
Leaderboard

Popular Content

Showing content with the highest reputation on 03/20/22 in all areas

  1. Over time I have very often seen the question: “How do I get started in security?”. There are both people at the beginning of their journey who want a career on this path and people with IT experience who are eager to understand what this field involves. I will try to answer this question from a personal perspective, offering suggestions to those who do not know where to begin and how to set out on this road.
    6 points
  2. Have you considered that in certain situations the way hackers exploit vulnerabilities over the network can be predictable? Anyone with access to encrypted traffic can reverse the logic behind the exploit and thus obtain the same data as the exploit. Various automated tools have been analyzed and it has been found that these tools operate in an unsafe way. Various exploit databases were analyzed and we learned that some of these are written in an insecure (predictable) way. This presentation will showcase the results of the research, including examples of exploits that once executed can be harmful. The data we obtain after exploitation can be accessible to other entities without the need of decrypting the traffic. The SSL/TLS specs will not change. There is a clear reason for that and in this presentation I will argue this, but what will change for sure is the way hackers will write some of the exploits.
    4 points
  3. So the receiver for the keyboard broke off. The Microsoft All-In-One is RF (wireless), not Bluetooth. It will not work with any other wireless receiver because they are deliberately made that way (each dongle works only with the keyboard from that set).
    2 points
  4. How to protect RDP
     Posted: March 18, 2022 by Pieter Arntz

     You didn’t really think that the ransomware wave was coming to an end, did you? You may be tempted to think so, given the decline in reports about massive ransomware campaigns. Don’t be fooled. Over the last five years, one of the primary attack vectors for ransomware attacks has been the Remote Desktop Protocol (RDP). Remote desktop is exactly what the name implies: a tool for remotely controlling a PC that gives you all the power and control you would have if you were actually sitting behind it, which is what makes it so dangerous in the wrong hands.

     Brute-force attacks

     Threat actors use brute-force password guessing attacks to find RDP login credentials. These attacks use computer programs that will try password after password until they guess one correctly, or run out of passwords. The passwords they guess can be sold via criminal markets to ransomware gangs that use them to breach their victims’ networks. Once they have RDP access, ransomware gangs can deploy specialized tools to:
     - Elevate their privileges (when needed)
     - Leave backdoors for future use
     - Gain control over wider parts of the infiltrated network
     - Deploy ransomware and leave payment instructions

     The first three steps are most important for businesses to pay attention to, as they need to be examined after a breach has been noticed. The easiest and cheapest way to stop a ransomware attack is to prevent the initial breach of the target, and in many cases that means locking down RDP.

     Securing RDP

     If you want to deploy software to remotely operate your work computers, RDP is essentially a safe and easy-to-use protocol, with a client that comes pre-installed on Windows systems and is also available for other operating systems. There are a few things you can do to make it a lot harder to gain access to your network over unauthorized RDP connections:

