Nytro
Administrators
Content count: 14976
Days Won: 128
Nytro last won the day on June 7
Nytro had the most liked content!
Community Reputation: 2377 Excellent

9408 profile views
  1. "When I say cracker, I'm not referring to that biscuit." Epic.
  2. See you in November at DefCamp 2017

Want to experience a conference that offers outstanding content infused with a truly cyber security experience? For two days (November 9th-10th) Bucharest will once again become the capital of information security in Central & Eastern Europe, hosting at DefCamp more than 1,300 experts, enthusiasts and companies interested to learn the "what" and "how" of keeping information & infrastructures safe. Now it's getting really close: this year's conference is only months away, and that means very early bird tickets are now available.

Register Now at DefCamp 2017 (50% Off)

What can you expect from the 2017 edition?
  • 2 days full of cyber (in)security topics: GDPR, cyber warfare, ransomware, malware, social engineering, offensive & defensive security measures
  • 3 stages hosting over 35 international speakers and almost 50 hours of presentations
  • Hacking Village hosting more than 10 competitions where you can test your skills or see how your technology stands
  • 1,300 attendees with a background in cyber security, information technology, development or management, or students eager to learn

How to get involved?
  • Speaker: Call for Papers & Speakers is available here.
  • Volunteer: Be part of the DefCamp #8 team and see behind the scenes the challenges an event like this can have.
  • Partner: Are you searching for opportunities for your company? Become our partner!
  • Hacking Village: Do you have a great idea for a hacking or cyber security contest? Consider applying at the Hacking Village Call for Contests.
  • Attendee: Register at DefCamp 2017 right now and you will benefit from very early bird discounts.

Register Now at DefCamp 2017 (50% Off)

Use the following code to get an extra 10% discount on the Very Early Bird Tickets by June 27th. This is the best price you will get for the 2017 edition.
Code: DEFCAMP_2017_VEB_10
Website: https://def.camp/
  3. Somewhat simpler than in C, but there's no big difference.
  4. I haven't read about the vulnerability, I saw that he wrote "Host header injection". Yeah, lame; RCE or GTFO.
  5. Did you modify the HTTP "Host" header in the password reset request? If so, and if the WordPress install is vulnerable, the person whose password you're trying to reset will probably receive a reset link of the form https://site-ul-tau.com/date-de-resetare-inclusiv-token/ and MUST click that link; you will then receive the request on your site and will be able to initiate the password reset.
  6. OWASP Bucharest AppSec Conference 2017 is a one-day conference that will take place on 6 October 2017. As last year, we will have trainings/workshops and a capture the flag competition. Talk submissions are registered here. Training proposals are registered here. Sponsorship opportunities are in this document.

You can sign up with talks or workshops in the following areas, among others:
  • Security aspects of new / emerging web technologies / paradigms / languages / frameworks
  • Secure development: frameworks, best practices, secure coding, methods, processes, SDLC, etc.
  • Security of web frameworks (Struts, Spring, ASP.Net MVC, RoR, etc)
  • Vulnerability analysis (code review, pentest, static analysis etc)
  • Threat modelling of applications
  • Mobile security and security for the mobile web
  • Cloud security
  • Browser security and local storage
  • Countermeasures for application vulnerabilities
  • New technologies, paradigms, tools
  • Application security awareness and education
  • Security in web services, REST, and service oriented architectures
  • Privacy in web apps, Web services and data storage

Important:
  • the deadline for talk submissions is 28 August
  • the list of confirmed speakers will be announced on 1 September
  • the conference will take place on 6 October
  • talks will be 40 minutes each
  • there will be a speaker agreement

Link: https://www.owasp.org/index.php/OWASP_Bucharest_AppSec_Conference_2017
  7. It was about time something like this appeared; I don't understand why it took so long.
  8. An application built by IT specialists from Cluj, used by NASA on the International Space Station

Several IT specialists from Cluj, developers of a backup application, have made it with their product onto the International Space Station itself, after NASA bought 20 licences of their software, which is currently at its sixth version and sells worldwide, News.ro writes.

NASA purchased 20 licences of the Backup4all software, an application developed by a team of programmers from Cluj who own the company Softland. Since May, the application has been used on the International Space Station for the agency's backup activities. One licence for this application costs 49.99 dollars, but because NASA bought a larger quantity of licences it also received a discount, so the total price was 770 dollars. Also, because it is used in an environment with no internet connection, the application had to be modified.

"In January this year we received an email from NASA saying they would like to install Backup4all in a very secure environment, without internet access. They explained that our activation method would not work in their environment, and that is when we found out they wanted to install the application on the International Space Station. A whole month of tests and configurations for what they needed followed, and on 31 May it started being used. So it now runs on eight laptops on the International Space Station," explained Lóránt Barla, on behalf of Softland.

The Cluj team, who have reached the sixth version of Backup4all, explained that they stay in touch with NASA in case they need help on the support side. "The people at NASA bought the application from our website like any normal customer. We didn't even know. Maybe we have other equally important customers, but we don't know. They would have had other options, because competition in backup is quite strong. Why did they choose our application? Because they felt it was the best solution they could configure to their needs. As for our customers at NASA, we keep communicating professionally with them, and if they need support they can count on our help. But as a rule, Backup4all is configured and does its backups automatically without any further interaction with the developers," stated Lóránt Barla.

As a company, Softland has operated since 1999, initially doing outsourcing work. Since 2002, however, the team has focused on developing and selling its own programs. Softland currently has 13 employees, who also handle marketing, customer relations and sales.

Source: http://www.digi24.ro/stiri/externe/o-aplicatie-realizata-de-it-istii-din-cluj-folosita-de-catre-nasa-pe-statia-spatiala-internationala-737922
  9. I don't remember paying 10 pounds (50 RON) for a beer here in the country. Nor do I think a monthly metro pass is 13 pounds. As for rent, I had found a two-room apartment (1 flat room or whatever they call it, I don't remember anymore) for 1200 pounds (1300 EUR) in zone 8. With that money I could live in a penthouse on Dorobanti.
  10. I'm too lazy to read, tell me who to ban.
  11. MS-17-010: EternalBlue's Large Non-Paged Pool Overflow in SRV Driver

Posted on: June 2, 2017 at 1:10 am
Author: William Gamazo Sanchez (Vulnerability Research)

The EternalBlue exploit took the spotlight last May as it became the tie that bound the spate of malware attacks of these past few weeks: the pervasive WannaCry, the fileless ransomware UIWIX, the Server Message Block (SMB) worm EternalRocks, and the cryptocurrency mining malware Adylkuzz. EternalBlue (patched by Microsoft via MS17-010) is a security flaw related to how a Windows SMB 1.0 (SMBv1) server handles certain requests. If successfully exploited, it can allow attackers to execute arbitrary code on the target system. The severity and complexity of EternalBlue, alongside the other exploits released by the hacking group Shadow Brokers, can be considered medium to high.

We further delved into EternalBlue's inner workings to better understand how the exploit works and to provide technical insight on the exploit that wreaked havoc among organizations across various industries around the world.

Vulnerability Analysis

The Windows SMBv1 implementation is vulnerable to a buffer overflow in Large Non-Paged kernel pool memory through the processing of File Extended Attributes (FEAs) in the kernel function srv!SrvOs2FeaListToNt. The function srv!SrvOs2FeaListToNt calls srv!SrvOs2FeaListSizeToNt to calculate the received FEA LIST size before converting it to an NTFEA (Windows NT FEA) list. The following sequence of operations happens:
  • srv!SrvOs2FeaListSizeToNt calculates the FEA List size and updates the received FEA List size
  • The resulting FEA size is greater than the original value because of a wrong WORD cast
  • When the FEA List is iterated to be converted to an NTFEA LIST, there is an overflow in the non-paged pool because the original total size of the list was miscalculated

Overflow Analysis

Our analysis of the overflow applies to srv.sys 6.1.7601.17514_x86. The vulnerable code can be triggered using srv!SrvSmbOpen2. The trace is as follows:

    00 94527bb4 82171149 srv!SrvSmbOpen2 ➜ SrvOs2FeaListSizeToNt()
    01 94527bc8 821721b8 srv!ExecuteTransaction+0x101
    02 94527c00 8213b496 srv!SrvSmbTransactionSecondary+0x2c5
    03 94527c28 8214a922 srv!SrvProcessSmb+0x187
    04 94527c50 82c5df5e srv!WorkerThread+0x15c
    05 94527c90 82b05219 nt!PspSystemThreadStartup+0x9e
    06 00000000 00000000 nt!KiThreadStartup+0x19

To be able to analyze the overflow, we set the breakpoint:

    bp srv!SrvSmbOpen2+0x79 ".printf \"feasize: %p indatasize: %p fealist addr: %p\\n\",edx,ecx,eax;g;"

When the breakpoint is hit we have the following (in hex and decimal values):

    feasize: 00010000 (65536)
    indatasize: 000103d0 (66512)
    fealist addr: 89e980d8

From here we can see that the IN-DATA size 66512, the same value as the Total Data Count in the NT Trans Request, is bigger than the FEA list size 65536.

Figure 1: Snapshot of code showing IN-DATA size (highlighted)

What's notable here is that the pointer to IN-DATA will be cast to the FEA List structure, as shown below:

Figure 2: FEA List structure

After casting the IN-DATA buffer, we will have the FEA size 00010000 (65536) stored in FEALIST ➜ cbList. The next step in the SMB driver is to allocate a buffer to convert the FEA List to an NT FEA List. This means it is required to calculate the NTFEA list size, which is done by calling the srv!SrvOs2FeaListSizeToNt function. To see the returned values for this function, we put the following breakpoints:

    bp srv!SrvOs2FeaListToNt+0x10 ".printf \"feasize before: %p\\n\",poi(edi);r $t0 = @edi;g;"
    bp srv!SrvOs2FeaListToNt+0x15 ".printf \"NTFEA size: %p feasize after: %p\\n\",eax,poi(@$t0);g;"

After breaking we get:

    feasize before: 00010000
    feasize after: 0001ff5d
    NTFEA size: 00010fe8

Accordingly, we found that FEALIST ➜ cbList was updated from 0x10000 to 0x1ff5d. But what part of the code is making the wrong calculation? The code below shows how the error happens:

Figure 3: Code snapshot showing error in calculating FEALIST ➜ cbList

In the code snapshot above, line 40 onwards shows the calculation error. Because the original FEA list size was updated, the iteration to copy the values to the NTLIST will go beyond the NTFEA size returned in v6 (which was 00010fe8). Note that if the function returns at line 28 or at line 21 the FEA list is not updated. The other condition that leads to the update of v1, other than the one used by EternalBlue, is if there is trailing data at the end of the FEA list, but not enough to store another FEA structure.

We also analyzed what happens in kernel memory during a buffer overflow on the LARGE NON-PAGED kernel pool. When SrvOs2FeaListSizeToNt returns, the size required to store the NTFEA LIST is 00010fe8. This requires a Large Kernel Pool allocation in SRV.sys. Using the following breakpoints helps track exactly what happens when the FEA list is converted to the NTFEA list:

    bp srv!SrvOs2FeaListToNt+0x99 ".printf \"NEXT: FEA: %p NTFEA: %p\\n\",esi,eax;g;"
    bp srv!SrvOs2FeaToNt+04d ".printf \"MOV2: dst: %p src: %p size: %p\\n\",ebx,eax,poi(esp+8);g;"
    bp srv!SrvOs2FeaListToNt+0xd5

To sum it up, once SrvOs2FeaListSizeToNt is called and the pool allocated, the function SrvOs2FeaToNt is used while iterating over the FEA list to convert the elements of the list. Inside SrvOs2FeaToNt there are two _memmove operations where all the buffer copy operations happen. With the aforementioned breakpoints it is possible to track what happens during the FEA list conversion. The trace will take quite some time, however.

Figure 4: Code snapshot showing copy operations

After the trace, the breakpoint srv!SrvOs2FeaListToNt+0xd5 will hit and we can get all the data required to analyze the buffer overflow. There are 605 copy operations with size 0 because at the beginning of the payload the FEA list has 605 FEA structs with a 0-byte value. The next FEA size is F3B3 (copy 606) and the resulting copy ends at 85915ff0. After copy operation 606 we see the buffer at its end: 85905008 + 10FE8 = 85915FF0. However, another FEA iteration happens, and the size is A8 in this case. That overwrites the next memory area. Note that after overwriting the data, it is in a different pool, in this case the SRVNET.sys pool. After copy operation 607 there is a corrupted FEA and the server returns STATUS_INVALID_PARAMETER (0xC000000D). This is the last FEA in the final NT Transaction sent to the server.

Figure 5: Code snapshot showing the corrupted FEA and server return

EternalBlue's Exploration Capabilities

The overflow happens in NON-PAGED pool memory, and specifically in the Large NON-PAGED pool. Large non-paged pool allocations do not have a POOL header. Because of this, after the large pool buffer another pool buffer can be allocated, one that is owned by a driver with specific driver data. Therefore, the attack has to manipulate the pool buffer coming after the overflowed buffer. EternalBlue's technique is to control the SRVNET driver buffer structures. To achieve this, both buffers should be aligned in memory. To create the NON-PAGED POOL alignment, the kernel pool should be sprayed. The technique is as follows:
  • Create multiple SRVNET buffers (grooming the pool)
  • Free some of the buffers to create holes where the SRV buffer will be copied
  • Send the SRV buffer to overflow the SRVNET buffer

Exploitation Mechanism

The vulnerable code for the buffer overflow works on KERNEL NON-PAGED memory. It also works in the LARGE NON-PAGED POOL. Those kinds of pools do not have any POOL headers embedded at the beginning of the page, so special techniques are required to exploit them. The technique requires reversing some structure that can be allocated in the overflow area, as shown below:

Figure 6: EternalBlue's exploit mechanism

The creation of multiple SRVNET buffers (kernel grooming) shown above approximates what happens in memory and is simply used to represent the idea. Note that we've also intentionally omitted other details to prevent our analysis from being misused.

Figure 7: EternalBlue's exploit chain

EternalBlue's Exploit Chain

EternalBlue goes through a chain of processes in order to successfully exploit a vulnerable system or network, as shown above. EternalBlue first sends the SRV buffer except for the last packet. This is because the Large NON-PAGED POOL buffer will be created when the last data in the transaction arrives at the server. The SMB server accumulates the DATA in an input buffer until all transaction data has been read. The total transaction data is specified in the initial TRANS packet. Once all transaction data has arrived, the SMB server processes the data. In this case, the data is dispatched to the SrvOpen2 function to read the data via the Common Internet File System (CIFS). At this point, EternalBlue ensures that all sent data has been received by the server by sending an SMB ECHO packet. Because the attack can be carried out over a slow network, this echo command is important. In our analysis, even if we sent the initial data, the "Vulnerable Buffer" isn't created in memory yet. Kernel grooming tries to allocate the SRV vulnerable buffer just before the SRVNET buffer. Kernel grooming employs these steps:
  • FreeHole_A: EternalBlue starts creating kernel hole A by sending an SMBv1 packet
  • SMBv2_1n: Send a group of SMBv2 packets
  • FreeHole_B: Send another free hole buffer; this one should be sent before the previous hole is freed to make sure another one is created
  • FreeHole_A_CLOSE: close the connection to make the buffer free, after which close A in order to create the free hole
  • SMBv2_2n: Send a group of SMBv2 packets
  • FreeHole_B_CLOSE: close the connection to make the buffer free
  • FINAL_Vulnerable_Buffer: Send the last packet of the vulnerable buffer

A Vulnerable Buffer is created in memory just before the SRVNET buffer and part of the SRVNET buffer is overwritten. The conversion from FEA List to NTFEA List returns an error because the FEA structs are invalid after a certain point, in which case the server returns STATUS_INVALID_PARAMETER (0xC000000D).

Patch your systems

Given how EternalBlue served as the doorway for much of the malware that severely impacted end users and enterprises worldwide, it also serves as a lesson on the importance of applying the latest patches and keeping your systems and networks updated. EternalBlue has already been issued a fix for Windows systems, including unsupported operating systems. Apart from implementing regular patch management for systems and networks, IT/system administrators are also recommended to adopt best practices such as enabling intrusion detection and prevention systems, disabling outdated or unnecessary protocols and ports (like 445), proactively monitoring network traffic, safeguarding the endpoints, and deploying security mechanisms such as data categorization and network segmentation to mitigate damage in case of exposure. Employing virtual patching can also help against unknown vulnerabilities.

Trend Micro Solutions

Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats such as fileless infections and those that abuse unpatched vulnerabilities. OfficeScan's Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these kinds of attacks even without any engine or pattern update. More in-depth information on Trend Micro's solutions for EternalBlue and the malware that leverage the exploit can be found in these technical support pages:
  • https://success.trendmicro.com/solution/1117192
  • https://success.trendmicro.com/solution/1117391

Source: http://blog.trendmicro.com/trendlabs-security-intelligence/ms17-010-eternalblue/
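The size-pass bug and the overflow it produces can be followed in a small model. The C program below is an added illustration, not Trend Micro's code and not srv.sys: the FEA and NT FEA layouts follow the formats the analysis names, the function names mirror the ones in the trace, every size in the constructed IN-DATA buffer is chosen here so the arithmetic is easy to check (it is not the EternalBlue payload), and the "name must be NUL-terminated" rule that ends the walk is an assumption standing in for srv.sys's own validation. Copies are only tallied, so the model itself never writes out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added model of the srv.sys FEA-list size bug described in the post (not Trend Micro's code,
 * not srv.sys). Layouts follow the OS/2 FEA / NT FEA formats named above; the input is
 * constructed here with sizes chosen for easy arithmetic, not taken from the EternalBlue
 * payload. Assumes a little-endian host (the 16-bit store lands on the low half of cbList). */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define MODEL_STOPPED_AT_INDATA   0xEEEEEEEEu   /* model only: srv.sys would read past IN-DATA */
#pragma pack(push, 1)
typedef struct { uint8_t fEA; uint8_t cbName; uint16_t cbValue; } FEA; /* + name (cbName+1, NUL-terminated) + value */
typedef struct { uint32_t cbList; } FEALIST;                          /* + the FEA entries */
#pragma pack(pop)
static size_t fea_size(const FEA *f)   { return sizeof(FEA) + f->cbName + 1u + f->cbValue; }
static size_t ntfea_size(const FEA *f) { return (8u + f->cbName + 1u + f->cbValue + 3u) & ~(size_t)3; } /* 4-aligned NT FEA */

/* SrvOs2FeaListSizeToNt model: sum the NT sizes of the entries that fit in cbList; if bytes remain,
 * rewrite cbList to the walked size. The bug: the rewrite is a WORD store, so for cbList >= 0x10000
 * the high word survives and the "corrected" length grows instead of shrinking. */
static uint32_t fea_list_size_to_nt(FEALIST *list, int buggy)
{
    size_t off = sizeof(FEALIST), end = list->cbList;
    uint32_t nt_size = 0;
    while (off < end) {
        const FEA *f = (const FEA *)((uint8_t *)list + off);
        if (off + fea_size(f) > end) break;                   /* entry does not fit: trailing data */
        nt_size += (uint32_t)ntfea_size(f);
        off += fea_size(f);
    }
    if (off != end) {
        uint16_t low = (uint16_t)off;
        if (buggy) memcpy(&list->cbList, &low, sizeof low);  /* WORD cast: only the low word is written */
        else       list->cbList = (uint32_t)off;             /* patched behaviour: full DWORD */
    }
    return nt_size;
}

/* cbList as the conversion loop sees it, pool allocation from the size pass, bytes the loop would
 * copy, excess over the allocation, entries converted, and the resulting NTSTATUS. */
typedef struct { uint32_t cblist_after, allocated, written, overflow, copies, status; } convert_result;

/* SrvOs2FeaListToNt model: allocate from the size pass, then walk the list again up to cbList.
 * Copies are tallied, not performed. An entry whose name is not NUL-terminated counts as invalid
 * (assumption standing in for the server's checks) and ends the walk with STATUS_INVALID_PARAMETER. */
static convert_result fea_list_to_nt(uint8_t *indata, size_t indata_len, int buggy)
{
    convert_result r = { 0, 0, 0, 0, 0, STATUS_SUCCESS };
    r.allocated = fea_list_size_to_nt((FEALIST *)indata, buggy);
    r.cblist_after = ((FEALIST *)indata)->cbList;
    for (size_t off = sizeof(FEALIST); off < r.cblist_after; ) {
        if (off + sizeof(FEA) > indata_len || off + fea_size((const FEA *)(indata + off)) >= indata_len) { r.status = MODEL_STOPPED_AT_INDATA; break; }
        const FEA *f = (const FEA *)(indata + off);
        if (indata[off + sizeof(FEA) + f->cbName] != 0) { r.status = STATUS_INVALID_PARAMETER; break; }
        r.written += (uint32_t)ntfea_size(f);               /* the two memmoves in SrvOs2FeaToNt */
        r.copies++;
        off += fea_size(f);
    }
    r.overflow = r.written > r.allocated ? r.written - r.allocated : 0;
    return r;
}

static size_t put_fea(uint8_t *dst, uint16_t cbValue)      /* empty NUL-terminated name, zero-filled value */
{
    FEA f = { 0, 0, cbValue };
    memcpy(dst, &f, sizeof f); dst[sizeof f] = 0;
    return sizeof f + 1u + cbValue;
}

/* Constructed IN-DATA: cbList claims 0x10000 but the buffer is 0x400 bytes longer, like the
 * feasize/indatasize pair in the analysis. */
enum { DECLARED_CBLIST = 0x10000, INDATA_LEN = 0x10400 };
static uint8_t *build_indata(void)
{
    uint8_t *buf = calloc(1, INDATA_LEN); if (!buf) abort();
    FEALIST hdr = { DECLARED_CBLIST };
    memcpy(buf, &hdr, sizeof hdr);
    size_t off = sizeof hdr;
    for (int i = 0; i < 600; i++) off += put_fea(buf + off, 0); /* 600 empty entries: ends at 0xBBC */
    off += put_fea(buf + off, 0xF33F);                         /* ends exactly at 0xFF00 */
    off += put_fea(buf + off, 0x200);                          /* straddles the declared end: 0x10105 */
    buf[off + sizeof(FEA)] = 'X';                              /* next entry: name not NUL-terminated */
    return buf;
}

convert_result run_model(int buggy)
{
    uint8_t *buf = build_indata();
    convert_result r = fea_list_to_nt(buf, INDATA_LEN, buggy);
    free(buf); return r;
}

int main(void)
{
    convert_result v = run_model(1), p = run_model(0);
    printf("vulnerable: cbList 0x%x alloc 0x%x copied 0x%x (%u entries) overflow 0x%x status 0x%08x\n",
           (unsigned)v.cblist_after, (unsigned)v.allocated, (unsigned)v.written, (unsigned)v.copies, (unsigned)v.overflow, (unsigned)v.status);
    printf("patched:    cbList 0x%x alloc 0x%x copied 0x%x (%u entries) overflow 0x%x status 0x%08x\n",
           (unsigned)p.cblist_after, (unsigned)p.allocated, (unsigned)p.written, (unsigned)p.copies, (unsigned)p.overflow, (unsigned)p.status);
    return 0;
}
```

With the WORD store, the size pass walks to the entry that does not fit, writes that offset into the low word of cbList and leaves the 0x0001 high word in place, so the conversion loop is told the list is longer than the IN-DATA it was given; the pool allocation is sized for the entries that fit, and the straddling entry is the one that lands past its end before the corrupted entry stops the walk. With a full DWORD store (the patched behaviour), cbList shrinks to the walked size and the loop ends exactly where the allocation ends.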
  12. Black Hat Arsenal USA 2017

On June 1, 2017 @toolswatch announced the tools selected for Black Hat Arsenal USA 2017. Most of the selected tools are already present on GitHub and some are yet to be uploaded. This article contains the links to their respective repositories. The tools are arranged according to their tracks. If you like a tool, go to its repository and click Watch to keep updated on the latest commits and pushes. Some tools will be updated during/after the Arsenal event. Links to the GitHub repositories of those tools will eventually be updated in this article.

Android, iOS and Mobile Hacking
  • Android Tamer: https://github.com/AndroidTamer
  • DiffDroid: https://github.com/antojoseph/diff-droid
  • Kwetza: https://github.com/sensepost/kwetza
  • Needle: https://github.com/mwrlabs/needle
  • NoPE Proxy (Non-HTTP Proxy Extension): https://github.com/summitt/Burp-Non-HTTP-Extension

Code Assessment
  • Puma Scan: https://github.com/pumasecurity/puma-scan
  • Tintorera: Source Code Intelligence (code not yet uploaded): https://github.com/vulnex/Tintorera

Cryptography
  • Hashview: https://github.com/hashview/hashview
  • Gibber Sense: https://github.com/smxlabs/gibbersense

Data Forensics and Incident Response
  • PcapDB: Optimized Full Network Packet Capture for Fast and Efficient Retrieval: https://github.com/dirtbags/pcapdb
  • SCOT (Sandia Cyber Omni Tracker) Threat Intelligence and Incident Response Management System: https://github.com/sandialabs/scot
  • Security Monkey: https://github.com/Netflix/security_monkey
  • ThreatResponse: An Open Source Toolkit for Automating Incident Response in AWS: https://github.com/ThreatResponse
  • Yalda — Automated Bulk Intelligence Collection (code not yet uploaded): https://github.com/gitaziabari/Yalda

Exploitation and Ethical Hacking
  • AVET — AntiVirus Evasion Tool: https://github.com/govolution/avet
  • GDB Enhanced Features (GEF): https://github.com/hugsy/gef
  • Leviathan Framework: https://github.com/leviathan-framework/leviathan
  • MailSniper: https://github.com/dafthack/MailSniper
  • Seth: https://github.com/SySS-Research/Seth

Hardware/Embedded
  • ChipWhisperer: https://github.com/newaetech/chipwhisperer
  • DYODE, a DIY, Low-Cost Data Diode for ICS: https://github.com/arnaudsoullie/dyode
  • FTW: Framework for Testing WAFs: https://github.com/fastly/ftw
  • The Bicho: An Advanced Car Backdoor Maker: https://github.com/UnaPibaGeek/CBM

Internet of Things
  • Hacker Mode: https://github.com/xssninja/Alexa-Hacker-Mode
  • Universal Radio Hacker: Investigate Wireless Protocols Like a Boss: https://github.com/jopohl/urh

Malware Defense
  • Aktaion v2 — Open Source Machine Learning and Active Defense Tool: https://github.com/jzadeh/Aktaion
  • Cuckoo Sandbox: https://github.com/cuckoosandbox/cuckoo
  • LimaCharlie: https://github.com/refractionPOINT/limacharlie
  • Malboxes: https://github.com/GoSecure/malboxes

Network Attacks
  • BloodHound 1.3: https://github.com/BloodHoundAD/BloodHound
  • CrackMapExec v4: https://github.com/byt3bl33d3r/CrackMapExec
  • DELTA: SDN Security Evaluation Framework: https://github.com/OpenNetworkingFoundation/DELTA
  • eaphammer: https://github.com/s0lst1c3/eaphammer
  • gr-lora: An Open-Source SDR Implementation of the LoRa PHY: https://github.com/BastilleResearch/gr-lora
  • Yasuo: https://github.com/0xsauby/yasuo

Network Defense
  • Assimilator: https://github.com/videlanicolas/assimilator
  • Noddos: https://github.com/noddos/noddos
  • Sweet Security: https://github.com/TravisFSmith/SweetSecurity

OSINT — Open Source Intelligence
  • Datasploit — Automated Open Source Intelligence (OSINT) Tool: https://github.com/DataSploit/datasploit
  • Dradis: 10 Years Helping Security Teams Spend More Time Testing and Less Time Reporting: https://github.com/dradis/dradis-ce
  • OSRFramework: Open Sources Research Framework: https://github.com/i3visio/osrframework

Reverse Engineering
  • BinGrep: https://github.com/m4b/bingrep

Vulnerability Assessment
  • Aardvark and Repokid: https://github.com/square/Aardvark
  • SERPICO: https://github.com/SerpicoProject/Serpico
  • SimpleRisk: https://github.com/simplerisk/code

Web AppSec
  • BurpSmartBuster: A Smart Way to Find Hidden Treasures: https://github.com/pathetiq/BurpSmartBuster
  • CSP Auditor: https://github.com/GoSecure/csp-auditor
  • Easily Exploit Timing Attacks in Web Applications with the 'timing_attack' Gem: https://github.com/ffleming/timing_attack
  • Fuzzapi — Fuzzing Your RESTAPIs Since Yesterday: https://github.com/lalithr95/fuzzapi
  • Offensive Web Testing Framework (OWASP OWTF): https://github.com/owtf/owtf
  • PyMultiTor: https://github.com/realgam3/pymultitor
  • ThreadFix Web Application Attack Surface Calculation: https://github.com/denimgroup/threadfix
  • WaToBo — The Web Application Toolbox: https://github.com/siberas/watobo
  • WSSiP: A WebSocket Manipulation Proxy: https://github.com/nccgroup/wssip

If you haven't looked at the selected tools, check the embed below to view the complete details of the tools and their presenters.

The Black Hat Arsenal USA 2017 Phenomenal Line-Up Announced: Just a BIG w00w !! Over 90 tools covering hardware/embedded, IoT, Malware defense, exploitations and more ! We had… www.toolswatch.org

Source: https://medium.com/hack-with-github/black-hat-arsenal-usa-2017-3fb5bd9b5cf2
  13. PASSIVE GSM SNIFFING WITH SOFTWARE DEFINED RADIO

02/06/2017, Blog, by Rashid Feroze

I have been working on telecom security and software defined radio for a few months and I noticed that there are very limited resources on the internet for beginners who want to get into telecom security. Not many people from the security industry are into this and very little information has been shared online. I will be sharing here whatever I have learned in the past few months in a series of blog posts. Now, before getting into active security analysis of GSM networks, let's first see what we can do by just passively sniffing the airwaves around us. To sniff RF waves around us, the best way is to get your hands on an SDR.

WHAT IS AN SDR?

According to Wikipedia, software-defined radio (SDR) is a radio communication system where components that have typically been implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or embedded system. In simple terms, it refers to a technique in which all the processing is done in software. The processing mentioned includes mixing, filtering, demodulation etc. We can use an SDR to capture airwaves when tuned to a particular frequency. The range of frequencies it can capture and the bandwidth differ between SDR devices. Here, we will be using RTL-SDR, the cheapest one available, to sniff GSM.

GSM FREQUENCY BANDS

Before getting into details, let's first have a look at the different GSM frequency bands. GSM operates on a set of pre-defined frequencies designated by the International Telecommunication Union for the operation of GSM mobile phones.

Image: GSM frequency bands

In India, we use two bands, which are shaded in yellow in the above picture. A dual-band 900/1800 phone is required to be compatible with most networks around the world. For sniffing, first we need to identify the GSM downlink channels. Here we will be sniffing GSM data for our own phone, so we need to know which frequency it is operating on. We can do this by getting the ARFCN number from our phone. In GSM cellular networks, an absolute radio-frequency channel number (ARFCN) is a code that specifies a pair of physical radio carriers used for transmission and reception in a land mobile radio system, one for the uplink signal and one for the downlink signal.

I am using a Motorola G4, and on this phone we can get to the service mode by dialing *#*#4636#*#* on the phone keypad. I have switched the phone to 2G mode as analysis of 2G is much easier than 3G/4G. They use different encoding and encryption schemes and we can cover them later. Our ARFCN number is 672. We can calculate the exact frequency on which this phone is operating by using the ARFCN number. By using a simple ARFCN calculator we got to know the frequency our phone is operating on.

Image: ARFCN Calculator

Now let's tune our RTL-SDR to that particular frequency and find out what we can see.

Image: Gqrx tool

We can clearly see the GSM stream bits on that frequency. Let's also scan for all the GSM channels around us. This will give us confirmation about our downlink channel. We can use the kalibrate-rtl tool to scan GSM frequencies around us.

Image: kalibrate-rtl

Here also we can see our downlink channel, and it also gives us the offset value, which will help us calibrate our SDR better. Whatever data the SDR is receiving is just raw data which makes no sense. We can use GR-GSM to decode this raw data and process it into meaningful information.

Image: grgsm_livemon running

Now start Wireshark simultaneously and we will start seeing the GSM data packets in Wireshark. We can also filter out GSMTAP packets. This is a System Information Type 3 packet. Information needed by the MS for cell selection and reselection is broadcast with the help of this.

Image: Location Update message

CAN WE LISTEN TO VOICE CALLS THEN?

All the data channels are almost always encrypted using a stream cipher (A5) used to provide over-the-air communication privacy in the GSM cellular telephone standard. We can only see some of the control channels above which were not encrypted. All the calls and messages are encrypted using an encryption key (Kc) which is generated after an authentication mechanism by the Authentication Center (AUC) which follows a challenge-response authentication model. The SIM card stores an encryption key called Ki which is also stored by the AUC/HLR. Neither Ki nor Kc is ever exchanged over the network, therefore making it impossible to sniff encryption keys over the air. Moreover, the Kc changes before each call is set up. It means for every call there is a different encryption key. However, older versions of A5 can be cracked if we have enough computation power. Researchers have cracked A5/1 encryption by setting up the entire process in the cloud, which has huge computation power. Kraken is the tool that can be used for this. We cannot capture voice data with RTL-SDR because during a call, channel hopping takes place and the bandwidth of the RTL-SDR is not enough to capture the whole range at a time. We would need a better SDR with more bandwidth like a HackRF or any SDR device above that.

HOW DO INTELLIGENCE AGENCIES INTERCEPT OUR CALLS THEN?

1. DOWNGRADING THE ENCRYPTION ALGORITHM USED
Even if the operator is using a new and strong encryption algorithm, sometimes it is possible to force the operator to switch to a weaker encryption algorithm. Operators have to enable support for older encryption algorithms because many older phones don't have enough computation power to use new encryption algorithms.

2. SOME OPERATORS DON'T USE ANY ENCRYPTION AT ALL
During telecom security vulnerability assessments, it was found that sometimes operators turn off encryption schemes completely when the load on the network increases, so that they can reduce overhead traffic and accommodate more users easily.

3. MITM ATTACK
This is the most common attack vector, one that has been used for years by different hacker groups and intelligence agencies. One can create fake cell towers and fool a mobile station in the vicinity into connecting to that fake cell tower. All the mobile station data now goes through that fake cell tower and the person in control can force the MS to use no encryption at all.

4. GETTING THE SIM CARD ENCRYPTION KEYS
In 2015, it was in the news that some spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys (Ki) used to protect the privacy of cellphone communications across the globe. This key could be used to decrypt the GSM data.

WHAT NEXT?

We will talk more about security analysis of GSM networks using Osmocom-BB, we will set up our own GSM network using OpenBTS and discuss the attacks possible over the Um and Abis interfaces in the upcoming blog posts related to telecom security. Stay tuned.

Source: http://payatu.com/passive-gsm-sniffing-software-defined-radio/
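The ARFCN-to-frequency step in the post is done with a web calculator. The C program below is an added example, not code from the post, that does the same computation for the GSM bands following the channel arrangement in 3GPP TS 45.005 and keeps the result in kHz so the arithmetic is exact. It also makes the caveat visible that the post glosses over: the same ARFCN is valid in more than one band (512-810 in both DCS 1800 and PCS 1900, 0-124 in both P-GSM and E-GSM 900), so the band has to be known before tuning, and it is the downlink (BTS side) carrier that gr-gsm decodes. The ARFCN 672 in main() is the one read from the phone's service menu above; which band it belongs to is not stated in the post.

```c
#include <stdio.h>

/* ARFCN -> carrier frequency for the GSM bands, following 3GPP TS 45.005. Added example,
 * not code from the post; ARFCN 672 in main() is the value read from the phone above.
 * Frequencies are kept in kHz so the arithmetic is exact. */

typedef enum { GSM850, PGSM900, EGSM900, DCS1800, PCS1900, GSM_BAND_COUNT } gsm_band;
typedef struct { int ok; unsigned uplink_khz, downlink_khz; } gsm_carrier;

static const char *band_name(gsm_band b)
{
    static const char *names[GSM_BAND_COUNT] = { "GSM 850", "P-GSM 900", "E-GSM 900", "DCS 1800", "PCS 1900" };
    return b < GSM_BAND_COUNT ? names[b] : "?";
}

/* ok == 0 when the ARFCN is outside the band. The band is a required input: the same number
 * maps to different carriers in DCS 1800 and PCS 1900 (512-810 overlap) and in P-GSM and
 * E-GSM 900 (0-124 overlap; E-GSM adds 975-1023, which sit below 890 MHz). */
gsm_carrier arfcn_to_carrier(unsigned arfcn, gsm_band band)
{
    gsm_carrier c = { 0, 0, 0 };
    unsigned duplex_khz = 0;             /* downlink = uplink + duplex spacing */
    switch (band) {
    case GSM850:
        if (arfcn < 128 || arfcn > 251) return c;
        c.uplink_khz = 824200 + 200 * (arfcn - 128); duplex_khz = 45000; break;
    case PGSM900:
        if (arfcn < 1 || arfcn > 124) return c;
        c.uplink_khz = 890000 + 200 * arfcn; duplex_khz = 45000; break;
    case EGSM900:
        if (arfcn <= 124)                       c.uplink_khz = 890000 + 200 * arfcn;
        else if (arfcn >= 975 && arfcn <= 1023) c.uplink_khz = 890000 - 200 * (1024 - arfcn);
        else return c;
        duplex_khz = 45000; break;
    case DCS1800:
        if (arfcn < 512 || arfcn > 885) return c;
        c.uplink_khz = 1710200 + 200 * (arfcn - 512); duplex_khz = 95000; break;
    case PCS1900:
        if (arfcn < 512 || arfcn > 810) return c;
        c.uplink_khz = 1850200 + 200 * (arfcn - 512); duplex_khz = 80000; break;
    default:
        return c;
    }
    c.downlink_khz = c.uplink_khz + duplex_khz;   /* BTS side: the channel gr-gsm decodes */
    c.ok = 1;
    return c;
}

/* Fill out[] with every band in which arfcn is valid; returns how many there are. */
int which_bands(unsigned arfcn, gsm_band out[GSM_BAND_COUNT])
{
    int n = 0;
    for (int b = 0; b < GSM_BAND_COUNT; b++)
        if (arfcn_to_carrier(arfcn, (gsm_band)b).ok) out[n++] = (gsm_band)b;
    return n;
}

int main(void)
{
    unsigned arfcn = 672;
    gsm_band bands[GSM_BAND_COUNT];
    int n = which_bands(arfcn, bands);
    for (int i = 0; i < n; i++) {
        gsm_carrier c = arfcn_to_carrier(arfcn, bands[i]);
        printf("ARFCN %u in %s: uplink %u.%u MHz, downlink %u.%u MHz\n", arfcn, band_name(bands[i]),
               c.uplink_khz / 1000, c.uplink_khz % 1000 / 100, c.downlink_khz / 1000, c.downlink_khz % 1000 / 100);
    }
    return 0;
}
```

For a sniffing setup this is the check to run before pointing Gqrx or grgsm_livemon at a frequency: if which_bands() returns more than one candidate, confirm the band from the phone's service menu or from the kalibrate-rtl scan (which is run per band) rather than trusting a single calculator result.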
  14. How much does a programmer earn, and how do we compare with programmers' salaries in other countries?

Tuesday, 23 May 2017, 7594 views

According to the salary data contributed by Undelucram.ro users over the last 4 years, we identified a minimum net salary starting from 1,000 RON (an entry-level position, for limited experience) and reaching a maximum of 16,000 RON. Excluding the few extremes, our users who shared data about their salary income with the community earn on average 4,418 RON, or approx. 1,000 EUR. (Source: Undelucram.ro)

How does this average compare with the data collected by the statistics institute? The latest value recorded, for March 2017, shows an average employee earning in "Information technology service activities; computer service activities" equal to 5,880 RON (approx. 1,292 EUR). We note, however, that the data collected by INS refers to a broader field of activity, so the average may also include salaries that are not directly related to programming. In 2016, IT employees' salaries grew by 22% compared with the previous year, while the first 3 months of 2017 show a 9% year-over-year increase.

How do we compare with salaries in the countries of the region, Western Europe, and North America? (Sources: Undelucram.ro, INS, Eurostat, national statistics institutes of Western Europe and North America)

As we noted, the data from some national statistics institutes does not provide values exclusive to programming. Instead, an average is computed from all salaries in the IT field. In the chart above, this is the case for the data provided by INS, but also for that provided by the statistics institutes of some Central European countries. Overall, the values in the region are quite close; moreover, Romania is ahead of Central Europe on this aggregated IT-sector average: 1,251 EUR vs. 1,154 EUR in the region. The situation changes radically in comparison with countries considered developed, and here the values are directly comparable with the Undelucram data, because they refer strictly to programming activities. A programmer in Western Europe earns on average 3,155 EUR, and one in North America 4,547 EUR, approximately 3 and 4 times more, respectively, than the salary in Romania.

How does the data look when compared with the cost-of-living index of the respective geographical locations? (Source: Numbeo.com) In Central Europe, the cost-of-living index is only about 15% higher than in Romania. In Western European countries, as well as overseas, the cost of living is more or less DOUBLE.

How do programmers' salaries look when adjusted to the purchasing power of the regions compared? (Source: Undelucram.ro calculations, Numbeo.com) Even adjusted for purchasing power, compared with our country, programmers' salaries are 60% higher in Western Europe and more than double in North America.

Besides salaries, what other benefits do employees working in PROGRAMMING receive?
  • Medical insurance and flexible schedule: the large majority, 61% and 67% respectively
  • Meal vouchers: fewer than half, 42%
  • 13th salary and voluntary pension: very few, 30% and 10% respectively

Tell the community how much you earn. Your post is and will remain anonymous.

Source: https://www.undelucram.ro/stire/cat-castiga-un-programator-si-cum-ne-raportam-la-alte-tari-1105
  15. Great, looks good.