Jump to content

Leaderboard


Popular Content

Showing content with the highest reputation since 06/17/17 in all areas

  1. 17 points
    M-a tot văzut ca bântui pe aici pe forum si na, totuși e prea tare. Cel mai tare cadou de ziua mea https://imgur.com/a/Xv1DU
  2. 16 points
    Având puțin timp liber seara, am decis să mă destind cu acest challenge. La rugămintea lui @Usr6 în continuare postez rezolvarea problemei. 1. Descărcăm imaginea, verificând ca aceasta să fie integră $ curl -s https://rstforums.com/forum/uploads/monthly_2017_09/OldGarage.jpg.cdab3e6485face558cb330baf13519cf.jpg --output OldGarage.jpg && md5sum OldGarage.jpg 2. Folosind un hex editor, căutăm biții de sfârșit ai jpg-ului, aceștia fiind FF D9. Dacă după acești biți începe analiza noastră. Dacă după acești biți mai există ceva care ne-ar putea da de bănuit, iar în acest caz putem observa un nume de fișier, anume "The_eye_of.jpg". De începem să bănuim că aici vom găsi următoarea sub-problemă. Verificăm dacă la sfârșitul acelui bloc de biți găsim grupul de litere PK (inițialele lui Phil Katz, creatorul formatului zip) 3.1.0 Folosind dd sau un extractor, extragem arhiva din imagine. Îi vom da valoarea parametrului skip valoarea în format decimal a blocului unde se termină jpg-ul (unde am găsit blocul FF D9), în cazul nostru: dd if=OldGarage.jpg bs=1 skip=47168 of=imaginea_din_arhiva.zip 3.1.1 Dezarhivăm imaginea_din_arhiva.zip PS: Am prezentat acest pas pentru a se putea observa cum funcționează lucrurile. 3.2 Probabil aveți un extractor care e destul de deștept și puteți extrage direct: 4. Analizăm imaginea obținută analog cu pasul 3, unde observăm același procedeu, dar, la extragerea arhivei suntem întâmpinați de cererea unei parole. Pentru un rezultat mai obiectiv, căutăm imaginea pe Google împreună cu numele acesteia fără "_". Găsim astfel parola Horus 5. Analog pasului anterior, la dezarhivare trebuie să introducem o parolă pentru a ajunge la următorul sub-challenge: Căutând pe Google după "the code of holy bible" ajungem pe pagina de Wikipedia a acestuia, iar la al doilea paragraf găsim asta: Decidem să spargem textul în bucăți de câte 50 de caractere. Pentru asta, eu am folosit site-ul http://www.dcode.fr/text-splitter care are o mulțime de tool-uri de criptanaliză. Obținem asta: Deci, avem parola: GoodDataIsCryptedData 6. În urma tuturor indiciilor am ajuns să avem fișierul cu numele "Divide ET Impera.56" La prima vedere pare o înșiruire de hash-uri MD5, cel puțin pentru mine. Dar, ca să folosim indiciul, vom împărți textul în 56 de blocuri. Pe fiecare linie avem câte 32 de caractere, ceea ce corespunde unui hash MD5. Deci, să trecem la treabă. Căutăm un site unde putem introduce mai multe hash-uri odată. Eu am găsit https://hashkiller.co.uk/md5-decrypter.aspx Rezultatul este: 92eb5ffee6ae2fec3ad71c777531578f MD5 : b 4b43b0aee35624cd95b910189b3dc231 MD5 : r 0cc175b9c0f1b6a831c399e269772661 MD5 : a 9e3669d19b675bd57058fd4664205d2a MD5 : v d95679752134a2d9eb61dbd7b91c4bcc MD5 : o 5058f1af8388633f609cadb75a75dc9d MD5 : . 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] e358efa489f58062f10dd7316b65649e MD5 : t e1671797c52e15f763380b45e841ec32 MD5 : e 336d5ebc5436534e61d16e63ddfca327 MD5 : - 0cc175b9c0f1b6a831c399e269772661 MD5 : a 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] 83878c91171338902e0fe0fb97a8c47a MD5 : p 4b43b0aee35624cd95b910189b3dc231 MD5 : r 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 7b8b965ad4bca0e41ab51de7b31363a1 MD5 : n 03c7c0ace395d80182db07ae2c30f034 MD5 : s 5058f1af8388633f609cadb75a75dc9d MD5 : . 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] 800618943025315f869e4e1f09471012 MD5 : F e1671797c52e15f763380b45e841ec32 MD5 : e 2db95e8e1a9267b7a1188556b2013b33 MD5 : l 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 4a8a08f09d37b73795649038408b5f33 MD5 : c 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i e358efa489f58062f10dd7316b65649e MD5 : t 0cc175b9c0f1b6a831c399e269772661 MD5 : a 4b43b0aee35624cd95b910189b3dc231 MD5 : r 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 9033e0e305f247c0c3c80d0c7848c8b3 MD5 : ! 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] 44c29edb103a2872f519ad0c9a0fdaaa MD5 : P 5058f1af8388633f609cadb75a75dc9d MD5 : . 5dbc98dcc983a70728bd082d1a47546e MD5 : S 5058f1af8388633f609cadb75a75dc9d MD5 : . 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] d20caec3b48a1eef164cb4ca81ba2587 MD5 : L 0cc175b9c0f1b6a831c399e269772661 MD5 : a 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] 69691c7bdcc3ce6d5d8a1361f22d04ac MD5 : M 7b774effe4a349c6dd82ad4f4f21d34c MD5 : u 2db95e8e1a9267b7a1188556b2013b33 MD5 : l e358efa489f58062f10dd7316b65649e MD5 : t 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] 7fc56270e7a70fa81a5935b72eacbe29 MD5 : A 7b8b965ad4bca0e41ab51de7b31363a1 MD5 : n 865c0c0b4ab0e063e5caa3387c1a8741 MD5 : i 7215ee9c7d9dc229d2921a40e899ec5f MD5 : [space] b2f5ff47436671b6e533d8dc3614845d MD5 : g 0cc175b9c0f1b6a831c399e269772661 MD5 : a 4b43b0aee35624cd95b910189b3dc231 MD5 : r 0cc175b9c0f1b6a831c399e269772661 MD5 : a 363b122c528f54df4a0446b6bab05515 MD5 : j e1671797c52e15f763380b45e841ec32 MD5 : e Cam acesta a fost challenge-ul. Mulțumiri @Usr6și la mulți ani cu întârziere @MrGrj, că am uitat :"> Resurse utile: https://ctfs.github.io/resources/topics/steganography/file-in-image/README.html https://gchq.github.io/CyberChef/ http://www.dcode.fr/ http://security.cs.pub.ro/hexcellents/wiki/kb/crypto/home http://ridiculousfish.com/hexfiend/
  3. 14 points
    @M4T3! Nu am vandut niciodata linkuri pe blog, nici nu vand si am grija de trimiterile pe care le fac. Am doar doua site-uri in blogroll: un blogger si RST. Oferta mea: un an de zile, dofollow, index, blogroll, gratis. In semn de multumire ca l-ai ajutat pe tatal meu. Nu v-am uitat, va am in lista. Daca pot sa ajut, ajut. Daca esti de acord, da-mi un mesaj privat cu site-ul. Sunt sigur ca este in regula, insa vreau sa arunc o privire pe el, sa ma asigur eu.
