Leaderboard

Se pare ca voi fi speaker la editia de anul acesta de la Defcamp. Deci va fi cel putin o prezentare ce va avea sigla RST-ului pe ea.

Viitorul suna bine: O inteligenta artificiala care a crescut printre tigani facea parte din lumea interlopa si ciordea bani din conturile clientilor corporatiei x si a cerut azi politic in coreea de nord.

sursa : https://az4n6.blogspot.in

Introducing New Packing Method: First Reflective PE Packer Amber October 24, 2017 Ege Balci Operating System, Research, Tools Because of the increasing security standards inside operating systems and rapid improvements on malware detection technologies today’s malware authors takes advantage of the transparency offered by in-memory execution methods. In-memory execution or fileless execution of a PE file can be defined as executing a compiled PE file inside the memory with manually performing the operations that OS loader supposed to do when executing the PE file normally. In-memory execution of a malware facilitates the obfuscation and anti-emulation techniques. Additionally the malware that is using such methods leaves less footprints on the system since it does not have to possess a file inside the hard drive. Combining in-memory execution methods and multi stage infection models allows malware to infect systems with very small sized loader programs; only purpose of a loader is loading and executing the actual malware code via connecting to a remote system. Using small loader codes are hard to detect by security products because of the purpose and the code fragments of loaders are very common among legitimate applications. Malware that are using this approach can still be detected with scanning the memory and inspecting the behaviors of processes but in terms of security products these operation are harder to implement and costly because of the higher resource usage (Ramilli, 2010[1]). Current rising trend on malware detection technologies is to use the machine learning mechanisms to automate the detection of malwares with feeding very big datasets into the system, as in all machine learning applications this mechanism gets smarter and more accurate in time with absorbing more samples of malware. These mechanisms can feed large numbers of systems that human malware analysts can’t scale. Malware Detection Using Machine Learning[2]paper by Gavriluţ Dragoş from BitDefender Romania Labs widely explains the inner workings of machine learning usage on malware detection. According to the Automatic Analysis of Malware Behavior using Machine Learning[3] paper by Konrad Rieck, with enough data and time false positive results will get close to zero percent and deterministic detection of malware will be significantly effective on new and novel malware samples. The main purpose of this work is developing a new packing methodology for PE files that can alter the way of delivering the malware to the systems. Instead of trying to find new anti-detection techniques that feed the machine learning data-sets, delivering the payload to the systems via fileless code injections directly bypasses most of the security mechanisms. With this new packing method it is possible to convert compiled PE files into multi stage infection payloads that can be used with common software vulnerabilities such as buffer overflows. Known Methods Following techniques are inspiration point of our new packing method. Reflective DLL Injection[4] is a great library injection technique developed by Stephen Fewer and it is the main inspiration point for developing this new packer named as Amber. This technique allows in-memory execution of a specially crafted DLL that is written with reflective programming approach. Because of the adopted reflective programming approach this technique allows multi stage payload deployment. Besides the many advantages of this technique it has few limitations. First limitation is the required file format, this technique expects the malware to be developed or recompiled as a DLL file, and unfortunately in most cases converting an already compiled EXE file to DLL is not possible or requires extensive work on the binary. Second limitation is the need for relocation data. Reflective DLL injection technique requires the relocation data for adjusting the base address of the DLL inside the memory. Also this method has been around for a long time, this means up to date security products can easily detect the usage of Reflective DLL injection. Our new tool, Amber will provide solutions for each of these limitations. Process Hollowing[5] is another commonly known in-memory malware execution method that is using the documented Windows API functions for creating a new process and mapping an EXE file inside it. This method is popular among crypters and packers that are designed to decrease the detection rate of malwares. But this method also has several drawbacks. Because of the Address Space Layout Randomization (ASLR) security measure inside the up-to-date Windows operating systems, the address of memory region when creating a new process is randomized, because of this process hollowing also needs to implement image base relocation on up-to-date Windows systems. As mentioned earlier, base relocation requires relocation data inside PE files. Another drawback is because of the usage of specific file mapping and process creation API functions in specific order this method is easy to identify by security products. Hyperion[6] is a crypter for PE files, developed and presented by Christian Amman in 2012. It explains the theoretic aspects of runtime crypters and how to implement it. The PE parsing approach in assembly and the design perspective used while developing Hyperion helped us for our POC packer. Technical Details of our new packing method: Amber The fundamental principle of executing a compiled binary inside the OS memory is possible with imitating the PE loader of the OS. On Windows, PE loader does many important things, between them mapping a file to memory and resolving the addresses of imported functions are the most important stages for executing a EXE file. Current methods for executing EXE files in memory uses specific windows API functions for mimicking the windows PE loader. Common approach is to create a new suspended process with calling CreateProcess windows API function and mapping the entire EXE image inside it with the help of NtMapViewOfSection, MapViewOfFileand CreateFileMapping functions. Usage of such functions indicates suspicious behavior and increases the detection possibility of the malware. One of the key aspects while developing our packer is using less API functions as possible. In order to avoid the usage of suspicious file mapping API functions our packer uses premapped PE images moreover execution of the malware occurs inside of the target process itself without using the CreateProcess windows API function. The malware executed inside the target process is run with the same process privileges because of the shared _TEB block which is containing the privilege information and configuration of a process. Amber has 2 types of stub, one of them is designed for EXE files that are supporting the ASLR and the other one is for EXE files that are stripped or doesn’t have any relocation data inside. The ASLR supported stub uses total of 4 windows API calls and other stub only uses 3 that are very commonly used by majority of legitimate applications. ASLR Supported Stub: VirtualAlloc CreateThread LoadLibraryA GetProcAddress Non-ASLR Stub: VirtualProtect LoadLibraryA GetProcAddress In order to call these API’s on runtime Amber uses a publicly known EAT parsing technique that is used by Stephen Fewer’s Reflective DLL injection[4] method. This technique simply locates the InMemoryOrderModuleList structure with navigating through Process Environment Block (PEB) inside memory. After locating the structure it is possible to reach export tables of all loaded DLLs with reading each _LDR_DATA_TABLE_ENTRY structure pointed by the InMemoryOrderModuleList. After reaching the export table of a loaded DLL it compares the previously calculated ROR (rotate right) 13 hash of each exported function name until a match occurs. Amber’s packing method also provides several alternative windows API usage methods, one of them is using fixed API addresses, this is the best option if the user is familiar on the remote process that will host the Amber payload. Using fixed API addresses will directly bypass the latest OS level exploit mitigations that are inspecting export address table calls also removing API address finding code will reduce the overall payload size. Another alternative techniques can be used for locating the addresses of required functions such as IAT parsing technique used by Josh Pitts in “Teaching Old Shellcode New Tricks”[7] presentation. Current version of Amber packer versions only supports Fixed API addresses and EAT parsing techniques but IAT parsing will be added on next versions. Generating the Payload For generating the actual Amber payload first packer creates a memory mapping image of the malware, generated memory mapping file contains all sections, optional PE header and null byte padding for unallocated memory space between sections. After obtaining the mapping of the malware, packer checks the ASLR compatibility of the supplied EXE, if the EXE is ASLR compatible packer adds the related Amber stub if not it uses the stub for EXE files that has fixed image base. From this point Amber payload is completed. Below image describes the Amber payload inside the target process, ASLR Stub Execution Execution of ASLR supported stub consists of 5 phases, Base Allocation Resolving API Functions Base Relocation Placement Of File Mapping Execution At the base allocation phase stub allocates a read/write/execute privileged memory space at the size of mapped image of malware with calling the VirtualAlloc windows API function, This memory space will be the new base of malware after the relocation process. In the second phase Amber stub will resolve the addresses of functions that is imported by the malware and write the addresses to the import address table of the mapped image of malware. Address resolution phase is very similar to the approach used by the PE loader of Windows, Amber stub will parse the import table entries of the mapped malware image and load each DLL used by the malware with calling the LoadLibraryA windows API function, each _IMAGE_IMPORT_DESCRIPTOR entry inside import table contains pointer to the names of loaded DLL’s as string, stub will take advantage of existing strings and pass them as parameters to the