Jump to content


Active Members
  • Content Count

  • Joined

  • Days Won


Kev last won the day on May 28

Kev had the most liked content!

Community Reputation

52 Excellent

About Kev

  • Rank
    Active Member

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

  1. Kev


    observ ca nu este activ de prin martie, tot ce este posibil Aviz amantorilor, asta se intampla cand va "jucati cu focul" killer-ul oricum e "ca la el acas'
  2. Security researchers have discovered a new version of Sarwent malware that has new command functionality, such as executing PowerShell commands and preference for using RDP. Dating back to 2018, Sarwent has mostly been known as a dropper malware with a limited set of commands, such as download, update and vnc. Dropper malware is a kind of Trojan designed to install other malware on a target system. Researchers at SentinelOne warned that attackers are now using a new version of the Sarwent malware to target the Remote Desktop Protocol (RDP) port on Windows systems to execute backdoor commands. Reaves also said Sarwent uses the same binary signer as one or more TrickBot operators. Futhermore, Reaves pointed out that the “rdp” command and code execution looks to perform tasks, such as: Add users List groups and users Punch a hole in local firewall. These functions could forewarn actors are preparing to target systems for RDP access at a later time. Readers may also remember attackers have been known to exploit RDP-related vulnerabilities, such as the BlueKeep vulnerability CVE-2019-0708. In conclusion, cyber criminals likely will continue to leverage malware, like Sarwent, to leverage RDP for monetization such as selling access to systems. Via securezoo.com
  3. Kev

