Everything posted by Nytro

  1. Fun stuff

I found out how the NSA monitors everyone. http://www.southparkstudios.com/full-episodes/s17e01-let-go-let-gov So simple and so effective...
  2. Malware archives

Warning! Warning! Warning! Warning! Warning!

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection. If you do not know what you are doing here, it is recommended you leave right away. This page has no commercial purpose. Contact me via email for the passwords (specifying all or a single archive). If you see errors, typos, etc., please let me know.

Notes about the collection of binaries

Honeypot ISP: AS3269 Interbusiness (Telecom Italia)
Honeypot software: amun, dionaea
Total files: 7085
Period of time: Aug 2009 - Feb 2013
Type of files: ASCII, data, HTML, MS-DOS, PE32 (dll, gui, Mono/.Net)

Archive                        List            #    Download  Size
nothink-malware-archive-0.zip  list-md5-0.txt  445  link      50M
nothink-malware-archive-1.zip  list-md5-1.txt  411  link      50M
nothink-malware-archive-2.zip  list-md5-2.txt  456  link      60M
nothink-malware-archive-3.zip  list-md5-3.txt  440  link      58M
nothink-malware-archive-4.zip  list-md5-4.txt  421  link      62M
nothink-malware-archive-5.zip  list-md5-5.txt  456  link      57M
nothink-malware-archive-6.zip  list-md5-6.txt  485  link      69M
nothink-malware-archive-7.zip  list-md5-7.txt  441  link      59M
nothink-malware-archive-8.zip  list-md5-8.txt  449  link      63M
nothink-malware-archive-9.zip  list-md5-9.txt  466  link      63M
nothink-malware-archive-a.zip  list-md5-a.txt  437  link      56M
nothink-malware-archive-b.zip  list-md5-b.txt  427  link      64M
nothink-malware-archive-c.zip  list-md5-c.txt  448  link      59M
nothink-malware-archive-d.zip  list-md5-d.txt  435  link      51M
nothink-malware-archive-e.zip  list-md5-e.txt  441  link      51M
nothink-malware-archive-f.zip  list-md5-f.txt  427  link      57M

Source: Nothink.org
  3. Browser Pivoting (Two-Factor Auth? Hah!)

Description: A Browser Pivot is a way to inherit a user's access to sites by relaying requests through their browser. This man-in-the-browser capability gives pen testers a way to go around 2FA and demonstrate risk, even in high security environments.

Browser Pivoting - Cobalt Strike

Source: Browser Pivoting (Two-Factor Auth? Hah!)
  4. Blackhat EU 2013 - Advanced Heap Manipulation In Windows 8

Description: With the introduction of Windows 8, previously publicly known heap/kernel pool overflow exploitation techniques are dead because of exploit mitigation improvements. There are indications that compromising application-specific data, which is facilitated by heap manipulation, is getting more popular for future exploitation. How can the heap state be predicted deterministically to the greatest possible degree? The traditional manipulation technique (for both the kernel pool and the user heap) is to consistently defragment the heap, which makes future allocations adjacent, and then make holes in these allocations to let the vulnerable buffer, which is of a similar size, fall into one of them. In the user heap a new LFH allocator was introduced; its randomized alloc/free and guard pages made this technique tough to get working. Beyond that, the traditional technique has some limitations, such as the size of the vulnerable buffer and the type of data structure that can be chosen as the attack target (especially in the kernel pool), which together mean it cannot be considered a generic solution any more.

This talk is aimed at providing an advanced method for precisely manipulating the heap layout (kernel pool and user heap) by standing on the giant's shoulders: "Heap Feng Shui". An arbitrarily sized vulnerable buffer can be covered with our more generic method, which paves the way toward further interesting discoveries for security researchers. A reliable demo will be explained at the end of this section. By setting up the heap in a controlled state, some specific vulnerability scenarios can be exploited easily and reliably. In the following practical sections, this talk will be divided into two parts:

1. Kernel pool: I will show how to plant a desired kernel object at a fixed known address, and then demo an exploit against write-what-where vulnerability scenarios. Furthermore, some attacks which need sufficient control of the kernel pool and precise size information (e.g. the "block size attack" presented by Tarjei in his BH USA 2012 talk) may utilize this research. I will also show how a carefully crafted kernel pool layout combined with application data corruption could lead to a reliable exploit in kernel pool overflow scenarios.

2. User heap: I will discuss the possibility of heap determinism in the Windows 8 user heap, and use a demo to prove that reliable heap exploitation is still achievable in some circumstances with proper heap layout crafting.

Presented By: Zhenhua 'Eric' Liu

For more information please visit: Black Hat | Europe 2013 - Briefings

Source: Blackhat EU 2013 - Advanced Heap Manipulation In Windows 8
  5. Ken Thompson's "cc hack"

Presented in the journal Communications of the ACM, Vol. 27, No. 8, August 1984, in a paper entitled "Reflections on Trusting Trust", Ken Thompson, co-author of UNIX, recounted a story of how he created a version of the C compiler that, when presented with the source code for the "login" program, would automatically compile in a backdoor to allow him entry to the system. This is only half the story, though. In order to hide this trojan horse, Ken also added to this version of "cc" the ability to recognize if it was recompiling itself, to make sure that the newly compiled C compiler contained both the "login" backdoor and the code to insert both trojans into a newly compiled C compiler. In this way, the source code for the C compiler would never show that these trojans existed.

Reflections on Trusting Trust
by Ken Thompson

Introduction

I thank the ACM for this award. I can't help but feel that I am receiving this honor for timing and serendipity as much as technical merit. UNIX swept into popularity with an industry-wide change from central main frames to autonomous minis. I suspect that Daniel Bobrow (1) would be here instead of me if he could not afford a PDP-10 and had to "settle" for a PDP-11. Moreover, the current state of UNIX is the result of the labors of a large number of people.

There is an old adage, "Dance with the one that brought you," which means that I should talk about UNIX. I have not worked on mainstream UNIX in many years, yet I continue to get undeserved credit for the work of others. Therefore, I am not going to talk about UNIX, but I want to thank everyone who has contributed.

That brings me to Dennis Ritchie. Our collaboration has been a thing of beauty. In the ten years that we have worked together, I can recall only one case of miscoordination of work. On that occasion, I discovered that we both had written the same 20-line assembly language program. I compared the sources and was astounded to find that they matched character-for-character. The result of our work together has been far greater than the work that we each contributed.

I am a programmer. On my 1040 form, that is what I put down as my occupation. As a programmer, I write programs. I would like to present to you the cutest program I ever wrote. I will do this in three stages and try to bring it together at the end.

Stage I

In college, before video games, we would amuse ourselves by posing programming exercises. One of the favorites was to write the shortest self-reproducing program. Since this is an exercise divorced from reality, the usual vehicle was FORTRAN. Actually, FORTRAN was the language of choice for the same reason that three-legged races are popular.

More precisely stated, the problem is to write a source program that, when compiled and executed, will produce as output an exact copy of its source. If you have never done this, I urge you to try it on your own. The discovery of how to do it is a revelation that far surpasses any benefit obtained by being told how to do it. The part about "shortest" was just an incentive to demonstrate skill and determine a winner.

FIGURE 1

Figure 1 shows a self-reproducing program in the C programming language. (The purist will note that the program is not precisely a self-reproducing program, but will produce a self-reproducing program.) This entry is much too large to win a prize, but it demonstrates the technique and has two important properties that I need to complete my story: (1) This program can be easily written by another program. (2) This program can contain an arbitrary amount of excess baggage that will be reproduced along with the main algorithm. In the example, even the comment is reproduced.

Stage II

The C compiler is written in C. What I am about to describe is one of many "chicken and egg" problems that arise when compilers are written in their own language. In this case, I will use a specific example from the C compiler.

C allows a string construct to specify an initialized character array. The individual characters in the string can be escaped to represent unprintable characters. For example, "Hello world\n" represents a string with the character "\n," representing the new line character.

FIGURE 2

Figure 2 is an idealization of the code in the C compiler that interprets the character escape sequence. This is an amazing piece of code. It "knows" in a completely portable way what character code is compiled for a new line in any character set. The act of knowing then allows it to recompile itself, thus perpetuating the knowledge.

FIGURE 3

Suppose we wish to alter the C compiler to include the sequence "\v" to represent the vertical tab character. The extension to Figure 2 is obvious and is presented in Figure 3. We then recompile the C compiler, but we get a diagnostic. Obviously, since the binary version of the compiler does not know about "\v," the source is not legal C. We must "train" the compiler. After it "knows" what "\v" means, then our new change will become legal C. We look up on an ASCII chart that a vertical tab is decimal 11. We alter our source to look like Figure 4. Now the old compiler accepts the new source. We install the resulting binary as the new official C compiler and now we can write the portable version the way we had it in Figure 3.

FIGURE 4

This is a deep concept. It is as close to a "learning" program as I have seen. You simply tell it once, then you can use this self-referencing definition.

Stage III

FIGURE 5

Again, in the C compiler, Figure 5 represents the high-level control of the C compiler where the routine "compile" is called to compile the next line of source. Figure 6 shows a simple modification to the compiler that will deliberately miscompile source whenever a particular pattern is matched. If this were not deliberate, it would be called a compiler "bug." Since it is deliberate, it should be called a "Trojan horse."

FIGURE 6

The actual bug I planted in the compiler would match code in the UNIX "login" command. The replacement code would miscompile the login command so that it would accept either the intended encrypted password or a particular known password. Thus if this code were installed in binary and the binary were used to compile the login command, I could log into that system as any user.

Such blatant code would not go undetected for long. Even the most casual perusal of the source of the C compiler would raise suspicions.

FIGURE 7

The final step is represented in Figure 7. This simply adds a second Trojan horse to the one that already exists. The second pattern is aimed at the C compiler. The replacement code is a Stage I self-reproducing program that inserts both Trojan horses into the compiler. This requires a learning phase as in the Stage II example. First we compile the modified source with the normal C compiler to produce a bugged binary. We install this binary as the official C. We can now remove the bugs from the source of the compiler and the new binary will reinsert the bugs whenever it is compiled. Of course, the login command will remain bugged with no trace in source anywhere.

Moral

The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.

After trying to convince you that I cannot be trusted, I wish to moralize. I would like to criticize the press in its handling of the "hackers," the 414 gang, the Dalton gang, etc. The acts performed by these kids are vandalism at best and probably trespass and theft at worst. It is only the inadequacy of the criminal code that saves the hackers from very serious prosecution. The companies that are vulnerable to this activity (and most large companies are very vulnerable) are pressing hard to update the criminal code. Unauthorized access to computer systems is already a serious crime in a few states and is currently being addressed in many more state legislatures as well as Congress.

There is an explosive situation brewing. On the one hand, the press, television, and movies make heroes of vandals by calling them whiz kids. On the other hand, the acts performed by these kids will soon be punishable by years in prison.

I have watched kids testifying before Congress. It is clear that they are completely unaware of the seriousness of their acts. There is obviously a cultural gap. The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house. It should not matter that the neighbor's door is unlocked. The press must learn that misguided use of a computer is no more amazing than drunk driving of an automobile.

Acknowledgment

I first read of the possibility of such a Trojan horse in an Air Force critique (4) of the security of an early implementation of Multics. I cannot find a more specific reference to this document. I would appreciate it if anyone who can supply this reference would let me know.

References

1. Bobrow, D.G., Burchfiel, J.D., Murphy, D.L., and Tomlinson, R.S. TENEX, a paged time-sharing system for the PDP-10. Commun. ACM 15, 3 (Mar. 1972), 135-143.
2. Kernighan, B.W., and Ritchie, D.M. The C Programming Language. Prentice-Hall, Englewood Cliffs, N.J., 1978.
3. Ritchie, D.M., and Thompson, K. The UNIX time-sharing system. Commun. ACM 17, 7 (July 1974), 365-375.
4. Unknown Air Force Document.

Source: Reflections on Trusting Trust
  6. SysAnalyzer

Author: David Zimmer (iDefense Labs)
Website: RE Corner
Current version: (not listed)
Last updated: March 21, 2011
Direct D/L link: http://sandsprite.com/CodeStuff/SysAnalyzer_Setup.exe

Update: This tool is no longer available for download through the iDefense website. An updated installer has been made available by the author.

SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system.

SysAnalyzer can automatically monitor and compare:

* Running Processes
* Open Ports
* Loaded Drivers
* Injected Libraries
* Key Registry Changes
* APIs called by a target process
* File Modifications
* HTTP, IRC, and DNS traffic

SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks:

* Create a memory dump of target process
* Parse memory dump for strings
* Parse strings output for exe, reg, and url references
* Scan memory dump for known exploit signatures

Full GPL source for SysAnalyzer is included in the installation package.

Download: http://sandsprite.com/CodeStuff/SysAnalyzer_Setup.exe

Source: Category:Registry Monitoring Tools - Collaborative RCE Tool Library
  7. Burp Suite

Author: PortSwigger
Website: http://www.portswigger.net/suite/
Current version: 1.1
Last updated: (not listed)
Direct D/L link: http://portswigger.net/suite/download.html

Burp Suite is an integrated platform for attacking web applications. It contains all of the Burp tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All tools share the same robust framework for handling HTTP requests, authentication, downstream proxies, logging, alerting and extensibility.

Burp Suite allows you to combine manual and automated techniques to enumerate, analyse, attack and exploit web applications. The various Burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.

Key features unique to Burp Suite include:

* Ability to "passively" spider an application in a non-intrusive manner, with all requests originating from the user's browser.
* One-click transfer of interesting requests between tools, e.g. from the Burp Proxy request history, or the Burp Spider results tree.
* Detailed analysis and rendering of requests and responses.
* Extensibility via the IBurpExtender interface, which allows third-party code to extend the functionality of Burp Suite. Data processed by one tool can be used in arbitrary ways to affect the behaviour and results of other tools.
* Centrally configured settings for downstream proxies, web and proxy authentication, and logging.
* Tools can run in a single tabbed window, or be detached in individual windows.
* All tool and suite configuration is optionally persistent across program loads.
* Runs in both Linux and Windows.

New features in version 1.1 include:

* Improved analysis of HTTP requests and responses wherever they appear, with browser-quality HTML and media rendering.
* Burp Sequencer, a new tool for analysing session token randomness.
* Burp Decoder, a new tool for performing manual and intelligent decoding and encoding of application data.
* Burp Comparer, a new utility for performing a visual diff of any two data items.
* Support for custom client and server SSL certificates.
* Ability to follow 3xx redirects in Burp Intruder and Repeater attacks.
* Improved interception and match-and-replace rules in Burp Proxy.
* A "lean mode", for users who prefer less functionality and a smaller resource footprint.

Burp Suite is a Java application, and runs on any platform for which a Java Runtime Environment is available. It requires version 1.5 or later. The JRE can be obtained for free from java.sun.com.

Download: http://www.portswigger.net/burp/downloadfree.html

Source: Download Burp Suite
  8. SDT Cleaner

Author: Nahuel C. Riva
Website: Corelabs site
Current version: 1.0
Last updated: (not listed)
Direct D/L link: Locally archived copy

SDT Cleaner is a tool that intends to clean the SSDT (system service descriptor table) from hooks.

* The SDT Cleaner allows you to clean hooks installed by Anti-Virus and Firewalls.
* This little tool (in this first release) tries to collect info from your current kernel and then switches to kernel land and, if there are any hooks in the SSDT, replaces them with the original entries.

Download: http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=SDT_Cleaner&file=SDTCleaner-v1.0.zip

Source: Category:Kernel Hook Detection Tools - Collaborative RCE Tool Library
  9. Kernel Detective

Author: GamingMaster -AT4RE
Website: http://www.at4re.com
Current version: 1.4.1
Last updated: December 10, 2010
Direct D/L link: Locally archived copy

Kernel Detective is a free tool that helps you detect, analyze, manually modify and fix some Windows NT kernel modifications. Kernel Detective gives you access to the kernel directly, so it's not oriented toward newbies. Changing essential kernel-mode objects without enough knowledge will lead you to only one result ... BSoD!

Supported NT versions: XP/Vista/Server 2008/SEVEN

Kernel Detective gives you the ability to:

1. Detect Hidden Processes.
2. Detect Hidden Threads.
3. Detect Hidden DLLs.
4. Detect Hidden Handles.
5. Detect Hidden Drivers.
6. Detect Hooked SSDT.
7. Detect Hooked Shadow SSDT.
8. Detect Hooked IDT.
9. Detect Kernel-mode code modifications and hooks.
10. Disassemble (Read/Write) Kernel-mode/User-mode memory.
11. Monitor debug output on your system.

Enumerate running processes and print important values like Process Id, Parent Process Id, ImageBase, EntryPoint, VirtualSize, PEB block address and EPROCESS block address. Special undocumented detection algorithms were implemented to detect hidden processes.

Detect hidden and suspicious threads in the system and allow the user to forcibly terminate them.

Enumerate a specific running process's Dynamic-Link Libraries and show every DLL's ImageBase, EntryPoint, Size and Path. You can also inject or free a specific module.

Enumerate a specific running process's open handles, show every handle's object name and address, and give you the ability to close the handle.

Enumerate loaded kernel-mode drivers and show every driver's ImageBase, EntryPoint, Size, Name and Path. Undocumented detection algorithms were implemented to detect hidden drivers.

Scan the system service table (SSDT) and show every service function address and the real function address; the detection algorithm was improved to bypass KeServiceDescriptorTable EAT/IAT hooks. You can restore a single service function address or restore the whole table.

Scan the shadow system service table (Shadow SSDT) and show every shadow service function address and the real function address. You can restore a single shadow service function address or restore the whole table.

Scan the interrupt table (IDT) and show every interrupt handler offset, selector, type, attributes and real handler offset. This is applied to every processor in a multi-processor machine.

Scan the important system kernel modules, detect the modifications in their bodies and analyze them. For now it can detect and restore inline code modifications, EAT and IAT hooks. I'm looking for more types of hooks for the next releases of Kernel Detective.

A nice disassembler relying on the OllyDbg disasm engine; thanks Oleh Yuschuk for publishing your nice disasm engine. With it you can disassemble, assemble and hex edit the virtual memory of a specific process or even the kernel space memory. Kernel Detective uses its own Read/Write routines from kernel-mode and doesn't rely on any Windows API. That makes Kernel Detective able to R/W process VM even if NtReadProcessMemory/NtWriteProcessMemory is hooked, and also bypasses the hooks on other important kernel-mode routines like KeStackAttachProcess and KeAttachProcess.

Show the messages sent by drivers to the kernel debugger just like Dbgview by Mark Russinovich. It does this by hooking interrupt 0x2d, which is responsible for outputting debug messages. Hooking interrupts may cause problems on some machines, so DebugView is turned off by default; to turn it on you must run Kernel Detective with the "-debugv" parameter.

Download: http://www.woodmann.com/collaborative/tools/images/Bin_Kernel_Detective_2010-12-10_17.28_Kernel_Detective_v1.4.1.rar

Source: Category:Kernel Hook Detection Tools - Collaborative RCE Tool Library
  10. Codetective Analysis Tool

Author: Francisco Gama Tabanez Ribeiro
Website: http://www.digitalloft.org
Current version: 0.7
Last updated: March 26, 2012
Direct D/L link: Locally archived copy

Sometimes we run into hashes and other codes and can't figure out where they came from and how they were built. If you work on pen-testing that might easily happen when you are testing systems from a black box perspective and you are able to grab a password file with hashed contents, maybe from an exposed backup file or by dumping memory. This may also be useful as part of a fingerprinting process.

You can use either a generic version or a plugin for the Volatility framework. The usage is similar.

Currently supports: shadow and SAM files, phpBB3, Wordpress, Joomla, CRC, LM, NTLM, MD4, MD5, Apr, SHA1, SHA256, base64, MySQL323, MYSQL4+, MSSQL2000, MSSQL2005, DES, RipeMD320, Whirlpool, SHA1, SHA224, SHA256, SHA384, SHA512, Blowfish, UUID

Download: http://www.woodmann.com/collaborative/tools/images/Bin_Codetective_Analysis_Tool_2012-4-13_15.31_codetective.zip

Source: Category:Crypto Tools - Collaborative RCE Tool Library
  11. Visual DuxDebugger

Visual DuxDebugger is a 64-bit debugger and disassembler for Windows, especially useful when source code is unavailable. The user interface is very intuitive, so it makes any task in reverse engineering very simple: you can edit code, registers, and memory. Visual DuxDebugger provides wide information about the process being debugged, showing all loaded modules with all exported functions, call stack, threads and much more. The main difference from other debuggers is that Visual DuxDebugger can debug child processes and multiple processes.

Software Reverse Engineering is commonly used:

* As a learning tool to understand undocumented APIs.
* As a way to make new compatible products.
* For making software interoperate more effectively.
* To bridge different operating systems or databases.
* To analyze possible spyware / malware.
* To uncover and exploit vulnerabilities.
* To audit software.
* To fix complex bugs.
* For litigation support.

Download: http://www.duxcore.com/index.php/prod/visual-duxdebugger/overview
  12. EDB Linux Debugger

Author: Evan Teran
Website: CodeF00 [ Projects ]
Current version: 0.9.17
Last updated: April 14, 2011
Direct D/L link: http://codef00.com/projects/debugger-0.9.17.tgz

Features

* Intuitive GUI interface
* The usual debugging operations (step-into/step-over/run/break)
* Conditional breakpoints
* Debugging core is implemented as a plugin so people can have drop-in replacements. Of course, if a given platform has several debugging APIs available, then you may have a plugin that implements any of them.
* Basic instruction analysis
* View/Dump memory regions
* Effective address inspection
* The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.
* Importing of symbol maps
* Plugins
  - Search for binary strings
  - Code Bookmarks
  - Breakpoint management
  - Check for updates
  - Environment variable viewer
  - Heap block enumeration
  - Opcode search engine plugin has basic functionality (similar to msfelfscan/msfpescan)
  - Open file enumeration
  - Reference finder
  - String searching (like the strings command in *nix)

One of the main goals of this debugger is isolation of the debugger core from the display you see. The interface is written in QT4 and thus source portable to many platforms. The debugger core is actually a plugin and the platform specific code is isolated to just a few files; porting to a new OS would require porting these few files and implementing a plugin which implements the "DebuggerCoreInterface" interface. Also, because the plugins are based on the QPlugin API, and do their work through the DebuggerCoreInterface object, they are almost always portable with just a simple recompile. So far, the only plugin I have written which would not port with just a recompile is the heap analysis plugin, due to its highly system specific nature.

Download: http://codef00.com/projects/debugger-0.9.17.tgz

Source: Category:Ring 3 Debuggers - Collaborative RCE Tool Library
  13. PEiD

Author: BoB
Website: BobSoft - [Main Page]
Current version: 0.95
Last updated: March 31, 2008
Direct D/L link: http://www.woodmann.com/BobSoft/Files/Other/PEiD-0.95-20081103.zip

PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

PEiD is special in some aspects when compared to other identifiers already out there!

1. It has a superb GUI and the interface is really intuitive and simple.
2. Detection rates are amongst the best given by any other identifier.
3. Special scanning modes for *advanced* detections of modified and unknown files.
4. Shell integration, Command line support, Always on top and Drag'n'Drop capabilities.
5. Multiple file and directory scanning with recursion.
6. Task viewer and controller.
7. Plugin Interface with plugins like Generic OEP Finder and Krypto ANALyzer.
8. Extra scanning techniques used for even better detections.
9. Heuristic Scanning options.
10. New PE details, Imports, Exports and TLS viewers.
11. New built in quick disassembler.
12. New built in hex viewer.
13. External signature interface which can be updated by the user.

Download: http://www.woodmann.com/BobSoft/Files/Other/PEiD-0.95-20081103.zip

Source: Category:Packer Identifiers - Collaborative RCE Tool Library
  14. RDG Packer Detector
Author: RDGMax
Website: RDGMax - RDGSoFT
Current version: 0.6.7
Last updated: June 26, 2011
Direct D/L link: http://rdgsoft.8k.com/images/v0.6.7%20Vx%20Edition/RDG%20Packer%20Detector%20v0.6.7%202011%20Vx-Edition.rar

RDG Packer Detector is a detector of packers, cryptors, compilers, scramblers, joiners and installers.
- Has a fast detection system.
- Has a powerful detection system that analyzes the complete file, allowing the detection of multi-packers in several cases.
- You can create your own detection signatures.
- Has a cryptographic analyzer.
- Allows you to calculate the checksum of a file.
- Allows you to calculate the entropy, reporting whether the program looks compressed, encrypted or not.
- OEP detector (Original Entry Point) of a program.
- You can always check for and download signatures; RDG Packer Detector will be updated.
- Plug-ins loader.
- Signatures converter.
- Detector of distorted entry points.
- De-binder, an extractor of attachments.
- Improved heuristic system.
What's New! v0.6.6
- New interface!
- Fast Mode and Powerful Mode detection improved!
- Super signature base updated!
- Heuristic detection of binders
- Detection and extraction of overlay!
- Check and auto-update of signatures!
- Super fast detection by MD5 hash!
- Support for multiple plug-ins, for both RDG Packer Detector and other detectors!
- Detection of multiple formats: MPG, GIF, RAR, ZIP, MP3 etc.
- Detection and removal of attachments!

Download: http://rdgsoft.8k.com/images/v0.6.7%20Vx%20Edition/RDG%20Packer%20Detector%20v0.6.7%202011%20Vx-Edition.rar
Source: Category:PE EXE Signature Tools - Collaborative RCE Tool Library
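The two techniques that the PEiD (item 13) and RDG Packer Detector (item 14) descriptions list, signature matching and entropy measurement, as an added example that is not code from either tool: a PEiD-style signature matcher with `??` wildcard bytes checked at the entry point, plus the Shannon-entropy heuristic used to flag compressed or encrypted sections. The signature patterns in `DEMO_SIGNATURES`, the 7.0 bits/byte threshold and the input buffers are constructed for illustration and are not real PEiD or RDG database entries.

```python
"""Added example, not code from PEiD or RDG Packer Detector: a PEiD-style
signature matcher with '??' wildcard bytes plus the Shannon-entropy heuristic
that packer detectors use to flag compressed or encrypted sections."""
import math
from collections import Counter

# Assumed threshold: sections scoring above ~7 bits/byte are usually packed
# or encrypted; plain x86 code and text typically score well below that.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for
    uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_signature(text: str) -> list:
    """Parse a PEiD-style text signature such as '60 E8 ?? ?? ?? ?? 5D' into
    a list of byte values, with None standing for a wildcard byte."""
    sig = []
    for token in text.split():
        if token == "??":
            sig.append(None)
        elif len(token) == 2:
            sig.append(int(token, 16))  # raises ValueError on non-hex input
        else:
            raise ValueError(f"bad signature token {token!r}")
    return sig


def matches_at(data: bytes, offset: int, sig: list) -> bool:
    """True if the signature matches at `offset`, honouring wildcards and
    refusing to read past the end of the buffer."""
    if offset < 0 or offset + len(sig) > len(data):
        return False
    return all(s is None or data[offset + i] == s for i, s in enumerate(sig))


# Constructed signature database: illustrative byte patterns, not real PEiD
# or RDG entries. A real database holds hundreds of entries like these.
DEMO_SIGNATURES = {
    "demo-packer-A": parse_signature("60 E8 ?? ?? ?? ?? 5D"),  # pushad; call; pop ebp
    "demo-packer-B": parse_signature("EB 10 5A 4A 33 C9"),
}


def identify(data: bytes, entry_point: int):
    """Return the name of the first signature matching at the entry point,
    or None when nothing matches (PEiD's default scan is entry-point based)."""
    for name, sig in DEMO_SIGNATURES.items():
        if matches_at(data, entry_point, sig):
            return name
    return None


def classify_section(data: bytes) -> str:
    """Entropy verdict for one section's raw bytes."""
    if shannon_entropy(data) >= ENTROPY_THRESHOLD:
        return "likely packed/encrypted"
    return "likely plain"


def analyze(data: bytes, entry_point: int) -> dict:
    """Combine both heuristics for a buffer, as a packer detector would."""
    return {
        "signature": identify(data, entry_point),
        "entropy": round(shannon_entropy(data), 3),
        "verdict": classify_section(data),
    }


if __name__ == "__main__":
    # Constructed inputs: a 'packed' buffer (stub followed by a high-entropy
    # payload) and a plain one (repeated ASCII text).
    stub = bytes.fromhex("60E8010203045D")
    packed = stub + bytes(range(256)) * 4
    plain = b"hello world " * 50
    print("packed:", analyze(packed, 0))
    print("plain: ", analyze(plain, 0))
```

Signatures alone miss modified or unknown packers, which is why both tools pair them with entropy and other heuristics; the entropy verdict in turn says nothing about which packer was used, so a triage script typically reports both results side by side as `analyze` does.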
  15. Java Decompiler
Author: Java Decompiler project
Website: http://java.decompiler.free.fr
Current version: 0.3.2
Last updated: March 20, 2010

The “Java Decompiler project” aims to develop tools in order to decompile and analyze Java 5 “byte code” and the later versions. JD-Core is a freeware library that reconstructs Java source code from one or more “.class” files. JD-Core may be used to recover lost source code and explore the source of Java runtime libraries. New features of Java 5, such as annotations, generics or type “enum”, are supported. JD-GUI and JD-Eclipse include the JD-Core library. JD-GUI is a standalone graphical utility that displays the Java source code of “.class” files. You can browse the reconstructed source code with JD-GUI for instant access to methods and fields. JD-Eclipse is a plug-in for the Eclipse platform. It allows you to display all the Java sources during your debugging process, even if you do not have them all. JD-Core, JD-GUI and JD-Eclipse are free for non-commercial use. This means that JD-Core, JD-GUI and JD-Eclipse shall not be included or embedded into commercial software products. Nevertheless, these projects may be freely used for personal needs in a commercial or non-commercial environment.

Download: http://java.decompiler.free.fr/
Source: Category:Java Decompilers - Collaborative RCE Tool Library
  16. Javassist
Author: Shigeru Chiba
Website: http://www.csg.is.titech.ac.jp/~chiba/javassist/
Current version: 3.12.0.GA
Last updated: April 16, 2010

Javassist (Java Programming Assistant) makes Java bytecode manipulation simple. It is a class library for editing bytecodes in Java; it enables Java programs to define a new class at runtime and to modify a class file when the JVM loads it. Unlike other similar bytecode editors, Javassist provides two levels of API: source level and bytecode level. If the users use the source-level API, they can edit a class file without knowledge of the specifications of the Java bytecode. The whole API is designed with only the vocabulary of the Java language. You can even specify inserted bytecode in the form of source text; Javassist compiles it on the fly. On the other hand, the bytecode-level API allows the users to directly edit a class file as other editors do.
Aspect Oriented Programming: Javassist can be a good tool for adding new methods into a class and for inserting before/after/around advice at both the caller and callee sides.
Reflection: One application of Javassist is runtime reflection; Javassist enables Java programs to use a metaobject that controls method calls on base-level objects. No specialized compiler or virtual machine is needed.

Download: www.csg.is.titech.ac.jp/~chiba/javassist/
Source: Category:Java Executable Editors & Patchers - Collaborative RCE Tool Library
  17. Malzilla
Author: Boban bobby Spasic
Website: Malzilla - malware hunting tool
Current version: 1.2.0
Last updated: November 2, 2008
Direct D/L link: Malzilla - Malware hunting tool

Malware hunting tool. Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of webpages and all the HTTP headers. It gives you various decoders to try and deobfuscate javascript as well.

Download: http://malzilla.sourceforge.net/downloads.html
Source: Category:Javascript Deobfuscators - Collaborative RCE Tool Library
  18. PE-bear – version 0.2.5 available!
Hi! Finally, I found some time for PE-bear… Thank you for all your comments and feature requests. I did not manage to implement them all for this release, but I noted them all, and I promise, none will be neglected. You can expect a new bundle of features on 7th October 2013. But first, take a look at what comes this time… Links to download are (as usual) here: PE-bear | hasherezade's 1001 nights

Changelog
Special thanks to Ange Albertini for testing and consultation!
Major Features:
[feat#1] Permanently visible Hex/Text view
[feat#2] Highlighting Hex/Text representation of any selected element
[feat#3] Update notification
[feat#4] Showing position of Entry Point on left PE structure tree
[feat#5] In Disasm – resolving strings pushed on the stack
[feat#5] Configurable disassembly bit mode
…and others

Screenshots:
[feat#1] Permanently visible Hex/Text view
[feat#2] Highlighting Hex/Text representation of any selected element
[feat#5] Configurable disassembly bit mode
Navigation changes

Download: http://hshrzd.wordpress.com/pe-bear/
Source: https://hshrzd.wordpress.com/2013/09/26/pe-bear-version-0-2-5-avaliable/
  19. Browser Pivoting (Get past two-factor auth)
September 26, 2013

Several months ago, I was asked if I had a way to get past two-factor authentication on web applications. Criminals do it, but penetration testers don't. To solve this problem, I built a man-in-the-browser capability for penetration testers and red teams. I call it browser pivoting.

A browser pivot is an HTTP proxy server that injects into a 32-bit Internet Explorer process. By browsing through this proxy server, I can reach any website my target logged into–as them. If the target logs into their web mail, I'm logged into their web mail. If they send sad stories to their ex-girlfriend on Facebook, I read them. If they use DropBox's website to store and manage files, I'll download the best ones. If they're connected to an intranet portal site, I'm there too.

How it Works

Internet Explorer's architecture makes Browser Pivoting possible. Internet Explorer is an application that consumes several libraries. WinINet is the library Internet Explorer uses to communicate. The WinINet API is popular with malware developers because it allows them to request content from a URL with very little code. WinINet is more than a high-level HTTP library built on top of Windows sockets. WinINet manages a lot of state for the applications that use it.

I became familiar with WinINet during Beacon's development. I tried to use the Cookie header to send information. I was baffled when this cookie kept coming back blank. I didn't know this at the time, but WinINet removed my cookie to insert the cookie from its store into my request. I had to set an INTERNET_FLAG_NO_COOKIES flag before I could programmatically send my cookie.

Cookies aren't the only thing WinINet forces into a request. WinINet will also retransmit "credential material" which includes a previously provided username/password or client SSL certificate. If WinINet is communicating with a site in the Intranet Zone (and the user's settings permit it), WinINet will automatically try to logon with the user's default credentials. The WinINet consumer must set the INTERNET_OPTION_SUPPRESS_SERVER_AUTH flag to disable this behavior.

WinINet is the layer that manages Internet Explorer's cache, history, cookies, HTTP authentication, and SSL session state. Inheriting this managed state isn't a bug–it's a feature.

A browser pivot is an HTTP proxy server that fulfills requests with WinINet. The process this proxy server lives in is important. If I inject this proxy server into notepad.exe, I don't get anything interesting. Magic happens when I inject [0] this proxy server into the Internet Explorer process [1]. I inherit Internet Explorer's WinINet state with each request. If a user's web session is secured with a stored cookie, session cookie, HTTP authentication, or client SSL certificate–I can use that session with a browser pivot [2]. Two-factor authentication is a non-issue at this point too. WinINet doesn't care about how this session state was obtained. It just uses it.

Notes

[0] Several people have asked about this mysterious process injection thing I refer to. The Browser Pivot proxy server is compiled as a Reflective DLL. I use the Metasploit Framework's post/windows/manage/reflective_dll_inject module to inject this DLL into a process I choose.

[1] There's one nuance to this: modern versions of Internet Explorer isolate each tab in a separate process. In this case, the parent Internet Explorer process does not have access to WinINet state. The processes associated with a tab share WinINet state with the other tab processes. If you inject into Internet Explorer 10, make sure you inject into a child tab's process.

[2] WinINet session state is good until the user closes the browser. If the user closes their browser–the proxy server goes away and the attacker must inject into another process. How to keep session state–even after the browser closes, is not part of this work.

How to Use It

Browser Pivoting is available in today's Cobalt Strike update. Go to [host] -> Meterpreter -> Explore -> Browser Pivot. Choose the process to inject into. Press Launch. Cobalt Strike will set up the browser pivot and start a port forward through Meterpreter for you. Set up your browser to go through the browser pivot and have at it.

Here's a demo of Browser Pivoting in action:

To keep this blog post sane, I had to skip a lot of details. If you find Browser Pivoting interesting, you can learn more about it at DerbyCon. I'm speaking on the technology at 2pm on Saturday. If you'd like to try Browser Pivoting today, grab a 21-day trial of Cobalt Strike. Licensed users may get the latest with the built-in update program.

Source: Browser Pivoting (Get past two-factor auth) | Strategic Cyber LLC
  20. 25 Million Flows Later - Large-scale Detection of DOM-based XSS
Sebastian Lekies, SAP AG, sebastian.lekies@sap.com
Ben Stock, FAU Erlangen-Nuremberg, ben.stock@cs.fau.de
Martin Johns, SAP AG, martin.johns@sap.com

Abstract
In recent years, the Web witnessed a move towards sophisticated client-side functionality. This shift caused a significant increase in complexity of deployed JavaScript code and thus, a proportional growth in potential client-side vulnerabilities, with DOM-based Cross-site Scripting being a high impact representative of such security issues. In this paper, we present a fully automated system to detect and validate DOM-based XSS vulnerabilities, consisting of a taint-aware JavaScript engine and corresponding DOM implementation as well as a context-sensitive exploit generation approach. Using these components, we conducted a large-scale analysis of the Alexa top 5000. In this study, we identified 6167 unique vulnerabilities distributed over 480 domains, showing that 9.6% of the examined sites carry at least one DOM-based XSS problem.

Download: http://ben-stock.de/wp-content/uploads/domxss.pdf
  21. Research detects dangerous malware hiding in peripherals
By Darren Pauli on Sep 26, 2013 6:30 AM

A Berlin researcher has demonstrated the capability to detect previously undetectable stealthy malware that resides in graphics and network cards.

Patrick Stewin's proof of concept demonstrated that a detector could be built to find the sophisticated malware that ran on dedicated devices and attacked direct memory access (DMA). The attacks launched by the malware dubbed DAGGER targeted host runtime memory using DMA provided to hardware devices. These attacks were not within scope of antimalware systems and therefore not detected.

DAGGER, also developed by Stewin and Iurii Bystrov of the FGSect Technical University of Berlin research group, attacked 32-bit and 64-bit Windows and Linux systems and could bypass memory address randomisation. After beginning life last year as a keylogger, DAGGER has recently been upgraded with new functionality and now includes the ability to update its attack behaviour during runtime via an out-of-band channel.

"DMA malware is stealthy to a point where the host cannot detect its presence," Stewin said.

In a paper Stewin will present next month, he said the DMA attacks were both dangerous and undetectable.

"DMA-based attacks launched from peripherals are capable of compromising the host without exploiting vulnerabilities present in the operating system running on the host. Therefore they present a highly critical threat to system security and integrity. Unfortunately, to date no OS (operating system) implements security mechanisms that can detect DMA-based attacks. Furthermore, attacks against memory management units have been demonstrated in the past and therefore cannot be considered trustworthy."

The German Government-funded research was closing in on its aim to develop a reliable detector for DMA malware. "At the moment we have a proof-of-concept that proves that a detector is possible," Stewin said in an email to SC. "It can find DAGGER."

The proof-of-concept was based on a runtime monitor dubbed BARM which modelled and compared expected memory bus activity to the resulting activity, meaning malware residing on peripherals would be detected. Stewin said the detector would not significantly drain compute resources.

Some detectors had been previously developed but they required that peripherals be modified or that a special debug feature exist. The researchers aimed to develop the proof of concept into a detector that did not require modification.

The pair would present the research paper "A Primitive for Revealing Stealthy Peripheral-based Attacks on the Computing Platform's Main Memory" at the 16th International Symposium on Research in Attacks, Intrusions and Defenses in October in Saint Lucia.

Source: http://www.scmagazine.com.au/News/358265,research-detects-dangerous-malware-hiding-in-peripherals.aspx
  22. Anyone else who believed the crap about being able to tap phones with it? Does it come with a flashlight? I'll give you 30 RON for it if it has a flashlight.
  23. Only on iPhone do you get the feature that lets the government block the camera if you are in certain conflict zones. Only on iPhone do you get the fingerprint feature that uploads your fingerprint to Apple's servers only at backup time. Only on iPhone do you get a production cost of 20%-30% while you pay the other 70%-80% for the sake of Apple. Only on iPhone do you get a Justin Bieber design that shatters into 200 pieces if you touch it a bit harder. Only on iPhone do you get worse specs than the S4: lower resolution, 2 cores instead of 4, 8 MP instead of 13 MP. I recommend iPhone. </irony>
  24. Understanding C Integer Boundaries
Authored by Saif El-Sherei
This is a brief whitepaper tutorial to help facilitate the understanding of C integer boundaries (overflows and underflows).
Download: http://packetstormsecurity.com/files/download/123371/understanding-c-integer-boundaries.pdf
Source: Understanding C Integer Boundaries - Packet Storm
  25. Return-to-libc Tutorial
Authored by Saif El-Sherei
This is a brief whitepaper tutorial discussing return-to-libc exploitation.
Download: http://packetstormsecurity.com/files/download/123370/Return-to-libc-tutorial.pdf
Source: Return-to-libc Tutorial - Packet Storm