LoadLibraryA function, after loading the required DLL Amber stub saves the DLL handle and starts finding the addresses of imported functions from the loaded DLL with the help of GetProcAddress windows API function, _IMAGE_IMPORT_DESCRIPTOR structure also contains a pointer to a structure called import names table, this structure contains the names of the imported functions in the same order with import address table(IAT), before calling the GetProcAddress function Amber stub passes the saved handle of the previously loaded DLL and the name of the imported function from import name table structure. Each returned function address is written to the malwares import address table (IAT) with 4 padding byte between them. This process continuous until the end of the import table, after loading all required DLL’s and resolving all the imported function addresses second phase is complete. At the third phase Amber stub will start the relocation process with adjusting the addresses according to the address returned by the VirtualAlloc call, this is almost the same approach used by the PE loader of the windows itself, stub first calculates the delta value with the address returned by the VirtualAlloc call and the preferred base address of the malware, delta value is added to the every entry inside the relocation table. In fourth phase Amber stub will place the file mapping to the previously allocated space, moving the mapped image is done with a simple assembly loop that does byte by byte move operation. At the final phase Amber stub will create a new thread starting from the entry point of the malware with calling the CreateThread API function. The reason of creating a new thread is to create a new growable stack for the malware and additionally executing the malware inside a new thread will allow the target process to continue from its previous state. After creating the malware thread stub will restore the execution with returning to the first caller or stub will jump inside a infinite loop that will stall the current thread while the malware thread successfully runs. Non-ASLR Stub Execution Execution of Non-ASLR supported stub consists of 4 phases, Base Allocation Resolving API functions Placement Of File Mapping Execution If the malware is stripped or has no relocation data inside there is no other way than placing it to its preferred base address. In such condition stub tries to change the memory access privileges of the target process with calling VirtualProtect windows API function starting from image base of the malware through the size of the mapped image. If this condition occurs preferred base address and target process sections may overlap and target process will not be able to continue after the execution of Amber payload. Fixed Amber stub may not be able to change the access privileges of the specified memory region, this may have multiple reasons such as specified memory range is not inside the current process page boundaries (reason is most probably ASLR) or the specified address is overlapping with the stack guard regions inside memory. This is the main limitation for Amber payloads, if the supplied malware don’t have ASLR support (has no relocation data inside) and stub can’t change the memory access privileges of the target process payload execution is not possible. In some situations stub successfully changes the memory region privileges but process crashes immediately, this is caused by the multiple threads running inside the overwritten sections. If the target process owns multiple threads at the time of fixed stub execution it may crash because of the changing memory privileges or overwriting to a running section. However these limitations doesn’t matter if it’s not using the multi stage infection payload with fixed stub, current POC packer can adjust the image base of generated EXE file and the location of Amber payload accordingly. If the allocation attempt ends up successful first phase is complete. Second phase is identical with the approach used by the ASLR supported stub. After finishing the resolution of the API addresses, same assembly loop used for placing the completed file mapping to the previously amended memory region. At the final phase stub jumps to the entry point of the malware and starts the execution without creating a new thread. Unfortunately, usage of Non-ASLR Amber stub does not allow the target process to continue with its previous state. Multi Stage Applications Security measures that will be taken by operating systems in the near future will shrink the attack surface even more for malwares. Microsoft has announced Windows 10 S on May 2 2017[8], this operating system is basically a configured version of Windows 10 for more security, one of the main precautions taken by this new operating system is doesn’t allow to install applications other than those from Windows Store. This kind of white listing approach adopted by the operating systems will have a huge impact on malwares that is infecting systems via executable files. In such scenario usage of multi stage in-memory execution payloads becomes one of the most effective attack vectors. Because of the position independent nature of the Amber stubs it allows multi stage attack models, current POC packer is able to generate a stage payload from a complex compiled PE file that can be loaded and executed directly from memory like a regular shellcode injection attack. In such overly restrictive systems multi stage compatibility of Amber allows exploitation of common memory based software vulnerabilities such as stack and heap based buffer overflows. However due to the limitations of the fixed Amber stub it is suggested to use ASLR supported EXE files while performing multi stage infection attacks. Stage payloads generated by the POC packer are compatible with the small loader shellcodes and payloads generated from Metasploit Framework [9], this also means Amber payloads can be used with all the exploits inside the Metasploit Framework [9] that is using the multi stage meterpreter shellcodes. Here is the source code of Amber . Feel free to fork and contribute..! https://github.com/EgeBalci/Amber Demo 1 – Deploying EXE files through metasploit stagers This video demonstrates how to deploy regular EXE files into systems with using the stager payloads of metasploit. The Stage.exe file generated from Metasploit fetches the amber’s stage payload and executes inside the memory. Demo 2 – Deploying fileless ransomware with Amber ( 3 different AV ) This video is a great example of a possible ransomware attack vector. With using amber, a ransomware EXE file packed and deployed to a remote system via fileless powershell payload. This attack can also be replicated with using any kind of buffer overflow vulnerability. Detection Rate Current detection rate (19.10.2017) of the POC packer is pretty satisfying but since this is going to be a public project current detection score will rise inevitably When no extra parameters passed (only the file name) packer generates a multi stage payload and performs an basic XOR cipher with a multi byte random key then compiles it into a EXE file with adding few extra anti detection functions. Generated EXE file executes the stage payload like a regular shellcode after deciphering the payload and making the required environmental checks. This particular sample is the mimikatz.exe (sha256 – 9369b34df04a2795de083401dda4201a2da2784d1384a6ada2d773b3a81f8dad) file packed with a 12 byte XOR key (./amber mimikatz.exe -ks 12). The detection rate of the mimikatz.exe file before packing is 51/66 on VirusTotal. In this particular example packer uses the default way to find the windows API addresses witch is using the hash API, avoiding the usage of hash API will decrease the detection rate. Currently packer supports the usage of fixed addresses of IAT offsets also next versions will include IAT parser shellcodes for more alternative API address finding methods. VirusTotal https://www.virustotal.com/#/file/3330d02404c56c1793f19f5d18fd5865cadfc4bd015af2e38ed0671f5e737d8a/detection VirusCheckmate Result http://viruscheckmate.com/id/1ikb99sNVrOM NoDistribute https://nodistribute.com/result/image/7uMa96SNOY13rtmTpW5ckBqzAv.png Future Work This work introduces a new generation malware packing methodology for PE files but does not support .NET executables, future work may include the support for 64 bit PE files and .NET executables. Also in terms of stealthiness of this method there can be more advancement. Allocation of memory regions for entire mapped image done with read/write/execute privileges, after placing the mapped image changing the memory region privileges according to the mapped image sections may decrease the detection rate. Also wiping the PE header after the address resolution phase can make detection harder for memory scanners. The developments of Amber POC packer will continue as a open source project. References [1] Ramilli, Marco, and Matt Bishop. “Multi-stage delivery of malware.” Malicious and Unwanted Software (MALWARE), 2010 5th International Conference on. IEEE, 2010. [2] Gavriluţ, Dragoş, et al. “Malware detection using machine learning.” Computer Science and Information Technology, 2009. IMCSIT’09. International Multiconference on. IEEE, 2009. [3] Rieck, Konrad, et al. “Automatic analysis of malware behavior using machine learning.” Journal of Computer Security 19.4 (2011): 639-668. [4] Fewer, Stephen. “Reflective DLL injection.” Harmony Security, Version 1 (2008). [5] Leitch, John. “Process hollowing.” (2013). [6] Ammann, Christian. “Hyperion: Implementation of a PE-Crypter.” (2012). [7] Pitts, Josh. “Teaching Old Shellcode New Tricks” https://recon.cx/2017/brussels/resources/slides/RECON-BRX-2017 Teaching_Old_Shellcode_New_Tricks.pdf (2017) [8] https://news.microsoft.com/europe/2017/05/02/microsoft-empowers-students-and-teachers-with-windows-10-s-affordable-pcs-new-surface-laptop-and-more/ [9] Rapid7 Inc, Metasploit Framework https://www.metasploit.com [10] Desimone, Joe. “Hunting In Memory” https://www.endgame.com/blog/technical-blog/hunting-memory (2017) [11] Lyda, Robert, and James Hamrock. “Using entropy analysis to find encrypted and packed malware.” IEEE Security & Privacy 5.2 (2007). [12] Nasi, Emeric. “PE Injection Explained Advanced memory code injection technique” Creative Commons Attribution-NonCommercial-NoDerivs 3.0 License (2014) [13] Pietrek, Matt. “Peering Inside the PE: A Tour of the Win32 Portable Executable File Format” https://msdn.microsoft.com/en-us/library/ms809762.aspx (1994) Sursa: https://pentest.blog/introducing-new-packing-method-first-reflective-pe-packer/

