)
         {
             HANDLE hToken;
             LUID sedebugnameValue;
             TOKEN_PRIVILEGES tkp;

             if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
                 _debug();
                 return;
             }
             if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &sedebugnameValue)) {
                 _debug();
                 CloseHandle(hToken);
                 return;
             }
             tkp.PrivilegeCount = 1;
             tkp.Privileges[0].Luid = sedebugnameValue;
             tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
             if (!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof tkp, NULL, NULL))
                 _debug();
             CloseHandle(hToken);
         }

     Similar code can be found here: Enabling and Disabling Privileges in C++ (Windows).

     Inside the DLL we need to code a handler and a JMP replacer for the API call MessageBoxA. The JMP instruction has the following opcode structure:

         JMP     = {0xe9}
         ADDRESS = {0x00, 0x00, 0x00, 0x00}

     where ADDRESS = Jump destination - (EIP + SIZEOF(OPCODE)), which can be simply calculated using the following code:

         unsigned char *JMP_OPCODE(unsigned int addr, unsigned int Hook)
         {
             static unsigned char OPCODE[5] = {0xe9, 0x00, 0x00, 0x00, 0x00};
             unsigned int Addr_RESX = addr - (Hook + 5);   // rel32 is relative to the end of the 5-byte JMP
             memcpy(&OPCODE[1], &Addr_RESX, sizeof(int));
             return OPCODE;
         }

     A similar thing can be done for a CALL opcode:

         unsigned char *CALL_OPCODE(unsigned int addr, unsigned int Hook)
         {
             static unsigned char OPCODE[5] = {0xe8, 0x00, 0x00, 0x00, 0x00};
             unsigned int Addr_RESX = addr - (Hook + 5);
             memcpy(&OPCODE[1], &Addr_RESX, sizeof(int));
             return OPCODE;
         }

     For example, if we want to get the JMP opcode for the MessageBoxA function, we will use this code in the following way:

         void hook_function_MessageBoxA(...)
         {
             ..... Hook Code ....
             Jump back
         }

         // first argument: jump destination (the hook); second: where the JMP is written (the start of MessageBoxA)
         unsigned char *trampoline = JMP_OPCODE((unsigned int)hook_function_MessageBoxA, (unsigned int)MessageBoxA);

     [Figure: http://resources.infosecinstitute.com/wp-content/uploads/042214_1534_APIHooking3.png]

         DWORD x;
         void *API_CALL;                      // address of MessageBoxA inside user32.dll
         unsigned char org_buffer[5] = {0};   // This will save the original bytes at the function
         // getAddr is the article's own resolver (not shown); GetProcAddress(GetModuleHandleA("user32.dll"), "MessageBoxA") gives the same result
         API_CALL = getAddr("MessageBoxA", "user32.dll");
         VirtualProtect(API_CALL, 5, PAGE_EXECUTE_READWRITE, &x);
         MessageBox(NULL, "Hello word!", "Hello world!", MB_OK);

     We also need to save the original instructions, and when our hook is called we need to put them back again.

         memcpy(org_buffer, API_CALL, 5);   // the first 5 bytes of MessageBoxA, before they are overwritten

     We also need to modify the hooked function to restore the original bytes afterwards:

         void hook_function_MessageBoxA(...)
         {
             ..... Hook Code ....
             memcpy(API_CALL, org_buffer, 5);   // restore the original prologue
             __asm { JMP [API_CALL] }           // continue into the real MessageBoxA
         }

     Source
    1 point
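Added example, not code from the article above: the rel32 arithmetic behind the E9/E8 opcodes, the save/patch/restore cycle simulated on a bytearray rather than live process memory, and the inverse check a defender runs over a dumped function prologue to spot an inline hook. The addresses, the module range and the prologue bytes are constructed.

```python
import struct

def jmp_opcode(dest, at):
    """E9 rel32 placed at `at`: rel32 = dest - (at + 5), i.e. relative to the end
    of the 5-byte instruction (the article's Jump destination - (EIP + SIZEOF))."""
    return b"\xe9" + struct.pack("<I", (dest - (at + 5)) & 0xFFFFFFFF)

def call_opcode(dest, at):
    """Same encoding with E8 for a CALL."""
    return b"\xe8" + struct.pack("<I", (dest - (at + 5)) & 0xFFFFFFFF)

def decode_rel32(code, at):
    """Inverse: where does an E9/E8 located at `at` land? None if it is neither."""
    if len(code) < 5 or code[0] not in (0xE9, 0xE8):
        return None
    return (at + 5 + struct.unpack("<i", code[1:5])[0]) & 0xFFFFFFFF

def install_hook(image, base, func, hook):
    """The article's patch, simulated on a bytearray mapped at `base`: save the
    5 original prologue bytes (org_buffer) and overwrite them with the trampoline."""
    off = func - base
    saved = bytes(image[off:off + 5])
    image[off:off + 5] = jmp_opcode(hook, func)
    return saved

def restore_original(image, base, func, saved):
    """What the hook must do before jumping back: put the original bytes back."""
    off = func - base
    image[off:off + 5] = saved

def detect_inline_hook(func, prologue, module):
    """Defender's check over a dumped prologue: a function whose very first
    instruction jumps outside its own module's (lo, hi) range is trampolined.
    Returns the out-of-module target address, or None."""
    target = decode_rel32(prologue, func)
    lo, hi = module
    if target is None or lo <= target < hi:
        return None
    return target
```

An in-module JMP at function entry is deliberately not flagged: hot-patch stubs and tail jumps inside the same DLL look the same at this granularity, so the module range is what separates a legitimate jump from a trampoline into injected code.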
  10. The kid has no basic knowledge of the OS and hardware. Me, you and all of us were at that point once in our lives. It's certainly not the moment to talk about proper tweaking and such nonsense. When you are a child and try to become a man too fast, you FAIL quickly. As the German says... "langsam, langsam" (slowly, slowly)....
      ONTOPIC: APEIRON, leave the computer as it is, install Windows XP... and learn a bit of hardware on it. Whatever you end up doing professionally, it is to your advantage, because you won't have to depend on anyone. I too had 1 GB of RAM... even 256 MB of RAM.. you don't need to be ashamed.. slowly, slowly, nothing is "burning" anywhere. Here on the forum we have a "Hardware and help" section.. so we can be beside you while you learn. Regards.
    -1 points