  4. 13 points
    Cand am citit titlul credeam ca vii sa ceri sfaturi de gonoree, sifilis, chlamydia, etc.
  5. 13 points
    Trebuie sa alegi, Arta sau lautarie. Fotbalul este o ocupatie pentru labagii spargatori de seminte si bautori de bere.
  6. 12 points
    @tjt " De ce sa nu iti dea ? " - Tu daca ai avea firma ta i-ai da unuia care nu a muncit o zi pe ceea ce ai nevoie 5000 RON? Desi omul poate a mai citit cate ceva, daca nu a lucrat macar 1-2 ani cu ceea ce se cere, nu o sa se compare cu unul care a lucrat. De exemplu, cand m-am angajat ca C++ developer acum 6 ani, stiam limbajul extrem de bine. Dar ca sa vezi, nu prea era deajuns. Nu lucrasem cu sockets, multi-threading, STL, semaphores si mai stiu eu ce, pe cand cineva cu experienta probabil se lovise de cel putin o parte dintre ele. Nu cred ca cineva care nu a lucrat la o companie pe ceva anume, indiferent de ce, a petrecut aproape zilnic cateva ore sa isi dezvolte cunostiintele. Un alt exemplu, e ca inainte sa ma angajez prima oara am vrut sa lucrez ca PHP developer. Scrisesem peste 20.000 de linii de cod, aveam ceva proiecte DAR: nu scrisesem cod MVC (evident), nu lucrasem cu OOP (proiecte mici, evident), nu lucrasem cu niciun framework (la fel). Asadar, de ce sa imi dea 5000 RON pe luna cand eu ar trebui sa stau luni de zile sa invat cum trebuie lucrurile astea? " cineva care a investit timpul personal chiar si bani ca sa isi imbunatateasca cunostinte, sa obtina certificari " - Nu a investit nimeni destul din timpul personal pentru a fi la fel de bun ca cineva care a facut acel lucru 8 ore pe zi timp de 1-2 ani. Si nici nu o sa o faca nimeni. Ca mai citesti zilnic cate un articol, ca din cand in cand citesti o carte, e OK, dar nu e de ajuns. Da, dovedeste entuziasm si conteaza mult, dar nu e de ajuns. Pune-te in locul angajatorului. Cat despre HR, sau "Professional Linkedin browser", din pacate, nu au capacitatea de a trece peste anumite lucruri si de a intelege anumite lucruri. Intotdeauna o sa te lovesti de probleme cu ei si poti pierde locuri de munca bune din cauza ca ei vor considera poate ca "nu are facultate de IT, nu poate sa lucreze pe security", pentru ca ei nu inteleg ca nu exista facultate pentru asa ceva de exemplu. @Philip.J.Fry Nu stiu daca RON sau EUR, nu cred ca EUR in Romania. Da, diploma nu ar trebui sa conteze, ca nu stiu pe nimeni sa fi terminat Facultatea de Reverse Engineering si Analiza Malware in Romania, insa fara experienta mi se pare greu de crezut. Adica serios, ai da cuiva 3.7 EUR pe luna in Romania cuiva care probabil are ceva cunostiinte tehnice dobandite in timpul liber, in locul unuia care a facut asta luni de zile la cine stie ce companie care face antivirus? @gigiRoman Acum vreo 4 ani cred, am avut si eu interviu la Avira pe C++ Developer. Am avut de facut o aplicatie client-server, multithreading si cu nu stiu mai ce functionalitati in 3 ore. Am facut-o si a mers foarte bine, si ziceau cei de acolo ca majoritatea nu o fac in cele 3 ore. Apoi am avut o discutie tehnica. Toate bune si frumoase, pana sa vorbim despre antivirus. Le-am zis ca am facut un crypter, un program care ia un fisier detectabil si il face nedetectabil. Au zis ca "nu se poate, antivirusul nostru il prinde". Le-am explicat cum functioneaza si de ce nu l-ar prinde, ca se incarca in memorie bla-bla, dar nu au parut sa inteleaga. Apoi m-au intrebat: "De ce te-am angaja, de unde stim ca avand acces la codul sursa al antivirusului, nu ai dezvolta in continuare astfel de lucruri?". Am inceput sa rad si le-am zis ca nu am nevoie de codul sursa sa fac asa ceva. Nu m-au mai contactat deloc. Asadar, ca idee generala, de care m-am lovit si eu acum vreo 6 ani cand m-am angajat pe 1600 RON: NU va asteptati sa sara cu banii pe voi, pentru ca nu au de ce. In plus, nu sunteti singurele persoane care isi cauta un loc de munca in IT. Desi sunt destule job-uri, pentru pozitiile de inceput sunt foarte multi care aplica. De asemenea, banuiesc ca daca cineva lucreaza la un proiect in timpul personal, sau face ceva ca sa invete, poate mai posteaza si pe aici. Nu am vazut de ani de zile astfel de lucruri postate. Am fost si eu tanar student, si ce crezi, preferam sa stau sa scriu cod, sau sa beau pana picam din picioare?
  7. 12 points
  8. 11 points
    See you in November at DefCamp 2017 Want to experience a conference that offers outstanding content infused with a truly cyber security experience? For two days (November 9th-10th) Bucharest will become once again the capital of information security in Central & Eastern Europe hosting at DefCamp more than 1,300 experts, passionate and companies interested to learn the “what” and “how” in terms of keeping information & infrastructures safe. Now it’s getting really close: this year's conference is only months away, and that means very early bird tickets are now available. Register Now at DefCamp 2017 (50% Off) What can you expect from the 2017 edition? 2 days full of cyber (in)security topics, GDPR, cyber warfare, ransomware, malware, social engineering, offensive & defensive security measurements 3 stages hosting over 35 international speakers and almost 50 hours of presentations Hacking Village hosting more than 10 competitions where you can test your skills or see how your technology stands 1,300 attendees with a background in cyber security, information technology, development, management or students eager to learn How to get involved? Speaker: Call for Papers & Speakers is available here. Volunteer: Be part of DefCamp #8 team and see behind the scene the challenges an event like this can have. Partner: Are you searching opportunities for your company? Become our partner! Hacking Village: Do you have a great idea for a hacking or for a cyber security contest? Consider applying at the Hacking Village Call for Contests. Attendee: Register at DefCamp 2017 right now and you will benefit of very early bird discounts. Register Now at DefCamp 2017 (50% Off) Use the following code to get an extra 10% discount of the Very Early Bird Tickets by June 27th. This is the best price you will get for 2017 edition. Code: DEFCAMP_2017_VEB_10 Website: https://def.camp/
  9. 11 points
    La noi astia cu carnea, ne lasa gura apa cand vedem ce a dat albastrel. La voi astia vegani, cand vedeti stadioane cu gazon, va saliveaza gura ?
