Leaderboard

Black Hat Arsenal USA 2017 On June 1, 2017 @toolswatch announced the tools selected for Black Hat Arsenal USA 2017. Most of the selected tools are already present on GitHub and some are yet to be uploaded. This article contains the links to their respective repositories. The tools are arranged according to their tracks. If you like the tool, go to its repository and click Watch to keep updated on the latest commits and pushes. Some tools will be updated during/after the Arsenal event. Links to the GitHub repositories of those tools will be eventually updated in this article. Android, iOS and Mobile Hacking Android Tamer https://github.com/AndroidTamer DiffDroid https://github.com/antojoseph/diff-droid Kwetza https://github.com/sensepost/kwetza Needle https://github.com/mwrlabs/needle NoPE Proxy (Non-HTTP Proxy Extension) https://github.com/summitt/Burp-Non-HTTP-Extension Code Assessment Puma Scan https://github.com/pumasecurity/puma-scan Tintorera: Source Code Intelligence (Code not yet uploaded) https://github.com/vulnex/Tintorera Cryptography Hashview https://github.com/hashview/hashview Gibber Sense https://github.com/smxlabs/gibbersense Data Forensics and Incident Response PcapDB: Optimized Full Network Packet Capture for Fast and Efficient Retrieval https://github.com/dirtbags/pcapdb SCOT (Sandia Cyber Omni Tracker) Threat Intelligence and Incident Response Management System https://github.com/sandialabs/scot Security Monkey https://github.com/Netflix/security_monkey ThreatResponse: An Open Source Toolkit for Automating Incident Response in AWS https://github.com/ThreatResponse Yalda — Automated Bulk Intelligence Collection (Code not yet uploaded) https://github.com/gitaziabari/Yalda Exploitation and Ethical Hacking AVET — AntiVirus Evasion Tool https://github.com/govolution/avet GDB Enhanced Features (GEF) https://github.com/hugsy/gef Leviathan Framework https://github.com/leviathan-framework/leviathan MailSniper https://github.com/dafthack/MailSniper Seth https://github.com/SySS-Research/Seth Hardware/Embedded ChipWhisperer https://github.com/newaetech/chipwhisperer DYODE, a DIY, Low-Cost Data Diode for ICS https://github.com/arnaudsoullie/dyode FTW: Framework for Testing WAFs https://github.com/fastly/ftw The Bicho: An Advanced Car Backdoor Maker https://github.com/UnaPibaGeek/CBM Internet of Things Hacker Mode https://github.com/xssninja/Alexa-Hacker-Mode Universal Radio Hacker: Investigate Wireless Protocols Like a Boss https://github.com/jopohl/urh Malware Defense Aktaion v2 — Open Source Machine Learning and Active Defense Tool https://github.com/jzadeh/Aktaion Cuckoo Sandbox https://github.com/cuckoosandbox/cuckoo LimaCharlie https://github.com/refractionPOINT/limacharlie Malboxes https://github.com/GoSecure/malboxes Network Attacks BloodHound 1.3 https://github.com/BloodHoundAD/BloodHound CrackMapExec v4 https://github.com/byt3bl33d3r/CrackMapExec DELTA: SDN Security Evaluation Framework https://github.com/OpenNetworkingFoundation/DELTA eaphammer https://github.com/s0lst1c3/eaphammer gr-lora: An Open-Source SDR Implementation of the LoRa PHY https://github.com/BastilleResearch/gr-lora Yasuo https://github.com/0xsauby/yasuo Network Defense Assimilator https://github.com/videlanicolas/assimilator Noddos https://github.com/noddos/noddos Sweet Security https://github.com/TravisFSmith/SweetSecurity OSINT — Open Source Intelligence Datasploit — Automated Open Source Intelligence (OSINT) Tool https://github.com/DataSploit/datasploit Dradis: 10 Years Helping Security Teams Spend More Time Testing and Less Time Reporting https://github.com/dradis/dradis-ce OSRFramework: Open Sources Research Framework https://github.com/i3visio/osrframework Reverse Engineering BinGrep https://github.com/m4b/bingrep Vulnerability Assessment Aardvark and Repokid https://github.com/square/Aardvark SERPICO https://github.com/SerpicoProject/Serpico SimpleRisk https://github.com/simplerisk/code Web AppSec BurpSmartBuster: A Smart Way to Find Hidden Treasures https://github.com/pathetiq/BurpSmartBuster CSP Auditor https://github.com/GoSecure/csp-auditor Easily Exploit Timing Attacks in Web Applications with the ‘timing_attack’ Gem https://github.com/ffleming/timing_attack Fuzzapi — Fuzzing Your RESTAPIs Since Yesterday https://github.com/lalithr95/fuzzapi Offensive Web Testing Framework (OWASP OWTF) https://github.com/owtf/owtf PyMultiTor https://github.com/realgam3/pymultitor ThreadFix Web Application Attack Surface Calculation https://github.com/denimgroup/threadfix WaToBo — The Web Application Toolbox https://github.com/siberas/watobo WSSiP: A WebSocket Manipulation Proxy https://github.com/nccgroup/wssip If you haven’t looked at the selected tools, check the below embed to view the complete details of the tools and its presenters. The Black Hat Arsenal USA 2017 Phenomenal Line-Up Announced Just a BIG w00w !! Over 90 tools covering hardware/embedded, IoT, Malware defense, exploitations and more ! We had…www.toolswatch.org Sursa: https://medium.com/hack-with-github/black-hat-arsenal-usa-2017-3fb5bd9b5cf2