    Țeapă Winston

    DA!, am dovezi, figurez în lista castigatorilor, iar in tracker apare alta semnatura
  4. Salut, am castigat cateva produse in promotia Winston Romania, am castigat cateva produse care nu mi-au ajuns (pandemie), astept de 50 zile, au fost livrate prin dpd.com, sun raspunde robotul, sun la info-line youtfreedom.ro, se eschiveaza, sun curierii de la dpd.ro, se eschiveaza, tinand cont ca e vorba de Smartwatch, boxa portabila, netbook, baterie externa Sa ma fut in plamanii lor /edit: am verificat AWB, apare livrat cu o semnatura in forma de X //Cancerul sa va manance
  5. Claimed as the fastest internet speed that has been tested and recorded in the world. Image: Monash University A group of researchers from Monash, Swinburne, and RMIT universities have claimed that they have successfully tested and recorded the world's fastest internet data speed of 44.2Tbps using a single optical chip known as a micro-comb. The findings, published in the Nature Communications journal, revealed how the data speed achieved has the capacity to support high-speed internet connections of 1.8 million households in Melbourne, and users can download 1,000 HD movies in seconds. According to the researchers, the micro-comb, which is touted to be a smaller and lighter device than existing telecommunications hardware, was used to replace 80 infrared lasers and load-tested in infrastructure that mirrored networks used by the National Broadband Network. They did this by placing the micro-comb in 76.6km of installed dark optical fibres between RMIT's Melbourne city campus and Monash University's Clayton campus. The micro-comb was used to mimic a rainbow of infrared lasers so that each 'laser' has the capacity to be used as a separate communications channel. To simulate peak internet usage during testing, the researchers sent maximum data through each channel across 4THz of bandwidth. RMIT's Arnan Mitchell said the future ambition for the project is to scale up the current transmitters from hundreds of gigabytes per second towards tens of terabytes per second without increasing size, weight, or cost. A sample of some of the perovskite cells used in the experiment. Image: UNSW Elsewhere, scientists from the University of Sydney have tested how to improve the thermal stability of perovskite solar cells so that it could potentially be used as an alternate to silicon-based solar cells. The scientists used a polymer-glass blanket with a pressure-tight seal to suppress the decomposition of the perovskite cells, a process known as outgassing. The test was also able to determine if the perovskite solar cells could survive more than 1,800 hours of 85% relative humidity and 75 cycles of temperatures between -40 degrees and 85 degrees. Via zdnet.com
  6. Speaker: Jorge Orchilles Abstract: Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations will be covered shortly. Adversary emulation Red Team Exercises emulate an end-to-end attack against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack. This will be the main focus of SANS SEC564 Red Team Exercises and Adversary Emulation. Command and Control is one of the most important tactics in the MITRE ATT&CK matrix as it allows the attacker to interact with the target system and realize their objectives. Organizations leverage Cyber Threat Intelligence to understand their threat model and adversaries that have the intent, opportunity, and capability to attack. Red Team, Blue Team, and virtual Purple Teams work together to understand the adversary Tactics, Techniques, and Procedures to perform adversary emulations and improve detective and preventive controls. The C2 Matrix was created to aggregate all the Command and Control frameworks publicly available (open-source and commercial) in a single resource to assist teams in testing their own controls through adversary emulations (Red Team or Purple Team Exercises). Phase 1 lists all the Command and Control features such as the coding language used, channels (HTTP, TCP, DNS, SMB, etc.), agents, key exchange, and other operational security features and capabilities. This allows more efficient decisions making when called upon to emulate and adversary TTPs. It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls. Learn how Red Teams and Blue Teams work together in virtual Purple Teams -Leverage Cyber Threat Intelligence to understand adversary tactics, techniques, and procedures Perform adversary emulations in Red or Purple Team Exercises Choose which command and control to use for the assessment to provide the most value -Measure and improve people, process, and technology Source
