Leaderboard

Hello, In Python, it's really easy to work with API calls using the requests module. To install it, just do: pip install requests Unfortunately, depending on your version, the API is largely SOAP based. The simplest way to consume VMWare's API is via one of the existing SDKs. Now, moving further and looking at a newer version of VMWare docs, we can see that there's an already developed module to interfere with it named pyvmomi. You can follow the instructions from the github to set everything up. If you follow carefully those steps you will find this https://github.com/vmware/pyvmomi-community-samples/blob/master/samples/ which contains tons of examples. Now, literally speaking, if you specifically need to play a bit with requests, you can do the following: 1. Import the needed modules 2. Make GET requests 3. Process the data 4. POST processed data 1. Import the needed modules import requests 2. Make GET requests GET_URL = 'https://httpbin.org/get' POST_URL = 'https://httpbin.org/post' data = requests.get(GET_URL).json() # this will be a json data structure containing the data you need The output of the above is: {'args': {}, 'headers': {'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate', 'Connection': 'close', 'Host': 'httpbin.org', 'User-Agent': 'python-requests/2.18.1'}, 'origin': '86.120.146.226', 'url': 'https://httpbin.org/get'} 3. Process the data Let's suppose you want to modify the origin value into something else: data['origin'] = 'something else' 4. POST processed data r = requests.post(POST_URL, data=data) print(r.text) Now, the output of the above will be: { "args": {}, "data": "", "files": {}, "form": { "headers": [ "Accept", "Accept-Encoding", "Connection", "Host", "User-Agent" ], "origin": "something else", "url": "https://httpbin.org/get" }, "headers": { "Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Content-Length": "147", "Content-Type": "application/x-www-form-urlencoded", "Host": "httpbin.org", "User-Agent": "python-requests/2.18.1" }, "json": null, "origin": "86.120.146.226", "url": "https://httpbin.org/post" } Now, regarding your unicode issue, the error was raised because the data is a unicode/str variable, which means that you first have to make it a JSON object (which is basically a dict). In my example, you can see that I already called .json() which makes sure the data is a JSON object. But, if the returned data is a string, you won't be able to do that. To do that, you can use the json module: import json data = json.loads(data)