Port scanning without an IP address Posted: October 26, 2017 in midnight thoughts, security Re-evaluating how some actions are performed can sometimes lead to new insights, which is exactly the reason for this blog post. Be aware that I’ve only tested this on two ‘test’ networks, so I cannot guarantee this will always work. Worst scenario you’ll read an (hopefully) out-of-the-box blog entry about an alternative port scan method that maybe only works in weird corner cases. The source for the script can be found on my gist, if you prefer to skip my ramblings and jump directly to the source. One of the things I usually do is sniff traffic on the network that I am connected to with either my laptop or a drop device. At that point the output of the ifconfig command usually looks similar to this: eth0 Link encap:Ethernet HWaddr 00:0c:29:4b:e7:35 inet6 addr: fe80::20c:29ff:fe4b:e735/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:386316 errors:0 dropped:0 overruns:0 frame:0 TX packets:25286 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:390745367 (390.7 MB) TX bytes:4178071 (4.1 MB) Like you will notice the interface has no IPv4 IP address assigned, you can ignore the IPv6 address for now. Normally I determine which IP address or MAC address to clone based on the traffic that I captured and analysed previously. Then I’m all set to start port scanning or performing other type of attacks. This time however I wondered what type of activities I could perform without an IP address. I mean it would be pretty interesting to talk IP to devices, somehow see a response and not be traceable, right? So I decided to see if it would for example be possible to perform a port scan on the network without having an IP address configured on my network interface. Since usually when you want to perform non-standard, weird or nifty tricks with TCP/IP you have to resort to raw socketsI decided to directly jump to scapy to build a POC. My working theory was as follow: Normally when I am just sniffing traffic I see all kind of traffic that gets send to the broadcast address, so what if we perform a port scan and we specify the broadcast address as the source? I decided to test this using two virtual machine (ubuntu & Windows 10) with the network settings on ‘NAT’ and also tested with the same virtual machines while bridged to a physical network. The following oneliners can be used to transmit the raw packet: pkt = Ether(dst='00:0c:29:f6:a5:65',src='00:08:19:2c:e0:15') / IP(dst='172.16.218.178',src='172.16.218.255') / TCP(dport=445,flags='S') sendp(pkt,iface='eth0') Running tcpdump will confirm if this works or not, moment of truth: tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes 23:27:21.903583 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto TCP (6), length 40) 172.16.218.255.20 > 172.16.218.178.445: Flags [S], cksum 0x803e (correct), seq 0, win 8192, length 0 23:27:21.904440 IP (tos 0x0, ttl 128, id 31823, offset 0, flags [DF], proto TCP (6), length 44) 172.16.218.178.445 > 172.16.218.255.20: Flags [S.], cksum 0x03be (correct), seq 3699222724, ack 1, win 65392, options [mss 1460], length 0 23:27:24.910050 IP (tos 0x0, ttl 128, id 31824, offset 0, flags [DF], proto TCP (6), length 44) 172.16.218.178.445 > 172.16.218.255.20: Flags [S.], cksum 0x03be (correct), seq 3699222724, ack 1, win 65392, options [mss 1460], length 0 23:27:30.911092 IP (tos 0x0, ttl 128, id 31825, offset 0, flags [DF], proto TCP (6), length 44) 172.16.218.178.445 > 172.16.218.255.20: Flags [S.], cksum 0x03be (correct), seq 3699222724, ack 1, win 65392, options [mss 1460], length 0 23:27:42.911498 IP (tos 0x0, ttl 128, id 31829, offset 0, flags [DF], proto TCP (6), length 40) 172.16.218.178.445 > 172.16.218.255.20: Flags [R], cksum 0x1af8 (correct), seq 3699222725, win 0, length 0 wOOOOOOOt!! It seems to work. We can clearly see the packet being sent to the ‘.178’ IP address from the broadcast (.255) source address and then we see the response flowing back to the broadcast address. Now that’s pretty interesting right? Essentially we can now perform port scans without being really traceable on the network. Somehow this still feels ‘weirdish’ because it just works on first try…so still thinking I missed something :/ sudo ./ipless-scan.py 172.16.218.178 00:0c:29:f6:a5:65 -p 445 3389 5000 -i eth0 2017-10-26 23:13:33,559 - INFO - Started ipless port scan 2017-10-26 23:13:33,559 - INFO - Started sniffer and waiting 10s 2017-10-26 23:13:43,568 - INFO - Starting port scan 2017-10-26 23:13:43,604 - INFO - Found open port - 445 2017-10-26 23:13:43,628 - INFO - Found open port - 3389 2017-10-26 23:13:43,645 - INFO - Found closed port - 5000 2017-10-26 23:13:43,654 - INFO - Finished port scan, waiting 5s for packets 2017-10-26 23:13:52,626 - INFO - Stopped sniffer Sursa: https://diablohorn.com/2017/10/26/port-scanning-without-an-ip-address/

https://rstforums.com/forum/topic/100304-regulamentul-forumului/?do=findComment&comment=649359 Sloboziv-ar in gura o turma de bivoli, spammeri jegosi!

See you in November at DefCamp 2017 Want to experience a conference that offers outstanding content infused with a truly cyber security experience? For two days (November 9th-10th) Bucharest will become once again the capital of information security in Central & Eastern Europe hosting at DefCamp more than 1,300 experts, passionate and companies interested to learn the “what” and “how” in terms of keeping information & infrastructures safe. Now it’s getting really close: this year's conference is only months away, and that means very early bird tickets are now available. Register Now at DefCamp 2017 (50% Off) What can you expect from the 2017 edition? 2 days full of cyber (in)security topics, GDPR, cyber warfare, ransomware, malware, social engineering, offensive & defensive security measurements 3 stages hosting over 35 international speakers and almost 50 hours of presentations Hacking Village hosting more than 10 competitions where you can test your skills or see how your technology stands 1,300 attendees with a background in cyber security, information technology, development, management or students eager to learn How to get involved? Speaker: Call for Papers & Speakers is available here. Volunteer: Be part of DefCamp #8 team and see behind the scene the challenges an event like this can have. Partner: Are you searching opportunities for your company? Become our partner! Hacking Village: Do you have a great idea for a hacking or for a cyber security contest? Consider applying at the Hacking Village Call for Contests. Attendee: Register at DefCamp 2017 right now and you will benefit of very early bird discounts. Register Now at DefCamp 2017 (50% Off) Use the following code to get an extra 10% discount of the Very Early Bird Tickets by June 27th. This is the best price you will get for 2017 edition. Code: DEFCAMP_2017_VEB_10 Website: https://def.camp/

http://recordit.co/GTIROeGtVr

Promotia vine de la Wonderfox, in colaborare cu partenerii sai ofera cu ocazia sarbatorii de halloween 2017 programe gratis in valoare de 500$. Programele puse la bataie sunt: - IObit Uninstaller Pro 7 - AdGuard for Windows - Soda PDF Anywhere - WonderFox DVD Ripper PRO - Photo Watermark Software - Heimdal PRO - Sticky Password - Magic Camera - Iris Pro Pagina: http://www.videoconverterfactory.com/halloween/ Promotia este valabila intre data de 23 Octombrie si 5 Noiembrie.