     - Decide if you really need RDP. This is an important question and you should not be afraid to ask it. Even if you are hardened against brute-force attacks, there is always the chance that attackers will find a remote vulnerability in RDP and exploit it. Before you enable RDP for anyone, be sure that you need it.
     - Limit access to the users who need it. Reduce the number of opportunities an attacker has to guess a weak password by following the principle of least privilege. This cannot be done from the Remote Desktop settings but requires security policies. We have included a guide on how to do this later in this article.
     - Limit access to specific IP addresses. This is another form of following the principle of least privilege. There is simply no need for many IP addresses to have access to your RDP clients. Rather than banning the IP addresses that don’t need access, allow only those that do.
     - Use strong passwords. Even the most persistent attacker will only ever guess very weak passwords, because it is more cost effective to make a few guesses on a lot of computers than it is to make lots of guesses on one. So the first and most basic form of defence is to have users choose even moderately strong passwords, meaning passwords that don’t appear in lists of the most commonly used passwords and aren’t based on dictionary words. Of course, getting users to actually do that is notoriously difficult, so you need to use other hardening measures as well.
     - Use rate limiting. Rate limiting (such as Malwarebytes Brute Force Protection) has the effect of significantly strengthening the defenses of weak passwords. It works by reducing the speed at which attackers can make login attempts, typically by shutting them out for a period of time after a small number of incorrect guesses. This represents a huge barrier for a computer program looking to race through tens or even hundreds of thousands of password attempts.
     - Use multi-factor authentication (MFA). MFA can stop password guessing in its tracks, but it can be difficult to roll out and support. Any second authentication factor will make attacks significantly more difficult, but factors that don’t require user interaction, such as hardware keys and client certificates, are the most robust.
     - Put RDP behind a VPN. Forcing users to connect to a VPN before they can log in to RDP effectively takes RDP off the Internet and away from password guessing attacks. This can be extremely effective, but it comes at the cost of maintaining a VPN, and simply shifts the burden of securing your users’ point of access from RDP to the VPN. Diligent patching is essential: in the last few years ransomware gangs and other cybercriminals have made extensive use of vulnerabilities in popular corporate VPNs.
     - Use a Remote Desktop Gateway Server. This provides additional security and operational benefits, like MFA. The logs it keeps of RDP sessions can prove very useful if you find yourself trying to figure out what might have happened after a breach. Because the logs are not on the compromised machine, they are harder for intruders to modify or delete.
     - Do not disable Network Level Authentication (NLA). NLA offers an extra authentication level. Enable it, if it wasn’t already.

     Other things that might help

     The things in the list below aren’t effective enough to constitute genuine hardening, but might help reduce the volume of attacks you see. They are easy to do, but they are not a substitute for the list above.
     - Changing the RDP port. Some hardening guides recommend changing the RDP port so that it does not use the default port number, 3389. Although this might reduce the number of scans that find your RDP clients, our research suggests that plenty of attackers will still find you.
     - Retire the Administrator username. Although some password guessing attacks use a variety of usernames, including automatically generated ones, many of them simply try to guess the password for the user named Administrator (or the local equivalent). However, because usernames are not treated as secrets by either users or systems, unlike passwords, you should not rely on the obscurity of your usernames to protect you.

     Limiting access to the users that need it

     The first step in this process is to create a user group that will be allowed remote access. You can do this in the Group Policy Management Console (GPMC.MSC):
     - In this console, select Computer Configuration > Windows Settings > Security Settings > Restricted Groups.
     - Right-click Restricted Groups and then click Add Group.
     - Click Browse, type Remote, click Check Names and you should see “REMOTE DESKTOP USERS”. Click OK in the Add Groups dialog.
     - Click Add beside the MEMBERS OF THIS GROUP box and click Browse. Type the name of the domain group, then click Check Names > OK > OK.
     - On the PC, run an elevated command prompt and type GPUPDATE /FORCE to refresh Group Policy. You should see the group added under the SELECT USERS button on the REMOTE tab of the PC’s SYSTEM PROPERTIES.

     Now you can open the related local policies by opening Control Panel > System and Security > Administrative Tools > Local Security Policy > User Rights Assignment. Remove the “Administrators” group from the “Allow log on through Remote Desktop Services” policy, and certainly do not grant access to the account with the username “Administrator”. That account is perfect for the intruders; they would love to take it over. Also remove the “Remote Desktop Users” group, contradictory as that may seem, because by default the user group “Everyone” is a member of the “Remote Desktop Users” group. Now add the user(s) that you specifically want to have remote access to this system, and make sure that they have the rights they need, but nothing more. Restrict the actions they can perform to limit the damage that they can do if the account should ever become compromised.

     Secure your network resources

     In the context of RDP attacks, it is also important that you apply some internal safety measures. PCs that can be used remotely should be able to use network resources, but not be able to destroy them. Use restrictive policies to keep at bay the possible damage that any user, not just a remote one, can do.