  10. 10 points
    Hai sa iti povestesc ceva, poate o sa te opresti cu postarile astea. Am apreciat in multe din postarile tale trecute (legate de programare in general) ca incercai. Pula mea, nu iesea ceva, postai aici. Parea ca o sa ajungi undeva si ca o iei pe un drum okay. Acum daca ma uit in istoricu' postarilor tale, ai asa (ordine aleatoare): - fitness - PPI (sau cum pula mea se cheama cacatu' ala cu click-uri) - stomatologie - off-shores / dropshipping - forex - contabilitate - site de iteme cs-go - etc... Toate cele de mai sus intr-un interval super scurt. Acu' na, nu e nevoie sa ma asculti, majoritatea de aici stiu ca fac multa caterinca, stiu ca sunt un retardat, handicapat, prost si ca ma doare-n pula de absolut orice exista pe planeta asta in special tigani, biserica si politica. Unde vreau sa ajung cu asta? Cois, treziti-va "an" pula mea! Terminati cu forex / ppi / fbi / nsa / plm / fmm etc. Sau tineti-va in moloz de una din ele si bagati pana vedeti ca iese banu' sau ca esuati. Mai ales astia care aveti cate ceva la mansarda si puteti sa profitati de pe urma asta. Mi-aduc aminte ca si eu eram asa: - mama ce idee de aplicatie am. Devin milionar. - sa-mi bag pula ce idee mi-a venit, gata rup google apps - bag pula-n ea programare, ma apuc de poker. - ma fac futangiu pe macarale Si am tinut-o asa vreun an ca sa realizez ca eram un lache de doi lei (bine, si acum sunt) care nu facuse nimic, pierdea timpu' in pula cu satelitu' si cam atat. M-am oprit, m-am axat pe progra & stuff si acum ma doare in pula, fac ce-mi place si fac misto cu @fallen_angel @Gecko @badluck @aelius etc... pe chat cat sunt la birou pentru ca totu' mi se pare lejer si usor si fain. Unde sunt trilionarii ? Sunt peste tot man, doar ca ei nu deschid 9 topicuri pe luna, fiecare din ele avand un subiect total diferit. Baga-ti mintile in cap si revin-o in pula mea cu picioarele pe pamant. //PS: e misto sa pui intrebari, sa vrei sa stii chestii s.a.m.d... insa asta o poti face pe chat, in timpu' liber, cand iei o pauza de la ceea ce conteaza cu adevarat. In viata nu le poti avea pe toate //PS2: Pentru cei plictisiti de postarea mea, luati aici:
  11. 10 points
  12. 9 points
    http://recordit.co/GTIROeGtVr
  13. 9 points
    Cu ocazia aniversarii a zece ani de FileList, au decis sa lanseze mai multe surprize, unda dintre acestea fiind: Toate bune si frumoase, doar ca, daca esti tampit ca mine si ai gasit prima data giftbox-ul la ora 5 dimineata (sau pentru oamenii normali, esti ocupat) si nu ai cum sa verifici la 24 de ore, vei pierde din premii*. Si cum suntem cu totii 0xH4X0R1 pe aici am decis sa fac un mic script in PowerShell (daca am chef/rabdare il voi face si in Python) care sa se ocupe de problema: Mod de utilizare: Copy - Paste la cod intr-o fereastra de PowerShell apoi rulati Invoke-FileListGetGift. Salvati codul intr-un fisier *.ps1 apoi din PowerShell ii faceti source: adica scrieti in consola ". .\NumeFisier.ps1" (atentie la punctul din fata - e ca la bash) apoi rulati Invoke-FileListGetGift. Daca doriti sa vedeti mesajele de debug setati $DebugPreference = "Continue" in consola din care rulati apoi apelati Invoke-FileListGetGift.
  14. 9 points
  15. 9 points
    Hello everyone. I joined this community a while ago; I have/had been a lurker for even longer. A huge part of what made the hacker community what it was (and what it is here) involves a willingness to share knowledge (without spoonfeeding). I would feel remiss if I gained so much from so many of you and did not give something back on occasion. What follows are anecdotes, opinions and observations I can share after almost 7 years working professionally in the InfoSec/Netsec field. Most of my work in this sphere has been anchored in Penetration Testing. Even when my official designation was Network Security Analyst, I spent most of those 3 years in engagements against PCI environments utilized for subcontracting work from Comcast, Verizon, Time Warner, Sprint and AT&T (to name a few of my former employers clients). Currently, I manage the Cybersecurity Lab of an International company that employees over 200,000 employees. Most of my work in my current position involves Penetration Testing (every type imaginable, including focused blackbox testing against embedded devices and the network/control structures surrounding them). I am also a lead point of contact for our international teams during remediation and triage of major security threats, incidents and breaches. For example, I was the my company’s head analyst for the recent Shamoon 2.0 attacks (W32.DisttrackB/W97M.Downloader) last February, as well as the recent Wannacry outbreak. I also serve in a Security Engineer capacity, as I am regularly asked to evaluate facets of our products and provide feedback and opinions on the security ramifications involved. I am extremely busy and wanted to give back what I have taken thus far, so this is going to be long... Here goes nothing: 1) I am completely self taught (meaning I acquired no college/formal education to get where I am). That being said, a solid Computer Science degree is invaluable as a base (I would generally avoid Cybersecurity degrees and go for CS ), and even the degree itself will open doors into this business. Also, I work alongside high-level engineers (CS and Electrical Engineering PhDs); what they can do in a short period of time once they take an interest in InfoSec/NetSec is frightening. 2) That leads me to this: to be great in this industry ( or great for this industry), I believe that InfoSec/NetSec has to become a lifestyle,not just a job. I easily work 80+ hours a week (every week) between work, further study and skills building. And I love just about every minute of it. There is a huge need for InfoSec/NetSec professionals,which I feel is going to lead to a flood of low knowledge, low passion, low skill hiring. Anyone trying to get into this industry for the cash alone is going to have a rude awakening: there are probably lower pressure, lower work hour ways to earn the same money doing something that actually interests you.. Also, those of us really invested in these arts can pretty easily spot our own. 3) Learn to study, and learn to love the act of studying. Much of this job is continual study; eventually, when presented with an issue youare ignorant of, you will feel confident in knowing that you can find the answers you need. Break the issue into small, manageable pieces (goals really), and put the pieces together until you can view the whole answer. 4) Most of my success in this industry has been due to a willingness to work hard, persevere and never give up. Ever. Most of this job is the creative solving of problems that do not or may not have any easy answer (or any answer at all…yet). You have to build a no retreat, no surrender, obsessive need to conquer problems. 