____ _ _ _ / ___|__ _ _ __ __ _(_) |__ _ __(_)_ __ __ _ | | / _` | '_ \ / _` | | '_ \| '__| | '_ \ / _` | | |__| (_| | | | | (_| | | |_) | | | | | | | (_| | \____\__,_|_| |_|\__, |_|_.__/|_| |_|_| |_|\__,_| |___/ Beta - v0.8.7 Dashboard Finder Cangibrina is a multi platform tool which aims to obtain the Dashboard of sites using brute-force over wordlist, google, nmap, and robots.txt Requirements: Python 2.7 mechanize PySocks beautifulsoup4 html5lib Nmap (--nmap) TOR (--tor) Install: Linux git clone http://github.com/fnk0c/cangibrina.git cd cangibrina pip install -r requirements.txt Usage: usage: cangibrina.py [-h] -u U [-w W] [-t T] [-v] [--ext EXT] [--user-agent] [--tor] [--search] [--dork DORK] [--nmap [NMAP]] Fast and powerful admin finder optional arguments: -h, --help show this help message and exit -u U target site -w W set wordlist (default: wl_medium) -t T set threads number (default: 5) -v enable verbose --ext EXT filter path by target extension --user-agent modify user-agent --tor set TOR proxy --search use google and duckduckgo to search --dork DORK set custom dork --nmap [NMAP] use nmap to scan ports and services Examples: python cangibrina.py -u facebook.com python cangibrina.py -u facebook.com -v python cangibrina.py -u facebook.com -w /root/diretorios.txt -t 10 -v python cangibrina.py -u facebook.com --search -v python cangibrina.py -u facebook.com --search --dork 'site:facebook.com inurl:login' python cangibrina.py -u facebook.com -v --nmap python cangibrina.py -u facebook.com -v --nmap 'sudo nmap -D 127.0.0.1 -F facebook.com' python cangibrina.py -u facebook.com --user-agent python cangibrina.py -u facebook.com --ext php [IMPORTANT] DORK MUST BE WRITE BETWEEN QUOTES ! [Example] 'inurl:login.php' Download .zip Source: https://github.com/fnk0c/cangibrina

Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in the discovery of unknown threats (e.g. new malware). Features Uses multiple public blacklists (alientvault, autoshun, badips, sblam etc) Has extensive static trails for identification (domain names, URLs, IP addresses or User-Agent values) Optional heuristic mechanisms for detection of unknown threats Based on Traffic -> Sensor <-> Server <-> Client Architecture Web reporting interface Installation sudo apt-get install git python-pcapy git clone https://github.com/stamparm/maltrail.git cd maltrail sudo python sensor.py Download .zip Sources: darknet.org.uk github.com

Du-te ma in pula noastra de tigan cu nickname de italian :)))))) Va face omu cu pula mare si va vreti banii inapoi. Iauz' la el ma, el ruleaza ads cu id-ul ala si spune ca nu merge.

Mi-e lene sa citesc, spuneti-mi cui sa dau ban.

O solutie low-cost interesanta... The Marvell MacchiatoBIN is a first-of-its-kind Cost-Effective and High-Performance networking community board targeting OpenDataPlane (ODP), OpenFastPath (OFP) and ARM network functions virtualization (NFV) ecosystem communities. With a software offering that include a fully open source ODP implementation, U-Boot 2015.x, mainline U-Boot, UEFI EDK2, Linux LTS kernel 4.4.x, mainline Linux, Yocto 2.1 and netmap, the Marvell MacchiatoBIN is an optimal platform that community developers and Independent Software Vendors (ISVs) can use for development around ODP and OFP and for delivering ARM based VNFs. https://www.solid-run.com/marvell-armada-family/armada-8040-community-board/

