Leaderboard

Popular Content

Showing content with the highest reputation on 09/21/17 in all areas

  1. lol - http://www.bbc.co.uk/news/technology-41347467
    2 points
  2. Breaking out of Restricted Windows Environment
ON JUNE 14, 2017 BY WEIRDGIRL

Many organizations these days use a restricted Windows environment to reduce the vulnerability surface. The more the system is hardened, the fewer functionalities are exposed. I recently ran across such a scenario, where an already hardened system was protected by McAfee Solidcore. Solidcore was preventing users from making any changes to the system, like installing/uninstalling software, running executables, launching applications, etc. The system (Windows 7) which I was testing boots right on to the application login screen while restricting access to other OS functionalities. I could not do anything with that system except for restarting it.

I spent a whole week gathering information about the application and the system, which included social engineering as well. And then I got an entry point to start with. The credentials to log in to the application (that gave me a headache for one week) were available on the Internet (thanks to a Google dork). The credentials I got were admin credentials. After logging in to the application there was no way to get out of the application and get into the base system. The application was so well designed that there was not a single way to get out of it.

Then I found an option in the application to print some document. I clicked on Print-->Printer settings-->Add a printer-->Location-->Browse location and I got access to the file browser of the host machine. Every Windows file explorer has a Windows Help option which provides free help about Windows features. It was possible to open a command prompt from the help option. I was only able to open a command prompt but not any other Windows application. Even after getting access to the command prompt I was unable to make any changes in the system (not even opening Notepad).

Every Windows application that I tried to open ended up with the following error message: The error was very clear that the application is blocked and that it can be enabled either from the Registry Editor or from the Group Policy Editor. However, I did not have access to either of them. Solidcore was blocking access to both of those. So I used the following batch script to enable Task Manager. The script was used to modify the registry key (though I didn't have any idea if it was actually blocked from the Registry Editor or the Group Policy Editor): And to my surprise I was able to unlock Task Manager. Similarly I was able to unlock and open Control Panel.

My main objective was to disable or uninstall Solidcore as it was restricting the desktop environment. But then the system kept on giving me challenges. I was able to uninstall any software except for Solidcore. Then there was only one way left to disable Solidcore / enable installation of other software and that was the "Group Policy Editor". However, I didn't have direct access to gpedit. I used the following way to get access to gpedit:

Open Task Manager-->File-->New task-->Type MMC and press Enter. This opened Microsoft Management Policy. In mmc: File-->Add/Remove snap-in-->Select Group Policy Objects and click on Add.

After this I was able to perform numerous actions like enabling blocked system applications, allowing access to the Desktop, disabling Windows restrictions etc. However, my main objective was to disable Solidcore and find out a way to run any Windows executable. The Group Policy Editor provides an option to run/block only allowed Windows software. And this policy can be set in the following way:

Group Policy Editor-->User Configuration > Administrative Templates > System. On the right side there's the option "Do not run specified Windows applications". Click on that: Edit-->Select Enabled-->Click on Show list of disallowed applications-->then add the application name that you want to block (in my case it was Solidcore). Then click "OK".

To apply the changes I restarted my system. In the same way it was possible to enable a list of allowed applications that can run in Windows (malicious software as well). And that's how I was able to break out of a completely restricted desktop environment.

Source: https://weirdgirlweb.wordpress.com/2017/06/14/first-blog-post/
    2 points
  3. Did you really believe that data protection exists?
    2 points
  4. Seriously, you made a topic about this in 2017? Did you work at Altex and get fired?
    2 points
  5. Let me tell you something, maybe you'll stop with these posts. In many of your past posts (about programming in general) I appreciated that you were trying. Fuck, something didn't work out, you posted it here. It looked like you were going to get somewhere and were heading down an okay road. Now if I look at your posting history, you have (in random order):
- fitness
- PPI (or whatever the fuck that click crap is called)
- dentistry
- offshores / dropshipping
- forex
- accounting
- CS:GO items site
- etc...

All of the above in a super short interval. Now, you don't have to listen to me, most people here know I take the piss a lot, know I'm retarded, handicapped, stupid and that I don't give a fuck about absolutely anything on this planet, especially gypsies, the church and politics. Where am I going with this? Guys, wake the fuck up! Stop with forex / ppi / fbi / nsa / whatever etc. Or stick to one of them and push until you see the money coming in or you fail. Especially those of you who have something upstairs and can profit from it. I remember I was like that too:
- wow, what an app idea I have. I'm becoming a millionaire.
- fuck me, what an idea I just had, I'm going to break Google Apps
- fuck programming, I'm taking up poker.
- I'm going to be a fucking crane operator

And I kept it up for about a year only to realize I was a two-bit loser (well, I still am) who had done nothing, wasted his time doing fuck all and that's about it. I stopped, focused on programming & stuff and now I don't give a fuck, I do what I like and mess around with @fallen_angel @Gecko @badluck @aelius etc... on chat while I'm at the office because everything seems light and easy and nice to me. Where are the trillionaires? They're everywhere man, they just don't open 9 topics a month, each with a totally different subject. Get your head straight and come the fuck back down to earth.

//PS: it's cool to ask questions, to want to know things and so on... but you can do that on chat, in your free time, when you take a break from what really matters. In life you can't have it all.

//PS2: For those bored by my post, take this:
    2 points
  6. Hi,

An introductory course on Machine Learning, taught by Andrew Ng: https://www.coursera.org/learn/machine-learning

Can I take this course for free?
You can access all videos, readings, and discussions, free of charge. You can also submit assignments and earn a grade for free. If you want to earn a Course Certificate, you can subscribe or apply for financial aid.

About Andrew Ng:
Andrew was a professor at Stanford University Department of Computer Science. He taught students and undertook research related to data mining and machine learning. From 2011 to 2012, he worked at Google, where he founded and led the Google Brain Deep Learning Project. In 2012, he co-founded Coursera to offer free online courses for everyone. In 2014, he joined Baidu as Chief Scientist, and carried out research related to big data and A.I. In March 2017, he announced his resignation from Baidu. - https://en.wikipedia.org/wiki/Andrew_Ng

About this course:
Machine learning is the science of getting computers to act without being explicitly programmed. In the past decade, machine learning has given us self-driving cars, practical speech recognition, effective web search, and a vastly improved understanding of the human genome. Machine learning is so pervasive today that you probably use it dozens of times a day without knowing it. Many researchers also think it is the best way to make progress towards human-level AI. In this class, you will learn about the most effective machine learning techniques, and gain practice implementing them and getting them to work for yourself. More importantly, you'll learn about not only the theoretical underpinnings of learning, but also gain the practical know-how needed to quickly and powerfully apply these techniques to new problems. Finally, you'll learn about some of Silicon Valley's best practices in innovation as it pertains to machine learning and AI.

This course provides a broad introduction to machine learning, data mining, and statistical pattern recognition. Topics include: (i) Supervised learning (parametric/non-parametric algorithms, support vector machines, kernels, neural networks). (ii) Unsupervised learning (clustering, dimensionality reduction, recommender systems, deep learning). (iii) Best practices in machine learning (bias/variance theory; innovation process in machine learning and AI). The course will also draw from numerous case studies and applications, so that you'll also learn how to apply learning algorithms to building smart robots (perception, control), text understanding (web search, anti-spam), computer vision, medical informatics, audio, database mining, and other areas.
    1 point
  7. I've seen that there are some users here on the forum who play Forex. More discreet, more hidden, but they're there. I see that for some time "teachers" in Forex have been appearing and keep appearing, more and more of them. When you see something like that, in any field, when you see the "teachers" appear, meaning the ones who want to teach you how to make millions/billions/trillions of euros in a field, for me that's a sign that there's no more money to be made in that field, that it's gone to shit, pardon the "neologism", just like dropshipping, money from blogs and many other expired things (but let's not bother with those). My curiosity is different: How come there's no more money to be made in Forex? I mean, from a blog you can't because right after you hundreds of other blogs appear, from dropshipping and/or affiliate marketing the same, thousands, tens of thousands of other competitors appear. But on Forex, what's the problem? I watched for a while, and I still occasionally watch a video on YouTube, and everything seems really very easy to me, patterns to recognize, trends, Fibonacci etc., it's all child's play, easy to understand even for someone mentally retarded. Then there are many others who personally built a bot, not with the intention to sell it but for personal use, and brag about how many millions of dollars it makes in however many hours. Moreover, you don't need to trade on the daily anymore, you can trade at 1 minute and even at 5 minutes, meaning the money you used to make in a month you now make in an hour at most, if you trade by the minute. And yet, with so much strategy everywhere and so many "teachers", plus bots to use that can be found free on the internet or for money, with all that I still haven't heard of anyone who became a dollar billionaire from Forex, let alone a trillionaire. Why?

I'm not criticizing the "teachers", don't get me wrong, it's just that this field tempts me too, but I can't explain to myself what the barriers are and why nobody gets rich from this even though it's marketed so heavily with so-called "multi-billionaires in euros" from it, and even though the whole strategy is so easy to understand? Thanks for the clarifications!
    1 point
  8. Do you even know how much it costs you to buy 10 contracts on oil, let alone on the Dow Jones, where a single contract currently trades at over 22,000 USD? Stop talking out of ignorance, you know nothing about building a portfolio or about risk management. Stop showing off if you don't work in the field.
    1 point
  9. A number of them voiced their distrust in emails to one another, seen by Reuters, and in written comments that are part of the process. The suspicions stem largely from internal NSA documents disclosed by Snowden that showed the agency had previously plotted to manipulate standards and promote technology it could penetrate. Budget documents, for example, sought funding to "insert vulnerabilities into commercial encryption systems." More than a dozen of the experts involved in the approval process for Simon and Speck feared that if the NSA was able to crack the encryption techniques, it would gain a "back door" into coded transmissions, according to the interviews and emails and other documents seen by Reuters. "I don't trust the designers," Israeli delegate Orr Dunkelman, a computer science professor at the University of Haifa, told Reuters, citing Snowden's papers. "There are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards."

source: http://mobile.reuters.com/article/amp/idUSKCN1BW0GV
via: https://www.schneier.com/blog/archives/2017/09/iso_rejects_nsa.html#comments
    1 point
  10. Used it 3-4 times, for me it's OK for longer stays (it comes out cheaper than a hotel). I came out very well (1/2 the price) the first time, on a 10-night trip.
    1 point
  11. Not that it wasn't already stinking, but it's stinking even worse...

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files. In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.
    1 point
  12. An interesting article -

SAN FRANCISCO (Reuters) - An international group of cryptography experts has forced the U.S. National Security Agency to back down over two data encryption techniques it wanted set as global industry standards, reflecting deep mistrust among close U.S. allies.

In interviews and emails seen by Reuters, academic and industry experts from countries including Germany, Japan and Israel worried that the U.S. electronic spy agency was pushing the new techniques not because they were good encryption tools, but because it knew how to break them. The NSA has now agreed to drop all but the most powerful versions of the techniques - those least likely to be vulnerable to hacks - to address the concerns.

The dispute, which has played out in a series of closed-door meetings around the world over the past three years and has not been previously reported, turns on whether the International Organization of Standards should approve two NSA data encryption techniques, known as Simon and Speck. The U.S. delegation to the ISO on encryption issues includes a handful of NSA officials, though it is controlled by an American standards body, the American National Standards Institute (ANSI). The presence of the NSA officials and former NSA contractor Edward Snowden's revelations about the agency's penetration of global electronic systems have made a number of delegates suspicious of the U.S. delegation's motives, according to interviews with a dozen current and former delegates.

A number of them voiced their distrust in emails to one another, seen by Reuters, and in written comments that are part of the process. The suspicions stem largely from internal NSA documents disclosed by Snowden that showed the agency had previously plotted to manipulate standards and promote technology it could penetrate. Budget documents, for example, sought funding to "insert vulnerabilities into commercial encryption systems." More than a dozen of the experts involved in the approval process for Simon and Speck feared that if the NSA was able to crack the encryption techniques, it would gain a "back door" into coded transmissions, according to the interviews and emails and other documents seen by Reuters.

"I don't trust the designers," Israeli delegate Orr Dunkelman, a computer science professor at the University of Haifa, told Reuters, citing Snowden's papers. "There are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards."

The NSA, which does not confirm the authenticity of any Snowden documents, told Reuters it developed the new encryption tools to protect sensitive U.S. government computer and communications equipment without requiring a lot of computer processing power. NSA officials said via email they want commercial technology companies that sell to the government to use the techniques, and that is more likely to happen when they have been designated a global standard by the ISO. Asked if it could beat Simon and Speck encryption, the NSA officials said: "We firmly believe they are secure."

THE CASE OF THE DUAL ELLIPTIC CURVE

ISO, an independent organisation with delegations from 162 member countries, sets standards on everything from medical packaging to road signs. Its working groups can spend years picking best practices and technologies for an ISO seal of approval. As the fight over Simon and Speck played out, the ISO twice voted to delay the multi-stage process of approving them. In oral and written comments, opponents cited the lack of peer-reviewed publication by the creators, the absence of industry adoption or a clear need for the new ciphers, and the partial success of academics in showing their weaknesses.

Some ISO delegates said much of their scepticism stemmed from the 2000s, when NSA experts invented a component for encryption called Dual Elliptic Curve and got it adopted as a global standard. ISO's approval of Dual EC was considered a success inside the agency, according to documents passed by Snowden to the founders of the online news site The Intercept, which made them available to Reuters. The documents said the agency guided the Dual EC proposal through four ISO meetings until it emerged as a standard. In 2007, mathematicians in private industry showed that Dual EC could hide a back door, theoretically enabling the NSA to eavesdrop without detection. After the Snowden leaks, Reuters reported that the U.S. government had paid security company RSA $10 million to include Dual EC in a software development kit that was used by programmers around the world. The ISO and other standards groups subsequently retracted their endorsements of Dual EC. The NSA declined to discuss it.

In the case of Simon and Speck, the NSA says the formulas are needed for defensive purposes. But the official who led the now-disbanded NSA division responsible for defence, known as the Information Assurance Directorate, said his unit did not develop Simon and Speck. "There are probably some legitimate questions around whether these ciphers are actually needed," said Curtis Dukes, who retired earlier this year. Similar encryption techniques already exist, and the need for new ones is theoretical, he said. ANSI, the body that leads the U.S. delegation to the ISO, said it had simply forwarded the NSA proposals to the organisation and had not endorsed them.

FROM JAIPUR TO HAMILTON

When the United States first introduced Simon and Speck as a proposed ISO standard in 2014, experts from several countries expressed reservations, said Shin'ichiro Matsuo, the head of the Japanese encryption delegation. Some delegates had no objection. Chris Mitchell, a member of the British delegation, said he supported Simon and Speck, noting that "no one has succeeded in breaking the algorithms." He acknowledged, though, that after the Dual EC revelations, "trust, particularly for U.S. government participants in standardization, is now non-existent."

At a meeting in Jaipur, India, in October 2015, NSA officials in the American delegation pushed back against critics, questioning their expertise, witnesses said. A German delegate at the Jaipur talks, Christian Wenzel-Benner, subsequently sent an email seeking support from dozens of cryptographers. He wrote that all seven German experts were "very concerned" about Simon and Speck. "How can we expect companies and citizens to use security algorithms from ISO standards if those algorithms come from a source that has compromised security-related ISO standards just a few years ago?" Wenzel-Benner asked.

Such views helped delay Simon and Speck again, delegates said. But the Americans kept pushing, and at an October 2016 meeting in Abu Dhabi, a majority of individual delegates approved the techniques, moving them up to a country-by-country vote. There, the proposal fell one vote short of the required two-thirds majority. Finally, at a March 2017 meeting in Hamilton, New Zealand, the Americans distributed a 22-page explanation of their design and a summary of attempts to break them - the sort of paper that formed part of what delegates had been seeking since 2014.

Simon and Speck, aimed respectively at hardware and software, each have robust versions and more "lightweight" variants. The Americans agreed in Hamilton to compromise and dropped the most lightweight versions. Opponents saw that as a major if partial victory, and it paved the way to compromise. In another nation-by-nation poll last month, the sturdiest versions advanced to the final stage of the approval process, again by a single vote, with Japan, Germany and Israel remaining opposed. A final vote takes place in February.

SOURCE
    1 point
  13. Managed object internals, Part 1. The layout
Sergey Teplyakov, May 26, 2017

The layout of a managed object is pretty simple: a managed object contains instance data, a pointer to meta-data (a.k.a. method table pointer) and a bag of internal information also known as an object header. The first time I read about it, I had a question: why is the layout of an object so weird? Why does a managed reference point into the middle of an object, and why is the object header at a negative offset? What information is stored in the object header?

When I started thinking about the layout and did a quick research, I came up with a few options:

1. The JVM used a similar layout for its managed objects from the inception. It could sound a bit crazy today, but remember that C# has one of the worst features of all time (a.k.a. array covariance) just because Java had it back in the day. And compared to that decision, reusing some ideas about the structure of an object doesn't sound that unreasonable.

2. The object header can grow in size with no cross-cutting changes in the CLR. The object header holds some auxiliary information used by the CLR and it is possible that the CLR will require more information than a pointer-size field. And indeed, the .Net Compact Framework used in mobile phones has different headers for small and large objects (see WP7: CLR Managed Object overhead for more details). The desktop CLR never used this ability, but it doesn't mean that it is impossible in the future.

3. Cache line and other performance-related characteristics. Chris Brumme -- one of the CLR architects -- mentioned in a comment on his post "Value Types" that cache friendliness is the very reason for the managed object layout. It is theoretically possible that due to the cache line size (64 bytes) it will be more efficient to access fields that are closer to each other. This means that dereferencing the method table pointer with the following access to some field should have some performance difference depending on the location of the field inside the object. I've spent some time trying to prove that this is still true for modern processors, but was unable to get any benchmarks that showed the difference.

After spending some time trying to validate my theories, I contacted Vance Morrison asking this very question and got the following answer: the current design was made with no particular perf considerations. So, the answer to the question "Why is the managed object's layout so weird?" is simple: "historical reasons". And, to be honest, I can see a logic for moving the object header to a negative index to emphasize that this piece of data is an implementation detail of the CLR, its size can change in time, and it should not be inspected by a user.

Now, it's time to inspect the layout in more detail. But before that, let's think about what extra information the CLR can associate with a managed object instance. Here are some ideas:
- Special flags that the GC can use to mark that an object is reachable from application roots.
- A special flag that notifies the GC that an object is pinned and should not be moved during garbage collection.
- Hash code of a managed object (when the GetHashCode method is not overridden).
- Critical section and other information used by a lock statement: the thread that acquired the lock, etc.

Apart from instance state, the CLR stores a lot of information associated with a type, like the method table, interface maps, instance size and so on, but this is not relevant for our current discussion.

IsMarked flag

The managed object header is a multi-purpose chameleon that can be used for many different purposes. And you may think that the garbage collector (GC) uses a bit from the object header to mark that the object is referenced by a root and should be kept alive. This is a common misconception, and a few very famous books are to blame (*). Namely "CLR via C#" by Jeffrey Richter, "Pro .NET Performance" by Sasha Goldstein et al. and, definitely, some others.

Instead of using the object header, the CLR authors decided to use one clever trick: the lowest bit of the method table pointer is used to store a flag during garbage collection that the object is reachable and should not be collected. Here is the actual implementation of the 'mark' flag from the coreclr repo, file gc.cpp, line 8974 (**):

(**) Unfortunately, the gc.cpp file is so big that GitHub refuses to analyze it. This means that I can't add a hyperlink to a specific line of code.

Managed pointers in a CLR heap are aligned on 4-byte or 8-byte address boundaries depending on the platform. This means that 2 or 3 bits of every pointer are always 0 and can be used for other purposes. The same trick is used by the JVM and is called 'Compressed Oops' - the feature that allows the JVM to have a 32 gig heap size and still use 4 bytes for a managed pointer.

Technically speaking, even on a 32-bit platform there are 2 bits that can be used for flags. Based on a comment from the object.h file we can think that this is indeed the case and the second lowest bit of the method table pointer is used for pinning (to mark that the object should not be moved during the compaction phase of garbage collection). Unfortunately, it is not clear whether this is true or not, because the SetPinned/IsPinned methods from gc.cpp (lines 3850-3859) are implemented based on a reserved bit from the object header, and I was unable to find any code in the coreclr repo that actually sets that bit of the method table pointer.

Next time we'll discuss how locks are implemented and will check how expensive they are.

Part 1: https://blogs.msdn.microsoft.com/seteplia/2017/05/26/managed-object-internals-part-1-layout/
Part 2: https://blogs.msdn.microsoft.com/seteplia/2017/09/06/managed-object-internals-part-2-object-header-layout-and-the-cost-of-locking/
Part 3: https://blogs.msdn.microsoft.com/seteplia/2017/09/12/managed-object-internals-part-3-the-layout-of-a-managed-array-3/
Part 4: https://blogs.msdn.microsoft.com/seteplia/2017/09/21/managed-object-internals-part-4-fields-layout/
    1 point
  14. CVE-2017-0785 PoC

This is just a personal study based on the Android information leak vulnerability released by Armis. Further reading: https://www.armis.com/blueborne/

To run, be sure to have pybluez and pwntools installed.

    sudo apt-get install bluetooth libbluetooth-dev
    sudo pip install pybluez
    sudo pip install pwntools

Source: https://github.com/ojasookert/CVE-2017-0785
    1 point
  15. No Coin

No Coin is a tiny browser extension aiming to block coin miners such as Coinhive.

You can grab the extension from:
- Chrome Web Store
- FireFox Add-on (coming soon)

Why?

Even though I think using coin mining in the browser to monetize content is a great idea, abusing it is not. Some websites are running it during the entire browsing session, which results in high consumption of your computer's resources. I do believe that using it occasionally, such as for the proof of work of a captcha, is OK. But for an entire browsing session, the user should have the choice to opt in, which is the aim of this extension.

Why not just block the URLs in an adblocker?

The idea was to keep it separate from adblocking. Coin mining in the browser is a different issue. Where ads are tracking you and visually interfering with your browsing experience, coin mining, if abused, is eating your computer's resources, resulting in slowdowns (from high CPU usage) and excessive power consumption. You might be OK with that and not with ads, or vice versa. Or you might just want to keep ads blocked entirely and just enable the coin mining script for a minute to pass a captcha. That's why I believe having a separate extension is useful.

How does it work?

The extension simply blocks a list of blacklisted domains in blacklist.txt. Clicking on the icon will display a button to pause/unpause No Coin. If you are aware of any scripts or services that provide coin mining in the browser, please submit a PR.

Contribute

Contributions are welcome! Don't hesitate to submit bug fixes, improvements and new features. Regarding new features, please have a look at the issues first. If a feature you wish to work on is not listed there, you might want to add an issue first before starting to work on a PR.

Made by Rafael Keramidas (keraf [at] protonmail [dot] com - @iamkeraf - ker.af). Image used for the logo by Sandro Pereira.

Source: https://github.com/keraf/NoCoin
    1 point
  16. Are there really people who read the "Terms and conditions"? Or the "Privacy policy"?
    1 point
  17. I have an account from August last year if you're interested.
    1 point
  18. You can also try Privazer http://privazer.com/
    1 point
  19. BeRoot

      BeRoot(s) is a post exploitation tool to check common Windows misconfigurations to find a way to escalate our privilege. A compiled version is available here. It will be added to the pupy project as a post exploitation module (so it will be executed in memory without touching the disk).

      Except one method, this tool is only used to detect and not to exploit. If something is found, templates could be used to exploit it. To use it, just create a test.bat file located next to the service / DLL used. It should execute it once called.

      Depending on the Redistributable Packages installed on the target host, these binaries may not work.

      Run it

          |====================================================================|
          |                                                                    |
          |                    Windows Privilege Escalation                    |
          |                                                                    |
          |                          ! BANG BANG !                             |
          |                                                                    |
          |====================================================================|

          usage: beRoot.exe [-h] [-l] [-w] [-c CMD]

          Windows Privilege Escalation

          optional arguments:
            -h, --help         show this help message and exit
            -l, --list         list all softwares installed (not run by default)
            -w, --write        write output
            -c CMD, --cmd CMD  cmd to execute for the webclient check (default: whoami)

      All detection methods are described on the following document.

      Path containing space without quotes

      Consider the following file path:

          C:\Program Files\Some Test\binary.exe

      If the path contains spaces and no quotes, Windows would try to locate and execute programs in the following order:

          C:\Program.exe
          C:\Program Files\Some.exe
          C:\Program Files\Some Folder\binary.exe

      Following this example, if the "C:\" folder is writable, it would be possible to create a malicious executable binary called "Program.exe". If "binary.exe" runs with high privilege, it could be a good way to escalate our privilege.

      Note: BeRoot performs these checks on every service path, scheduled task and startup key located in HKLM.

      How to exploit

      The vulnerable path runs as:
      - a service: create a malicious service (or compile the service template)
      - a classic executable: create your own executable.

      Writable directory

      Consider the following file path:

          C:\Program Files\Some Test\binary.exe

      If the root directory of "binary.exe" is writable ("C:\Program Files\Some Test") and it runs with high privilege, it could be used to elevate our privileges.

      Note: BeRoot performs these checks on every service path, scheduled task and startup key located in HKLM.

      How to exploit

      - The service is not running: replace the legitimate service with our own, restart it or check how it's triggered (at reboot, when another process is started, etc.).
      - The service is running and could not be stopped: most exploitation will be like that; check for DLL hijacking and try to restart the service using the previous techniques.

      Writable directory on %PATH%

      This technique affects the following Windows versions:
      - 6.0 => Windows Vista / Windows Server 2008
      - 6.1 => Windows 7 / Windows Server 2008 R2
      - 6.2 => Windows 8 / Windows Server 2012

      On a classic Windows installation, when DLLs are loaded by a binary, Windows would try to locate them using the following steps:
      - Directory where the binary is located
      - C:\Windows\System32
      - C:\Windows\System
      - C:\Windows\
      - Current directory where the binary has been launched
      - Directories present in the %PATH% environment variable

      If a directory on the %PATH% variable is writable, it would be possible to carry out DLL hijacking attacks. Then, the goal would be to find a service which loads a DLL not present in any of these paths. This is the case of the default "IKEEXT" service which loads the non-existent "wlbsctrl.dll".

      How to exploit: create a malicious DLL called "wlbsctrl.dll" (use the DLL template) and add it to the writable path listed on the %PATH% variable. Start the service "IKEEXT".

      To start the IKEEXT service without high privilege, a technique described in the French magazine MISC 90 explains the following method. Create a file as follows:

          C:\Users\bob\Desktop>type test.txt
          [IKEEXTPOC]
          MEDIA=rastapi
          Port=VPN2-0
          Device=Wan Miniport (IKEv2)
          DEVICE=vpn
          PhoneNumber=127.0.0.1

      Use the "rasdial" binary to start the IKEEXT service. Even if the connection failed, the service should have been started.

          C:\Users\bob\Desktop>rasdial IKEEXTPOC test test /PHONEBOOK:test.txt

      MS16-075

      For French readers, I recommend the article written in MISC 90 which explains in detail how it works. This vulnerability has been corrected by Microsoft with MS16-075, however many servers are still vulnerable to this kind of attack. I have been inspired by the C++ POC available here. Here is some explanation (not in detail):
      - Start the Webclient service (used to connect to some shares) using some magic tricks (using its UUID)
      - Start an HTTP server locally
      - Find a service which will be used to trigger a SYSTEM NTLM hash
      - Enable file tracing on this service by modifying its registry key to point to our webserver (\\127.0.0.1@port\tracing)
      - Start this service
      - Our HTTP server starts a negotiation to get the SYSTEM NTLM hash
      - Use this hash with SMB to execute our custom payload (SMBrelayx has been modified to perform this action)
      - Clean everything (stop the service, clean the registry, etc.).

      How to exploit: BeRoot performs this exploitation; change the "-c" option to execute a custom command on the vulnerable host.

          beRoot.exe -c "net user Zapata LaLuchaSigue /add"
          beRoot.exe -c "net localgroup Administrators Zapata /add"

      AlwaysInstallElevated registry key

      AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. To allow it, two registry entries have to be set to 1:

          HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
          HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

      How to exploit: create a malicious msi binary and execute it.

      Unattended Install files

      This file contains all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts including Administrator accounts. These files are available on the following paths:

          C:\Windows\Panther\Unattend.xml
          C:\Windows\Panther\Unattended.xml
          C:\Windows\Panther\Unattend\Unattended.xml
          C:\Windows\Panther\Unattend\Unattend.xml
          C:\Windows\System32\Sysprep\unattend.xml
          C:\Windows\System32\Sysprep\Panther\unattend.xml

      How to exploit: open the unattend.xml file to check if passwords are present in it. It should look like:

          <UserAccounts>
              <LocalAccounts>
                  <LocalAccount>
                      <Password>
                          <Value>RmFrZVBhc3N3MHJk</Value>
                          <PlainText>false</PlainText>
                      </Password>
                      <Description>Local Administrator</Description>
                      <DisplayName>Administrator</DisplayName>
                      <Group>Administrators</Group>
                      <Name>Administrator</Name>
                  </LocalAccount>
              </LocalAccounts>
          </UserAccounts>

      Other possible misconfigurations

      Other tests are performed to check if it's possible to:
      - Modify an existing service
      - Create a new service
      - Modify a startup key (on HKLM)
      - Modify the directory where all scheduled tasks are stored: "C:\Windows\system32\Tasks"

      Special thanks
      - Good description of each check: https://toshellandback.com/2015/11/24/ms-priv-esc/
      - C++ POC: https://github.com/secruul/SysExec
      - Impacket as always, awesome work: https://github.com/CoreSecurity/impacket/

      Author: Alessandro ZANNI zanni.alessandro@gmail.com

      Download: BeRoot-master.zip or git clone https://github.com/AlessandroZ/BeRoot.git

      Source: https://github.com/AlessandroZ/BeRoot
    1 point
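The "path containing space without quotes" search order from the BeRoot post above, as an added audit example written for this page (not BeRoot's own code): given a raw service ImagePath it lists the executables Windows would try before the real binary, and flags those whose parent directory appears in a caller-supplied list of writable directories. The sample path and the writable-directory list are constructed; `unquoted_candidates` and `risky_candidates` are names chosen here.

```python
import ntpath
import re
from typing import List

# Added example, not BeRoot's code: audit logic for the unquoted-path check.


def unquoted_candidates(image_path: str) -> List[str]:
    """Return, in order, the executables Windows would try for an unquoted
    ImagePath that contains spaces. An empty list means the path is quoted
    or space-free, so the search-order ambiguity does not arise."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Separate the binary from trailing arguments such as "-k netsvcs".
    m = re.match(r"^(.*?\.exe)(\s.*)?$", path, re.IGNORECASE)
    binary = m.group(1) if m else path
    if " " not in binary:
        return []
    parts = binary.split(" ")
    # Each space is a point where Windows may stop and append ".exe".
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(binary)
    return candidates


def _norm_dir(d: str) -> str:
    # Case-insensitive, trailing-backslash-insensitive directory key.
    return ntpath.normcase(d).rstrip("\\")


def risky_candidates(image_path: str, writable_dirs: List[str]) -> List[str]:
    """Candidates (excluding the real binary) whose parent directory is in
    writable_dirs. Writability is supplied by the caller on purpose:
    os.access() ignores NTFS ACLs, so a real audit should use icacls or
    Get-Acl to decide which directories low-privileged users can write."""
    writable = {_norm_dir(d) for d in writable_dirs}
    cands = unquoted_candidates(image_path)
    return [c for c in cands[:-1] if _norm_dir(ntpath.dirname(c)) in writable]


if __name__ == "__main__":
    # Constructed sample: the README's path, with C:\ assumed writable.
    svc = r"C:\Program Files\Some Test\binary.exe -k svc"
    for c in unquoted_candidates(svc):
        print("would try:", c)
    print("risky:", risky_candidates(svc, ["C:\\"]))
```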
  20. Eight Bluetooth-related vulnerabilities (four that are critical) affecting over 5 billion Android, Windows and Linux devices could allow attackers to take control of devices, access corporate data and networks, and easily spread malware to other devices. Nearly all devices with Bluetooth capabilities, including smartphones, TVs, laptops, watches, smart TVs, and even some automobile audio systems, are vulnerable to this attack. If exploited, the vulnerabilities could enable an attacker to take over devices, spread malware, or establish a "man-in-the-middle" to gain access to critical data and networks without user interaction. The vulnerabilities were found in the Bluetooth implementations in Android, Microsoft, Linux and iOS versions pre-iOS 10. Armis reported the vulnerabilities to Google, Microsoft, and the Linux community. Google and Microsoft are releasing updates and patches on Tuesday, September 12. Others are preparing patches that are in various stages of being released. These vulnerabilities are the most serious Bluetooth vulnerabilities identified to date. Previously identified flaws found in Bluetooth were primarily at the protocol level. These new vulnerabilities are at the implementation level, bypassing the various authentication mechanisms, and enabling a complete takeover of the target device. These proximity-based network vulnerabilities could allow attackers to create broad malware infections that could spread from one infected device to many others by wirelessly connecting to other devices over Bluetooth. The device-to-device connectivity nature of Bluetooth means an airborne (or "BlueBorne") attack could easily spread without any action required by a user. "These silent attacks are invisible to traditional security controls and procedures. Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," said Yevgeny Dibrov, CEO of Armis. 
"The research illustrates the types of threats facing us in this new connected age." There are two specific methods attackers could use with exploit code. They could: Connect to the target device in an undetected manner, then remotely execute code on that device. This would allow the attacker to take full control of a system, up to and including leveraging the device to gain access to corporate networks, systems, and data. Conduct a Man-in-the-Middle attack — effectively creating a Bluetooth Pineapple — to sniff traffic being sent between Bluetooth-enabled devices or spoof a legitimate Bluetooth device and hijack the connection and redirect traffic. This would enable attackers to download malware to devices and take complete control of them. This attack would not require additional hardware, as it uses the Bluetooth connection on the device against the device itself. The automatic connectivity of Bluetooth, combined with the fact that nearly all devices have Bluetooth enabled by default, makes these vulnerabilities all the more serious and pervasive. Once a device is infected with malware, it can then easily broadcast the malware to other Bluetooth-enabled devices in its vicinity, either inside an office or in more public locations. While waiting for the patch, users can disable Bluetooth to protect devices. SOURCE: htp:/www.prnewswire.com/news-releases/armis-identifies-new-airborne-cyber-threat-blueborne-that-exposes-almost-every-device-to-remote-attack-30051700.html
    1 point
  21. My name is Florin and I'm passionate about IT and technology. I've known this forum since I was 14 but I didn't understand many things; I kept trying to understand a ddos script. Currently I'm in 10th grade at a math-computer science high school. My goal is to learn as much as possible in this field and maybe one day I'll be able to help this community; for now I don't think I have enough knowledge to share. I use Kali Linux and I'm eager to learn as much as I can. I hope this description is well received.
    1 point
  22. tl;dr another shitty "Che brand" post headed for the trash. You've got the wrong address, you've got the wrong mentality.
    1 point
  23. Morning, I spent a day reading the "welcome" section and after a hard day's work I came home and the mouse pointer went on its own to the first post, written by pyth0n3, and I immediately got caught up in his game, and I really don't want to write a single line about myself because I love the internet too much, linux, beer, weed, sometimes a database from some police inspectorate too; however beautiful life is for me, life means computers. By the way, I'm draqu13; I have no description for the name. It is the perfect description. I've been in contact with computers since about age 7, considering I'm 23; at age 10, in 2003, I discovered ABAC, or the internet cafe, where I started playing MU. 11 years later, in 2014, I gave up MU for BLACK TRACK and I still have pirated CDs. Honestly, I've been into this crap for 3 years and I like it; school not so much! Currently I'm in 12th grade at evening school and I'm trying to finish school in order to progress. I want a future in IT, I don't want to do anything else with my life. I learned everything from 0; my only friend was youtube, that's how I learned about brutal force, sql injection, databases, a bit of html, DOSS, cloning, playload, wi-fi and how easily I can look at you inside your house with the help of your webcam. I like it here among cables, security and motherboards! I hope to make friends here I can learn from, because I've seen there are only cool people here; if it were up to me I'd give each one of you a nail! P.S. Hey Fuking Hi, Draqu at the keyboard!
    1 point