5) I specialize in network penetration, though I have become fairly well rounded. To me, network penetration is the art of acquiring advantages. During an engagement, I am always looking to acquire advantages. I study and train to better recognize and maximize the resources within an environment that allow me to gain those advantages. Gaining these advantages are more a product of knowledge and experience then an application of tools. 6) I am also looking to be efficient; the best penetration tests replicate real world attacks. In that vein, each action you take raises the probability that you will be detected. For hackers and freedom fighters engaged in illegal activity,you may want to consider the latter a bit. Once you make ingress and launch any manner of offensive action, you have escalated the legal ramifications of your trespass by multiple magnitudes. Also remember that the probability of you getting caught and prosecuted is never 0.00%: you have to be prepared, you have to be careful, you have to be patient and you have to prepare contingencies. 7) I use a measurement/assessment of risk vs. reward to make each action within the network as efficient as possible; by percentages,losing a queen to take a rook is generally a loser’s bet. The best way I’ve learned to temper a careful approach is with an old sales slogan (“ Always be closing the deal”, which I modified to “Always be advancing your position(s)”). 7) I try as much as possible to engage a target as a stalking, ambush predator: I move carefully and try to use the environment to hide myself as I seek to exploit the target/objectives lack of awareness. I work to remain patient and identify/quantify as many of the variables of the current environment/situation as possible. Sometimes the best decision you can make is to slow down or hold your current position for a bit; watching Tcpdump or Wireshark while thinking on a better move is still advancing your position. 8) To lower the probability of detection (whenever possible) I attempt to attack, enumerate or probe from an obfuscated position. Configuring your attack host/node for the highest probability of situational anonymity (using tunneling, proxies, encapsulation ,etc.) is infinitely useful in pentesting, hacking and/or general security/privacy. Mastering the manipulation of proxy, tunneling and encapsulation protocols (which involves a deep understanding of networking/TCP/UDP) almost lends you quasi-magical invisibility and teleportation powers when involved in network penetration. Obfuscation itself is one of 10,000 reasons why experience/knowledge in the disciplines of networking, OS and programming combined with security research are such huge advantages (and another reason why if you take up this path you may never stop learning). 9) Learn to use every tool you can, but more importantly, learn why the tool works. If you work in/at exploitation long enough, the principles governing the tools will help you exploit a box someday,regardless of whether you use that particular tool to get the wanted/needed result.. 9) Knowledge/experience over tool use is especially important today: regardless of what many sites say, you will not find many enterprise/corporate networks today (as a professional penetration tester at least) where there are gross configurations/deployments leading to an easy, out of the box (deploy tool== Meterpreter) exploitation. 10) When training for a fight, professional mixed martial artists put themselves in the worst possible positions so they react properly when the fight is underway. Eventually, training/practicing your exploitation/research techniques the same way will be a huge boon in engagements, POCs (or in the wild). I especially like to round difficulty up during research; it is difficult for someone else to minimize your findings if you have added (and circumvented) greater security measures than the norm (rather than having reduced them). 11) Most of my exploitation of networks in the last couple years have been a process of discovering network misconfigurations and weaknesses (especially in Windows firewall, Programs and Features, LGPO/GPO policies and/or IE/Internet Options within Window Domains/Networks) or information leaks that I locate online or through DNS enumeration that ultimately leads to my gaining access to a host. From there, remote exploitation (toward post exploitation/privilege escalation/pivoting) will often occur This is largely when knowledge of things such as Powershell (leveraged by itself or tools like Powersploit/CrackMapExec/PsExec/Empire) become invaluable (in Windows networks). I have actually been finding easier remote exploits when attacking Linux/Unix boxes in enterprise networks (finding Solaris with Apache Tomcat during enumeration still springs hope eternal in my human breast). Many (actually, maybe all) of these companies are/were new at deploying Unix/Linux boxes in their networks and were making some serious mistakes with deployment. 12) Enumeration is the most important part of an engagement to me. You should get used to enumeration without automated tools; I love Nmap, but many times it is not feasible to usewithin the customer’s network (network overhead issues, the chance of detection by IIDS, the chance of breaking PLCs or other embedded devices, etc.). In cases where you are on the customer’s network, tools like Wireshark, Tcpdump, knowledge of networking protocols/ports and banner grabbing are your friends. 13) For those engagements where you first need to gain access to the network, you definitely have more room for running some louder tools: I love Fierce (and DNS enumeration in general) as it often presents my way in. Google dorking is still also an incredible tool, as is Firefox with the right set of extensions (Hackbar, Tamperdata, Wappalyzer, BuiltWIth, Uppity, IP Address and DOmain Information, etc,.). Who loves Dirbuster in these cirumstances? This carbon/caffeine based lifeform right here. Whether you are pentesting, bughunting or hacking/freedom fighting, a paid Shodan subscription will($50) is worth every cent. The capacity to make exacting, accurate searches for greater than five pages has helped me in more engagements/bughunts than I can remember. 14) When I am explaining why a config/setting/LGPO /GPO (etc.) is a security risk to a client or my fellow employees, I like to explain that many of the advantages I look for in my environment are most often advantages that are needlessly provided to me. If it does not break key functionality or seriously impede efficiency/development time, than it is in their best interest to deny me as many advantages as possible, even when the advantages appear as if they are minutia. When dealing with a client or non-security fellow employees,you should work to create a relationship of mutual help and teamwork. I am not there to rub their noses in there crap; I am there to help improve their security so the company can prosper. This is partially a customer service gig where solutions (remediation/counter measures) are more beneficial to the customer than the exploitation itself. Whenever possible, I like to end the post-exploitation/penetration test conversation/meeting/presentation with the attitude that I am here to help fix these issues , how can WE best close these gaps? How can I help make your (or our) company safer, so that we can become more prosperous? 