Nytro

Everything posted by Nytro

  1. Yes, it's not worth it. It's not for us.
  2. 9:2 A Sermon on Newton and Turing
     9:3 Globalstar Satellite Communications
     9:4 Keenly Spraying the Kernel Pools
     9:5 The Second Underhanded Crypto Contest
     9:6 Cross VM Communications
     9:7 Antivirus Tumors
     9:8 A Recipe for TCP/IPA
     9:9 Mischief with AX.25 and APRS
     9:10 Napravi i ti Računar „Galaksija“
     9:11 Root Rights are a Grrl’s Best Friend!
     9:12 What If You Could Listen to This PDF?
     9:13 Oona’s Puzzle Corner!
     Link: https://www.alchemistowl.org/pocorgtfo/pocorgtfo09.pdf
  3. Android 5.x Lockscreen Bypass (CVE-2015-3860)
     Posted on September 15, 2015 by jgor
     A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device. By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen. At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein.
     September 2015: Elevation of Privilege Vulnerability in Lockscreen (CVE-2015-3860)
     The attack requires the following criteria:
     Attacker must have physical access to the device
     User must have a password set (pattern / PIN configurations do not appear to be exploitable)
     Proof-of-concept – Nexus 4 factory image 5.1.1 (build LMY48I):
     Source: Android 5.x Lockscreen Bypass (CVE-2015-3860) | UT Austin Information Security Office
  4. You really love commenting nonsense... If you're not interested, don't post. Stick to McDonald's.
  5. Yeah, that thing is slick, a quick web shell.
  6. You are za best! Thanks!
  7. I don't know if this has already been posted: Criza refugiaților e de fapt o invazie musulmană organizată | NapocaNews
  8. There will also be a web security workshop: https://www.owasp.org/index.php/OWASP_EEE_Bucharest_Event_2015#tab=Agenda If you're interested, or have friends who work in web, I recommend it.
  9. That's what I'd like to understand too. What could I do with such an account?
  10. My first Defcon experience
      Defcon is a meta-conference which anyone passionate about IT security should attend. It is more than a conference, it is the heaven of hackers and security professionals, a place where you will definitely find something both cool and useful, whether you are interested in web security, reverse engineering, social engineering, hardware, lock-picking, Internet of Things or car-hacking topics.
      Article: My first Defcon experience – Security Café
      A few photos and thoughts about the conference. Unfortunately, I didn't get to see everything that was there. I hope to make it next year too.
  11. If it's true, it's just one more reason for me to use it. Anyway, from their statements, I understood that various AV companies were using their signatures. Stealing them. So it would seem like a brilliant revenge to me.
  12. IP.Board 4.X - Stored XSS
      # Exploit Title: IP.Board 4.X Stored XSS
      # Date: 27-08-2015
      # Software Link: https://www.invisionpower.com/
      # Exploit Author: snop.
      # Contact: http://twitter.com/rabbitz_org
      # Website: http://rabbitz.org
      # Category: webapps
      1. Description
      A registered or non-registered user can create a calendar event including malicious JavaScript code which will be permanently stored in the page source.
      2. Proof of Concept
      http://URL_TO_FORUM/calendar/submit/?calendar=1
      POST:
      Affected Parameter: event_location[address][]
      3. Solution
      Update to version 4.0.12.1
      https://community.invisionpower.com/release-notes/40121-r22/
      Disclosure Timeline
      27.07.15: Vendor notified
      05.08.15: Fix released
      27.08.15: Public disclosure
      Source: https://www.exploit-db.com/exploits/37989/
  13. bot/gate.php Doesn't look like "educational purposes".
  14. Beleth - Dictionary based SSH cracker
      Usage: ./beleth [OPTIONS]
      -c [payload]   Execute payload on remote server once logged in
      -h             Display this help
      -l [threads]   Limit threads to given number. Default: 4
      -p [port]      Specify remote port
      -P [password]  Use single password attempt
      -t [target]    Attempt connections to this server
      -u [user]      Attempt connection using this username
      -v             -v (Show attempts) -vv (Show debugging)
      -w [wordlist]  Use this wordlist. Defaults to wordlist.txt
      Example:
      $ ./beleth -l 15 -t 127.0.0.1 -u stderr -w wordlist.txt
      Beleth
      www.chokepoint.net
      [*] Read 25 passwords from file.
      [*] Starting task manager
      [*] Spawning 15 threads
      [*] Starting attack on root@127.0.0.1:22
      [*] Authentication succeeded (root:jesus@127.0.0.1:22)
      [*] Executing: uname -a
      [*] Linux eclipse 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1+deb7u1 i686 GNU/Linux
      [*] Cleaning up child processes.
      Source: https://github.com/chokepoint/Beleth
  15. Hacking an aircraft: is it already real?
      August 26, 2015 Ilja Shatilin
      In-flight security made quite a lot of headlines earlier this summer, but this time from an unusual angle. Aviation has always been focused on safety and had remained the most secure industry that ever existed. However, the buzz was about another aspect of security — the one quite surprising for an average passenger and quite expected for an IT specialist. It’s not a secret that today’s aircraft are one huge computer, with the pilot being more of a PC operator than an actual ‘ace’ pilot — he handles the single task of supervising smart machinery. An orientation pilot and a panel operator are no more, fully replaced by computers. As it turned out, those computers are as hackable as the rest.
      The potential impact of a hacker attack on a plane is devastating: just think of a terrorist who would no longer have to hold passengers hostage or break into the cockpit. The only thing the culprit would need to wreak havoc is a laptop.
      The wave of panic emerged in spring with the report on on-board Wi-Fi security published by the US Government Accountability Office. The connection between aviation, cybersecurity and the GAO remains unclear, yet some media outlets managed to invent a lot of dreadful stories for the common folk: according to a number of publications, terrorists would now be able to hijack planes while sitting with a tablet in the backyard and make target aircraft land in the same yard.
      The @USGAO has 168 #security recommendations to improve FAA network security. http://t.co/IwyzS55anS — Threatpost (@threatpost) March 3, 2015
      Obviously no one bothered to read the full report: aerophobic people craved another reason to believe airplanes were the most dangerous means of transportation.
      At the same time, the report is a terrific bore: it contains pages and pages of claims that since the Internet is accessible on board through Wi-Fi and satellite, it’s time the industry thought of securing this channel. An unencrypted 802.11 network is insecure per se, and in this very application it serves as a local network, like the one you have at home or in the office, so someone could log in and hack other devices connected to this on-board network. The possibility of getting access to flight management systems through on-board Wi-Fi is referenced as theoretically plausible, since no one has even managed to do that.
      However, then an extravagant and, obviously, fame-hungry aviation security researcher popped up out of nowhere. Chris Roberts boarded a United flight and tweeted:
      Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? — Chris Roberts (@Sidragon1) April 15, 2015
      As a result, upon landing at the destination airport he was approached by strangers who urged him to follow them, as it later turned out, into a dimly lit room with FBI agents. His laptop and tablet were confiscated for further investigation and he was held for questioning for hours. The airline, meanwhile, cancelled his return ticket.
      The tweet was a joke that was supposed to attract attention to Roberts: he had been dealing with in-flight systems security for a number of years, without particular attention from the industry players. Later, during the investigation, Roberts admitted he had managed to gain control over the flight management system for a brief period of time and was even able to change the direction of the flight. Moreover, he revealed the details of the ‘hack’: he tampered with the in-flight entertainment system by connecting to its bus through a custom adapter.
      Except for the hacker’s word, there is no proof he actually managed to hijack control over the flight management system. Drawing a different course on the maps broadcast on the passengers’ multimedia displays and really changing it are not the same thing. If the course had really been changed, it would not have gone unnoticed by pilots and dispatchers, which would provide reason enough for a very serious investigation.
      Digital Security, a Russian security firm, studied 500 flights of 30 different airlines over five years and found out that there are security vulnerabilities on planes, and hackers have tried to exploit them in order to discover the potential of such hacks. Briefly summarized, there are certain entry points in the aircraft’s IT systems which are of interest to culprits:
      Flight Management System
      Router or another networking appliance which facilitates communication between systems, for instance SATCOM, a satellite communication server
      Multimedia server
      Terminal multimedia devices
      An easy target would be a multimedia device, which is built into the seat in front of the passenger. Once it is attacked, a hacker is able to infiltrate its operating system and use it to compromise other systems. There are several ways to execute such an attack. One could leverage a vulnerable USB port to plug in a keyboard emulator and send commands into the system. Or, for instance, it’s possible to exploit a bug in the software responsible for multimedia playback from a thumb drive. Some aircraft, in addition to USB, have complementary RJ-45 ports, which enable a wider arsenal of hacking tricks from a connected laptop. A savvy hacker would be able to gain control over the entire in-flight multimedia system and even get hold of a multimedia server, which is challenging but feasible.
      The main thing: some aircraft feature RJ-45 ports marked as “Private use only.” It’s possible that once connected through this port, a hacker would be able to access critical system elements. There is no evidence of such an attack offering access to flight management systems, though.
      At the same time, there were cases of malfunctioning due to software bugs. Recently, three of four engines of a cargo Airbus failed during takeoff because the calibration data was lost due to an incorrect software update, resulting in a crash.
      Airbus confirms software configuration error caused plane crash http://t.co/cw6IRPZUUW by @thepacketrat — Ars Technica (@arstechnica) June 1, 2015
      This happened because programmers did not think of an alert for these types of failures. They did not even think that those configuration files could go amiss: software updates are supposed to check whether configuration files are there. Due to this flaw, the sensor data was interpreted incorrectly; the main computer thought that the affected engines had failed and turned them off – software developers did not consider simultaneous failure of more than two engines: with only two functional engines the plane would have continued the flight and successfully performed an emergency landing.
      A bug was also discovered in Boeing planes: the Boeing 787 Dreamliner may suffer a complete electrical shutdown during flight: if all four power generators are started simultaneously and operate incessantly for 248 days, they’d shut down in an emergency mode, leaving the plane in a blackout.
      US aviation authority: Boeing 787 software bug could cause 'loss of control' http://t.co/fFUqjlR3DX — The Guardian (@guardian) May 1, 2015
      The reason for the failure is simple: stack overflow in the internal timer.
      It’s understandable that such a coincidence is hardly plausible in real-life scenarios, but this case may serve as a reminder that an aircraft managed by a computer is susceptible to the same flaws as any other computer, including your desktop. So, don’t be surprised once you learn about Kaspersky Inflight Security’s availability on the market.
      Source: https://blog.kaspersky.com/hacking-aircraft-is-it-real/9659/
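The 248-day figure in the Boeing 787 item is what you get when a signed 32-bit counter of 1/100-second ticks reaches 2^31. This is an added C example, not code from the article or from any aircraft system: the 100 Hz tick rate is an assumption, and the unsigned-difference comparison at the end is the usual wraparound-tolerant idiom rather than anything the article describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the counter advances 100 times per second (10 ms ticks). */
#define TICKS_PER_SEC 100u
#define SECS_PER_DAY  86400u

/* Days of continuous operation before a signed 32-bit tick counter
 * passes INT32_MAX. With 10 ms ticks this is about 248.55 days, the
 * figure quoted for the 787 generator control units. */
double days_to_signed_overflow(void)
{
    return (double)INT32_MAX / TICKS_PER_SEC / SECS_PER_DAY;
}

/* The fragile pattern: a 32-bit hardware counter interpreted as a
 * signed integer. At tick 2^31 the register still holds a sensible
 * unsigned value, but read as int32_t it becomes INT32_MIN, so any
 * "uptime >= 0" or "uptime > previous" check fails abruptly. */
int32_t signed_view_after_ticks(uint64_t ticks)
{
    uint32_t raw = (uint32_t)ticks;              /* register width: wraps mod 2^32 */
    int32_t as_signed;
    memcpy(&as_signed, &raw, sizeof as_signed);  /* reinterpret the same bits */
    return as_signed;
}

/* The robust pattern: keep the counter unsigned and only ever compare
 * differences. Unsigned subtraction is defined modulo 2^32, so the
 * result is correct for any two readings less than 2^32 ticks apart,
 * no matter how many times the counter has wrapped in between. */
uint32_t elapsed_ticks(uint32_t start, uint32_t now)
{
    return (uint32_t)(now - start);
}

/* "Has the deadline passed?" without ever comparing absolute values.
 * Valid as long as now and deadline are within 2^31 ticks of each other. */
bool deadline_reached(uint32_t now, uint32_t deadline)
{
    return (uint32_t)(now - deadline) < 0x80000000u;
}

int main(void)
{
    printf("signed 32-bit counter at %u Hz overflows after %.2f days\n",
           TICKS_PER_SEC, days_to_signed_overflow());
    printf("signed view at tick 2^31 - 1: %d\n",
           signed_view_after_ticks((uint64_t)INT32_MAX));
    printf("signed view at tick 2^31:     %d\n",
           signed_view_after_ticks((uint64_t)INT32_MAX + 1));

    /* Constructed readings: the counter wrapped between start and now. */
    uint32_t start = 0xFFFFFF00u, now = 0x00000100u;
    printf("elapsed across the wrap: %u ticks\n", elapsed_ticks(start, now));
    printf("deadline 0x%08X reached at 0x%08X: %s\n", start, now,
           deadline_reached(now, start) ? "yes" : "no");
    return 0;
}
```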
  16. DEF CON 23 - Charlie Miller & Chris Valasek - Remote Exploitation of an Unaltered Passenger Vehicle
      Although the hacking of automobiles is a topic often discussed, details regarding successful attacks, if ever made public, are non-comprehensive at best. The ambiguous nature of automotive security leads to narratives that are polar opposites: either we’re all going to die or our cars are perfectly safe. In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle. Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle’s hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle. By chaining these elements together, we will demonstrate the reality and limitations of remote car attacks.
      Charlie Miller is a security engineer at Twitter, a hacker, and a gentleman. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four-time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated". Twitter: @0xcharlie
      Christopher Valasek is the Director of Vehicle Security Research at IOActive, an industry leader in comprehensive computer security services. Valasek specializes in offensive research methodologies with a focus in reverse engineering and exploitation. Valasek is known for his extensive research in the automotive field and his exploitation and reverse engineering of Windows. 
Valasek is also the Chairman of SummerCon, the nation's oldest hacker conference. He holds a B.S. in Computer Science from the University of Pittsburgh. Twitter: @nudehaberdasher
  17. You have the code that does this here: https://github.com/NytroRST/NetRipper Read and understand.
  18. Has anyone applied to the Call for Papers/Presentations?
  19. No. You declare a pointer, an uninitialized pointer, and allocate space based on "strlen(uninitialized pointer)"?
      @StoneIce:
      char fname[35] = "Shawn Little";
      NOT
      char* fname[35] = "Shawn Little";
      char namez[50];
      namez = (char*) malloc(50*sizeof(char));
      It is either char namez[50] OR char *namez = (char *)malloc(...) but NOT both. Come on, C is not that complicated. Just RTFM.
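To make the point concrete, here is an added C example (not code from the post or from StoneIce): the array form and the heap-allocated form side by side, with the allocation sized from a string that has actually been initialised. Only the name "Shawn Little" comes from the post; the function names are illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Array form: the compiler reserves 35 bytes of automatic storage and
 * the string literal is copied into it. No malloc, no free. */
size_t array_form_capacity(void)
{
    char fname[35] = "Shawn Little";   /* 12 characters + NUL, fits in 35 */
    return sizeof fname;               /* 35: a real array knows its size */
}

/* What `char *fname[35]` actually declares: 35 *pointers*, not 35 chars,
 * and a string literal is not a valid initializer for it. That is why
 * the post rejects that spelling. */
size_t pointer_array_bytes(void)
{
    char *wrong[35];
    return sizeof wrong;               /* 35 * sizeof(char *), not 35 */
}

/* Pointer form: storage comes from malloc, and its size is derived from
 * a source string that has been initialised. Calling strlen() on an
 * uninitialised pointer, as in the criticised code, is undefined
 * behaviour; here `src` is required to be a valid string. */
char *copy_name(const char *src)
{
    if (src == NULL)
        return NULL;
    size_t len = strlen(src);          /* defined: src points at a real string */
    char *namez = malloc(len + 1);     /* +1 for the terminating NUL */
    if (namez == NULL)
        return NULL;                   /* report allocation failure, don't ignore it */
    memcpy(namez, src, len + 1);
    return namez;
}

int main(void)
{
    char *namez = copy_name("Shawn Little");
    if (namez == NULL)
        return 1;
    printf("char fname[35] occupies %zu bytes; char *wrong[35] occupies %zu bytes\n",
           array_form_capacity(), pointer_array_bytes());
    printf("heap copy: \"%s\" (%zu characters)\n", namez, strlen(namez));
    free(namez);                       /* only the malloc'd form needs free() */
    return 0;
}
```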
  20. Finally a tutorial that people actually read. Or at least look at the pictures.
  21. Such security. Much wow. Pentest.
  22. Hacking DefCon 23’s IoT Village Samsung fridge
      Posted on Tuesday, August 18th, 2015 by Pedro Venda.
      As well as running the Hacking You Fat: The FitBit Aria workshop at DefCon 23’s IoT Village this year (more on that later), we also thought we’d take on their big fridge challenge: “Can you own our #IoT #Samsung - RF28HMELBSR fridge ::] @_defcon_”. As a team we’re doing more and more IoT research and hacking, so this was a great opportunity to work on something we can’t get our hands on in the UK yet. It was a full-on team effort over the course of a day, so I’ve gathered everyone’s notes here.
      What’s the fridge?
      In the summer of last year Samsung brought out their RF28HMELBSR smart fridge, the successor to the RF4289HARS from two years previous. The fridge is part of Samsung’s line-up of Smart Home appliances which can be controlled via their Smart Home app.
      Man in the middle attack
      Whilst the fridge implements SSL, it FAILS to validate SSL certificates, thereby enabling man-in-the-middle attacks against most connections. This includes those made to Google's servers to download Gmail calendar information for the on-screen display. So, MITM the victim’s fridge from next door, or on the road outside, and you can potentially steal their Google credentials.
      The notable exception to the rule above is when the terminal connects to the update server - we were able to isolate the URL https://www.samsungotn.net which is the same one used by TVs, etc. We generated a set of certificates with the exact same contents as those on the real website (fake server cert + fake CA signing cert) in the hope that the validation was weak, but it failed. The terminal must have a copy of the CA and is making sure that the server's cert is signed against that one. We can't hack this without access to the file system where we could replace the CA it is validating against. Long story short, we couldn't intercept communications between the fridge terminal and the update server.
      Google Calendar service
      The fridge runs Google Calendar, so you can set events and generally boss your family around from the fridge screen! It’s a usable feature and one that hasn’t gone without its own share of API update bugs. This should have been an excellent route to get content on to the fridge; attaching tags and more to calendar entries. However, as HTML and other mark-up is not interpreted, we couldn’t get a foothold there either.
      Firmware attack
      We also looked at the possibility of faking a firmware update to compromise the unit via a malicious custom update. We found the URL scheme to download the file, but we still need to find out a number of parameters to complete the URL. These are not secret things, just difficult to guess, like a code name for the model of the device, likely a serial number, etc.
      TCP services and certificate challenges
      The fridge's terminal has at least 2 listening services. One on port 4444 (SSL) and one on port 8888. The service on port 4444 requires a client side certificate for most requests, though not all are validated against the client side cert. We suspect this is used by the mobile app and therefore the cert must be located in the mobile app code.
      The mobile app
      We pulled apart the mobile app and found what we believe is the certificate inside a keystore. We “believe” we did because it has a name that suggests this. However, it is correctly passworded and we are yet to extract the password that opens the key store. We think we’ve found the password to the certificate in the client side code, but it’s obfuscated and we haven’t got round to reversing it, yet.
      Conclusion
      …and that's how far we got. We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time. However, we still found some interesting bugs that definitely merit further investigation. The MITM alone is enough to expose a user’s Gmail creds.
      The fridge STILL isn’t shipping in the UK, nor can we find any other Samsung smart fridges on the market here.
      Source: http://www.pentestpartners.com/blog/hacking-defcon-23s-iot-village-samsung-fridge/
  23. Native Java Bytecode Debugging without Source Code
      12 Feb 2014 Jason Geffner
      At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwind becoming increasingly prevalent. Reverse engineering Java is typically very straightforward, since excellent Java binary decompilers have existed for years. Tools like JD-GUI make Java analysis a breeze and do an excellent job at recovering Java binaries’ source code (minus the comments). In cases where we need to dynamically debug Java programs, decompiled Java can be exported from the decompiler and then imported into a Java IDE like Eclipse as part of a new Java project. This allows us to build a project using the decompiled code and then dynamically debug it through the IDE. However, this all goes out the window when dealing with Java bytecode-based obfuscation, as most Java IDEs won’t compile raw JVM instructions, nor allow you to step through these instructions without the original source code.
      (screenshots: Decompiled Non-Obfuscated Java; Decompiled Obfuscated Java)
      The best solution we’ve found for debugging malware’s native Java bytecode is Dr. Garbage’s Bytecode Visualizer. We haven’t seen any thorough walkthroughs on installing and using Bytecode Visualizer, so this blog entry serves as a step-by-step guide on how to dynamically analyze native Java bytecode with Bytecode Visualizer:
      1. Install the Java SE JDK
      The Java Standard Edition Development Kit can be downloaded from Oracle’s website at http://www.oracle.com/technetwork/java/javase/downloads/index.html. JDK 7 is currently the latest version and can be downloaded directly from http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html. During the JDK installation, be sure to have the JDK installer install the Public JRE as well if it isn’t already installed:
      (screenshot: Installation Options)
      2. Install Eclipse
      The Eclipse IDE for Java Developers can be downloaded from https://www.eclipse.org/downloads/packages/eclipse-ide-java-developers/keplersr1 (the download links are on the right side of the page).
      3. Install Bytecode Visualizer
      Run Eclipse and in the menu bar go to Help → Eclipse Marketplace… In the Search tab of the Eclipse Marketplace window, type “Dr. Garbage” into the Find textbox and press the Go button:
      (screenshot: Eclipse Marketplace)
      Scroll to Bytecode Visualizer and press the Install button. Once installation is completed, restart Eclipse when prompted.
      4. Load the JAR to be Analyzed
      Once Eclipse restarts, close the Welcome tab, and in the menu bar go to File → New → Java Project. Specify any project name you like and press the Next button:
      (screenshot: Create a Java Project)
      In the Java Settings window, click the Libraries tab. In the Libraries tab, press the Add External JARs button and select the JAR file you want to debug, thereby adding it to the Java project’s build path:
      (screenshot: Java Settings)
      Once the JAR has been added to the build path, press the Finish button.
      5. Open the JAR’s Code with Bytecode Visualizer
      In the Package Explorer tab, expand your project’s Referenced Libraries to find your JAR file. Right-click on the class you want to debug and select Open with Bytecode Visualizer:
      (screenshot: Open with Bytecode Visualizer)
      6. Set Breakpoints
      With the JAR’s code now visible in Bytecode Visualizer, you can set breakpoints by double-clicking on the vertical gray bar to the left of the disassembled Java code:
      (screenshot: Setting a Breakpoint)
      Note that Bytecode Visualizer only allows you to set breakpoints on method entry points (the first instruction of a method); you can’t set breakpoints on arbitrary instructions.
      7. Debugging the Disassembled Code
      You can now run the disassembled code by right-clicking on the class you want to debug and choosing Debug As → Java Application:
      (screenshot: Debug as Java Application)
      In the Debug perspective view, there are buttons to Step Into Bytecode and Step Over Bytecode (circled in red below). Use the Step Over Bytecode button to perform standard single-stepping; use the Step Into Bytecode button only to step into calls. The Debug perspective also allows you to see local variables in the Variables tab, and to add your own watches in the Expressions tab (you can add this tab via Window → Show View → Expressions in the menu bar); you can see below that I added a watch/expression for variable b:
      (screenshot: Debug Perspective)
      As far as we’ve seen, Bytecode Visualizer does not offer a view of the raw JVM stack, but even without it, tracing the code flow via single-stepping and examining memory with the Variables and Expressions tabs should typically allow you to successfully debug your target as needed.
      For more information on Java-based malware or the adversaries using it, including detection logic or any of the adversaries tracked by CrowdStrike, please contact: intelligence@crowdstrike.com and inquire about our Intelligence subscription.
      Source: http://blog.crowdstrike.com/native-java-bytecode-debugging-without-source-code/