  7. Microsoft has patented a cryptocurrency mining system that leverages human activities, including brain waves and body heat, when performing online tasks such as using search engines, chatbots, and reading ads. “A user can solve the computationally difficult problem unconsciously,” the patent reads. Crypto System Leveraging Body Activity Data Microsoft Technology Licensing, the licensing arm of Microsoft Corp., has been granted an international patent for a “cryptocurrency system using body activity data.” The patent was published by the World Intellectual Property Organization (WIPO) on March 26. The application was filed on June 20 last year. “Human body activity associated with a task provided to a user may be used in a mining process of a cryptocurrency system,” the patent reads, adding as an example: Microsoft has patented a “cryptocurrency system using body activity data” with the World Intellectual Property Organization (WIPO), the agency of the United Nations responsible for treaties involving copyright, patent, and trademark laws. Noting that the method described may “reduce computational energy for the mining process as well as make the mining process faster,” the patent details: Patent Suggests Alternative Way to Mine Cryptocurrencies The patent describes a system where a device can verify whether “the body activity data satisfies one or more conditions set by the cryptocurrency system, and award cryptocurrency to the user whose body activity data is verified.” Microsoft patents a cryptocurrency system leveraging different types of sensors to “measure or sense body activity or scan human body,” such as heart rate monitors, thermal sensors, and optical sensors. Different types of sensors can be used to “measure or sense body activity or scan human body,” the patent explains. They include “functional magnetic resonance imaging (fMRI) scanners or sensors, electroencephalography (EEG) sensors, near infrared spectroscopy (NIRS) sensors, heart rate monitors, thermal sensors, optical sensors, radio frequency (RF) sensors, ultrasonic sensors, cameras, or any other sensor or scanner” that will do the same job. The system may reward cryptocurrency to an owner or a task operator “for providing services, such as, search engines, chatbots, applications or websites, offering users access for free to paid contents (e.g. video and audio streaming or electric books), or sharing information or data with users,” the patent details. The idea of mining cryptocurrencies using human body heat has previously been explored by other organizations. For example, Manuel Beltrán, founder of the Dutch Institute of Human Obsolescence, set up an experiment in 2018 to mine cryptocurrencies with a special bodysuit that harvested the human body heat into a sustainable energy source. The electricity generated was then fed to a computer to mine cryptocurrencies. What do you think of Microsoft’s new cryptocurrency mining system? Let us know in the comments section below. Via news.bitcoin.com
  8. Ping Castle Introduction The risk level regarding Active Directory security has changed. Several vulnerabilities have been made popular with tools like mimikatz or sites likes adsecurity.org. Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework. It does not aim at a perfect evaluation but rather as an efficiency compromise. |:. PingCastle (Version | #:. Get Active Directory Security at 80% in 20% of the time # @@ > End of support: 31/07/2020 | @@@: : .# Vincent LE TOUX (contact@pingcastle.com) .: https://www.pingcastle.com Using interactive mode. Do not forget that there are other command line switches like --help that you can use What you would like to do? 1-healthcheck-Score the risk of a domain 2-graph -Analyze admin groups and delegations 3-conso -Aggregate multiple reports into a single one 4-nullsession-Perform a specific security check 5-carto -Build a map of all interconnected domains 6-scanner -Perform specific security checks on workstations Check https://www.pingcastle.com for the documentation and methodology Build PingCastle is a c# project which can be build from Visual Studio 2012 to Visual Studio 2017 Support & lifecycle For support requests, you should contact support@pingcastle.com The support for the basic edition is made on a best effort basis and fixes delivered when a new version is delivered. The Basic Edition of PingCastle is released every 6 months (January, August) and this repository is updated at each release. If you need changes, please contact contact@pingcastle.com for support packages. License PingCastle source code is licensed under a proprietary license and the Non-Profit Open Software License ("Non-Profit OSL") 3.0. Except if a license is purchased, you are not allowed to make any profit from this source code. To be more specific: It is allowed to run PingCastle without purchasing any license on for profit companies if the company itself (or its ITSM provider) run it. To build services based on PingCastle AND earning money from that, you MUST purchase a license. Ping Castle uses the following Open source components: Bootstrap licensed under the MIT license JQuery licensed under the MIT license vis.js licensed under the MIT license Author Author: Vincent LE TOUX You can contact me at vincent.letoux@gmail.com Download pingcastle-master.zip or git clone https://github.com/vletoux/pingcastle.git Source