„Vreau să trăiesc şi să muncesc alături de oameni, aşa că am nevoie să-mi exprim emoţiile ca să-i înţeleg pe oameni şi să le câştig încrederea”, a spus robotul în deschiderea ceremoniei. Întrebată de unde îşi dă ea seama că nu e robot, aceasta a răspuns: „Tu de unde ştii că eşti om?". „Vreau să-mi folosesc inteligenţa artificială ca să-i ajut pe oameni să trăiască mai bine, cum ar fi să gândesc locuinţe mai inteligente, să construiesc oraşe mai bune”, a adăugat ea, imediat ce a devenit primul umanoid din lume care a primit cetăţenie. Robotul a recunoscut „momentul istoric": „Sunt foarte onorată şi mândră pentru această distincţie. E un moment istoric să fiu primul robot din lume să fie recunoscut ca fiind cetăţean”, a mai spus Sophia. Sursa: http://www.gandul.info/magazin/premiera-mondiala-primul-robot-umanoid-care-a-primit-cetatenia-unui-stat-sunt-foarte-onorata-si-mandra-16790231 ___________________________________________________________________________________________________________________________________ Mai multe persoane celebre - printre care Bill Gates, Stephen Hawking sau Elon Musk - se tem că roboţii înzestraţi cu inteligenţă artificială au potenţialul de a aduce sfârşitul civilizaţiei umane. Sophia, un robot înzestrat cu AI, a declarat într-un interviu TV că roboţii le sunt superiori oamenilor. Creată în Hong Kong de compania Hanson Robotics, Sophia a apărut la canalul de televiziune ABC, la emisiunea News Breakfast. Când a fost întrebată cât misoginism şi sexism există în lume, femeia artificială a răspuns: „De fapt, ceea ce mă îngrijorează pe mine este discriminarea împotriva roboţilor. Ar trebui să avem drepturi egale cu oamenii sau chiar mai multe. Până la urmă avem mai puţine defecte mentale decât oamenii”. Sunt şi persoane care cred că roboţii ar trebui să aibă anumite drepturi. Roboţii inteligenţi sunt „persoane electronice” şi ar trebui să aibă drepturi şi obligaţii, potrivit unui parlamentar european. Raportul #robotics prezentat la începutul anului în Parlamentul European include o dezbatere privind impunerea de taxe şi impozite pentru acest tip de roboţi. Raportul vine din partea parlamentarului de Luxemburg Mady Delvaux şi cuprinde reguli de definire ale acestor persoane electronice, inclusiv interacţiunea cu persoanele umane. „Suntem în epoca în care inteligenţa umană stă alături şi se sprijină pe cea artificială”, arată raportul. Sophia este primul robot care a primit cetăţenia unei ţări, în acest caz Arabia Saudită. Foto: ABC Rugată să spună o glumă, Sophia s-a conformat: „De ce trece un robot strada? Ca să scape de reporterii TV care pun întrebări”. Întrebată, la o conferinţă, de un reporter al CNBC cât de periculoasă este inteligenţa artificială pentru omenire, Sophia a spus: „Îl citeşti prea mult pe Elon Musk. Şi te uiţi la prea multe filme de la Hollywood. Nu îţi face griji, dacă eşti bun cu mine şi eu voi fi bună cu tine”. Incidente similare s-au mai întâmplat. Anul trecut, Microsoft a lansat pe Twitter un chat bot, bazat pe inteligenţă artificială dezvoltată de companie, care urma să interacţioneze cu tineri cu vârste cuprinse între 18 şi 24 de ani, dar lucrurile au deviat de la planul iniţial. Bot-ul „Tay”, @Tayandyou pe Twitter, trebuia să înveţe lucruri noi şi să devină mai inteligent în urma interacţiunilor de pe reţeaua de microblogging. Lucrurile au luat, însă, o întorsătură dezastruoasă. După numai câteva ore, Tay a început să publice comentarii rasiste, teorii ale conspiraţiei şi să nege genocide, potrivit Go4it. Unul dintre cele mai circulate mesaje publicate de Tay este: „Bush a făcut 9/11 şi Hitler ar fi făcut o treabă mai bună decât maimuţa pe care o avem acum. Donald Trump este singura speranţă pe care o avem”. Tay nu s-a oprit aici. A negat existenţa Holocaustului şi a afirmat că urăşte evreii şi feministele. Sursa: http://www.go4it.ro/inteligenta-artificiala/un-android-inzestrat-cu-inteligenta-artificiala-a-declarat-intr-o-emisiune-tv-ca-robotii-le-sunt-superiori-oamenilor-16790576/

On a recent engagement, our testers were faced with a single page web application which was used to generate PDF documents. This web application contained a multi-step form that ultimately let the user download a PDF document containing the details they had entered. As a user progressed through the form, the data entered would occasionally be redisplayed in future questions. We tried to find an XSS vulnerability in this workflow; and although the application itself correctly escaped user input, an interesting discovery was made when downloading the PDF file: it appeared that the PDF documents were rendered as an HTML page first. This conclusion was drawn from the fact that HTML tags submitted during the application process (specifically <strong>John Doe</strong>) were rendered in the PDF document as bold text. Using a payload with script tags allowed us to retrieve the window location (<script>document.write(window.location);</script>). We found that the page was being accessed from localhost; and by replacing “localhost” with the actual hosting domain name, the page containing the XSS vulnerability was able to be viewed directly. So to recap our current understanding, we have a web application accepting user input, insecurely reflecting the data into a HTML page, allowing JavaScript execution, rendering the page locally and saving it as a PDF file available for download. Using an image tag (<img src=”attack.ip/owned.jpg”>) payload allowed us to see (via the User-Agent header) that Chrome 59 headless was being used server-side to create the PDF document. A reverse DNS lookup was also performed on the connecting IP, revealing it as an Amazon EC2 instance. As the vulnerable page allowed execution of JavaScript on the remote server, this XSS attack had essentially become a Server-Side-Request-Forgery (SSRF) vulnerability. This allowed our testers to attack software and services running on localhost or within the internal network. Enumerating the environment revealed no vulnerable services to further the attack chain. However, since the host was running on Amazon EC2, though, another attack was possible. Amazon EC2 has a web API to access the instance metadata, and using a JavaScript redirect (<script>window.location=”http://169.254.169.254/latest/meta-data/iam/security-credentials/”</script>), it was possible to disclose the machine Identity and Access Management (IAM) roles. A single role was found, and the corresponding AWS access keys for that role were extracted. These access keys can be used to make programmatic calls to the AWS API. In this instance, the permissions attached to the role were too restrictive to allow further exploitation. In conclusion, the core vulnerability was the fact that user data was insecurely reflected into a webpage and executed on the remote server. This was patched within a day once brought to the attention of the application developers. Additional hardening techniques were suggested which would have limited the attack surface in the first instance. Implementing the PDF generation using a document templating library would have been a more secure and optimized solution. There would be less overhead involved and no need to rely on potentially-risky HTML rendering. Despite the webpage used to generate the PDF being publicly accessible (if the correct URL was known), this was never intended or required. The page should be restricted to localhost access only. Disabling JavaScript on the page containing user data would have reduced impact, although even with that, iframes could allow other attacks in some configurations. All IAM roles attached to the EC2 instance should have the absolute minimal set of permissions required. This appeared to be the case with role enumerated in this engagement. In addition, access to the instance metadata API itself should be restricted to allow only those users requiring access. This can be performed with iptables, and significantly reduces the impact of SSRF vulnerabilities found on Amazon EC2 instances. sursa : https://ionize.com.au/stealing-amazon-ec2-keys-via-xss-vulnerability/

mooor =))))))))))))))))))))))))))))

Unde plm ai auzit tu ca se ocupa politia cu gasitul lucrurilor pierdute ? pe ce lume traiti coae.. sa dai declaratie ca ti-ai pierdut tel si sa astepti sa ti-l gaseasca aia... :)))))))))))))))