15) I personally despise Microsoft (and many proprietary products/companies) on many levels, but when it comes to work, I am platform agnostic. Whatever tool is needed to complete the mission is the tool I am going to employ. However, whenever possible without jeopardizing the mission, I am going to employ an Open Source/Unix/Linux-centric solution. I work hard to show my company the value in Open Source. The way to show that value isn’t to be the super Unix/Linux/GPL neckbeard who constantly bemoans proprietary software./platforms. The best way (for me), is to show how effective the strategy involving the Open Source tool is. Then, in my report, I explain the business hook of using Open Source (if the tool is free for commercial use). I am sensitive to companies taking Open Source tools and turning them into something proprietary. However, if I can make my company (which is both huge and almost universally recognized as ethical, which is rare) see the value in Open Source, I know they will eventually incorporate Open Source into the support packages for their products (which they have while keeping the tools ad the license in tact). This than spreads the value of Open Source to smallercompanies who see it being trusted by a much larger company. 16) I have tens of thousands of dollars worth of licenses atmy disposal. However, I will never use tools like Nexpose, Nessus, Canvas orMetasploit Pro unless the project, client, or a governing body specificallyrequire them. I believe these tools develop poor habits. Obviously, if a project such as evaluating an entire domain of IP/hosts for vulnerabilities is my task, I am going to use Nessus. However, (whenever a time/project permits, which they most often do) I am going to evaluate the findings (and search for other vulnerabilities) manually. 17) The ultimate goal should be reliance on nothing more than a Linux/Unix Terminal, some manner of network access and a programming language. One of my favorite exploitation tools is my Nexus 7 2013 flo tablet (running a modified version of Nethunter) and a Bluetooth folio keyboard ( I got the idea from n-o-d-e, https://www.youtube.com/watch?v=hqG8ivP0RkQ44) as the final product is a netbook that fits in a jacket pocket). I have exploited some seriously huge clients with thislittle rig (for ingress and a quick root shell, WPS on network/enterpriseprinters and knowledge PCL/PJL/Postscript are often your friend). I have also exploited other customers with a cheap UMX smartphone with 5 gigs of storage, 1 gb of memory and GNUroot Debian (Guest Wifi access from the parking lot or an onsite public restroom, human nature, and Responder.py analyze mode, followed by WPAD, LLMNR and NetBios poisoning with NTLMv1 and LM authorization downgradefor the win). 18) During (red team, onsite, etc.) engagements, even when the ultimate target of the engagement is located on a hardwired network with heavy segmentation/compartmentalization (such as the conduit/zone based layouts that are general best practice in Industrial sectors), it is always worthgaining a host/node with corporate WIFI access. One thing WIFI access provides is reach: an Administrator’s (or other privileged user’s) dedicated workstation may be out of reach, but his other devices (if in scope) may be connected to Corp. WIFI for reasons such as saving data on a plan. Also, WIFI allows me attacks of opportunity even when I am doing other things. Running Responder.py on a misconfigured network’s WIFI while I am elsewise engaged is gaining me advantages (maybe clear text creds, maybe hashes, maybe NTLMv1 and LM hashes) at little cost to my time or attention. When I employ this, I like to spoof the poisoning machines hostname/mac address to something familiar on the network. If you see a bunch of hosts named “Apple” during your recon, and all of those hosts are not online, spoof the hostname/MAC to match one of the Apple machines (this will not withstand close scrutiny, but will often suffice with a little work). It always helps to watch and take note on the norms of the network traffic and protocols. Try to match this as much as possible (this will likely help you avoid IDS/IPS, firewall rules, etc.) and whatever traffic would seriously stand out, try to tunnel or encapsulate with normal network traffic/protocols. 19) This leads to two other points: A) Be prepared for the majority of people within a company who do not care about, or will minimize security issues. Do not get frustrated; I find that showing the parties involved what they stand to lose as a company from a vuln to be more effective than focusing on the vuln itself. This is where the Nexus and cheap smartphone come into play: taking the client’s domain with a laptop may scare up some results, but showing s customer that an attacker could cost them tens of millions with a $20 dollar smartphone or a $100 dollar tablet (from the parking lot) works wonders. C) I have an interest in learning to exploit everything and anything. This has served me well during network penetration tests, as many targets will defend their DCs, file servers and hosts, but not pay much attention to the printers and IoT devices within the network. D) To this end, learn to work with uncommon protocols. UPnP. NTLDNA and SSDP have been serving me well for the last couple years. Many file servers (and company smartphones/tablets when they are in scope) keep the UPnP door (and associated protocols) wide open. I once grabbed SNMP and other default network appliance creds from a fileserver through UPnP. 20) If you are going to pay for certs with your own cash, I recommend the OSCP. Yes, some of the machines/exploits are outdated. You won’t find many of the SMB remote exploits used for the course in the wild very often anymore (unless an Admin leaves a test server up, which happens occasionally). However, the overall experience, breakdown on enumeration methodology, self reliance and mindset the entire experience teaches you are invaluable. I have seen some sites peddling garbage certs with no industry recognition. Save your money for the OSCP; its profile in the industry is high and growing. Certs are no replacement for experience, but starting out with a IT/CS related degree or some general IT experience (even Helpdesk work) along with the OSCP will get you hired somewhere. 21) For persistence, I prefer adding innocuous user accounts/Remote Desktop accounts. If I am going to add some manner of privileged user account early to mid engagement, I usually try to add a more low profile account (if I have the option) such as Server Operator; these type of accounts allow privileged access you can build from, but generally are not watched with the scrutiny of an Administrator account. When I do create Administrator accounts (I try to wait until I begin my endgame), I will try to match the naming convention to similar accounts in within the network. if a For example, if the Administrator accounts within the network are named USsupervisor, I will name the added account something like USupervisor. If I know the clear text password of the account I have mimicked, I will use the same password. 