     Aftermath of an attack

     If you have been impacted by a ransomware attack via RDP, you’ll need to take some steps to better secure your network and endpoints. After you have recovered your files from a backup or by forking over the ransom, you need to check your systems for any changes the attackers have made that would make a future visit easier for them, especially if you decided to pay the ransom. By paying the threat actors, you have essentially painted a bull’s-eye on your own back. You are now a desirable target, because they know you will pay to get your files back, if necessary. To be sure there are no artifacts left behind, check the computer that was used to access the network via RDP for Trojans and hacking tools, and also any networked devices that could have been accessed from the compromised machine.

     Source: https://blog.malwarebytes.com/security-world/business-security-world/2022/03/protect-rdp-access-ransomware-attacks/
    2 points
  5. Reverse Engineering resources
     A curated list of awesome reversing resources (Awesome Reversing).

     Contents: Books, Courses, Practice, Hex Editors, Binary Format, Disassemblers, Binary Analysis, Bytecode Analysis, Import Reconstruction, Dynamic Analysis, Debugging, Mac Decrypt, Document Analysis, Scripting, Android, Yara.

     Books (Reverse Engineering Books)
     - The IDA Pro Book
     - Radare2 Book
     - Reverse Engineering for Beginners
     - The Art of Assembly Language
     - Practical Reverse Engineering
     - Reversing: Secrets of Reverse Engineering
     - Practical Malware Analysis
     - Malware Analyst's Cookbook
     - Gray Hat Hacking
     - Access Denied
     - The Art of Memory Forensics
     - Hacking: The Art of Exploitation
     - Fuzzing for Software Security
     - Art of Software Security Assessment
     - The Antivirus Hacker's Handbook
     - The Rootkit Arsenal
     - Windows Internals (Part 1, Part 2)
     - Inside Windows Debugging
     - iOS Reverse Engineering

     Courses (Reverse Engineering Courses)
     - Lenas Reversing for Newbies
     - Open Security Training
     - Dr. Fu's Malware Analysis
     - Binary Auditing Course
     - TiGa's Video Tutorials
     - Legend of Random
     - Modern Binary Exploitation
     - RPISEC Malware Course
     - SANS FOR 610 GREM
     - REcon Training
     - Blackhat Training
     - Offensive Security
     - Corelan Training
     - Offensive and Defensive Android Reversing

     Practice (Practice Reverse Engineering. Be careful with malware.)
     - Crackmes.de
     - OSX Crackmes
     - ESET Challenges
     - Flare-on Challenges
     - Github CTF Archives
     - Reverse Engineering Challenges
     - xorpd Advanced Assembly Exercises
     - Virusshare.com
     - Contagio
     - Malware-Traffic-Analysis
     - Malshare
     - Malware Blacklist
     - malwr.com
     - vxvault

     Hex Editors
     - HxD
     - 010 Editor
     - Hex Workshop
     - HexFiend
     - Hiew
     - hecate

     Binary Format (Binary Format Tools)
     - CFF Explorer
     - Cerbero Profiler // Lite
     - PE Insider
     - Detect It Easy
     - PeStudio
     - PEiD
     - MachoView
     - nm - View Symbols
     - file - File information
     - codesign - Code signing information (usage: codesign -dvvv filename)

     Disassemblers
     - IDA Pro
     - GHIDRA
     - Binary Ninja
     - Radare
     - Hopper
     - Capstone
     - objdump
     - fREedom

     Binary Analysis (Binary Analysis Resources)
     - Mobius Resources
     - z3
     - bap
     - angr

     Bytecode Analysis (Bytecode Analysis Tools)
     - dnSpy
     - Bytecode Viewer
     - Bytecode Visualizer
     - JPEXS Flash Decompiler

     Import Reconstruction (Import Reconstruction Tools)
     - ImpRec
     - Scylla
     - LordPE