MS-17-010: EternalBlue’s Large Non-Paged Pool Overflow in SRV Driver Posted on:June 2, 2017 at 1:10 am Author: William Gamazo Sanchez (Vulnerability Research) The EternalBlue exploit took the spotlight last May as it became the tie that bound the spate of malware attacks these past few weeks—the pervasive WannaCry, the fileless ransomware UIWIX, the Server Message Block (SMB) worm EternalRocks, and the cryptocurrency mining malware Adylkuzz. EternalBlue (patched by Microsoft via MS17-010) is a security flaw related to how a Windows SMB 1.0 (SMBv1) server handles certain requests. If successfully exploited, it can allow attackers to execute arbitrary code in the target system. The severity and complexity of EternalBlue, alongside the other exploits released by hacking group Shadow Brokers, can be considered medium to high. We further delved into EternalBlue’s inner workings to better understand how the exploit works and provide technical insight on the exploit that wreaked havoc among organizations across various industries around the world. Vulnerability Analysis The Windows SMBv1 implementation is vulnerable to buffer overflow in Large Non-Paged kernel Pool memory through the processing of File Extended Attributes (FEAs) in the kernel function, srv!SrvOs2FeaListToNt. The function srv!SrvOs2FeaListToNt will call srv!SrvOs2FeaListSizeToNt to calculate the received FEA LIST size before converting it to NTFEA (Windows NT FEA) list. The following sequence of operations happens: srv!SrvOs2FeaListSizeToNt will calculate the FEA List size and update the received FEA List size The resulting FEA size is greater than the original value because a wrong WORD cast When the FEA List is iterated to be converted to NTFEA LIST, there will be an overflow in the non-page pool because the original total size of list is miscalculated Overflow Analysis Our analysis of the overflow applies to srv.sys 6.1.7601.17514_x86. The vulnerable code can be triggered using srv!SrvSmbOpen2. The trace is as follows: 00 94527bb4 82171149 srv!SrvSmbOpen2 ➜ SrvOs2FeaListSizeToNt() 01 94527bc8 821721b8 srv!ExecuteTransaction+0x101 02 94527c00 8213b496 srv!SrvSmbTransactionSecondary+0x2c5 03 94527c28 8214a922 srv!SrvProcessSmb+0x187 04 94527c50 82c5df5e srv!WorkerThread+0x15c 05 94527c90 82b05219 nt!PspSystemThreadStartup+0x9e 06 00000000 00000000 nt!KiThreadStartup+0x19 To be able to analyze the overflow, we set the break points to: bp srv!SrvSmbOpen2+0x79 “.printf \”feasize: %p indatasize: %p fealist addr: %p\\n\”,edx,ecx,eax;g;” When the break point is hit we have the following (in hex and decimal values): feasize: 00010000 (65536) indatasize: 000103d0 (66512) fealist addr: 89e980d8 From here we can see that the IN-DATA size 66512—the same value of the Total Data Count in the NT Trans Request—is bigger that the FEA list size 65536. Figure 1: Snapshot of code showing IN-DATA size (highlighted) What’s notable here is that the pointer to IN-DATA will be cast to the FEA List structure, as shown below: Figure 2: FEA List structure After casting the IN-DATA buffer, we will have the FEA size 00010000 (65536) stored in FEALIST ➜ cbList. The next step in the SMB driver will be to allocate a buffer to convert the FEA List to NT FEA List. This means it is required to calculate the NTFEA list size, which is done by calling the srv!SrvOs2FeaListSizeToNt function. To see the returned values for this function, we put the following break point: bp srv!SrvOs2FeaListToNt+0x10 “.printf \”feasize before: %p\\n\”,poi(edi);r $t0 = @edi;g;” bp srv!SrvOs2FeaListToNt+0x15 “.printf \”NTFEA size: %p feasize after: %p\\n\”,eax,poi(@$t0);g;” After breaking we get: feasize before: 00010000 feasize after: 0001ff5d NTFEA size: 00010fe8 Accordingly, we found that FEALIST ➜ cbList was updated from 0x10000 to 0x1ff5d. But what part of the code is making the wrong calculation? The code below shows how the error happens: Figure 3: Code snapshot showing error in calculating FEALIST ➜ cbList In the code snapshot above, list 40 onwards showed an example of the calculation error. Because the Original FEA list size was updated, the iteration to copy the values to the NTLIST will go beyond the NTFEA size returned in v6 (which was 00010fe8). Note that if the function returns at line 28 or at line 21 the FEA list is not updated. The other condition that leads to the update of v1 other than the one used by EternalBlue is if there is trail data at the end of the FEA list, but not enough to store another FEA structure. We also analyzed what happens in the kernel memory during a buffer overflow on LARGE NON-PAGE Kernel Pool. When the SrvOs2FeaListSizeToNt returns, the size required to store the NTFEA LIST is 00010fe8. This will require a Large Kernel POOL Allocation in SRV.sys. Using the following breakpoints helps track exactly what happens when the FEA list is converted to NTFEA list: bp srv!SrvOs2FeaListToNt+0x99 “.printf \”NEXT: FEA: %p NTFEA: %p\\n\”,esi,eax;g;” bp srv!SrvOs2FeaToNt+04d “.printf \”MOV2: dst: %p src: %p size: %p\\n\”,ebx,eax,poi(esp+8);g;” bp srv!SrvOs2FeaListToNt+0xd5 To sum it up, once SrvOs2FeaListSizeToNt is called and the Pool allocated, the function SrvOs2FeaToNt is used while iterating over the FEA list to convert the elements of the list. Inside SrvOs2FeaToNt, there are two _memmove operations where all the buffer copy operations will happen. With the aforementioned break points, it is possible to track what happens during the FEA list conversion. The trace will take quite some time, however. Figure 4: Code snapshot showing copy operations After the trace, the break point srv!SrvOs2FeaListToNt+0xd5 will hit and we can get all data required to analyze the buffer overflow. There are 605 copy operations with size 0 because in