Leaderboard

Popular Content

Showing content with the highest reputation on 10/07/20 in all areas

  1. Romanian Cyber Security Challenge (ROCSC) is a yearly CTF event organised in Romania to reward the best local talents in cyber security, available for juniors (16-20 yo) & seniors (21-25 yo). At this stage can participate:
     For prizes: the 31 contestants who won the qualification phase
     For fun: anyone interested in sharpening their cyber skills.
     The best competitors of the national competition will have the opportunity to join other young cyber talents from 20 countries (EU Member States and EFTA countries) to represent Team Europe at the International Cyber Security Challenge in 2021. They have to prove their abilities in web and mobile security, crypto puzzles, reverse engineering, forensics and escape room.
     Format: Jeopardy
     Play format: Individual
     Genres: Crypto, Pwning, Reversing, Web, Miscellaneous …
     Language: English
     Access: Available for everybody, prizes only for the finalists of ECSC 2020 RO Qualification Phase.
     Difficulty: Medium - Hard
     Website: CyberSecurityChallenge.ro
     The event is organised by SRI, CERT-RO, ANSSI with the support of Orange Romania, Bit Sentinel, CertSIGN, Cisco. The challenges are provided by Bit Sentinel and CertSIGN.
     Source: https://rocsc20.cyberedu.ro/
    4 points
  2. Honestly, I think you have a better chance of finding someone who can steal electricity for you than of finding someone who will offer you cheap, and especially efficiently produced, electricity. That's what you need!
    2 points
  3. The disk-wiping feature is present in the code but has not been used yet.
     Image: Netlab
     A newly discovered botnet contains code that can wipe all data from infected systems, such as routers, servers, and Internet of Things (IoT) devices. Named HEH, the botnet spreads by launching brute-force attacks against any internet-connected system that has its SSH ports (23 and 2323) exposed online. If the device uses default or easy-to-guess SSH credentials, the botnet gains access to the system, where it immediately downloads one of seven binaries that install the HEH malware. This HEH malware doesn't contain any offensive features, such as the ability to launch DDoS attacks, the ability to install crypto-miners, or code to run proxies and relay traffic for bad actors. The only features present are a function that ensnares infected devices and coerces them to perform SSH brute-force attacks across the internet to help amplify the botnet; a feature that lets attackers run Shell commands on the infected device; and a variation of this second feature that executes a list of predefined Shell operations that wipe all the device's partitions.
     BOTNET IS IN ITS EARLY STAGES OF DEVELOPMENT
     HEH was discovered by security researchers from Netlab, the network security division of Chinese tech giant Qihoo 360, and detailed for the first time in a report published today. Because this is a relatively new botnet, Netlab researchers can't tell if the device-wiping operation is intentional or if it's just a poorly coded self-destruction routine. But regardless of its purpose, if this feature ever gets triggered, it could result in hundreds or thousands of bricked and non-functioning devices. This could include home routers, Internet of Things (IoT) smart devices, and even Linux servers. The botnet can infect anything with weakly secured SSH ports, even Windows systems, but the HEH malware only works on *NIX platforms.
     Since wiping all partitions also wipes the device's firmware or operating system, this operation has the potential to temporarily brick devices — until their firmware or operating systems are reinstalled. However, in some cases, this could mean permanently bricked systems, as some device owners may not have the knowledge to reinstall firmware on their IoT equipment and may just choose to throw away the old and buy a new device instead. Currently, Netlab said it detected HEH samples that can run on the following CPU architectures: x86 (32/64), ARM (32/64), MIPS (MIPS32/MIPS-III) and PPC. The botnet is still spreading. HEH, while it hasn't bricked any devices yet, wouldn't be the first botnet that wipes IoT devices. The first two were BrickerBot and Silex.
     Via zdnet.com
    2 points
  4. With IDA Pro: new project, without attaching a file, we run MFC, attach the Windows debugger to the MFC process, then a breakpoint has to be set on the set password function. Then we need to come up with a method to read/write memory on the password variable. With Process Hacker 2 you can dump the running executable; I managed to open it with Ghidra but there are a lot of functions... the dump ends up being 160 MB... plus it takes time to map the password function to the zip, to understand how it works, and it looks like it's a random string that gets saved on a server, which is bad... But with live debugging I think we can manage to play with the memory; the thing is, I don't know how to get to the point of using the software in order to obtain those zip files...
    2 points
  5. That's all:
     using System.Drawing;
     using System.Drawing.Imaging;
     using System.Windows.Forms;

     // Capture the whole primary screen into a bitmap and save it to disk.
     // fullpath (string) and format (ImageFormat) are supplied by the caller.
     Rectangle bounds = Screen.GetBounds(Point.Empty);
     using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height))
     {
         using (Graphics g = Graphics.FromImage(bitmap))
         {
             g.CopyFromScreen(Point.Empty, Point.Empty, bounds.Size);
         }
         bitmap.Save(fullpath, format);
     }
    2 points
  6. Man, what a hater. Let the guy write his four letters if that's what he wants :). Workers are needed too, not just efficient people.
    1 point
  7. I managed it too, as you said... with Process Hacker and IDA Pro... I also found a dll that I think it uses for decrypting the password... I even used Fiddler and it makes many https calls to their site while restoring the firmware... if you want you can use a remote-access program to get onto my computer and see it in action... I saved a preview from Fiddler https://dropmefiles.com/6iOJ5 and a dump of the executable while it was restoring https://dropmefiles.com/fdGd5 What do you use for live debugging?
    1 point
  8. Yes, the only useful thing it does is what gigiRoman posted. The rest is junk. It uses wmiexec and smbclient to send a screenshot? Better take that piece of code and use it in any other way.
    1 point
  9. Great, something like this was needed. All this junk that comes with Internet access is sloppily written.
    1 point
  10. Why
     We see ransomware delete all shadow copies using vssadmin pretty often. What if we could just intercept that request and kill the invoking process? Let's try to create a simple vaccine.
     How it works
     We register a debugger for vssadmin.exe (and wmic.exe), which is our compiled raccine.exe. Raccine is a binary that first collects all PIDs of the parent processes and then tries to kill all parent processes.
     Advantages:
     The method is rather generic
     We don't have to replace a system file (vssadmin.exe or wmic.exe), which could lead to integrity problems and could break our raccination on each patch day
     The changes are easy to undo
     Should work on all Windows versions from Windows 2000 onwards
     No running executable or additional service required (agent-less)
     Disadvantages / Blind Spots:
     The legitimate use of vssadmin.exe delete shadows (or any other blacklisted combination) isn't possible anymore
     It even kills the processes that tried to invoke vssadmin.exe delete shadows, which could be a backup process
     This won't catch methods in which the malicious process isn't one of the processes in the tree that has invoked vssadmin.exe (e.g. via schtasks)
     The Process
     Invocation of vssadmin.exe (and wmic.exe) gets intercepted and passed to raccine.exe as debugger (vssadmin.exe delete shadows becomes raccine.exe vssadmin.exe delete shadows). We then process the command line arguments and look for malicious combinations. If no malicious combination could be found, we create a new process with the original command line parameters. If a malicious combination could be found, we collect all PIDs of parent processes and then start killing them (these should be the malware processes as shown in the screenshots above). Raccine shows a command line window with the killed PIDs for 5 seconds and then exits itself.
     Malicious combinations:
     delete and shadows (vssadmin)
     resize and shadowstorage (vssadmin)
     delete and shadowcopy (wmic)
     delete and catalog and -quiet (wbadmin)
     Warning !!!
     USE IT AT YOUR OWN RISK! You won't be able to run commands that use the blacklisted commands on a raccinated machine anymore until you apply the uninstall patch raccine-reg-patch-uninstall.reg. This could break various backup solutions that run that specific command during their work. It will not only block that request but kills all processes in that tree including the backup solution and its invoking process. If you have solid security monitoring that logs all process executions, you could check your logs to see if vssadmin.exe delete shadows or vssadmin.exe resize shadowstorage ... is frequently or sporadically used for legitimate purposes, in which case you should refrain from using Raccine.
     Version History
     0.1.0 - Initial version that intercepted & blocked all vssadmin.exe executions
     0.2.0 - Version that blocks only vssadmin.exe executions that contain delete and shadows in their command line and otherwise passes all parameters to a new process that invokes vssadmin with its original parameters
     0.2.1 - Removed explorer.exe from the whitelist
     0.3.0 - Supports the wmic method calling delete shadowcopy, no outputs for whitelisted process starts (avoids problems with wmic output processing)
     0.4.0 - Supports logging to the Windows Eventlog for each blocked attempt, looks for more malicious parameter combinations
     0.4.1 - Statically linked binaries
     0.4.2 - Bugfixes provided by John Lambert
     0.5.0 - Removed Eventlog logging (basic info was unnecessary; caused higher complexity; can be achieved by process creation logging as well), support for wbadmin filtering
     Installation
     1. Apply Registry Patch raccine-reg-patch-vssadmin.reg to intercept invocations of vssadmin.exe
     2. Place Raccine.exe from the release section in the PATH, e.g. into C:\Windows (For i386 architecture systems use Raccine_x86.exe and rename it to Raccine.exe)
     Wmic Addon (Optional)
     About 10-30% of Ransomware samples use wmic to delete the local shadowcopies. However, wmic is used for administrative activity far more often than vssadmin. The output of wmic often gets processed by automated scripts. It is unknown how a proxied execution through Raccine affects these scripts and programs. We've removed all outputs for cases in which no malicious parameter combination gets detected, but who knows?
     Apply the raccine-reg-patch-wmic.reg patch to intercept invocations of wmic.exe
     Wbadmin Addon (Optional)
     Ransomware often uses the command wbadmin delete catalog -quiet to delete the backup catalog of the local computer.
     Apply the raccine-reg-patch-wbadmin.reg patch to intercept invocations of wbadmin.exe
     Uninstall
     1. Run raccine-reg-patch-uninstall.reg
     2. Remove Raccine.exe (optional)
     Screenshot
     Run raccine.exe and watch the parent process tree die (screenshot of v0.1)
     Pivot
     In case the Ransomware that you're currently handling uses a certain process name, e.g. taskdl.exe, you could just change the .reg patch to intercept calls to that name and let Raccine kill all parent processes of the invoking process tree.
     Help Wanted
     I'd like to extend Raccine but lack the C++ coding skills, especially on the Windows platform.
     1. Allow Certain Vssadmin Executions (implemented by Ollie Whitehouse in v0.2.0)
     Since Raccine is registered as a debugger for vssadmin.exe, the actual command line that starts raccine.exe looks like raccine.exe vssadmin.exe ... [params]. If we were able to process the command line options and apply filters to them, we could provide the following features:
     Only block the execution in cases in which the parameters contain delete shadows
     Allow all other executions by passing the original parameters to a newly created process of vssadmin.exe (transparent pass-through)
     2. Whitelist Certain Parents
     We could provide a config file that contains white-listed parents for vssadmin.exe. If such a parent is detected, it would also pass the parameters to a new process and skip killing the process tree.
     3. Create Shim Instead of Image File Execution Options Hack
     The solution is outlined in this tweet and related talk.
     FAQs
     Why did it even kill explorer.exe during its run?
     Since malware tends to inject into explorer.exe, we thought it would be a good idea to kill even explorer.exe in order to avoid malicious code performing other operations on the system. What happens in real world examples is that a user that executed the Ransomware process would lose his Windows task bar and desktop, while other programs like Microsoft Word or Outlook would still be running and the user would be able to save his work and close the respective programs before calling the helpdesk or simply reboot the system. An experienced user could bring up Task Manager using CTRL+ALT+Del and start a new explorer.exe or just log off.
     Other Info
     The right pronunciation is "Rax-Een".
     Credits
     Florian Roth @cyb3rops
     Ollie Whitehouse @ollieatnccgroup
     Download
     Raccine-main.zip or git clone https://github.com/Neo23x0/Raccine.git
     Source
    1 point
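The filtering and tree-kill steps the Raccine post describes, as an added Python example (not Raccine's own C++ code): it reuses the four malicious parameter combinations listed in the post, assumes the "raccine.exe <target.exe> [params]" command line the IFEO debugger registration produces, and walks a constructed process table in place of a live snapshot; stopping at PIDs 0 and 4 is an assumption, not something the post states.

```python
"""Raccine-style decision logic (added example, not the project's C++):
classify the command line Raccine receives as IFEO "debugger" of
vssadmin/wmic/wbadmin and, on a hit, list the parent chain to terminate."""
import shlex

# Parameter combinations the post lists as malicious. All words of a
# tuple must appear (case-insensitively) among the target's arguments.
MALICIOUS_COMBINATIONS = {
    "vssadmin.exe": [("delete", "shadows"), ("resize", "shadowstorage")],
    "wmic.exe": [("delete", "shadowcopy")],
    "wbadmin.exe": [("delete", "catalog", "-quiet")],
}

def parse_intercepted(cmdline):
    """'raccine.exe <target.exe> [params]' -> (basename of target, params).
    posix=False keeps Windows quoting and backslashes intact."""
    argv = shlex.split(cmdline, posix=False)
    if len(argv) < 2:
        raise ValueError("expected: raccine.exe <target.exe> [params]")
    target = argv[1].strip('"').rsplit("\\", 1)[-1].lower()
    return target, argv[2:]

def is_malicious(target, params):
    """True if params contain one of the listed combinations for target."""
    words = {p.strip('"').lower() for p in params}
    return any(all(w in words for w in combo)
               for combo in MALICIOUS_COMBINATIONS.get(target, []))

def decide(cmdline):
    """('block', target) on a hit; otherwise ('pass', command line to
    re-launch) so benign invocations are transparently passed through."""
    target, params = parse_intercepted(cmdline)
    if is_malicious(target, params):
        return "block", target
    return "pass", " ".join([target] + params)

def collect_parent_chain(pid, process_table):
    """Walk parent links in a {pid: (name, ppid)} table (a constructed
    snapshot, not a live one) and return the PIDs Raccine would kill:
    the invoking process and all its ancestors, stopping at the Windows
    Idle (0) / System (4) processes (this stop rule is an assumption)."""
    chain = []
    while pid in process_table and pid not in (0, 4):
        chain.append(pid)
        pid = process_table[pid][1]
    return chain
```

Run `decide("raccine.exe vssadmin.exe list shadows")` to see the pass-through case and feed `collect_parent_chain` a table such as `{4: ("System", 0), 700: ("explorer.exe", 4), 1200: ("ransom.exe", 700), 1300: ("cmd.exe", 1200)}` to see which PIDs a hit from PID 1300 would take down.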
  11. @M4T3! For one platform we have an architecture with 1 production server, one UAT and one DEV on Google Cloud. They've had 100% uptime since 2017. The annual bill was over £100k. Shall I give you the Account Manager's contact details? #pulencurdecarevrei 😁
    1 point