Everything posted by Nytro

  1. PuTTY 0.62 Heap Overflow
     Authored by Gergely Eberhardt

     PuTTY versions 0.62 and below suffer from an SSH handshake heap overflow vulnerability.

     PuTTY SSH handshake heap overflow (CVE-2013-4852)

     Description:
     PuTTY versions 0.62 and earlier - as well as all software that integrates these versions of PuTTY - are vulnerable to an integer overflow leading to heap overflow during the SSH handshake before authentication, caused by improper bounds checking of the length parameter received from the SSH server. This allows remote attackers to cause denial of service, and may have more severe impact on the operation of software that uses PuTTY code.

     Affected software products:
     - PuTTY up to and including 0.62
     - WinSCP before 5.1.6
     - all other software that uses vulnerable (revision 9895 or earlier) PuTTY code

     Details:
     A malformed size value in the SSH handshake could cause an integer overflow, as the getstring() function in sshrsa.c and sshdss.c read the handshake message length without checking that it was not a negative number. Specifically, the bignum_from_bytes() function invoked by getstring() received a data buffer along with its length represented by a signed integer (nbytes) and performed the following arithmetical operation before allocating memory to store the buffer:

         w = (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES; /* bytes->words */
         result = newbn(w);

     If the value of nbytes was -1 (0xffffffff), the value of w would overflow to a very small positive number (depending on the value of BIGNUM_INT_BYTES), causing newbn() to reserve a very small memory area. Then a large number of bytes would be copied into the data buffer afterwards, resulting in a heap overflow. Similarly, if nbytes was chosen so that w would be -1, the newbn() function would allocate zero bytes in memory via snewn() and attempt to write the size of the Bignum (in four bytes) into the allocated zero-byte area, also resulting in a heap overflow.

     Consequences:
     In the standalone PuTTY client the attacker does not have precise control over the memory corruption, so this bug can only cause a local denial-of-service (crash). However, in other software that uses PuTTY code, such heap corruption could have more severe effects. Specifically in case of WinSCP, this vulnerability could potentially lead to code execution due to the exception handling employed by the program.

     Solution:
     This vulnerability has been fixed in the development version of PuTTY [2]. All developers using PuTTY code are recommended to use revision 9896 or later. The potential code execution vulnerability has been addressed in WinSCP 5.1.6 [3].

     Credits:
     This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)

     References:
     [1] http://www.search-lab.hu/advisories/secadv-20130722
     [2] http://svn.tartarus.org/sgt?view=revision&sortby=date&revision=9896
     [3] http://winscp.net/tracker/show_bug.cgi?id=1017

     Source: PuTTY 0.62 Heap Overflow ≈ Packet Storm
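The arithmetic quoted in the advisory, evaluated on the signed length it used, beside the kind of bounds check the fix calls for. This is an added example, not PuTTY's code and not part of the advisory: BIGNUM_INT_BYTES = 4 and the MAX_MP_BYTES cap are assumptions for the demo, and the two packets are constructed. The point it adds to the text is that a length read from the wire has to be validated as an unsigned quantity against the bytes actually present before it feeds any size computation or allocation.

```c
/* Added example, not PuTTY's code: the advisory's word-count arithmetic
 * evaluated on the signed length it used, beside a bounds-checked reader for
 * the SSH string that length comes from. BIGNUM_INT_BYTES = 4 and the
 * MAX_MP_BYTES cap are assumptions for this demo; packets are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BIGNUM_INT_BYTES 4      /* word size assumed for the demo */
#define MAX_MP_BYTES     8192   /* assumed sane upper bound for an SSH mpint */

/* The expression quoted in the advisory, with nbytes as a signed int.
 * Nothing here rejects a negative length, so w can come out as 0 or -1,
 * and newbn(w) would then size its allocation from that value. */
static int words_unchecked(int nbytes) {
    return (nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES;
}

/* Hardened variant: validate the length before any arithmetic or allocation.
 * Returns 0 and sets *words on success, -1 for negative or oversized input. */
static int words_checked(long nbytes, size_t *words) {
    if (nbytes < 0 || nbytes > MAX_MP_BYTES) return -1;
    *words = ((size_t)nbytes + BIGNUM_INT_BYTES - 1) / BIGNUM_INT_BYTES;
    return 0;
}

/* Bounds-checked reader for an SSH "string" (uint32 big-endian length followed
 * by that many bytes). The length stays unsigned and is compared against the
 * bytes actually available before it is used for anything. Returns a pointer
 * to the payload and sets *len and *consumed, or NULL when the declared
 * length does not fit in the buffer. */
static const unsigned char *read_ssh_string(const unsigned char *buf, size_t avail,
                                            uint32_t *len, size_t *consumed) {
    if (avail < 4) return NULL;
    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (n > avail - 4) return NULL;        /* e.g. 0xffffffff from a hostile server */
    *len = n;
    *consumed = 4 + (size_t)n;
    return buf + 4;
}

/* End-to-end: read one mpint string from a packet and compute the words it
 * needs, with both checks applied. Returns 0 on success, -1 on reject. */
static int mpint_words_from_packet(const unsigned char *pkt, size_t avail, size_t *words) {
    uint32_t len;
    size_t used;
    if (read_ssh_string(pkt, avail, &len, &used) == NULL) return -1;
    return words_checked((long)len, words);
}

int main(void) {
    /* Constructed packets: a length field of 0xffffffff with 2 bytes behind it,
     * and a well-formed 3-byte string. */
    const unsigned char hostile[] = { 0xff, 0xff, 0xff, 0xff, 0x01, 0x02 };
    const unsigned char benign[]  = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
    size_t w = 0;
    printf("unchecked words for nbytes=-1: %d\n", words_unchecked(-1));
    printf("unchecked words for nbytes=-7: %d\n", words_unchecked(-7));
    printf("hostile packet accepted: %d\n", mpint_words_from_packet(hostile, sizeof hostile, &w) == 0);
    printf("benign packet accepted:  %d (words=%zu)\n", mpint_words_from_packet(benign, sizeof benign, &w) == 0, w);
    return 0;
}
```

With these values the unchecked expression yields 0 for nbytes = -1 and -1 for nbytes = -7, which is the second scenario the advisory describes (newbn(-1) allocating zero words); the checked path never reaches the arithmetic for either, and the hostile packet is rejected at the string reader because its declared length exceeds the bytes present.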
  2. Yes, interesting.
  3. THC-IPv6 Attack Tool 2.3
     Authored by van Hauser, thc | Site thc.org
     THC-IPV6 is a toolkit that attacks the inherent protocol weaknesses of IPv6 and ICMP6 and it includes an easy to use packet factory library.
     Changes: 2 new tools added as well as 2 new scripts. Various updates to existing tools.
     Download: http://packetstormsecurity.com/files/download/122685/thc-ipv6-2.3.tar.gz
     Source: THC-IPv6 Attack Tool 2.3 ≈ Packet Storm
  4. Hydra Network Logon Cracker 7.5
     Authored by van Hauser, thc | Site thc.org
     THC-Hydra is a high quality parallelized login hacker for Samba, Smbnt, Cisco AAA, FTP, POP3, IMAP, Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco and more. Includes SSL support, parallel scans, and is part of Nessus.
     Changes: Moved the license from GPLv3 to AGPLv3. Added module for Asterisk Call Manager. Added support for Android where some functions are not available. Various other updates.
     Download: http://packetstormsecurity.com/files/download/122684/hydra-7.5.tar.gz
     Source: Hydra Network Logon Cracker 7.5 ≈ Packet Storm
  5. Netsniff-NG High Performance Sniffer 0.5.8 RC2
     Authored by Tobias Klauser, Daniel Borkmann | Site code.google.com
     netsniff-ng is a free, performant Linux network sniffer for packet inspection. The gain of performance is reached by 'zero-copy' mechanisms, so that the kernel does not need to copy packets from kernelspace to userspace. For this purpose netsniff-ng is libpcap independent, but nevertheless supports the pcap file format for capturing, replaying and performing offline-analysis of pcap dumps. netsniff-ng can be used for protocol analysis, reverse engineering and network debugging.
     Changes: Build system fixes and clean ups. Mausezahn man pages improvements. Compiler warnings fixed. Support for replaying/reading pcap capture files from/to tunnel devices.
     Download: http://packetstormsecurity.com/files/download/122652/netsniff-ng-0.5.8-rc2.tar.gz
     Source: Netsniff-NG High Performance Sniffer 0.5.8 RC2 ≈ Packet Storm
  6. Side.
     (Syscall IDP Engine). Captures all system services(KDR, hidden). Returns control on specified address(int 0x2e/sysenter -> PEB.Filter()). By calling the backdoor control is returned to the kernel(Filter() -> backdoor() -> nt service dispatcher).
     o X86, KM, MI, KDR.
     o May be choose SST[0], SST[0] for gui-thread, SST[1] for shadow.
     Vid: Video2.avi — RGhost
     Org: VX Forum SIDE.zip
     Source: SIDE.
  7. The idea is simple. Suppose you write a function RST() that you call in main():

         int main() {
             RST();
         }

         void RST() {
             // Something
         }

     This code will give you an error because, inside main, the function RST is not known, since it hasn't been declared yet (in short, because it's defined BELOW the main function). What you can do, though, is declare the PROTOTYPE of the RST function above main, followed by ";". That is:

         void RST();

         int main() {
             RST();
         }

         void RST() {
             // Something
         }

     Now the compiler knows you have a function RST, with no parameters, of type "void". That's the idea.
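The same pattern as a complete program, added here as an example rather than taken from the post: one prototype for RST and one for a function that takes parameters and returns a value, so the compiler can check each call in main() against its declaration. The input string is constructed. One detail the post does not cover: in C, `void RST(void)` declares a function with no parameters, while a bare `void RST()` leaves the parameter list unspecified, so a call with the wrong arguments would not be diagnosed; the prototypes below use the explicit form.

```c
/* Added example, not the post's own code: the prototype pattern from the post,
 * extended with a function that takes parameters and returns a value, so the
 * compiler checks the call in main() against the declaration. */
#include <stdio.h>
#include <stddef.h>

/* Prototypes: name, parameter types and return type are known from here on,
 * even though the bodies come after main(). `void RST(void)` declares a
 * function with no parameters; a bare `void RST()` in C leaves the parameter
 * list unspecified, so mismatched calls would not be diagnosed. */
void RST(void);
unsigned sum_bytes(const unsigned char *buf, size_t len);

int main(void) {
    const unsigned char msg[] = "hello";     /* constructed input */
    RST();
    printf("sum_bytes(\"hello\") = %u\n", sum_bytes(msg, sizeof msg - 1));
    return 0;
}

/* Definitions below main(): fine, because the prototypes came first. */
void RST(void) {
    puts("RST called");
}

unsigned sum_bytes(const unsigned char *buf, size_t len) {
    unsigned total = 0;
    for (size_t i = 0; i < len; i++) total += buf[i];
    return total;
}
```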
  8. Useful paper: http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
  9. The ones on imgur work for me. Don't they show up for you? Try a Clear Cache or something.
  10. Yes, meaning you post crappy links to HTML pages that CONTAIN some lousy image. Post a direct link to the image if you want it to work. Thanks for understanding.
  11. Something like this was tried in the past; plenty of people bragged that they wanted to learn and take part, and we'd end up with about 10 people on the chat (there was a chat where things were discussed and explained), of whom 6-7 weren't even at their computers.
  12. I know: Firefox Zero-Day Exploit used by FBI to shutdown Child porn on Tor Network hosting; Tor Mail Compromised - The Hacker News
  13. Half of the sites on the TOR network compromised. Freedom Hosting founder arrested
      by the Hit editorial staff | 5 August 2013

      This weekend the FBI launched a large-scale operation aimed at identifying and capturing providers of illegal online material involving child pornography. Major arrests have already taken place. According to a TwitLonger post, more than half of the sites running through the Tor network have been compromised, and the same happened to the email addresses on TORmail, considered the best-secured email service. As part of the US authorities' operation, Eric Eoin Marques, founder of Freedom Hosting, which also serves the TORmail servers, was arrested in Ireland and charged with supplying and promoting pornographic material involving minors. The FBI describes Eric Eoin Marques as "the largest facilitator of such material in the world", and the US authorities have requested extradition. On Saturday morning, as the news of Eric Eoin Marques's arrest spread, all sites hosted by FH were shut down, according to DailyDot.com, and most of those that came back online a little later had been compromised with the help of a vulnerability that allows access to cookies, logins and IP addresses. Interestingly, this outage of many sites operating through TOR and of the TORmail services happened right during the DEFCON hacking conference, held between 1 and 4 August. It should be noted that TOR is not a network to be confused with an exclusive tool of online criminals. TOR is used by all those who hoped the network could ensure the confidentiality of their personal data and online communications, and it has enjoyed success especially in the context of the increasingly direct intrusion of the authorities into individuals' private lives.

      In the last five years, the authorities and various hacker organizations have tried to break the network's security, but only now has this been achieved. Freedom Hosting is the most popular web hosting service on the TOR network, but also probably the most controversial, because of its links with illegal sites such as Lolita City, the Love Zone or PedoEmpire. At this moment, many sites hosted by Freedom Hosting are down or are reported as infected. Shutting down the most important child pornography sites is the authorities' first concrete, large-scale victory against online criminals. For now, however, it cannot be said who was behind the attack on Freedom Hosting, nor what the attack method was. According to information circulating on the internet, the "raid" by the FBI and by the hackers supporting the authorities' action will continue for at least another two weeks. We will return with details.
      Sources: The Daily Dot, Irish Independent

      Since your balls would drop off if you read the news in English, here's a version in Romanian. Screw you.
      Source: Jumatate dintre site-urile din reteaua TOR, compromise. Fondatorul Freedom Hosting, arestat | Hit.ro
  14. [h=1]Over $100,000 in cash and prizes to be won in our new Windows and Windows Phone contest[/h]
      Unity and Microsoft are inviting Unity developers to enter a new contest by submitting beautifully crafted, high-quality new or existing games or content for the upcoming Windows Store Apps and Windows Phone 8 platforms. Over $100,000 in cash and prizes will be awarded to a number of talented and lucky winners.
      [h=2]Windows Phone 8 games or content[/h]
      First prize: $30,000 USD
      Second prize: $10,000 USD
      Third prize: $5,000 USD
      [h=2]Windows Store games or content[/h]
      First prize: $30,000 USD
      Second prize: $10,000 USD
      Third prize: $5,000 USD
      Source: Unity - Windows Contest
  15. You're stuck with the outdated idea that IE is junk. That's no longer the case. Yes, "code execution" problems show up in IE, but what you don't understand is that they show up in other browsers too, Firefox and Chrome, only there they get fixed faster and without being so visible. (Those Bug Bounties are to blame...)

      As for web programming, let me tell you something that happened to me a while ago.
      1. I put together a cheap little HTML page, since I'm not good at it
      2. The page displays fine in every browser except IE
      3. I find that the problem is a CSS attribute (I don't remember which one)
      4. I read the STANDARD and see that the attribute is READ-ONLY and I was trying to modify it
      5. I conclude that IE is the only browser that tends to respect the standards.

      The other browsers are "friendlier" to weak programmers and allow a lot of things that shouldn't be allowed. If a page doesn't display correctly in IE, it's your fault, not IE's. Read the standards and you'll see for yourselves.

      Coming back to the "safety" part, what was taken into account, those blocked links, is kind of silly. Yes, I partly agree, that is, it's certainly an area that must be considered when comparing browsers from a security point of view, but IT'S NOT THE ONLY ONE.
  16. It's from secimg.php
  17. There are problems with the "Location: " redirect and something odd with HTTPS. One of these days, when I have time, I'll fix at least some of them.
  18. Come on
  19. One word: SEO.
  20. [h=1]Using SQLNinja to own MS-SQL Database Servers[/h]
      Posted by: FastFlux August 1, 2013 in Media, Tutorials, Videos
      This video was recorded and produced by Hood3dRob1n and is for educational purposes only. This is a special demo I made for a few friends to highlight how you can use SQLNINJA to completely pwn MS-SQL Servers where stacked queries are supported, without any need to dump anything or set foot in any admin panel.
      Source: Using SQLNinja to own MS-SQL Database Servers
  21. [h=1]Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages[/h]
      [h=2]Exploit called BREACH bypasses the SSL crypto scheme protecting millions of sites.[/h]
      by Dan Goodin - Aug 1 2013, 6:30pm GTBST

      [Image caption: A frame from a video demonstration showing BREACH in the process of extracting a 32-character security token in an HTTPS-encrypted Web page. Prado, Harris, and Gluck]

      The HTTPS cryptographic scheme, which protects millions of websites, is susceptible to a new attack that allows hackers to pluck e-mail addresses and certain types of security credentials out of encrypted pages, often in as little as 30 seconds.

      The technique, scheduled to be demonstrated Thursday at the Black Hat security conference in Las Vegas, decodes encrypted data that online banks and e-commerce sites send in responses that are protected by the widely used transport layer security (TLS) and secure sockets layer (SSL) protocols. The attack can extract specific pieces of data, such as social security numbers, e-mail addresses, certain types of security tokens, and password-reset links. It works against all versions of TLS and SSL regardless of the encryption algorithm or cipher that's used. It requires that the attacker have the ability to passively monitor the traffic traveling between the end user and website.

      The attack also requires the attacker to force the victim to visit a malicious link. This can be done by injecting an iframe tag in a website the victim normally visits or, alternatively, by tricking the victim into viewing an e-mail with hidden images that automatically download and generate HTTP requests. The malicious link causes the victim's computer to make multiple requests to the HTTPS server that's being targeted. These requests are used to make "probing guesses" that will be explained shortly.

      "We're not decrypting the entire channel, but only extracting the secrets we care about," Yoel Gluck, one of three researchers who developed the attack, told Ars.
"It's a very targeted attack. We just need to find one corner [of a website response] that has the token or password change and go after that page to extract the secret. In general, any secret that's relevant [and] located in the body, whether it be on a webpage or an Ajax response, we have the ability to extract that secret in under 30 seconds, typically." It's the latest attack to chip away at the HTTPS encryption scheme, which forms the cornerstone of virtually all security involving the Web, e-mail, and other Internet services. It joins a pantheon of other hacks introduced over the past few years that bear names such as CRIME, BEAST, Lucky 13, and SSLStrip. While none of the attacks have completely undermined the security afforded by HTTPS, they highlight the fragility of the two-decade-old SSL and TLS protocols. The latest attack has been dubbed BREACH, short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext. As its name suggests, BREACH works by targeting the data compression that just about every website uses to conserve bandwidth. Based on the standard Deflate algorithm, HTTP compression works by eliminating repetitions in strings of text. Rather than iterating "abcd" four times in a chunk of data, for instance, compression will store the string "abcd" only once and then use space-saving "pointers" that indicate where the remaining three instances of the identical pattern are found. By reducing the number of bytes sent over a connection, compression can significantly speed up the time required for a message to be received. In general, the more repetitions of identical strings found in a data stream, the more potential there will be for compression to reduce the overall size. Using what's known as an oracle technique, attackers can use compression to gain crucial clues about the contents of an encrypted message. 
      That's because many forms of encryption—including those found in HTTPS—do little or nothing to stop attackers from seeing the size of the encrypted payload. Compression oracle techniques are particularly effective at ferreting out small chunks of text in the encrypted data stream. BREACH plucks out targeted text strings from an encrypted response by guessing specific characters and including them in probe requests sent back to the targeted Web service. The attack then compares the byte length of the guess to the original response. When the guess contains the precise combination of characters found in the original response, it will generally result in a payload that's smaller than those produced by incorrect guesses. Because deflate compression stores the repetitive strings without significantly increasing the size of the payload, correct guesses will result in encrypted messages that are smaller than those produced by incorrect guesses.

      [h=2]On how an Oracle attack works[/h]

      The first thing an attacker using BREACH might do to retrieve an encrypted e-mail address is guess the @ sign and Internet domain immediately to its right. If guesses such as "@arstechnica.com" and "@dangoodin.com" result in encrypted messages that are larger than the request/response pair without this payload, the attacker knows those addresses aren't included in the targeted response body. Conversely, if compressing "@example.com" against the encrypted address results in no length increase, the attacker will have a high degree of confidence that the string is part of the address he or she is trying to extract. From there, attackers can guess the string to the left of the @ sign character by character. Assuming the encrypted address was johndoe@example.com, guesses of a@example.com, b@example.com, c@example.com, and d@example.com would cause the encrypted message to grow.
But when the attacker guesses e@example.com, it would result in no appreciable increase, since that string is included in the targeted message. The attacker would then repeat the same process to recover the remainder of the e-mail address, character by character, moving right to left. The technique can be used to extract other types of encrypted text included in Web responses. If the site being targeted sends special tokens designed to prevent so-called cross-site request forgery attacks, the credential will almost always contain the same format—such as "request_token=" followed by a long text string such as"bb63e4ba67e24d6b81ed425c5a95b7a2"—each time it's sent. The compression oracle attack can be used to guess this secret string. An attacker would begin by adding the text "request_token=a" to the text of the encrypted page being targeted and send it in a probe request to the Web server. Since the size of the encrypted payload grows, it would be obvious this guess is wrong. By contrast, adding "request_token=b" to the page wouldn't result in any appreciable increase in length, giving the attacker a strong clue that the first character following the equal sign is b. The attacker would use the same technique to guess each remaining character, one at a time, moving left to right. Most attacks that use the BREACH technique can be completed by making only a "few thousand" requests to the targeted Web service, in about 30 seconds with optimal network conditions and small secrets, and in minutes to an hour for more advanced secrets. BREACH, which was devised by Gluck along with researchers Neal Harris and Angelo Prado, builds off the breakthrough CRIME attack researchers Juliano Rizzo and Thai Duong demonstrated last September. Short for Compression Ratio Info-leak Made Easy, CRIME also exploited the compression in encrypted Web requests to ferret out the plaintext of authentication cookies used to access private user accounts. 
      The research resulted in the suspension of TLS compression and an open networking compression protocol known as SPDY. BREACH, by contrast, targets the much more widely used HTTP compression that virtually all websites use when sending responses to end users. It works only against data sent in responses by the website.

      "If you go to the Wikipedia page or any of the specialized security pages, they will tell you that CRIME is mitigated as of today and is no longer an interesting attack and nobody cares about it," Prado said. "So we are bringing it back and making it work better, faster in a different context."

      The good news concerning BREACH is that it works only against certain types of data included in Web responses and then only when an attacker has succeeded in forcing the victim to visit a malicious link. Still, anytime an attacker can extract sensitive data shielded by one of the world's most widely used encryption schemes it's a big deal, particularly as concerns rise about NSA surveillance programs. Making matters more unsettling, there are no easy ways to mitigate the damage BREACH can do. Unlike TLS compression and SPDY, HTTP compression is an essential technology that can't be replaced or discarded without inflicting considerable pain on both website operators and end users.

      At their Black Hat demo, the researchers will release a collection of tools that will help developers assess how vulnerable their applications and online services are to BREACH attacks. Most mitigations will be application-specific. In other cases, the attacks may give rise to new "best practices" advice on how to avoid including certain types of sensitive data in encrypted Web responses. Most websites already list only the last four digits of a customer's credit card number; BREACH may force websites to truncate other sensitive strings as well.

      "We expect that it could be leveraged in particular situations, maybe with an intelligence agency, or maybe an individual actor or a malicious crime organization might use this in a targeted scenario," Prado said. "Any malware writer today has the ability to do something like this if they have not been doing it already."

      Source: Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages | Ars Technica
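The length signal the article describes, made concrete, together with one application-level mitigation. This is an added example, not code from the article or from the BREACH researchers. Because Deflate itself is not available without zlib, the estimator below is a deliberately simplified LZ77-style cost model (a back-reference to at least three earlier bytes costs three bytes, everything else one), which is enough to reproduce the behaviour the text explains: a reflected guess that continues the real token makes the response smaller than one that does not. The second half shows per-response token masking, which the article does not name but which is one of the application-specific mitigations it anticipates: the page carries mask || (token XOR mask) with a fresh mask every response, so the bytes on the wire never repeat and a reflected guess can only ever match the one-time mask. The page layout, the mask constant and the token (taken from the article's example format) are constructed.

```c
/* Added example, not code from the article or from the BREACH researchers:
 * a simplified LZ77-style size estimator standing in for Deflate, used to
 * show the length signal the article describes, and a per-response token
 * mask as one application-level mitigation. Page layout, token and mask
 * value are constructed for the demo; the sizes are estimates, not zlib output. */
#include <stdio.h>
#include <string.h>

#define MAX_BODY 1024

/* Greedy LZ77 cost model: a back-reference to >= 3 earlier bytes costs 3
 * bytes, anything else is a 1-byte literal. Only Deflate's repetition
 * elimination matters for the oracle, so this is enough to demonstrate it. */
static size_t lz_cost(const char *d, size_t n) {
    size_t i = 0, cost = 0;
    while (i < n) {
        size_t best = 0;
        for (size_t j = 0; j < i; j++) {
            size_t len = 0;
            while (i + len < n && d[j + len] == d[i + len]) len++;
            if (len > best) best = len;
        }
        if (best >= 3) { cost += 3; i += best; }
        else           { cost += 1; i += 1;    }
    }
    return cost;
}

/* Constructed response: a reflected search term and the page's anti-CSRF
 * token end up in the same compressed body. Returns the estimated size. */
static size_t response_size(const char *token_field, const char *reflected) {
    char body[MAX_BODY];
    int n = snprintf(body, sizeof body,
                     "<html><body><p>Search results for: %s</p>"
                     "<form>request_token=%s</form></body></html>",
                     reflected, token_field);
    if (n < 0 || (size_t)n >= sizeof body) return 0;
    return lz_cost(body, (size_t)n);
}

/* Bytes the reflected text adds to the response. A guess that continues a
 * string already in the page costs less: that difference is the oracle. */
static long guess_cost(const char *token_field, const char *reflected) {
    return (long)response_size(token_field, reflected)
         - (long)response_size(token_field, "");
}

/* Defender's check: does the response length betray whether a reflected
 * guess matches the token's first character? 1 = length signal present. */
static int leaks_token_prefix(const char *token_field, const char *token) {
    char right[32], wrong[32];
    snprintf(right, sizeof right, "request_token=%c", token[0]);
    snprintf(wrong, sizeof wrong, "request_token=%c", token[0] == 'a' ? 'b' : 'a');
    return guess_cost(token_field, right) < guess_cost(token_field, wrong);
}

static const char HEX[] = "0123456789abcdef";
static int hexval(char c) { const char *p = strchr(HEX, c); return (p && c) ? (int)(p - HEX) : -1; }

/* Mitigation: send mask || (token XOR mask), nibble-wise in hex, with a fresh
 * mask for every response. The token bytes on the wire then differ each time,
 * so a reflected guess can only ever match the one-time mask. The mask must
 * come from a CSPRNG in real code; here it is a constructed constant.
 * out needs 2*strlen(token)+1 bytes. Returns 0 on success, -1 on bad input. */
static int mask_token(const char *token, const char *mask, char *out) {
    size_t len = strlen(token);
    if (strlen(mask) != len) return -1;
    for (size_t i = 0; i < len; i++) {
        int t = hexval(token[i]), m = hexval(mask[i]);
        if (t < 0 || m < 0) return -1;
        out[i] = mask[i];
        out[len + i] = HEX[t ^ m];
    }
    out[2 * len] = '\0';
    return 0;
}

/* Server side: XOR again with the transmitted mask to get the real token. */
static int unmask_token(const char *field, char *token_out) {
    size_t len = strlen(field) / 2;
    if (len == 0 || strlen(field) != 2 * len) return -1;
    for (size_t i = 0; i < len; i++) {
        int m = hexval(field[i]), x = hexval(field[len + i]);
        if (m < 0 || x < 0) return -1;
        token_out[i] = HEX[m ^ x];
    }
    token_out[len] = '\0';
    return 0;
}

int main(void) {
    const char *token = "bb63e4ba67e24d6b81ed425c5a95b7a2";   /* constructed, article's example format */
    const char *mask  = "3f9c0a7e5d1b8642ce0f5a9d7b3e1c41";   /* constructed; random per response in practice */
    char masked[65], recovered[33];
    printf("plain token, length leaks prefix:  %d\n", leaks_token_prefix(token, token));
    if (mask_token(token, mask, masked) == 0) {
        printf("masked token, length leaks prefix: %d\n", leaks_token_prefix(masked, token));
        if (unmask_token(masked, recovered) == 0)
            printf("server recovers original token:    %d\n", strcmp(recovered, token) == 0);
    }
    return 0;
}
```

With the plain token in the page, the guess "request_token=b" costs one estimated byte less than "request_token=a", which is exactly the signal the article's walkthrough relies on; with the masked field the two guesses cost the same, and the server still recovers the original token by XORing with the transmitted mask. Masking only neutralises the guess-against-the-token channel: other secrets reflected into a compressed response (e-mail addresses, reset links) still need their own handling, as the article notes.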
  22. [h=3]Recon-ng Framework A Quick Intro [/h]
      Recon-ng is an open-source framework coded in python by Tim Tomes a.k.a LaNMaSteR53. Its interface is modeled after the look of the Metasploit Framework but it is not meant for exploitation or for spawning a meterpreter session or a shell; it is for web-based reconnaissance and information gathering. It comes with modules to support your web reconnaissance adventure and information gathering just like Metasploit's auxiliary and exploit modules. Modules are categorized into Discovery, Experimental, Recon and Reporting. As of this writing here are the modules with their subcategories:

      Discovery
      ---------
      discovery/exploitable/http/dnn_fcklinkgallery
      discovery/exploitable/http/generic_restaurantmenu
      discovery/exploitable/http/webwiz_rte
      discovery/info_disclosure/dns/cache_snoop
      discovery/info_disclosure/http/backup_finder
      discovery/info_disclosure/http/google_ids
      discovery/info_disclosure/http/interesting_files

      Experimental
      ------------
      experimental/rce

      Recon
      -----
      recon/contacts/enum/http/web/dev_diver
      recon/contacts/enum/http/web/namechk
      recon/contacts/enum/http/web/pwnedlist
      recon/contacts/enum/http/web/should_change_password
      recon/contacts/gather/http/api/jigsaw/point_usage
      recon/contacts/gather/http/api/jigsaw/purchase_contact
      recon/contacts/gather/http/api/jigsaw/search_contacts
      recon/contacts/gather/http/api/linkedin_auth
      recon/contacts/gather/http/api/twitter
      recon/contacts/gather/http/api/whois_pocs
      recon/contacts/gather/http/web/jigsaw
      recon/contacts/gather/http/web/pgp_search
      recon/contacts/support/add_contact
      recon/contacts/support/mangle
      recon/creds/enum/http/api/leakdb
      recon/creds/enum/http/api/noisette
      recon/creds/gather/http/api/pwnedlist/account_creds
      recon/creds/gather/http/api/pwnedlist/api_usage
      recon/creds/gather/http/api/pwnedlist/domain_creds
      recon/creds/gather/http/api/pwnedlist/domain_ispwned
      recon/creds/gather/http/api/pwnedlist/leak_lookup
      recon/creds/gather/http/api/pwnedlist/leaks_dump
      recon/hosts/enum/dns/resolve
      recon/hosts/enum/http/api/builtwith
      recon/hosts/enum/http/api/punkspider
      recon/hosts/enum/http/api/wascompanyhacked
      recon/hosts/enum/http/api/whatweb
      recon/hosts/enum/http/api/whois_lookup
      recon/hosts/enum/http/web/age_analyzer
      recon/hosts/enum/http/web/asafaweb
      recon/hosts/enum/http/web/gender_analyzer
      recon/hosts/enum/http/web/ipvoid
      recon/hosts/enum/http/web/malwaredomain
      recon/hosts/enum/http/web/mywot
      recon/hosts/enum/http/web/netbios
      recon/hosts/enum/http/web/netcraft_history
      recon/hosts/enum/http/web/open_resolvers
      recon/hosts/enum/http/web/urlvoid
      recon/hosts/enum/http/web/web_archive
      recon/hosts/enum/http/web/xssed
      recon/hosts/gather/dns/brute_force
      recon/hosts/gather/http/api/bing_ip
      recon/hosts/gather/http/api/google_site
      recon/hosts/gather/http/api/shodan_hostname
      recon/hosts/gather/http/web/baidu_site
      recon/hosts/gather/http/web/bing_site
      recon/hosts/gather/http/web/census_2012
      recon/hosts/gather/http/web/google_site
      recon/hosts/gather/http/web/ip_neighbor
      recon/hosts/gather/http/web/mcafee/mcafee_affil
      recon/hosts/gather/http/web/mcafee/mcafee_dns
      recon/hosts/gather/http/web/mcafee/mcafee_mail
      recon/hosts/gather/http/web/netcraft
      recon/hosts/gather/http/web/yahoo_site
      recon/hosts/geo/http/api/hostip
      recon/hosts/geo/http/api/ipinfodb
      recon/hosts/geo/http/api/maxmind
      recon/hosts/geo/http/api/uniapple
      recon/hosts/geo/http/web/wigle
      recon/hosts/support/add_host

      Reporting
      ---------
      reporting/csv_file
      reporting/html_report
      reporting/list

      I am also one of the contributors to this framework and have contributed mostly to the Discovery modules. In this article I'm going to emphasize the Backup File Finder module which I authored together with Tim Tomes (the main developer of Recon-ng). This module can be used for checking specific hosts for exposed backup files. The default configuration searches for wp-config.php files which contain WordPress database configuration information. As a side note, this module is inspired by cmsploit.
      Basic Usage:
      load discovery/info_disclosure/http/backup_finder   (use the module)
      show options                                        (shows the options that can be set for the module)
      set source target.com                               (the host you want to crawl)
      set uri config_file                                 (configuration file you want to check, ex. wp-config.php)

      Here is the screenshot of the Backup File Finder's actual crawling.

      Now, here is what's inside a typical configuration file:

          define('DB_NAME', 'wordpress');
          /** MySQL database username */
          define('DB_USER', 'root');
          /** MySQL database password */
          define('DB_PASSWORD', 'passwd');
          /** MySQL hostname */
          define('DB_HOST', 'localhost');
          /** Database Charset to use in creating database tables. */
          define('DB_CHARSET', 'utf8');
          /** The Database Collate type. Don't change this if in doubt. */
          define('DB_COLLATE', '');

      List of the various configuration files used by popular CMSs which can be set to the option uri:
      wp-config.php >> WordPress
      config.php >> phpBB, ExpressionEngine
      configuration.php >> Joomla
      LocalSettings.php >> MediaWiki
      mt-config.cgi >> Movable Type
      settings.php >> Drupal

      About The Author
      This article has been written by Jay Turla; he is a security researcher at Infosec, and along with security research he also performs vulnerability research.

      Resources:
      https://bitbucket.org/LaNMaSteR53/recon-ng
      The Recon-ng Framework : Automated Information Gathering
      1% of CMS-Powered Sites Expose Their Database Passwords
  23. Black Hat 2013: talks and panels 'hot list' Summary: Leading security conference Black Hat boasts over 100 talks that include hacking nuclear facilities, rooting SIM cards, OPSEC failures of spies, a keynote from the NSA and more. Here's a 'hot list' of 2013's riveting talks and demos. By Violet Blue for Zero Day | July 29, 2013 -- 08:38 GMT (01:38 PDT) In its sixteenth year, Black Hat USA 2013 will introduce nearly a hundred new security tools and 35 0-days in a record 110 unique Briefings (talks) and workshops, with 131 companies showcasing their security solutions on-site. An estimated 7,000 high-level security experts are set to attend Black Hat this year. It takes place this week, July 27 – August 1, 2013, at Caesars Palace in Las Vegas. A security conference leader, Black Hat blends hackers, corporations, researchers of all kinds, law enforcement and Feds, in hats ranging from snow-white to so black they actually absorb light. These attendees will be wearing their nicest professional, casual-Friday armor to meet on neutral territory - all comprising an event that may be the world's biggest confluence of virtual arms dealers. Black Hat has cautioned press, "You are about to enter one the most hostile environments in the world." The list of precautions is long, and includes not to use any ATM machines around the conference, keep our hotel keys deep in our belongings, not to use the wi-fi unless we are security experts, not to leave any devices out of sight (EVER!), and to change all of our passwords immediately after leaving Las Vegas. Still, the list of cautions will probably not be enough. There is so much to see and absorb at Black Hat 2013, it will likely be a Vegas gamble worth taking. The packed schedule proves that Black Hat wanted to raise the excitement meter to eleven this year. To mediate overwhelm, we've compiled an insider's 'hot list'. 
      Outside of the usual press releases, we asked organizers what they think will be hot, as well as compiling our own list. Combining the results, we've got a hell of a starting point for attendees listed here:

      Black Hat's Day 1 Keynote (Wednesday, July 31) is Gen. Keith Alexander, Commander, U.S. Cyber Command (USCYBERCOM) and Director, National Security Agency. Here he will "give attendees an insider's look into the U.S. Cyber Command and the interworking of offensive cyber strategy."

      Mactans: Injecting Malware into iOS Devices via Malicious Chargers - Billy Lau. They'll demonstrate how an Apple iOS device can be compromised within one minute of being plugged into a malicious charger, and disclose the details of the vulnerability on-site – something they've held back on so far.

      Rooting SIM Cards - Karsten Nohl. Karsten will disclose his vulnerability onsite; the UN's ITU issued a global warning about it.

      Compromising Industrial Facilities from 40 Miles Away - Lucas Apa. Compromises around nuclear/energy, gas and oil facilities, among others - including shutting them down remotely - even from 40 miles away.

      Energy Fraud and Orchestrated Blackouts: Issues With Wireless Metering Protocols (WM-Bus) - Cyrill Brunschwiler. Energy fraud + widespread orchestrated blackouts are far easier than anyone thinks; Brunschwiler will disclose new flaws in wireless smart meters, resulting in not only a good cheat on your energy bill... but also widespread blackouts as the energy grid is directly impacted. Californians take note.

      Lets Get Physical: Breaking Home Security Systems and Bypassing Buildings' Controls - Drew Porter, Stephen Smith. Hardware-based vulnerabilities impacting a very broad audience – specifically impacts smart homes.

      Home Invasion v2.0: Attacking Network Controlled Hardware - Jennifer Savage, Daniel Crowley, David Bryan. This team has hacked home-based network-connected devices and reveal how havoc or danger could be unleashed at home - specifically, ones that have been 'impossible' to hack until now - from space heaters to door locks, surveillance systems and much more.

      What Security Researchers Need to Know About Anti-Hacking Law - Marcia Hofmann. Reduce risk by finding out ways to reduce potential legal trouble from a number of things researchers wonder about; Hofmann surveys issues relevant to researchers now, including cases on port scanning, violating website terms of use, and designing tools capable of bypassing technical access controls.

      OPSEC Failures of Spies - Matthew Cole. "A rare peek inside the CIA's intelligence gathering operations and the stunning lack of expertise they can bring to the job."

      Above my Pay Grade: Cyber Response at the National Level - Jason Healey. Examining the decisions and actions at all levels of response escalation when a cyber attack is also a national security event, using an example attack on the finance sector, from banks to the military and presidential level.

      Combating the Insider Threat at the FBI: Real World Lessons Learned - Patrick Reidy (CSO of the FBI). "Come hear how the FBI uses a surprising variety of methods to combat insiders. In this session the FBI will provide five key lessons learned about effective detection and deterrence techniques used in the FBI's insider threat program developed over the last decade."

      Exploiting Network Surveillance Cameras Like a Hollywood Hacker - Craig Heffner. A live demonstration of leveraging vulnerabilities described in this talk to freeze and modify legitimate video streams from cameras such as those found in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities.

      Aaron Swartz, Weev, the CFAA and The Future - Kurt Opsahl, EFF [panel]. With the dangers of the CFAA and overzealous, uneducated prosecutors now known, the infosec community has been thrust into the role of educating and persuading lawmakers to reform this dangerous law. The EFF's Opsahl leads a panel and on-the-spot outreach to the community to discuss and propose tactics on all levels.

      Lawful Access - Matt Blaze, Brewster Kahle, Jennifer Valentino-DeVries, Alan Davidson [panel]. "When you get a National Security Letter, no one can hear you scream." Being served with a search warrant for a criminal investigation can be scary enough, but if you're the target of a national security investigation, you won't be allowed to tell anyone about it. This panel discusses the technical risks of surveillance architectures, the legal and technical defenses against over-broad or invasive searches, and actual experiences fighting against secret surveillance orders.

      Mobile hot list highlights: Threats to mobile devices such as injecting malware into Apple's iOS devices with malicious chargers, intercepting traffic and SMS messages through compromised femtocells, cracking BlackBerry's new OS 10, rooting SIM cards and building a spyphone that can record conversations and send messages without you ever knowing.

      Infrastructure hot list highlights: Preventing attacks on critical infrastructure and national security with talks around insider threats at the FBI, energy fraud and orchestrated blackouts, compromising industrial facilities, threats to major oil and gas pipelines and exploiting network surveillance cameras.

      Home attacks hot list: Exposing vulnerabilities within our homes from automation systems such as HVAC and lighting, to other network-controlled devices such as door locks and garage sensors, to hacking some of the most well known home security systems and even the newest smart TVs.

      At the Black Hat Arsenal: Researcher demo highlights: bypassing a car's security for less than 25 dollars, to analyzing smartphone penetration testing and performing web application security audits.

      Can't make it, or just want to keep pace with Black Hat? Follow Black Hat Briefings on Twitter @BlackHatEvents, check Black Hat on Facebook, and connect with Black Hat on its LinkedIn Group - social updates can be found at hashtag #BlackHat. Watch for photos on the Black Hat Events Flickr account.

      An item I had selected for this list was Implantable Medical Devices: Hacking Humans by Barnaby Jack - it had been recommended to me by all experts and organizers I queried. There are many heavy hearts at the passing of Mr. Jack, and the sadness is palpable. He will be so very deeply missed. Black Hat has held his room time and talk slot open: Black Hat will not be replacing Barnaby's talk on Thursday, Aug. 1. The hour will be left vacant for friends and family to gather: Black Hat has set aside the time to commemorate his life and work and stated to this year's attendees, "we encourage you to join us as we celebrate the legacy that he leaves behind."

      Source: Black Hat 2013: talks and panels 'hot list' | ZDNet
24. Minion is a platform developed by the Security Automation team at Mozilla to enable integration and adoption of automated security testing; it has been under development for the past year. The platform allows any team to set up the basic requirements to perform automated scanning and testing of websites and services by providing sensible defaults for plugins that enable scanning of many types of web applications and services. With the 0.3 release of Minion, several milestones have been achieved that have allowed us to start using Minion internally across our development community, quality assurance, and security teams.

Architecture

Minion is intended to be a platform that is simple to use, easy to deploy, simple to extend, and flexible enough to be integrated into any development or operations workflow. At a high level there are three major components in Minion: Plugins, Task Engine, and Front End.

Minion Plugins are light-weight wrappers that perform tasks such as configuring, starting and stopping a plan, and accept a set of callbacks to notify the caller that information is available. In order to be used, Plugins require a plugin runner that handles the invocation of the plugins as well as the results; in addition to supporting Minion's task engine, the Minion backend repository includes command-line scripts to execute plugins. This provides support for testing during development of new plugins and allows a high degree of flexibility in how plugins are used outside of Minion.

The Task Engine is the core platform; it provides an API for managing and configuring Plans (collections of plugins and configurations), collections of users, sites and services, and the results of executions of Plans against those targets.

The Front End is a web application that provides both administration and usage of Minion; users can perform most of the configuration tasks needed to set up Minion plans, targets and users, as well as review the results of Minion scans. Being a Mozilla project, the front-end uses Persona for authentication, but all access control decisions are built into Minion itself.

Minion Plugins

At their heart, Minion plugins are automation scripts designed to abstract away the platform, operating system, and features that an individual security tool implements, and provide a single mechanism for configuring the tool, initiating a scan, and collecting the results. It may be helpful to look at the code for an existing plugin to better understand how they work; the AlivePlugin is a clear, simple example. The Alive plugin is an extremely basic plugin that confirms that a host is reachable, but it implements all of the required features, and extends a BlockingPlugin. The plugin exposes some member variables that provide user interface cues (the name, links for additional information), and in this case, some built-in report objects. In the do_run method the actual logic of the scan is performed, and since no detailed setup or stopping functionality is required, the BlockingPlugin starting and stopping functionality is sufficient.

Two base classes for plugins are provided in the Minion backend to get developers started:

- BlockingPlugin: provides the basic functionality to support a plugin that performs a task and reports its completion state at the end. This is suitable for creating straightforward plugins directly within Python.
- ExternalProcessPlugin: provides the functionality required to kick off an external tool, and provides the basis for several other extensions, especially those that wrap existing security tools.

In addition to several basic "proof of technology" plugins that collect details about targets and provide best practice information, the Minion development team is currently maintaining three other extensions:

- OWASP Zed Attack Proxy: this plugin wraps the OWASP ZAP platform and enables detailed application scanning
- Skipfish: a simple but powerful web fuzzer from Google
- nmap: a port scanning tool that is generally accepted as the best in its class

Minion Task Engine

The Task Engine provides the core functionality for managing users, groups, sites, scans, and results within the Minion platform. Acting as a central hub, the Task Engine maintains a register of available plugins, provides facilities for creating and modifying plans, and manages user access to Minion, including which sites they can scan.

Plugins

Plugin deployment is one of the only features of Minion that cannot currently be managed from within the Front-End; this is a result of the configuration needed to deploy them. The Minion Front-End does, however, provide the ability to review the available plugins and get the class details, which is the information required to add a plugin to a Plan.

Plans

A Minion Plan is a JSON document that provides some information about what the plan does, and a sequence of tools to invoke. An example can be found below:

    {
      "name": "Fuzz and Scan",
      "description": "Run Skipfish to fuzz the application, and perform a ZAP scan.",
      "workflow": [
        {
          "plugin_name": "minion.plugins.skipfish.SkipfishPlugin",
          "description": "",
          "configuration": {}
        },
        {
          "plugin_name": "minion.plugins.zap_plugin.ZAPPlugin",
          "description": "Run the ZAP Spider and Scanner",
          "configuration": {
            "scan": true
          }
        }
      ]
    }

In this example, the name and description are intended to be human readable descriptions of what the plan will do, while the workflow array contains a set of plugin names, a description that will be included in the plan details, and a set of configuration details that may be plugin specific.

Users and Invites

Minion is intended to be a team-oriented tool; as a result, the platform allows user and group management. User accounts are created through an invitation mechanism, or via the administrative interface. The invitation system allows administrators to pre-create groups, sites and plans within Minion, and then add a user to that group before the user has enrolled. Once the invite is issued, an email will be sent to the user and the user can then access a configured profile.

Groups

Groups are the mechanism by which administrators can control how users have visibility into sites and results within Minion. In order for a user to be able to interact with a site via Minion, that user needs to be added to the group, and the site needs to be associated with that group. This provides extremely fine-grained control over visibility into scan results. Currently group membership allows both viewing of scans and the ability to re-execute a scan, but as the project progresses, constraints can be added to allow users to review results but not initiate scans.

Minion Front-End

Designed to be easy to use and provide instant feedback, the front-end provides access to the Minion platform. Each of the pieces of functionality described above is accessible via the front-end, and is explicitly enabled by calling the web services exposed by the Task Engine. One of the advantages of the architecture is that the front-end can be easily re-engineered with no impact to the back-end or plugins.

Technologies

Minion is built with Python, Angular.js, and several packages that assist in ensuring a reliable end-to-end service. These technologies were selected by our development team, but the architecture and each of the service boundaries are intended to use JSON calls to permit easy integration with other services. Because of the design principles applied, it is entirely possible to implement plugins that run on any operating system or platform, and they do not need to reside on the same service. With the appropriate network configurations it is possible to deploy the front-end, task engine, and plugins on different networks, which allows users to limit the amount of attack surface that needs to be deployed in sensitive networks.

Road Map

There are several features that are under active development, and should be implemented over the next several releases.

Authentication & Access Management

- Site Ownership Verification: This is a critical feature that enables users to demonstrate ownership of a site before initiating scans.
- Granular Access Control: The ability to govern users' ability to scan by group and site ownership as well as role.

Plugin Improvements

- Improved Results Reporting: Minion is only as good as its plugins. Now that we have a working and reliable core platform, refinement of plugin results and improved reporting is a core objective.
- Deferred Execution Plugins: Sample implementations of invoking third party services so that we can demonstrate integrating with other Security as a Service platforms.
- Reporting Plugins: Currently we have assigned risk ratings to findings based on our best practices, but that is not necessarily reflective of the priority of issues to other teams. We intend to implement a pluggable reporting interface, including the ability to add plugins to modify the risk ratings based on the security posture and priorities of the teams using Minion.

Front End

- Landing Pages: Currently Minion is designed for technical users who have a need to see deep technical details. In the future, it may be desirable to generate metrics and dashboards, and to facilitate that, landing page support will be implemented to allow customization for user views.

Task Engine Improvements

- Cohort: Minion is designed to support dynamic analysis via web application scanning. This is only one part of the story regarding how to perform automated security testing. Cohort is a branch of Minion that will enable analysis of source code repositories and perform static analysis.
- Historical Issues: In order to facilitate ongoing tracking of a security program, support and integration for third party issue trackers (initial targets are Bugzilla and Github), and the ability to compare multiple scans over time, will be implemented.

Why Minion?

The Mozilla Security team supports hundreds of websites and services, and products used by hundreds of millions of users. In addition our team supports hundreds of employees and thousands of community members that contribute to Mozilla products and services. Scaling to that level is not feasible without improving automation capabilities. While it would be much easier to solve this problem for ourselves, Mozilla's mission is to support the open web, and protect our users. By building Minion as a foundation for a security as a service platform, integrating open source and free tools, then releasing it as open source, we aim to contribute a platform that can be used by any team to dramatically improve their coverage, and integrate security testing automation in all parts of their IT operations and software development processes.

Minion is an open source project, and we welcome contributors, users, and feedback!

Minion Github Repository
Minion Development Mailing List
Minion Wiki

Finally, I would like to extend a huge thanks to Stefan Arentz, Simon Bennetts, Yeuk Hon Wong, Matthew Fuller, and all of the other developers who have moved Minion from a sheet of paper and a set of shell scripts to a production service!

yboily

Source: https://blog.mozilla.org/security/2013/07/30/introducing-minion/
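The plugin base class, the plan document and the Task Engine's plugin register described above, modelled in a small runner. This is an added example written for this page, not Minion's own code: the class and plugin names (BlockingPluginLike, example.plugins.*) and the (severity, summary) report shape are hypothetical, and the plan and target data are constructed.

```python
import json

class BlockingPluginLike:
    """Hypothetical stand-in for Minion's BlockingPlugin, not its real API."""
    PLUGIN_NAME = "example.plugins.Base"
    def __init__(self, configuration):
        self.configuration = configuration
        self.issues = []  # (severity, summary) tuples, the plugin's "report objects"
    def do_run(self, target):  # the scan logic lives here, as in Minion's do_run
        raise NotImplementedError
    def report(self, severity, summary):
        self.issues.append((severity, summary))

class AliveLikePlugin(BlockingPluginLike):
    """Mirrors the Alive plugin idea; reachability is pre-recorded in the target."""
    PLUGIN_NAME = "example.plugins.AlivePlugin"
    def do_run(self, target):
        if target.get("reachable"):
            self.report("Info", "Site is reachable")
        else:
            self.report("Fatal", "Site could not be reached")

class HeaderCheckPlugin(BlockingPluginLike):
    """Constructed best-practice check over captured response headers."""
    PLUGIN_NAME = "example.plugins.HeaderCheckPlugin"
    def do_run(self, target):
        present = {k.lower() for k in target.get("headers", {})}
        for name, severity in self.configuration.get("required", {}).items():
            if name.lower() not in present:
                self.report(severity, "%s header is missing" % name)

# The Task Engine's register of available plugins, keyed by the plugin_name used in plans.
REGISTRY = {c.PLUGIN_NAME: c for c in (AliveLikePlugin, HeaderCheckPlugin)}
STEP_KEYS = {"plugin_name", "description", "configuration"}

def load_plan(text):
    """Parse a plan with the shape shown above; reject malformed steps and unknown plugins."""
    plan = json.loads(text)
    for key in ("name", "description", "workflow"):
        if key not in plan:
            raise ValueError("plan is missing %r" % key)
    for step in plan["workflow"]:
        if STEP_KEYS - set(step):
            raise ValueError("step is missing %s" % sorted(STEP_KEYS - set(step)))
        if step["plugin_name"] not in REGISTRY:
            raise ValueError("unknown plugin %r" % step["plugin_name"])
    return plan

def run_plan(plan, target):
    """Invoke each workflow step in order; returns {plugin_name: [(severity, summary)]}."""
    results = {}
    for step in plan["workflow"]:
        plugin = REGISTRY[step["plugin_name"]](step["configuration"])
        plugin.do_run(target)
        results[step["plugin_name"]] = plugin.issues
    return results

PLAN = json.dumps({"name": "Alive and headers", "description": "Reachability, then headers.",
    "workflow": [{"plugin_name": "example.plugins.AlivePlugin", "description": "",
                  "configuration": {}},
                 {"plugin_name": "example.plugins.HeaderCheckPlugin", "description": "",
                  "configuration": {"required": {"Strict-Transport-Security": "High",
                                                 "X-Frame-Options": "Medium"}}}]})
TARGET = {"reachable": True, "headers": {"Strict-Transport-Security": "max-age=31536000"}}  # constructed
```

Running `run_plan(load_plan(PLAN), TARGET)` walks the workflow in order and collects each plugin's findings; a plan naming a plugin missing from the register is rejected before anything executes.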
25. [h=1]OCSP Stapling in Firefox[/h]

dkeeler

OCSP Stapling has landed in the latest Nightly builds of Firefox! OCSP stapling is a mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner.

Revocation information is important because at any time after a certificate has been issued, it may no longer be appropriate to trust it. For instance, maybe the CA that issued the certificate realizes it put incorrect information on it. Maybe the website operators lose control of their private key, or it gets stolen. More benignly, maybe the domain was transferred to a new owner.

The Online Certificate Status Protocol (OCSP) is one method for obtaining certificate revocation information. When presented with a certificate, the browser asks the issuing CA if there are any problems with it. If the certificate is fine, the CA can respond with a signed assertion that the certificate is still valid. If it has been revoked, however, the CA can say so by the same mechanism.

OCSP has a few drawbacks. First, it slows down new HTTPS connections. When the browser encounters a new certificate, it has to make an additional request to a server operated by the CA. Second, it leaks to the CA what HTTPS sites the user visits, which is concerning from a privacy perspective. Additionally, if the browser cannot connect to the CA, it must choose between two undesirable options. It can terminate the connection on the assumption that something is wrong, which decreases usability. Or, it can continue the connection, which defeats the purpose of doing this kind of revocation checking. By default, Firefox currently continues the connection. The about:config option security.OCSP.require can be set to true to have Firefox terminate the connection instead.

OCSP stapling solves these problems by having the site itself periodically ask the CA for a signed assertion of status and sending that statement in the handshake at the beginning of new HTTPS connections. The browser takes that signed, stapled response, verifies it, and uses it to determine if the site's certificate is still trustworthy. If not, it knows that something is wrong and it must terminate the connection. Otherwise, the certificate is fine and the user can connect to the site.

If Firefox requests but does not receive a stapled response, it falls back to normal OCSP fetching. This means that while OCSP stapling protects against mistakes and many basic attacks, it does not prevent attacks involving more complete network control. For instance, if an attacker with a stolen certificate were able to block connections to the CA OCSP responder while running their own server that doesn't do OCSP stapling, the user would not be alerted that the certificate had been revoked. A new proposal currently referred to as "OCSP-must-staple" is intended to handle this case by giving sites a way of saying "any connection to this site must include a stapled OCSP response". This is still in development.

OCSP stapling works with all CAs that support OCSP. OCSP stapling has been implemented in popular web servers including nginx and Apache. If you run a website, consider turning on OCSP stapling to protect your users. If you use Firefox Nightly, enjoy the increased security, privacy, and performance benefits!

Source: https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
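A site operator who has just enabled stapling will want to confirm that the server really sends a fresh, good response in the handshake. The checker below is an added example, not code from the post or from Firefox: it parses the status section that `openssl s_client -status` prints (the two excerpts are constructed from that command's output format, not captured from a real site) and reports whether a stapled response is present, whether it says good or revoked, and whether the server has let it go stale past its Next Update time. The verdict names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of `openssl s_client -connect HOST:443 -status` output for a
# server that staples; the real command prints much more, only these lines matter.
STAPLED = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jul 29 10:00:00 2013 GMT
    Next Update: Aug  5 10:00:00 2013 GMT
======================================
"""
# Constructed excerpt for a server that does not staple at all.
NOT_STAPLED = "CONNECTED(00000003)\nOCSP response: no response sent\n"

TIME_FMT = "%b %d %H:%M:%S %Y GMT"  # openssl's date layout in the printed response

def _parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)

def parse_status_output(text):
    """Extract the stapling-relevant fields from s_client -status output."""
    info = {"stapled": False, "cert_status": None, "this_update": None, "next_update": None}
    m = re.search(r"OCSP Response Status: (\w+)", text)
    if "OCSP response: no response sent" in text or not m or m.group(1) != "successful":
        return info  # nothing stapled, or a response the browser could not use
    info["stapled"] = True
    m = re.search(r"Cert Status: (\w+)", text)
    info["cert_status"] = m.group(1) if m else None
    for key, label in (("this_update", "This Update"), ("next_update", "Next Update")):
        m = re.search(label + r": (.+ GMT)", text)
        if m:
            info[key] = _parse_time(m.group(1))
    return info

def stapling_verdict(text, now=None):
    """Summarise what the stapled response means for a visitor at time `now`
    (a string in openssl's date format, or None for the current time)."""
    now_dt = _parse_time(now) if now else datetime.now(timezone.utc)
    info = parse_status_output(text)
    if not info["stapled"]:
        return "no-staple"   # the browser has to fall back to contacting the CA's responder
    if info["cert_status"] == "revoked":
        return "revoked"     # the signed assertion says the certificate is bad
    if info["next_update"] and now_dt > info["next_update"]:
        return "stale"       # the server stopped refreshing its stapled response
    return "good" if info["cert_status"] == "good" else "unknown"
```

Pipe the real `openssl s_client -connect host:443 -status < /dev/null` output into `stapling_verdict` to check a deployment; a "stale" result means the server's periodic refresh of the CA response is not working even though stapling is switched on.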