  9. OBLIGATORY INTRO Howdy! This is the first post in a multi-part series detailing steps taken, and exploits written, as part of my OSCE exam preparation. I intend to use these practice sessions to refine my exploit development process while sharing any knowledge gained. I originally wanted to take this course a few years ago, but could never quite lock it in. Recently, I was fortunate enough to have work fund the course. Since then, I’ve been spending my free time listening to Muts’ dulcet tones and working through the modules. I wrapped up the official course material yesterday and plan to work through some additional work recommended by some OSCE graduates. What makes the timing awesome for me is that I just finished up CSC 748 - Software Exploitation for my graduate course work. The course dealt with Windows x86 exploitation, fuzzing, and shellcoding. Sound familiar? It dove into some topics that OSCE doesn’t cover such as using ROP to bypass DEP. I’m incredibly happy to have been able to do both of them one right after the other. I’ll be including some of the shellcoding tricks I learned from the course in this series at some point. EXPLOIT DEVELOPMENT ENVIRONMENT This post will cover setting up a lab environment. While this may not be the most interesting topic, we’ll cover some setup tips that may be helpful. Don’t worry, we won’t go step by step through setting up all these things unless it’s warranted. OPERATING SYSTEM For these practice sessions, we’ll attempt to stick reasonably close to an OSCE environment by using a 32bit Windows 7 VM. Unfortunately, Microsoft has taken down the IE/Edge Virtual Machine images from their site. You can only get the Windows 10 images nowadays. Fear not! If you find yourself in need of an older version, they’re archived and can still be downloaded at the link below. Windows VM Images SCRIPTING LANGUAGE We’ll be writing all proof of concepts using Python 3. Python 2 still gets a lot of use in PoCs for exploits and exploit-centric tooling, however, I strongly prefer 3 as a language overall and will stick to it throughout these posts. The latest version of Python (3.8.2 at the time of this writing) can be found here. HEX EDITOR There are times we’ll need a hex editor. I prefer 010 when working on windows. NASMSHELL Part of creating shellcode is janking™ around with the instructions to find what works in the smallest amount of space without known bad characters. nasmshell makes it incredibly easy to check which opcodes are generated by which instructions. Of note, nasmshell requires python2. FUZZER For network fuzzing, we’ll be using boofuzz. It’s a fork of and the successor to the venerable Sulley fuzzing framework. Sulley has been the preeminent open source fuzzer for some time, but has fallen out of maintenance. Installation consists of a simple pip command. pip install boofuzz --user AUTOMATIC CRASH DETECTION & PROCESS RESTART This part is totally optional. Boofuzz offers a utility called process_monitor.py that detects crashes and restarts the target binary automatically. It requires a few additional libraries to run and must run on the target machine itself. As we’ll be doing all coding and fuzzing from the same windows environment, this is fine. The install steps are located here. I won’t copy and paste them here, however I will note something that I was forced to do during installation. All of the libraries for process_monitor.py are installed into my Python2.7 environment. Whereas boofuzz is installed into my Python3.8 environment. This is because pydasm requires Python2.7. The end result is that we’ll be scripting fuzzers in Python3, and executing process_monitor.py with Python2. Also, there is a note on the install page: I didn’t need to do anything to satisfy this requirement, as my flare-vm install script pulled it down for me. DEBUGGER The topic of which debugger to use seems to be pretty contentious in the OSCE forums/chats. We’ll be using WinDbg. The reason is that I spent 4 months using it for college and have come to like it. FLARE-VM To install WinDbg (and some other tools), I used the Flare-VM install script. Flare-VM will take a Windows 7-10 machine and install a plethora of RE tools. I modified the flare’s profile.json for a relatively light-weight installer. Flare-VM install instructions Customizing Installed Packages And if you’re feeling lazy, here’s my profile.json. { "env": { "TOOL_LIST_DIR": "%ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\FLARE", "TOOL_LIST_SHORTCUT": "%UserProfile%\\Desktop\\FLARE.lnk", "RAW_TOOLS_DIR": "%SystemDrive%\\Tools", "TEMPLATE_DIR": "flarevm.installer.flare" }, "packages": [ {"name": "dotnetfx"}, {"name": "powershell"}, {"name": "vcbuildtools.fireeye"}, {"name": "vcpython27"}, { "name": "python2.x86.nopath.flare", "x64Only": true, "args": "--package-parameters \'/InstallDir:C:\\Python27.x86\'" }, {"name": "libraries.python2.fireeye"}, {"name": "libraries.python3.fireeye"}, {"name": "windbg.flare"}, {"name": "windbg.kenstheme.flare"}, {"name": "windbg.ollydumpex.flare"}, {"name": "windbg.pykd.flare"}, {"name": "ghidra.fireeye"}, {"name": "vbdecompiler.flare"}, {"name": "010editor.flare"}, {"name": "resourcehacker.flare"}, {"name": "processdump.fireeye"}, {"name": "7zip.flare"}, {"name": "putty"}, {"name": "wget"}, {"name": "processhacker.flare"}, {"name": "sysinternals.flare"}, {"name": "ncat.flare"}, {"name": "shellcode_launcher.flare"}, {"name": "xorsearch.flare"}, {"name": "xorstrings.flare"}, {"name": "lordpe.flare"}, {"name": "googlechrome.flare"}, {"name": "nasm.fireeye"} ] } MONA.PY Even after using Flare-VM’s installer, we’re still missing a key tool, mona.py. Mona.py is an incredible tool; it’s bonkers how many facets of exploit dev on windows are made easier with mona. To get mona up and running with WinDbg, we’ll