22) Keep good notes during the engagement; too much information is better than to little information. Captured PCAPS of network traffic are great for examination during down time between engagements. 23) If you are a hacker, freedom fighter, or someone generally concerned about max privacy, this series of articles and configurations are for you: https://www.ivpn.net/blog/privacy-guides/advanced-privacy-and-anonymity-part-146 24) My favorite distro is Backbox; it starts out with a solid set of tools ninus the obscure bloat (and so far I have been able to add anything Kali has to Backbox). You can use Backbox's "Anonymous" option for a full transparent Tor proxy, Macchanger and host name changer and set RAM to overwrite on exit. I also keep Portable Virtualbox on a USB drive with a Kali Linux image... You could follow some of the advice here: http://www.torforum.org/viewtopic.php?f=2&t=1832020 And here: http://www.torforum.org/viewtopic.php?f=2&t=1832020 The articles above could help you create an encrypted USB with a Whonix gateway and Kali Linux workstation (you could probably exchange Kali OS in the Whonix Workstation for any Debian/Debian like OS). This configuration is disposable and concealable, and will run all of the Kali Workstation's (or other Debian/Debian like OS) through Tor. You could also create multiple other Vanilla Whonix Workstations/Gateways on the USB to create a type of local jumpbox sequencea to tunnel between/through SSH and/or VPN them before final Kali workstation. (Note: This is just a gut feeling, but for your own OpSec/security/anonymity, you are probably best replacing the Kali workstation with another Debian/Debian like distro. I have tried Katoolin in the Whonix Workstation, but I find that Katoolin often breaks i). 25) A VPS with your pentest tools installed is a valuable commodity; I call mine DeathStar, and I can call down some thunder from my Nexus 7 2013 flo (and a prepaid Wireless hotspot) from pretty much anywhere. There are some providers who do not give a damn about the traffic leaving your VM as long as you are using a VPN and a DMCA does not come their way. For hackers and freedom fighters, get your VPS from a country outside 14 Eyes countries (providers in Eastern European/former Soviet Block countries can be both dirt cheap and extremely honorable; just do your research and have tolerance for the occasional technical issue). You could pay with laundered/tumbled Bitcoin; even better are those providers who except gift cards (much like some VPN providers do)as payment. Have another party buy the gift cards a good distance away from you; you can find some of these providers who take gift cards on Low End Box. The VPS can be a valuable addition to the encrypted USB above (as you now have a host/node to catch your reverse shells without sacrificing Tor) when combined with SSH or IPsec (such as Strongswan, which is in the Debian repos). 26) Again, this post was long because I am busy, and Iwanted to make the contribution I felt I owed this site since shortly after it began. If you have technical questions concerning (or any questions in general), please post them as comments and I will definitely get you back an answer. https://0x00sec.org/t/shared-thoughts-after-6-years-in-pentesting/2492
  16. 8 points
    Salutări, Zilele trecute am făcut un audit pe o aplicaţie şi am descoperit o vulnerabilitate destul de interesantă, aşa că am zis să fac un web challenge pe partea asta. Scenariu Un programator a creat scriptul următor PHP care cere o parolă pentru a vedea conţinutul privat al site-ului: <?php $mysql = mysqli_connect("","","","") or die("Conexiune esuata la baza de date."); $par = htmlentities($_GET['par'],ENT_QUOTES); if(strlen($par) > 0) { $sql = $mysql->query("select * from passwords where password='$par'"); if($sql->num_rows > 0) { //continut privat }else{ echo "Parola nu a fost gasita in baza de date."; } }else{ echo "Se asteapta parola in parametrul GET <strong>par</strong>."; } După terminarea scriptului, el a adăugat în MySQL comanda următoare, uitând să completeze câmpul de parolă: INSERT INTO `passwords` (`ID`, `password`) VALUES (1, ''); În final, programatorul a făcut publică aplicaţia la adresa următoare: http://dragos.interinfo.ro/rst/chall/ Cerinţă Scopul exerciţiului este ca să treceţi de filtrările PHP şi să afişaţi conţinutul privat. Detalii tehnice scriptul este acelaşi şi pe host userul MySQL are doar drept de select şi are acces doar pe baza de date dedicată exerciţiului După ce aţi rezolvat Trimiteţi-mi un PM cu mesajul afişat în cadrul conţinutului privat şi linkul final şi vă voi adăuga în lista de mai jos. Cine a rezolvat până acum: - adicode - aleee - caii - dancezar - DLV - Gecko - Hertz - kandykidd - Matasareanu - Nytro - Pintilei - pr00f - Silviu - Sim Master - SirGod - theandruala - u0m3 - xenonxsc - yukti
  17. 8 points
    1. What the actual fuck?!? 2. Ai cerut pareri dar apoi te apuci sa contrazici omul. E parerea lui, take it or leave it (asa cum o ai pe a ta). 3. Daca te plictisesti mergi si taie frunze la caini. (couldn't resist!)
  18. 8 points
    @Gushterul Offtopic: Da. A avut o perioada pe la inceputul anului, cand nu prea s-a simtit bine, dar acum este in regula. Actualizez pe blog ce mai face, insa nu asa des ca inainte, pentru ca acum face tomografiile o data la 6 luni, nu la 3 luni ca inainte. De pe la inceputul lui 2016 am eu grija de el cu cheltuielile, asa cum este si normal, sa nu-i lipseasca vitamina C si alte lucruri care-i pot prelungi viata. Stateam si ma gandeam la o chestie: sunt persoane care s-au operat odata cu el, o singura data, nu de doua ori ca el si care intre timp nu mai sunt printre noi. Au urmat si ele acelasi tratament ca tata, insa, din pacate, nu a fost sa fie. Asta inseamna ca poate toate lucrurile alea pe care le-am discutat impreuna si le-am cumparat cu voi, baieti destepti, l-au ajutat sa fie in viata si acum. O sa va respect toata viata pentru ce ati facut pentru el si va mai multumesc inca o data acum.
  19. 8 points
    https://www.it-sec-catalog.info/ Available from https://it-sec-catalog.info/ and https://www.gitbook.com/book/arthurgerkis/it-sec-catalog. About this project This is a catalog of links to articles on computer security — software and hardware analysis and vulnerability exploitation, shellcode development and security mitigations, including computer security research, and malware stuff. Slides are not included (there is other project for that). Advisories without much details are also not included. All articles are only in English. Project is running since 2010. Author and contributors Author of this project: Arthur (ax330d) Gerkis, contributors: Nitay Artenstein, Joe (j0echip) Chip. Thanks to everyone who helped with the project.