the beginning of the payload, the FEA list will have a 0 bytes value, which corresponds to 605 FEA structs. The next FEA size will be F3B3 (copy 606) and the resulting copy will end in 85915ff0. After the copy operation 606 we will see the buffer at the end: 85905008 + 10FE8 = 85915FF0. However, another FEA iteration will happen, and the size will be A8 in this case. That will overwrite the next memory area. Note how after overwriting the data, it will be in a different POOL—in this case, the SRVNET.sys pool. After copy operation 607 is a corrupted FEA and the server return, STATUS_INVALID_PARAMETER (0xC000000D). The last FEA that is in the final NT Transaction sent to the server. Figure 5: Code snapshot showing the corrupted FEA and server return EternalBlue’s Exploration Capabilities The overflow happens in NON-PAGED Pool memory—and specifically in Large NON-PAGED Pool. Large non-page pool do not have a POOL Header. Because of this, after the large POOL buffer, another POOL Buffer can be allocated—one that is owned by a driver with specific DRIVER data. Therefore, the attack has to manipulate the POOL buffer coming after the overflowed buffer. EternalBlue’s technique is to control the SRVNET driver buffer structures. To achieve this, both buffers should be aligned in memory. To create the NON-PAGED POOL alignment, the kernel pool should sprayed. The technique is as follows: Create multiple SRVNET buffers (grooming the pool) Free some of the buffers to create some holes where the SRV buffer will be copied Send the SRV buffer to overflow the SRVNET buffer. Exploitation Mechanism The vulnerable code for the buffer overflow works on KERNEL NON-PAGED memory. It also works in LARGE NON-PAGED POOL. Those kinds of pools do not have any POOL headers embedded at the beginning of the page, so special techniques are required to exploit them. The technique requires reversing some Structure that can be allocated in the overflow area, as shown below: Figure 6: EternalBlue’s exploit mechanism The creation of multiple SRVNET buffers (Kernel Grooming) approximates what happens in memory and simply used to represent the idea. Note that we’ve also intentionally omitted other details to prevent our analysis from being misused. Figure 7: EternalBlue’s exploit chain EternalBlue’s Exploit Chain EternalBlue goes through a chain of processes in order to successfully exploit a vulnerable system or network, as shown above. EternalBlue first sends an SRV buffer except the last packet. This is because the Large NON-PAGED POOL buffer will be created when the last data in the transaction arrives at the server. The SMB server will then accumulate the DATA in an Input buffer until all transaction data are read. The total transaction data will be specified in the initial TRANS packet. Once all transaction data have arrived, the SMB server will process the data. In this case, the data is dispatched to the SrvOpen2 function to read the data via Common Internet File System (CFIS). At this point, EternalBlue ensures that all sent data is received by the server and sent to an SMB ECHO packet. Because the attack can be implemented over a slow network, this echo command is important. In our analysis, even if we sent the initial data, the “Vulnerable Buffer” isn’t created in memory yet. Kernel grooming tries to allocate an SRV vulnerable buffer just before the SRVNET buffer. Kernel grooming employs these steps: FreeHole_A: EternalBlue will start creating a kernel hole A by sending SMBv1 packet SMBv2_1n: Send a group of SMBv2 packets FreeHole_B: Send another free hole buffer; this one should be sent before the previous hole is free to make sure another one is created FreeHole_A_CLOSE: close the connection to make the buffer free, after which close A in order to create free hole SMBv2_2n: Send a group of SMBv2 packets FreeHole_B_CLOSE: close the connection to make the buffer free FINAL_Vulnerable_Buffer: Send the last packet of the vulnerable buffer A Vulnerable Buffer will be created in memory just before the SRVNET buffer and part of the SRVNET is overwritten. The conversion from FEA List to NTFEA List will return an error because FEA structs are invalid after a certain point, in which case the server will return with STATUS_INVALID_PARAMETER (0xC000000D). Patch your systems Given how EternalBlue served as the doorway for many of the malware that severely impacted end users and enterprises worldwide, it also serves as a lesson on the importance of applying the latest patches and keeping your systems and networks updated. EternalBlue has already been issued a fix for Windows systems, including unsupported operating systems. Apart from implementing regular patch management to systems and networks, IT/system administrators are also recommended to adopt best practices such as enabling intrusion detection and prevention systems, disabling outdated or unnecessary protocols and ports (like 445), proactively monitoring network traffic, safeguarding the endpoints, and deploying security mechanisms such data categorization and network segmentation to mitigate damage in case of exposure. Employing virtual patching can also help against unknown vulnerabilities. Trend Micro Solutions Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats such as fileless infections and those that abuse unpatched vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without any engine or pattern update. More in-depth information on Trend Micro’s solutions for EternalBlue and the malware that leverage the exploit can be found in these technical support pages: https://success.trendmicro.com/solution/1117192 https://success.trendmicro.com/solution/1117391 Sursa: http://blog.trendmicro.com/trendlabs-security-intelligence/ms17-010-eternalblue/