     Dynamic Analysis (Dynamic Analysis Tools)
     - ProcessHacker
     - Process Explorer
     - Process Monitor
     - Autoruns
     - Noriben
     - API Monitor
     - iNetSim
     - SmartSniff
     - TCPView
     - Wireshark
     - Fakenet
     - Volatility
     - Dumpit
     - LiME
     - Cuckoo
     - Objective-See Utilities
     - XCode Instruments - XCode Instruments for Monitoring Files and Processes (User Guide)
     - dtrace - sudo dtruss = strace (dtrace recipes)
     - fs_usage - report system calls and page faults related to filesystem activity in real time (File I/O: fs_usage -w -f filesystem)
     - dmesg - display the system message buffer

     Debugging (Debugging Tools)
     - WinDbg
     - OllyDbg v1.10
     - OllyDbg v2.01
     - OllySnD
     - Olly Shadow
     - Olly CiMs
     - Olly UST_2bg
     - x64dbg
     - gdb
     - vdb
     - lldb
     - qira
     - unicorn

     Mac Decrypt (Mac Decrypting Tools)
     - Cerbero Profiler - Select all -> Copy to new file
     - AppEncryptor - Tool for decrypting
     - Class-Dump - use deprotect option
     - readmem - OS X Reverser's process dumping tool

     Document Analysis (Document Analysis Tools)
     - Ole Tools
     - Didier's PDF Tools
     - Origami

     Scripting
     - IDA Python Src
     - IDC Functions Doc
     - Using IDAPython to Make your Life Easier
     - Introduction to IDA Python
     - The Beginner's Guide to IDA Python
     - IDA Plugin Contest
     - onehawt IDA Plugin List
     - pefile Python Library

     Android (Android tools)
     - Android Studio
     - APKtool
     - dex2jar
     - Bytecode Viewer
     - IDA Pro
     - JaDx

     Yara (Yara Resources)
     - Yara docs
     - Cheatsheet
     - yarGen
     - Yara First Presentation

     Please have a look at: Top Hacking Books, Top Reverse Engineering Books, Top Machine Learning Books, Top 5 Programming Books, Top Java Books.

     Source: https://github.com/wtsxDev/reverse-engineering
    1 point
  6. It looks like something that needs hardware knowledge and a delicate touch; I wouldn't get into it. The last time I tried to repair a (laptop) keyboard it ended badly.
    1 point
  7. As indicated here as well, I put it behind a VPN. Blocked for Public in the firewall, allowed only for Private and Domain. If someone wants to do the steps above on their own PC for whatever reason, use "gpedit.msc" to get to Group Policy; "GPMC.MSC" is only for servers that have AD (that are Domain Controllers).
    1 point
  8. How to detect IMSI catchers
     Defending against the most effective mobile attacks.

     IMSI catchers are one of the most effective surveillance techniques of all time. They’re used by police, governments and criminals to spy on victims’ phones. This spy tech is rarely deployed with a warrant. Western governments buy commercial products from US companies like the “Stingray” from Harris Corp. Criminals can also buy IMSI catchers from unregulated online Chinese and Israeli vendors. These IMSI catchers have been used for corporate espionage and blackmail. They’ve been found at embassies, airports, political protests and sports events.

     IMSI catchers work by intercepting the traffic from all phones in an area. Operators can track a victim’s location, read their SMS, listen to phone calls and intercept data. An attacker can target thousands of devices. IMSI catchers can be mounted on people, cars or airplanes and can spy on entire cities at once. Apple and Google seem unwilling to help their users against IMSI catchers. However, if you have the right tools you can at least catch them spying on you.

     [Image: The “BlackFin” IMSI catcher from leaked NSA catalogues.]

     Radio Sentinel

     Radio Sentinel is an app that’s included with Armadillo Phone. It’s capable of detecting cellular attacks over 2G, 3G, 4G and 5G. Besides IMSI catchers, Radio Sentinel can also detect silent SMS and some SS7 attacks. It works offline, without needing to upload data to a third-party server. Radio Sentinel requires extensive modifications to Android, so unfortunately it can’t easily be ported to other devices.