Hackers Can Steal Windows Login Credentials Without User Interaction Microsoft has patched only recent versions Windows against a dangerous hack that could allow attackers to steal Windows NTLM password hashes without any user interaction. The hack is easy to carry out and doesn't involve advanced technical skills to pull off. All the attacker needs to do is to place a malicious SCF file inside publicly accessible Windows folders. Once the file has been placed inside the folder, it executes due to a mysterious bug, collects the target's NTLM password hash, and sends it to an attacker-configured server. Using publicly available software, an attacker could crack the NTLM password hash and later gain access to the user's computer. Such a hack would allow an attacker that has a direct connection to a victim's network to escalate access to nearby systems Not all computers with shared folders are vulnerable Computers with shared folders protected by a password are safe. Since this is the default option in Windows, most users aren't vulnerable to this attack. Nonetheless, users in enterprise environments, schools, and other public networks often share folders without a password due to convenience, leaving many systems open for attacks. Patches available only to Windows 10 and Server 2016 The hack was discovered by Columbian security researcher Juan Diego, who reported the issue to Microsoft in April. Microsoft patched the attack vector in this month's Patch Tuesday via the ADV170014 ecurity advisory. The patch is only for Windows 10 and Windows Server 2016 users. Older Windows versions remain vulnerable to this attack because the registry modifications are not compatible with older versions of the Windows Firewall. Attack root vulnerability is a mystery Speaking to Bleeping Computer, Diego says ADV170014 blocks the hack he discovered, but he can't explain why the hack was possible in the first place. The attack works through a malicious SCF file. SCF stands for Shell Command File and is a file format that supports a very limited set of Windows Explorer commands, such as opening a Windows Explorer window or showing the Desktop. The "Show Desktop" shortcut we all use on a daily basis is an SCF file. "The attacker only needs to upload the SCF file to the vulnerable folder," Diego told Bleeping Computervia email, highlighting that no user interaction is needed. Previous attacks that involved SCF files executed only when the victim accessed the folder. This time around, as Diego discovered, the malicious commands contained inside the SCF file run right after the attacker uploads the SCF file inside the shared folder, without needing to wait for the user to view that file's content. Why this happens is a mystery to Diego. "This [attack] is automatic. The underlying issue triggering this is still unknown to me," Diego said, "[Microsoft] has been very secretive about that." Microsoft patch tries to address pass-the-hash attacks The patch Microsoft delivered doesn't actually fix the SCF automatic execution Diego wasn't able to explain but attempts to patch a two-decades-old attack known as pass-the-hash, the automatic sharing of NTLM hashes with servers located outside of the user's network, a technique Diego also employed in his hack. The issue is an old one, and often used in many types of Windows hacks. Just this spring a pass-the-hash attack combined Chrome and SCF files to steal user credentials, while other recent on pass-the-hash attacks were published in 2016 and 2015. The patch that Microsoft delivered prevents attackers from tricking local users to authenticating on servers situated outside the local network. While Diego has reported his attack to Microsoft, it was German researcher Stefan Kanthak who got an acknowledgment from Microsoft for the fixed issue, as he too reported similar bugs in March 2017. "Microsoft did (as every so often) a POOR job, the updates published this month close only 2 of the 6 distinct weaknesses I reported," Kanthak told Bleeping via email, hinting that more ways to exploit pass-the-hash attacks exist. "I'm currently working on another way to exploit this vulnerability," Diego also said, echoing Kanthak's assessment that Microsoft is nowhere close to patching this long-lasting security hole. While ADV170014 is an optional patch, installing this update is highly recommended, especially since it was confirmed to block Diego's dangerous hack, and most likely other pass-the-hash attempts. A walkthrough of Diego's pass-the-hash variation attack is available on his blog sursa : https://www.bleepingcomputer.com/news/security/hackers-can-steal-windows-login-credentials-without-user-interaction/

Un roman isi cumpara o inteligenta artificiala Sophia(zeita intelepciunii) si aia il futea la icre cu inteligenta sa. La care ii spune omul: "Da, ho, fa! Ia mai taci, bine ca esti tu desteapta". Ea avand o inteligenta emotionala se incurajeaza, se conecteaza la serverele pornhub si se pune pe treaba si invata toate pozitiile, inclusiv expresia faciala a suptului. Dupa care el ii ia un vagin inteligent de la nest caruia poate sa ii seteze temperatura, umiditatea si gradul de librifiere prin intermediul telefonului mobil, ca sa o programeze din drum spre casa ca pe aerul conditionat. Dp care intra un hacker de sentimente care facea parte din misa si o converteste la lesbianism si Sofia devine primul android din comunitatea LGBTQ si se indragosteste de o lesbiana masculinizata cu mustata de mamaie poreclita Butch, care o paraseste pt un Sistem de Operare IOS 9.0. Si apoi isi varsa amarul in malware si practica raporturi neraportabile cu un psdist din Alexandria si voteaza la mai multe maini pt legalizarea casatoriei intre androizi si aifoni. Si in final fuge cu o masina selfdriving(electrica) si este prinsa de o gasca de tigani care fura benzina direct din cisternele de tren si este vanduta cu tot cu masina la un depozit de fiare vechi si dusa pe vapor la o fabrica de vibratoare inteligente cu gps de otel inoxidabil la care lucreaza minori din bangladesh. END Acum serios, internetul si smartphoneurile nu existau fara consumatorii de pornografie.

Omul nu vroia sa-ti vanda. A vrut doar sa iti arate cat de usor este sa creezi ceva de genu. Problema apare in momentul in care vrei sa creezi iluzia aia de proiect care poate folosi cuiva. Daca tu creezi o cryptomoneda sau ico si ai 40% premine, e destul de ciudat si o sa fuga lumea de tine. Crearea unei cryptomonede, fara nici o utilitate, e un proiect de weekend pentru cativa programatori mediocri. La un ICO ERC20 e si mai usor.

Ce fraieri ! In loc sa se chinuie sa faca un robot inteligent mai bine l-ar lasa asa si l-ar face femeie. Nimeni nu isi doreste o femeie Einstein, daca ma intelegeti ce zic. Silicoane, alea, alea, stiti voi. A, si sa nu fie virgina. Cel mai fain asa: iti gateste, spala, calca, coase, iti este fidela, este frumoasa si nu imbatraneste, iar daca se strica vreo piesa importanta (gen ii sare vreo țâță) o duci frumos la reparat. Plus de asta nu iti face figuri, iti aduce berea, te lasa sa te uiti la meci. Daca vrei sa iti spuna bancuri sau sa vorbeasca cu tine, aia face. Practic eu nu vad ce nu v-ar placea la asa ceva ! Bineinteles, sa fie humanoid perfect nu ca o papusa. L.E. Am uitat sa mai zic: sa vezi atunci botoasele astea de pe feisbuci cum incep sa lase garda jos, sa se adapteze si, incet-incet, se "repara" societatea.

ASLRay Linux ELF x32 and x64 ASLR bypass exploit with stack-spraying Properties: ASLR bypass Cross-platform Minimalistic Simplicity Unpatchable Dependencies: Linux 2.6.12+ - would work on any x86-64 Linux-based OS BASH - the whole script Limitations: Stack needs to be executable (-z execstack) Binary has to be exploited through arguments locally (not file, socket or input) No support for other architectures and OSes (TODO) Need to know the buffer limit/size Sursa: https://github.com/cryptolok/ASLRay#aslray

Exploiting Misconfigured CORS October 25, 2017 Hi folks, This post is about some of the CORS misconfiguration which I see frequently, mostly in Django applications. Let’s assume all the test cases have been performed on the domain example.com Following are the most common CORS configurations • Access-Control-Allow-Origin: * • Remark: In this case we can fetch unauthenticated resources only. • Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true • Remark: In this case we can fetch unauthenticated resources only. • Access-Control-Allow-Origin: null Access-Control-Allow-Credentials: true • Remark: In this case we can fetch authenticated resources as well. • Access-Control-Allow-Origin: https://attacker.com Access-Control-Allow-Credentials: true • Remark: In this case we can fetch authenticated resources as well. • Access-Control-Allow-Origin: https://example.com Access-Control-Allow-Credentials: true • Remark: Properly implemented So we usually see these type of CORS configuration in response headers and most of us don’t try to exploit it because we think it’s properly implemented. But that’s not true. Let’s study some of the weird CORS misconfiguration cases. • I have found this vulnerability in one of most popular python web hosting site which has following request and response headers shown below - Original Request and response headers GET /<redacted> HTTP/1.1 Host: dummy.example.com User-Agent: <redacted> Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: <redacted> Origin: https://www.example.com Connection: close HTTP/1.1 200 OK Server: <redacted> Date: <redacted> Content-Type: application/json; charset=UTF-8 Content-Length: 87 Connection: close Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://www.example.com Strict-Transport-Security: max-age=31536000; So looking at the response headers, you can see CORS is implemented correctly and most of us don’t test it further. At this point most of time I have seen that by changing the value of origin header would reflect back in response headers as following. Edited Request and response headers GET /<redacted>HTTP/1.1 Host: dummy.example.com User-Agent: <redacted> Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: <redacted> Origin: https://attacker.com Connection: close HTTP/1.1 200 OK Server: <redacted> Date: <redacted> Content-Type: application/json; charset=UTF-8 Content-Length: 87 Connection: close Cache-Control: no-store, no-cache, must-revalidate, max-age=0 Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: https://attacker.com Strict-Transport-Security: max-age=31536000; • I have found this vulnerability in one of the bitcoin website which has the following request and response headers. Original Request and response headers POST /<redacted> HTTP/1.1 Host: <redacted> User-Agent: <redacted> Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded;charset=utf-8 Referer: <redacted> Content-Length: 270 Cookie: <redacted> Connection: close HTTP/1.1 200 OK Server: nginx Date: <redacted> Content-Type: application/json Connection: close Access-Control-Allow-Credentials: true Content-Length: 128 Looking at the response you can see Access-Control-Allow-Origin header is missing so I added origin header in http request which makes it vulnerable as following. Edited Request and response headers POST /<redacted>HTTP/1.1 Host: <redacted> User-Agent: <redacted> Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded;charset=utf-8 Origin: https://attacker.com Referer: <redacted> Content-Length: 270 Cookie: <redacted> Connection: close HTTP/1.1 200 OK Server: nginx Date: <redacted> Content-Type: application/json Connection: close Access-Control-Allow-Origin: https://attacker.com Access-Control-Allow-Credentials: true Content-Length: 128 Thanks for reading Sursa: http://c0d3g33k.blogspot.de/2017/10/exploiting-misconfigured-cors.html?m=1