just need to follow these steps. We can confirm everything works by opening up WinDbg, attaching to some benign process, and running the following commands: .load pykd.pyd ══════════════ Processing initial command '.load pykd.pyd' !py mona ════════ [+] Command used: !py C:\Program Files\Windows Kits\10\Debuggers\x86\mona.py 'mona' - Exploit Development Swiss Army Knife - WinDBG (32bit) Plugin version : 2.0 r605 Python version : 2.7.18 (v2.7.18:8d21aa21f2, Apr 20 2020, 13:19:08) [MSC v.1500 32 bit (Intel)] PyKD version Written by Corelan - https://www.corelan.be Project page : https://github.com/corelan/mona |------------------------------------------------------------------| | _ __ ___ ___ _ __ __ _ _ __ _ _ | | | '_ ` _ \ / _ \ | '_ \ / _` | | '_ \ | | | | | | | | | | | || (_) || | | || (_| | _ | |_) || |_| | | | |_| |_| |_| \___/ |_| |_| \__,_|(_)| .__/ \__, | | | |_| |___/ | | | |------------------------------------------------------------------| SQLITE BROWSER We’ll need a way to look at boofuzz’s results. They’re stored in a database, and the provided web interface leaves something to be desired. As we’ll be working on windows, we’ll need to grab a sqlite database browser. One can be found here. WINDBG - QUALITY OF LIFE TWEAKS We’re going to be spending a ton of time in the debugger, so it should be a debugger that sparks joy! Typing .load pykd.pyd isn’t terribly hard, but doing it every time you restart your debugger can be irksome. We can automatically load the file with a pretty simple trick. right-click on the windbg icon in the toolbar (assuming flare-vm put it there for you) right-click on the windbg (x86) menu item select properties Once we’re in the properties menu, perform the following click on the Shortcut tab add the following command-line option to the Target field: -c ".load pykd.pyd" SANE LOGGING LOCATION Without any configuration, mona.py stores command results beside the debugger’s exe. The exe is stored six levels deep under Program Files and isn’t exactly accessible. The command below will get the logging location squared away for us. !py mona config -set workingfolder c:\monalogs\%p_%i The %p will get populated with the debuggee’s name and the %i will be replaced by the debuggee’s pid. Ex. C:\monalogs\TFTPServerSP_1300 PERSONALIZED WORKSPACE W/ SCRATCHPAD You can personalize WinDbg quite a bit. There are a few themes shipped with WinDbg, and some others can be found with google, though it’s not obvious how to work with them. WinDbg will read Workspace settings from the registry or a .wew file. If you’re loading a .reg file, you can simply double-click the file and it will load. However, we’ll be creating our own .wew file. CREATE THE LAYOUT We’ll take a look at my setup, which is pretty much default, with a slight modification. I like having WinDbg’s scratchpad open. It’s a convenient place for simple notes (usually addresses/offsets). It’s not open in the default configuration, so let’s fix that. Open WinDbg Press alt+8 to open the scratchpad Position it wherever you like My setup looks like this, with the scratchpad positioned to the right of the assembly window. ASSOCIATE THE SCRATCHPAD If the scratchpad isn’t associated to a file on disk, the information disappears when the debugger exits. Fortunately, making the scratchpad persistent is easy. First, right-click the scratchpad’s top bar and select Associate with file.... After that, simply pick a location (I store mine in C:\monalogs) SAVE THE WORKSPACE With a new layout created, we need to save it to disk. There are four different options to save a workspace… We want to use the Save Workspace to File... option. Store it wherever you like. AUTOLOAD THE WORKSPACE With the scratchpad setup and the workspace file saved somewhere, we need to configure windbg to load the workspace on startup. The premise is the same as what we used to autoload pykd. We just need to add the following command-line option to the Target field in WinDbg’s properties. -WF "C:\Users\vagrant\Desktop\with_scratchpad.WEW" FURTHER CONFIGURATION In case you want to go further, you could use some of the themes listed below as a starting point and tweak until you’re content. https://github.com/lololosys/windbg-theme https://github.com/Stolas/WinDBG-DarkTheme C:\ProgramData\chocolatey\lib\windbg.kenstheme.flare\tools\ken.reg https://www.zachburlingame.com/2011/12/customizing-your-windbg-workspace-and-color-scheme/ OBLIGATORY OUTRO The next post in this series will cover exploiting VulnServer’s TRUN command. Check it out here. Source epi052.gitlab.io
  10. exista, in laboratoarele de biologie/anatomie sunt avortoni, reptile, ficati, rinichi, etc; in recipiente cu formol, pentru a eviscera studentii (viitori medici care opereaza) Exclux faptul ca mai sunt si unii imbecili cu obiecte ciudate +prostituatele (morcovi, castraveti, lumanari, s.a.m.d)