     Radio Sentinel will trigger a notification when a warning is detected. If that attack is high severity, you will automatically be disconnected from the cellular network. By default, while Radio Sentinel is active only 4G and 5G networks are allowed. This is to prevent “downgrade attacks”, caused when an IMSI catcher forces the victim to use an older or weaker network so it can be attacked.

     Radio Sentinel has a wide range of warnings to detect different attacks. This includes warnings about incorrect frequencies, unknown networks, frequent location updates, empty paging requests, TAU rejects, silent SMS, cell reselect offsets and other behaviours that indicate a cellular attack.

     Radio Sentinel was tested extensively in Vancouver during development. It has been tested successfully by early adopters against real attack equipment. Now that it’s been released, we are continuing to improve it using the bug reports customers send us. We’re in the process of arranging a formal third-party audit to test Radio Sentinel against more attack equipment. If you have an IMSI catcher and would like to attack an Armadillo Phone, please contact us.

     Phone apps

     There are apps you can download that claim to detect IMSI catchers. These include “Android IMSI-Catcher Detector”, “Cell Spy Catcher”, “Darshak”, “SnoopSnitch” and others. Many are fake or useless. Some can detect IMSI catchers, however there are caveats. Most importantly, these apps can’t work on a normal phone. Apple and Google have restricted access to the radio information that’s needed to detect attacks. To bypass this, these detection apps require a rooted phone, which weakens security protections. This means your phone is more vulnerable to hackers.

     Every app we tested had at least two of the following problems:
     - Can’t detect the attacks they claim to
     - Only detect attacks on one type of network (i.e. only 3G and not 4G)
     - Only detect one type of attack (i.e. only silent SMS)
     - Very old and don’t work on modern versions of Android
     - Generate constant false positives, making them impractical
     - Rely on crowdsourced data, which can be easily compromised
     - Upload data to a third-party server
     - Only run on a specific brand and model of phone
     - Require a rooted phone (less security)

     SnoopSnitch is one of the best apps… but that’s not saying much. It’s nearly a decade old, requires root, and only works on ancient devices like the Nexus 5X. SnoopSnitch also requires an internet connection to their server. This means you could track people who are using SnoopSnitch. Although some of the uploaded data is anonymized, there is still lots of sensitive data like build properties and radio information being sent. These problems could open you up to new privacy and security concerns besides IMSI catchers.

     FirstPoint

     FirstPoint is a company based in Israel that sells special SIM cards that can be inserted into any device. They developed an applet on the SIM that sends information over to their backend network. This information from the device, combined with their backend infrastructure, allows them to detect IMSI catchers. Although their heuristics appear to be great, the approach uploads a lot of sensitive data to FirstPoint’s servers, which could be problematic for organizations that want to control their own data.

     Crocodile Hunter

     Crocodile Hunter is a tool developed by the EFF to detect IMSI catchers. It requires an SDR (software defined radio) along with a dedicated Linux laptop or Raspberry Pi. Crocodile Hunter is a relatively simple project. It first gets the GPS location, then looks up cell tower IDs from the same location in the crowdsourced website WiGLE. WiGLE uses data uploaded by ordinary people. It compares the cell towers from WiGLE to the nearby cell towers and sees if they match. If there is a nearby tower that is not in WiGLE, it flags it as a potential IMSI catcher.

     Unfortunately Crocodile Hunter has many flaws:
     - It relies on WiGLE data, which can be easily compromised. Attackers could simply upload their malicious tower ID to WiGLE’s database. They could also search WiGLE for an existing tower ID in the same location and use that instead.
     - Average people can’t use it. It requires expert knowledge and assembling electronics.
     - It’s bulky and impractical. You could probably fit this in a backpack but not your pocket (and definitely not on an airplane, unless you want to be cavity searched).
     - It sends the user’s GPS location to WiGLE.