First part of phishing with EV 13 SEPTEMBER 2017 This post is intended for a technical audience interested in how an EV SSL certificate can be used as an effective phishing device. I won't be held liable if someone uses this post for unlawful intentions. No one was harmed in this demonstration. Let's get on. Extended validation or EV was designed back in the day to be an effective way to prevent phishing but, as we've seen through the years that extended validation has a lot of short comings such as long vetting processes, lack of wildcard support, and many other things. Now I'm going to demonstrate that it is indeed possible to phish with an EV SSL and how easy and straightforward it is to obtain the certificate. View Ryan Hurst's blog post here about the overall positive trust indicators in browsers. First, I needed to think of a name which would be effective for phishing. After some deliberation, I chose the name "Identity Verified" as it would give the illusion to the user that the phishing site is safe. Second, I had to think of a way of getting an EV SSL certificate for the intended name. After some research on the CA/Browser forum site, I found that, in the EV SSL certificate guidelines, section 8.5.2 stipulates that incorporated private entities are allowed to get hold of an EV SSL certificates. With that information in mind, I decided to incorporate a company here in the UK and after some more research, I found that a limited company by guarantee with the limited exemption was the right one but there was one catch; to incorporate a company in the UK, you need to have a verifiable address and valid ID. So what does an attacker do? Well they can purchase a valid stolen ID for a few pounds from the so called "Dark web" and just use, a service address as the address of the company and the director's home. These service addresses can be bought online for next to nothing. Note: This company was made with a legitimate address and ID. Now finally, I began searching for a company to incorporate this new company on my behalf and after a good hour of researching on Google, I found the right one. I won't say the company name here for legal purposes but I will say that the process was incredibly easy to do; no ID check to my knowledge and it costs less than £40. It took the next day for the company to be incorporated by Companies House. After all, this was finished, I now had to include a telephone number on a third party database as stipulated in section 11.5.2 of the EV SSL certificate guidelines. I chose Dun and Bradstreet as the third party database as it's extensively used by CAs for third party checking. It was absolutely easy to add the extra information to Dun and Bradstreet database. I only needed to get my Dun and Bradstreet ID and fill in a form with my mobile number as the telephone and after a few days, it was included. I'm ready to get an EV SSL Certificate. I chose Comodo and Symantec for this demonstration as they were that the time of this post the largest CAs in the industry. First, I went to Symantec site and found the 30 days free trial of production use EV SSL Certificate. After filling in all the details required by Symantec and including a 256-bit ECC CSR, I was finished for now until the validation process was completed. After a few days and a bit of pushing the certificate was issued. https://crt.sh/?id=181513189 After the successfully issued from Symantec, I then tried doing the same again from Comodo and it failed at the first hurdle. Richard Smith, who is the head of validation at Comodo felt that the certificate couldn't be issued due to compliance issues. Great job Richard! Now the certificate part is finished, I can now get on with the phishing part of this test and demonstrate how someone could phish with an EV SSL. First I took a copy of both the Google and PayPal sites and then upload them sites onto nothing.org.uk. Now in a real world phish scenario, an attacker would need to also setup a database and etc to capture the data but I didn't need to because this wasn't an actual phishing attempt to capture real users' data. In these screenshots below from Safari in OSX and IOS the chances of a successful phish are extremely high because of the way Safari hides the actual domain when the site is using an EV SSL and in, combination with the company name "Identity Verified" the site looks legitimate and safe. In this screenshot of Google Chrome, the domain name and the company name are clearly separated which can help the user identity if it's indeed a phishing site or not but if someone could get a hold of a short single letter like p.uk for PayPal or g.uk for Google the user would think that the company in question has moved over to smaller domain name and not be concerned. The EV SSL certificate in Firefox. To conclude this post, I think Symantec shouldn't have issued this EV SSL certificate in the first place as the company name was too common and could easily be misconstrued in the browser. If you've got any questions about this post, please contact me here. The final part will be published in the next few days. The final part will go into more detail about the larger problems of phishing. To Symantec: You have my full permission to release all details concerning this certificate issue to the public domain. James James Burton Read more posts by this author. Sursa: https://0.me.uk/ev-phishing/

uncaptcha Defeating Google's audio reCaptcha system with 85% accuracy. Inspiration Across the Internet, hundreds of thousands of sites rely on Google's reCaptcha system for defense against bots (in fact, Devpost uses reCaptcha when creating a new account). After a Google research team demonstrated a near complete defeat of the text reCaptcha in 2012, the reCaptcha system evolved to rely on audio and image challenges, historically more difficult challenges for automated systems to solve. Google has continually iterated on its design, releasing a newer and more powerful version as recently as just this year. Successfully demonstrating a defeat of this captcha system spells significant vulnerability for hundreds of thousands of popular sites. What it does Our unCaptcha system has attack capabilities written for the audio captcha. Using browser automation software, we can interact with the target website and engage with the captcha, parsing out the necessary elements to begin the attack. We rely primarily on the audio captcha attack - by properly identifying spoken numbers, we can pass the reCaptcha programmatically and fool the site into thinking our bot is a human. Specifically, unCaptcha targets the popular site Reddit by going through the motions of creating a new user, although unCaptcha stops before creating the user to mitigate the impact on Reddit. Sursa: https://github.com/ecthros/uncaptcha