Bitcracker BitCracker is the first open source password cracking tool for memory units encrypted with BitLocker (using the password authentication method). Introduction BitLocker (formerly BitLocker Drive Encryption) is a full-disk encryption feature available in recent Windows versions (Ultimate and Enterprise editions of Windows Vista and Windows 7, the Pro and Enterprise editions of Windows 8, 8.1 and 10). BitCracker is a mono-GPU (OpenCL and CUDA) password cracking tool for memory units encrypted with the password authentication method of BitLocker (see picture below). Our attack has been tested on several memory units encrypted with BitLocker running on Windows 7, Window 8.1, Windows 10 (compatible and no-compatible mode) and BitLocker To Go. Requirements Minimum requirements for CUDA implementation: CUDA 7.5 NVIDIA GPU with CC 3.5 or later NVIDIA GPU with Kepler architecture or later Minimum memory requirement is 256 Mb; it may increase depending on the number of passwords processed by each kernel. How To: Use the build.sh script to build 3 executables: Hash extractor BitCracker CUDA version BitCracker OpenCL version The executables are stored in the build directory. Before starting the attack, you need to run bitcracker_hash to extract the hash describing the encrypted memory unit. It also verifies if the input memory unit satisfies BitCracker's requirements. > ./build/bitcracker_hash -h Usage: ./build/bitcracker_hash -i <Encrypted memory unit> -o <output file> Options: -h, --help Show this help -i, --image Path of memory unit encrypted with BitLocker -o, --outfile Output file The extracted hash is fully compatible with the John The Ripper format (see next Section). Then you can use the output hash file to run the BitCracker attack. > ./build/bitcracker_cuda -h Usage: ./build/bitcracker_cuda -f <hash_file> -d <dictionary_file> Options: -h, --help Show this help -f, --hashfile Path to your input hash file (HashExtractor output) -s, --strict Strict check (use only in case of false positives) -d, --dictionary Path to dictionary or alphabet file -g, --gpu GPU device number -t, --passthread Set the number of password per thread threads -b, --blocks Set the number of blocks Note: In case of false positives you can use the -s option, that is a more restrictive check on the correctness of the final result. Altough this check is empirically verified and it works with all the encrypted images in this repo, we can't guarantee that it doesn't lead to false negatives. Use -s option only if BitCracker returns several false positives. In the the run_test.sh script there are several attack examples using the encrypted images provided in this repo: imgWin7: memory unit encrypted with BitLocker using Windows 7 Enteprise edition OS imgWin8: memory unit encrypted with BitLocker using Windows 8 Enteprise edition OS imgWin10Compatible.vhd: memory unit encrypted with BitLocker (compatible mode) using Windows 10 Enteprise edition OS, imgWin10NotCompatible.vhd: memory unit encrypted with BitLocker (not compatible mode) using Windows 10 Enteprise edition OS, imgWin10NotCompatibleLong27.vhd: memory unit encrypted with BitLocker (not compatible mode) using Windows 10 Enteprise edition OS with the longest possible password (27 characters) Currently, BitCracker accepts passwords between 8 (minimum password length) and 27 characters (implementation reasons). BitCracker doesn't provide any mask attack, cache mechanism or smart dictionary creation; therefore you need to provide your own input dictionary. Performance Here we report the best performance of BitCracker implementations tested on different GPUs. GPU Acronim GPU Arch CC # SM Clock CUDA GFT GeForce Titan Kepler 3.5 14 835 7.0 GTK80 Tesla K80 Kepler 3.5 13 875 7.5 GFTX GeForce Titan X Maxwell 5.2 24 1001 7.5 GTP100 Telsa P100 Pascal 6.1 56 1328 8.0 AMDM Radedon Malta - - - - - Performance: Version GPU -t -b Passwords x kernel Passwords/sec Hash/sec CUDA GFT 8 13 106.496 303 635 MH/s CUDA GTK80 8 14 114.688 370 775 MH/s CUDA GFTX 8 24 106.608 933 1.957 MH/s CUDA GTP100 8 56 458.752 1.363 2.858 MH/s OpenCL AMDM 32 64 524.288 241 505 MH/s OpenCL GFTX 8 24 196.608 884 1.853 MH/s John The Ripper We released the OpenCL version as a plugin of John The Ripper (bleeding jumbo): Wiki page: http://openwall.info/wiki/john/OpenCL-BitLocker JtR source code: https://github.com/magnumripper/JohnTheRipper Next Release In the next relese: The maximum password lenght will be dynamic Improve strict check with optional MAC verification to avoid any false positive References, credits and contacts This is a research project in collaboration with the National Research Council of Italy released under GPLv2 license. Copyright (C) 2013-2017 Elena Ago (elena dot ago at gmail dot com) and Massimo Bernaschi (massimo dot bernaschi at gmail dot com) We will provide some additional info about BitCracker's attack in a future paper. Although we use the GPLv2 licence, we are open to collaborations. For any additional info, collaborations or bug report please contact elena dot ago at gmail dot com Download: bitcracker-master.zip or git clone https://github.com/e-ago/bitcracker.git Source: https://github.com/e-ago/bitcracker

Author: Stefan Sabin Nicula Link: https://securitycafe.ro/2017/09/22/robot-hacking-research/ Summary:

Could you give some examples of what your code is, what you are trying to parse so on and so forth? Not all of us know what the API looks like... And I for one did not pass the psychic exam...