     The future of IMSI catchers

     [Image: A popular IMSI catcher capable of monitoring 10,000 people at once.]

     You cannot truly “prevent” an attack, only react to it. This is because IMSI catchers exploit vulnerabilities at the protocol level. The best you can do is detect the attack afterwards and disconnect from the network. Although 4G and 5G have brought increased network security, IMSI catchers will continue to pose a threat for decades. Some researchers are already speculating on new security for 6G networks.
     - Detecting cellular attacks requires information that Google and Apple do not want to give to consumers. So solutions to mitigate the attacks are expensive, bulky or limited to a narrow selection of devices.
     - There are many fake or ineffective solutions that rely on false positives to fool consumers.
     - The global cellular network is so diverse and anomalous that much heuristic detection is difficult, but not impossible.
     - Deep investigation is required to actually track down whether an IMSI catcher was ever used.
     - Although boutique solutions can detect IMSI catchers, they remain limited to specific devices or come with other drawbacks.

     Radio Sentinel is the most effective solution we are aware of for detecting IMSI catchers. It’s our hope that eventually more solutions will emerge that become commonplace enough to deter IMSI catcher use.

     Source: https://armadillophone.com/blog/how-to-detect-imsi-catchers
    1 point
  9. We will explore together the life of a blue-teamer. We will see examples of how nothing is ever secure, of the cat-and-mouse race between the blue team and attackers, but also of how users always find something new and interesting that wrecks a company's security plans.
    1 point
  10. During the presentation we will cover a topic that revolves mostly around Red Teaming, namely BadUSB: what it is, how we can use it, a few real-life use cases, payload development, and bypasses done with it (UAC, CLM, AMSI, etc.).
    1 point
  11. This study focuses on analyzing an exploit published recently, in January 2022, which affects the win32k system component of the Windows kernel and results in an elevation of privilege vulnerability. Analyzing 1-day exploits can help us both defensively, by creating relevant detections for the newest exploitation techniques, and in identifying and preventing new similar vulnerabilities in the same components. At the same time, the research into this CVE is a good example of a case where the initially applied patches do not mitigate the problem in depth. During the presentation we will discuss Windows internals concepts, data-only attacks, WinDbg kernel debugging and detection indicators, with a primary focus on defensive analysis and on understanding the exploitation process.
    1 point
  12. The video presentations are available on the site: https://rstcon.com/prezentari/ You can access them directly from the YouTube channel: https://www.youtube.com/channel/UCs-oJJm7A4VmwBtezIOn0JQ There is also an RSTCon #2 playlist: https://www.youtube.com/watch?v=MTYdX2hGVXY&list=PLTaLvwriPW8zi3pkblN8yAqbZDZur992d
    1 point
  13. The stars have to align for the vulnerability to be usable. Most applications that generate PDFs take everything from the database. The only place I could see it is in an application that puts your signature on an existing PDF also generated through dompdf, and that only if whoever built the application did not know to validate the input, at least with something like ^[a-zA-Z -]{6,50}$. A good, widely used, tested alternative to dompdf is tcpdf. It works wonders on shared hosting.
    1 point
  14. The programs you find here are posted by users and generally do not go through any preliminary check. Running an executable downloaded from this section on your personal computer exposes you to the risk of having the passwords you use to log in to your personal accounts stolen, of having your files accessed without your consent, or of becoming part of a botnet used for spam, flooding, SOCKS proxies, etc. In all these cases the effect is very unpleasant. To run these programs without risking the compromise of your accounts you can use a virtualization solution such as VMware, VirtualBox or VirtualPC. We recommend that, if the download link points to a file-sharing site, you use Google to look for the program's original download source, if one exists. If you find an official site for a program posted here, and the topic carries a download link from a file-sharing site, you have the right to post in that topic a request for the link to be replaced with the official site's. If the link is not changed within the next 12 hours you can contact a staff member to request the replacement of the link. For those who post: use the official download links if they exist! P.S.: Report links with surveys!
    1 point