PASSIVE GSM SNIFFING WITH SOFTWARE DEFINED RADIO 02/06/2017 0 Comments in Blog by Rashid Feroze I have been working on Telecom Security and Software defined radio since a few months and I noticed that there are very limited resources on the internet for beginners who want to get into telecom security. Not many people from security industry are into this and very less information has been shared online. I would be sharing here whatever I have gained in past few months in a series of blog posts. Now, before getting into active security analysis of GSM networks, let’s first see what we can do by just passively sniffing the airwaves around us. To sniff RF waves around us, the best way is get your hands on a SDR. WHAT IS A SDR? According to Wikipedia, Software-defined radio (SDR) is a radio communication system where components that have been typically implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system. In simple terms, It refers to a technique in which all the processing is done in software. The processing mentioned include mixing, filtering, demodulation etc. We can use a SDR to capture airwaves when tuned to a particular frequency. The range of frequency it can capture and the bandwidth differs with different SDR devices. Here, we would be using RTL-SDR, the cheapest one available, to sniff over GSM. GSM FREQUENCY BANDS Before getting into details, let’s first have a look on different GSM frequency bands. GSM operates on a set of pre-defined frequencies designated by International Telecommunication union for the operation of GSM mobile phones. GSM frequency bands In India, we use two bands which are shaded in yellow in the above picture. A dual-band 900/1800 phone is required to be compatible with most networks around the world. For sniffing, first we need to identify the GSM downlink channels. Here we would be sniffing GSM data for our own phone so we would need to know upon what frequency it is operating on. We can do this by getting the ARFCN no. from our phone. In GSM cellular networks, an absolute radio-frequency channel number (ARFCN) is a code that specifies a pair of physical radio carriers used for transmission and reception in a land mobile radio system, one for the uplink signal and one for the downlink signal. I am using Motorola G4 and in this phone we can get to the service mode by dialing *#*#4636#*#* on our phone keypad. I have switched the phone to 2G mode as analysis of 2G is much easier than 3G/4G. They are using different encoding and encryption schemes and we can cover them later. Our ARFCN no. is 672. We can calculate exact frequency on which this phone is operating by using the ARFCN number. By using a simple ARFCN calculator we got to know the frequency our phone is operating in. ARFCN Calculator Now. Let’s tune our RTL-SDR to that particular frequency and find out what we can see. Gqrx tool We can clearly see the GSM Stream bits on that frequency. Let’s also scan for all the GSM channels around us. This will give us confirmation about our downlink channel. We can use kalibrate-rtl tool to scan GSM frequencies around us. kalibrate-rtl Here also we can see our downlink channel and it also gives us the offset value which will help us calibrate our SDR better. Whatever data which the SDR is receiving is just raw data which makes no sense. We can use GR-GSM to decode this raw data and process this into meaningful information. grgsm_livemon running Now start wireshark simultaneously and we would start seeing the GSM data packets in the wireshark. We can also filter out Gsmtap packets. This is a system Information type 3 packet. Information needed by the MS for cell selection and reselection is broadcasted with the help of this. Location Update message CAN WE LISTEN TO VOICE CALLS THEN? All the data channels are almost always encrypted using a stream cipher (A5) used to provide over-the-air communication privacy in the GSM cellular telephone standard. We can only see some of the control channels above which were not encrypted. All the calls and messages are encrypted using an encryption key (Kc) which is generated after an authentication mechanism by Authentication Center (AUC) which follows a challenge-response authentication model. The SIM card stores an encryption key called as Ki which is also stored by AUC/HLR. The Ki or Kc is never exchanged over network, therefore making it impossible to sniff encryption keys over the air. Moreover, the Kc changes before each call is setup. It means for every call, there would be a different encryption key. However, older version of A5 can be cracked if we have enough computation power. Researches have cracked A5/1 encryption by setting up the entire process in cloud which has huge computation power. Kraken is the tool that can be used for this. We cannot capture voice data with RTL-SDR because during a call, channel hopping takes place and the bandwidth of the RTL-SDR is not enough to capture the whole range at a time. We would need a better SDR with more bandwidth like a HackRF or any SDR device above that. HOW DOES INTELLIGENCE AGENCIES INTERCEPT OUR CALLS THEN? 1. DOWNGRADING THE ENCRYPTION ALGORITHM USED Even if the operator is using new and strong encryption algorithm, sometimes It is possible to force the operator to switch to a weaker encryption algorithm. Operators have to enable support for older encryption algorithms because many older phones doesn’t have enough computation power to use new encryption algorithms. 2. SOME OF THE OPERATORS DOESN’T USE ANY ENCRYPTION AT ALL During telecom security vulnerability assessments, it was found that, sometimes operators turn off encryption schemes completely when the load on the network increases so that they can reduce overhead traffic and can accommodate more users easily. 3. MITM ATTACK This is the most common attack vector that have been used since years by different hacker groups and Intelligence agencies. One can create fake cell towers and fool a mobile station in the vicinity to connect to that fake cell tower. All the mobile station data now would be going through that fake cell tower and the person in control could force the MS to use no encryption at all. 4. GETTING THE SIM CARD ENCRYPTION KEYS In 2015, It was in the news that some spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys (Ki) used to protect the privacy of cellphone communications across the globe. This key could be used to decrypt the GSM data. WHAT NEXT? We will talk more about security analysis of GSM networks using Osmocom-BB, we will setup our own GSM Network using OpenBTS and discuss about the attacks possible over Um and Abis interfaces in the upcoming blogposts related to telecom security. Stay Tuned. Sursa: http://payatu.com/passive-gsm-sniffing-software-defined-radio/