  20. 8 points
    Magnificent app which corrects your previous console command https://github.com/nvbn/thefuck
  21. 8 points
    [h=2]Awesome Penetration Testing[/h] A collection of awesome penetration testing resources, tools, books, confs, magazines and other shiny things Online Resources Penetration Testing Resources Shell Scripting Resources Linux Resources Shellcode development Social Engineering Resources Lock Picking Resources [*] Tools Penetration Testing Distributions Basic Penetration Testing Tools Vulnerability Scanners Network Tools Hex Editors Crackers Windows Utils DDoS Tools Social Engineering Tools Anonimity Tools Reverse Engineering Tools [*] Books Penetration Testing Books Hackers Handbook Series Network Analysis Books Reverse Engineering Books Malware Analysis Books Windows Books Social Engineering Books Lock Picking Books [*]Vulnerability Databases [*]Security Courses [*]Information Security Conferences [*]Information Security Magazines [*]Awesome Lists [*]Contribution [*]License [h=3][/h][h=3]Online Resources[/h] [h=4]Penetration Testing Resources[/h] Metasploit Unleashed - Free Offensive Security metasploit course PTES - Penetration Testing Execution Standard OWASP - Open Web Application Security Project OSSTMM - Open Source Security Testing Methodology Manual [h=4]Shell Scripting Resources[/h] LSST - Linux Shell Scripting Tutorial [h=4]Linux resources[/h] Kernelnewbies - A community of aspiring Linux kernel developers who work to improve their Kernels [h=4][/h][h=4]Shellcode development[/h] Shellcode Tutorials - Tutorials on how to write shellcode Shellcode examples - Shellcodes database [h=4][/h][h=4]Social Engineering Resources[/h] Social Engineering Framework - An information resource for social engineers [h=4][/h][h=4]Lock Picking Resources[/h] Schuyler Towne channel - Lockpicking videos and security talks [h=3][/h][h=3]Tools[/h] [h=4][/h][h=4]Penetration Testing Distributions[/h] Kali - A Linux distribution designed for digital forensics and penetration testing NST - Network Security Toolkit distribution Pentoo - security-focused livecd based on Gentoo BackBox - Ubuntu-based distribution for penetration tests and security assessments [h=4]Basic Penetration Testing Tools[/h] Metasploit - World's most used penetration testing software Burp - An integrated platform for performing security testing of web applications [h=4]Vulnerability Scanners[/h] Netsparker - Web Application Security Scanner Nexpose - Vulnerability Management & Risk Management Software Nessus - Vulnerability, configuration, and compliance assessment Nikto - Web application vulnerability scanner OpenVAS - Open Source vulnerability scanner and manager OWASP Zed Attack Proxy - Penetration testing tool for web applications w3af - Web application attack and audit framework Wapiti - Web application vulnerability scanner [h=4][/h][h=4]Networks Tools[/h] nmap - Free Security Scanner For Network Exploration & Security Audits tcpdump/libpcap - A common packet analyzer that runs under the command line Wireshark - A network protocol analyzer for Unix and Windows Network Tools - Different network tools: ping, lookup, whois, etc netsniff-ng - A Swiss army knife for for network sniffing Intercepter-NG - a multifunctional network toolkit [h=4]SSL Analysis Tools[/h] SSLyze - SSL configuration scanner [h=4]Hex Editors[/h] HexEdit.js - Browser-based hex editing [h=4]Crackers[/h] John the Ripper - Fast password cracker Online MD5 cracker - Online MD5 hash Cracker [h=4]Windows Utils[/h] Sysinternals Suite - The Sysinternals Troubleshooting Utilities Windows Credentials Editor - security tool to list logon sessions and add, change, list and delete associated credentials [h=4]DDoS Tools[/h] LOIC - An open source network stress tool for Windows JS LOIC - JavaScript in-browser version of LOIC [h=4]Social Engineering Tools[/h] SET - The Social-Engineer Toolkit from TrustedSec [h=4]Anonimity Tools[/h] Tor - The free software for enabling onion routing online anonymity I2P - The Invisible Internet Project [h=4]Reverse Engineering Tools[/h] IDA Pro - A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger WDK/WinDbg - Windows Driver Kit and WinDbg OllyDbg - An x86 debugger that emphasizes binary code analysis [h=3]Books[/h] [h=4]Penetration Testing Books[/h] The Art of Exploitation by Jon Erickson, 2008 Metasploit: The Penetration Tester's Guide by David Kennedy and others, 2011 Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014 Rtfm: Red Team Field Manual by Ben Clark, 2014 The Hacker Playbook by Peter Kim, 2014 The Basics of Hacking and Penetration Testing by Patrick Engebretson, 2013 Professional Penetration Testing by Thomas Wilhelm, 2013 Advanced Penetration Testing for Highly-Secured Environments by Lee Allen,2012 Violent Python by TJ O'Connor, 2012 Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton, Adam Greene, Pedram Amini, 2007 [h=4]Hackers Handbook Series[/h] The Shellcoders Handbook by Chris Anley and others, 2007 The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011 iOS Hackers Handbook by Charlie Miller and others, 2012 Android Hackers Handbook by Joshua J. Drake and others, 2014 The Browser Hackers Handbook by Wade Alcorn and others, 2014 [h=4]Network Analysis Books[/h] Nmap Network Scanning by Gordon Fyodor Lyon, 2009 Practical Packet Analysis by Chris Sanders, 2011 Wireshark Network Analysis by by Laura Chappell, Gerald Combs, 2012 [h=4]Reverse Engineering Books[/h] Reverse Engineering for Beginners by Dennis Yurichev (free!) The IDA Pro Book by Chris Eagle, 2011 Practical Reverse Engineering by Bruce Dang and others, 2014 Reverse Engineering for Beginners [h=4]Malware Analysis Books[/h] Practical Malware Analysis by Michael Sikorski, Andrew Honig, 2012 The Art of Memory Forensics by Michael Hale Ligh and others, 2014 [h=4]Windows Books[/h] Windows Internals by Mark Russinovich, David Solomon, Alex Ionescu [h=4]Social Engineering Books[/h] The Art of Deception by Kevin D. Mitnick, William L. Simon, 2002 The Art of Intrusion by Kevin D. Mitnick, William L. Simon, 2005 Ghost in the Wires by Kevin D. Mitnick, William L. Simon, 2011 No Tech Hacking by Johnny Long, Jack Wiles, 2008 Social Engineering: The Art of Human Hacking by Christopher Hadnagy, 2010 Unmasking the Social Engineer: The Human Element of Security by Christopher Hadnagy, 2014 [h=4][/h][h=4]Lock Picking Books[/h] Practical Lock Picking by Deviant Ollam, 2012 Keys to the Kingdom by Deviant Ollam, 2012 [h=3]Vulnerability Databases[/h] NVD - US National Vulnerability Database CERT - US Computer Emergency Readiness Team OSVDB - Open Sourced Vulnerability Database Bugtraq - Symantec SecurityFocus Exploit-DB - Offensive Security Exploit Database Fulldisclosure - Full Disclosure Mailing List MS Bulletin - Microsoft Security Bulletin MS Advisory - Microsoft Security Advisories Inj3ct0r - Inj3ct0r Exploit Database Packet Storm - Packet Storm Global Security Resource SecuriTeam - Securiteam Vulnerability Information CXSecurity - CSSecurity Bugtraq List Vulnerability Laboratory - Vulnerability Research Laboratory ZDI - Zero Day Initiative [h=3][/h][h=3]Security Courses[/h] Offensive Security Training - Training from BackTrack/Kali developers SANS Security Training - Computer Security Training & Certification Open Security Training - Training material for computer security classes CTF Field Guide - everything you need to win your next CTF competition [h=3]Information Security Conferences[/h] DEF CON - An annual hacker convention in Las Vegas Black Hat - An annual security conference in Las Vegas BSides - A framework for organising and holding security conferences CCC - An annual meeting of the international hacker scene in Germany DerbyCon - An annual hacker conference based in Louisville PhreakNIC - A technology conference held annually in middle Tennessee ShmooCon - An annual US east coast hacker convention CarolinaCon - An infosec conference, held annually in North Carolina HOPE - A conference series sponsored by the hacker magazine 2600 SummerCon - One of the oldest hacker conventions, held during Summer Hack.lu - An annual conference held in Luxembourg HITB - Deep-knowledge security conference held in Malaysia and The Netherlands Troopers - Annual international IT Security event with workshops held in Heidelberg, Germany Hack3rCon - An annual US hacker conference ThotCon - An annual US hacker conference held in Chicago LayerOne - An annual US security conerence held every spring in Los Angeles DeepSec - Security Conference in Vienna, Austria SkyDogCon - A technology conference in Nashville [h=3][/h][h=3]Information Security Magazines[/h] 2600: The Hacker Quarterly - An American publication about technology and computer "underground" Hakin9 - A Polish online, weekly publication on IT Security [h=3]Awesome Lists[/h] SecTools - Top 125 Network Security Tools C/C++ Programming - One of the main language for open source security tools .NET Programming - A software framework for Microsoft Windows platform development Shell Scripting - Command-line frameworks, toolkits, guides and gizmos Ruby Programming by @SiNdresorhus - JavaScript in command-line Node.js Programming by @vndmtrx - JavaScript in command-line Python tools for penetration testers - Lots of pentesting tools are written in Python Python Programming by @svaksha - General Python programming Python Programming by @vinta - General Python programming Andorid Security - A collection of android security related resources Awesome Awesomness - The List of the Lists [h=3][/h][h=3]Contribution[/h] Your contributions and suggestions are heartily? welcome. (????) [h=3][/h][h=3]License[/h] This work is licensed under a Creative Commons Attribution 4.0 International License Sursa: https://github.com/enaqx/awesome-pentest
  22. 8 points
    Am reusit sa fac rost de mai multe informatii de la o sursa sigura. Aparent baietii au reusit sa extraga date destul de importante dintr-un server MySQL. Informatia era destul de importanta deoarece turneul de Solitaire era in derulare iar baza de date ce au extras-o continea evidenta scorurilor angajatilor. Revin cu update-uri cand mai primesc informatii.
