Nytro (Administrators)
Posts: 18772 · Days Won: 729

Everything posted by Nytro

  1. You are za best! Thanks!
  2. I don't know if it has already been posted: "Criza refugiaților e de fapt o invazie musulmană organizată" (The refugee crisis is actually an organized Muslim invasion) | NapocaNews
  3. There will also be a web security workshop: https://www.owasp.org/index.php/OWASP_EEE_Bucharest_Event_2015#tab=Agenda If you are interested, or have friends who work on the web, I recommend it.
  4. That's what I would like to understand too. What could I do with such an account?
  5. My first Defcon experience
Defcon is a meta-conference which anyone passionate about IT security should attend. It is more than a conference, it is the heaven of hackers and security professionals, a place where you will definitely find something both cool and useful, whether you are interested in web security, reverse engineering, social engineering, hardware, lock-picking, Internet of Things or car-hacking topics.
Article: My first Defcon experience – Security Café
A few photos and opinions about the conference. Unfortunately, I didn't get to see everything that was there. I hope to make it there next year too.
  6. If it's true, it's just one more reason to use it. Anyway, from their statements, I understood that various AV companies were using their signatures. They were stealing them. So it would seem like a brilliant revenge to me.
  7. IP.Board 4.X - Stored XSS
# Exploit Title: IP.Board 4.X Stored XSS
# Date: 27-08-2015
# Software Link: https://www.invisionpower.com/
# Exploit Author: snop.
# Contact: http://twitter.com/rabbitz_org
# Website: http://rabbitz.org
# Category: webapps
1. Description
A registered or non-registered user can create a calendar event including malicious JavaScript code which will be permanently stored in the page source.
2. Proof of Concept
http://URL_TO_FORUM/calendar/submit/?calendar=1
POST: Affected Parameter: event_location[address][]
3. Solution
Update to version 4.0.12.1
https://community.invisionpower.com/release-notes/40121-r22/
Disclosure Timeline
27.07.15: Vendor notified
05.08.15: Fix released
27.08.15: Public disclosure
Source: https://www.exploit-db.com/exploits/37989/
  8. bot/gate.php Doesn't look like "educational purposes".
  9. Beleth - Dictionary based SSH cracker
Usage: ./beleth [OPTIONS]
  -c [payload]    Execute payload on remote server once logged in
  -h              Display this help
  -l [threads]    Limit threads to given number. Default: 4
  -p [port]       Specify remote port
  -P [password]   Use single password attempt
  -t [target]     Attempt connections to this server
  -u [user]       Attempt connection using this username
  -v              -v (Show attempts) -vv (Show debugging)
  -w [wordlist]   Use this wordlist. Defaults to wordlist.txt
Example:
$ ./beleth -l 15 -t 127.0.0.1 -u stderr -w wordlist.txt
+----------------------------------------+
| Beleth                                 |
| www.chokepoint.net                     |
+----------------------------------------+
[*] Read 25 passwords from file.
[*] Starting task manager
[*] Spawning 15 threads
[*] Starting attack on root@127.0.0.1:22
[*] Authentication succeeded (root:jesus@127.0.0.1:22)
[*] Executing: uname -a
[*] Linux eclipse 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1+deb7u1 i686 GNU/Linux
[*] Cleaning up child processes.
Source: https://github.com/chokepoint/Beleth
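A defender-side counterpart to the tool above, added here as an example and not part of Beleth or of the original post: it scans OpenSSH auth-log lines for the pattern a threaded dictionary attack leaves behind (many password failures from one source inside a short window, then an accepted login from the same source) and raises alerts. The log lines are constructed samples and the threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines in OpenSSH/syslog format (not real data):
# a burst of password failures from one source followed by a success, then an
# unrelated user with a single failure and a later key-based login.
SAMPLE_AUTH_LOG = """\
Aug 26 10:00:01 eclipse sshd[1201]: Failed password for root from 203.0.113.5 port 51201 ssh2
Aug 26 10:00:01 eclipse sshd[1202]: Failed password for root from 203.0.113.5 port 51202 ssh2
Aug 26 10:00:02 eclipse sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51203 ssh2
Aug 26 10:00:02 eclipse sshd[1204]: Failed password for root from 203.0.113.5 port 51204 ssh2
Aug 26 10:00:03 eclipse sshd[1205]: Failed password for root from 203.0.113.5 port 51205 ssh2
Aug 26 10:00:04 eclipse sshd[1206]: Accepted password for root from 203.0.113.5 port 51206 ssh2
Aug 26 10:05:00 eclipse sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Aug 26 10:20:00 eclipse sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches "Failed password for root from ...", "Failed password for invalid user X from ..."
# and "Accepted <method> for X from ..." lines; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2015):
    """Parse one sshd line into a dict, or return None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2015 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window detector. Returns a list of (ip, kind, user, timestamp) alerts:
    'burst'               - at least `threshold` failures from one IP within `window_s` seconds
    'success_after_burst' - an accepted login from an IP still inside such a burst, which is
                            the event that matters most (one of the guesses worked)."""
    recent = defaultdict(deque)  # source IP -> timestamps of failures still inside the window
    already_bursting = set()     # IPs already alerted on, so extra failures do not re-alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures older than the window
        if len(q) < threshold:
            already_bursting.discard(ev["ip"])  # quiet again: a later burst gets a fresh alert
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in already_bursting:
                already_bursting.add(ev["ip"])
                alerts.append((ev["ip"], "burst", ev["user"], ev["ts"]))
        elif len(q) >= threshold:
            alerts.append((ev["ip"], "success_after_burst", ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for ip, kind, user, ts in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{ts} {kind:20s} source={ip} user={user}")
```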
  10. Hacking an aircraft: is it already real?
August 26, 2015, Ilja Shatilin
In-flight security made quite a lot of headlines earlier this summer, but this time at an unusual angle. Aviation has always been focused on safety and had remained the most secure industry that ever existed. However, the buzz was about another aspect of security — the one quite surprising for an average passenger and quite expected for an IT specialist. It’s not a secret that today’s aircraft are one huge computer, with the pilot being more of a PC operator than an actual ‘ace’ pilot — he handles a single task of supervising smart machinery. An orientation pilot and a panel operator are no more, fully replaced by computers. As it turned out, those computers are as hackable as the rest. The potential impact of a hacker attack on a plane is devastating: just think of a terrorist who would no longer have to hold passengers hostage, or break into the cockpit. The only thing the culprit would need to wreak havoc is a laptop.
The wave of panic emerged in spring with the report on on-board Wi-Fi security published by the US Government Accountability Office. The relevance between aviation, cybersecurity and GAO remains unclear, yet some media outlets managed to invent a lot of dreadful stories for the common folk: according to a number of publications, terrorists would now be able to hijack planes while sitting with a tablet in the backyard and make target aircraft land in the same yard.
"The @USGAO has 168 #security recommendations to improve FAA network security. http://t.co/IwyzS55anS" — Threatpost (@threatpost), March 3, 2015
Obviously no one bothered to read the full report: aerophobic people craved another reason to believe airplanes were the most dangerous means of transportation.
At the same time, the report is a terrific bore: it contains pages and pages of claims that since the Internet is accessible on board through Wi-Fi and satellite, it’s time the industry thought of securing this channel. An unencrypted 802.11 network is insecure per se, and in this very application it serves as a local network, like the one you have at home or in the office, so someone could log in and hack other devices connected to this on-board network. The possibility of getting access to flight management systems through on-board Wi-Fi is referenced as theoretically plausible, since no one even managed to do that.
However, then an extravagant and, obviously, hungry-for-fame aviation security researcher popped up out of nowhere. Chris Roberts boarded a United flight and tweeted:
"Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ?" — Chris Roberts (@Sidragon1), April 15, 2015
As a result, upon landing at the destination airport he was approached by strangers who urged him to follow them, as it later turned out, into a dimly lit room with FBI agents. His laptop and tablet were confiscated for further investigation and he was held for questioning for hours. The airline, meanwhile, cancelled his return ticket. The tweet was a joke that was supposed to attract attention to Roberts: he had been dealing with in-flight systems security for a number of years, without particular attention from the industry players. Later during the investigation, Roberts admitted he had managed to gain control over the flight management system for a brief period of time and was even able to change the direction of the flight. Moreover, he revealed the details of the ‘hack’: he tampered with the in-flight entertainment system by connecting to its bus through a custom adapter.
Except for the hacker’s word, there is no proof he actually managed to hijack control over the flight management system. Drawing a different course on the maps broadcast on the passengers’ multimedia displays and really changing it are not the same thing. If the course had really been changed, it would not have gone unnoticed by pilots and dispatchers, which would provide reason enough for a very serious investigation.
Digital Security, a Russian security firm, studied 500 flights of 30 different airlines over five years and found out that there are security vulnerabilities on planes, and hackers have tried to exploit them in order to discover the potential of such hacks. Briefly summarized, there are certain entry points in the aircraft’s IT systems which are of interest to culprits:
- Flight Management System
- Router or another networking appliance which facilitates communication between systems, for instance SATCOM, a satellite communication server
- Multimedia server
- Terminal multimedia devices
An easy target would be a multimedia device, which is built into the seat in front of the passenger. Once it is attacked, a hacker is able to infiltrate its operating system and use it to compromise other systems. There are several ways to execute such an attack. One could leverage a vulnerable USB port to plug in a keyboard emulator and send commands into the system. Or, for instance, it’s possible to exploit a bug in the software responsible for multimedia playback from a thumb drive. Some aircraft, in addition to USB, have complementary RJ-45 ports, which enable a wider arsenal of hacking tricks on a connected laptop. A savvy hacker would be able to gain control over the entire in-flight multimedia system and even get hold of a multimedia server, which is challenging but feasible.
The main thing: some aircraft feature RJ-45 ports marked as “Private use only.” It’s possible that once connected through this port, a hacker would be able to access critical system elements. There is no evidence of such an attack offering access to flight management systems, though. At the same time, there were cases of malfunctioning due to software bugs. Recently, three of four engines of a cargo Airbus failed during takeoff because the calibration data was lost due to an incorrect software update, resulting in a crash.
"Airbus confirms software configuration error caused plane crash http://t.co/cw6IRPZUUW by @thepacketrat" — Ars Technica (@arstechnica), June 1, 2015
This happened because programmers did not think of an alert for these types of failures. They did not even think that those configuration files would go amiss: software updates are supposed to check whether configuration files are there. Due to this flaw, the sensor data was interpreted incorrectly; the main computer thought that the affected engines had failed and turned them off – software developers did not consider simultaneous failure of more than two engines: with only two functional engines the plane would have continued the flight and successfully performed an emergency landing. A bug was also discovered in Boeing planes: the Boeing 787 Dreamliner may suffer a complete electrical shutdown during flight: if all four power generators are started simultaneously and operate incessantly for 248 days, they’d shut down in an emergency mode, leaving the plane in a blackout.
"US aviation authority: Boeing 787 software bug could cause 'loss of control' http://t.co/fFUqjlR3DX" — The Guardian (@guardian), May 1, 2015
The reason for the failure is simple: stack overflow in the internal timer.
It’s understandable that such a coincidence is hardly plausible in real-life scenarios, but this case may serve as a reminder that an aircraft managed by a computer is susceptible to the same flaws as any other computer, including your desktop. So, don’t be surprised once you learn about Kaspersky Inflight Security’s availability on the market.
Source: https://blog.kaspersky.com/hacking-aircraft-is-it-real/9659/
  11. DEF CON 23 - Charlie Miller & Chris Valasek - Remote Exploitation of an Unaltered Passenger Vehicle
Although the hacking of automobiles is a topic often discussed, details regarding successful attacks, if ever made public, are non-comprehensive at best. The ambiguous nature of automotive security leads to narratives that are polar opposites: either we’re all going to die or our cars are perfectly safe. In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle. Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle’s hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle. By chaining these elements together, we will demonstrate the reality and limitations of remote car attacks.
Charlie Miller is a security engineer at Twitter, a hacker, and a gentleman. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four-time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated". Twitter: @0xcharlie
Christopher Valasek is the Director of Vehicle Security Research at IOActive, an industry leader in comprehensive computer security services. Valasek specializes in offensive research methodologies with a focus in reverse engineering and exploitation. Valasek is known for his extensive research in the automotive field and his exploitation and reverse engineering of Windows. Valasek is also the Chairman of SummerCon, the nation's oldest hacker conference. He holds a B.S. in Computer Science from the University of Pittsburgh. Twitter: @nudehaberdasher
  12. You have the code that does this here: https://github.com/NytroRST/NetRipper Read and understand.
  13. Has anyone applied to the Call for Papers/Presentations?
  14. No. You declare a pointer, an uninitialized pointer, and allocate space based on "strlen(uninitialized pointer)"?
@StoneIce:
char fname[35] = "Shawn Little";
NOT
char* fname[35] = "Shawn Little";

char namez[50];
namez = (char*) malloc(50*sizeof(char));
It is either char namez[50] OR char *namez = (char *)malloc(...) but NOT both. Come on, C is not that complicated. Just RTFM.
  15. Finally, a tutorial that people actually read. Or at least look at the pictures.
  16. Such security. Much wow. Pentest.
  17. Hacking DefCon 23’s IoT Village Samsung fridge
Posted on Tuesday, August 18th, 2015 by Pedro Venda.
As well as running the Hacking You Fat: The FitBit Aria workshop at DefCon 23’s IoT Village this year (more on that later) we also thought we’d take on their big fridge challenge: “Can you own our #IoT #Samsung - RF28HMELBSR fridge ::] @_defcon_”. As a team we’re doing more and more IoT research and hacking, so this was a great opportunity to work on something we can’t get our hands on in the UK yet. It was a full-on team effort over the course of a day, so I’ve gathered everyone’s notes here.
What’s the fridge?
In the summer of last year Samsung brought out their RF28HMELBSR smart fridge, the successor to the RF4289HARS from two years earlier. The fridge is part of Samsung’s line-up of Smart Home appliances which can be controlled via their Smart Home app.
Man in the middle attack
Whilst the fridge implements SSL, it FAILS to validate SSL certificates, thereby enabling man-in-the-middle attacks against most connections. This includes those made to Google's servers to download Gmail calendar information for the on-screen display. So, MITM the victim’s fridge from next door, or on the road outside, and you can potentially steal their Google credentials.
The notable exception to the rule above is when the terminal connects to the update server - we were able to isolate the URL https://www.samsungotn.net which is the same one used by TVs, etc. We generated a set of certificates with the exact same contents as those on the real website (fake server cert + fake CA signing cert) in the hope that the validation was weak, but it failed. The terminal must have a copy of the CA and is making sure that the server's cert is signed by that one. We can't hack this without access to the file system, where we could replace the CA it is validating against. Long story short, we couldn't intercept communications between the fridge terminal and the update server.
Google Calendar service
The fridge runs Google calendar, so you can set events and generally boss your family around from the fridge screen! It’s a usable feature and one that hasn’t gone without its own share of API update bugs. This should have been an excellent route to get content on to the fridge; attaching tags and more to calendar entries. However, as HTML and other mark-up is not interpreted, we couldn’t get a foothold there either.
Firmware attack
We also looked at the possibility of faking a firmware update to compromise the unit via a malicious custom update. We found the URL scheme to download the file, but we still need to find out a number of parameters to complete the URL. These are not secret things, just difficult to guess, like a code name for the model of the device, likely a serial number, etc.
TCP services and certificate challenges
The fridge's terminal has at least 2 listening services: one on port 4444 (SSL) and one on port 8888. The service on port 4444 requires a client side certificate for most requests, though not all are validated against the client side cert. We suspect this is used by the mobile app and therefore the cert must be located in the mobile app code.
The mobile app
We pulled apart the mobile app and found what we believe is the certificate inside a keystore. We “believe” we did because it has a name that suggests this. However, it is correctly passworded and we are yet to extract the password that opens the key store. We think we’ve found the password to the certificate in the client side code, but it’s obfuscated and we haven’t got round to reversing it, yet.
Conclusion
…and that's how far we got. We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time. However, we still found some interesting bugs that definitely merit further investigation. The MITM alone is enough to expose a user’s Gmail creds.
The fridge STILL isn’t shipping in the UK, nor can we find any other Samsung smart fridges on the market here.
Source: http://www.pentestpartners.com/blog/hacking-defcon-23s-iot-village-samsung-fridge/
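The two certificate-handling behaviours described in the post, as an added example that is not code from the write-up or from Samsung: a client TLS configuration that accepts any certificate (what the fridge's MITM-able connections amount to) next to one that requires a valid chain and a matching hostname, plus the pinned-CA variant that the update-server connection appears to use. The audit helper and the PEM parameter are my own additions; the post names no library or API.

```python
import socket
import ssl


def insecure_client_context():
    """The weak configuration: TLS is spoken, but the server certificate is neither
    checked against a CA nor matched against the hostname, so any attacker-issued
    certificate is accepted. (check_hostname must be turned off before verify_mode
    can be lowered to CERT_NONE; Python refuses the reverse order.)"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(pinned_ca_pem=None):
    """The corrected configuration: chain validation plus hostname matching.
    With pinned_ca_pem (a PEM string, assumed here to be the vendor's own CA) the
    system roots are ignored and only certificates chaining to that CA are accepted,
    which is the behaviour that blocked the update-server MITM in the write-up:
    a look-alike server cert signed by a look-alike CA fails this check."""
    if pinned_ca_pem is None:
        return ssl.create_default_context()  # CERT_REQUIRED + check_hostname, system roots
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=pinned_ca_pem)
    return ctx


def audit_context(ctx):
    """Return the validation weaknesses of a client SSLContext (empty list = fine).
    Useful as a unit-test guard so nobody re-introduces the fridge's mistake."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server hostname is not matched against the certificate")
    return findings


def fetch_peer_cert(host, port, ctx, timeout=5):
    """Open a TLS connection with the given context and return the peer certificate.
    With the insecure context getpeercert() returns {} because nothing was validated;
    with a hardened context an interposed certificate raises ssl.SSLCertVerificationError
    instead of silently succeeding. (Needs network access; not exercised offline.)"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "ok")
```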
  18. Native Java Bytecode Debugging without Source Code
12 Feb 2014, Jason Geffner
At CrowdStrike, we’ve seen a moderate increase in Java-based malware recently, with Remote Access Tools (RATs) like Adwind becoming increasingly prevalent. Reverse engineering Java is typically very straightforward, since excellent Java binary decompilers have existed for years. Tools like JD-GUI make Java analysis a breeze and do an excellent job at recovering Java binaries’ source code (minus the comments). In cases where we need to dynamically debug Java programs, decompiled Java can be exported from the decompiler and then imported into a Java IDE like Eclipse as part of a new Java project. This allows us to build a project using the decompiled code and then dynamically debug it through the IDE. However, this all goes out the window when dealing with Java bytecode-based obfuscation, as most Java IDEs won’t compile raw JVM instructions, nor allow you to step through these instructions without the original source code.
(Screenshots: Decompiled Non-Obfuscated Java; Decompiled Obfuscated Java)
The best solution we’ve found for debugging malware’s native Java bytecode is Dr. Garbage’s Bytecode Visualizer. We haven’t seen any thorough walkthroughs on installing and using Bytecode Visualizer, so this blog entry serves as a step-by-step guide on how to dynamically analyze native Java bytecode with Bytecode Visualizer:
1. Install the Java SE JDK
The Java Standard Edition Development Kit can be downloaded from Oracle’s website at http://www.oracle.com/technetwork/java/javase/downloads/index.html. JDK 7 is currently the latest version and can be downloaded directly from http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html. During the JDK installation, be sure to have the JDK installer install the Public JRE as well if it isn’t already installed:
(Screenshot: Installation Options)
2. Install Eclipse
The Eclipse IDE for Java Developers can be downloaded from https://www.eclipse.org/downloads/packages/eclipse-ide-java-developers/keplersr1 (the download links are on the right side of the page).
3. Install Bytecode Visualizer
Run Eclipse and in the menu bar go to Help → Eclipse Marketplace… In the Search tab of the Eclipse Marketplace window, type “Dr. Garbage” into the Find textbox and press the Go button:
(Screenshot: Eclipse Marketplace)
Scroll to Bytecode Visualizer and press the Install button. Once installation is completed, restart Eclipse when prompted.
4. Load the JAR to be Analyzed
Once Eclipse restarts, close the Welcome tab, and in the menu bar go to File → New → Java Project. Specify any project name you like and press the Next button:
(Screenshot: Create a Java Project)
In the Java Settings window, click the Libraries tab. In the Libraries tab, press the Add External JARs button and select the JAR file you want to debug, thereby adding it to the Java project’s build path:
(Screenshot: Java Settings)
Once the JAR has been added to the build path, press the Finish button.
5. Open the JAR’s Code with Bytecode Visualizer
In the Package Explorer tab, expand your project’s Referenced Libraries to find your JAR file. Right-click on the class you want to debug and select Open with Bytecode Visualizer:
(Screenshot: Open with Bytecode Visualizer)
6. Set Breakpoints
With the JAR’s code now visible in Bytecode Visualizer, you can set breakpoints by double-clicking on the vertical gray bar to the left of the disassembled Java code:
(Screenshot: Setting a Breakpoint)
Note that Bytecode Visualizer only allows you to set breakpoints on method entrypoints (the first instruction of a method); you can’t set breakpoints on arbitrary instructions.
7. Debugging the Disassembled Code
You can now run the disassembled code by right-clicking on the class you want to debug and choosing Debug As → Java Application:
(Screenshot: Debug as Java Application)
In the Debug perspective view, there are buttons to Step Into Bytecode and Step Over Bytecode (circled in red in the screenshot). Use the Step Over Bytecode button to perform standard single-stepping; use the Step Into Bytecode button only to step into calls. The Debug perspective also allows you to see local variables in the Variables tab, and to add your own watches in the Expressions tab (you can add this tab via Window → Show View → Expressions in the menu bar); in the screenshot I added a watch/expression for variable b:
(Screenshot: Debug Perspective)
As far as we’ve seen, Bytecode Visualizer does not offer a view of the raw JVM stack, but even without it, tracing the code flow via single-stepping and examining memory with the Variables and Expressions tabs should typically allow you to successfully debug your target as needed.
For more information on Java-based malware or the adversaries using it, including detection logic or any of the adversaries tracked by CrowdStrike, please contact: intelligence@crowdstrike.com and inquire about our Intelligence subscription.
Source: http://blog.crowdstrike.com/native-java-bytecode-debugging-without-source-code/
  19. By SexyCyborg · 37 images
I’ve been watching the TV show "Mr. Robot" and while I know not all of it is accurate, some of it is, and it got me curious. I’m already pretty comfortable with the command line and remote server administration from my web development work, and it turns out a lot of ‘hacking’ tools are just testing tools any sensible IT professional would use- just without a GUI. So I spent this month hitting the books (well, web pages), watching lots of videos and learning a bit about information security and penetration testing (I wonder how many idiot jokes that phrase is going to cause…). I still don’t know much, but I know a tiny bit more than I did. Enough to ask people who know more than me the right questions- and enough for a fun project.
So I got to thinking- if I had to do penetration testing on a corporate facility, how would I do it? Social engineering for one- I’m a natural honeypot. I think there's a reasonable chance that a guy might invite me back to their office after a few drinks in the neighborhood? But a handbag would be suspicious and leaving cell phones at the gate would be standard practice in any reasonably secure facility. My typical clothing does not leave room to hide anything- but that’s all the more reason they would not be suspicious of me.
So I devised the Wu Ying Shoes (无影鞋)! - Penetration Testing Platform Heels! "Wu Ying" means “shadowless"; the name is from the folk hero Wong Fei Hung’s (黄飞鸿) famous "shadowless kick" (无影脚). Wong Fei Hung is from Foshan, which is my ancestral home as well as the ancestral home of Bruce Lee. As legend has it, to execute the "shadowless kick" Wong would distract his opponent with a punch or upper body move while striking with his foot. With my shadowless shoes I distract the target with my…upper body and they don’t see the real danger on my feet:-) Also I get tired of English names for everything. If we are ever going to stop copying Western things we should stop copying Western names as well, right? So "Wu Ying Shoes".
Each shoe has a drawer that can be slid out without my having to take the shoes off. This drawer can be customized for various payloads. (Just FYI- of course I asked the staff for spray and a cloth to wipe off the table carefully after I took these pictures).
For the purposes of this first test version, my right shoe contains a pen testing drop box. This is a wireless router running OpenWRT with a built-in rechargeable battery that could either be left running inside the shoe (for war-walking, wifi sniffing and logging etc) or could be removed and plugged into a convenient open network jack as soon as I was inside and had direct access to the LAN. Once this is done you can gain remote access anytime you want via SSH tunnel. Installing OpenWRT on the TL-MR10U is just like upgrading the firmware on any router. It’s two links and a button- nothing to it. There’s a lot of different software you can run once you have OpenWRT flashed. This router may-or-may-not be running a custom version of Wispi for the TP-Link TL-MR10U, because if it was it would probably be illegal in China, so maybe it's not. But if it was I could run Jasager/Karma, which lets you fake being a friendly/known wifi access point and set up a fake login page to capture passwords, among other cool tricks. Wispi also has a few other handy utilities that you should never use in the real world but are pretty cool to try at home once or twice just so you know how.
In my left shoe there is a USB keystroke recorder. This is a pass-through device that goes into the back of the computer where you normally plug the keyboard in and records everything typed on the keyboard (so all passwords) in its built-in memory. A retractable ethernet cable for the OpenWRT router. A shim for opening padlocks. …and a basic lock pick set for gaining access to network cabinets, file drawers etc. I learned how to use the picks at a Locksport meet-up. I can only do simple locks but still loads of fun! Like little metal puzzles...
Here’s the model I made for 3D printing. I’m sticking with TinkerCAD just to annoy all the CAD snobs who keep commenting on it ;-P I had to print it at 0.3mm so the layers are a little coarse. It was taking forever at 0.2mm (what I did my LED skirt control box at). Still looks decent. That’s PLA plastic. Infill is 20% and it supports my weight without any issues. Each shoe weighs about the same as a normal, non-printed shoe. Obligatory denim overalls work-clothes shot for the boys. You know the world is a strange place when fan-service is overalls and the slutty mini-dress is “meh". Removing the support structure. This kind of 3D printer can’t really do an overhang over 45% or so since each layer has to rest on the one below. Sacrificial columns are printed to support the overhang for printing and then peeled away afterwards. Source files are here if you'd like to make your own: http://www.thingiverse.com/thing:980191
LibraryBox can be a good way to share movies and ebooks with friends if you are traveling or don’t have wifi. I could see Piratebox being useful in times of disaster for sharing information when the wireless networks are down. It’s kind of like a mini-NAS. Wispi and Pentest drop boxes should of course only be experimented with at home for educational purposes. While it’s good to know about this stuff, always obey your local laws. People think all sorts of crazy stuff about China and I don’t want to talk politics- but my city Shenzhen is a really, really cool place to live (think Bladerunner) so there’s really no reason to do dumb stuff.
As always- thanks to my friends for helping to clean up my English above. I had a ton of technical help but I follow a strict “don’t do it for me, show me how” rule so learned a tremendous amount. As I’ve also mentioned before, I’m not much more technical than my female friends but I am patient, good at following tutorials and asking questions. If you can follow a recipe I assure you that you could do this sort of thing also. Any women with questions about teaching themselves online should feel free to contact me on Reddit and I’d be delighted to offer any help I can. Remember ladies- if you are thinking about becoming a Maker, learning to code or doing hardware; if a girl who looks like me can do it, how hard can it really be?
Edit: Normally I have to sort through about 50% identical replies to my posts on Reddit. For those flexing their fingers and getting ready to give me a hard time: Yes, they are fake. Yes, I feature them prominently and deliberately in everything I do. No, most of my projects do not have all that much technical merit- they are 90% silicone and 10% silicon ;-) No, if you point out the absolutely obvious no one will think you are insightful, edgy or cool. They will think you are 12.
Source: http://imgur.com/a/c4WNF#PEc4q1x
  20. MySQL Error Based SQL Injection Using EXP
Table of Contents: Overview; Injection; Extracting Data; Dump In One Shot; Reading Files; Injection in Insert; Injection in Update; Injection in Delete; Conclusion; References
Download: https://www.exploit-db.com/docs/37953.pdf
  21. The PenTesters Framework (PTF)
A TrustedSec Project - Copyright 2015
Written by: David Kennedy @hackinGDave
The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustomed to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important. PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you. The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minutes.
Source: https://github.com/trustedsec/ptf
  22. Proxy Chaining

We live in a world where privacy has an important role in our day-to-day life. The activities we perform using the Internet can tell a lot about a person’s social and professional life. In the wrong hands, this information could result in various problems. Data collected could be used to hack bank accounts, social media accounts etc. Due to this reason, people choose to be anonymous while using the internet, using a proxy.

A proxy could be explained as a gateway between the user computer and the destination webpage. Normally while browsing through the website, your original IP is identified by the website, which could compromise your privacy. By the use of proxy chaining we bounce through a number of proxy servers and reach the destination.

While using a proxy server you are not directly connected to the website. The proxy connects to the website and creates a cached version of the site and sends it to you, like a photocopy. If a proxy visits a website, then the page is cached in the proxy server. The next time someone visits the page, the proxy server loads from the cached page. This speeds up the process to an extent. If you check the IP that’s connected to the internet, it will be the ISP IP. But when using a proxy server and chaining, the IP displayed will be the last used proxy server’s IP in the chain.

User ———-> Proxy ———–> Webpage

Proxy Chaining is connecting two or more proxy servers to obtain the intended page. We can use as many proxies as we want. Let’s see an example as shown below:

User ———–> Proxy1 ———–> Proxy2 ———–> Proxy3 ———–> Proxy4 ———–> Webpage

The user connects to proxy1 and from there to the next proxies as specified by the user until it finally reaches the destination. When the destination end searches for the IP, the Proxy4 IP is displayed as the user’s IP. While using proxy chaining we have to make sure that all the proxy servers included in the chain are working properly. If any proxy IP fails to work, this means the connection can’t be established. Then we have to replace the damaged proxy with a new one or exclude the damaged IP and connect the rest, forming a new chain. Sometimes it can be a bit difficult to figure out which proxy has malfunctioned, if you are using too many proxies.

Proxy chaining is also used while carrying out an attack. It is a must if you are attempting to gain unauthorized access to any server. Even if you use proxy chaining you can’t be 100% anonymous. You could be traced on the basis of each proxy used to establish a connection. It just makes it a lot harder to track. If you use foreign proxies, then it will be more complicated to find someone. Tracking could be done only by collecting the logs of each proxy used from the administrator. This could take a lot of time if we use a foreign proxy. As time passes, it becomes more difficult to track a person. Administrators delete the logs after a certain period of time. Once the log is gone, it’s just impossible to track the IP back. So while hacking, it’s advised to use at least 5 foreign proxies in a chain.

One of the main factors that needs to be taken into consideration when using proxy chaining is the connection speed. Each server might have a different connection speed and lag according to its configuration. So during chaining there may be a chance of a slow net speed due to lag in each server. The total lag while connecting to a page could be said to be the sum of the individual lags at each server. This gets worse if we are using more proxies in the chain.

Browser Chaining

Browser chaining is an easy process. We make use of the browser for chaining proxies. This will work only for the requests made through the browser. Let’s see how this can be done using the Internet Explorer browser. First, open the browser and go to “Internet options” in the settings menu. A window will appear with a few tabs at the top as shown in the figure below:

Figure 1: Internet Option window in Internet Explorer.

Now, click on the Connections tab from the available tabs and select the “LAN settings” button. A small window will pop up after clicking on the LAN settings button as shown below:

Figure 2: LAN Settings window to specify Proxy server details.

Check the “Use a proxy server” box in the window to type in the proxy server details in the field. If you just need to use a single proxy, then type in the IP and port number and click OK. To use proxy chaining, click on the Advanced button and type in the proxy IP followed by the port number in the box provided. Leave a space between each proxy IP. Now all the connections made from the browser are through the specified proxy servers.

There are various software that help us to carry out proxy chaining. Let’s discuss one such piece of software called “Proxifier.”

Proxifier

It’s a simple piece of software that helps us to connect to various proxy servers across the world. All we have to do is type in the proxy IP, port number, and the socket type. While making use of proxy chaining there are some points you should remember:

A proxy chain can contain various types of proxy servers like SOCKS v4, SOCKS v5, HTTPS etc.
If using an HTTP proxy, it should be placed last in the chain.
The entire chain will not work if one proxy goes down.
The total lag will be the sum of all individual lags in the chain.

Figure 3: Proxifier window

This software has a variety of functions. The connections space as shown above in Figure 3 will display all the connections established from the particular system. The total time, data exchanged etc. can be easily sorted out using this software. We can save the log according to our need. The connections made could be encrypted as per the user’s requirement, and various other options are available in this software. Click on the first icon in the panel called Proxy server configuration. A window will open up with a blank space to type in the proxy server details. You can create a number of chains and select them accordingly using this window. The window is as shown below:

Figure 4: Filling in proxy server details

The order of the chain will be as specified in the list as shown in the figure above. We can drag and change the order according to our need. There will be a check box to enable and disable each proxy in the chain. There is also a proxy checker tool integrated into this software, which is a very helpful one. Under “View” in the toolbar click on proxy checker to start checking the proxies. Some of the proxy servers available are disabled by the administrators due to various reasons. So checking the servers before connecting to the internet is a good idea. This tool could be used to check the status of the server. All we have to do is to specify the server address and the socket type with IP and click the check button. If it’s a working proxy a message will be shown after the test that it’s ready to use with Proxifier.

TOR

Tor is a browser that helps us to browse anonymously making use of the various proxy servers available. In here we cannot specify proxy servers. But the browser itself skips through a few servers which are provided by the TOR network. It helps us to reach blocked destinations or view censored contents by the help of the available channels. I would not recommend TOR for extreme hacking purposes, but normal browsing could be done easily. All we have to do is to install the browser and type in the required page address. TOR’s hidden services help us to publish websites and other services without revealing the original location.

Tor is mainly used against a common form of internet surveillance called “traffic analysis”. This is used to keep an eye on the activities of a public network. TOR cannot completely hide you from attackers. It protects the packets sent from your end by encrypting them and also by passing through various channels to make it hard for others to track. However, with sophisticated tools and efforts they could find information about your identity. As the number of users in TOR increases, the number of sources and destinations in the network increases accordingly, increasing the security for everyone in the network. Some NGOs recommend users to browse from TOR to hide their identity from the outer world. A branch of the U.S. Navy uses TOR for open source intelligence. They use TOR for visiting websites without leaving government IPs in their website logs.

The path selected by the browser changes from time to time. There may be various nodes in between the connection. All these connections will be encrypted in the Tor network and the connection from the last node to the destination will be open. So when the website checks its log, only the last node path will be visible, keeping the user’s privacy.

Figure 5: TOR Browser

ProxyHam

ProxyHam brings a whole new level for being anonymous. It’s a proxy device made by Ben Caudill which adds a radio connection to the user’s layer, giving absolute protection. This device connects to Wi-Fi and relays a user’s internet connection over a 900 MHz radio connection to a faraway computer. ProxyHam has a range of about 2.5 miles (4 km approx). Even if the investigator fully traces the connection, they will only find the ProxyHam placed 4 km away from your original location. The device mainly consists of two parts. The first one consists of a Raspberry Pi computer connected to a Wi-Fi card and a small 900 MHz antenna which is to be kept at a far away location from yours. The other end consists of a 900 MHz antenna plugged into the user’s Ethernet port.

Figure 6: ProxyHam

Proxy Website Service

There are various proxy websites that offer proxy services. Some of them may have a chain of servers behind and some of them just one or two. These websites are mainly used to access blocked websites or pages. Some of the YouTube videos are blocked in certain countries. These websites help us to view such blocked contents easily. The following is a list of such websites that offer this kind of service:

https://www.filterbypass.me/
https://www.proxysite.com/
https://hide.me/en/proxy
https://kproxy.com/
https://zend2.com/
http://www.proxywebsite.org/
http://000freeproxy.com/
https://www.hidemyass.com/proxy

There are some integrated browser add-ons like anonymox that provide proxy services. They have a small window, which allows us to select from available servers so that we could connect to the destination. We cannot completely trust such an add-on. They might give a shield from normal scanning, but on a thorough analysis the user IP could be easily determined. And also the number of available proxies is limited in such cases. So, this type could only be used for normal browsing purposes. The anonymox window is as shown below:

Figure 7: Anonymox window.

Conclusion

Proxy chaining is a simple but effective method to stay anonymous over the internet. Not only hackers but normal users can also make use of such services to protect their privacy over the internet. Black hat hackers make use of several tools and software to switch between the proxy servers all over the world, which makes them very hard to track. By the use of a normal browser and add-ons you won’t get much security, but to an extent these could be used for day to day browsing purposes. We might also consider the internet speed while using such intermediate servers. If it’s a popular website which the server has already cached, then the response time will be remarkable. These websites are loaded from the cache database. When accessing a new webpage it takes a bit to load due to the lag in the intermediate servers. Now that we know how proxy chaining works, we can carry out our activities with relative anonymity. I used “relative” because there is no way to remain completely anonymous with the NSA spying across the globe. All we can do is to make detection a bit harder using proxy chaining.

Reference

http://www.claro.com.ec/Docs/hlzproxp.html
http://www.hackershandbook.org/tutorials/proxychaining
https://technet.microsoft.com/en-us/library/cc995172.aspx
http://www.freeproxy.ru/en/free_proxy/faq/what_is_proxy_chaining.htm
http://www.techgyd.com/free-proxy-sites-list-2014/12890/
http://www.publicproxyservers.com/proxy/list1.html
https://www.torproject.org/about/overview
http://www.backtrack-linux.org/forums/showthread.php?t=1496
https://www.owasp.org/index.php/Chaining_WebScarab_onto_another_proxy

Author
Steve Lynch

Source: http://resources.infosecinstitute.com/proxy-chaining/
  23. SQL Injection Optimization and Obfuscation Techniques

By Roberto Salgado

Introduction

SQL Injections are without question one of the most dangerous web vulnerabilities around. With all of our information stored in databases, almost every detail about our lives is at the mercy of a simple HTTP request. As a solution, many companies implement Web Application Firewalls and Intrusion Detection/Prevention Systems to try to protect themselves. Unfortunately, these countermeasures are not sufficient and can easily be circumvented. This is all possible due to optimization and obfuscation techniques which have been perfected over the last 15 years since the discovery of this lethal vulnerability.

Even though firewalls cannot be relied on to prevent all attacks, some firewalls can be effective when used as a monitoring tool. It is not unheard of for an attacker to be detected and blocked during mid-attack, due to firewall triggers and an alert security team. Because of this, a SQL Injection that has been optimized and obfuscated has a much higher probability of being successful; it will extract the data faster and remain undetected for longer.

In this paper we will discuss and compare a variety of optimization methods which can be highly effective when exploiting Blind SQL Injections. We will also introduce SQL queries which can be used to dump the whole database with just one request, making it extremely easy to quickly retrieve data while going unnoticed. Furthermore, we will be reviewing several obfuscation techniques which can make a SQL Injection unrecognizable to firewalls. When combined, these techniques create a deadly attack which can be devastating.

Download: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-WP.pdf
  24. Mozilla Maintenance Service Log File Overwrite Elevation of Privilege

Source: https://code.google.com/p/google-security-research/issues/detail?id=427&can=1

Mozilla Maintenance Service: Log File Overwrite Elevation of Privilege

Platform: Windows
Version: Mozilla Firefox 38.0.5
Class: Elevation of Privilege

Summary:
The maintenance service creates a log file in a user writable location. It’s possible to change the log file to a hardlink to another file to cause file corruption or elevation of privilege.

Description:
When the maintenance service starts it creates a log file under c:\programdata\mozilla\logs. This is done in maintenanceservice.cpp/SvcMain. The directory it creates the file in has fairly permissive permissions which allow a normal user to create new files underneath that directory. It’s possible to race the creation of the log file during the service initialization to drop a hardlink to an existing file on the same drive (which is probably the system drive) which, when opened by the maintenance service running as local system, will cause the file to be overwritten by the log data.

At the very least this would corrupt the target file; however, as the user has some control over bits of the contents, such as the updater path, it’s possible to get some user controlled contents in there. This might be used to elevate privileges by overwriting a script file which has a permissive parser, such as powershell, batch or HTA, which subsequently gets executed by a privileged process.

The only slight difficulty in exploitation is that the user cannot directly delete the log file to replace it with a hardlink. However this isn’t a significant issue, as before opening the log file the service backs up the log to a new name, leaving the directory entry for “maintenanceservice.log” free. Therefore there’s a race condition between the log file being moved out of the way and the new log file being created. So to exploit this you perform the following operations:

1. Start a thread which creates a hard link in the log directory to the file you want to overwrite. Repeat until successful.
2. In another thread start the service, passing the arbitrary content you want to insert as the path to the updater file.

A similar vulnerability exists in the update.status handling, for example in WriteStatusFailure, which will write update.status to any location you specify. You can use a hardlink to force the file to be overwritten. In this case this would only cause file corruption as the user has no real control over the contents.

If I could recommend fixes: either make the logs directory writable only by administrators or use CopyFile instead of MoveFile when backing up the previous logs. I would not recommend trying to do anything like inspecting the file for hardlinks or similar.

Proof of Concept:
I’ve attached a proof of concept; it’s written in C#. You’ll need to compile it with the C# csc compiler. NOTE: you might need to run this on a multi-core machine to stand a chance of winning the race.

1) Compile the PoC
2) Execute the PoC passing the name of a file you want to overwrite on the command line
3) Program should run and print Done if successful

Expected Result:
The log file is created as normal

Observed Result:
The target file has been overwritten with the contents of the log file

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37925.zip

Source: https://www.exploit-db.com/exploits/37925/
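A POSIX analogue of the log-file hardlink problem in the advisory above, added here as an example and not part of the advisory, of Mozilla's code or of the C# PoC: a service that opens its log with plain truncation writes straight through a hardlink left under the log name in the user-writable directory, while creating the log with O_CREAT|O_EXCL refuses any pre-existing directory entry and so loses the race safely. This creation-side hardening is an assumption of mine, complementary to the permission and CopyFile fixes the advisory proposes (the Windows counterpart would be CreateFile with CREATE_NEW); everything runs in a temporary directory, and the target file, its name and the log contents are constructed sample data.

```python
import os
import tempfile

LOG_NAME = "maintenanceservice.log"                    # name from the advisory
TARGET_CONTENT = b"original target contents\n"          # constructed sample
LOG_DATA = b"updater path: user-controlled value\n"     # constructed log line


def naive_open_log(log_path: str, data: bytes) -> None:
    """Vulnerable pattern: open-with-truncate writes through whatever
    directory entry already carries the log name, hardlink included."""
    with open(log_path, "wb") as fh:
        fh.write(data)


def safe_create_log(log_path: str, data: bytes) -> bool:
    """Hardened pattern: O_EXCL makes the open fail if any entry already
    exists, so the service only ever writes into a file it created itself
    (CreateFile with CREATE_NEW gives the same semantics on Windows).
    Returns True if the log was created, False if creation was refused."""
    try:
        fd = os.open(log_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def simulate(use_safe: bool, plant_link: bool = True):
    """Build a writable log directory, optionally leave a hardlink under the
    log name that points at a target file (the state the advisory's race
    produces), run the chosen writer and return (created, target_contents).
    created is None for the naive writer, which reports nothing."""
    with tempfile.TemporaryDirectory() as base:
        target = os.path.join(base, "target.ps1")   # stand-in for a privileged script
        logdir = os.path.join(base, "logs")
        os.mkdir(logdir)
        with open(target, "wb") as fh:
            fh.write(TARGET_CONTENT)
        log_path = os.path.join(logdir, LOG_NAME)
        if plant_link:
            os.link(target, log_path)               # second name, same inode
        created = None
        if use_safe:
            created = safe_create_log(log_path, LOG_DATA)
        else:
            naive_open_log(log_path, LOG_DATA)
        with open(target, "rb") as fh:
            return created, fh.read()


if __name__ == "__main__":
    print("naive writer, link present :", simulate(use_safe=False))
    print("O_EXCL writer, link present:", simulate(use_safe=True))
    print("O_EXCL writer, clean dir   :", simulate(use_safe=True, plant_link=False))
```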