Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by TheCount.

  1. Why are there programs that encrypt payload to paybass av on windows and there are no programs to encrype apk payload....😅
  2. droidjack and omnirat work and dont paybass any av so it's bulshit
  3. Trebuie să experimentez ceva
  4. Este cineva care are acest program ?
  5. in InspirationTuts we are gonna train you to become a 3d artist . 3ds max tutorials are about modeling,texturing,rigging,animatioin,lighting,rendering,..... we can help youn to understand the basics of 3ds max in an easy an fun ways that's gonna help you become the artist you want to be. link : InspirationTuts
  6. https://gist.github.com/dylanmckay/2b191a10068bd87d0fffba242db44b52
  7. Foxhound: Blackbox - A RaspberryPi 3 NSM (Network Security Monitor) based on Bro, Netsniff-NG, Loki and Critical Stack. sursa : https://www.sneakymonkey.net/2016/10/30/raspberrypi-nsm/
  8. y can't use just tor...you need another thing to help you stay secure
  9. The @nytimes is now available on #Tor via their hidden service, works fine w/out JavaScript
  10. On a recent engagement, our testers were faced with a single page web application which was used to generate PDF documents. This web application contained a multi-step form that ultimately let the user download a PDF document containing the details they had entered. As a user progressed through the form, the data entered would occasionally be redisplayed in future questions. We tried to find an XSS vulnerability in this workflow; and although the application itself correctly escaped user input, an interesting discovery was made when downloading the PDF file: it appeared that the PDF documents were rendered as an HTML page first. This conclusion was drawn from the fact that HTML tags submitted during the application process (specifically <strong>John Doe</strong>) were rendered in the PDF document as bold text. Using a payload with script tags allowed us to retrieve the window location (<script>document.write(window.location);</script>). We found that the page was being accessed from localhost; and by replacing “localhost” with the actual hosting domain name, the page containing the XSS vulnerability was able to be viewed directly. So to recap our current understanding, we have a web application accepting user input, insecurely reflecting the data into a HTML page, allowing JavaScript execution, rendering the page locally and saving it as a PDF file available for download. Using an image tag (<img src=”attack.ip/owned.jpg”>) payload allowed us to see (via the User-Agent header) that Chrome 59 headless was being used server-side to create the PDF document. A reverse DNS lookup was also performed on the connecting IP, revealing it as an Amazon EC2 instance. As the vulnerable page allowed execution of JavaScript on the remote server, this XSS attack had essentially become a Server-Side-Request-Forgery (SSRF) vulnerability. This allowed our testers to attack software and services running on localhost or within the internal network. Enumerating the environment revealed no vulnerable services to further the attack chain. However, since the host was running on Amazon EC2, though, another attack was possible. Amazon EC2 has a web API to access the instance metadata, and using a JavaScript redirect (<script>window.location=””</script>), it was possible to disclose the machine Identity and Access Management (IAM) roles. A single role was found, and the corresponding AWS access keys for that role were extracted. These access keys can be used to make programmatic calls to the AWS API. In this instance, the permissions attached to the role were too restrictive to allow further exploitation. In conclusion, the core vulnerability was the fact that user data was insecurely reflected into a webpage and executed on the remote server. This was patched within a day once brought to the attention of the application developers. Additional hardening techniques were suggested which would have limited the attack surface in the first instance. Implementing the PDF generation using a document templating library would have been a more secure and optimized solution. There would be less overhead involved and no need to rely on potentially-risky HTML rendering. Despite the webpage used to generate the PDF being publicly accessible (if the correct URL was known), this was never intended or required. The page should be restricted to localhost access only. Disabling JavaScript on the page containing user data would have reduced impact, although even with that, iframes could allow other attacks in some configurations. All IAM roles attached to the EC2 instance should have the absolute minimal set of permissions required. This appeared to be the case with role enumerated in this engagement. In addition, access to the instance metadata API itself should be restricted to allow only those users requiring access. This can be performed with iptables, and significantly reduces the impact of SSRF vulnerabilities found on Amazon EC2 instances. sursa : https://ionize.com.au/stealing-amazon-ec2-keys-via-xss-vulnerability/