Ai aici un tutorial gasit rapid pe YouTube. Burp e un proxy HTTP si Repeater (o componenta din Burp) iti permite sa faci un request si sa ii vezi raspunsul fara sa interactionezi cu un browser de exemplu. Asta iti da libertatea sa testezi chestii de genul, sa interactionezi cu servicii web, sau sa faci debugging can in cazul tau. Cat despre cum sa inchizi conexiunea, nu stiu. Vezi documentatia. De obicei foloses requests pentru HTTP in Python.

Atunci si tu si ala de mai sus sa ramaneti cu ideea ca se munceste pe 4-5k in pula mea , sfaturi sfaturi , ce pula mea de sfaturi ceri cand nu sti o boaba de programare in plm . Vorbeste spider care nu are nici o legatura cu IT , din cauza asta mi-e si scarba de tara asta , ca toti coinacii vor ceva bun din prima , dar nu fac nici cat negru` sub unghie . Nu-i adevarat ? Ok esti pe ramura it , imposibil sa nu-ti duci traiul ok , sunt atatea site-uri care iti ofera de munca si te scapa de taxe . DU-te la matura .

https://github.com/Leo-G/DevopsWiki#bash-guides-and-scripts

Bash. Spor: http://wiki.bash-hackers.org/

Salut, uite un canal de Youtube vechi: https://www.youtube.com/user/metalx1000 Tipul e pompier de meserie dar e linux-enthusiast in timpul liber. Ai shell scripting de la noobish stuff pana la chestii mai pro. Eu de la el am invatat acum ~4-5 ani.

parerea mea e ca toata treaba si`o face placebo