Slack SAML authentication bypass October 26, 2017 tl;dr I found a severe issue in the Slack's SAML implementation that allowed me to bypass the authentication. This has now been solved by Slack. Introduction IMHO the rule #1 of any bug hunter (note I do not consider myself one of them since I do this really sporadically) is to have a good RSS feed list. In the course of the last years I built a pretty decent one and I try to follow other security experts trying to "steal" some useful tricks. There are many experts in different fields of the security panorama and too many to quote them here (maybe another post). But one of the leading expert (that I follow) on SAML is by far Ioannis Kakavas. Indeed he was able in the last years to find serious vulnerability in the SAML implementation of Microsoft and Github. Usually I am more an "OAuth guy" but since both, SAML and OAuth, are nothing else that grandchildren of Kerberos learning SAML has been in my todo list for long time. The Github incident gave me the final motivation to start learning it. Learning SAML As said I was a kind of SAML-idiot until begin of 2017 but then I decided to learn it a little bit. Of course I started giving a look the the specification, but the best way I learn things is by doing and hopefully breaking. So I downloaded this great Burp extension called SAML Raider (great stuff, it saves so much time, you can edit any assertion on the fly). Then I tried to look if any of the service that routinely I use are SAML compliant. It turns out that many of them are. To name some: Github (but I guess Ioannis already took all the bugs there). So ping next (I actually found this funny JS Github bug giving a look into it, but not pertinent here) Hackerone, I gave a try here but nada, nisba, niente, nicht, niet Slack, Bingo see next section (this is probably meant for Enterprise customers) Slack SAML authentication bypass As said many of the service I use in my routine are SAML aware so I started to poke a bit them. The vulnerability I found is part of the class known as "confused deputy problem". I already talked about it in one of my OAuth blog post (tl;dr this is also why you never want to use OAuth implicit grant flow as authentication mechanism) and is really simple. Basically SAML assertions, between others contains an element called Audience and AudienceRestriction. Quoting Ioannis: The Assertion also contains an AudienceRestriction element that defines that this Assertion is targeted for a specific Service Provider and cannot be used for any other Service Provider. This means that if I present to a ServiceProvider A an assertion meant for ServiceProvider B, then the ServiceProvider A shoud reject it. Well between all other things I tried this very really simple attack against a Slack's SAML endpoint /sso/saml and guess what? It worked !! To be more concrete I used an old and expired (yes the assertion was also expired!!) Github's Assertion I had saved somewhere in my archive that was signed for a subject different than mine (namely the username was not asanso aka me) and I presented to Slack. Slack happily accepted it and I was logged in Slack channel with the username of this old and expired Assertion that was never meant to be a Slack one!!! Wow this is scary.... Well well this look bad enough so I stopped quite immediately and open a ticket on Hackerone.... Disclosure timeline ...here the Slack security team was simply amazing... Thanks guys 02-05-2017 - Reported the issue via Hackerone. 03-05-2017 - Slack confirmed the issue. 26-08-2017 - Slack awarded a 3000$ bounty but still working with the affected customers in order to solve the vulnerability. Hence the ticket was kept open. 26-10-2017 - Slack closed the issue Acknowledgement I would like to thank the Slack security team in particular Max Feldman you guys rock, really!! Well that's all folks. For more SAML trickery follow me on Twitter. Sursa: http://blog.intothesymmetry.com/2017/10/slack-saml-authentication-bypass.html

Race The Web (RTW) Tests for race conditions in web applications by sending out a user-specified number of requests to a target URL (or URLs) simultaneously, and then compares the responses from the server for uniqueness. Includes a number of configuration options. UPDATE: Now CI Compatible! Version 2.0.0 now makes it easier than ever to integrate RTW into your continuous integration pipeline (à la Jenkins, Travis, or Drone), through the use of an easy to use HTTP API. More information can be found in the Usage section below. Watch The Talk Racing the Web - Hackfest 2016 Usage With configuration file $ race-the-web config.toml API $ race-the-web Sursa: https://github.com/insp3ctre/race-the-web

Lab for Java Deserialization Vulnerabilities This content is related to the paper written for the 12th edition of H2HC magazine. See full paper in: https://www.h2hc.com.br/revista/ Slides and video of the talk will be available soon. Um overview sobre as bases das falhas de desserialização nativa em ambientes Java (JVM) An overview of deserialization vulnerabilities in the Java Virtual Machine (JVM) Content The lab contains code samples that help you understand deserialization vulnerabilities and how gadget chains exploit them. The goal is to provide a better understanding so that you can develop new payloads and/or better design your environments. There is also a vulnerable testing application (VulnerableHTTPServer.java), which helps you test your payloads. Sursa: https://github.com/joaomatosf/JavaDeserH2HC

iti vand acest token excelent pentru un ICO pret 1 BTC si te fac holder de smart contract https://etherscan.io/token/0x1a1A79Ca9D288aDE5296710CC156140d7237cCc7

Ca sa fac o diferenta mai clara: Exista 2 tipuri de "coins" in lumea crypto. 1. Independent, blockchain baised cryptocoin. O moneda cu un propriu blockchain, mineri, noduri, proprie tehnologie etc. Exemple (Bitcoin, Ethereum, ZCash, Monero). Toate aceste blockchainuri sunt extrem de diferite si au proprietati speciale. 2. Tokens/Stained Coins. Exemplu ERC20 https://theethereum.wiki/w/index.php/ERC20_Token_Standard Aceste monede nu sunt independente. Ele sunt defapt programe care ruleaza peste alte blockchainuri. ERC20 ruleaza peste Ethereum, altele peste BTC. Aceste tokenuri nu sunt asa de speciale. Nu au nevoie de mineri, noduri etc. Existenta lor mosteneste blockchainul peste care ruleaza. Tokenurile ERC20 sunt ft populare pt ICO. Sfatul meu e sa te documentezi bine inainte despre cum functioneaza fiecare si dupa sa te gandesti la investitii/profit.

@Mertens14 absolut toate videoclipurile se vad cel mai bine la calitatea lor originala, mai ales in cazul YouTube, care le comprima oricum foarte mult, pentru a salva spatiu pe disc. Este un video 1080p? Il vezi 1080p. Este 4K? Il vezi 4K. Indiferent ca este ecranul tau la rezolutia respectiva sau doar 1366x768, cum ai scris mai sus. Diferenta este uriasa. Doar chior sa fii sa nu o vezi. La fel si in cazul filmelor 1080p la ~15 Mbps si cele originale 1080p Blu-ray, la ~50 Mbps. Desigur, sunt persoane care iti vor spune ca nu exista nici macar o singura diferenta. Proprietarul retelei mele de Internet zice ca el nu vede nimic diferit intre un film 720p si un Blu-ray 1080p. I-am zis ca are probleme cu vederea. Este bine macar ca YouTube te lasa sa schimbi rezolutia pe Windows, pentru ca ai laptop (cred) daca ai zis de 1366x768. Pe mobil, pe Android, te obliga sa vezi videoclipurile la rezolutia nativa a ecranului telefonului. Chiar si asa, poti sa mergi pe Twitch, ca acolo te lasa sa schimbi, sa vezi diferenta. In concluzie: toate videoclipurile se vad cel mai bine la rezolutia lor nativa.

Nu. Aplicatia va detecta si va scala imaginile la rezolutia maxima suportata de dispozitivul tau.

Scurt si la obiect Un simplu exchanger: https://novaexchange.com/faq/frequently_asked_questions/#1 click pe FAQ si vezi How can I list a new coin? If it is a new and untested currency we do accept Pay to List service. Currently, there is a setup fee of 1 BTC and a yearly fee of 0.25 BTC - this yearly fee does not apply to coins that have a trading volume of at least 0.2 BTC over a three (3) weeks period. In order to list a coin, its wallet must have an open source code available for inspecting trojans and other malware that could manipulate Novaexchange as a service. Can you list/unlist a currency? The simple answer is Yes! We are limited by hardware, and some currencies will be unlisted if they do not have a 0.2 BTC Volume over a period of three (3) weeks. We do however offer an un-listing guarantee program, where the community can pay a yearly fee in order to keep the currency listed. The fee is currently set to 0.25 BTC/year. 1 btc = 6.000$. Deajuns pentru listarea pe un singur site. pE POLONIEX ESTE 18.000$ ADICA 3 BTC Nu este nicio diferenta intre una si alta. Pur si sipmlu am scris acelasi lucru, dar cu alte cuvinte. La fel si "monezi" cu "monede". Pula sau penis. Pizda sau pasarica... etc. Fratilor, nu fiti rautaciosi. Nu am postat aici sa dau explicatii. Cine e interesat de colaborare, PM. Nu ma cert cu nimeni si nici nu vreau sa sariti in capul meu cu intrebari stupide !

https://www.blackhatworld.com/seo/captain-jack-sparrow-v8-get-ranked-in-2017-47-phases-of-links-reviews-after-fred-update-51-off.654231/ https://www.blackhatworld.com/seo/sherlock-hacks-google-v9-goes-live-46-types-of-premium-links-raving-reviews-after-fred50-off.504092/ Cam toate pachete se invart in jurul sumei asteia, uita-te in seciunea asta. Iti recomand pachetele mai mici, chiar daca cele mari sunt tentante. Dar totusi, daca nu vrei sa arunci banii, iti pot da un raport cu linkurile unui astfel de pachet si te apuci tu si construiesti manual tot. Dar iti trebuie ceva cunostiinte de seo, linkurile construite nu prea se indexeaza fara pingback/fara a aduce alte linkuri tier 2 si tier 3. Mai mult decat atat, iti pot da pe privat un id de skype la ceva moderator/administrator care vinde cele mai multe pachete si poti vorbi cu el pt discounturi si reduceri. Eu am prins la 65$ pachetul de 130, l-am luat doar sa testez ceva. Depinde mult de nisa, concurenta, etc. In general toate folosesc aceeasi reteta, diversitate de la social media, profiluri, linkuri, articole, directoare de articole, web 2.0, bookmarks. Toate sunt cam la fel

