_XaXaXa_

Members - Posts: 25
About _XaXaXa_

  • Birthday 01/01/1987

  1. Introduction
     In a previous post, I presented the main techniques used to hack Tor networks and de-anonymize Tor users. Law enforcement and intelligence agencies consider “de-anonymization” of Tor users a primary goal. Authorities can try to implement techniques to break the encryption used to anonymize the traffic, or to exploit vulnerabilities in one of the software modules that allows anonymizing the user’s online experience. There is also another option for authorities: to try secretly to destroy the overall Tor architecture, or to attack the hidden services to interfere with the traffic that flows to them.

     Operation Onymous
     Since the publication of the last post, a blow was dealt by the authorities to the cybercriminals that use the Tor network for illegal purposes. Police and intelligence agencies in a joint effort conducted the takedown of several illegal marketplaces as part of Operation Onymous. Coordinated by Europol’s European Cybercrime Centre (EC3), Operation Onymous hit the criminal organizations that exploited the Tor network to manage black markets. The operation is considered an important success in the fight against cybercrime, but many experts have begun to question how law enforcement was able to locate the servers hosting hidden services and the operators who ran the illegal activities. The developers of the Tor Project published an interesting blog post titled “Thoughts and Concerns about Operation Onymous”, in which they explained the possible techniques adopted by authorities to locate the hidden services and de-anonymize the operators that managed the most popular black markets, including Silk Road 2.0. “Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used,” states the post.

     The principal assumptions that have been made about the possible attack scenarios implemented by law enforcement are:
       • Lack of operational security of hidden services
       • Exploitation of bugs in the web application
       • Bitcoin de-anonymization
       • Attacks on the Tor network

     The members of the Tor Project highlighted that the police have compromised the anonymity of the location of the servers behind the hidden services due to the lack of one of the following conditions:
       • The hidden service must be properly configured.
       • The web server should not be vulnerable: this means that it must not be affected by any flaw and must be properly configured.
       • The web application should have no flaws.

     An attacker that is able to exploit a vulnerability in the web server or in the web application (e.g. the e-commerce system exposed by the operators to offer the illegal products) could easily hack the targeted hidden service. In summary, to de-anonymize Tor users it is possible to compromise a poorly configured server or the web application it exposes; there is no need to search for and exploit an alleged vulnerability in the Tor architecture. By exploiting a vulnerability in a third-party application used by a dark marketplace, it is possible to install a backdoor on the server, revealing its location and the identities of its operators. Another possibility for law enforcement is to infect the machine of one of the alleged administrators with spyware. The computer could then be located through ordinary investigations.

     Whole article at: Hacking the Tor Network: Follow Up - InfoSec Institute
  2. Article PDF: http://www.secniche.org/blackhat-2014/blackhat_2014_briefings_whitepaper_exp_cc_flaws_adityaks.pdf
  3. Facenama - Iranian Facebook clone. Source + link to dump data: ?? ??? ??? ??? Language: Persian Enjoy!
  4. XBox SDK Download link: https://mega.co.nz/#!iEhAETgQ!EUMxhVRGl4ENGfGmWIPmLEPNieuA5Z5TzNOxhkrFjaA XBox SDK Doc: https://mega.co.nz/#!fMwl1JII!WGYUzY64RMNe1I1f_xszEBQYIZTSf9wY1z8LCffdOi4 Enjoy!
  5. _XaXaXa_

    Hi

    Recommend 2 or 3 books to the lad, too
  6. Use real tools ) not kiddie stuff )))) And I forgot to mention, it only works for grabbing your grandma's traffic from '44, when there was no SSL/TLS. ))) If SSL/TLS traffic gets into it, it takes a buffer overflow ))) That application is a million years old )))))
  7. Tested, still works. Enjoy. Source: Exploit Monday: Windows File Confusion: Masquerading Unsigned Binaries as Signed Ones

     Could it be? A non-PowerShell related blog post?

     A while ago, Mark Baggett (@MarkBaggett) tipped me off to a technique that he had seen malware using in the wild. He explained that if you could manage to execute an unsigned binary with the same name as a signed binary (but with trailing white space), it would take on the code signature of the legitimate binary. I was obviously intrigued.

     This posed a bit of a challenge though, because Windows automatically strips trailing white space from file names. I eventually figured out how to bypass this slight restriction by echoing the contents of my binary using `type` to a path prefixed with \\?\. For example, to name the file "evil.exe" to "calc.exe   " (note the three trailing spaces), you would do the following:

         type evil.exe > "\\?\C:\Windows\System32\calc.exe   "

     Great. We now have an unsigned binary with trailing white space. Now how does one execute it? As is demonstrated by the following screenshot, there is no longer a file association with the binary and Windows doesn't know how to load it. I asked some friends for ideas on how to execute it and Chris Campbell (@obscuresec) had the genius idea to execute it via its 8.3 file name. Trying to call it directly from cmd.exe with its 8.3 file name unfortunately opened the original, signed calc. However, executing it with the Create method of the Win32_Process WMI class worked like a champ! This was accomplished with the following WMIC command:

         wmic process call create C:\Windows\System32\CALC~1.exe

     The following screenshot demonstrates the steps necessary to create a binary with trailing white space and consequently execute it.

     Upon executing the unsigned file masquerading as the original calc.exe, you notice something amusing: when viewed in Process Explorer, the signed calc.exe is mistaken for the unsigned one, and Process Explorer mistakenly reports the unsigned calc as having a valid code signature both in the process and module listings. It doesn't take long to see that something isn't right though. For example, the following differences are evident:
       • The file sizes differ.
       • The unsigned binary is a .NET executable. The original calc is not.
       • The unsigned binary is lacking the company name of "Microsoft Corporation". I tried to replicate the company name by modifying the assembly information of my unsigned binary, but it caused Process Explorer to no longer say that it was '(Verified) Microsoft Windows'.

     Another peculiarity I witnessed was that, depending upon how you referenced the file names, the hash of the unsigned binary differed. Its true hash would only be manifested by referring to its 8.3 file name.

     All in all, I would consider this technique to be more of a novelty than a serious vulnerability. For example, sigcheck detects the unsigned binary. Also, if code integrity checks are enforced (as Windows RT does), the kernel will prevent the unsigned binary from being executed. The underlying logic flaw is that Microsoft made the assumption that an executable would not have any trailing white space. As a result, the file information of the original executable (with no trailing white space) is processed rather than that of the one with trailing white space.

     You can download the binary I used in the screenshots here. All it is is a basic Windows Forms .NET executable with the calc.exe icon and assembly information.
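A defender-side check for the confusion described in the post above, as an added example (not code from Exploit Monday or this thread): it lists a directory, flags names that collapse onto an existing name once Win32 strips trailing spaces or periods, and hashes each file by its exact stored name so the impostor's real hash is seen. The directory, file names and contents in `demo()` are a constructed fixture.

```python
import hashlib
import os
import tempfile
from typing import List, Tuple

# Win32 path normalisation strips trailing spaces and periods from a file name,
# so "calc.exe   " (created through the \\?\ prefix) is opened as "calc.exe" by
# any tool that builds an ordinary path. The stored name keeps the padding, and
# that is what this detector looks for. Added example, not the article's code.
STRIPPED = " ."

def find_masquerades(names: List[str]) -> List[Tuple[str, str]]:
    """(padded_name, shadowed_name) pairs: names that collapse onto another
    existing name once trailing spaces/periods are removed (case-insensitive)."""
    lowered = {n.lower() for n in names}
    hits = []
    for name in names:
        plain = name.rstrip(STRIPPED)
        if plain != name and plain.lower() in lowered:
            hits.append((name, plain))
    return hits

def extended(directory: str) -> str:
    """On Windows, prefix the directory with the extended-length prefix so files
    under it are opened by their exact stored name; elsewhere return it as-is."""
    if os.name == "nt" and not directory.startswith("\\\\?\\"):
        return "\\\\?\\" + os.path.abspath(directory)
    return directory

def sha256_exact(directory: str, name: str) -> str:
    """Hash the file by its exact stored name, i.e. the impostor's own hash."""
    h = hashlib.sha256()
    with open(os.path.join(extended(directory), name), "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_directory(directory: str) -> List[Tuple[str, str, bool]]:
    """Padded/shadowed pairs plus whether the two files' contents differ."""
    pairs = find_masquerades(os.listdir(extended(directory)))
    return [(p, s, sha256_exact(directory, p) != sha256_exact(directory, s))
            for p, s in pairs]

def demo() -> List[Tuple[str, str, bool]]:
    """Constructed fixture: a legitimate calc.exe beside a padded impostor."""
    with tempfile.TemporaryDirectory() as d:
        for fname, body in (("calc.exe", b"MZ legit"), ("calc.exe   ", b"MZ fake")):
            with open(os.path.join(extended(d), fname), "wb") as f:
                f.write(body)
        return scan_directory(d)  # [('calc.exe   ', 'calc.exe', True)]
```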
  8. ) I wasn't trying to solve it ) maybe after the holidays, when my head is clear ) I just looked up where you got it from: "Do you see the L?" "Yes, we see the L," came the response. "We typed the O, and we asked, "Do you see the O." "Yes, we see the O." "Then we typed the G, and the system crashed"... Yet a revolution had begun"...
  9. 1969: The first LOGs: UCLA -- Stanford
     According to Vinton Cerf: ...the UCLA people proposed to DARPA to organize and run a Network Measurement Center for the ARPANET project... Around Labor Day in 1969, BBN delivered an Interface Message Processor (IMP) to UCLA that was based on a Honeywell DDP 516, and when they turned it on, it just started running. It was hooked by 50 Kbps circuits to two other sites (SRI and UCSB) in the four-node network: UCLA, Stanford Research Institute (SRI), UC Santa Barbara (UCSB), and the University of Utah in Salt Lake City.
     [Image: fournode-2.gif]
     The plan was unprecedented: Kleinrock, a pioneering computer science professor at UCLA, and his small group of graduate students hoped to log onto the Stanford computer and try to send it some data. They would start by typing "login," and seeing if the letters appeared on the far-off monitor. "We set up a telephone connection between us and the guys at SRI...," Kleinrock ... said in an interview: "We typed the L and we asked on the phone, "Do you see the L?" "Yes, we see the L," came the response. "We typed the O, and we asked, "Do you see the O." "Yes, we see the O." "Then we typed the G, and the system crashed"... Yet a revolution had begun"...
     History of the Internet & World Wide Web : 1) Internet Before Web
  10. Decrypting it, not yet, but there are many other methods to find out what certain people who use Tor are doing
  11. New anti-APT tools are no silver bullets: An independent test of APT attack detection appliances » CrySyS Blog
      Something like this was used in South Korea in the attack on the nuclear power plant.

      Test sample 4 - BAB0 [9]
      BAB0 is a custom designed sample written in C++ with a server side written in PHP. It was designed to be as stealthy as possible, and utilizes multiple methods to avoid detection. Actually, this test case simulates attackers with moderate resources and some understanding of the state-of-the-art detection tools and how advanced malware work. For example, this can simulate organized criminals when attacking high value targets. On the other hand, nation state attackers surely have more resources and knowledge to develop even stealthier malware.

      The executable of BAB0 is downloaded by the victim as part of an HTML page, where it is actually hidden in an image with steganography. Thus, the executable never appears in clear in the network traffic. The downloaded page also contains scripts that extract the executable from the image when the user clicks on it. To avoid extracting the executable in a sandbox environment on the detection tools, the website’s underlying HTML and JavaScript code is misleading for an automated analysis environment, but it has nothing special from a user’s perspective. On the other hand, the page does not use CAPTCHA or other Turing test methods that would be unfair from a testing perspective. The user has to simply click on something that appears to be a download button.

      Once the sample is running, it presents a decoy program to the user to appear as an ordinary program. It does not try to modify the registry or any configuration on the machine by itself. Persistence can be achieved later by sending commands that add the executable to the appropriate registry entries or make it start with the system in some other way. To hide the C&C network traffic, the client simulates a user clicking on links in a web forum, and downloads full HTML pages with CSS style sheets and images. The real C&C traffic is hidden inside these HTTP requests using data hiding methods. In the tests, we hosted the C&C server on domains with some positive reputation. It helped to simulate a fairly common scenario where the malware author compromised domains without negative reputation to host (part of) the C&C infrastructure. The command types that can be sent to the client include: directory traversal, file download and upload, and command execution.

      [9] Babo means hobbit in Hungarian. We called this sample Babo, as its objective was to stealthily bypass all state-of-the-art defenses, while actually being very simple, and this situation shows a parallel to the story of the Lord of the Rings, where Frodo, the small hobbit, managed to bypass all defenses of the fearsome Sauron, the Lord of Mordor, and reached Amon Amarth, where the One Ring was finally destroyed.
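An added example for the "executable hidden in an image" delivery the excerpt above describes (not CrySyS code, and not a reconstruction of BAB0's actual encoding, which the post does not give): a content-inspection check that treats an image as suspicious if it carries a PE header anywhere in its bytes or data after the PNG IEND chunk. It assumes the simplest hiding form, a PE stored in clear inside the image container; the PNG and PE bytes at the bottom are a constructed fixture.

```python
import struct
from typing import List, Tuple

# Added example (not CrySyS code). BAB0's exact steganographic encoding is not
# described in the post; this check covers the simplest form, a PE stored in
# clear inside an image container (appended after IEND or embedded), which a
# content inspector can flag without executing the page's JavaScript.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IEND = b"IEND\xaeB`\x82"  # IEND chunk type followed by its fixed CRC

def find_embedded_pe(data: bytes) -> List[int]:
    """Offsets of every 'MZ' whose e_lfanew field points at a 'PE\\0\\0' signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):  # need the full DOS header to read e_lfanew
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if sig + 4 <= len(data) and data[sig:sig + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def png_trailing_data(data: bytes) -> bytes:
    """Bytes after a PNG's IEND chunk; a well-formed image has none."""
    if not data.startswith(PNG_MAGIC):
        return b""
    end = data.find(IEND)
    return b"" if end == -1 else data[end + len(IEND):]

def inspect_image(data: bytes) -> Tuple[bool, int, int]:
    """(suspicious, number of PE headers found, bytes trailing the image)."""
    pes = find_embedded_pe(data)
    trailing = len(png_trailing_data(data))
    return (bool(pes) or trailing > 0, len(pes), trailing)

def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in for an executable: MZ header, e_lfanew, PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + b"\x00" * (e_lfanew - len(hdr)) + b"PE\x00\x00" + b"\x00" * 20

# Constructed fixtures: a minimal PNG skeleton, and the same PNG with a PE appended.
CLEAN_PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00" + IEND
CARRIER_PNG = CLEAN_PNG + build_fake_pe()
```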
  12. As long as you still rely on the signature system, with some predictive and file-behaviour scanning added on top, you are still addressing amateurs..........
  13. Give it a try ) I haven't had time to try it yet; what seems very suspicious to me is that it looks like an intentionally left backdoor. About 10 months ago, on an onion forum, the "vulnerability" was being discussed and they were saying the same thing, that it was almost certainly a backdoor. I'm very curious to try it on some routers in the coming days.
  14. Interesting that it was made public only after about 2 years ) Article: Remotely Exploitable 'Bash Shell' Vulnerability Affects Linux, Unix and Apple Mac OS X And the goodie: http://www.exploit-db.com/exploits/34766/ Enjoy
  15. For owners of the Nexus 5, 7 and 10, Offensive Security has released NetHunter. Enjoy :D Kali Linux NetHunter - Kali NetHunter