  11. Hackers Can Steal Windows Login Credentials Without User Interaction Microsoft has patched only recent versions Windows against a dangerous hack that could allow attackers to steal Windows NTLM password hashes without any user interaction. The hack is easy to carry out and doesn't involve advanced technical skills to pull off. All the attacker needs to do is to place a malicious SCF file inside publicly accessible Windows folders. Once the file has been placed inside the folder, it executes due to a mysterious bug, collects the target's NTLM password hash, and sends it to an attacker-configured server. Using publicly available software, an attacker could crack the NTLM password hash and later gain access to the user's computer. Such a hack would allow an attacker that has a direct connection to a victim's network to escalate access to nearby systems Not all computers with shared folders are vulnerable Computers with shared folders protected by a password are safe. Since this is the default option in Windows, most users aren't vulnerable to this attack. Nonetheless, users in enterprise environments, schools, and other public networks often share folders without a password due to convenience, leaving many systems open for attacks. Patches available only to Windows 10 and Server 2016 The hack was discovered by Columbian security researcher Juan Diego, who reported the issue to Microsoft in April. Microsoft patched the attack vector in this month's Patch Tuesday via the ADV170014 ecurity advisory. The patch is only for Windows 10 and Windows Server 2016 users. Older Windows versions remain vulnerable to this attack because the registry modifications are not compatible with older versions of the Windows Firewall. Attack root vulnerability is a mystery Speaking to Bleeping Computer, Diego says ADV170014 blocks the hack he discovered, but he can't explain why the hack was possible in the first place. The attack works through a malicious SCF file. SCF stands for Shell Command File and is a file format that supports a very limited set of Windows Explorer commands, such as opening a Windows Explorer window or showing the Desktop. The "Show Desktop" shortcut we all use on a daily basis is an SCF file. "The attacker only needs to upload the SCF file to the vulnerable folder," Diego told Bleeping Computervia email, highlighting that no user interaction is needed. Previous attacks that involved SCF files executed only when the victim accessed the folder. This time around, as Diego discovered, the malicious commands contained inside the SCF file run right after the attacker uploads the SCF file inside the shared folder, without needing to wait for the user to view that file's content. Why this happens is a mystery to Diego. "This [attack] is automatic. The underlying issue triggering this is still unknown to me," Diego said, "[Microsoft] has been very secretive about that." Microsoft patch tries to address pass-the-hash attacks The patch Microsoft delivered doesn't actually fix the SCF automatic execution Diego wasn't able to explain but attempts to patch a two-decades-old attack known as pass-the-hash, the automatic sharing of NTLM hashes with servers located outside of the user's network, a technique Diego also employed in his hack. The issue is an old one, and often used in many types of Windows hacks. Just this spring a pass-the-hash attack combined Chrome and SCF files to steal user credentials, while other recent on pass-the-hash attacks were published in 2016 and 2015. The patch that Microsoft delivered prevents attackers from tricking local users to authenticating on servers situated outside the local network. While Diego has reported his attack to Microsoft, it was German researcher Stefan Kanthak who got an acknowledgment from Microsoft for the fixed issue, as he too reported similar bugs in March 2017. "Microsoft did (as every so often) a POOR job, the updates published this month close only 2 of the 6 distinct weaknesses I reported," Kanthak told Bleeping via email, hinting that more ways to exploit pass-the-hash attacks exist. "I'm currently working on another way to exploit this vulnerability," Diego also said, echoing Kanthak's assessment that Microsoft is nowhere close to patching this long-lasting security hole. While ADV170014 is an optional patch, installing this update is highly recommended, especially since it was confirmed to block Diego's dangerous hack, and most likely other pass-the-hash attempts. A walkthrough of Diego's pass-the-hash variation attack is available on his blog sursa : https://www.bleepingcomputer.com/news/security/hackers-can-steal-windows-login-credentials-without-user-interaction/
  12. For weeks, one of the world"s top security firms has been dogged by reports pf goverment espionage sursa : https://www.theverge.com/2017/10/25/16545532/kaspersky-lab-russian-hacking-antivirus-telemetry-nsa
  13. sursa : https://www.endgame.com/blog/technical-blog/badrabbit-technical-analysis
  14. TLDR Microsoft reintroduced a kernel vulnerability in Windows 10 Creators Update which was originally patched in 2016. This blog showcases the exploitation of this “wild” Pool-based overflow in the kernel on Windows 10 x64 (RS2) Microsoft improved the validation of the BASEOBJECT64.hHmgr field which makes linear Pool overflows on the Paged Session Pool harder to exploit when using well-known exploitation techniques using Palettes or Bitmaps Exploitation using Palettes or Bitmaps to get arbitrary Read-Write primitives is still possible despite the improved hHmgr Handle validation Exploits (one using Palettes, one using Bitmaps) have been published on Github sursa : https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
  15. - the important thing is the code work Bro .... - I am just want to publish something may be useful to someone - you do great thinks for us nytro..thanks
  16. some projects! https://www.codeproject.com/search.aspx?q=c%2b%2b&doctypeid=1%3b2%3b3%3b13%3b14 http://www.stroustrup.com/applications.html
  • Create New...