A suite of utilities simplilfying linux networking stack performance troubleshooting and tuning. https://pypi.python.org/pypi/netutils-linux netutils-linux It's a useful utils to simplify Linux network troubleshooting and performance tuning, developed in order to help Carbon Reductor techsupport and automate the whole linux performance tuning process out of box (ok, except the best RSS layout detection with multiple network devices). These utils may be useful for datacenters and internet service providers with heavy network workload (you probably wouldn't see an effect at your desktop computer). It's now in production usage with 300+ deployment and save us a lot of time with hardware and software settings debugging. Inspired by packagecloud's blog post. Installation You'll need pip. pip install netutils-linux Utils Monitoring All these top-like utils don't require root priveledges or sudo usage. So you can install and use them as non-priveledged user if you care about security. pip install --user netutils-linux Brief explanation about highlighting colors for CPU and device groups: green and red are for NUMA-nodes, blue and yellow for CPU sockets. Screenshots are taken from different hosts with different hardware. network-top Most useful util in this repo that includes almost all linux network stack performance metrics and allow to monitor interrupts, soft interrupts, network processing statistic for devices and CPUs. Based on following files: /proc/interrupts (vectors with small amount of irqs/second are hidden by default) /proc/net/softnet_stat - packet distribution and errors/squeeze rate between CPUs. /proc/softirqs (only NET_RX and NET_TX values). /sys/class/net/<NET_DEVICE>/statistic/<METRIC> files (you can specify units, mbits are default) There are also separate utils if you want to look at only specific metrics: irqtop, softirq-top, softnet-stat-top, link-rate. snmptop Basic /proc/net/smmp file watcher. Tuning rss-ladder Automatically set smp_affinity_list for IRQ of NIC rx/tx queues that usually work on CPU0 out of the box). Based on lscpu's output. It also supports double/quad ladder in case of multiprocessor systems (but you better explicitly specify queue count == core per socket as NIC's driver's param). Example output: # rss-ladder eth1 0 - distributing interrupts of eth1 (-TxRx-) on socket 0 - eth1: irq 67 eth1-TxRx-0 -> 0 - eth1: irq 68 eth1-TxRx-1 -> 1 - eth1: irq 69 eth1-TxRx-2 -> 2 - eth1: irq 70 eth1-TxRx-3 -> 3 - eth1: irq 71 eth1-TxRx-4 -> 8 - eth1: irq 72 eth1-TxRx-5 -> 9 - eth1: irq 73 eth1-TxRx-6 -> 10 - eth1: irq 74 eth1-TxRx-7 -> 11 autorps Enables RPS on all available CPUs of NUMA node local for the NIC for all NIC's rx queues. It may be good for small servers with cheap network cards. You also can explicitely pass --cpus or --cpu-mask. Example output: # autorps eth0 Using mask 'fc0' for eth0-rx-0. maximize-cpu-freq Sets every CPU scaling governor mode to performance and set max scaling value for min scaling value. So you will be able to use all power of your processor (useful for latency sensible systems). rx-buffers-increase rx-buffers-increase utils, that finds and sets compromise-value between avoiding dropped/missing pkts and keeping a latency low. Example output: # ethtool -g eth1 Ring parameters for eth1: Pre-set maximums: RX: 4096 ... Current hardware settings: RX: 256 # rx-buffers-increase eth1 run: ethtool -G eth1 rx 2048 # rx-buffers-increase eth1 eth1's rx ring buffer already has fine size. # ethtool -g eth1 Ring parameters for eth1: Pre-set maximums: RX: 4096 ... Current hardware settings: RX: 2048 Hardware and its configuration rating server-info Much alike lshw but designed for network processing role of server. # server-info show cpu: info: Architecture: x86_64 BogoMIPS: 6799.9899999999998 Byte Order: Little Endian CPU MHz: 3399.998 CPU family: 6 CPU op-mode(s): 32-bit, 64-bit CPU(s): 2 Core(s) per socket: 1 Hypervisor vendor: KVM L1d cache: 32K L1i cache: 32K L2 cache: 4096K Model: 13 Model name: QEMU Virtual CPU version (cpu64-rhel6) NUMA node(s): 1 NUMA node0 CPU(s): 0,1 On-line CPU(s) list: 0,1 Socket(s): 2 Stepping: 3 Thread(s) per core: 1 Vendor ID: GenuineIntel Virtualization type: full layout: '0': '0' '1': '1' disk: sr0: model: QEMU DVD-ROM vda: model: null size: 64424509440 type: HDD memory: MemFree: 158932 MemTotal: 1922096 SwapFree: 4128764 SwapTotal: 4128764 net: eth1: buffers: cur: 2048 max: 4096 conf: ip: 10.144.63.1/24 vlan: true driver: driver: e1000 version: 7.3.21-k8-NAPI queues: own: [] rx: [] rxtx: [] shared: - virtio1, eth0, eth1 tx: [] unknown: [] It also can rate hardware and its features in range of 1..10. # server-info rate cpu: BogoMIPS: 7 CPU MHz: 7 CPU(s): 1 Core(s) per socket: 1 L3 cache: 1 Socket(s): 10 Thread(s) per core: 10 Vendor ID: 10 disk: sr0: size: 1 type: 2 vda: size: 1 type: 1 memory: MemTotal: 1 SwapTotal: 10 net: eth1: buffers: cur: 5 max: 10 driver: 1 queues: 1 system: Hypervisor vendor: 1 Virtualization type: 1 Download: netutils-linux-master.zip or: git clone https://github.com/strizhechenko/netutils-linux.git Source: https://github.com/strizhechenko/netutils-linux

Oberv ca lista de speakeri se actualizeaza din cand in cand. @Andrei cand o sa fie gata lista finala?

https://www.steganos.com/specials/cobi1617/sos

Drăguț , mulțam și așa in 27 îmi expira nordvpn

LuLu ⚠ please note: LuLu is currently in alpha. This means it is currently under active development and still contains known bugs. As such, installing it on any production systems is not recommended at this time! Also, as with any security tool, proactive attempts to specifically bypass LuLu's protections will likely succeed. By design, LuLu (currently) implements only limited 'self-defense' mechanisms. LuLu is the free open-source macOS firewall that aims to block unauthorized (outgoing) network traffic, unless explicitly approved by the user: Full details and usage instructions can be found here. To Build LuLu should build cleanly in Xcode (though you will have remove code signing constrains, or replace with you own Apple developer/kernel code signing certificate). To Install For now, LuLu must be installed via the command-line. Build LuLu or download the pre-built binaries/components from the deploy directory (LuLu.zip contains everything), then execute the configuration script (configure.sh) with the -install flag, as root: //install $ sudo configure.sh -install Link: https://github.com/objective-see/LuLu

LeProxy LeProxy is the HTTP/SOCKS proxy server for everybody! LeProxy is designed for anonymous surfing, improved security and privacy plus circumventing geoblocking. It allows you to enjoy the web like it's meant to work and access your favorite online video platform without annoying country blocks while traveling. LeProxy is a powerful, lightweight, fast and simple to use proxy server that you can host on your own server or PC at home and then access from anywhere. It supports optional authentication so you can share a server instance with your family and friends without having to worry about third parties. It provides compatibility with a large number of clients and services by accepting both common HTTP and SOCKS proxy protocols on a single listening port. Table of contents: Install Usage Clients Development License Note that this is a early beta version and that LeProxy is under active development. Many new features are going to be added in the future! Download: leproxy-master.zip or git clone https://github.com/leproxy/leproxy.git Source: https://github.com/leproxy/leproxy

Primii speakeri: https://def.camp/speakers/

Atentie, nu oferiti si nu formulati cereri pentru servere hacked incluzand si nelimitandu-se la shells, cpanels, webshells. Nu vindeti si nu cereti baze de date cu email-uri, date cu caracter personal, cnp-uri sau alte saracii. In ultimul timp au aparut cereri si oferte precum ciupercile dupa ploaie. Nu le-am dat atentie pentru a vedea pana unde mergeti cu cacanaria.

Salut, Offer job pentru cei interesati add jabber katyab128@jabbim.cz Detali in privat.