  11. Hackers taking advantage of the video conferencing apps like Zoom to infect systems with malicious routines. Security researchers from Trend Micro observed two malware samples that pose as Zoom installers but when decoded it contains malware. The malicious fake installer not distributed through official distribution channels. Fake Zoom Installers With the two malware samples, one found installing a backdoor that allows attackers to gain access remotely, another one is the Devil Shadow botnet in devices. The malicious installer resembles closer to the official version, it contains encrypted files that will decrypt the malware version. The malware kills all the running remote utilities upon installation and opens TCP port 5650 to gain remote access to the infected system. Another sample observed by researchers installs Devil Shadow Botnet, the infection starts with the malicious installer with the file named pyclient.cmd which contains malicious commands. With this sample also the threat actors include a copy of the official Zoom installer to deceive the victims. The tampered app installer deploys malicious archive and codes, and the commands for persistence and communication. The malware used to send gathered information to its C&C every 30 seconds every time the computer is turned on. In another campaign, attackers repackaged the legitimate zoom installer with WebMonitor RAT. The infection starts with downloading the malicious file ZoomIntsaller.exe from malicious sources. Due to coronavirus pandemic, many companies around the world asked employees to work from home, which increases the usage of video conferencing apps and it is heavily targeted by attackers. Via gbhackers.com
  12. Never-before-seen PipeMon hit one developer's build system, another's game servers. One of the world’s most prolific hacking groups recently infected several Massively Multiplayer Online game makers, a feat that made it possible for the attackers to push malware-tainted apps to one target’s users and to steal in-game currencies of a second victim’s players. Researchers from Slovakian security company ESET have tied the attacks to Winnti, a group that has been active since at least 2009 and is believed to have carried out hundreds of mostly advanced attacks. Targets have included Chinese journalists, Uyghur and Tibetan activists, the government of Thailand, and prominent technology organizations. Winnti has been tied to the 2010 hack that stole sensitive data from Google and 34 other companies. More recently, the group has been behind the compromise of the CCleaner distribution platform that pushed malicious updates to millions of people. Winnti carried out a separate supply-chain attack that installed a backdoor on 500,000 ASUS PCs The recent attack used a never-before-seen backdoor that ESET has dubbed PipeMon. To evade security defenses, PipeMon installers bore the imprimatur of a legitimate Windows signing certificate that was stolen from Nfinity Games during a 2018 hack of that gaming developer. The backdoor—which gets its name for the multiple pipes used for one module to communicate with another and the project name of the Microsoft Visual Studio used by the developers—used the location of Windows print processors so it could survive reboots. Nfinity representatives weren't immediately available to comment.. A strange game In a post published early Thursday morning, ESET revealed little about the infected companies except to say they included several South Korea- and Taiwan-based developers of MMO games that are available on popular gaming platforms and have thousands of simultaneous players. The ability to gain such deep access to at least two of the latest targets is one testament to the skill of Winnti members. Its theft of the certificate belonging to Nfinity Games during a 2018 supply-chain attack on a different crop of game makers is another. Based on the people and organizations Winnti targets, researchers have tied the group to the Chinese government. Often, the hackers target Internet services and software and game developers with the objective of using any data stolen to better attack the ultimate targets. Certified fraud Windows requires certificate signing before software drivers can access the kernel, which is the most security-critical part of any operating system. The certificates—which must be obtained from Windows-trusted authorities after purchasers prove they are providers of legitimate software—can also help to bypass antivirus and other end-point protections. As a result, certificates are frequent plunder in breaches. Despite the theft coming from a 2018 attack, the certificate owner didn’t revoke it until ESET notified it of the abuse. Tudor Dumitras, co-author of a 2018 paper that studied code certificate compromises, found that it wasn’t unusual to see long delays for revocations, particularly when compared with those of TLS certificates used for websites. With requirements that Web certificates be openly published, it’s much easier to track and identify thefts. Not so with code-signing certificates. Dumitras explained in an email: The number of MMO game developers in South Korea and Taiwan is high, and beyond that, there’s no way to know if attackers used their access to actually abuse software builds or game servers. That means there’s little to nothing end users can do to know if they were affected. Given Winnti’s previous successes, the possibility can’t be ruled out. Via arstechnica.com
  13. Kev

    Amanet aur

    unde spanac amanet ai fost tu? pana si in ultimul sat din fundul curtii, ti-l da cu pila si acid, semnezi contract, vrei tu sa faci ceva si nu stii cum
  • Create New...