  23. 8 points
    "Cu ocazia percheziţiilor efectuate au fost indentificate şi ridicate mai multe sisteme informatice, harduri interne şi externe, smartphone-uri, stick-uri şi carduri de memorie, suporţi optici de tip CD/DVD, utilizate în activitatea infracţională" "harduri", ce limbaj profesional. 2017, CD/DVD, atac informatic... Nu era tocmai muzica buna pe Țedeu. A.S.I.A. - Suna Periculos trebuia sa le dea de gandit...
  24. 8 points
    How to defend your website with ZIP bombs the good old methods still work today Posted by Christian Haschek on 2017-07-05 [update] I'm on some list now that I have written an article about some kind of "bomb", ain't I? If you have ever hosted a website or even administrated a server you'll be very well aware of bad people trying bad things with your stuff. When I first hosted my own little linux box with SSH access at age 13 I read through the logs daily and report the IPs (mostly from China and Russia) who tried to connect to my sweet little box (which was actually an old ThinkPad T21 with a broken display running under my bed) to their ISPs. Actually if you have a linux server with SSH exposed you can see how many connection attempts are made every day: grep 'authentication failures' /var/log/auth.log Hundreds of failed login attempts even though this server has disabled password authentication and runs on a non-standard port Wordpress has doomed us all Ok to be honest, web vulnerability scanners have existed before Wordpress but since WP is so widely deployed most web vuln scanners include scans for some misconfigured wp-admin folders or unpatched plugins. So if a small, new hacking group wants to gain some hot cred they'll download one of these scanner things and start testing against many websites in hopes of gaining access to a site and defacing it. Sample of a log file during a scan using the tool Nikto This is why all server or website admins have to deal with gigabytes of logs full with scanning attempts. So I was wondering.. Is there a way to strike back? After going through some potential implementations with IDS or Fail2ban I remembered the old ZIP bombs from the old days. WTH is a ZIP bomb? So it turns out ZIP compression is really good with repetitive data so if you have a really huge text file which consists of repetitive data like all zeroes, it will compress it really good. Like REALLY good. As 42.zip shows us it can compress a 4.5 peta byte (4.500.000 giga bytes) file down to 42 kilo bytes. When you try to actually look at the content (extract or decompress it) then you'll most likely run out of disk space or RAM. How can I ZIP bomb a vuln scanner? Sadly, web browsers don't understand ZIP, but they do understand GZIP. So firstly we'll have to create the 10 giga byte GZIP file filled with zeroes. We could make multiple compressions but let's keep it simple for now. dd if=/dev/zero bs=1M count=10240 | gzip > 10G.gzip Creating the bomb and checking its size As you can see it's 10 MB large. We could do better but good enough for now. Now that we have created this thing, let's set up a PHP script that will deliver it to a client. <?php //prepare the client to recieve GZIP data. This will not be suspicious //since most web servers use GZIP by default header("Content-Encoding: gzip"); header("Content-Length: ".filesize('10G.gzip')); //Turn off output buffering if (ob_get_level()) ob_end_clean(); //send the gzipped file to the client readfile('10G.gzip'); That's it! So we could use this as a simple defense like this: <?php $agent = lower($_SERVER['HTTP_USER_AGENT']); //check for nikto, sql map or "bad" subfolders which only exist on wordpress if (strpos($agent, 'nikto') !== false || strpos($agent, 'sqlmap') !== false || startswith($url,'wp-') || startswith($url,'wordpress') || startswith($url,'wp/')) { sendBomb(); exit(); } function sendBomb(){ //prepare the client to recieve GZIP data. This will not be suspicious //since most web servers use GZIP by default header("Content-Encoding: gzip"); header("Content-Length: ".filesize('10G.gzip')); //Turn off output buffering if (ob_get_level()) ob_end_clean(); //send the gzipped file to the client readfile('10G.gzip'); } function startsWith($haystack,$needle){ return (substr($haystack,0,strlen($needle)) === $needle); } This script obviously is not - as we say in Austria - the yellow of the egg, but it can defend from script kiddies I mentioned earlier who have no idea that all these tools have parameters to change the user agent. Sooo. What happens when the script is called? Client Result IE 11 Memory rises, IE crashes Chrome Memory rises, error shown Edge Memory rises, then dripps and loads forever Nikto Seems to scan fine but no output is reported SQLmap High memory usage until crash (if you have tested it with other devices/browsers/scripts, please let me know and I'll add it here) Reaction of the script called in Chrome If you're a risk taker: Try it yourself Sursa: https://blog.haschek.at/post/f2fda
  25. 8 points
    Salut, Am vrut sa lucrez ceva in .NET si fiind inspirat de encoderul de pe Crypo.com si de toolul lui Gecko am decis sa scriu aceasta aplicatie. E simplu de folosit si isi face treaba... Suporta urmatorii algoritmi: Reverse Hexadecimal Binary ASCII Base64 Caesar MD5 SHA RC4 AES ROT13 ATOM128 Aici aveti un screenshot cu aplicatia: http://i.imgur.com/XgxdTTL.png Download de pe site-ul meu: http://adrenalinetech.xyz/downloads/CipherGuru/ Sursa pe github: https://github.com/adrenalinetech/CipherGuru Daca aveti nemultumiri sau vreti sa adaug un algoritm va rog sa imi spuneti. Multumesc.
×