Basics Draggable is a modular drag & drop library, allowing you to start small and build up with the features you need. At its most basic, Draggable gives you drag & drop functionality, fast DOM reordering, accessible markup, and a bundle of events to grab on to. Swappable The classic switcheroo. Drag one element over another and watch them trade places in the DOM. The ideal functionality for when layout dimensions need to be retained. Sortable Sort DOM nodes with style. Drag items in a collection from one spot to another and watch everything snap into place. Fast and responsive sorting that won’t leave your performance wallet strapped for frames. Collidable Start your game dev career and inject some collision detection. Collidable will prevent draggable elements from overlapping each other, firing collision events when the dragged source element enters and exits a restricted zone. Accesible Drag & drop accessibility is a delicate flower. While browsers continue to work on a reliable native solution, Draggable lends a helping hand by providing all the proper aria attributes in all the right places. Extensible Draggable is easy to extend – write a custom module that provides the functionality you need, then submit it to our Github repo for review. If you needed a feature that wasn’t already available, chances are the community needs it to. Sharing is caring. Interaction Draggable supports most of the interaction events we could think of – mouse, touch, and force touch are all available out of the box, with accessible keyboard support coming soon! Animation Let’s face it, its annoying when plugins get in the way of your personal design touch. Draggable isn’t going to try and steal the show by forcing any unruly animation styles on you. Simply take your pick from our healthy serving of CSS selectors and style to your heart’s desire. Download v1.0.0-beta.zip or git clone https://github.com/Shopify/draggable.git Sources: https://shopify.github.io/draggable/ https://github.com/Shopify/draggable/

grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"

Cracking the Lens: Targeting HTTP's Hidden Attack Surface James Kettle - james.kettle@portswigger.net - @albinowax Modern websites are browsed through a lens of transparent systems built to enhance performance, extract analytics and supply numerous additional services. This almost invisible attack surface has been largely overlooked for years. In this paper, I'll show how to use malformed requests and esoteric headers to coax these systems into revealing themselves and opening gateways into our victim's networks. I'll share how by combining these techniques with a little Bash I was able to thoroughly perforate DoD networks, trivially earn over $30k in vulnerability bounties, and accidentally exploit my own ISP. While deconstructing the damage, I'll also showcase several hidden systems it unveiled, including not only covert request interception by the UK's largest ISP, but a substantially more suspicious Colombian ISP, a confused Tor backend, and a system that enabled reflected XSS to be escalated into SSRF. You'll also learn strategies to unblinker blind SSRF using exploit chains and caching mechanisms. Finally, to further drag these systems out into the light, I'll release Collaborator Everywhere - an open source Burp Suite extension which augments your web traffic with a selection of the best techniques to harvest leads from cooperative websites. Outline Introduction Methodology Listening Research Pipeline Scaling Up Misrouting Requests Invalid Host Investigating Intent - BT Investigating Intent - Metrotel Input Permutation Host Override Ambiguous Requests Breaking Expectations Tunnels Targeting Auxiliary Systems Gathering Information Remote Client Exploits Preemptive Caching Conclusion Download: https://www.blackhat.com/docs/us-17/wednesday/us-17-Kettle-Cracking-The-Lens-Exploiting-HTTPs-Hidden-Attack-Surface-wp.pdf

Video:

Ida Pro 7.0 + All Decompilers Full Leak-Pass Links: http://1024rd.com/ida-pro-7-0-all-decompilers-full-leak-pass (via: https://twitter.com/riusksk/status/913254688488792065) https://forum.reverse4you.org/showthread.php?t=2627 (via: https://twitter.com/malwareunicorn/status/913441973511454720) As always, use with caution, it has not been checked.

Cadourile nu inseamna mare lucru intr-o relatie, cel putin cele materiale. Traiti expriente noi impreuna, vizitati locuri noi etc. Asa o sa formati o legatura stransa, nu printr-un schimb de cadouri. Si pe langa asta, ia initiativa, fii hotarat si sigur pe tine. Mentine-i atentia si curiozitatea, n-o lasa sa se plictiseasca. Asta e doar parerea mea.

Asking the real question. Mi se pare mie sau chiar nu ai futut-o inca?

Ceva in genu' asta vrei ?

// Spam